diff --git a/libfreerdp/core/transport.c b/libfreerdp/core/transport.c
index 2189b0b8c..696fedeed 100644
--- a/libfreerdp/core/transport.c
+++ b/libfreerdp/core/transport.c
@@ -422,6 +422,8 @@ int transport_read_pdu(rdpTransport* transport, wStream* s)
 return status;
 }
+ /* update position value for further checks */
+ position = Stream_GetPosition(s);
 header = Stream_Buffer(s);
 if (transport->NlaMode)
@@ -439,7 +441,9 @@ int transport_read_pdu(rdpTransport* transport, wStream* s)
 {
 if ((header[1] & ~(0x80)) == 1)
 {
- if ((status = transport_read_layer_bytes(transport, s, 1)) != 1)
+ /* check for header bytes already was readed in previous calls */
+ if (position < 3
+ && (status = transport_read_layer_bytes(transport, s, 3 - position)) != 1)
 return status;
 pduLength = header[2];
@@ -447,7 +451,9 @@ int transport_read_pdu(rdpTransport* transport, wStream* s)
 }
 else if ((header[1] & ~(0x80)) == 2)
 {
- if ((status = transport_read_layer_bytes(transport, s, 2)) != 1)
+ /* check for header bytes already was readed in previous calls */
+ if (position < 4
+ && (status = transport_read_layer_bytes(transport, s, 4 - position)) != 1)
 return status;
 pduLength = (header[2] << 8) | header[3];
@@ -471,7 +477,9 @@ int transport_read_pdu(rdpTransport* transport, wStream* s)
 if (header[0] == 0x03)
 {
 /* TPKT header */
- if ((status = transport_read_layer_bytes(transport, s, 2)) != 1)
+ /* check for header bytes already was readed in previous calls */
+ if (position < 4
+ && (status = transport_read_layer_bytes(transport, s, 4 - position)) != 1)
 return status;
 pduLength = (header[2] << 8) | header[3];
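Review bot: The comment added in four places (`/* check for header bytes already was readed in previous calls */`, in the two NLA length branches, the TPKT branch and the fast-path hunk at -488) does not say why the `position < 3` / `position < 4` guard has to be evaluated before the read. `position` is declared outside these hunks; if it is an unsigned type, `3 - position` would wrap to a very large length once a resumed call starts past that offset, so the guard is what bounds the byte count handed to `transport_read_layer_bytes`. I would word the comment as `/* read only the header bytes a previous partial call has not consumed; the position guard keeps the length from wrapping */`. Because the same two-line condition is repeated four times, a small static helper that takes the required header length would keep the guard and the subtraction together in one place. transport_read_pdu begins and ends outside the hunks shown.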
@@ -488,7 +496,9 @@ int transport_read_pdu(rdpTransport* transport, wStream* s)
 /* Fast-Path Header */
 if (header[1] & 0x80)
 {
- if ((status = transport_read_layer_bytes(transport, s, 1)) != 1)
+ /* check for header bytes already was readed in previous calls */
+ if (position < 3
+ && (status = transport_read_layer_bytes(transport, s, 3 - position)) != 1)
 return status;
 pduLength = ((header[1] & 0x7F) << 8) | header[2];