From d15e80e2660bd3b01bb5c0d3a4af7aa8953bfbc8 Mon Sep 17 00:00:00 2001
From: akallabeth
Date: Fri, 21 Oct 2022 09:19:29 +0200
Subject: [PATCH] Fixed return of tpkt_verify_header
Allow detection of an error (e.g. not enough data in stream)
---
 libfreerdp/core/nego.c | 6 ++++--
 libfreerdp/core/peer.c | 7 +++++--
 libfreerdp/core/rdp.c | 7 +++++--
 libfreerdp/core/tpkt.c | 9 +++++----
 libfreerdp/core/tpkt.h | 2 +-
 5 files changed, 20 insertions(+), 11 deletions(-)
diff --git a/libfreerdp/core/nego.c b/libfreerdp/core/nego.c
index cae5dd967..29b618fbf 100644
--- a/libfreerdp/core/nego.c
+++ b/libfreerdp/core/nego.c
@@ -960,8 +960,10 @@ BOOL nego_send_negotiation_request(rdpNego* nego)
 em = Stream_GetPosition(s);
 Stream_SetPosition(s, bm);
- tpkt_write_header(s, (UINT16)length);
- tpdu_write_connection_request(s, (UINT16)length - 5);
+ if (!tpkt_write_header(s, (UINT16)length))
+ goto fail;
+ if (!tpdu_write_connection_request(s, (UINT16)length - 5))
+ goto fail;
 Stream_SetPosition(s, em);
 Stream_SealLength(s);
 rc = (transport_write(nego->transport, s) >= 0);
diff --git a/libfreerdp/core/peer.c b/libfreerdp/core/peer.c
index fe6301245..9f131f091 100644
--- a/libfreerdp/core/peer.c
+++ b/libfreerdp/core/peer.c
@@ -550,10 +550,13 @@ static int peer_recv_fastpath_pdu(freerdp_peer* client, wStream* s)
 static int peer_recv_pdu(freerdp_peer* client, wStream* s)
 {
- if (tpkt_verify_header(s))
+ int rc = tpkt_verify_header(s);
+ if (rc > 0)
 return peer_recv_tpkt_pdu(client, s);
- else
+ else if (rc == 0)
 return peer_recv_fastpath_pdu(client, s);
+ else
+ return rc;
 }
 static int peer_recv_callback_internal(rdpTransport* transport, wStream* s, void* extra)
diff --git a/libfreerdp/core/rdp.c b/libfreerdp/core/rdp.c
index b10aed05a..6946c4ab3 100644
--- a/libfreerdp/core/rdp.c
+++ b/libfreerdp/core/rdp.c
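Review bot: The `(UINT16)length` casts in both new `if` lines still truncate silently, so checking the writers' return values does not catch a request whose length no longer fits the 16-bit TPKT length field. The declaration of `length` is outside the hunk; if it is wider than 16 bits, a guard such as `if (length > UINT16_MAX) goto fail;` placed before `Stream_SetPosition(s, bm)` would reject the oversized request instead of sending a header whose length disagrees with the payload. nego_send_negotiation_request starts and ends outside the hunk, so what the `fail` label cleans up is not visible here.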
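Review bot: Nothing at the call site in peer_recv_pdu says what the three results of tpkt_verify_header mean, and the identical dispatch is repeated in rdp_recv_pdu in rdp.c. A one-line comment above the call in both places would keep the contract visible, for example `/* rc > 0: TPKT header, rc == 0: fast-path, rc < 0: too little data in the stream */`. The two copies also differ in `int rc` here versus `const int rc` in rdp.c; using `const int rc` in both keeps them aligned. How the negative value is treated afterwards is decided in the callers, which are outside these hunks.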
@@ -1592,10 +1592,13 @@ static int rdp_recv_fastpath_pdu(rdpRdp* rdp, wStream* s)
 static int rdp_recv_pdu(rdpRdp* rdp, wStream* s)
 {
- if (tpkt_verify_header(s))
+ const int rc = tpkt_verify_header(s);
+ if (rc > 0)
 return rdp_recv_tpkt_pdu(rdp, s);
- else
+ else if (rc == 0)
 return rdp_recv_fastpath_pdu(rdp, s);
+ else
+ return rc;
 }
 int rdp_recv_callback(rdpTransport* transport, wStream* s, void* extra)
diff --git a/libfreerdp/core/tpkt.c b/libfreerdp/core/tpkt.c
index e36c7f330..ff17925f2 100644
--- a/libfreerdp/core/tpkt.c
+++ b/libfreerdp/core/tpkt.c
@@ -65,18 +65,19 @@
 * @return BOOL
 */
-BOOL tpkt_verify_header(wStream* s)
+int tpkt_verify_header(wStream* s)
 {
 BYTE version;
- WINPR_ASSERT(s);
+ if (!Stream_CheckAndLogRequiredLength(TAG, s, 1))
+ return -1;
 Stream_Peek_UINT8(s, version);
 if (version == 3)
- return TRUE;
+ return 1;
 else
- return FALSE;
+ return 0;
 }
 /**
diff --git a/libfreerdp/core/tpkt.h b/libfreerdp/core/tpkt.h
index a604a455d..17fa756f5 100644
--- a/libfreerdp/core/tpkt.h
+++ b/libfreerdp/core/tpkt.h
@@ -28,7 +28,7 @@
 #define TPKT_HEADER_LENGTH 4
-FREERDP_LOCAL BOOL tpkt_verify_header(wStream* s);
+FREERDP_LOCAL int tpkt_verify_header(wStream* s);
 FREERDP_LOCAL BOOL tpkt_read_header(wStream* s, UINT16* length);
 FREERDP_LOCAL BOOL tpkt_write_header(wStream* s, UINT16 length);
 #define tpkt_ensure_stream_consumed(s, length) \
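Review bot: The doc comment above tpkt_verify_header in tpkt.c still reads `@return BOOL`, which no longer matches an `int` result that can be 1, 0 or -1. I would change it to `@return 1 for a TPKT header (version 3), 0 otherwise, -1 if the stream holds less than one byte`. This matters beyond documentation: any caller not touched by this patch that still tests the result as a boolean would treat -1 as a TPKT header, and if BOOL is an int typedef the compiler will not flag it, so the remaining call sites are worth checking. The removed `WINPR_ASSERT(s)` also means a NULL stream is now caught only if Stream_CheckAndLogRequiredLength handles it, which is not visible here.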