Commit Graph

723 Commits

Author SHA1 Message Date
Gerd Hoffmann
f8c223f69a gtk: bind to text terminal consoles too
This way gtk has text terminal consoles even when building without vte.
Most notably you'll get a monitor tab on windows now.

Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2015-04-22 13:21:16 +02:00
Gerd Hoffmann
f98f43eab0 gtk: handle switch_surface(NULL) properly
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2015-04-22 13:21:16 +02:00
Daniel P. Berrange
2cdb5e142f CVE-2015-1779: limit size of HTTP headers from websockets clients
The VNC server websockets decoder will read and buffer data from
websockets clients until it sees the end of the HTTP headers,
as indicated by \r\n\r\n. In theory this allows a malicious to
trick QEMU into consuming an arbitrary amount of RAM. In practice,
because QEMU runs g_strstr_len() across the buffered header data,
it will spend increasingly long burning CPU time searching for
the substring match and less & less time reading data. So while
this does cause arbitrary memory growth, the bigger problem is
that QEMU will be burning 100% of available CPU time.

A novnc websockets client typically sends headers of around
512 bytes in length. As such it is reasonable to place a 4096
byte limit on the amount of data buffered while searching for
the end of HTTP headers.

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2015-04-01 17:12:55 +02:00
Daniel P. Berrange
a2bebfd6e0 CVE-2015-1779: incrementally decode websocket frames
The logic for decoding websocket frames wants to fully
decode the frame header and payload, before allowing the
VNC server to see any of the payload data. There is no
size limit on websocket payloads, so this allows a
malicious network client to consume 2^64 bytes in memory
in QEMU. It can trigger this denial of service before
the VNC server even performs any authentication.

The fix is to decode the header, and then incrementally
decode the payload data as it is needed. With this fix
the websocket decoder will allow at most 4k of data to
be buffered before decoding and processing payload.

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>

[ kraxel: fix frequent spurious disconnects, suggested by Peter Maydell ]

  @@ -361,7 +361,7 @@ int vncws_decode_frame_payload(Buffer *input,
  -        *payload_size = input->offset;
  +        *payload_size = *payload_remain;

[ kraxel: fix 32bit build ]

  @@ -306,7 +306,7 @@ struct VncState
  -    uint64_t ws_payload_remain;
  +    size_t ws_payload_remain;

Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2015-04-01 17:11:34 +02:00
Hervé Poussineau
4cdfc93526 gtk: do not call gtk_widget_get_window if drawing area is not initialized
This prevents gtk_widget_get_window to return a NULL pointer.

Signed-off-by: Hervé Poussineau <hpoussin@reactos.org>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2015-03-26 17:58:12 +01:00
Daniel P. Berrange
4a48aaa9f5 ui: ensure VNC websockets server checks the ACL if requested
If the x509verify option is requested, the VNC websockets server
was failing to validate that the websockets client provided an
x509 certificate matching the ACL rules.

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2015-03-18 09:25:14 +01:00
Daniel P. Berrange
7b45a00d05 ui: remove separate gnutls_session for websockets server
The previous change to the auth scheme handling guarantees we
can never have nested TLS sessions in the VNC websockets server.
Thus we can remove the separate gnutls_session instance.

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2015-03-18 09:25:14 +01:00
Daniel P. Berrange
51941e4695 ui: enforce TLS when using websockets server
When TLS is required, the primary VNC server considers it to be
mandatory. ie the server admin decides whether or not TLS is used,
and the client has to comply with this decision. The websockets
server, however, treated it as optional, allowing non-TLS clients
to connect to a server which had setup TLS. Thus enabling websockets
lowers the security of the VNC server leaving the admin no way to
enforce use of TLS.

This removes the code that allows non-TLS fallback in the websockets
server, so that if TLS is requested for VNC it is now mandatory for
both the primary VNC server and the websockets VNC server.

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2015-03-18 09:25:13 +01:00
Daniel P. Berrange
f9148c8ae7 ui: fix setup of VNC websockets auth scheme with TLS
The way the websockets TLS code was integrated into the VNC server
made it essentially useless. The only time that the websockets TLS
support could be used is if the primary VNC server had its existing
TLS support disabled. ie QEMU had to be launched with:

  # qemu -vnc localhost:1,websockets=5902,x509=/path/to/certs

Note the absence of the 'tls' flag. This is already a bug, because
the docs indicate that 'x509' is ignored unless 'tls' is given.

If the primary VNC server had TLS turned on via the 'tls' flag,
then this prevented the websockets TLS support from being used,
because it activates the VeNCrypt auth which would have resulted
in TLS being run over a TLS session. Of course no websockets VNC
client supported VeNCrypt so in practice, since the browser clients
cannot setup a nested TLS session over the main HTTPS connection,
so it would not even get past auth.

This patch causes us to decide our auth scheme separately for the
main VNC server vs the websockets VNC server. We take account of
the fact that if TLS is enabled, then the websockets client will
use https, so setting up VeNCrypt is thus redundant as it would
lead to nested TLS sessions.

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2015-03-18 09:25:13 +01:00
Daniel P. Berrange
0dd72e1531 ui: split setup of VNC auth scheme into separate method
The vnc_display_open method is quite long and complex, so
move the VNC auth scheme decision logic into a separate
method for clarity.

Also update the comment to better describe what we are
trying to achieve.

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2015-03-18 09:25:13 +01:00
Daniel P. Berrange
d169f04b8b ui: report error if user requests VNC option that is unsupported
If the VNC server is built without tls, sasl or websocket support
and the user requests one of these features, they are just silently
ignored. This is bad because it means the VNC server ends up running
in a configuration that is less secure than the user asked for.
It also leads to an tangled mass of preprocessor conditionals when
configuring the VNC server.

This ensures that the tls, sasl & websocket options are always
processed and an error is reported back to the user if any of
them were disabled at build time.

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2015-03-18 09:25:13 +01:00
Daniel P. Berrange
153130cd4f ui: replace printf() calls with VNC_DEBUG
Handling of VNC audio messages results in printfs to the console.
This is of no use to anyone in production, so should be using the
normal VNC_DEBUG macro instead.

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2015-03-18 09:25:13 +01:00
Daniel P. Berrange
a2f45bc02a ui: remove unused 'wiremode' variable in VncState struct
Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2015-03-18 09:25:13 +01:00
Markus Armbruster
f3cf80e805 vnc: Fix QMP change not to use funky error class
Error classes are a leftover from the days of "rich" error objects.
New code should always use ERROR_CLASS_GENERIC_ERROR.  Commit 1d0d59f
added a use of ERROR_CLASS_DEVICE_NOT_FOUND.  Replace it.

Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2015-03-17 14:24:26 +01:00
Peter Maydell
dea4635998 misc ui patches, mostly sdl related.
-----BEGIN PGP SIGNATURE-----
 Version: GnuPG v2.0.22 (GNU/Linux)
 
 iQIcBAABAgAGBQJVAafbAAoJEEy22O7T6HE4t4kP/0uizYcn7yoSt2JREKmn6/lh
 dc3cAxuwcxEZ8KXUxWSGCSheQDDdYAaKyK06pl8GUncnRSUOpSvcRvjN6IE7GVZP
 6VQu5cdE69rPKPOIxvGApLbXvwqkngYCiDyKdFiJ/pjn4E7zA5yjv4YOa8LkQsMU
 L9iqPF5NogQ9yZiTepeWULJU/6kqhOAb4gfueGEC5SrePoa8E7chaBF8EjYt+IBB
 E1BJjZ12mtXHgG5mDVL7ysWrPTXMqDJSGKdFfV8uICFK21E0pN4uG6U4mq6+t3rY
 g2KJ3X//3KSSg9vJnNGpFSTSuXqRmf6cgpK0I+r+v99mKpuNRPNPSYBT0GWEfZUX
 TYxL3fTw03PqSHsL/Ep+ppmWOwwNPsryahoCBtPUHNnd48HluTlV62ONyQah8XTk
 TzAaeuGcbAwMwrLjzn92Qz4Dx/8Bdnj67tqGSYVqv+dOKlko41sgY0Q0n9TU1t6P
 oEOEfQvrnfot8Wey4tZ3jAfdxrf1Jr3bc1zehzVWCRusBTt7iCFpWi8kMA6PEfGX
 aivQXBbBJBzJ6B91asKLizjvVBiNvavy+BDWIBNYH++lou9htrdWg23qpH7etWOE
 S9IIFIR57P1+gSdr9k4Bed4B0A9qz5GQA6I1CHHyQSz6S8PU2s8YKC2viljr+hyn
 riFN11We9O20RVL1k7PX
 =OoVt
 -----END PGP SIGNATURE-----

Merge remote-tracking branch 'remotes/kraxel/tags/pull-sdl-20150312-2' into staging

misc ui patches, mostly sdl related.

# gpg: Signature made Thu Mar 12 14:51:07 2015 GMT using RSA key ID D3E87138
# gpg: Good signature from "Gerd Hoffmann (work) <kraxel@redhat.com>"
# gpg:                 aka "Gerd Hoffmann <gerd@kraxel.org>"
# gpg:                 aka "Gerd Hoffmann (private) <kraxel@gmail.com>"

* remotes/kraxel/tags/pull-sdl-20150312-2:
  pixman: add a bunch of PIXMAN_BE_* defines for 32bpp
  Allow the use of X11 from a non standard location.
  configure: opengl overhaul
  sdl: Fix crash when calling sdl_switch() with NULL surface
  sdl: Refresh debug statements

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2015-03-13 14:03:31 +00:00
Benjamin Herrenschmidt
d28d6505bd sdl: Fix crash when calling sdl_switch() with NULL surface
This happens for example when doing ctrl-alt-u and segfaults

Signed-off-by: Benjamin Herrenschmidt <benh@kernel.crashing.org>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2015-03-12 12:54:23 +01:00
Benjamin Herrenschmidt
5f5d82ddf1 sdl: Refresh debug statements
Put them under a #define similar to the VGA model and make them
actually compile. Add a couple too.

Signed-off-by: Benjamin Herrenschmidt <benh@kernel.crashing.org>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2015-03-12 12:54:23 +01:00
Gonglei
81607cbfa4 vnc: fix segmentation fault when invalid vnc parameters are specified
Reproducer:
 #./qemu-system-x86_64 -vnc :0,ip
qemu-system-x86_64: -vnc :1,ip: Invalid parameter 'ip'
Segmentation fault (core dumped)

Signed-off-by: Gonglei <arei.gonglei@huawei.com>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2015-03-12 09:09:10 +01:00
Gonglei
b3c33f9173 vnc: avoid possible file handler leak
vs->lsock may equal to 0, modify the check condition,
avoid possible vs->lsock leak.

Signed-off-by: Gonglei <arei.gonglei@huawei.com>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2015-03-12 08:22:12 +01:00
Gonglei
f76b84a04b ui/console: fix OVERFLOW_BEFORE_WIDEN
Signed-off-by: Gonglei <arei.gonglei@huawei.com>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2015-03-12 08:22:12 +01:00
Daniel P. Berrange
8c7d064573 ui: fix regression in x509verify parameter for VNC server
The 'x509verify' parameter is documented as taking a path to the
x509 certificates, ie the same syntax as the 'x509' parameter.

  commit 4db14629c3
  Author: Gerd Hoffmann <kraxel@redhat.com>
  Date:   Tue Sep 16 12:33:03 2014 +0200

    vnc: switch to QemuOpts, allow multiple servers

caused a regression by turning 'x509verify' into a boolean
parameter instead. This breaks setup from libvirt and is not
consistent with the docs.

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2015-03-12 08:22:12 +01:00
Gerd Hoffmann
e556032960 vnc: switch to inet_listen_opts
Use inet_listen_opts instead of inet_listen.  Allows us to drop some
pointless indirection:  Format strings just to parse them again later on.

Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Tested-by: Gonglei <arei.gonglei@huawei.com>
Reviewed-by: Gonglei <arei.gonglei@huawei.com>
2015-03-12 08:22:07 +01:00
Gerd Hoffmann
fc5c3ff751 vnc: remove dead code
If vs->ws_enabled is set ws_display is non-NULL.

Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Reviewed-by: Gonglei <arei.gonglei@huawei.com>
2015-03-12 08:22:07 +01:00
Gerd Hoffmann
bf7aa45e7b vnc: drop display+ws_display from VncDisplay
Nobody cares about those strings, they are only used to check whenever
the vnc server / websocket support is enabled or not.  Add bools for
this and drop the strings.

Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Reviewed-by: Gonglei <arei.gonglei@huawei.com>
2015-03-12 08:22:07 +01:00
Peter Maydell
21025c29f5 vnc bugfixes.
-----BEGIN PGP SIGNATURE-----
 Version: GnuPG v2.0.22 (GNU/Linux)
 
 iQIcBAABAgAGBQJU/sl/AAoJEEy22O7T6HE4LukP/07iHj+f3/9kZZzzE92urNJx
 NwXfdWvx+cr6bRHmkuoab6W14HZnsuwPOP8k6sHJnA5Jxl0IhFF9UsZZwrNXC9GB
 S1za5jd63C6ZsSP1FaItFTsd4ENAfjoeu1+92qNqnxJzQqttaMnTPPeNZXmyD+1n
 WZJwEMIffY9qukgZhaZwhPY0igjZHMrrkB4xoIUbCOUwL/t2tadXwQmdZzROwNsB
 Uslr34Tl7bC0vuNo6ZAed8OTI4cCqA/3N0W3xKOYrsFNjhRN+F4MDGtuAFlSzNJj
 tZFF4a73KKcWvFnTNMN1CUNSJd9+CGTc5gEmqie6yRHdNiEgCQTwGg69j3mODd/J
 3OBHdqK26hyzgvtFVEatcOA93YKDlFNJGidqVUpsGBS9mD3s/ddBZAsx0lv9evHC
 ejGhR22z6P7MeOIv3nig1lE9rDWw/It07wWTtQMK4XzZexYZNPbiB/0wdYqcgRVk
 YuVMcStl8EGB2S/CeWoILVWGy7PsJMV2OLZHzw5IrWwrRClQP4N0aA2t09aIPvMQ
 u0imH6fsj4Nv/pCys+nONvRgIRZDLBV5/amTJzMB2kUcUWohGAQ6Cj3dgdMec0xA
 PlpEZM8PaxC9wxRp6nZ0bMV3xN5oZTR6dWTDvP7NcrrvaZw30Sp7t7/SlDmx/oIG
 /yDiLcNWiCzhmQD2fWjg
 =mH6B
 -----END PGP SIGNATURE-----

Merge remote-tracking branch 'remotes/kraxel/tags/pull-vnc-20150310-1' into staging

vnc bugfixes.

# gpg: Signature made Tue Mar 10 10:37:51 2015 GMT using RSA key ID D3E87138
# gpg: Good signature from "Gerd Hoffmann (work) <kraxel@redhat.com>"
# gpg:                 aka "Gerd Hoffmann <gerd@kraxel.org>"
# gpg:                 aka "Gerd Hoffmann (private) <kraxel@gmail.com>"

* remotes/kraxel/tags/pull-vnc-20150310-1:
  Fix crash when connecting to VNC through websocket
  vnc: -readconfig fix
  vnc: set id at parse time not init time

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2015-03-10 19:28:09 +00:00
Jorge Acereda Maciá
b57489cfe4 Fix crash when connecting to VNC through websocket
Connecting to VNC through websocket crashes in vnc_flush() when trying
to acquire a mutex that hasn't been initialized (vnc_init_state(vs)
hasn't been called at this point).

Signed-off-by: Jorge Acereda Macia <jacereda@gmail.com>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2015-03-10 11:33:42 +01:00
Gerd Hoffmann
9634f4e3b7 vnc: set id at parse time not init time
This way the generated id will be stored in -writeconfig cfg files.
Also we can make vnc_auto_assign_id() local to vnc.c.

Tested-by: Markus Armbruster <armbru@redhat.com>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2015-03-10 11:33:35 +01:00
Wang Xin
09f4fbe473 qemu-char: add cyrillic characters 'numerosign' to VNC keysyms
This patch adds missing cyrillic character 'numerosign' to the VNC
keysym table, it's needed by Russian keyboard. And I get the keysym from
'<X11/keysymdef.h>', the current keysym table in Qemu was generated from
it.

Signed-off-by: Wang xin <wangxinxin.wang@huawei.com>
Signed-off-by: Gonglei <arei.gonglei@huawei.com>
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
2015-03-10 08:15:34 +03:00
Thomas Huth
09526058d0 ui/vnc: Remove vnc_stop_worker_thread()
This function is not used anymore, let's remove it.

Signed-off-by: Thomas Huth <thuth@linux.vnet.ibm.com>
Reviewed-by: Gerd Hoffmann <kraxel@redhat.com>
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
2015-03-10 08:15:33 +03:00
Thomas Huth
b67072f0ab ui: Removed unused functions
Remove qemu_console_displaystate(), qemu_remove_kbd_event_handler(),
qemu_different_endianness_pixelformat() and cpkey(), since they are
completely unused.

Signed-off-by: Thomas Huth <thuth@linux.vnet.ibm.com>
Reviewed-by: Gerd Hoffmann <kraxel@redhat.com>
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
2015-03-10 08:15:33 +03:00
Peter Maydell
68b459eaa6 hmp: Normalize HMP command handler names
-----BEGIN PGP SIGNATURE-----
 Version: GnuPG v1
 
 iQIcBAABAgAGBQJU5HCgAAoJEDhwtADrkYZT0gcP/ijfMUqLlOPMagm5ggDCx/HK
 IFFgcrynQNS6FwTNSIEW04So4q2EMbqwuTEpZ5pe330brGy0U/UgkVmz76BkyoXT
 9LcgKwtVytfc/niF4k5nIKXrasNG1DHPrhd+zx/oTvwmC/8r+NqHZoPOjNaOPLCX
 18SWJMy57l47XAzVOUoFHEW3mEO5YjF8qo3eRcbUWEWXkRp6wg/d2f9nkiHIAfcB
 0XVso0PUJ3jID/WkNqb9JoexTnH5rQSkbeJVZWed8iSAt2cCi+pnE/RjL75M9VF8
 3mPh2Zhi1lEV4qsYQH1OY7909RtKIj7EBDd7kuUWBi1oSIEaIn5GjNWBGCmBbPbY
 0ZVhGFXFvvtI+tPEK3aqRSlyENReT29oKfEv0LAKoUQFBl+jb7qqBns4cfOF+i26
 Tb4cnzqN1rdnlCNemTQATOrr01JAZEkdp3NHq+Bx967ocP3zxfL+pX2Q/3S8aFDs
 j9Ynq+3FvweeDKeYbHKKscELII1DZcNs1CYJOtJIl+XgzowfgpoTRP7P/e2qFM+z
 ey5qF8nc3mW8tVSkotMeeseFe9tj1xxIV+CslTRiYqnxHnmq4HgsN3DoDtnyy9De
 g3U0d9rgBKFPEkAWXg939GXbH2HVUqLkOSy50WGRruP4dzco7BhLyhQimqPchBFj
 b7P40f6NyWCYDhzJu6+N
 =Kleh
 -----END PGP SIGNATURE-----

Merge remote-tracking branch 'remotes/armbru/tags/pull-monitor-2015-02-18' into staging

hmp: Normalize HMP command handler names

# gpg: Signature made Wed Feb 18 10:59:44 2015 GMT using RSA key ID EB918653
# gpg: Good signature from "Markus Armbruster <armbru@redhat.com>"
# gpg:                 aka "Markus Armbruster <armbru@pond.sub.org>"

* remotes/armbru/tags/pull-monitor-2015-02-18:
  hmp: Name HMP info handler functions hmp_info_SUBCOMMAND()
  hmp: Name HMP command handler functions hmp_COMMAND()
  hmp: Clean up declarations for long-gone info handlers

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2015-02-25 13:14:37 +00:00
Markus Armbruster
3e5a50d64c hmp: Name HMP command handler functions hmp_COMMAND()
Some are called do_COMMAND() (old ones, usually), some hmp_COMMAND(),
and sometimes COMMAND pointlessly differs in spelling.

Normalize to hmp_COMMAND(), where COMMAND is exactly the command name
with '-' replaced by '_'.

Exceptions:

* do_device_add() and client_migrate_info() *not* renamed to
  hmp_device_add(), hmp_client_migrate_info(), because they're also
  QMP handlers.  They still need to be converted to QAPI.

* do_memory_dump(), do_physical_memory_dump(), do_ioport_read(),
  do_ioport_write() renamed do hmp_* instead of hmp_x(), hmp_xp(),
  hmp_i(), hmp_o(), because those names are too cryptic for my taste.

* do_info_help() renamed to hmp_info_help() instead of hmp_info(),
  because it only covers help.

Signed-off-by: Markus Armbruster <armbru@redhat.com>
2015-02-18 11:58:30 +01:00
Gerd Hoffmann
9e0ff75e51 vnc: fix coverity warning
vnc_display_local_addr will not be called with an invalid display id.
Add assert() to silence coverity warning about a null pointer dereference.

Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2015-02-16 08:48:00 +01:00
Peter Lieven
0e7d6f6083 ui/vnc: optimize full scanline updates
in case we send and update for a complete scanline increment
the y offset to avoid running to find_next_bit for that lines
twice.

Signed-off-by: Peter Lieven <pl@kamp.de>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2015-02-16 08:48:00 +01:00
Gonglei
2779672fa3 vnc: introduce an wrapper for auto assign vnc id
Signed-off-by: Gonglei <arei.gonglei@huawei.com>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2015-02-16 08:47:59 +01:00
Gonglei
a2c72de096 vnc: using bool type instead of int for QEMU_OPT_BOOL
Signed-off-by: Gonglei <arei.gonglei@huawei.com>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2015-02-16 08:47:59 +01:00
Gonglei
e2a11d9d5a vnc: correct missing property about vnc_display
Missing three property for vnc socket connection,
revalue display variable with correct way.

Signed-off-by: Gonglei <arei.gonglei@huawei.com>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2015-02-16 08:47:59 +01:00
Gonglei
88428b7a93 vnc: fix qemu crash when not configure vnc option
Add missing vnc options: to, ipv4, ipv6 and fix
qemu crash.

Reproducer:
$ x86_64-softmmu/qemu-system-x86_64
qemu-system-x86_64: Invalid parameter 'to'
Segmentation fault (core dumped)

BTW the patch fix the below bug:
https://bugs.launchpad.net/qemu/+bug/1414222

Signed-off-by: Gonglei <arei.gonglei@huawei.com>
Reviewed-by: Don Slutz <dslutz@verizon.com>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2015-02-16 08:47:59 +01:00
Markus Armbruster
4b3be73006 vnc: g_realloc() can't fail, bury dead error handling
Signed-off-by: Markus Armbruster <armbru@redhat.com>
Reviewed-by: Eric Blake <eblake@redhat.com>
Reviewed-by: Gonglei <arei.gonglei@huawei.com>
Reviewed-by: Thomas Huth <thuth@linux.vnet.ibm.com>
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
2015-02-10 09:27:20 +03:00
Peter Maydell
adeecf14d6 spice: fix coverity defect, add unix address support
-----BEGIN PGP SIGNATURE-----
 Version: GnuPG v2.0.22 (GNU/Linux)
 
 iQIcBAABAgAGBQJUwNxEAAoJEEy22O7T6HE4srMQAIBKASUv8434NMAtnRKmMtUk
 auQrl+ZZjjluymrULtGjXaCHpw0o8taMjRhFi21ODuQFEbHm8oo2NThSY2gxmg91
 sQIR5WNb9O4a6S3jAH/XVf/iTBDaPIcFVSeuML7+YhXp3rhIfBMIj6trsK/iWSGD
 qCDWKMORZAdGrGPh6wzskmfR2fRm/sXeXm7oqmEP0jawd0oIX+Chno5BbfXz4/WB
 18SV/b2nqiV4vGOZF7Lzyi0a5IcrJV9vl+kQRf446TbJbyoVZPZQp6qLOCL3UT4c
 P5MtON2XqFjJb2BvXN6Jg3sMSGYGixHtenHXLXCTRUCUD+CWMIwN+AeA9q17wiWJ
 bXjYROx6oQ1YmhXLaJI0N7dXTohBEYC54SoDjinjdIKKrf2rCjAr6B6eaqyidc4q
 GHCrOdL4jTkbcAiBJ/MgUBgay9OFbKkje7tK8BP1j7cWpDaz7lG8qErmwkzWW3DX
 PvZxumMYnQe5gVPI6nIT2dNTwRTofyavkb/1KnthJTeFqJa1ecFCjew8c9TLo0WO
 29WHTeuwtblUmRFarapaB2zRyt6LR+f75mRQHog3h1qFaBiaWYuMrtxoqrCq1RL2
 J0LRLnmVxKK2+nuAHM4xMvzLl7dLHKIHHMClhAj3E8rIHOnk8ssy9/lunDiq/VHt
 CENvqA32bzkZyW2fmT3H
 =BEw6
 -----END PGP SIGNATURE-----

Merge remote-tracking branch 'remotes/spice/tags/pull-spice-20150122-1' into staging

spice: fix coverity defect, add unix address support

# gpg: Signature made Thu 22 Jan 2015 11:17:24 GMT using RSA key ID D3E87138
# gpg: Good signature from "Gerd Hoffmann (work) <kraxel@redhat.com>"
# gpg:                 aka "Gerd Hoffmann <gerd@kraxel.org>"
# gpg:                 aka "Gerd Hoffmann (private) <kraxel@gmail.com>"

* remotes/spice/tags/pull-spice-20150122-1:
  spice: fix coverity reported defect in display code
  spice: add unix address support

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2015-01-22 13:56:11 +00:00
Gerd Hoffmann
4478aa768c monitor: add vnc websockets
Add websockets bool to VncBasicInfo, report websocket server sockets,
flag websocket client connections.

Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2015-01-22 11:18:47 +01:00
Gerd Hoffmann
df88768460 monitor: add query-vnc-servers command
Add new query vnc qmp command, for the lack of better ideas just name it
"query-vnc-servers".  Changes over query-vnc:

 * It returns a list of vnc servers, so multiple vnc server instances
   are covered.
 * Each vnc server returns a list of server sockets.  Followup patch
   will use that to also report websockets.  In case we add support for
   multiple server sockets server sockets (to better support ipv4+ipv6
   dualstack) we can add them to the list too.

Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2015-01-22 11:18:47 +01:00
Gerd Hoffmann
2d29a4368c vnc: factor out qmp_query_client_list
so we can reuse it for the new vnc query command.

Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2015-01-22 11:18:47 +01:00
Gerd Hoffmann
e5f34cdd2d vnc: track & limit connections
Also track the number of connections in "connecting" and "shared" state
(in addition to the "exclusive" state).  Apply a configurable limit to
these connections.

The logic to apply the limit to connections in "shared" state is pretty
simple:  When the limit is reached no new connections are allowed.

The logic to apply the limit to connections in "connecting" state (this
is the state you are in *before* successful authentication) is
slightly different:  A new connect kicks out the oldest client which is
still in "connecting" state.  This avoids a easy DoS by unauthenticated
users by simply opening connections until the limit is reached.

Cc: Dr. David Alan Gilbert <dgilbert@redhat.com>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2015-01-22 11:18:47 +01:00
Gerd Hoffmann
1d0d59fe29 vnc: allow binding servers to qemu consoles
This patch adds a display= parameter to the vnc options.  This allows to
bind a vnc server instance to a specific display, allowing to create a
multiseat setup with a vnc server for each seat.

Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2015-01-22 11:18:46 +01:00
Gerd Hoffmann
4db14629c3 vnc: switch to QemuOpts, allow multiple servers
This patch switches vnc over to QemuOpts, and it (more or less
as side effect) allows multiple vnc server instances.

Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2015-01-22 11:18:46 +01:00
Gerd Hoffmann
c8496408b4 vnc: add display id to acl names
In case the display id is "default" (which is the one you get if you
don't explicitly assign one) we keep the old name scheme, without
display, for backward compatibility reasons.

Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Reviewed-by: Gonglei <arei.gonglei@huawei.com>
2015-01-22 11:18:46 +01:00
Gerd Hoffmann
14f7143ede vnc: remove unused DisplayState parameter, add id instead.
DisplayState isn't used anywhere, drop it.  Add the vnc server ID as
parameter instead, so it is possible to specify the server instance.

Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Reviewed-by: Gonglei <arei.gonglei@huawei.com>
2015-01-22 11:18:46 +01:00
Gerd Hoffmann
d616ccc5dd vnc: remove vnc_display global
Replace with a vnc_displays list, so we can have multiple vnc server
instances.  Add vnc_server_find function to lookup a display by id.
With no id supplied return the first vnc server, for backward
compatibility reasons.

It is not possible (yet) to actually create multiple vnc server
instances.

Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Reviewed-by: Gonglei <arei.gonglei@huawei.com>
2015-01-22 11:18:46 +01:00
Gerd Hoffmann
51a0909914 spice: fix coverity reported defect in display code
Report:

1. Condition surface, taking false branch
406    if (surface && ssd->surface &&
407        surface_width(surface) == pixman_image_get_width(ssd->surface) &&
408        surface_height(surface) == pixman_image_get_height(ssd->surface)) {
409        /* no-resize fast path: just swap backing store */
...

10. alias_transfer: Assigning: ssd->ds = surface.
440    ssd->ds = surface;

11. var_deref_op: Dereferencing null pointer ssd->ds.
CID 1264334 (#1 of 1): Dereference after null check (FORWARD_NULL)
441    ssd->surface = pixman_image_ref(ssd->ds->image);

Fix:

Move code block dereferencing ssd->ds into the already existing
if (ssd->ds) { ... } block.

Cc: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2015-01-22 11:18:41 +01:00