libfreerdp-core: fix potential crash on session redirection failure

libfreerdp/core/capabilities.c

@@ -3486,14 +3486,16 @@ BOOL rdp_recv_demand_active(rdpRdp* rdp, wStream* s)
 		return FALSE;
 	}
 
-	rdp->settings->PduSource = pduSource;
-
 	if (pduType != PDU_TYPE_DEMAND_ACTIVE)
 	{
-		fprintf(stderr, "expected PDU_TYPE_DEMAND_ACTIVE %04x, got %04x\n", PDU_TYPE_DEMAND_ACTIVE, pduType);
+		if (pduType != PDU_TYPE_SERVER_REDIRECTION)
+			fprintf(stderr, "expected PDU_TYPE_DEMAND_ACTIVE %04x, got %04x\n", PDU_TYPE_DEMAND_ACTIVE, pduType);
+
 		return FALSE;
 	}
 
+	rdp->settings->PduSource = pduSource;
+
 	if (Stream_GetRemainingLength(s) < 8)
 		return FALSE;
 

libfreerdp/core/connection.c

@@ -179,6 +179,7 @@ BOOL rdp_client_connect(rdpRdp* rdp)
 	}
 
 	rdp->settingsCopy = freerdp_settings_clone(settings);
+
 	if (!rdp->settingsCopy)
 		return FALSE;
 

libfreerdp/core/rdp.c

@@ -1186,7 +1186,14 @@ void rdp_set_blocking_mode(rdpRdp* rdp, BOOL blocking)
 int rdp_check_fds(rdpRdp* rdp)
 {
 	int status;
+
 	status = transport_check_fds(rdp->transport);
+
+	if (status == 1)
+	{
+		status = rdp_client_redirect(rdp); /* session redirection */
+	}
+
 	return status;
 }
 

libfreerdp/core/redirection.c

@@ -314,7 +314,7 @@ BOOL rdp_recv_server_redirection_pdu(rdpRdp* rdp, wStream* s)
 	if (redirection->flags & LB_NOREDIRECT)
 		return 0;
 
-	return rdp_client_redirect(rdp);
+	return 1;
 }
 
 int rdp_recv_redirection_packet(rdpRdp* rdp, wStream* s)
@@ -346,12 +346,10 @@ rdpRedirection* redirection_new()
 {
 	rdpRedirection* redirection;
 
-	redirection = (rdpRedirection*) malloc(sizeof(rdpRedirection));
+	redirection = (rdpRedirection*) calloc(1, sizeof(rdpRedirection));
 
 	if (redirection)
 	{
-		ZeroMemory(redirection, sizeof(rdpRedirection));
-
 		WLog_Init();
 		redirection->log = WLog_Get("com.freerdp.core.redirection");
 

libfreerdp/core/transport.c

@@ -1079,20 +1079,15 @@ int transport_check_fds(rdpTransport* transport)
 
 		recv_status = transport->ReceiveCallback(transport, received, transport->ReceiveExtra);
 
-		if (recv_status == 1)
-		{
-			/**
-			 * Last call to ReceiveCallback resulted in a session redirection,
-			 * which means the current rdpTransport* transport pointer has been freed.
-			 * Return 0 for success, the rest of this function is meant for non-redirected cases.
-			 */
-			return 0;
-		}
-
 		Stream_Release(received);
 
 		if (recv_status < 0)
 			return -1;
+
+		if (recv_status == 1)
+		{
+			return 1; /* session redirection */
+		}
 	}
 
 	return 0;

winpr/libwinpr/utils/collections/StreamPool.c

@@ -324,26 +324,28 @@ wStreamPool* StreamPool_New(BOOL synchronized, size_t defaultSize)
 {
 	wStreamPool* pool = NULL;
 
-	pool = (wStreamPool*) malloc(sizeof(wStreamPool));
+	pool = (wStreamPool*) calloc(1, sizeof(wStreamPool));
 
 	if (pool)
 	{
-		ZeroMemory(pool, sizeof(wStreamPool));
-
 		pool->synchronized = synchronized;
 		pool->defaultSize = defaultSize;
 
-		InitializeCriticalSectionAndSpinCount(&pool->lock, 4000);
-
 		pool->aSize = 0;
 		pool->aCapacity = 32;
-		pool->aArray = (wStream**) malloc(sizeof(wStream*) * pool->aCapacity);
-		ZeroMemory(pool->aArray, sizeof(wStream*) * pool->aCapacity);
+		pool->aArray = (wStream**) calloc(pool->aCapacity, sizeof(wStream*));
+
+		if (!pool->aArray)
+			return NULL;
 
 		pool->uSize = 0;
 		pool->uCapacity = 32;
-		pool->uArray = (wStream**) malloc(sizeof(wStream*) * pool->uCapacity);
-		ZeroMemory(pool->uArray, sizeof(wStream*) * pool->uCapacity);
+		pool->uArray = (wStream**) calloc(pool->uCapacity, sizeof(wStream*));
+
+		if (!pool->uArray)
+			return NULL;
+
+		InitializeCriticalSectionAndSpinCount(&pool->lock, 4000);
 	}
 
 	return pool;