From 63c80423a9b6e72fe1d820aafbc6e091d3e9d1dc Mon Sep 17 00:00:00 2001 From: akarl10 Date: Mon, 26 Jun 2023 07:47:07 +0200 Subject: [PATCH] [multitransport] Ignore unknown data If the reserved filed is not 0 the request PDU seems to contain some extra data. Two bytes of 0 (probably a version field) followed by a JSON payload (not null terminated, until the end of the packet. There seems to be no dedicated length field) --- libfreerdp/core/multitransport.c | 18 +++++++++++++++++- 1 file changed, 17 insertions(+), 1 deletion(-) diff --git a/libfreerdp/core/multitransport.c b/libfreerdp/core/multitransport.c index 10a837aba..1e71c06e3 100644 --- a/libfreerdp/core/multitransport.c +++ b/libfreerdp/core/multitransport.c @@ -63,13 +63,29 @@ state_run_t multitransport_recv_request(rdpMultitransport* multi, wStream* s) UINT32 requestId; UINT16 requestedProto; + UINT16 reserved; const BYTE* cookie; Stream_Read_UINT32(s, requestId); /* requestId (4 bytes) */ Stream_Read_UINT16(s, requestedProto); /* requestedProtocol (2 bytes) */ - Stream_Seek(s, 2); /* reserved (2 bytes) */ + Stream_Read_UINT16(s, reserved); /* reserved (2 bytes) */ cookie = Stream_ConstPointer(s); Stream_Seek(s, RDPUDP_COOKIE_LEN); /* securityCookie (16 bytes) */ + if (reserved != 0) + { + /* + * If the reserved filed is not 0 the request PDU seems to contain some extra data. + * If the reserved value is 1, then two bytes of 0 (probably a version field) + * are followed by a JSON payload (not null terminated, until the end of the packet. + * There seems to be no dedicated length field) + * + * for now just ignore all that + */ + WLog_WARN(TAG, + "reserved is %" PRIu16 " instead of 0, skipping %" PRIuz "bytes of unknown data", + reserved, Stream_GetRemainingLength(s)); + Stream_SafeSeek(s, Stream_GetRemainingLength(s)); + } WINPR_ASSERT(multi->MtRequest); return multi->MtRequest(multi, requestId, requestedProto, cookie);