From b138f6ca18c5a53388dae65f3c501d25bda37850 Mon Sep 17 00:00:00 2001
From: Armin Novak
Date: Wed, 5 Mar 2025 12:05:40 +0100
Subject: [PATCH 1/2] [core,gateway] add tsg checks

---
 libfreerdp/core/gateway/tsg.c | 81 ++++++++++++++++++++---------------
 1 file changed, 46 insertions(+), 35 deletions(-)

diff --git a/libfreerdp/core/gateway/tsg.c b/libfreerdp/core/gateway/tsg.c
index 4613d88af..ab74f2465 100644
--- a/libfreerdp/core/gateway/tsg.c
+++ b/libfreerdp/core/gateway/tsg.c
@@ -1504,7 +1504,6 @@ static BOOL tsg_ndr_read_consent_message(wLog* log, rdpContext* context, wStream
 static BOOL tsg_ndr_read_tunnel_context(wLog* log, wStream* s, CONTEXT_HANDLE* tunnelContext,
 UINT32* tunnelId)
 {
-
 if (!tsg_stream_align(log, s, 4))
 return FALSE;
 
@@ -1553,43 +1552,55 @@ static BOOL tsg_ndr_read_caps_response(wLog* log, rdpContext* context, wStream*
 Stream_Read_UINT32(s, MsgId); /* MsgId (4 bytes) */
 Stream_Read_UINT32(s, MsgType); /* MsgType (4 bytes) */
 Stream_Read_UINT32(s, IsMessagePresent); /* IsMessagePresent (4 bytes) */
- Stream_Read_UINT32(s, MessageSwitchValue); /* MessageSwitchValue (4 bytes) */
- }
-
- {
- UINT32 MsgPtr = 0;
- if (!tsg_ndr_pointer_read(log, s, index, &MsgPtr, TRUE))
- return FALSE;
- }
- if (!tsg_ndr_read_quarenc_data(log, s, index, &caps->pktQuarEncResponse))
- goto fail;
-
- switch (MessageSwitchValue)
- {
- case TSG_ASYNC_MESSAGE_CONSENT_MESSAGE:
- case TSG_ASYNC_MESSAGE_SERVICE_MESSAGE:
+ if (IsMessagePresent != 0)
 {
- if (!tsg_ndr_read_consent_message(log, context, s, index))
+
+ Stream_Read_UINT32(s, MessageSwitchValue); /* MessageSwitchValue (4 bytes) */
+
+ (void)MsgId; /* [MS-TSGU] 2.2.9.2.1.9 TSG_PACKET_MSG_RESPONSE MsgId is unused */
+ if (MsgType != MessageSwitchValue)
+ {
+ WLog_ERR(TAG,
+ "[MS-TSGU] 2.2.9.2.1.9 TSG_PACKET_MSG_RESPONSE MsgType[0x%08" PRIx32
+ "] != MessageSwitchValue [0x%08" PRIx32 "]",
+ MsgType, MessageSwitchValue);
 goto fail;
+ }
+
+ {
+ UINT32 MsgPtr = 0;
+ if (!tsg_ndr_pointer_read(log, s, index, &MsgPtr, TRUE))
+ return FALSE;
+ }
+ if (!tsg_ndr_read_quarenc_data(log, s, index, &caps->pktQuarEncResponse))
+ goto fail;
+
+ switch (MessageSwitchValue)
+ {
+ case TSG_ASYNC_MESSAGE_CONSENT_MESSAGE:
+ case TSG_ASYNC_MESSAGE_SERVICE_MESSAGE:
+ if (!tsg_ndr_read_consent_message(log, context, s, index))
+ goto fail;
+ break;
+
+ case TSG_ASYNC_MESSAGE_REAUTH:
+ {
+ if (!tsg_stream_align(log, s, 8))
+ goto fail;
+
+ if (!Stream_CheckAndLogRequiredLengthWLog(log, s, 8))
+ goto fail;
+
+ Stream_Seek_UINT64(s); /* TunnelContext (8 bytes) */
+ }
+ break;
+
+ default:
+ WLog_Print(log, WLOG_ERROR, "Unexpected Message Type: 0x%" PRIX32 "",
+ MessageSwitchValue);
+ goto fail;
+ }
 }
- break;
-
- case TSG_ASYNC_MESSAGE_REAUTH:
- {
- if (!tsg_stream_align(log, s, 8))
- goto fail;
-
- if (!Stream_CheckAndLogRequiredLengthWLog(log, s, 8))
- goto fail;
-
- Stream_Seek_UINT64(s); /* TunnelContext (8 bytes) */
- }
- break;
-
- default:
- WLog_Print(log, WLOG_ERROR, "Unexpected Message Type: 0x%" PRIX32 "",
- MessageSwitchValue);
- goto fail;
 }
 
 return tsg_ndr_read_tunnel_context(log, s, tunnelContext, tunnelId);
From 9be85188737d60feccccc5f00bcb09ea3b48b62e Mon Sep 17 00:00:00 2001
From: Armin Novak
Date: Wed, 5 Mar 2025 14:02:44 +0100
Subject: [PATCH 2/2] [client,common] fix gateway parameter parsing

Abort if an invalid /gateway:type:xxx parameter was passed.
---
 client/common/cmdline.c | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/client/common/cmdline.c b/client/common/cmdline.c
index b024776df..31f143e7d 100644
--- a/client/common/cmdline.c
+++ b/client/common/cmdline.c
@@ -3987,6 +3987,8 @@ static BOOL parse_gateway_cred_option(rdpSettings* settings, const char* value,
 
 static BOOL parse_gateway_type_option(rdpSettings* settings, const char* value)
 {
+ BOOL rc = FALSE;
+
 WINPR_ASSERT(settings);
 WINPR_ASSERT(value);
 
@@ -3997,6 +3999,7 @@ static BOOL parse_gateway_type_option(rdpSettings* settings, const char* value)
 !freerdp_settings_set_bool(settings, FreeRDP_GatewayHttpUseWebsockets, FALSE) ||
 !freerdp_settings_set_bool(settings, FreeRDP_GatewayArmTransport, FALSE))
 return FALSE;
+ rc = TRUE;
 }
 else
 {
@@ -4006,6 +4009,7 @@ static BOOL parse_gateway_type_option(rdpSettings* settings, const char* value)
 !freerdp_settings_set_bool(settings, FreeRDP_GatewayHttpTransport, TRUE) ||
 !freerdp_settings_set_bool(settings, FreeRDP_GatewayArmTransport, FALSE))
 return FALSE;
+ rc = TRUE;
 }
 else if (option_equals(value, "auto"))
 {
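Review bot: The `tsg_ndr_pointer_read` for `MsgPtr` and the `tsg_ndr_read_quarenc_data` call are now executed only inside the new `if (IsMessagePresent != 0)` block, whereas before this change both ran for every capabilities response. If the quarantine/encryption response data is marshalled regardless of the message flag (the wire layout is not visible here, so this needs checking against [MS-TSGU]), a response with `IsMessagePresent == 0` would leave `s` positioned in front of that data and the `tsg_ndr_read_tunnel_context` call at the end of the hunk would parse the wrong bytes; keeping the quarenc read in front of the conditional would preserve the previous behaviour. The new `MsgType != MessageSwitchValue` check logs through `WLog_ERR(TAG, ...)` while the rest of this function, including the `default:` arm a few lines below, uses `WLog_Print(log, WLOG_ERROR, ...)` on the passed-in `log`, so the new diagnostic ends up on a different logger; `WLog_Print(log, WLOG_ERROR, "[MS-TSGU] 2.2.9.2.1.9 ..."` would keep them together. The moved `MsgPtr` block still mixes `return FALSE` with the `goto fail` used by every other failure path in the hunk. The enclosing function `tsg_ndr_read_caps_response` starts before this hunk.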
@@ -4013,6 +4017,7 @@ static BOOL parse_gateway_type_option(rdpSettings* settings, const char* value)
 !freerdp_settings_set_bool(settings, FreeRDP_GatewayHttpTransport, TRUE) ||
 !freerdp_settings_set_bool(settings, FreeRDP_GatewayArmTransport, FALSE))
 return FALSE;
+ rc = TRUE;
 }
 else if (option_equals(value, "arm"))
 {
@@ -4021,9 +4026,10 @@ static BOOL parse_gateway_type_option(rdpSettings* settings, const char* value)
 !freerdp_settings_set_bool(settings, FreeRDP_GatewayHttpUseWebsockets, FALSE) ||
 !freerdp_settings_set_bool(settings, FreeRDP_GatewayArmTransport, TRUE))
 return FALSE;
+ rc = TRUE;
 }
 }
- return TRUE;
+ return rc;
 }
 
 static BOOL parse_gateway_usage_option(rdpSettings* settings, const char* value)
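Review bot: With `return rc;` an unrecognised `/gateway:type:` value is now rejected, but the rejection is silent: nothing in this function names the value that was refused, and it returns the same `FALSE` as the `freerdp_settings_set_bool` failure paths, so nothing visible here lets a user tell a typo apart from a settings-update failure. A final `else` in the inner `http`/`auto`/`arm` chain that logs the rejected `value` and returns `FALSE` would make the new failure diagnosable, and it would also remove the need for the four `rc = TRUE;` lines added in the hunks at -3997, -4006, -4013 and -4021, leaving the original `return TRUE;` in place. If this file uses the same logging macros as tsg.c, that branch is one line: `WLog_ERR(TAG, "Unknown gateway type '%s'", value);` followed by `return FALSE;`. `parse_gateway_type_option` begins in the hunk at -3987, outside this one.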