mirrors/FreeRDP
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Merge pull request #3079 from akallabeth/drive_hotplug_fix

Browse Source 
Fixed argument checks for drive channel.
This commit is contained in:
Hardening 2016-02-04 09:06:43 +01:00
commit 13df05be78
6 changed files with 324 additions and 194 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

22
channels/rdpdr/client/devman.c
View File

@ -6,6 +6,7 @@
* Copyright 2010-2012 Marc-Andre Moreau <marcandre.moreau@gmail.com>
* Copyright 2015 Thincast Technologies GmbH
* Copyright 2015 DI (FH) Martin Haimberger <martin.haimberger@thincast.com>
* Copyright 2016 Armin Novak <armin.novak@gmail.com>
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@ -42,6 +43,9 @@
void devman_device_free(DEVICE* device)
{
if (!device)
return;
IFCALL(device->Free, device);
}
@ -49,6 +53,9 @@ DEVMAN* devman_new(rdpdrPlugin* rdpdr)
{
DEVMAN* devman;
if (!rdpdr)
return NULL;
devman = (DEVMAN*) calloc(1, sizeof(DEVMAN));
if (!devman)
@ -84,6 +91,9 @@ void devman_unregister_device(DEVMAN* devman, void* key)
{
DEVICE* device;
if (!devman || !key)
return;
device = (DEVICE*) ListDictionary_Remove(devman->devices, key);
if (device)
@ -99,6 +109,12 @@ static UINT devman_register_device(DEVMAN* devman, DEVICE* device)
{
void* key = NULL;
if (!devman || !device)
return ERROR_INVALID_PARAMETER;
if (device->type != RDPDR_DTYP_FILESYSTEM)
return CHANNEL_RC_OK;
device->id = devman->id_sequence++;
key = (void*) (size_t) device->id;
@ -115,6 +131,9 @@ DEVICE* devman_get_device_by_id(DEVMAN* devman, UINT32 id)
DEVICE* device = NULL;
void* key = (void*) (size_t) id;
if (!devman)
return NULL;
device = (DEVICE*) ListDictionary_GetItemValue(devman->devices, key);
return device;
@ -137,6 +156,9 @@ UINT devman_load_device_service(DEVMAN* devman, RDPDR_DEVICE* device, rdpContext
DEVICE_SERVICE_ENTRY_POINTS ep;
PDEVICE_SERVICE_ENTRY entry = NULL;
if (!devman || !device || !rdpcontext)
return ERROR_INVALID_PARAMETER;
if (device->Type == RDPDR_DTYP_FILESYSTEM)
ServiceName = DRIVE_SERVICE_NAME;
else if (device->Type == RDPDR_DTYP_PRINT)

21
channels/rdpdr/client/irp.c
View File

@ -77,18 +77,28 @@ static UINT irp_complete(IRP* irp)
return error;
}
IRP* irp_new(DEVMAN* devman, wStream* s)
IRP* irp_new(DEVMAN* devman, wStream* s, UINT* error)
{
IRP* irp;
DEVICE* device;
UINT32 DeviceId;
if (Stream_GetRemainingLength(s) < 20)
{
if (error)
*error = ERROR_INVALID_DATA;
return NULL;
}
Stream_Read_UINT32(s, DeviceId); /* DeviceId (4 bytes) */
device = devman_get_device_by_id(devman, DeviceId);
if (!device)
{
WLog_ERR(TAG, "devman_get_device_by_id failed!");
WLog_WARN(TAG, "devman_get_device_by_id failed!");
if (error)
*error = CHANNEL_RC_OK;
return NULL;
};
@ -97,6 +107,8 @@ IRP* irp_new(DEVMAN* devman, wStream* s)
if (!irp)
{
WLog_ERR(TAG, "_aligned_malloc failed!");
if (error)
*error = CHANNEL_RC_NO_MEMORY;
return NULL;
}
@ -117,6 +129,8 @@ IRP* irp_new(DEVMAN* devman, wStream* s)
{
WLog_ERR(TAG, "Stream_New failed!");
_aligned_free(irp);
if (error)
*error = CHANNEL_RC_NO_MEMORY;
return NULL;
}
Stream_Write_UINT16(irp->output, RDPDR_CTYP_CORE); /* Component (2 bytes) */
@ -131,5 +145,8 @@ IRP* irp_new(DEVMAN* devman, wStream* s)
irp->thread = NULL;
irp->cancelled = FALSE;
if (error)
*error = CHANNEL_RC_OK;
return irp;
}

2
channels/rdpdr/client/irp.h
View File

@ -23,6 +23,6 @@
#include "rdpdr_main.h"
IRP* irp_new(DEVMAN* devman, wStream* s);
IRP* irp_new(DEVMAN* devman, wStream* s, UINT* error);
#endif /* FREERDP_CHANNEL_RDPDR_CLIENT_IRP_H */

85
channels/rdpdr/client/rdpdr_capabilities.c
View File

@ -4,8 +4,9 @@
*
* Copyright 2010-2011 Vic Lee
* Copyright 2010-2012 Marc-Andre Moreau <marcandre.moreau@gmail.com>
* Copyright 2015 Thincast Technologies GmbH
* Copyright 2015-2016 Thincast Technologies GmbH
* Copyright 2015 DI (FH) Martin Haimberger <martin.haimberger@thincast.com>
* Copyright 2016 Armin Novak <armin.novak@thincast.com>
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@ -60,12 +61,21 @@ static void rdpdr_write_general_capset(rdpdrPlugin* rdpdr, wStream* s)
}
/* Process device direction general capability set */
static void rdpdr_process_general_capset(rdpdrPlugin* rdpdr, wStream* s)
static UINT rdpdr_process_general_capset(rdpdrPlugin* rdpdr, wStream* s)
{
UINT16 capabilityLength;
if (Stream_GetRemainingLength(s) < 2)
return ERROR_INVALID_DATA;
Stream_Read_UINT16(s, capabilityLength);
if (Stream_GetRemainingLength(s) < capabilityLength - 4)
return ERROR_INVALID_DATA;
Stream_Seek(s, capabilityLength - 4);
return CHANNEL_RC_OK;
}
/* Output printer direction capability set */
@ -75,12 +85,21 @@ static void rdpdr_write_printer_capset(rdpdrPlugin* rdpdr, wStream* s)
}
/* Process printer direction capability set */
static void rdpdr_process_printer_capset(rdpdrPlugin* rdpdr, wStream* s)
static UINT rdpdr_process_printer_capset(rdpdrPlugin* rdpdr, wStream* s)
{
UINT16 capabilityLength;
if (Stream_GetRemainingLength(s) < 2)
return ERROR_INVALID_DATA;
Stream_Read_UINT16(s, capabilityLength);
if (Stream_GetRemainingLength(s) < capabilityLength - 4)
return ERROR_INVALID_DATA;
Stream_Seek(s, capabilityLength - 4);
return CHANNEL_RC_OK;
}
/* Output port redirection capability set */
@ -90,12 +109,21 @@ static void rdpdr_write_port_capset(rdpdrPlugin* rdpdr, wStream* s)
}
/* Process port redirection capability set */
static void rdpdr_process_port_capset(rdpdrPlugin* rdpdr, wStream* s)
static UINT rdpdr_process_port_capset(rdpdrPlugin* rdpdr, wStream* s)
{
UINT16 capabilityLength;
if (Stream_GetRemainingLength(s) < 2)
return ERROR_INVALID_DATA;
Stream_Read_UINT16(s, capabilityLength);
if (Stream_GetRemainingLength(s) < capabilityLength - 4)
return ERROR_INVALID_DATA;
Stream_Seek(s, capabilityLength - 4);
return CHANNEL_RC_OK;
}
/* Output drive redirection capability set */
@ -105,12 +133,21 @@ static void rdpdr_write_drive_capset(rdpdrPlugin* rdpdr, wStream* s)
}
/* Process drive redirection capability set */
static void rdpdr_process_drive_capset(rdpdrPlugin* rdpdr, wStream* s)
static UINT rdpdr_process_drive_capset(rdpdrPlugin* rdpdr, wStream* s)
{
UINT16 capabilityLength;
if (Stream_GetRemainingLength(s) < 2)
return ERROR_INVALID_DATA;
Stream_Read_UINT16(s, capabilityLength);
if (Stream_GetRemainingLength(s) < capabilityLength - 4)
return ERROR_INVALID_DATA;
Stream_Seek(s, capabilityLength - 4);
return CHANNEL_RC_OK;
}
/* Output smart card redirection capability set */
@ -120,53 +157,77 @@ static void rdpdr_write_smartcard_capset(rdpdrPlugin* rdpdr, wStream* s)
}
/* Process smartcard redirection capability set */
static void rdpdr_process_smartcard_capset(rdpdrPlugin* rdpdr, wStream* s)
static UINT rdpdr_process_smartcard_capset(rdpdrPlugin* rdpdr, wStream* s)
{
UINT16 capabilityLength;
if (Stream_GetRemainingLength(s) < 2)
return ERROR_INVALID_DATA;
Stream_Read_UINT16(s, capabilityLength);
if (Stream_GetRemainingLength(s) < capabilityLength - 4)
return ERROR_INVALID_DATA;
Stream_Seek(s, capabilityLength - 4);
return CHANNEL_RC_OK;
}
void rdpdr_process_capability_request(rdpdrPlugin* rdpdr, wStream* s)
UINT rdpdr_process_capability_request(rdpdrPlugin* rdpdr, wStream* s)
{
UINT status = CHANNEL_RC_OK;
UINT16 i;
UINT16 numCapabilities;
UINT16 capabilityType;
if (!rdpdr || !s)
return CHANNEL_RC_NULL_DATA;
if (Stream_GetRemainingLength(s) < 4)
return ERROR_INVALID_DATA;
Stream_Read_UINT16(s, numCapabilities);
Stream_Seek(s, 2); /* pad (2 bytes) */
for (i = 0; i < numCapabilities; i++)
{
if (Stream_GetRemainingLength(s) < sizeof(UINT16))
return ERROR_INVALID_DATA;
Stream_Read_UINT16(s, capabilityType);
switch (capabilityType)
{
case CAP_GENERAL_TYPE:
rdpdr_process_general_capset(rdpdr, s);
status = rdpdr_process_general_capset(rdpdr, s);
break;
case CAP_PRINTER_TYPE:
rdpdr_process_printer_capset(rdpdr, s);
status = rdpdr_process_printer_capset(rdpdr, s);
break;
case CAP_PORT_TYPE:
rdpdr_process_port_capset(rdpdr, s);
status = rdpdr_process_port_capset(rdpdr, s);
break;
case CAP_DRIVE_TYPE:
rdpdr_process_drive_capset(rdpdr, s);
status = rdpdr_process_drive_capset(rdpdr, s);
break;
case CAP_SMARTCARD_TYPE:
rdpdr_process_smartcard_capset(rdpdr, s);
status = rdpdr_process_smartcard_capset(rdpdr, s);
break;
default:
break;
}
if (status != CHANNEL_RC_OK)
return status;
}
return CHANNEL_RC_OK;
}
/**

2
channels/rdpdr/client/rdpdr_capabilities.h
View File

@ -25,7 +25,7 @@
#include "rdpdr_main.h"
void rdpdr_process_capability_request(rdpdrPlugin* rdpdr, wStream* s);
UINT rdpdr_process_capability_request(rdpdrPlugin* rdpdr, wStream* s);
UINT rdpdr_send_capability_response(rdpdrPlugin* rdpdr);
#endif /* FREERDP_CHANNEL_RDPDR_CLIENT_CAPABILITIES_H */

74
channels/rdpdr/client/rdpdr_main.c
View File

@ -4,8 +4,9 @@
*
* Copyright 2010-2011 Vic Lee
* Copyright 2010-2012 Marc-Andre Moreau <marcandre.moreau@gmail.com>
* Copyright 2015 Thincast Technologies GmbH
* Copyright 2015-2016 Thincast Technologies GmbH
* Copyright 2015 DI (FH) Martin Haimberger <martin.haimberger@thincast.com>
* Copyright 2016 Armin Novak <armin.novak@thincast.com>
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@ -81,7 +82,7 @@ static UINT rdpdr_send_device_list_remove_request(rdpdrPlugin* rdpdr, UINT32 cou
UINT32 i;
wStream* s;
s = Stream_New(NULL, 256);
s = Stream_New(NULL, count * sizeof(UINT32) + 8);
if (!s)
{
WLog_ERR(TAG, "Stream_New failed!");
@ -429,7 +430,7 @@ static UINT handle_hotplug(rdpdrPlugin* rdpdr)
BOOL dev_found = FALSE;
device_ext = (DEVICE_DRIVE_EXT *)ListDictionary_GetItemValue(rdpdr->devman->devices, (void *)keys[j]);
if (!device_ext)
if (!device_ext || !device_ext->path)
continue;
/* not plugable device */
@ -496,7 +497,6 @@ static UINT handle_hotplug(rdpdrPlugin* rdpdr)
free(drive->Path);
free(drive->Name);
free(drive);
error = CHANNEL_RC_NO_MEMORY;
goto cleanup;
}
}
@ -592,6 +592,7 @@ out:
static UINT drive_hotplug_thread_terminate(rdpdrPlugin* rdpdr)
{
UINT error;
if (rdpdr->hotplugThread)
{
if (rdpdr->stopEvent)
@ -661,13 +662,18 @@ static UINT rdpdr_process_connect(rdpdrPlugin* rdpdr)
return error;
}
static void rdpdr_process_server_announce_request(rdpdrPlugin* rdpdr, wStream* s)
static UINT rdpdr_process_server_announce_request(rdpdrPlugin* rdpdr, wStream* s)
{
if (Stream_GetRemainingLength(s) < 8)
return ERROR_INVALID_DATA;
Stream_Read_UINT16(s, rdpdr->versionMajor);
Stream_Read_UINT16(s, rdpdr->versionMinor);
Stream_Read_UINT32(s, rdpdr->clientID);
rdpdr->sequenceId++;
return CHANNEL_RC_OK;
}
/**
@ -683,7 +689,7 @@ static UINT rdpdr_send_client_announce_reply(rdpdrPlugin* rdpdr)
if (!s)
{
WLog_ERR(TAG, "Stream_New failed!");
return CHANNEL_RC_OK;
return CHANNEL_RC_NO_MEMORY;
}
Stream_Write_UINT16(s, RDPDR_CTYP_CORE); /* Component (2 bytes) */
@ -733,12 +739,15 @@ static UINT rdpdr_send_client_name_request(rdpdrPlugin* rdpdr)
return rdpdr_send(rdpdr, s);
}
static void rdpdr_process_server_clientid_confirm(rdpdrPlugin* rdpdr, wStream* s)
static UINT rdpdr_process_server_clientid_confirm(rdpdrPlugin* rdpdr, wStream* s)
{
UINT16 versionMajor;
UINT16 versionMinor;
UINT32 clientID;
if (Stream_GetRemainingLength(s) < 8)
return ERROR_INVALID_DATA;
Stream_Read_UINT16(s, versionMajor);
Stream_Read_UINT16(s, versionMinor);
Stream_Read_UINT32(s, clientID);
@ -750,9 +759,9 @@ static void rdpdr_process_server_clientid_confirm(rdpdrPlugin* rdpdr, wStream* s
}
if (clientID != rdpdr->clientID)
{
rdpdr->clientID = clientID;
}
return CHANNEL_RC_OK;
}
/**
@ -810,7 +819,7 @@ static UINT rdpdr_send_device_list_announce_request(rdpdrPlugin* rdpdr, BOOL use
if (!Stream_EnsureRemainingCapacity(s, 20 + data_len))
{
WLog_ERR(TAG, "Stream_EnsureRemainingCapacity failed!");
return CHANNEL_RC_NO_MEMORY;
return ERROR_INVALID_DATA;
}
Stream_Write_UINT32(s, device->type); /* deviceType */
@ -859,12 +868,12 @@ static UINT rdpdr_process_irp(rdpdrPlugin* rdpdr, wStream* s)
IRP* irp;
UINT error = CHANNEL_RC_OK;
irp = irp_new(rdpdr->devman, s);
irp = irp_new(rdpdr->devman, s, &error);
if (!irp)
{
WLog_ERR(TAG, "irp_new failed!");
return CHANNEL_RC_NO_MEMORY;
WLog_ERR(TAG, "irp_new failed with %lu!", error);
return error;
}
IFCALLRET(irp->device->IRPRequest, error, irp->device, irp);
@ -921,6 +930,12 @@ static UINT rdpdr_process_receive(rdpdrPlugin* rdpdr, wStream* s)
UINT32 status;
UINT error;
if (!rdpdr || !s)
return CHANNEL_RC_NULL_DATA;
if (Stream_GetRemainingLength(s) < 4)
return ERROR_INVALID_DATA;
Stream_Read_UINT16(s, component); /* Component (2 bytes) */
Stream_Read_UINT16(s, packetId); /* PacketId (2 bytes) */
@ -929,7 +944,8 @@ static UINT rdpdr_process_receive(rdpdrPlugin* rdpdr, wStream* s)
switch (packetId)
{
case PAKID_CORE_SERVER_ANNOUNCE:
rdpdr_process_server_announce_request(rdpdr, s);
if ((error = rdpdr_process_server_announce_request(rdpdr, s)))
return error;
if ((error = rdpdr_send_client_announce_reply(rdpdr)))
{
WLog_ERR(TAG, "rdpdr_send_client_announce_reply failed with error %lu", error);
@ -948,7 +964,8 @@ static UINT rdpdr_process_receive(rdpdrPlugin* rdpdr, wStream* s)
break;
case PAKID_CORE_SERVER_CAPABILITY:
rdpdr_process_capability_request(rdpdr, s);
if ((error = rdpdr_process_capability_request(rdpdr, s)))
return error;
if ((error = rdpdr_send_capability_response(rdpdr)))
{
WLog_ERR(TAG, "rdpdr_send_capability_response failed with error %lu", error);
@ -957,7 +974,9 @@ static UINT rdpdr_process_receive(rdpdrPlugin* rdpdr, wStream* s)
break;
case PAKID_CORE_CLIENTID_CONFIRM:
rdpdr_process_server_clientid_confirm(rdpdr, s);
if ((error = rdpdr_process_server_clientid_confirm(rdpdr, s)))
return error;
if ((error = rdpdr_send_device_list_announce_request(rdpdr, FALSE)))
{
WLog_ERR(TAG, "rdpdr_send_device_list_announce_request failed with error %lu", error);
@ -975,6 +994,9 @@ static UINT rdpdr_process_receive(rdpdrPlugin* rdpdr, wStream* s)
case PAKID_CORE_DEVICE_REPLY:
/* connect to a specific resource */
if (Stream_GetRemainingLength(s) < 8)
return ERROR_INVALID_DATA;
Stream_Read_UINT32(s, deviceId);
Stream_Read_UINT32(s, status);
break;
@ -1002,6 +1024,9 @@ static UINT rdpdr_process_receive(rdpdrPlugin* rdpdr, wStream* s)
case PAKID_PRN_CACHE_DATA:
{
UINT32 eventID;
if (Stream_GetRemainingLength(s) < 4)
return ERROR_INVALID_DATA;
Stream_Read_UINT32(s, eventID);
WLog_ERR(TAG, "Ignoring unhandled message PAKID_PRN_CACHE_DATA (EventID: 0x%04X)", eventID);
}
@ -1132,10 +1157,11 @@ UINT rdpdr_send(rdpdrPlugin* rdpdr, wStream* s)
UINT status;
rdpdrPlugin* plugin = (rdpdrPlugin*) rdpdr;
if (!rdpdr || !s)
return CHANNEL_RC_NULL_DATA;
if (!plugin)
{
status = CHANNEL_RC_BAD_INIT_HANDLE;
}
else
{
status = plugin->channelEntryPoints.pVirtualChannelWrite(plugin->OpenHandle,
@ -1190,7 +1216,7 @@ static UINT rdpdr_virtual_channel_event_data_received(rdpdrPlugin* rdpdr,
if (!Stream_EnsureRemainingCapacity(data_in, (int) dataLength))
{
WLog_ERR(TAG, "Stream_EnsureRemainingCapacity failed!");
return CHANNEL_RC_NO_MEMORY;
return ERROR_INVALID_DATA;
}
Stream_Write(data_in, pData, dataLength);
@ -1223,7 +1249,7 @@ static VOID VCAPITYPE rdpdr_virtual_channel_open_event(DWORD openHandle, UINT ev
rdpdr = (rdpdrPlugin*) rdpdr_get_open_handle_data(openHandle);
if (!rdpdr)
if (!rdpdr || !pData)
{
WLog_ERR(TAG, "rdpdr_virtual_channel_open_event: error no match");
return;
@ -1256,6 +1282,12 @@ static void* rdpdr_virtual_channel_client_thread(void* arg)
rdpdrPlugin* rdpdr = (rdpdrPlugin*) arg;
UINT error;
if (!rdpdr)
{
ExitThread((DWORD) CHANNEL_RC_NULL_DATA);
return NULL;
}
if ((error = rdpdr_process_connect(rdpdr)))
{
WLog_ERR(TAG, "rdpdr_process_connect failed with error %lu!", error);
@ -1444,7 +1476,6 @@ BOOL VCAPITYPE VirtualChannelEntry(PCHANNEL_ENTRY_POINTS pEntryPoints)
rdpdrPlugin* rdpdr;
CHANNEL_ENTRY_POINTS_FREERDP* pEntryPointsEx;
rdpdr = (rdpdrPlugin*) calloc(1, sizeof(rdpdrPlugin));
if (!rdpdr)
@ -1473,7 +1504,6 @@ BOOL VCAPITYPE VirtualChannelEntry(PCHANNEL_ENTRY_POINTS pEntryPoints)
CopyMemory(&(rdpdr->channelEntryPoints), pEntryPoints, sizeof(CHANNEL_ENTRY_POINTS_FREERDP));
rc = rdpdr->channelEntryPoints.pVirtualChannelInit(&rdpdr->InitHandle,
&rdpdr->channelDef, 1, VIRTUAL_CHANNEL_VERSION_WIN2000, rdpdr_virtual_channel_init_event);