[core,info] enforce extended info limits

the cbClientAddress field limits defined in [MS-RDPBCGR] 2.2.1.11.1.1.1 Extended Info Packet (TS_EXTENDED_INFO_PACKET) are now properly enforced.
2022-12-14 09:44:57 +01:00 · 2022-12-14 09:44:57 +01:00 · 0da0f5ca54
commit 0da0f5ca54
parent 4ab9fb4425
1 changed files with 36 additions and 4 deletions
--- a/libfreerdp/core/info.c
+++ b/libfreerdp/core/info.c
@ -274,6 +274,27 @@ static void rdp_write_client_auto_reconnect_cookie(rdpRdp* rdp, wStream* s)
 	Stream_Write(s, autoReconnectCookie->securityVerifier, 16); /* SecurityVerifier (16 bytes) */
 }

+/*
+ * Get the cbClientAddress size limit
+ * see [MS-RDPBCGR] 2.2.1.11.1.1.1 Extended Info Packet (TS_EXTENDED_INFO_PACKET)
+ */
+
+static size_t rdp_get_client_address_max_size(const rdpRdp* rdp)
+{
+	UINT32 version;
+	rdpSettings* settings;
+
+	WINPR_ASSERT(rdp);
+
+	settings = rdp->settings;
+	WINPR_ASSERT(settings);
+
+	version = freerdp_settings_get_uint32(settings, FreeRDP_RdpVersion);
+	if (version < RDP_VERSION_10_0)
+		return 64;
+	return 80;
+}
+
 /**
 * Read Extended Info Packet (TS_EXTENDED_INFO_PACKET).
 * msdn{cc240476}
@ -300,7 +321,7 @@ static BOOL rdp_read_extended_info_packet(rdpRdp* rdp, wStream* s)
 	 * is mandatory, connections via Microsoft's TS Gateway set cbClientAddress to 0.
 	 */

-	if ((cbClientAddress % 2) || cbClientAddress > 80)
+	if ((cbClientAddress % 2) || (cbClientAddress > rdp_get_client_address_max_size(rdp)))
 	{
 		WLog_ERR(TAG, "protocol error: invalid cbClientAddress value: %" PRIu16 "",
 		         cbClientAddress);
@ -435,6 +456,7 @@ static BOOL rdp_write_extended_info_packet(rdpRdp* rdp, wStream* s)
 	UINT16 clientAddressFamily;
 	WCHAR* clientAddress = NULL;
 	size_t cbClientAddress;
+	const size_t cbClientAddressMax = rdp_get_client_address_max_size(rdp);
 	WCHAR* clientDir = NULL;
 	size_t cbClientDir;
 	UINT16 cbAutoReconnectCookie;
@ -447,7 +469,18 @@ static BOOL rdp_write_extended_info_packet(rdpRdp* rdp, wStream* s)

 	if (cbClientAddress > (UINT16_MAX / sizeof(WCHAR)))
 		goto fail;
-	cbClientAddress = (UINT16)cbClientAddress * sizeof(WCHAR);
+
+	cbClientAddress = (UINT16)(cbClientAddress + 1) * sizeof(WCHAR);
+	if (cbClientAddress > cbClientAddressMax)
+	{
+		WLog_WARN(TAG,
+		          "[%s] the client address %s [%" PRIuz "] exceeds the limit of %" PRIuz
+		          ", truncating.",
+		          __FUNCTION__, settings->ClientAddress, cbClientAddress, cbClientAddressMax);
+
+		clientAddress[(cbClientAddressMax / sizeof(WCHAR)) - 1] = '\0';
+		cbClientAddress = cbClientAddressMax;
+	}

 	clientDir = ConvertUtf8ToWCharAlloc(settings->ClientDir, &cbClientDir);
 	if (cbClientDir > (UINT16_MAX / sizeof(WCHAR)))
@ -459,11 +492,10 @@ static BOOL rdp_write_extended_info_packet(rdpRdp* rdp, wStream* s)
 	cbAutoReconnectCookie = (UINT16)settings->ServerAutoReconnectCookie->cbLen;

 	Stream_Write_UINT16(s, clientAddressFamily); /* clientAddressFamily (2 bytes) */
-	Stream_Write_UINT16(s, cbClientAddress + 2); /* cbClientAddress (2 bytes) */
+	Stream_Write_UINT16(s, cbClientAddress);     /* cbClientAddress (2 bytes) */

 	Stream_Write(s, clientAddress, cbClientAddress); /* clientAddress */

-	Stream_Write_UINT16(s, 0);
 	Stream_Write_UINT16(s, cbClientDir + 2); /* cbClientDir (2 bytes) */

 	Stream_Write(s, clientDir, cbClientDir); /* clientDir */