mirrors
/
FreeRDP
mirror of https://github.com/FreeRDP/FreeRDP
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

[core,rdstls] Avoid Stream_SafeSeek on pdu parsing

This commit is contained in:
Joan Torres 2023-04-18 17:57:55 +02:00 committed by akallabeth
parent 4d663682bc
commit 3bcbdeb9fc
1 changed files with 8 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

12
libfreerdp/core/rdstls.c
View File

@ -874,24 +874,27 @@ static SSIZE_T rdstls_parse_pdu_data_type(wLog* log, UINT16 dataType, wStream* s
return 0; return 0;
Stream_Read_UINT16(s, redirGuidLength); Stream_Read_UINT16(s, redirGuidLength);
if (!Stream_SafeSeek(s, redirGuidLength)) if (Stream_GetRemainingLength(s) < redirGuidLength)
return 0; return 0;
Stream_Seek(s, redirGuidLength);
UINT16 usernameLength; UINT16 usernameLength;
if (Stream_GetRemainingLength(s) < 2) if (Stream_GetRemainingLength(s) < 2)
return 0; return 0;
Stream_Read_UINT16(s, usernameLength); Stream_Read_UINT16(s, usernameLength);
if (!Stream_SafeSeek(s, usernameLength)) if (Stream_GetRemainingLength(s) < usernameLength)
return 0; return 0;
Stream_Seek(s, usernameLength);
UINT16 domainLength; UINT16 domainLength;
if (Stream_GetRemainingLength(s) < 2) if (Stream_GetRemainingLength(s) < 2)
return 0; return 0;
Stream_Read_UINT16(s, domainLength); Stream_Read_UINT16(s, domainLength);
if (!Stream_SafeSeek(s, domainLength)) if (Stream_GetRemainingLength(s) < domainLength)
return 0; return 0;
Stream_Seek(s, domainLength);
UINT16 passwordLength; UINT16 passwordLength;
if (Stream_GetRemainingLength(s) < 2) if (Stream_GetRemainingLength(s) < 2)
@ -902,8 +905,9 @@ static SSIZE_T rdstls_parse_pdu_data_type(wLog* log, UINT16 dataType, wStream* s
} }
case RDSTLS_DATA_AUTORECONNECT_COOKIE: case RDSTLS_DATA_AUTORECONNECT_COOKIE:
{ {
if (!Stream_SafeSeek(s, 4)) if (Stream_GetRemainingLength(s) < 4)
return 0; return 0;
Stream_Seek(s, 4);
UINT16 cookieLength; UINT16 cookieLength;
if (Stream_GetRemainingLength(s) < 2) if (Stream_GetRemainingLength(s) < 2)