From 909a965fe947a1beeb33bfb3278748a05c140e80 Mon Sep 17 00:00:00 2001
From: David FORT
Date: Tue, 26 May 2015 14:50:13 +0200
Subject: [PATCH] Added misc checks in rdg.c

---
 libfreerdp/core/gateway/rdg.c | 25 +++++++++++++++++++------
 1 file changed, 19 insertions(+), 6 deletions(-)

diff --git a/libfreerdp/core/gateway/rdg.c b/libfreerdp/core/gateway/rdg.c
index 4682e995f..05d79ecca 100644
--- a/libfreerdp/core/gateway/rdg.c
+++ b/libfreerdp/core/gateway/rdg.c
@@ -323,7 +323,8 @@ wStream* rdg_build_http_request(rdpRdg* rdg, char* method)
 s = http_request_write(rdg->http, request);
 http_request_free(request);
- Stream_SealLength(s);
+ if (s)
+ Stream_SealLength(s);
 return s;
 }
@@ -435,9 +436,7 @@ BOOL rdg_process_in_channel_response(rdpRdg* rdg, HttpResponse* response)
 s = rdg_build_http_request(rdg, "RDG_IN_DATA");
 if (!s)
-
 return FALSE;
-
 status = tls_write_all(rdg->tlsIn, Stream_Buffer(s), Stream_Length(s));
@@ -489,13 +488,16 @@ BOOL rdg_process_handshake_response(rdpRdg* rdg, wStream* s)
 {
 HRESULT errorCode;
- WLog_DBG(TAG, "Handshake response recieved");
+ WLog_DBG(TAG, "Handshake response received");
 if (rdg->state != RDG_CLIENT_STATE_HANDSHAKE)
 {
 return FALSE;
 }
+ if (Stream_GetRemainingLength(s) < 5)
+ return FALSE;
+
 Stream_Seek(s, 8);
 Stream_Read_UINT32(s, errorCode);
@@ -519,6 +521,9 @@ BOOL rdg_process_tunnel_response(rdpRdg* rdg, wStream* s)
 return FALSE;
 }
+ if (Stream_GetRemainingLength(s) < 14)
+ return FALSE;
+
 Stream_Seek(s, 10);
 Stream_Read_UINT32(s, errorCode);
@@ -542,6 +547,9 @@ BOOL rdg_process_tunnel_authorization_response(rdpRdg* rdg, wStream* s)
 return FALSE;
 }
+ if (Stream_GetRemainingLength(s) < 5)
+ return FALSE;
+
 Stream_Seek(s, 8);
 Stream_Read_UINT32(s, errorCode);
@@ -565,6 +573,9 @@ BOOL rdg_process_channel_response(rdpRdg* rdg, wStream* s)
 return FALSE;
 }
+ if (Stream_GetRemainingLength(s) < 5)
+ return FALSE;
+
 Stream_Seek(s, 8);
 Stream_Read_UINT32(s, errorCode);
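Review bot: The new length guard in rdg_process_handshake_response is too small for the reads it is meant to protect: the lines right after it, `Stream_Seek(s, 8)` followed by `Stream_Read_UINT32(s, errorCode)`, consume 12 bytes from the current position, but the guard only rejects streams with fewer than 5 bytes remaining, so a 5–11 byte response still reads past the end of the buffer. The tunnel-response hunk in this same patch pairs its 10-byte seek and 4-byte read with a 14-byte check; this one should be `if (Stream_GetRemainingLength(s) < 12)`. The remainder of the function, including whatever is done with errorCode, lies outside the hunk.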
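Review bot: The constant 14 in the rdg_process_tunnel_response guard is only correct because of the `Stream_Seek(s, 10)` and 4-byte `Stream_Read_UINT32` that follow it, and nothing ties the three numbers together for the next person who changes one of them. A one-line comment above the check, `/* 10 bytes skipped below + 4-byte errorCode */`, would keep the bound and the reads in step; the same applies to the sibling guards in this patch. The function continues beyond the hunk, so whether later reads need more than 14 bytes cannot be confirmed from here.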
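Review bot: The guard added to rdg_process_tunnel_authorization_response does not cover the access that follows it: `Stream_Seek(s, 8)` then `Stream_Read_UINT32(s, errorCode)` need 12 bytes from the current position, yet only streams with fewer than 5 remaining are rejected, leaving a 5–11 byte response free to read out of bounds exactly as before the patch. The threshold should match the seek plus the read, `if (Stream_GetRemainingLength(s) < 12)`. The rest of the function is outside the hunk.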
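Review bot: In rdg_process_channel_response the new check rejects fewer than 5 remaining bytes, but the next two lines, `Stream_Seek(s, 8)` and `Stream_Read_UINT32(s, errorCode)`, advance and read 12 bytes, so the guard still admits responses short enough to overrun the stream. The bound should be `if (Stream_GetRemainingLength(s) < 12)`, consistent with how the tunnel-response hunk sizes its own check against its 10 + 4 byte access. The function continues past the end of the hunk.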
@@ -584,9 +595,11 @@ BOOL rdg_process_packet(rdpRdg* rdg, wStream* s)
 BOOL status = TRUE;
 UINT16 type;
+ if (Stream_GetRemainingLength(s) < 2)
+ return FALSE;
+
 Stream_SetPosition(s, 0);
- Stream_Read_UINT16(s, type);
- Stream_SetPosition(s, 0);
+ Stream_Peek_UINT16(s, type);
 switch (type)
 {
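Review bot: The new `Stream_GetRemainingLength(s) < 2` check in rdg_process_packet runs before `Stream_SetPosition(s, 0)`, so it measures the bytes left after wherever the caller left the stream position rather than the bytes the `Stream_Peek_UINT16` at offset 0 will actually read. If a caller hands in a stream positioned at the end of the received data the guard rejects every packet; if the position is already 0 the order is merely misleading. Moving the guard to sit immediately after the `Stream_SetPosition(s, 0);` line makes it check the right thing in both cases. The switch body and the rest of the function lie outside the hunk, so it is not visible here whether the handlers it dispatches to all perform their own length checks.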