From 8479c824fd4de7ac998ca9b2fc287fb95e253c0a Mon Sep 17 00:00:00 2001
From: Armin Novak
Date: Wed, 1 Jul 2015 15:28:35 +0200
Subject: [PATCH 1/2] Fixed handling of optional TSPasswordCreds field.
---
 libfreerdp/core/nla.c | 34 ++++++++++++++++++++++------------
 1 file changed, 22 insertions(+), 12 deletions(-)
diff --git a/libfreerdp/core/nla.c b/libfreerdp/core/nla.c
index 8a47f329a..c2c742df3 100644
--- a/libfreerdp/core/nla.c
+++ b/libfreerdp/core/nla.c
@@ -916,15 +916,31 @@ BOOL nla_read_ts_password_creds(rdpNla* nla, wStream* s)
 return FALSE;
 }
- /* TSPasswordCreds (SEQUENCE) */
- if (!ber_read_sequence_tag(s, &length) ||
+ /* TSPasswordCreds (SEQUENCE)
+ * Initialise to default values. */
+ nla->identity->Flags = SEC_WINNT_AUTH_IDENTITY_UNICODE;
- /* [0] domainName (OCTET STRING) */
- !ber_read_contextual_tag(s, 0, &length, TRUE) ||
+ nla->identity->UserLength = (UINT32) 0;
+ nla->identity->User = NULL;
+
+ nla->identity->DomainLength = (UINT32) 0;
+ nla->identity->Domain = NULL;
+
+ nla->identity->Password = NULL;
+ nla->identity->PasswordLength = (UINT32) 0;
+
+ /* The sequence is empty, return early,
+ * TSPasswordCreds (SEQUENCE) is optional. */
+ if (!ber_read_sequence_tag(s, &length))
+ return TRUE;
+
+ /* [0] domainName (OCTET STRING) */
+ if (!ber_read_contextual_tag(s, 0, &length, TRUE) ||
 !ber_read_octet_string_tag(s, &length))
 {
 return FALSE;
 }
+
 nla->identity->DomainLength = (UINT32) length;
 if (nla->identity->DomainLength > 0)
 {
@@ -935,8 +951,6 @@ BOOL nla_read_ts_password_creds(rdpNla* nla, wStream* s)
 Stream_Seek(s, nla->identity->DomainLength);
 nla->identity->DomainLength /= 2;
 }
- else
- nla->identity->Domain = NULL;
 /* [1] userName (OCTET STRING) */
 if (!ber_read_contextual_tag(s, 1, &length, TRUE) ||
@@ -944,6 +958,7 @@ BOOL nla_read_ts_password_creds(rdpNla* nla, wStream* s)
 {
 return FALSE;
 }
+
 nla->identity->UserLength = (UINT32) length;
 if (nla->identity->UserLength > 0)
 {
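Review bot: The initialisation block at the top of the hunk overwrites `nla->identity->User`, `Domain` and `Password` with NULL without releasing what they pointed to, so if the identity can already own buffers when this decoder runs (not visible from the hunk) the previous allocations leak and an earlier password buffer is dropped without being cleared. If a fresh identity is a precondition, state it in the function's header comment, e.g. `/* Precondition: nla->identity owns no User/Domain/Password buffers on entry; the fields are reset, not freed. */`; if it is not, free the old buffers (and zero the old Password before freeing it) ahead of the reset. The `(UINT32) 0` casts on literal zeros add nothing and can be dropped. nla_read_ts_password_creds begins and ends outside this hunk.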
@@ -954,8 +969,6 @@ BOOL nla_read_ts_password_creds(rdpNla* nla, wStream* s)
 Stream_Seek(s, nla->identity->UserLength);
 nla->identity->UserLength /= 2;
 }
- else
- nla->identity->User = NULL;
 /* [2] password (OCTET STRING) */
 if (!ber_read_contextual_tag(s, 2, &length, TRUE) ||
@@ -963,6 +976,7 @@ BOOL nla_read_ts_password_creds(rdpNla* nla, wStream* s)
 {
 return FALSE;
 }
+
 nla->identity->PasswordLength = (UINT32) length;
 if (nla->identity->PasswordLength > 0)
 {
@@ -973,10 +987,6 @@ BOOL nla_read_ts_password_creds(rdpNla* nla, wStream* s)
 Stream_Seek(s, nla->identity->PasswordLength);
 nla->identity->PasswordLength /= 2;
 }
- else
- nla->identity->Password = NULL;
-
- nla->identity->Flags = SEC_WINNT_AUTH_IDENTITY_UNICODE;
 return TRUE;
 }
From 3a9db563fdd883d179aae7573d2b997b57a917bc Mon Sep 17 00:00:00 2001
From: Armin Novak
Date: Wed, 1 Jul 2015 16:05:11 +0200
Subject: [PATCH 2/2] NLA: Fixed length check.
---
 libfreerdp/core/nla.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/libfreerdp/core/nla.c b/libfreerdp/core/nla.c
index c2c742df3..88192b916 100644
--- a/libfreerdp/core/nla.c
+++ b/libfreerdp/core/nla.c
@@ -929,9 +929,12 @@ BOOL nla_read_ts_password_creds(rdpNla* nla, wStream* s)
 nla->identity->Password = NULL;
 nla->identity->PasswordLength = (UINT32) 0;
+ if (!ber_read_sequence_tag(s, &length))
+ return FALSE;
+
 /* The sequence is empty, return early,
 * TSPasswordCreds (SEQUENCE) is optional. */
- if (!ber_read_sequence_tag(s, &length))
+ if (length == 0)
 return TRUE;
 /* [0] domainName (OCTET STRING) */
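Review bot: The new `length == 0` early return makes nla_read_ts_password_creds() report TRUE with `User`, `Domain` and `Password` all NULL and every length 0, the same shape a decoded sequence of three empty strings produces, so callers cannot tell "no credentials supplied" from "empty credentials"; whether any caller of `nla->identity` depends on that distinction, or dereferences `User` unguarded, is not visible from this hunk. Document the outcome on the function (its header is outside the hunk), e.g. `/* Returns TRUE for an empty TSPasswordCreds: all identity fields are NULL/0 and callers must not assume a user name is present. */`. The sequence length read into `length` is also never bounded against the stream; unless `ber_read_sequence_tag()` already validates it (not visible here), add `if (Stream_GetRemainingLength(s) < length) return FALSE;` right after the tag read so a declared length larger than the remaining payload is rejected before the nested element reads. The function begins and ends outside the hunk.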