
Re: [virt-tools-list] [PATCH virt-viewer 15/19] Hook up handling of Monitors



On Tue, Jul 17, 2012 at 03:02:46PM +0200, Marc-André Lureau wrote:
> On Tue, Jul 17, 2012 at 2:52 PM, Christophe Fergeau <cfergeau redhat com> wrote:
> > I'm concerned about malicious payload putting a huge number there for a
> > nasty purpose. Moreover, is this value coming from the server, or is it
> > coming from the qxl driver in the guest?
> 
> 
> I don't think this is a concern here. You might worry about a lot of
> other parts of spice then.. In general, it can be very hard to verify
> integrity,

I'm indeed worried about the day when someone starts actively fuzzing the
spice protocol...


> and I guess we rely on lower level of the stack to do that for us.

Except I'm not sure any part of the stack is doing this for us, is there
such a part? In this specific case, the protocol can handle an arbitrary
number of monitors as I understand it, it's the client code that cannot
handle too many monitors, so limiting the number of monitors here would
make sense.
It's an issue I wanted to raise, I'm not saying this must be fixed in this
patch.

Christophe
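
The client-side bound raised in this message, sketched as an added example (it is not part of the original mail and is not virt-viewer or SPICE code). The wire layout, the limit of 4 and all names are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed for this example (not SPICE's real wire format or limit). */
#define CLIENT_MAX_MONITORS 4u  /* what the client code can handle */
#define HDR_LEN   4u            /* little-endian uint32 monitor count */
#define ENTRY_LEN 16u           /* x, y, width, height as LE uint32 */

struct monitor { uint32_t x, y, width, height; };

static uint32_t rd_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Returns the number of monitors stored in out[], or -1 if rejected. */
int parse_monitors(const uint8_t *buf, size_t len,
                   struct monitor out[CLIENT_MAX_MONITORS])
{
    if (buf == NULL || len < HDR_LEN)
        return -1;
    uint32_t count = rd_le32(buf);
    /* Cap the untrusted count first, before it is used in any arithmetic. */
    if (count > CLIENT_MAX_MONITORS)
        return -1;
    /* count <= 4 here, so the multiplication cannot overflow. The payload
     * must hold exactly the announced entries: no short read, no trailing data. */
    if (len - HDR_LEN != (size_t)count * ENTRY_LEN)
        return -1;
    for (uint32_t i = 0; i < count; i++) {
        const uint8_t *e = buf + HDR_LEN + (size_t)i * ENTRY_LEN;
        out[i].x = rd_le32(e);
        out[i].y = rd_le32(e + 4);
        out[i].width = rd_le32(e + 8);
        out[i].height = rd_le32(e + 12);
    }
    return (int)count;
}

int main(void)
{
    /* Constructed message: count field 0xffffffff with no entries. */
    const uint8_t huge[HDR_LEN] = { 0xff, 0xff, 0xff, 0xff };
    struct monitor mons[CLIENT_MAX_MONITORS];
    printf("oversized count -> %d\n", parse_monitors(huge, sizeof huge, mons));
    return 0;
}
```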


