[core,rdstls] fix rdstls_parse_pdu

When this function returned a value <= 0, the caller treated it as a
pduLength, which was a bug.

Also fixed length calculation on some rdstls pdu types.
Joan Torres 2023-03-08 17:56:41 +01:00 committed by Martin Fleisz
parent b469f53c43
commit 5bcc5326d0
2 changed files with 12 additions and 7 deletions


@ -908,18 +908,19 @@ static SSIZE_T rdstls_parse_pdu_data_type(wLog* log, UINT16 dataType, wStream* s
return 0; return 0;
Stream_Read_UINT16(s, passwordLength); Stream_Read_UINT16(s, passwordLength);
if (!Stream_SafeSeek(s, passwordLength)) return Stream_GetPosition(s) + passwordLength;
return 0;
return Stream_GetPosition(s) + 2ull;
} }
case RDSTLS_DATA_AUTORECONNECT_COOKIE: case RDSTLS_DATA_AUTORECONNECT_COOKIE:
{ {
SSIZE_T pduLength; if (!Stream_SafeSeek(s, 4))
return 0;
UINT16 cookieLength;
if (Stream_GetRemainingLength(s) < 2) if (Stream_GetRemainingLength(s) < 2)
return 0; return 0;
Stream_Read_UINT16(s, pduLength); Stream_Read_UINT16(s, cookieLength);
return pduLength + 12u;
return 12u + cookieLength;
} }
default: default:
WLog_Print(log, WLOG_ERROR, "invalid RDSLTS dataType"); WLog_Print(log, WLOG_ERROR, "invalid RDSLTS dataType");
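Review bot: The autoreconnect-cookie branch returns the hard-coded `12u + cookieLength`, while the password branch just above returns `Stream_GetPosition(s) + passwordLength`; the constant is correct only if the PDU began at stream offset 0 and exactly six header bytes were consumed before this function, neither of which is visible here. Writing `return Stream_GetPosition(s) + cookieLength;` after the read would give the same value under that assumption, drop the magic number and keep the two branches consistent. Both length fields come straight off the wire, so a short comment on each return saying that the value is the total expected PDU size, not a count of validated bytes, would help the next reader. The `default:` log string spells the protocol `RDSLTS`, which a log search for RDSTLS will miss. The switch starts before the hunk and continues after it.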


@ -854,7 +854,11 @@ SSIZE_T transport_parse_pdu(rdpTransport* transport, wStream* s, BOOL* incomplet
} }
} }
else if (transport->RdstlsMode) else if (transport->RdstlsMode)
{
pduLength = rdstls_parse_pdu(transport->log, s); pduLength = rdstls_parse_pdu(transport->log, s);
if (pduLength <= 0)
return pduLength;
}
else else
{ {
UINT8 version; UINT8 version;
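Review bot: The new early exit `if (pduLength <= 0) return pduLength;` sends both "not enough bytes yet" and "malformed PDU" down one path without a comment saying which value means what. From the other file in this commit, 0 appears to mean the stream is too short; a negative value presumably signals an invalid PDU, though that return is not visible. A comment such as `/* 0: need more data, < 0: invalid RDSTLS PDU */` above the check would document the contract. Since the return skips the rest of transport_parse_pdu, which lies outside the hunk, it is worth confirming that `*incomplete` has already been set to a sensible value before this branch so a caller never reads it unassigned after a 0 return.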