Add checks for DR channel

David Fort 2017-10-02 21:28:02 +02:00
parent b624ecbfce
commit a132922376
6 changed files with 56 additions and 7 deletions


@ -561,6 +561,9 @@ BOOL drive_file_set_information(DRIVE_FILE* file, UINT32 FsInformationClass, UIN
switch (FsInformationClass) switch (FsInformationClass)
{ {
case FileBasicInformation: case FileBasicInformation:
if (Stream_GetRemainingLength(input) < 36)
return FALSE;
/* http://msdn.microsoft.com/en-us/library/cc232094.aspx */ /* http://msdn.microsoft.com/en-us/library/cc232094.aspx */
Stream_Read_UINT64(input, liCreationTime.QuadPart); Stream_Read_UINT64(input, liCreationTime.QuadPart);
Stream_Read_UINT64(input, liLastAccessTime.QuadPart); Stream_Read_UINT64(input, liLastAccessTime.QuadPart);
@ -620,6 +623,9 @@ BOOL drive_file_set_information(DRIVE_FILE* file, UINT32 FsInformationClass, UIN
/* http://msdn.microsoft.com/en-us/library/cc232067.aspx */ /* http://msdn.microsoft.com/en-us/library/cc232067.aspx */
case FileAllocationInformation: case FileAllocationInformation:
if (Stream_GetRemainingLength(input) < 8)
return FALSE;
/* http://msdn.microsoft.com/en-us/library/cc232076.aspx */ /* http://msdn.microsoft.com/en-us/library/cc232076.aspx */
Stream_Read_INT64(input, size); Stream_Read_INT64(input, size);
@ -656,7 +662,12 @@ BOOL drive_file_set_information(DRIVE_FILE* file, UINT32 FsInformationClass, UIN
break; /* TODO: SetLastError ??? */ break; /* TODO: SetLastError ??? */
if (Length) if (Length)
{
if (Stream_GetRemainingLength(input) < 1)
return FALSE;
Stream_Read_UINT8(input, delete_pending); Stream_Read_UINT8(input, delete_pending);
}
else else
delete_pending = 1; delete_pending = 1;
@ -676,13 +687,19 @@ BOOL drive_file_set_information(DRIVE_FILE* file, UINT32 FsInformationClass, UIN
break; break;
case FileRenameInformation: case FileRenameInformation:
if (Stream_GetRemainingLength(input) < 6)
return FALSE;
/* http://msdn.microsoft.com/en-us/library/cc232085.aspx */ /* http://msdn.microsoft.com/en-us/library/cc232085.aspx */
Stream_Read_UINT8(input, ReplaceIfExists); Stream_Read_UINT8(input, ReplaceIfExists);
Stream_Seek_UINT8(input); /* RootDirectory */ Stream_Seek_UINT8(input); /* RootDirectory */
Stream_Read_UINT32(input, FileNameLength); Stream_Read_UINT32(input, FileNameLength);
if (Stream_GetRemainingLength(input) < FileNameLength)
return FALSE;
fullpath = drive_file_combine_fullpath(file->basepath, (WCHAR*)Stream_Pointer(input), fullpath = drive_file_combine_fullpath(file->basepath, (WCHAR*)Stream_Pointer(input),
FileNameLength); FileNameLength);
if (!fullpath) if (!fullpath)
{ {
WLog_ERR(TAG, "drive_file_combine_fullpath failed!"); WLog_ERR(TAG, "drive_file_combine_fullpath failed!");
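Review bot: The FileRenameInformation guard `if (Stream_GetRemainingLength(input) < FileNameLength)` bounds the read, but nothing checks that FileNameLength is a multiple of sizeof(WCHAR) before Stream_Pointer(input) is handed to drive_file_combine_fullpath as a WCHAR*; if that helper treats the length as a byte count of UTF-16 units (its body is not visible here), an odd length leaves a dangling half code unit at the end of the name. A one-line tightening would be `if ((FileNameLength % sizeof(WCHAR)) != 0 || Stream_GetRemainingLength(input) < FileNameLength) return FALSE;`. The new short-input returns in every case are silent, whereas the existing failure path just below logs through WLog_ERR; a short WLog_WARN on those returns would make truncated or malformed PDUs diagnosable in the field instead of surfacing only as a generic failure. drive_file_set_information begins before the first hunk and continues past the last one.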


@ -274,10 +274,13 @@ static UINT drive_process_irp_read(DRIVE_DEVICE* drive, IRP* irp)
if (!drive || !irp || !irp->output || !irp->Complete) if (!drive || !irp || !irp->output || !irp->Complete)
return ERROR_INVALID_PARAMETER; return ERROR_INVALID_PARAMETER;
if (Stream_GetRemainingLength(irp->input) < 12)
return ERROR_INVALID_DATA;
Stream_Read_UINT32(irp->input, Length); Stream_Read_UINT32(irp->input, Length);
Stream_Read_UINT64(irp->input, Offset); Stream_Read_UINT64(irp->input, Offset);
file = drive_get_file_by_id(drive, irp->FileId);
file = drive_get_file_by_id(drive, irp->FileId);
if (!file) if (!file)
{ {
irp->IoStatus = STATUS_UNSUCCESSFUL; irp->IoStatus = STATUS_UNSUCCESSFUL;
@ -328,11 +331,14 @@ static UINT drive_process_irp_write(DRIVE_DEVICE* drive, IRP* irp)
if (!drive || !irp || !irp->input || !irp->output || !irp->Complete) if (!drive || !irp || !irp->input || !irp->output || !irp->Complete)
return ERROR_INVALID_PARAMETER; return ERROR_INVALID_PARAMETER;
if (Stream_GetRemainingLength(irp->input) < 32)
return ERROR_INVALID_DATA;
Stream_Read_UINT32(irp->input, Length); Stream_Read_UINT32(irp->input, Length);
Stream_Read_UINT64(irp->input, Offset); Stream_Read_UINT64(irp->input, Offset);
Stream_Seek(irp->input, 20); /* Padding */ Stream_Seek(irp->input, 20); /* Padding */
file = drive_get_file_by_id(drive, irp->FileId);
file = drive_get_file_by_id(drive, irp->FileId);
if (!file) if (!file)
{ {
irp->IoStatus = STATUS_UNSUCCESSFUL; irp->IoStatus = STATUS_UNSUCCESSFUL;
@ -367,9 +373,12 @@ static UINT drive_process_irp_query_information(DRIVE_DEVICE* drive, IRP* irp)
if (!drive || !irp || !irp->Complete) if (!drive || !irp || !irp->Complete)
return ERROR_INVALID_PARAMETER; return ERROR_INVALID_PARAMETER;
Stream_Read_UINT32(irp->input, FsInformationClass); if (Stream_GetRemainingLength(irp->input) < 4)
file = drive_get_file_by_id(drive, irp->FileId); return ERROR_INVALID_DATA;
Stream_Read_UINT32(irp->input, FsInformationClass);
file = drive_get_file_by_id(drive, irp->FileId);
if (!file) if (!file)
{ {
irp->IoStatus = STATUS_UNSUCCESSFUL; irp->IoStatus = STATUS_UNSUCCESSFUL;
@ -396,11 +405,14 @@ static UINT drive_process_irp_set_information(DRIVE_DEVICE* drive, IRP* irp)
if (!drive || !irp || !irp->Complete || !irp->input || !irp->output) if (!drive || !irp || !irp->Complete || !irp->input || !irp->output)
return ERROR_INVALID_PARAMETER; return ERROR_INVALID_PARAMETER;
if (Stream_GetRemainingLength(irp->input) < 32)
return ERROR_INVALID_DATA;
Stream_Read_UINT32(irp->input, FsInformationClass); Stream_Read_UINT32(irp->input, FsInformationClass);
Stream_Read_UINT32(irp->input, Length); Stream_Read_UINT32(irp->input, Length);
Stream_Seek(irp->input, 24); /* Padding */ Stream_Seek(irp->input, 24); /* Padding */
file = drive_get_file_by_id(drive, irp->FileId);
file = drive_get_file_by_id(drive, irp->FileId);
if (!file) if (!file)
{ {
irp->IoStatus = STATUS_UNSUCCESSFUL; irp->IoStatus = STATUS_UNSUCCESSFUL;
@ -442,6 +454,9 @@ static UINT drive_process_irp_query_volume_information(DRIVE_DEVICE* drive,
if (!drive || !irp) if (!drive || !irp)
return ERROR_INVALID_PARAMETER; return ERROR_INVALID_PARAMETER;
if (Stream_GetRemainingLength(irp->input) < 4)
return ERROR_INVALID_DATA;
Stream_Read_UINT32(irp->input, FsInformationClass); Stream_Read_UINT32(irp->input, FsInformationClass);
GetDiskFreeSpaceW(drive->path, &lpSectorsPerCluster, &lpBytesPerSector, &lpNumberOfFreeClusters, GetDiskFreeSpaceW(drive->path, &lpSectorsPerCluster, &lpBytesPerSector, &lpNumberOfFreeClusters,
&lpTotalNumberOfClusters); &lpTotalNumberOfClusters);
@ -574,7 +589,11 @@ static UINT drive_process_irp_silent_ignore(DRIVE_DEVICE* drive, IRP* irp)
if (!drive || !irp || !irp->output || !irp->Complete) if (!drive || !irp || !irp->output || !irp->Complete)
return ERROR_INVALID_PARAMETER; return ERROR_INVALID_PARAMETER;
if (Stream_GetRemainingLength(irp->input) < 4)
return ERROR_INVALID_DATA;
Stream_Read_UINT32(irp->input, FsInformationClass); Stream_Read_UINT32(irp->input, FsInformationClass);
Stream_Write_UINT32(irp->output, 0); /* Length */ Stream_Write_UINT32(irp->output, 0); /* Length */
return irp->Complete(irp); return irp->Complete(irp);
} }
@ -595,13 +614,16 @@ static UINT drive_process_irp_query_directory(DRIVE_DEVICE* drive, IRP* irp)
if (!drive || !irp || !irp->Complete) if (!drive || !irp || !irp->Complete)
return ERROR_INVALID_PARAMETER; return ERROR_INVALID_PARAMETER;
if (Stream_GetRemainingLength(irp->input) < 32)
return ERROR_INVALID_DATA;
Stream_Read_UINT32(irp->input, FsInformationClass); Stream_Read_UINT32(irp->input, FsInformationClass);
Stream_Read_UINT8(irp->input, InitialQuery); Stream_Read_UINT8(irp->input, InitialQuery);
Stream_Read_UINT32(irp->input, PathLength); Stream_Read_UINT32(irp->input, PathLength);
Stream_Seek(irp->input, 23); /* Padding */ Stream_Seek(irp->input, 23); /* Padding */
path = (WCHAR*) Stream_Pointer(irp->input); path = (WCHAR*) Stream_Pointer(irp->input);
file = drive_get_file_by_id(drive, irp->FileId);
file = drive_get_file_by_id(drive, irp->FileId);
if (file == NULL) if (file == NULL)
{ {
irp->IoStatus = STATUS_UNSUCCESSFUL; irp->IoStatus = STATUS_UNSUCCESSFUL;
@ -756,11 +778,13 @@ static void* drive_thread_func(void* arg)
irp = (IRP*) message.wParam; irp = (IRP*) message.wParam;
if (irp) if (irp)
{
if ((error = drive_process_irp(drive, irp))) if ((error = drive_process_irp(drive, irp)))
{ {
WLog_ERR(TAG, "drive_process_irp failed with error %"PRIu32"!", error); WLog_ERR(TAG, "drive_process_irp failed with error %"PRIu32"!", error);
break; break;
} }
}
} }
fail: fail:
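Review bot: In drive_process_irp_query_directory the new 32-byte guard covers only the fixed header; `path = (WCHAR*) Stream_Pointer(irp->input);` is still taken right after `Stream_Read_UINT32(irp->input, PathLength);` with no check that PathLength bytes remain, so a malformed IRP can leave `path` pointing past the end of the input buffer, while the FileRenameInformation case in drive_file_set_information in this same commit does check its FileNameLength against the remaining length. Add `if (Stream_GetRemainingLength(irp->input) < PathLength) return ERROR_INVALID_DATA;` after the `Stream_Seek(irp->input, 23);` padding skip. drive_process_irp_write has the same shape: its 32-byte check covers Length, Offset and padding but not the `Length` bytes of payload that presumably follow in irp->input, so if the body outside the hunk reads them from the stream, Length should also be compared against the remaining length. The parameter guards in drive_process_irp_query_information and drive_process_irp_silent_ignore test `!irp->Complete` but not `!irp->input`, unlike the read/write/set_information siblings, so the new Stream_GetRemainingLength(irp->input) calls there rely on the caller never passing a NULL input stream. All of these functions start before their hunks, so the rest of their bodies is not visible here.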


@ -110,6 +110,7 @@ BOOL freerdp_channel_send(rdpRdp* rdp, UINT16 channelId, BYTE* data, int size)
Stream_Write(s, data, chunkSize); Stream_Write(s, data, chunkSize);
WLog_DBG(TAG, "%s: sending data (flags=0x%x size=%d)", __FUNCTION__, flags, size);
if (!rdp_send(rdp, s, channelId)) if (!rdp_send(rdp, s, channelId))
{ {
Stream_Release(s); Stream_Release(s);
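Review bot: The new WLog_DBG in freerdp_channel_send reports `size` while the write immediately above it sends `chunkSize`; if this statement sits inside the per-chunk loop (the loop head is outside the hunk), the same total is repeated for every chunk and the log does not say how much actually went on the wire. Logging both, `WLog_DBG(TAG, "%s: sending data (flags=0x%x chunkSize=%d size=%d)", __FUNCTION__, flags, chunkSize, size);`, makes each line match the Stream_Write call. flags and chunkSize are declared outside the hunk; `%x` and `%d` are right for unsigned int and int, so confirm their declared types agree, and use the PRI* macros if they are fixed-width.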


@ -604,6 +604,7 @@ BOOL rdp_send_data_pdu(rdpRdp* rdp, wStream* s, BYTE type, UINT16 channel_id)
Stream_SetPosition(s, length); Stream_SetPosition(s, length);
Stream_SealLength(s); Stream_SealLength(s);
WLog_DBG(TAG, "%s: sending data (type=0x%x size=%d channelId)", __FUNCTION__, type, Stream_Length(s), channel_id);
if (transport_write(rdp->transport, s) < 0) if (transport_write(rdp->transport, s) < 0)
return FALSE; return FALSE;
@ -1224,6 +1225,7 @@ static int rdp_recv_tpkt_pdu(rdpRdp* rdp, wStream* s)
case PDU_TYPE_FLOW_RESPONSE: case PDU_TYPE_FLOW_RESPONSE:
case PDU_TYPE_FLOW_STOP: case PDU_TYPE_FLOW_STOP:
case PDU_TYPE_FLOW_TEST: case PDU_TYPE_FLOW_TEST:
WLog_DBG(TAG, "flow message 0x%04"PRIX16"", pduType);
break; break;
default: default:
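Review bot: The new WLog_DBG in rdp_send_data_pdu has three conversions but four arguments, so `channel_id` is never printed (the trailing text "channelId" carries no specifier), and `Stream_Length(s)` yields a size_t that is passed to `%d`, a format mismatch that -Wformat will flag and that is undefined behaviour on platforms where the widths differ. Change it to `WLog_DBG(TAG, "%s: sending data (type=0x%x size=%"PRIuz" channelId=%"PRIu16")", __FUNCTION__, type, Stream_Length(s), channel_id);` (the file already uses the PRI* macros, see the PRIX16 in the rdp_recv_tpkt_pdu hunk below). Both rdp_send_data_pdu and rdp_recv_tpkt_pdu begin outside their hunks.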


@ -592,6 +592,7 @@ BOOL security_key_update(BYTE* key, BYTE* update_key, int key_len, rdpRdp* rdp)
BYTE salt[] = { 0xD1, 0x26, 0x9E }; /* 40 bits: 3 bytes, 56 bits: 1 byte */ BYTE salt[] = { 0xD1, 0x26, 0x9E }; /* 40 bits: 3 bytes, 56 bits: 1 byte */
BOOL result = FALSE; BOOL result = FALSE;
WLog_DBG(TAG, "updating RDP key");
if (!(sha1 = winpr_Digest_New())) if (!(sha1 = winpr_Digest_New()))
goto out; goto out;
if (!winpr_Digest_Init(sha1, WINPR_MD_SHA1)) if (!winpr_Digest_Init(sha1, WINPR_MD_SHA1))


@ -562,6 +562,10 @@ BOOL update_recv(rdpUpdate* update, wStream* s)
update_read_synchronize(update, s); update_read_synchronize(update, s);
IFCALL(update->Synchronize, context); IFCALL(update->Synchronize, context);
break; break;
default:
WLog_ERR(TAG, "unknown update type %"PRIu16"", updateType);
break;
} }
IFCALL(update->EndPaint, context); IFCALL(update->EndPaint, context);