From b40e20ce8578e51f08a6620b3f0ff882c623f6cf Mon Sep 17 00:00:00 2001
From: Armin Novak <armin.novak@thincast.com>
Date: Mon, 5 Jun 2023 15:16:52 +0200
Subject: [PATCH] [gateway,rdg] fix a leak and NULL access in RDG

---
 libfreerdp/core/gateway/rdg.c | 12 +++++++++---
 1 file changed, 9 insertions(+), 3 deletions(-)

diff --git a/libfreerdp/core/gateway/rdg.c b/libfreerdp/core/gateway/rdg.c
index 59e084955..b057c5207 100644
--- a/libfreerdp/core/gateway/rdg.c
+++ b/libfreerdp/core/gateway/rdg.c
@@ -571,6 +571,9 @@ static BOOL rdg_websocket_reply_close(BIO* bio, wStream* s)
 		closeDataLen = 2;
 
 	closeFrame = Stream_New(NULL, 6 + closeDataLen);
+	if (!closeFrame)
+		return FALSE;
+
 	Stream_Write_UINT8(closeFrame, WEBSOCKET_FIN_BIT | WebsocketPongOpcode);
 	Stream_Write_UINT8(closeFrame, closeDataLen | WEBSOCKET_MASK_BIT); /* no payload */
 	winpr_RAND((BYTE*)&maskingKey1, 2);
@@ -607,6 +610,9 @@ static BOOL rdg_websocket_reply_pong(BIO* bio, wStream* s)
 		return rdg_write_websocket(bio, s, WebsocketPongOpcode);
 
 	closeFrame = Stream_New(NULL, 6);
+	if (!closeFrame)
+		return FALSE;
+
 	Stream_Write_UINT8(closeFrame, WEBSOCKET_FIN_BIT | WebsocketPongOpcode);
 	Stream_Write_UINT8(closeFrame, 0 | WEBSOCKET_MASK_BIT); /* no payload */
 	winpr_RAND((BYTE*)&maskingKey, 4);
@@ -615,6 +621,7 @@ static BOOL rdg_websocket_reply_pong(BIO* bio, wStream* s)
 
 	ERR_clear_error();
 	status = BIO_write(bio, Stream_Buffer(closeFrame), Stream_Length(closeFrame));
+	Stream_Free(closeFrame, TRUE);
 
 	if (status < 0)
 		return FALSE;
@@ -977,9 +984,8 @@ static wStream* rdg_receive_packet(rdpRdg* rdg)
 
 static BOOL rdg_send_handshake(rdpRdg* rdg)
 {
-	wStream* s;
-	BOOL status;
-	s = Stream_New(NULL, 14);
+	BOOL status = FALSE;
+	wStream* s = Stream_New(NULL, 14);
 
 	if (!s)
 		return FALSE;