morgan/FreeRDP
1
0
Fork 0
mirror of https://github.com/morgan9e/FreeRDP synced 2026-04-15 00:44:19 +09:00
Code Issues Packages Projects Releases Wiki Activity

Fixed a broken length check in rdg_process_packet

Browse Source 
HTTP gateway connections aborted due to this.
Additionally add more verbose error logging in RDG.
This commit is contained in:
Armin Novak
2018-11-23 09:45:09 +01:00
parent 4c4e5b887d
commit 391528f40a
1 changed files with 29 additions and 5 deletions
Download Patch File Download Diff File Expand all files Collapse all files

34
libfreerdp/core/gateway/rdg.c
View File

@@ -641,7 +641,11 @@ static BOOL rdg_process_handshake_response(rdpRdg* rdg, wStream* s)
}
if (Stream_GetRemainingLength(s) < 10)
{
WLog_ERR(TAG, "[%s] Short packet %"PRIuz", expected 10",
__FUNCTION__, Stream_GetRemainingLength(s));
return FALSE;
}
Stream_Read_UINT32(s, errorCode);
Stream_Read_UINT8(s, verMajor);
@@ -655,7 +659,7 @@ static BOOL rdg_process_handshake_response(rdpRdg* rdg, wStream* s)
if (FAILED(errorCode))
{
WLog_DBG(TAG, "Handshake error %s", error);
WLog_ERR(TAG, "Handshake error %s", error);
return FALSE;
}
@@ -675,7 +679,11 @@ static BOOL rdg_process_tunnel_response(rdpRdg* rdg, wStream* s)
}
if (Stream_GetRemainingLength(s) < 10)
{
WLog_ERR(TAG, "[%s] Short packet %"PRIuz", expected 10",
__FUNCTION__, Stream_GetRemainingLength(s));
return FALSE;
}
Stream_Read_UINT16(s, serverVersion);
Stream_Read_UINT32(s, errorCode);
@@ -687,7 +695,7 @@ static BOOL rdg_process_tunnel_response(rdpRdg* rdg, wStream* s)
if (FAILED(errorCode))
{
WLog_DBG(TAG, "Tunnel creation error %s", error);
WLog_ERR(TAG, "Tunnel creation error %s", error);
return FALSE;
}
@@ -707,7 +715,11 @@ static BOOL rdg_process_tunnel_authorization_response(rdpRdg* rdg, wStream* s)
}
if (Stream_GetRemainingLength(s) < 8)
{
WLog_ERR(TAG, "[%s] Short packet %"PRIuz", expected 8",
__FUNCTION__, Stream_GetRemainingLength(s));
return FALSE;
}
Stream_Read_UINT32(s, errorCode);
Stream_Read_UINT16(s, fieldsPresent);
@@ -718,7 +730,7 @@ static BOOL rdg_process_tunnel_authorization_response(rdpRdg* rdg, wStream* s)
if (FAILED(errorCode))
{
WLog_DBG(TAG, "Tunnel authorization error %s", error);
WLog_ERR(TAG, "Tunnel authorization error %s", error);
return FALSE;
}
@@ -738,7 +750,11 @@ static BOOL rdg_process_channel_response(rdpRdg* rdg, wStream* s)
}
if (Stream_GetRemainingLength(s) < 8)
{
WLog_ERR(TAG, "[%s] Short packet %"PRIuz", expected 8",
__FUNCTION__, Stream_GetRemainingLength(s));
return FALSE;
}
Stream_Read_UINT32(s, errorCode);
Stream_Read_UINT16(s, fieldsPresent);
@@ -766,14 +782,22 @@ static BOOL rdg_process_packet(rdpRdg* rdg, wStream* s)
Stream_SetPosition(s, 0);
if (Stream_GetRemainingLength(s) < 8)
{
WLog_ERR(TAG, "[%s] Short packet %"PRIuz", expected 8",
__FUNCTION__, Stream_GetRemainingLength(s));
return FALSE;
}
Stream_Read_UINT16(s, type);
Stream_Seek_UINT16(s); /* reserved */
Stream_Read_UINT32(s, packetLength);
if (Stream_GetRemainingLength(s) < packetLength)
if (Stream_Length(s) < packetLength)
{
WLog_ERR(TAG, "[%s] Short packet %"PRIuz", expected %"PRIuz,
__FUNCTION__, Stream_Length(s), packetLength);
return FALSE;
}
switch (type)
{
@@ -794,7 +818,7 @@ static BOOL rdg_process_packet(rdpRdg* rdg, wStream* s)
break;
case PKT_TYPE_DATA:
assert(FALSE);
WLog_ERR(TAG, "[%s] Unexpected packet type DATA", __FUNCTION__);
return FALSE;
}