More security fixes for capabilities

This patch fixes a security issue which would allow an attackant to set bytes to 1 at choosen places.
It also fixes a warning when DEBUG_CAPABILITIES is set.
This commit is contained in:
Hardening 2013-12-18 10:54:02 +01:00
parent 72f38ce75a
commit 33f0eb0915

View File

@ -3162,7 +3162,15 @@ BOOL rdp_read_capability_sets(wStream* s, rdpSettings* settings, UINT16 numberCa
rdp_read_capability_set_header(s, &length, &type); rdp_read_capability_set_header(s, &length, &type);
settings->ReceivedCapabilities[type] = TRUE; if (type < 32)
{
settings->ReceivedCapabilities[type] = TRUE;
}
else
{
fprintf(stderr, "%s: not handling capability type %d yet\n", __FUNCTION__, type);
}
em = bm + length; em = bm + length;
if (Stream_GetRemainingLength(s) < length - 4) if (Stream_GetRemainingLength(s) < length - 4)
@ -3333,6 +3341,12 @@ BOOL rdp_read_capability_sets(wStream* s, rdpSettings* settings, UINT16 numberCa
numberCapabilities--; numberCapabilities--;
} }
if (numberCapabilities)
{
fprintf(stderr, "%s: strange we haven't read the number of announced capacity sets, read=%d expected=%d\n",
__FUNCTION__, count-numberCapabilities, count);
}
#ifdef WITH_DEBUG_CAPABILITIES #ifdef WITH_DEBUG_CAPABILITIES
Stream_GetPointer(s, em); Stream_GetPointer(s, em);
Stream_SetPointer(s, mark); Stream_SetPointer(s, mark);
@ -3340,11 +3354,6 @@ BOOL rdp_read_capability_sets(wStream* s, rdpSettings* settings, UINT16 numberCa
rdp_print_capability_sets(s, numberCapabilities, TRUE); rdp_print_capability_sets(s, numberCapabilities, TRUE);
Stream_SetPointer(s, em); Stream_SetPointer(s, em);
#endif #endif
if (numberCapabilities)
{
fprintf(stderr, "%s: strange we haven't read the number of announced capacity sets, read=%d expected=%d\n",
__FUNCTION__, count-numberCapabilities, count);
}
return TRUE; return TRUE;
} }