libfreerdp-core: don't add sec_bytes in fastpath_send_input_pdu

fastpath_input_pdu_init already reserved space for fastpath_get_sec_bytes()
which thus already was included in stream_get_length() in
fastpath_send_input_pdu(). Adding sec_bytes again just added extra invalid (but
correctly hashed/encrypted) bytes to the PDU.

libfreerdp-core/fastpath.c

@@ -553,23 +553,25 @@ boolean fastpath_send_input_pdu(rdpFastPath* fastpath, STREAM* s)
 	 * because we can leave room for fixed-length header, store all
 	 * the data first and then store the header.
 	 */
-	stream_write_uint16_be(s, 0x8000 | (length + sec_bytes));
+	stream_write_uint16_be(s, 0x8000 | length);
 
 	if (sec_bytes > 0)
 	{
-		uint8* ptr;
+		uint8* fpInputEvents;
+		uint16 fpInputEvents_length;
 
-		ptr = stream_get_tail(s) + sec_bytes;
+		fpInputEvents = stream_get_tail(s) + sec_bytes;
+		fpInputEvents_length = length - 3 - sec_bytes;
 		if (rdp->sec_flags & SEC_SECURE_CHECKSUM)
-			security_salted_mac_signature(rdp, ptr, length - 3, true, stream_get_tail(s));
+			security_salted_mac_signature(rdp, fpInputEvents, fpInputEvents_length, true, stream_get_tail(s));
 		else
-			security_mac_signature(rdp, ptr, length - 3, stream_get_tail(s));
+			security_mac_signature(rdp, fpInputEvents, fpInputEvents_length, stream_get_tail(s));
-		security_encrypt(ptr, length - 3, rdp);
+		security_encrypt(fpInputEvents, fpInputEvents_length, rdp);
 	}
 
 	rdp->sec_flags = 0;
 
-	stream_set_pos(s, length + sec_bytes);
+	stream_set_pos(s, length);
 	if (transport_write(fastpath->rdp->transport, s) < 0)
 		return false;