svn commit: r319487 - head/usr.sbin/bhyve

Conrad Meyer cse.cem at gmail.com
Sat Jun 10 16:55:12 UTC 2017 

Forgot to mention — this one was CID 1375949.

Additionally additionally,

On Thu, Jun 1, 2017 at 7:35 PM, Marcelo Araujo <araujo at freebsd.org> wrote:
> Author: araujo
> Date: Fri Jun  2 02:35:16 2017
> New Revision: 319487
> URL: https://svnweb.freebsd.org/changeset/base/319487
>
> Log:
>   Add VNC Authentication support based on RFC6143 section 7.2.2.
>
> ...
>
> Modified: head/usr.sbin/bhyve/rfb.c
> ==============================================================================
> --- head/usr.sbin/bhyve/rfb.c   Fri Jun  2 01:00:40 2017        (r319486)
> +++ head/usr.sbin/bhyve/rfb.c   Fri Jun  2 02:35:16 2017        (r319487)
> ...
> @@ -739,8 +754,19 @@ rfb_handle(struct rfb_softc *rc, int cfd)
>  {
>         const char *vbuf = "RFB 003.008\n";
>         unsigned char buf[80];
> +       unsigned char *message;
> +
> +#ifndef NO_OPENSSL
> +       unsigned char challenge[AUTH_LENGTH];
> +       unsigned char keystr[PASSWD_LENGTH];
> +       unsigned char crypt_expected[AUTH_LENGTH];
> +
> +       DES_key_schedule ks;
> +       int i;
> +#endif
> +
>         pthread_t tid;

This is uninitialized.

> -        uint32_t sres;
> +       uint32_t sres;
>         int len;
>
>         rc->cfd = cfd;
> @@ -751,19 +777,91 @@ rfb_handle(struct rfb_softc *rc, int cfd)
> ...
> +       /* 2c. Do VNC authentication */
> +       switch (buf[0]) {
> +       case SECURITY_TYPE_NONE:
> +               sres = 0;
> +               break;
> +       case SECURITY_TYPE_VNC_AUTH:
 ...
>
> +
> +               if (memcmp(crypt_expected, buf, AUTH_LENGTH) != 0) {
> +                       message = "Auth Failed: Invalid Password.";
> +                       sres = htonl(1);
> +               } else
> +                       sres = 0;
> +#else
> +               sres = 0;
> +               WPRINTF(("Auth not supported, no OpenSSL in your system"));
> +#endif
> +
> +               break;
> +       }
> +
> +       /* 2d. Write back a status */
>         stream_write(cfd, &sres, 4);
>
> +       if (sres) {
> +               *((uint32_t *) buf) = htonl(strlen(message));
> +               stream_write(cfd, buf, 4);
> +                stream_write(cfd, message, strlen(message));
> +               goto done;
> +       }

When authentication fails, 'done:' label will pthread_join(tid), which
is also uninitialized at this point.  This is CID 1375950.

Best,
Conrad

More information about the svn-src-head mailing list