mirrors/FreeRDP
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Fixed RDP gateway types and use after free

Browse Source 
(cherry picked from commit 8c78e67425)
This commit is contained in:
akallabeth 2021-01-25 08:07:43 +01:00 committed by akallabeth
parent b3be5e49b3
commit 971341dd37
1 changed files with 21 additions and 23 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

44
libfreerdp/core/gateway/rdg.c
View File

@ -148,7 +148,7 @@ struct rdp_rdg
int timeout; int timeout;
UINT16 extAuth; UINT16 extAuth;
UINT16 reserved2; UINT16 reserved2;
rdg_http_encoding_context* transferEncoding; rdg_http_encoding_context transferEncoding;
}; };
enum enum
@ -484,7 +484,7 @@ static wStream* rdg_receive_packet(rdpRdg* rdg)
if (!s) if (!s)
return NULL; return NULL;
if (!rdg_read_all(rdg->tlsOut, Stream_Buffer(s), header, rdg->transferEncoding)) if (!rdg_read_all(rdg->tlsOut, Stream_Buffer(s), header, &rdg->transferEncoding))
{ {
Stream_Free(s, TRUE); Stream_Free(s, TRUE);
return NULL; return NULL;
@ -501,7 +501,7 @@ static wStream* rdg_receive_packet(rdpRdg* rdg)
} }
if (!rdg_read_all(rdg->tlsOut, Stream_Buffer(s) + header, (int)packetLength - (int)header, if (!rdg_read_all(rdg->tlsOut, Stream_Buffer(s) + header, (int)packetLength - (int)header,
rdg->transferEncoding)) &rdg->transferEncoding))
{ {
Stream_Free(s, TRUE); Stream_Free(s, TRUE);
return NULL; return NULL;
@ -1321,6 +1321,7 @@ static BOOL rdg_establish_data_connection(rdpRdg* rdg, rdpTls* tls, const char*
long statusCode; long statusCode;
SSIZE_T bodyLength; SSIZE_T bodyLength;
long StatusCode; long StatusCode;
TRANSFER_ENCODING encoding;
if (!rdg_tls_connect(rdg, tls, peerAddress, timeout)) if (!rdg_tls_connect(rdg, tls, peerAddress, timeout))
return FALSE; return FALSE;
@ -1377,6 +1378,7 @@ static BOOL rdg_establish_data_connection(rdpRdg* rdg, rdpTls* tls, const char*
statusCode = http_response_get_status_code(response); statusCode = http_response_get_status_code(response);
bodyLength = http_response_get_body_length(response); bodyLength = http_response_get_body_length(response);
encoding = http_response_get_transfer_encoding(response);
http_response_free(response); http_response_free(response);
WLog_DBG(TAG, "%s authorization result: %d", method, statusCode); WLog_DBG(TAG, "%s authorization result: %d", method, statusCode);
@ -1393,17 +1395,17 @@ static BOOL rdg_establish_data_connection(rdpRdg* rdg, rdpTls* tls, const char*
if (strcmp(method, "RDG_OUT_DATA") == 0) if (strcmp(method, "RDG_OUT_DATA") == 0)
{ {
if (http_response_get_transfer_encoding(response) == TransferEncodingChunked) if (encoding == TransferEncodingChunked)
{ {
rdg->transferEncoding->httpTransferEncoding = TransferEncodingChunked; rdg->transferEncoding.httpTransferEncoding = TransferEncodingChunked;
rdg->transferEncoding->context.chunked = (rdg_http_encoding_chunked_context*)calloc( rdg->transferEncoding.context.chunked = (rdg_http_encoding_chunked_context*)calloc(
1, sizeof(rdg_http_encoding_chunked_context)); 1, sizeof(rdg_http_encoding_chunked_context));
rdg->transferEncoding->context.chunked->nextOffset = 0; rdg->transferEncoding.context.chunked->nextOffset = 0;
rdg->transferEncoding->context.chunked->headerFooterPos = 0; rdg->transferEncoding.context.chunked->headerFooterPos = 0;
rdg->transferEncoding->context.chunked->state = ChunkStateLenghHeader; rdg->transferEncoding.context.chunked->state = ChunkStateLenghHeader;
rdg->transferEncoding->context.chunked->lenBuffer = (char*)calloc(11, sizeof(char)); rdg->transferEncoding.context.chunked->lenBuffer = (char*)calloc(11, sizeof(char));
} }
if (!rdg_skip_seed_payload(tls, bodyLength, rdg->transferEncoding)) if (!rdg_skip_seed_payload(tls, bodyLength, &rdg->transferEncoding))
{ {
return FALSE; return FALSE;
} }
@ -1636,7 +1638,7 @@ static BOOL rdg_process_control_packet(rdpRdg* rdg, int type, size_t packetLengt
while (readCount < payloadSize) while (readCount < payloadSize)
{ {
status = rdg_socket_read(rdg->tlsOut->bio, Stream_Pointer(s), payloadSize - readCount, status = rdg_socket_read(rdg->tlsOut->bio, Stream_Pointer(s), payloadSize - readCount,
rdg->transferEncoding); &rdg->transferEncoding);
if (status <= 0) if (status <= 0)
{ {
@ -1710,7 +1712,7 @@ static int rdg_read_data_packet(rdpRdg* rdg, BYTE* buffer, int size)
{ {
status = rdg_socket_read(rdg->tlsOut->bio, (BYTE*)(&header) + readCount, status = rdg_socket_read(rdg->tlsOut->bio, (BYTE*)(&header) + readCount,
(int)sizeof(RdgPacketHeader) - (int)readCount, (int)sizeof(RdgPacketHeader) - (int)readCount,
rdg->transferEncoding); &rdg->transferEncoding);
if (status <= 0) if (status <= 0)
{ {
@ -1746,7 +1748,7 @@ static int rdg_read_data_packet(rdpRdg* rdg, BYTE* buffer, int size)
{ {
status = status =
rdg_socket_read(rdg->tlsOut->bio, (BYTE*)(&rdg->packetRemainingCount) + readCount, rdg_socket_read(rdg->tlsOut->bio, (BYTE*)(&rdg->packetRemainingCount) + readCount,
2 - (int)readCount, rdg->transferEncoding); 2 - (int)readCount, &rdg->transferEncoding);
if (status < 0) if (status < 0)
{ {
@ -1762,7 +1764,7 @@ static int rdg_read_data_packet(rdpRdg* rdg, BYTE* buffer, int size)
} }
readSize = (rdg->packetRemainingCount < size) ? rdg->packetRemainingCount : size; readSize = (rdg->packetRemainingCount < size) ? rdg->packetRemainingCount : size;
status = rdg_socket_read(rdg->tlsOut->bio, buffer, readSize, rdg->transferEncoding); status = rdg_socket_read(rdg->tlsOut->bio, buffer, readSize, &rdg->transferEncoding);
if (status <= 0) if (status <= 0)
{ {
@ -2027,10 +2029,7 @@ rdpRdg* rdg_new(rdpContext* context)
BIO_set_data(rdg->frontBio, rdg); BIO_set_data(rdg->frontBio, rdg);
InitializeCriticalSection(&rdg->writeSection); InitializeCriticalSection(&rdg->writeSection);
rdg->transferEncoding = rdg->transferEncoding.httpTransferEncoding = TransferEncodingIdentity;
(rdg_http_encoding_context*)calloc(1, sizeof(rdg_http_encoding_context));
rdg->transferEncoding->httpTransferEncoding = TransferEncodingIdentity;
} }
return rdg; return rdg;
@ -2054,12 +2053,11 @@ void rdg_free(rdpRdg* rdg)
DeleteCriticalSection(&rdg->writeSection); DeleteCriticalSection(&rdg->writeSection);
if (rdg->transferEncoding->httpTransferEncoding == TransferEncodingChunked) if (rdg->transferEncoding.httpTransferEncoding == TransferEncodingChunked)
{ {
free(rdg->transferEncoding->context.chunked->lenBuffer); free(rdg->transferEncoding.context.chunked->lenBuffer);
free(rdg->transferEncoding->context.chunked); free(rdg->transferEncoding.context.chunked);
} }
free(rdg->transferEncoding);
free(rdg); free(rdg);
} }