Merge branches 'fix-vencrypt-leak' and 'fixes-ssecurityplain' of https://github.com/michalsrb/tigervnc
diff --git a/common/rfb/SSecurityPlain.cxx b/common/rfb/SSecurityPlain.cxx
index f5a5cc7..fc9dff2 100644
--- a/common/rfb/SSecurityPlain.cxx
+++ b/common/rfb/SSecurityPlain.cxx
@@ -86,13 +86,20 @@
   if (state == 0) {
     if (!is->checkNoWait(8))
       return false;
+
     ulen = is->readU32();
+    if (ulen > MaxSaneUsernameLength)
+      throw AuthFailureException("Too long username");
+
     plen = is->readU32();
+    if (plen > MaxSanePasswordLength)
+      throw AuthFailureException("Too long password");
+
     state = 1;
   }
 
   if (state == 1) {
-    if (is->checkNoWait(ulen + plen + 2))
+    if (!is->checkNoWait(ulen + plen))
       return false;
     state = 2;
     pw = new char[plen + 1];
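Review bot: The `pw = new char[plen + 1];` on the last line of this hunk puts the cleartext password in a raw heap buffer right after `state = 2` is set, and nothing visible here ties its lifetime to the exception paths. The rest of the function is outside the hunk, so this is a question rather than a finding: if a later read or the validator can throw before the matching `delete[]`, the buffer is leaked with the password still in it. An owning wrapper like the `CharArray` the class already uses for `username` would release it on every path, e.g. `CharArray password(plen + 1);` if its sizing constructor is usable here. Separately, a one-line comment above the `checkNoWait(ulen + plen)` call would help: `// ulen and plen are capped above, so the sum cannot wrap`.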
diff --git a/common/rfb/SSecurityPlain.h b/common/rfb/SSecurityPlain.h
index 080fcd5..2c08c24 100644
--- a/common/rfb/SSecurityPlain.h
+++ b/common/rfb/SSecurityPlain.h
@@ -54,6 +54,9 @@
     PasswordValidator* valid;
     unsigned int ulen, plen, state;
     CharArray username;
+
+    static const unsigned int MaxSaneUsernameLength = 1024;
+    static const unsigned int MaxSanePasswordLength = 1024;
   };
 
 }
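Review bot: `MaxSaneUsernameLength` and `MaxSanePasswordLength` are added without a comment, and their value does security work that the names alone do not convey. In SSecurityPlain.cxx they are compared against lengths read from the client before the credentials are validated, and the sum `ulen + plen` is then passed to `checkNoWait`, so they bound both the allocation size and the arithmetic. I would add above them: `// Caps on client-supplied lengths, in bytes; enforced before any buffer is sized from ulen/plen.` The unit is inferred from `new char[plen + 1]` in the .cxx hunk; if 1024 was chosen to match a limit in the password validator backends, naming that in the comment would help too.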