libfreerdp-core: enforce checking of NLA packets in transport only when expecting NLA

2014-03-27 14:24:15 -04:00 · 2014-03-27 14:24:15 -04:00 · 3f07157637
commit 3f07157637
parent 75302e2cc2
2 changed files with 103 additions and 73 deletions
--- a/libfreerdp/core/transport.c
+++ b/libfreerdp/core/transport.c
@ -317,6 +317,7 @@ BOOL transport_connect_nla(rdpTransport* transport)
 	if (!transport->credssp)
 	{
 		transport->credssp = credssp_new(instance, transport, settings);
 		transport_set_nla_mode(transport, TRUE);
 		if (settings->AuthenticationServiceClass)
 		{
@ -338,11 +339,14 @@ BOOL transport_connect_nla(rdpTransport* transport)
 		fprintf(stderr, "Authentication failure, check credentials.\n"
 			"If credentials are valid, the NTLMSSP implementation may be to blame.\n");
 		transport_set_nla_mode(transport, FALSE);
 		credssp_free(transport->credssp);
 		transport->credssp = NULL;
 		return FALSE;
 	}
 	transport_set_nla_mode(transport, FALSE);
 	credssp_free(transport->credssp);
 	transport->credssp = NULL;
@ -481,11 +485,16 @@ BOOL transport_accept_nla(rdpTransport* transport)
 		return TRUE;
 	if (!transport->credssp)
 	{
 		transport->credssp = credssp_new(instance, transport, settings);
 		transport_set_nla_mode(transport, TRUE);
 	}
 	if (credssp_authenticate(transport->credssp) < 0)
 	{
 		fprintf(stderr, "client authentication failure\n");
 		transport_set_nla_mode(transport, FALSE);
 		credssp_free(transport->credssp);
 		transport->credssp = NULL;
@ -495,6 +504,7 @@ BOOL transport_accept_nla(rdpTransport* transport)
 	}
 	/* don't free credssp module yet, we need to copy the credentials from it first */
 	transport_set_nla_mode(transport, FALSE);
 	return TRUE;
 }
@ -643,49 +653,56 @@ int transport_read(rdpTransport* transport, wStream* s)
 	CopyMemory(header, Stream_Buffer(s), 4); /* peek at first 4 bytes */
-	/* if header is present, read in exactly one PDU */
+	/* if header is present, read exactly one PDU */
 	if (header[0] == 0x03)
 	{
 		/* TPKT header */
-		pduLength = (header[2] << 8) | header[3];
+	if (transport->NlaMode)
 	}
 	else if (header[0] == 0x30)
 	{
-		/* TSRequest (NLA) */
+		if (header[0] == 0x30)
 		if (header[1] & 0x80)
 		{
-			if ((header[1] & ~(0x80)) == 1)
+			/* TSRequest (NLA) */
 			if (header[1] & 0x80)
 			{
-				pduLength = header[2];
+				if ((header[1] & ~(0x80)) == 1)
-				pduLength += 3;
+				{
-			}
+					pduLength = header[2];
-			else if ((header[1] & ~(0x80)) == 2)
+					pduLength += 3;
-			{
+				}
-				pduLength = (header[2] << 8) | header[3];
+				else if ((header[1] & ~(0x80)) == 2)
-				pduLength += 4;
+				{
 					pduLength = (header[2] << 8) | header[3];
 					pduLength += 4;
 				}
 				else
 				{
 					fprintf(stderr, "Error reading TSRequest!\n");
 					return -1;
 				}
 			}
 			else
 			{
-				fprintf(stderr, "Error reading TSRequest!\n");
+				pduLength = header[1];
-				return -1;
+				pduLength += 2;
 			}
 		}
 		else
 		{
 			pduLength = header[1];
 			pduLength += 2;
 		}
 	}
 	else
 	{
-		/* Fast-Path Header */
+		if (header[0] == 0x03)
 		{
 			/* TPKT header */
-		if (header[1] & 0x80)
+			pduLength = (header[2] << 8) | header[3];
-			pduLength = ((header[1] & 0x7F) << 8) | header[2];
+		}
 		else
-			pduLength = header[1];
+		{
 			/* Fast-Path Header */
 			if (header[1] & 0x80)
 				pduLength = ((header[1] & 0x7F) << 8) | header[2];
 			else
 				pduLength = header[1];
 		}
 	}
 	status = transport_read_layer(transport, Stream_Buffer(s) + position, pduLength - position);
@ -889,7 +906,7 @@ int transport_check_fds(rdpTransport* transport)
 	 * Loop through and read all available PDUs.  Since multiple
 	 * PDUs can exist, it's important to deliver them all before
 	 * returning.  Otherwise we run the risk of having a thread
-	 * wait for a socket to get signalled that data is available
+	 * wait for a socket to get signaled that data is available
 	 * (which may never happen).
 	 */
 	for (;;)
@ -903,58 +920,64 @@ int transport_check_fds(rdpTransport* transport)
 		{
 			Stream_SetPosition(transport->ReceiveBuffer, 0);
-			if (tpkt_verify_header(transport->ReceiveBuffer)) /* TPKT */
+			if (transport->NlaMode)
 			{
-				/* Ensure the TPKT header is available. */
+				if (nla_verify_header(transport->ReceiveBuffer))
 				if (pos <= 4)
 				{
-					Stream_SetPosition(transport->ReceiveBuffer, pos);
+					/* TSRequest */
 					return 0;
 				}
-				length = tpkt_read_header(transport->ReceiveBuffer);
+					/* Ensure the TSRequest header is available. */
 					if (pos <= 4)
 					{
 						Stream_SetPosition(transport->ReceiveBuffer, pos);
 						return 0;
 					}
 					/* TSRequest header can be 2, 3 or 4 bytes long */
 					length = nla_header_length(transport->ReceiveBuffer);
 					if (pos < length)
 					{
 						Stream_SetPosition(transport->ReceiveBuffer, pos);
 						return 0;
 					}
 					length = nla_read_header(transport->ReceiveBuffer);
 				}
 			}
-			else if (nla_verify_header(transport->ReceiveBuffer))
+			else
 			{
-				/* TSRequest */
+				if (tpkt_verify_header(transport->ReceiveBuffer)) /* TPKT */
 				/* Ensure the TSRequest header is available. */
 				if (pos <= 4)
 				{
-					Stream_SetPosition(transport->ReceiveBuffer, pos);
+					/* Ensure the TPKT header is available. */
-					return 0;
+					if (pos <= 4)
 					{
 						Stream_SetPosition(transport->ReceiveBuffer, pos);
 						return 0;
 					}
 					length = tpkt_read_header(transport->ReceiveBuffer);
 				}
-
+				else /* Fast Path */
 				/* TSRequest header can be 2, 3 or 4 bytes long */
 				length = nla_header_length(transport->ReceiveBuffer);
 				if (pos < length)
 				{
-					Stream_SetPosition(transport->ReceiveBuffer, pos);
+					/* Ensure the Fast Path header is available. */
-					return 0;
+					if (pos <= 2)
 					{
 						Stream_SetPosition(transport->ReceiveBuffer, pos);
 						return 0;
 					}
 					/* Fastpath header can be two or three bytes long. */
 					length = fastpath_header_length(transport->ReceiveBuffer);
 					if (pos < length)
 					{
 						Stream_SetPosition(transport->ReceiveBuffer, pos);
 						return 0;
 					}
 					length = fastpath_read_header(NULL, transport->ReceiveBuffer);
 				}
 				length = nla_read_header(transport->ReceiveBuffer);
 			}
 			else /* Fast Path */
 			{
 				/* Ensure the Fast Path header is available. */
 				if (pos <= 2)
 				{
 					Stream_SetPosition(transport->ReceiveBuffer, pos);
 					return 0;
 				}
 				/* Fastpath header can be two or three bytes long. */
 				length = fastpath_header_length(transport->ReceiveBuffer);
 				if (pos < length)
 				{
 					Stream_SetPosition(transport->ReceiveBuffer, pos);
 					return 0;
 				}
 				length = fastpath_read_header(NULL, transport->ReceiveBuffer);
 			}
 			if (length == 0)
@ -1039,6 +1062,11 @@ void transport_set_gateway_enabled(rdpTransport* transport, BOOL GatewayEnabled)
 	transport->GatewayEnabled = GatewayEnabled;
 }
 void transport_set_nla_mode(rdpTransport* transport, BOOL NlaMode)
 {
 	transport->NlaMode = NlaMode;
 }
 static void* transport_client_thread(void* arg)
 {
 	DWORD status;
--- a/libfreerdp/core/transport.h
+++ b/libfreerdp/core/transport.h
@ -75,6 +75,7 @@ struct rdp_transport
 	HANDLE stopEvent;
 	HANDLE thread;
 	BOOL async;
 	BOOL NlaMode;
 	BOOL GatewayEnabled;
 	CRITICAL_SECTION ReadLock;
 	CRITICAL_SECTION WriteLock;
@ -99,6 +100,7 @@ void transport_get_fds(rdpTransport* transport, void** rfds, int* rcount);
 int transport_check_fds(rdpTransport* transport);
 BOOL transport_set_blocking_mode(rdpTransport* transport, BOOL blocking);
 void transport_set_gateway_enabled(rdpTransport* transport, BOOL GatewayEnabled);
 void transport_set_nla_mode(rdpTransport* transport, BOOL NlaMode);
 void transport_get_read_handles(rdpTransport* transport, HANDLE* events, DWORD* count);
 wStream* transport_receive_pool_take(rdpTransport* transport);