checks BER decoding result and stream size when processing NLA packets

2013-01-11 01:27:19 +01:00 · 2013-01-11 01:27:19 +01:00 · 2a6c62520f
commit 2a6c62520f
parent 6bc7da797b
1 changed files with 16 additions and 9 deletions
--- a/libfreerdp/core/nla.c
+++ b/libfreerdp/core/nla.c
@ -1158,17 +1158,20 @@ int credssp_recv(rdpCredssp* credssp)
 	}
 	/* TSRequest */
-	ber_read_sequence_tag(s, &length);
+	if(!ber_read_sequence_tag(s, &length) ||
-	ber_read_contextual_tag(s, 0, &length, TRUE);
+		!ber_read_contextual_tag(s, 0, &length, TRUE) ||
-	ber_read_integer(s, &version);
+		!ber_read_integer(s, &version))
 		return -1;
 	/* [1] negoTokens (NegoData) */
 	if (ber_read_contextual_tag(s, 1, &length, TRUE) != FALSE)
 	{
-		ber_read_sequence_tag(s, &length); /* SEQUENCE OF NegoDataItem */
+		if (!ber_read_sequence_tag(s, &length) || /* SEQUENCE OF NegoDataItem */
-		ber_read_sequence_tag(s, &length); /* NegoDataItem */
+			!ber_read_sequence_tag(s, &length) || /* NegoDataItem */
-		ber_read_contextual_tag(s, 0, &length, TRUE); /* [0] negoToken */
+			!ber_read_contextual_tag(s, 0, &length, TRUE) || /* [0] negoToken */
-		ber_read_octet_string_tag(s, &length); /* OCTET STRING */
+			!ber_read_octet_string_tag(s, &length) || /* OCTET STRING */
 			stream_get_left(s) < length)
 			return -1;
 		sspi_SecBufferAlloc(&credssp->negoToken, length);
 		stream_read(s, credssp->negoToken.pvBuffer, length);
 		credssp->negoToken.cbBuffer = length;
@ -1177,7 +1180,9 @@ int credssp_recv(rdpCredssp* credssp)
 	/* [2] authInfo (OCTET STRING) */
 	if (ber_read_contextual_tag(s, 2, &length, TRUE) != FALSE)
 	{
-		ber_read_octet_string_tag(s, &length); /* OCTET STRING */
+		if(!ber_read_octet_string_tag(s, &length) || /* OCTET STRING */
 			stream_get_left(s) < length)
 			return -1;
 		sspi_SecBufferAlloc(&credssp->authInfo, length);
 		stream_read(s, credssp->authInfo.pvBuffer, length);
 		credssp->authInfo.cbBuffer = length;
@ -1186,7 +1191,9 @@ int credssp_recv(rdpCredssp* credssp)
 	/* [3] pubKeyAuth (OCTET STRING) */
 	if (ber_read_contextual_tag(s, 3, &length, TRUE) != FALSE)
 	{
-		ber_read_octet_string_tag(s, &length); /* OCTET STRING */
+		if(!ber_read_octet_string_tag(s, &length) || /* OCTET STRING */
 			stream_get_left(s) < length)
 			return -1;
 		sspi_SecBufferAlloc(&credssp->pubKeyAuth, length);
 		stream_read(s, credssp->pubKeyAuth.pvBuffer, length);
 		credssp->pubKeyAuth.cbBuffer = length;