From 838c585cf6c899a0b48683a0b46ed01cc24d835c Mon Sep 17 00:00:00 2001 From: Susanooo Date: Fri, 25 Oct 2024 10:08:39 +0800 Subject: [PATCH] ui/vnc: don't return an empty SASL mechlist to the client MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The SASL initialization phase may determine that there are no valid mechanisms available to use. This may be because the host OS admin forgot to install some packages, or it might be because the requested SSF level is incompatible with available mechanisms, or other unknown reasons. If we return an empty mechlist to the client, they're going to get a failure from the SASL library on their end and drop the connection. Thus there is no point even sending this back to the client, we can just drop the connection immediately. Reviewed-by: Marc-André Lureau Signed-off-by: Daniel P. Berrangé Signed-off-by: zhangchujun --- ui/vnc-auth-sasl.c | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/ui/vnc-auth-sasl.c b/ui/vnc-auth-sasl.c index 47fdae5b21..e321c9decc 100644 --- a/ui/vnc-auth-sasl.c +++ b/ui/vnc-auth-sasl.c @@ -674,6 +674,13 @@ void start_auth_sasl(VncState *vs) } trace_vnc_auth_sasl_mech_list(vs, mechlist); + if (g_str_equal(mechlist, "")) { + trace_vnc_auth_fail(vs, vs->auth, "no available SASL mechanisms", ""); + sasl_dispose(&vs->sasl.conn); + vs->sasl.conn = NULL; + goto authabort; + } + vs->sasl.mechlist = g_strdup(mechlist); mechlistlen = strlen(mechlist); vnc_write_u32(vs, mechlistlen); -- 2.41.0.windows.1