From 0773bb9303d24473fe1185d85a424dfe159aff53 Mon Sep 17 00:00:00 2001 From: Bernhard Miklautz Date: Mon, 1 Jul 2013 19:24:19 +0200 Subject: [PATCH] nla: invalidate sec handle after creation If sec pointer isn't invalidated after creation it is not possible to check if the upper and lower pointers are valid. This fixes a segfault in the server part if the client disconnects before the authentication was finished. --- libfreerdp/core/nla.c | 1 + libfreerdp/core/peer.c | 1 + libfreerdp/core/transport.c | 2 ++ winpr/libwinpr/sspi/sspi.c | 6 +++--- 4 files changed, 7 insertions(+), 3 deletions(-) diff --git a/libfreerdp/core/nla.c b/libfreerdp/core/nla.c index 2b4b71992..875c0ae73 100644 --- a/libfreerdp/core/nla.c +++ b/libfreerdp/core/nla.c @@ -1245,6 +1245,7 @@ rdpCredssp* credssp_new(freerdp* instance, rdpTransport* transport, rdpSettings* ZeroMemory(&credssp->negoToken, sizeof(SecBuffer)); ZeroMemory(&credssp->pubKeyAuth, sizeof(SecBuffer)); ZeroMemory(&credssp->authInfo, sizeof(SecBuffer)); + SecInvalidateHandle(&credssp->context); if (credssp->server) { diff --git a/libfreerdp/core/peer.c b/libfreerdp/core/peer.c index 3806a736e..eb4ad60ea 100644 --- a/libfreerdp/core/peer.c +++ b/libfreerdp/core/peer.c @@ -272,6 +272,7 @@ static int peer_recv_callback(rdpTransport* transport, wStream* s, void* extra) sspi_CopyAuthIdentity(&client->identity, &(rdp->nego->transport->credssp->identity)); IFCALLRET(client->Logon, client->authenticated, client, &client->identity, TRUE); credssp_free(rdp->nego->transport->credssp); + rdp->nego->transport->credssp = NULL; } else { diff --git a/libfreerdp/core/transport.c b/libfreerdp/core/transport.c index a9a710511..4afec5a12 100644 --- a/libfreerdp/core/transport.c +++ b/libfreerdp/core/transport.c @@ -159,6 +159,7 @@ BOOL transport_connect_nla(rdpTransport* transport) "If credentials are valid, the NTLMSSP implementation may be to blame.\n"); credssp_free(transport->credssp); + transport->credssp = NULL; return FALSE; } @@ -292,6 +293,7 @@ BOOL transport_accept_nla(rdpTransport* transport) { fprintf(stderr, "client authentication failure\n"); credssp_free(transport->credssp); + transport->credssp = NULL; return FALSE; } diff --git a/winpr/libwinpr/sspi/sspi.c b/winpr/libwinpr/sspi/sspi.c index 8747e3f01..96c959995 100644 --- a/winpr/libwinpr/sspi/sspi.c +++ b/winpr/libwinpr/sspi/sspi.c @@ -248,7 +248,7 @@ void* sspi_SecureHandleGetLowerPointer(SecHandle* handle) { void* pointer; - if (!handle) + if (!handle || !SecIsValidHandle(handle)) return NULL; pointer = (void*) ~((size_t) handle->dwLower); @@ -268,7 +268,7 @@ void* sspi_SecureHandleGetUpperPointer(SecHandle* handle) { void* pointer; - if (!handle) + if (!handle || !SecIsValidHandle(handle)) return NULL; pointer = (void*) ~((size_t) handle->dwUpper); @@ -839,7 +839,7 @@ SECURITY_STATUS SEC_ENTRY CompleteAuthToken(PCtxtHandle phContext, PSecBufferDes SECURITY_STATUS SEC_ENTRY DeleteSecurityContext(PCtxtHandle phContext) { - char* Name; + char* Name = NULL; SECURITY_STATUS status; SecurityFunctionTableA* table;