brahma1989
commented
2 years ago This issue occurs when you launch a vnc console in a browser either in Chrome or Mozilla. the x11vnc server crashes when you select a large text more than 40kb of size in console, the reason for the crash is a buffer overflow in web socket encoding code, basically, the connection between the NoVnc client to x11vnc server to be established using web socket APIs which are part of libvncserver library.
the server has to push/send the text to be selected to all the connected clients and it performs data encoding before pushing the text to the NoVnc client which is using web socket encoding. The x11vnc server allocates 256 kb of buffer to hold the select text but web socket encoding allocates only 40kb of buffer to hold the data that is encoded, that's where the buffer overflow occurs when the server pushes more than 40kb of data to be encoded, which corrupts the memory of data structures eventually causing the server to down when it tries to access the bad memory.
To maintain the same buffer lengths in both x11vnc and web socket encode, this below patch allocates 256kb of buffer in web socket code which solves the x11vnc server crash issue.
diff -ruN a/libvncserver/ws_decode.h b/libvncserver/ws_decode.h --- a/libvncserver/ws_decode.h 2021-11-02 11:28:23.023362582 +0530 +++ b/libvncserver/ws_decode.h 2021-11-05 12:09:16.134032729 +0530 @@ -28,6 +28,7 @@
define WS_HYBI_MASK_LEN 4
define ARRAYSIZE(a) ((sizeof(a) / sizeof((a[0]))) / (size_t)(!(sizeof(a) % sizeof((a[0])))))
+#define WS_MAX_ENCODE_BUF (262144L)
struct ws_ctx_s; typedef struct ws_ctx_s ws_ctx_t; @@ -112,7 +113,7 @@
struct ws_ctx_s { char codeBufDecode[2048 + WSHLENMAX]; / base64 + maximum frame header length /
- char codeBufEncode[B64LEN(UPDATE_BUF_SIZE) + WSHLENMAX]; / base64 + maximum frame header length /
- char codeBufEncode[WS_MAX_ENCODE_BUF + 1 + WSHLENMAX]; / base64 + maximum frame header length / char writePos; unsigned char readPos; int readlen;
maxnet
If you'd like to put out an incentive for fixing this bug, you can do so at https://issuehunt.io/r/LibVNC/libvncserver
Describe the bug when I select large text say 1500 lines using cursor my x11vnc server gets segmentation fault. x11vnc version: 0.9.13 libvncserver version: 0.9.13 here is the stack trace : (gdb) bt
0 0x76ea6b8c in rfbStatLookupMessage (cl=cl@entry=0x1fa5460, type=type@entry=3)
1 0x76ea6d10 in rfbStatRecordMessageSent (cl=cl@entry=0x1fa5460, type=type@entry=3, byteCount=byteCount@entry=262152, byteIfRaw=byteIfRaw@entry=262152)
2 0x76ea279c in rfbSendServerCutText (rfbScreen=,
3 0x00081dd0 in selection_send (ev=ev@entry=0x7ecd1aa8) at selection.c:508
4 0x000bd678 in check_xevents (reset=reset@entry=0) at xevents.c:1471
5 0x0007fc18 in watch_loop () at screen.c:4611
6 0x000291e8 in main (argc=, argv=) at x11vnc.c:5990
(gdb) frame 0
0 0x76ea6b8c in rfbStatLookupMessage (cl=cl@entry=0x1fa5460, type=type@entry=3)
196 if (ptr->type==type) { (gdb) frame 1
1 0x76ea6d10 in rfbStatRecordMessageSent (cl=cl@entry=0x1fa5460, type=type@entry=3, byteCount=byteCount@entry=262152, byteIfRaw=byteIfRaw@entry=262152)
256 ptr = rfbStatLookupMessage(cl, type); (gdb)
To Reproduce
Expected Behavior
it should be able to paste the large text at least 256 KB without any server crash. server must be pasting large text to client clipboard. Logs/Backtraces
(gdb) bt
0 0x76ea6b8c in rfbStatLookupMessage (cl=cl@entry=0x1fa5460, type=type@entry=3)
1 0x76ea6d10 in rfbStatRecordMessageSent (cl=cl@entry=0x1fa5460, type=type@entry=3, byteCount=byteCount@entry=262152, byteIfRaw=byteIfRaw@entry=262152)
2 0x76ea279c in rfbSendServerCutText (rfbScreen=,
3 0x00081dd0 in selection_send (ev=ev@entry=0x7ecd1aa8) at selection.c:508
4 0x000bd678 in check_xevents (reset=reset@entry=0) at xevents.c:1471
5 0x0007fc18 in watch_loop () at screen.c:4611
6 0x000291e8 in main (argc=, argv=) at x11vnc.c:5990
(gdb) frame 0
0 0x76ea6b8c in rfbStatLookupMessage (cl=cl@entry=0x1fa5460, type=type@entry=3)
196 if (ptr->type==type) { (gdb) frame 1
1 0x76ea6d10 in rfbStatRecordMessageSent (cl=cl@entry=0x1fa5460, type=type@entry=3, byteCount=byteCount@entry=262152, byteIfRaw=byteIfRaw@entry=262152)
256 ptr = rfbStatLookupMessage(cl, type); (gdb) Your environment (please complete the following information):
Additional context
i see this segmentation fault as well in frequently.
1 0x76ae1ae8 in poll_for_reply () at ../../libxcb-1.12/src/xcb_in.c:457
2 0x76ae23c0 in wait_for_reply () at ../../libxcb-1.12/src/xcb_in.c:515
3 0x76ae24ac in xcb_wait_for_reply () at ../../libxcb-1.12/src/xcb_in.c:546
4 0x76dc4d70 in _XReply (dpy=dpy@entry=0x1768470, rep=rep@entry=0x7ef48040, extra=2129952832, extra@entry=0, discard=1995091968, discard@entry=1)
5 0x76dbb374 in XQueryPointer (dpy=dpy@entry=0x1768470, w=w@entry=246, root=root@entry=0x7ef480e4, child=child@entry=0x7ef480e8,
6 0x000c60a8 in XQueryPointer_wr (display=0x1768470, w=246, root_return=0x7ef480e4, root_return@entry=0x7ef480dc, child_return=0x7ef480e8,
7 0x0004c7d0 in check_x11_pointer () at cursor.c:2000
8 0x000809d0 in check_cursor_changes () at screen.c:4137
9 watch_loop () at screen.c:4719
10 0x000291e8 in main (argc=, argv=) at x11vnc.c:5990
(gdb) bt 0 full (More stack frames follow...) (gdb) frame 0
0 0x76c5feac in __GI___libc_free (mem=) at malloc.c:3123
3123 ar_ptr = arena_for_chunk (p); (gdb) frame 1
1 0x76ae1ae8 in poll_for_reply () at ../../libxcb-1.12/src/xcb_in.c:457
457 free(head);