Fri, 2 Aug 2024 at 14:53, Solar Designer <so...@openwall.com> wrote:
>
> On Fri, Aug 02, 2024 at 02:41:18PM +0000, Dane Bouchie wrote:
> > The client chooses the security type, so they can pass in "None" to the
> > switch statement. is_allowed_security_type() now prevents that.
>
> Oh, so was the issue a trivial authentication bypass? Evidently, logic
> errors like this are easy to miss in plain sight.
>

Yes, and yes.

> switch (type) {
> case RFB_SECURITY_TYPE_NONE:
>         security_handshake_ok(client, NULL);
>         client->state = VNC_CLIENT_STATE_WAITING_FOR_INIT;
>         break;
>
> Should the above RFB_SECURITY_TYPE_NONE support continue to exist in the
> code at all, if RFB_SECURITY_TYPE_NONE is never added to the allowed
> security types array that the code now pre-checks against? Maybe it
> should be #if 0'ed out, leaving it only as an example for debugging?

It is added to the list if no authentication is required.

Regards,
Andri
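A stand-alone model of the pre-check discussed in this thread, added here as an example and not the project's own code: is_allowed_security_type() and RFB_SECURITY_TYPE_NONE are taken from the thread, while the VNC_AUTH value, the server_security struct, dispatch_unchecked() and negotiate() are constructed for illustration.

```c
/* Added example of the allow-list pre-check; not the project's own code. Only
 * is_allowed_security_type() and RFB_SECURITY_TYPE_NONE appear in the thread;
 * every other name here is constructed for illustration. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

enum rfb_security_type { RFB_SECURITY_TYPE_NONE = 1, RFB_SECURITY_TYPE_VNC_AUTH = 2 };
enum outcome { REJECTED, AUTHENTICATED_NONE, NEEDS_VNC_AUTH };

/* Security types the server actually offered; the client's pick must be one of them. */
struct server_security { uint8_t allowed[4]; size_t n_allowed; };

static void server_security_init(struct server_security *s, bool require_auth)
{
	s->n_allowed = 0;
	/* NONE goes on the list only when no authentication is required. */
	s->allowed[s->n_allowed++] =
		require_auth ? RFB_SECURITY_TYPE_VNC_AUTH : RFB_SECURITY_TYPE_NONE;
}

static bool is_allowed_security_type(const struct server_security *s, uint8_t type)
{
	for (size_t i = 0; i < s->n_allowed; ++i)
		if (s->allowed[i] == type)
			return true;
	return false;
}

/* Vulnerable shape: the switch trusts whatever type byte the client sent, so a
 * client can pick NONE even when the server only offered VNC_AUTH. */
static enum outcome dispatch_unchecked(uint8_t type)
{
	switch (type) {
	case RFB_SECURITY_TYPE_NONE:     return AUTHENTICATED_NONE;
	case RFB_SECURITY_TYPE_VNC_AUTH: return NEEDS_VNC_AUTH;
	default:                         return REJECTED;
	}
}

/* Fixed shape: consult the offered list before reaching the switch. */
static enum outcome negotiate(bool require_auth, uint8_t client_choice)
{
	struct server_security s;
	server_security_init(&s, require_auth);
	if (!is_allowed_security_type(&s, client_choice))
		return REJECTED;
	return dispatch_unchecked(client_choice);
}
```

With authentication required, negotiate(true, RFB_SECURITY_TYPE_NONE) returns REJECTED, whereas dispatch_unchecked() on the same byte would have reported the client as authenticated.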