From ceae1b87a5057f7d68eb0b7ee366e991038a0213 Mon Sep 17 00:00:00 2001
From: richterger
Date: Wed, 7 Aug 2013 07:58:34 +0200
Subject: [PATCH] Fixed memory corruption problems within client redirect

- set freed pointers to NULL to avoid double free
- realloc mppc to cleanly restart compression
- avoid releaseing StreamPool from already freed transport after client redirect
---
 libfreerdp/core/connection.c | 22 ++++++++++++++++++----
 libfreerdp/core/transport.c | 6 +++++-
 2 files changed, 23 insertions(+), 5 deletions(-)

diff --git a/libfreerdp/core/connection.c b/libfreerdp/core/connection.c
index 247494e07..9c4c3d756 100644
--- a/libfreerdp/core/connection.c
+++ b/libfreerdp/core/connection.c
@@ -194,24 +194,38 @@ BOOL rdp_client_redirect(rdpRdp* rdp)
 	rdp_client_disconnect(rdp);
 
 	/* FIXME: this is a subset of rdp_free */
+	/* --> this should really go into rdp.c */
 	crypto_rc4_free(rdp->rc4_decrypt_key);
+	rdp->rc4_decrypt_key = NULL ;
 	crypto_rc4_free(rdp->rc4_encrypt_key);
+	rdp->rc4_encrypt_key = NULL;
 	crypto_des3_free(rdp->fips_encrypt);
+	rdp->fips_encrypt = NULL ;
 	crypto_des3_free(rdp->fips_decrypt);
+	rdp->fips_decrypt = NULL ;
 	crypto_hmac_free(rdp->fips_hmac);
+	rdp->fips_hmac = NULL ;
+
+	free(settings->ServerRandom);
+	settings->ServerRandom = NULL ;
+	free(settings->ServerCertificate);
+	settings->ServerCertificate = NULL ;
+	free(settings->ClientAddress);
+	settings->ClientAddress = NULL ;
+
+	mppc_enc_free(rdp->mppc_enc);
+	mppc_dec_free(rdp->mppc_dec);
 	mcs_free(rdp->mcs);
 	nego_free(rdp->nego);
 	license_free(rdp->license);
 	transport_free(rdp->transport);
 
-	free(settings->ServerRandom);
-	free(settings->ServerCertificate);
-	free(settings->ClientAddress);
-
 	rdp->transport = transport_new(settings);
 	rdp->license = license_new(rdp);
 	rdp->nego = nego_new(rdp->transport);
 	rdp->mcs = mcs_new(rdp->transport);
+	rdp->mppc_dec = mppc_dec_new();
+	rdp->mppc_enc = mppc_enc_new(PROTO_RDP_50);
 
 	rdp->transport->layer = TRANSPORT_LAYER_TCP;
 	settings->RedirectedSessionId = redirection->sessionID;
diff --git a/libfreerdp/core/transport.c b/libfreerdp/core/transport.c
index 40885442b..0f29c6ca7 100644
--- a/libfreerdp/core/transport.c
+++ b/libfreerdp/core/transport.c
@@ -740,7 +740,11 @@ int transport_check_fds(rdpTransport** ptransport)
 		recv_status = transport->ReceiveCallback(transport, received, transport->ReceiveExtra);
 
-		Stream_Release(received);
+		if (transport == *ptransport)
+			/* transport might now have been freed by rdp_client_redirect and a new rdp->transport created */
+			/* so only release if still valid */
+			Stream_Release(received);
+
 
 		if (recv_status < 0)
 			status = -1;
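Review bot: The newly added `rdp->mppc_dec = mppc_dec_new();` and `rdp->mppc_enc = mppc_enc_new(PROTO_RDP_50);` near the end of the connection.c hunk store their results without a NULL check, so an allocation failure leaves a NULL codec in place for the next (de)compression call; the `transport_new`/`license_new`/`nego_new`/`mcs_new` results just above were already unchecked and `rdp->transport->layer` dereferences one of them on the very next line, so `rdp_client_redirect` should return FALSE on any of these failing rather than carry on. Separately, `transport_free(rdp->transport)` in this hunk still runs while `transport_check_fds` in transport.c may be mid-callback holding a stream from that transport's pool, and the `transport == *ptransport` identity check the transport.c hunk adds tells old and new apart only by address, so a replacement transport allocated at the same address would pass the check and `Stream_Release` would touch the freed stream. A more robust shape is to defer the redirect teardown until `transport_check_fds` has returned (for example record the redirect on `rdp` and run the free/new sequence from the caller), which also removes the need for the pointer comparison. The added `/* --> this should really go into rdp.c */` comment is right: keeping this teardown as a copy of `rdp_free` is how the two will drift apart again, so factoring the shared part into one helper in rdp.c is the durable fix. `rdp_client_redirect` begins before and ends after the hunk.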