[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Xen-devel] [PATCH][Take 3] VNC authentification

To: Masami Watanabe <masami.watanabe@xxxxxxxxxxxxxx>
From: Anthony Liguori <aliguori@xxxxxxxxxx>
Date: Tue, 03 Oct 2006 12:56:31 -0500
Cc: Ian Pratt <m+Ian.Pratt@xxxxxxxxxxxx>, xen-devel@xxxxxxxxxxxxxxxxxxx, "Daniel P. Berrange" <berrange@xxxxxxxxxx>
Delivery-date: Tue, 03 Oct 2006 10:57:11 -0700
List-id: Xen developer discussion <xen-devel.lists.xensource.com>

Masami Watanabe wrote:

+static int vnc_auth(VncState *vs)
+{
+    extern char vncpasswd[64];
+    extern unsigned char challenge[AUTHCHALLENGESIZE];
+
+    if (*vncpasswd == '\0') {
+       /* AuthType is None */
+       vnc_write_u32(vs, 1);
+       vnc_flush(vs);
+       vnc_read_when(vs, protocol_client_init, 1);
+    } else {
+       /* AuthType is VncAuth */
+       vnc_write_u32(vs, 2);
+       vnc_flush(vs);
+
+       /* Read AuthType */
+       vnc_read_when(vs, protocol_authtype, 1);

As I mentioned before, you cannot have to vnc_read_when()'s executionpath without returning the the mainloop.

protocol_authtype() cannot possibly be invoked. If the code is workingnow, it's pure luck.

There was just a very high profile RealVNC vulnerability that was due toimproper authtype handling. It's very important we do this right so wedon't duplicate this bug.


Regards,

Anthony Liguori

+       /* Send Challenge */
+       make_challenge(challenge, AUTHCHALLENGESIZE);
+       vnc_write(vs, challenge, AUTHCHALLENGESIZE);
+       vnc_flush(vs);
+
+       /* Read Responce */
+       vnc_read_when(vs, protocol_response, AUTHCHALLENGESIZE);
+    }
+
+    return 0;
+}

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-devel



_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-devel

Follow-Ups:
- Re: [Xen-devel] [PATCH][Take 3] VNC authentification
  - From: Daniel P. Berrange

References:
- [Xen-devel] Re: [PATCH][Take 2] VNC authentification
  - From: Daniel P. Berrange
- [Xen-devel] Re: [PATCH][Take 2] VNC authentification
  - From: Anthony Liguori
- [Xen-devel] Re: [PATCH][Take 2] VNC authentification
  - From: Daniel P. Berrange
- [Xen-devel] RE: [PATCH][Take 2] VNC authentification
  - From: Ian Pratt
- [Xen-devel] [PATCH][Take 3] VNC authentification
  - From: Masami Watanabe

Prev by Date: [Xen-devel] USB split driver
Next by Date: Re: [Xen-devel] [PATCH][Take 3] VNC authentification
Previous by thread: [Xen-devel] [PATCH][Take 3] VNC authentification
Next by thread: Re: [Xen-devel] [PATCH][Take 3] VNC authentification
Index(es):
- Date
- Thread

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.