libfreerdp-core: fix potential overflow in parsing of fragmented RemoteFX packets

.gitignore

@@ -30,9 +30,6 @@ docs/api
 ipch
 Debug
 
-# test files
-*.pcap
-
 # Binaries
 *.a
 *.so

libfreerdp-core/fastpath.c

@@ -142,7 +142,7 @@ static void fastpath_recv_update_common(rdpFastPath* fastpath, STREAM* s)
 	}
 }
 
-static void fastpath_recv_update(rdpFastPath* fastpath, uint8 updateCode, uint16 size, STREAM* s)
+static void fastpath_recv_update(rdpFastPath* fastpath, uint8 updateCode, uint32 size, STREAM* s)
 {
 	switch (updateCode)
 	{
@@ -195,13 +195,14 @@ static void fastpath_recv_update(rdpFastPath* fastpath, uint8 updateCode, uint16
 
 static void fastpath_recv_update_data(rdpFastPath* fastpath, STREAM* s)
 {
+	uint16 size;
+	int next_pos;
+	uint32 totalSize;
 	uint8 updateCode;
 	uint8 fragmentation;
 	uint8 compression;
 	uint8 compressionFlags;
-	uint16 size;
 	STREAM* update_stream;
-	int next_pos;
 
 	fastpath_read_update_header(s, &updateCode, &fragmentation, &compression);
 
@@ -223,14 +224,13 @@ static void fastpath_recv_update_data(rdpFastPath* fastpath, STREAM* s)
 	update_stream = NULL;
 	if (fragmentation == FASTPATH_FRAGMENT_SINGLE)
 	{
+		totalSize = size;
 		update_stream = s;
 	}
 	else
 	{
 		if (fragmentation == FASTPATH_FRAGMENT_FIRST)
-		{
 			stream_set_pos(fastpath->updateData, 0);
-		}
 
 		stream_check_size(fastpath->updateData, size);
 		stream_copy(fastpath->updateData, s, size);
@@ -238,13 +238,13 @@ static void fastpath_recv_update_data(rdpFastPath* fastpath, STREAM* s)
 		if (fragmentation == FASTPATH_FRAGMENT_LAST)
 		{
 			update_stream = fastpath->updateData;
-			size = stream_get_length(update_stream);
+			totalSize = stream_get_length(update_stream);
 			stream_set_pos(update_stream, 0);
 		}
 	}
 
 	if (update_stream)
-		fastpath_recv_update(fastpath, updateCode, size, update_stream);
+		fastpath_recv_update(fastpath, updateCode, totalSize, update_stream);
 
 	stream_set_pos(s, next_pos);
 }
@@ -499,7 +499,6 @@ boolean fastpath_send_fragmented_update_pdu(rdpFastPath* fastpath, STREAM* s)
 	int fragment;
 	uint16 length;
 	uint16 maxLength;
-	uint16 fragLength;
 	uint32 totalLength;
 	uint8 fragmentation;
 	STREAM* update;
@@ -512,7 +511,6 @@ boolean fastpath_send_fragmented_update_pdu(rdpFastPath* fastpath, STREAM* s)
 	{
 		update = fastpath_update_pdu_init(fastpath);
 		length = MIN(maxLength, totalLength);
-		fragLength = length - 3;
 		totalLength -= length;
 
 		if (totalLength == 0)
@@ -522,8 +520,8 @@ boolean fastpath_send_fragmented_update_pdu(rdpFastPath* fastpath, STREAM* s)
 
 		fastpath_write_update_header(update, FASTPATH_UPDATETYPE_SURFCMDS, fragmentation, 0);
 		stream_write_uint16(update, length);
-		stream_write(update, s->p, fragLength);
-		stream_seek(s, fragLength);
+		stream_write(update, s->p, length);
+		stream_seek(s, length);
 
 		fastpath_send_update_pdu(fastpath, update);
 	}

libfreerdp-core/surface.c

@@ -58,11 +58,11 @@ static int update_recv_surfcmd_frame_marker(rdpUpdate* update, STREAM* s)
 	return 6;
 }
 
-boolean update_recv_surfcmds(rdpUpdate* update, uint16 size, STREAM* s)
+boolean update_recv_surfcmds(rdpUpdate* update, uint32 size, STREAM* s)
 {
 	uint8* mark;
 	uint16 cmdType;
-	uint16 cmdLength;
+	uint32 cmdLength;
 
 	while (size > 2)
 	{

libfreerdp-core/surface.h

@@ -39,7 +39,7 @@ enum SURFCMD_FRAMEACTION
 	SURFACECMD_FRAMEACTION_END = 0x0001
 };
 
-boolean update_recv_surfcmds(rdpUpdate* update, uint16 size, STREAM* s);
+boolean update_recv_surfcmds(rdpUpdate* update, uint32 size, STREAM* s);
 
 void update_write_surfcmd_surface_bits_header(STREAM* s, SURFACE_BITS_COMMAND* cmd);
 void update_write_surfcmd_frame_marker(STREAM* s, uint16 frameAction, uint32 frameId);

libfreerdp-utils/pcap.c

@@ -149,7 +149,7 @@ rdpPcap* pcap_open(char* name, boolean write)
 			pcap->header.version_minor = 4;
 			pcap->header.thiszone = 0;
 			pcap->header.sigfigs = 0;
-			pcap->header.snaplen = 65535;
+			pcap->header.snaplen = 0xFFFFFFFF;
 			pcap->header.network = 0;
 			pcap_write_header(pcap, &pcap->header);
 		}