Merge branch 'main' into dev

ChangeLog.md

@@ -91,6 +91,12 @@ file keyword or the server did not support `rsa-sha2-256`.
 TurboVNC Viewer when it attempted to receive a clipboard update from QEMU's VNC
 server.
 
+7. Fixed a denial-of-service (DoS) vulnerability in the TurboVNC Server,
+introduced by 3.0 beta1[20], that triggered an infinite loop in the server's
+automatic WebSocket detection code if an ill-behaved client sent 3 or fewer
+bytes of data immediately after connecting.  Certain versions of Apache
+Guacamole were known to trigger this issue sporadically.
+
 
 3.1.2
 =====

unix/Xvnc/programs/Xserver/hw/vnc/sockets.c

@@ -472,8 +472,11 @@ int PeekExactTimeout(rfbClientPtr cl, char *buf, int len, int timeout)
   int n;
   fd_set readfds, exceptfds;
   struct timeval tv;
+  CARD32 start, now;
   int sock = cl->sock;
 
+  start = GetTimeInMillis();
+
   while (len > 0) {
     do {
 #if USETLS
@@ -519,6 +522,21 @@ int PeekExactTimeout(rfbClientPtr cl, char *buf, int len, int timeout)
         errno = ETIMEDOUT;
         return -1;
       }
+      /* If the client has sent less than len bytes and is waiting for the
+         server before sending more bytes, then we need to enforce the timeout
+         ourselves in order to prevent an infinite loop and subsequent denial
+         of service.  Otherwise recv() will keep returning n < len with errno
+         set to EAGAIN, and select() will keep returning 1, since recv() has
+         not removed any data from the queue.  We need to loop back in order to
+         give the client an opportunity to send more data, but we can't do that
+         forever. */
+      if (errno == EWOULDBLOCK || errno == EAGAIN) {
+        now = GetTimeInMillis();
+        if (now - start >= (CARD32)timeout) {
+          errno = ETIMEDOUT;
+          return -1;
+        }
+      }
     }
   }
   return 1;