Merge pull request #2507 from nfedera/fix-2015-03-30-02

nego: fixed X.224 Connection Request PDU parsing
2015-03-30 08:23:40 -04:00 · 2015-03-30 08:23:40 -04:00 · 644fafab8e
commit 644fafab8e
parent aa2181dcf2 abeb79f2bb
1 changed files with 92 additions and 18 deletions
--- a/libfreerdp/core/nego.c
+++ b/libfreerdp/core/nego.c
@ -626,6 +626,95 @@ int nego_recv(rdpTransport* transport, wStream* s, void* extra)
 	return 0;
 }
 /**
 * Read optional routing token or cookie of X.224 Connection Request PDU.
 * @msdn{cc240470}
 * @param nego
 * @param s stream
 */
 static BOOL nego_read_request_token_or_cookie(rdpNego* nego, wStream* s)
 {
 	/* routingToken and cookie are optional and mutually exclusive!
 	 *
 	 * routingToken (variable): An optional and variable-length routing
 	 * token (used for load balancing) terminated by a 0x0D0A two-byte
 	 * sequence: (check [MSFT-SDLBTS] for details!)
 	 * Cookie:[space]msts=[ip address].[port].[reserved][\x0D\x0A]
 	 *
 	 * cookie (variable): An optional and variable-length ANSI character
 	 * string terminated by a 0x0D0A two-byte sequence:
 	 * Cookie:[space]mstshash=[ANSISTRING][\x0D\x0A]
 	 */
 	BYTE *str = NULL;
 	UINT16 crlf = 0;
 	int pos, len;
 	BOOL result = FALSE;
 	BOOL isToken = FALSE;
 	str = Stream_Pointer(s);
 	pos = Stream_GetPosition(s);
 	/* minimum length for cookie is 15 */
 	if (Stream_GetRemainingLength(s) < 15)
 		return TRUE;
 	if (!memcmp(Stream_Pointer(s), "Cookie: msts=", 13))
 	{
 		isToken = TRUE;
 		Stream_Seek(s, 13);
 	}
 	else
 	{
 		/* not a cookie, minimum length for token is 19 */
 		if (Stream_GetRemainingLength(s) < 19)
 			return TRUE;
 		if (memcmp(Stream_Pointer(s), "Cookie: mstshash=", 17))
 			return TRUE;
 		Stream_Seek(s, 17);
 	}
 	while (Stream_GetRemainingLength(s) >= 2)
 	{
 		Stream_Read_UINT16(s, crlf);
 		if (crlf == 0x0A0D)
 			break;
 		Stream_Rewind(s, 1);
 	}
 	if (crlf == 0x0A0D)
 	{
 		Stream_Rewind(s, 2);
 		len = Stream_GetPosition(s) - pos;
 		Stream_Write_UINT16(s, 0);
 		if (strlen((char*)str) == len)
 		{
 			if (isToken)
 				result = nego_set_routing_token(nego, str, len);
 			else
 				result = nego_set_cookie(nego, (char*)str);
 		}
 	}
 	if (!result)
 	{
 		Stream_SetPosition(s, pos);
 		WLog_ERR(TAG, "invalid %s received",
 			isToken ? "routing token" : "cookie");
 	}
 	else
 	{
 		WLog_DBG(TAG, "received %s [%s]",
 			isToken ? "routing token" : "cookie", str);
 	}
 	return result;
 }
 /**
 * Read protocol security negotiation request message.\n
 * @param nego
@ -635,7 +724,6 @@ int nego_recv(rdpTransport* transport, wStream* s, void* extra)
 BOOL nego_read_request(rdpNego* nego, wStream* s)
 {
 	BYTE li;
 	BYTE c;
 	BYTE type;
 	tpkt_read_header(s);
@ -649,24 +737,10 @@ BOOL nego_read_request(rdpNego* nego, wStream* s)
 		return FALSE;
 	}
-	if (Stream_GetRemainingLength(s) > 8)
+	if (!nego_read_request_token_or_cookie(nego, s))
 	{
-		/* Optional routingToken or cookie, ending with CR+LF */
+		WLog_ERR(TAG, "Failed to parse routing token or cookie.");
-		while (Stream_GetRemainingLength(s) > 0)
+		return FALSE;
 		{
 			Stream_Read_UINT8(s, c);
 			if (c != '\x0D')
 				continue;
 			Stream_Peek_UINT8(s, c);
 			if (c != '\x0A')
 				continue;
 			Stream_Seek_UINT8(s);
 			break;
 		}
 	}
 	if (Stream_GetRemainingLength(s) >= 8)