To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org
Cc: Hayzam Sherif
From: Mark Johnston
Subject: git: 818971cc403e - main - bhyve: Fix unchecked stream I/O in RFB handler
List-Id: Commit messages for the main branch of the src repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-main
Date: Thu, 19 Feb 2026 19:40:54 +0000
Message-Id: <69976746.454cf.28d9030d@gitrepo.freebsd.org>

The branch main has been updated by markj:

URL: https://cgit.FreeBSD.org/src/commit/?id=818971cc403e78d42b77eb6c18a2d2a073e5541f

commit 818971cc403e78d42b77eb6c18a2d2a073e5541f
Author:     Hayzam Sherif
AuthorDate: 2026-02-19 19:24:02 +0000
Commit:     Mark Johnston
CommitDate: 2026-02-19 19:24:07 +0000

    bhyve: Fix unchecked stream I/O in RFB handler

    Convert rfb_send_* helpers to return status codes and check their results. Add missing checks for stream_read() and stream_write() returns during the handshake in rfb_handle() to avoid acting on failed I/O.

    Signed-off-by: Hayzam Sherif
    Reviewed by: markj
    MFC after: 2 weeks
    Sponsored by: The FreeBSD Foundation
    Differential Revision: https://reviews.freebsd.org/D55343

--- usr.sbin/bhyve/rfb.c | 76 +++++++++++++++++++++++++++++++++++++--------------- 1 file changed, 54 insertions(+), 22 deletions(-) diff --git a/usr.sbin/bhyve/rfb.c b/usr.sbin/bhyve/rfb.c index fe6b628f94e2..c6c048d2b140 100644 --- a/usr.sbin/bhyve/rfb.c +++ b/usr.sbin/bhyve/rfb.c @@ -265,7 +265,7 @@ struct rfb_cuttext_msg { uint32_t length; }; -static void +static int rfb_send_server_init_msg(struct rfb_softc *rc, int cfd) { struct bhyvegc_image *gc_image; 
@@ -289,11 +289,14 @@ rfb_send_server_init_msg(struct rfb_softc *rc, int cfd) sinfo.pixfmt.pad[1] = 0; sinfo.pixfmt.pad[2] = 0; sinfo.namelen = htonl(rc->fbnamelen); - (void)stream_write(cfd, &sinfo, sizeof(sinfo)); - (void)stream_write(cfd, rc->fbname, rc->fbnamelen); + if (stream_write(cfd, &sinfo, sizeof(sinfo)) <= 0) + return (-1); + if (stream_write(cfd, rc->fbname, rc->fbnamelen) <= 0) + return (-1); + return (0); } -static void +static int rfb_send_resize_update_msg(struct rfb_softc *rc, int cfd) { struct rfb_srvr_updt_msg supdt_msg; @@ -303,7 +306,8 @@ rfb_send_resize_update_msg(struct rfb_softc *rc, int cfd) supdt_msg.type = 0; supdt_msg.pad = 0; supdt_msg.numrects = htons(1); - stream_write(cfd, &supdt_msg, sizeof(struct rfb_srvr_updt_msg)); + if (stream_write(cfd, &supdt_msg, sizeof(struct rfb_srvr_updt_msg)) <= 0) + return (-1); /* Rectangle header */ srect_hdr.x = htons(0); @@ -311,10 +315,12 @@ rfb_send_resize_update_msg(struct rfb_softc *rc, int cfd) srect_hdr.width = htons(rc->width); srect_hdr.height = htons(rc->height); srect_hdr.encoding = htonl(RFB_ENCODING_RESIZE); - stream_write(cfd, &srect_hdr, sizeof(struct rfb_srvr_rect_hdr)); + if (stream_write(cfd, &srect_hdr, sizeof(struct rfb_srvr_rect_hdr)) <= 0) + return (-1); + return (0); } -static void +static int rfb_send_extended_keyevent_update_msg(struct rfb_softc *rc, int cfd) { struct rfb_srvr_updt_msg supdt_msg; @@ -324,7 +330,8 @@ rfb_send_extended_keyevent_update_msg(struct rfb_softc *rc, int cfd) supdt_msg.type = 0; supdt_msg.pad = 0; supdt_msg.numrects = htons(1); - stream_write(cfd, &supdt_msg, sizeof(struct rfb_srvr_updt_msg)); + if (stream_write(cfd, &supdt_msg, sizeof(struct rfb_srvr_updt_msg)) <= 0) + return (-1); /* Rectangle header */ srect_hdr.x = htons(0); 
@@ -332,7 +339,9 @@ rfb_send_extended_keyevent_update_msg(struct rfb_softc *rc, int cfd) srect_hdr.width = htons(rc->width); srect_hdr.height = htons(rc->height); srect_hdr.encoding = htonl(RFB_ENCODING_EXT_KEYEVENT); - stream_write(cfd, &srect_hdr, sizeof(struct rfb_srvr_rect_hdr)); + if (stream_write(cfd, &srect_hdr, sizeof(struct rfb_srvr_rect_hdr)) <= 0) + return (-1); + return (0); } static int @@ -728,7 +737,10 @@ rfb_send_screen(struct rfb_softc *rc, int cfd) rc->width = gc_image->width; rc->height = gc_image->height; if (rc->enc_resize_ok) { - rfb_send_resize_update_msg(rc, cfd); + if (rfb_send_resize_update_msg(rc, cfd) < 0) { + retval = -1; + goto done; + } rc->update_all = true; goto done; } @@ -819,7 +831,10 @@ rfb_send_screen(struct rfb_softc *rc, int cfd) goto done; } - rfb_send_update_header(rc, cfd, changes); + if (rfb_send_update_header(rc, cfd, changes) <= 0) { + retval = -1; + goto done; + } /* Go through all cells, and send only changed ones */ crc_p = rc->crc_tmp; @@ -868,7 +883,8 @@ rfb_recv_update_msg(struct rfb_softc *rc, int cfd) return (-1); if (rc->enc_extkeyevent_ok && (!rc->enc_extkeyevent_send)) { - rfb_send_extended_keyevent_update_msg(rc, cfd); + if (rfb_send_extended_keyevent_update_msg(rc, cfd) < 0) + return (-1); rc->enc_extkeyevent_send = true; } @@ -1045,7 +1061,8 @@ rfb_handle(struct rfb_softc *rc, int cfd) rc->cfd = cfd; /* 1a. Send server version */ - stream_write(cfd, vbuf, strlen(vbuf)); + if (stream_write(cfd, vbuf, strlen(vbuf)) <= 0) + goto done; /* 1b. Read client version */ len = stream_read(cfd, buf, VERSION_LENGTH); @@ -1080,10 +1097,14 @@ rfb_handle(struct rfb_softc *rc, int cfd) case CVERS_3_8: buf[0] = 1; buf[1] = auth_type; - stream_write(cfd, buf, 2); + if (stream_write(cfd, buf, 2) <= 0) + goto done; /* 2b. Read agreed security type */ len = stream_read(cfd, buf, 1); + if (len <= 0) + goto done; + if (buf[0] != auth_type) { /* deny */ sres = htonl(1); 
@@ -1094,7 +1115,8 @@ rfb_handle(struct rfb_softc *rc, int cfd) case CVERS_3_3: default: be32enc(buf, auth_type); - stream_write(cfd, buf, 4); + if (stream_write(cfd, buf, 4) <= 0) + goto done; break; } @@ -1128,10 +1150,13 @@ rfb_handle(struct rfb_softc *rc, int cfd) /* Initialize a 16-byte random challenge */ arc4random_buf(challenge, sizeof(challenge)); - stream_write(cfd, challenge, AUTH_LENGTH); + if (stream_write(cfd, challenge, AUTH_LENGTH) <= 0) + goto done; /* Receive the 16-byte challenge response */ - stream_read(cfd, buf, AUTH_LENGTH); + len = stream_read(cfd, buf, AUTH_LENGTH); + if (len <= 0) + goto done; memcpy(crypt_expected, challenge, AUTH_LENGTH); @@ -1164,14 +1189,17 @@ rfb_handle(struct rfb_softc *rc, int cfd) case CVERS_3_8: report_and_done: /* 2d. Write back a status */ - stream_write(cfd, &sres, 4); + if (stream_write(cfd, &sres, 4) <= 0) + goto done; if (sres) { /* 3.7 does not want string explaining cause */ if (client_ver == CVERS_3_8) { be32enc(buf, strlen(message)); - stream_write(cfd, buf, 4); - stream_write(cfd, message, strlen(message)); + if (stream_write(cfd, buf, 4) <= 0) + goto done; + if (stream_write(cfd, message, strlen(message)) <= 0) + goto done; } goto done; } @@ -1181,7 +1209,8 @@ report_and_done: /* for VNC auth case send status */ if (auth_type == SECURITY_TYPE_VNC_AUTH) { /* 2d. Write back a status */ - stream_write(cfd, &sres, 4); + if (stream_write(cfd, &sres, 4) <= 0) + goto done; } if (sres) { goto done; @@ -1190,9 +1219,12 @@ report_and_done: } /* 3a. Read client shared-flag byte */ len = stream_read(cfd, buf, 1); + if (len <= 0) + goto done; /* 4a. Write server-init info */ - rfb_send_server_init_msg(rc, cfd); + if (rfb_send_server_init_msg(rc, cfd) < 0) + goto done; if (!rc->zbuf) { rc->zbuf = malloc(RFB_ZLIB_BUFSZ + 16);
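
Review bot: In the rfb_send_server_init_msg() hunk (@@ -289), the second write treats a return of 0 as failure: "if (stream_write(cfd, rc->fbname, rc->fbnamelen) <= 0) return (-1);". If rc->fbnamelen can ever be 0, a zero-length write that returns 0 would now abort the handshake even though nothing went wrong. Either skip the write when fbnamelen is 0 or test for < 0 here. The converted helpers also have no comment stating their new contract (0 on success, -1 on failure); a one-line note above each would keep callers from guessing.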
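
Review bot: In the rfb_send_screen() hunk at @@ -819, the existing helper is tested with "rfb_send_update_header(rc, cfd, changes) <= 0", while the helpers converted in this patch return 0 on success and are tested with "< 0". Two return conventions for sibling rfb_send_* functions in the same file is easy to get wrong later: applying the "<= 0" test to one of the new helpers would turn every success into a failure. Consider converting rfb_send_update_header() to the same 0 / -1 convention, or commenting the difference at the call site.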
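
Review bot: In the rfb_handle() hunk at @@ -1128, the new check after reading the challenge response, "len = stream_read(cfd, buf, AUTH_LENGTH); if (len <= 0) goto done;", rejects only an error or EOF. A return between 1 and AUTH_LENGTH - 1 passes, and the code that follows would then work with a partially filled buf. Unless stream_read() is guaranteed to return either the full length or a failure, compare against the expected size instead, for example "if (len != AUTH_LENGTH) goto done;". The same applies to the other fixed-length reads in the handshake.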
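
Review bot: In the report_and_done hunk (@@ -1164), the check on the last write of the failure path is redundant: "if (stream_write(cfd, message, strlen(message)) <= 0) goto done;" is followed immediately by the closing brace and an unconditional "goto done;", so both outcomes reach the same label. Dropping the check and marking the call with a (void) cast would say what is intended. The preceding "stream_write(cfd, buf, 4)" check is still useful because it avoids sending the message after the length write has failed.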