Bug 1171717

Summary: SPICE ActiveX plugin crashes when menu is longer than 4096 B
Product: Red Hat Enterprise Virtualization Manager
Reporter: Frantisek Kobzik <fkobzik>
Component: spice-activex-win
Assignee: Uri Lublin <uril>
Status: CLOSED ERRATA
QA Contact: SPICE QE bug list <spice-qe-bugs>
Severity: high
Priority: unspecified
Version: 3.5.0
CC: bmcclain, cfergeau, dblechte, gklein, jbelka, lsurette, michal.skrivanek, rbalakri, Rhev-m-bugs, tpelka, yeylon, ykaul
Target Milestone: ovirt-3.6.0-rc
Target Release: 3.6.0
Hardware: Unspecified
OS: Windows
Fixed In Version: spicex-win-3.6-3 rhevm-spice-client-3.6-4
Doc Type: Bug Fix
Doc Text:
Previously, the SPICE ActiveX plug-in sometimes crashed if a dynamic menu string larger than 4096 bytes was set. This happened because the menu string property in the SPICE ActiveX plug-in was stored in a 4096-byte array, and when a new menu string was set, its size was not checked. This was fixed by making the menu string property dynamically allocated according to the size of the new string. Additionally, to limit the memory allocated, the SPICE ActiveX plug-in also checks and rejects all strings that are too large. Strings are now sent to the client as UTF-8, and the size of log messages is limited. As a result, the plug-in no longer crashes when given a large menu string.
Last Closed: 2016-03-09 20:04:52 UTC
Type: Bug
oVirt Team: Spice
Bug Blocks: 1162792

Description Frantisek Kobzik 2014-12-08 13:11:07 UTC
Description of problem:
When the dynamic menu of the SPICE ActiveX plugin is big enough (> 4096), the plugin crashes. The crash is probably caused by the limited size of the dynamic menu in the client:

SpiceXCommon.h:#define RED_CLIENT_MAX_MENU_SIZE        4096

After adjusting the dynamicMenu string so that it is smaller than 4k, the console connects fine.

NOTE: The bug was repeatedly reproduced on Win8 with IE 10 by various users. I couldn't reproduce the bug on Win7 & IE9.

Version-Release number of selected component (if applicable):
Spice 5.0.3.5002
rhevm-3.5 vt9
IE 10 on Win8 32-bit

Steps to Reproduce:
1. Try to connect to a SPICE VM using browser plugin on Win8 32-bit & IE10.

Actual results:
IE crashes.

Expected results:
IE doesn't crash.

Additional info:
IE doesn't crash if some part (some ISOs) of dynamic menu is dynamically deleted using IE Developer tools.

Comment 1 Uri Lublin 2014-12-15 16:23:34 UTC
I can reproduce the problem, using the html test page + setting the menu size to 16 bytes.

So 4096 bytes is not enough for the menu.
How much is enough?
How did the menu string get so long?

One way of fixing this bug is to reject (return an invalid-param error) such long menu strings. That's probably not going to help rhev-m.

Another option is to use a dynamically allocated string, std::wstring.
This solution trusts RHEV-M to not send much longer strings (MB/GB).

Comment 2 Frantisek Kobzik 2014-12-16 08:44:58 UTC
I could reproduce using a file that is around 5.3k. This size is not unrealistic since the dynamic menu contains CDs from the ISO domain (which can grow to really big sizes).

I think 1 MB is enough for everyone :) (as Michal pointed out, dynamic allocation with no limits/checking could DoS clients).
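
The two options weighed in Comments 1 and 2 (dynamic allocation, plus rejecting oversized strings) combine into the pattern below. This is an added example, not code from the SPICE ActiveX plug-in: LegacyMenu, MenuProperty, SetResult and MAX_MENU_BYTES are hypothetical names, and the 1 MB cap is assumed from Comment 2 because the page does not state the limit the fix actually uses.

```cpp
#include <cstddef>
#include <cwchar>
#include <string>

// Value quoted on the page from SpiceXCommon.h.
constexpr std::size_t RED_CLIENT_MAX_MENU_SIZE = 4096;
// Assumed cap for this sketch: the 1 MB figure floated in Comment 2.
constexpr std::size_t MAX_MENU_BYTES = 1024 * 1024;

enum class SetResult { Ok, InvalidParam };

// "Before" pattern from the Doc Text: fixed 4096-byte array, no size check.
// Shown for contrast only; set() writes past buf for longer input.
struct LegacyMenu {
    wchar_t buf[RED_CLIENT_MAX_MENU_SIZE / sizeof(wchar_t)];
    void set(const wchar_t* s) { std::wcscpy(buf, s); }
};

// True when a string (plus terminator) would not fit the legacy array.
bool overflows_legacy(const std::wstring& s) {
    return (s.size() + 1) * sizeof(wchar_t) > RED_CLIENT_MAX_MENU_SIZE;
}

// "After" pattern: dynamically sized storage plus an upper bound.
class MenuProperty {
public:
    SetResult set(const wchar_t* s, std::size_t max_bytes = MAX_MENU_BYTES) {
        if (s == nullptr) return SetResult::InvalidParam;
        const std::size_t max_chars = max_bytes / sizeof(wchar_t);
        std::size_t n = 0;
        // Bounded scan: give up as soon as the cap is exceeded, before
        // allocating anything; the stored value is untouched on rejection.
        while (s[n] != L'\0')
            if (++n > max_chars) return SetResult::InvalidParam;
        menu_.assign(s, n);
        return SetResult::Ok;
    }
    std::size_t size_bytes() const { return menu_.size() * sizeof(wchar_t); }
private:
    std::wstring menu_;
};

int main() {
    // Constructed input: about 5.3k bytes, the size reported in Comment 2.
    const std::wstring menu(5300 / sizeof(wchar_t), L'x');
    MenuProperty prop;
    return (overflows_legacy(menu) && prop.set(menu.c_str()) == SetResult::Ok) ? 0 : 1;
}
```

The length check runs before any allocation, so an oversized string costs only the bounded scan and never replaces the menu already stored.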

Comment 8 errata-xmlrpc 2016-03-09 20:04:52 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHEA-2016-0377.html