Fixed rdp_recv_tpkt_pdu parsing, use substream.
parent
df55f40ecf
commit
0533c05be3
@ -1328,6 +1328,7 @@ static int rdp_recv_tpkt_pdu(rdpRdp* rdp, wStream* s)
|
|||||||
{
|
{
|
||||||
while (Stream_GetRemainingLength(s) > 3)
|
while (Stream_GetRemainingLength(s) > 3)
|
||||||
{
|
{
|
||||||
|
wStream sub;
|
||||||
size_t startheader, endheader, start, end, diff, headerdiff;
|
size_t startheader, endheader, start, end, diff, headerdiff;
|
||||||
|
|
||||||
startheader = Stream_GetPosition(s);
|
startheader = Stream_GetPosition(s);
|
||||||
@ -1347,6 +1348,9 @@ static int rdp_recv_tpkt_pdu(rdpRdp* rdp, wStream* s)
|
|||||||
return -1;
|
return -1;
|
||||||
}
|
}
|
||||||
pduLength -= headerdiff;
|
pduLength -= headerdiff;
|
||||||
|
Stream_StaticInit(&sub, Stream_Pointer(s), pduLength);
|
||||||
|
if (!Stream_SafeSeek(s, pduLength))
|
||||||
|
return -1;
|
||||||
|
|
||||||
rdp->settings->PduSource = pduSource;
|
rdp->settings->PduSource = pduSource;
|
||||||
rdp->inPackets++;
|
rdp->inPackets++;
|
||||||
@ -1354,13 +1358,13 @@ static int rdp_recv_tpkt_pdu(rdpRdp* rdp, wStream* s)
|
|||||||
switch (pduType)
|
switch (pduType)
|
||||||
{
|
{
|
||||||
case PDU_TYPE_DATA:
|
case PDU_TYPE_DATA:
|
||||||
rc = rdp_recv_data_pdu(rdp, s);
|
rc = rdp_recv_data_pdu(rdp, &sub);
|
||||||
if (rc < 0)
|
if (rc < 0)
|
||||||
return rc;
|
return rc;
|
||||||
break;
|
break;
|
||||||
|
|
||||||
case PDU_TYPE_DEACTIVATE_ALL:
|
case PDU_TYPE_DEACTIVATE_ALL:
|
||||||
if (!rdp_recv_deactivate_all(rdp, s))
|
if (!rdp_recv_deactivate_all(rdp, &sub))
|
||||||
{
|
{
|
||||||
WLog_ERR(TAG, "rdp_recv_tpkt_pdu: rdp_recv_deactivate_all() fail");
|
WLog_ERR(TAG, "rdp_recv_tpkt_pdu: rdp_recv_deactivate_all() fail");
|
||||||
return -1;
|
return -1;
|
||||||
@ -1369,14 +1373,14 @@ static int rdp_recv_tpkt_pdu(rdpRdp* rdp, wStream* s)
|
|||||||
break;
|
break;
|
||||||
|
|
||||||
case PDU_TYPE_SERVER_REDIRECTION:
|
case PDU_TYPE_SERVER_REDIRECTION:
|
||||||
return rdp_recv_enhanced_security_redirection_packet(rdp, s);
|
return rdp_recv_enhanced_security_redirection_packet(rdp, &sub);
|
||||||
|
|
||||||
case PDU_TYPE_FLOW_RESPONSE:
|
case PDU_TYPE_FLOW_RESPONSE:
|
||||||
case PDU_TYPE_FLOW_STOP:
|
case PDU_TYPE_FLOW_STOP:
|
||||||
case PDU_TYPE_FLOW_TEST:
|
case PDU_TYPE_FLOW_TEST:
|
||||||
WLog_DBG(TAG, "flow message 0x%04" PRIX16 "", pduType);
|
WLog_DBG(TAG, "flow message 0x%04" PRIX16 "", pduType);
|
||||||
/* http://msdn.microsoft.com/en-us/library/cc240576.aspx */
|
/* http://msdn.microsoft.com/en-us/library/cc240576.aspx */
|
||||||
if (!Stream_SafeSeek(s, pduLength))
|
if (!Stream_SafeSeek(&sub, pduLength))
|
||||||
return -1;
|
return -1;
|
||||||
break;
|
break;
|
||||||
|
|
||||||
@ -1385,7 +1389,7 @@ static int rdp_recv_tpkt_pdu(rdpRdp* rdp, wStream* s)
|
|||||||
break;
|
break;
|
||||||
}
|
}
|
||||||
|
|
||||||
end = Stream_GetPosition(s);
|
end = Stream_GetPosition(&sub);
|
||||||
diff = end - start;
|
diff = end - start;
|
||||||
if (diff != pduLength)
|
if (diff != pduLength)
|
||||||
{
|
{
|
||||||
@ -1393,8 +1397,6 @@ static int rdp_recv_tpkt_pdu(rdpRdp* rdp, wStream* s)
|
|||||||
"pduType %s not properly parsed, %" PRIdz
|
"pduType %s not properly parsed, %" PRIdz
|
||||||
" bytes remaining unhandled. Skipping.",
|
" bytes remaining unhandled. Skipping.",
|
||||||
pdu_type_to_str(pduType), diff);
|
pdu_type_to_str(pduType), diff);
|
||||||
if (!Stream_SafeSeek(s, pduLength - diff))
|
|
||||||
return -1;
|
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
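Review bot: The length check at the end of the loop now appears to subtract positions taken from two different streams. `end` comes from `Stream_GetPosition(&sub)`, which presumably counts from the start of the sub-stream, while `start` is assigned outside the visible hunks and, if it is still read from `s`, is an offset into the outer buffer. In that case `diff = end - start` can wrap as a `size_t`, so the warning no longer reliably flags a handler that left part of a peer-supplied PDU unparsed. Because `sub` is already bounded to `pduLength`, the check can be written as `diff = Stream_GetRemainingLength(&sub);` followed by `if (diff > 0)`, which also makes the logged value match the "bytes remaining unhandled" text. The body of `rdp_recv_tpkt_pdu` starts and ends outside the hunks shown, so the assignment of `start` should be confirmed against the full file.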