From 1d6460c5f723be587eb33d1888ddcab4e4758183 Mon Sep 17 00:00:00 2001
From: akallabeth
Date: Tue, 23 Apr 2024 08:57:56 +0200
Subject: [PATCH] [core,redirection] add sanity check for TargetNetAddress

Abort on implausible TargetNetAddressLength values. (check remaining data length to determine that)
---
 libfreerdp/core/redirection.c | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/libfreerdp/core/redirection.c b/libfreerdp/core/redirection.c
index 5343a071c..9aea9147f 100644
--- a/libfreerdp/core/redirection.c
+++ b/libfreerdp/core/redirection.c
@@ -815,6 +815,18 @@ static state_run_t rdp_recv_server_redirection_pdu(rdpRdp* rdp, wStream* s)
 Stream_Read_UINT32(s, targetNetAddressesLength);
 Stream_Read_UINT32(s, redirection->TargetNetAddressesCount);
 const UINT32 count = redirection->TargetNetAddressesCount;
+ /* sanity check: the whole packet has a length limit of UINT16_MAX
+ * each TargetNetAddress is a WCHAR string, so minimum length 2 bytes
+ */
+ if (count * sizeof(WCHAR) > Stream_GetRemainingLength(s))
+ {
+ WLog_ERR(TAG,
+ "Invalid RDP_SERVER_REDIRECTION_PACKET::TargetNetAddressLength %" PRIuz
+ ", sanity limit is %" PRIuz,
+ count * sizeof(WCHAR), Stream_GetRemainingLength(s));
+ return STATE_RUN_FAILED;
+ }
+
 redirection->TargetNetAddresses = NULL;
 if (count > 0)
 {
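Review bot: The added bound `count * sizeof(WCHAR) > Stream_GetRemainingLength(s)` multiplies a server-supplied UINT32 in `size_t`, so on a build where `size_t` is 32 bits a count of 0x80000000 or more wraps and passes the check. Dividing avoids the wrap: `if (count > Stream_GetRemainingLength(s) / sizeof(WCHAR))`. The WLog_ERR text names `TargetNetAddressLength`, but the value tested and printed is `TargetNetAddressesCount` scaled by the WCHAR size, which will mislead whoever triages the log; printing `count` itself under the right field name would be clearer. `targetNetAddressesLength`, read two lines above, is not compared with the remaining stream length anywhere in this hunk. The enclosing function starts and ends outside the hunk, so whether the allocation under `if (count > 0)` applies a further bound cannot be seen from here.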