From 5bcc5326d03cb83326a51fe7c0135a5ddd41d114 Mon Sep 17 00:00:00 2001
From: Joan Torres
Date: Wed, 8 Mar 2023 17:56:41 +0100
Subject: [PATCH] [core,rdstls] fix rdstls_parse_pdu

When this function returns <= 0 the caller was considering it a pduLength creating a bug.
Also fixed length calculation on some rdstls pdu types.
---
 libfreerdp/core/rdstls.c | 15 ++++++++-------
 libfreerdp/core/transport.c | 4 ++++
 2 files changed, 12 insertions(+), 7 deletions(-)

diff --git a/libfreerdp/core/rdstls.c b/libfreerdp/core/rdstls.c
index 321251d13..0f7a510d0 100644
--- a/libfreerdp/core/rdstls.c
+++ b/libfreerdp/core/rdstls.c
@@ -908,18 +908,19 @@ static SSIZE_T rdstls_parse_pdu_data_type(wLog* log, UINT16 dataType, wStream* s
 return 0;
 Stream_Read_UINT16(s, passwordLength);
- if (!Stream_SafeSeek(s, passwordLength))
- return 0;
-
- return Stream_GetPosition(s) + 2ull;
+ return Stream_GetPosition(s) + passwordLength;
 }
 case RDSTLS_DATA_AUTORECONNECT_COOKIE:
 {
- SSIZE_T pduLength;
+ if (!Stream_SafeSeek(s, 4))
+ return 0;
+
+ UINT16 cookieLength;
 if (Stream_GetRemainingLength(s) < 2)
 return 0;
- Stream_Read_UINT16(s, pduLength);
- return pduLength + 12u;
+ Stream_Read_UINT16(s, cookieLength);
+
+ return 12u + cookieLength;
 }
 default:
 WLog_Print(log, WLOG_ERROR, "invalid RDSLTS dataType");
diff --git a/libfreerdp/core/transport.c b/libfreerdp/core/transport.c
index 627928a70..08d510bed 100644
--- a/libfreerdp/core/transport.c
+++ b/libfreerdp/core/transport.c
@@ -854,7 +854,11 @@ SSIZE_T transport_parse_pdu(rdpTransport* transport, wStream* s, BOOL* incomplet
 }
 }
 else if (transport->RdstlsMode)
+ {
 pduLength = rdstls_parse_pdu(transport->log, s);
+ if (pduLength <= 0)
+ return pduLength;
+ }
 else
 {
 UINT8 version;
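Review bot: The auto-reconnect branch computes its total as `12u + cookieLength` from a hard-coded base, while the password branch just above now derives the same kind of value from `Stream_GetPosition(s) + passwordLength`; the two cases should use one scheme so the per-type constants cannot drift from the bytes actually consumed. If 12 is meant to be everything read up to and including the cookie-length field (the `Stream_SafeSeek(s, 4)` plus the 2-byte read suggest that, but the header layout is not in the hunk), `return Stream_GetPosition(s) + cookieLength;` expresses it without the magic number. Failing that, a short comment naming what the base covers would help, e.g. `/* bytes consumed before the cookie: header, session id (4), length field (2) */`, with the split confirmed against the header parser. It would also help to document on rdstls_parse_pdu_data_type that a return of 0 means the stream is too short to determine the length rather than a zero-length PDU, since the caller now branches on that; the function starts and ends outside the hunk.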
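Review bot: The new `if (pduLength <= 0) return pduLength;` is only effective if pduLength is a signed type; its declaration is outside the hunk, and if it is unsigned (e.g. `size_t`) a negative error return from rdstls_parse_pdu wraps to a large positive value, the check never fires, and that wrapped value flows on as the PDU length. Capturing the result in a signed local first avoids depending on that declaration: `const SSIZE_T rc = rdstls_parse_pdu(transport->log, s);` / `if (rc <= 0) return rc;` / `pduLength = (size_t)rc;`. Returning early here also skips whatever `*incomplete` bookkeeping follows later in the function, so it is worth confirming that a 0 return (rdstls_parse_pdu_data_type's "not enough data yet") is treated by the caller as "need more bytes" and not as an error. transport_parse_pdu starts and ends outside the hunk.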