server: proxy: fix race issue

Proxy server might receive input updates while client side being redirected (and reset), then a heap-after-free might occur. To solve this, we register server input/update callbacks only after client is fully activated. (cherry picked from commit db0196fd01)
2020-07-05 09:11:56 +03:00 · 2020-07-05 09:11:56 +03:00 · 14119ac48d
commit 14119ac48d
parent 757b4106e6
2 changed files with 16 additions and 4 deletions
--- a/server/proxy/pf_client.c
+++ b/server/proxy/pf_client.c
@ -35,6 +35,7 @@
 #include "pf_update.h"
 #include "pf_log.h"
 #include "pf_modules.h"
+#include "pf_input.h"
 #include "pf_capture.h"

 #define TAG PROXY_TAG("client")
@ -72,6 +73,19 @@ static void pf_client_on_error_info(void* ctx, ErrorInfoEventArgs* e)
 	freerdp_send_error_info(ps->context.rdp);
 }

+static void pf_client_on_activated(void* ctx, ActivatedEventArgs* e)
+{
+	pClientContext* pc = (pClientContext*)ctx;
+	pServerContext* ps = pc->pdata->ps;
+	freerdp_peer* peer = ps->context.peer;
+
+	LOG_INFO(TAG, pc, "client activated, registering server input callbacks");
+
+	/* Register server input/update callbacks only after proxy client is fully activated */
+	pf_server_register_input_callbacks(peer->input);
+	pf_server_register_update_callbacks(peer->update);
+}
+
 static BOOL pf_client_load_rdpsnd(pClientContext* pc)
 {
 	rdpContext* context = (rdpContext*)pc;
@ -197,6 +211,7 @@ static BOOL pf_client_pre_connect(freerdp* instance)
 	PubSub_SubscribeChannelDisconnected(instance->context->pubSub,
 	                                    pf_channels_on_client_channel_disconnect);
 	PubSub_SubscribeErrorInfo(instance->context->pubSub, pf_client_on_error_info);
+	PubSub_SubscribeActivated(instance->context->pubSub, pf_client_on_activated);
 	/**
 	 * Load all required plugins / channels / libraries specified by current
 	 * settings.
@ -304,7 +319,7 @@ static BOOL pf_client_post_connect(freerdp* instance)
 		if (!pf_capture_create_session_directory(pc))
 		{
 			LOG_ERR(TAG, pc, "pf_capture_create_session_directory failed!");
-			return FALSE;
+		return FALSE;
 		}

 		LOG_ERR(TAG, pc, "frames dir created: %s", pc->frames_dir);
--- a/server/proxy/pf_server.c
+++ b/server/proxy/pf_server.c
@ -36,7 +36,6 @@
 #include "pf_config.h"
 #include "pf_client.h"
 #include "pf_context.h"
-#include "pf_input.h"
 #include "pf_update.h"
 #include "pf_rdpgfx.h"
 #include "pf_disp.h"
@ -181,8 +180,6 @@ static BOOL pf_server_post_connect(freerdp_peer* peer)
 		return FALSE;
 	}

-	pf_server_register_input_callbacks(peer->input);
-	pf_server_register_update_callbacks(peer->update);
 	return pf_modules_run_hook(HOOK_TYPE_SERVER_POST_CONNECT, pdata);
 }