[core,redirection] add sanity check for TargetNetAddress

Abort on implausible TargetNetAddressLength values. (check remaining data length to determine that)
2024-04-23 08:57:56 +02:00 · 2024-04-23 08:57:56 +02:00 · 1d6460c5f7
commit 1d6460c5f7
parent 449e8b82f1
1 changed files with 12 additions and 0 deletions
--- a/libfreerdp/core/redirection.c
+++ b/libfreerdp/core/redirection.c
@ -815,6 +815,18 @@ static state_run_t rdp_recv_server_redirection_pdu(rdpRdp* rdp, wStream* s)
 		Stream_Read_UINT32(s, targetNetAddressesLength);
 		Stream_Read_UINT32(s, redirection->TargetNetAddressesCount);
 		const UINT32 count = redirection->TargetNetAddressesCount;
+		/* sanity check: the whole packet has a length limit of UINT16_MAX
+		 * each TargetNetAddress is a WCHAR string, so minimum length 2 bytes
+		 */
+		if (count * sizeof(WCHAR) > Stream_GetRemainingLength(s))
+		{
+			WLog_ERR(TAG,
+			         "Invalid RDP_SERVER_REDIRECTION_PACKET::TargetNetAddressLength %" PRIuz
+			         ", sanity limit is %" PRIuz,
+			         count * sizeof(WCHAR), Stream_GetRemainingLength(s));
+			return STATE_RUN_FAILED;
+		}
+
 		redirection->TargetNetAddresses = NULL;
 		if (count > 0)
 		{