From 33f0eb0915bdc1693594d482742861a4bcd65ace Mon Sep 17 00:00:00 2001
From: Hardening
Date: Wed, 18 Dec 2013 10:54:02 +0100
Subject: [PATCH] More security fixes for capabilities

This patch fixes a security issue which would allow an attackant to set bytes to 1 at choosen places. It also fixes a warning when DEBUG_CAPABILITIES is set.
---
 libfreerdp/core/capabilities.c | 21 +++++++++++++++------
 1 file changed, 15 insertions(+), 6 deletions(-)

diff --git a/libfreerdp/core/capabilities.c b/libfreerdp/core/capabilities.c
index 5abb75860..5255f67b9 100644
--- a/libfreerdp/core/capabilities.c
+++ b/libfreerdp/core/capabilities.c
@@ -3162,7 +3162,15 @@ BOOL rdp_read_capability_sets(wStream* s, rdpSettings* settings, UINT16 numberCa
 rdp_read_capability_set_header(s, &length, &type);
- settings->ReceivedCapabilities[type] = TRUE;
+ if (type < 32)
+ {
+ settings->ReceivedCapabilities[type] = TRUE;
+ }
+ else
+ {
+ fprintf(stderr, "%s: not handling capability type %d yet\n", __FUNCTION__, type);
+ }
+
 em = bm + length;
 if (Stream_GetRemainingLength(s) < length - 4)
@@ -3333,6 +3341,12 @@ BOOL rdp_read_capability_sets(wStream* s, rdpSettings* settings, UINT16 numberCa
 numberCapabilities--;
 }
+ if (numberCapabilities)
+ {
+ fprintf(stderr, "%s: strange we haven't read the number of announced capacity sets, read=%d expected=%d\n",
+ __FUNCTION__, count-numberCapabilities, count);
+ }
+
 #ifdef WITH_DEBUG_CAPABILITIES
 Stream_GetPointer(s, em);
 Stream_SetPointer(s, mark);
@@ -3340,11 +3354,6 @@ BOOL rdp_read_capability_sets(wStream* s, rdpSettings* settings, UINT16 numberCa
 rdp_print_capability_sets(s, numberCapabilities, TRUE);
 Stream_SetPointer(s, em);
 #endif
- if (numberCapabilities)
- {
- fprintf(stderr, "%s: strange we haven't read the number of announced capacity sets, read=%d expected=%d\n",
- __FUNCTION__, count-numberCapabilities, count);
- }
 return TRUE;
 }
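Review bot: The bound in `if (type < 32)` is a bare literal, so the guard on the write to `settings->ReceivedCapabilities[type]` stays correct only while that array keeps exactly 32 entries. Its declaration or allocation is not visible in this hunk; I would define one named constant where the array is sized and test against it here, e.g. `if (type < RECEIVED_CAPABILITIES_COUNT)` (the name is a suggestion, not an existing symbol). Because `type` comes from the peer via `rdp_read_capability_set_header`, the `fprintf` in the else branch can be triggered once per capability set, so a debug-only or rate-limited log would avoid a stderr flood from a hostile peer. The loop body this sits in starts and ends outside the hunk.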
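Review bot: In the second hunk (-3333,6 +3341,12), a non-zero `numberCapabilities` after the loop only prints a message and the function still reaches `return TRUE;` (visible in the last hunk), so a peer that announces more capability sets than it sends is accepted as valid. If that leniency is deliberate, a short comment on the `if` saying that a short list is tolerated would record the decision; otherwise adding `return FALSE;` inside the block would reject the malformed input. The message text says "capacity sets" where "capability sets" is meant. A comment noting why this check has to come before the `WITH_DEBUG_CAPABILITIES` block would also help keep it from being moved back; the reason is not visible in the hunk.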