Fixed tsg abort condition.

This commit is contained in:
Armin Novak 2018-10-18 10:15:51 +02:00
parent 88d310ff2c
commit dc197d4dd1

View File

@ -229,6 +229,22 @@ struct rdp_tsg
TSG_PACKET_VERSIONCAPS packetVersionCaps;
};
static BOOL tsg_stream_align(wStream* s)
{
size_t pos;
size_t offset = 0;
if (!s)
return FALSE;
pos = Stream_GetPosition(s);
if ((pos % 4) != 0)
offset = 4 - pos % 4;
return Stream_SafeSeek(s, offset);
}
static BIO_METHOD* BIO_s_tsg(void);
/**
* RPC Functions: http://msdn.microsoft.com/en-us/library/windows/desktop/aa378623/
@ -559,12 +575,8 @@ static BOOL TsProxyCreateTunnelReadResponse(rdpTsg* tsg, RPC_PDU* pdu,
goto fail;
/* 4-byte alignment */
{
UINT32 offset = Stream_GetPosition(pdu->s);
if (!Stream_SafeSeek(pdu->s, rpc_offset_align(&offset, 4)))
goto fail;
}
if (!tsg_stream_align(pdu->s))
goto fail;
}
else
{
@ -600,17 +612,11 @@ static BOOL TsProxyCreateTunnelReadResponse(rdpTsg* tsg, RPC_PDU* pdu,
Stream_Read_UINT16(pdu->s, versionCaps->minorVersion); /* MinorVersion (2 bytes) */
Stream_Read_UINT16(pdu->s,
versionCaps->quarantineCapabilities); /* QuarantineCapabilities (2 bytes) */
/* 4-byte alignment */
{
size_t loffset = Stream_GetPosition(pdu->s);
UINT32 offset = (UINT32) loffset;
if (!tsg_stream_align(pdu->s))
goto fail;
if (loffset > UINT32_MAX)
goto fail;
if (!Stream_SafeSeek(pdu->s, rpc_offset_align(&offset, 4)))
goto fail;
}
tsgCaps = (PTSG_PACKET_CAPABILITIES) calloc(1, sizeof(TSG_PACKET_CAPABILITIES));
if (!tsgCaps)
@ -670,14 +676,7 @@ static BOOL TsProxyCreateTunnelReadResponse(rdpTsg* tsg, RPC_PDU* pdu,
case TSG_ASYNC_MESSAGE_REAUTH:
{
size_t loffset = Stream_GetPosition(pdu->s);
UINT32 offset = (UINT32)loffset;
if (loffset > UINT32_MAX)
goto fail;
if (!Stream_SafeSeek(pdu->s, rpc_offset_align(&offset, 8) ||
(Stream_GetRemainingLength(pdu->s) < 8)))
if (!tsg_stream_align(pdu->s))
goto fail;
Stream_Seek_UINT64(pdu->s); /* TunnelContext (8 bytes) */
@ -689,12 +688,8 @@ static BOOL TsProxyCreateTunnelReadResponse(rdpTsg* tsg, RPC_PDU* pdu,
goto fail;
}
{
UINT32 offset = Stream_GetPosition(pdu->s);
if (!Stream_SafeSeek(pdu->s, rpc_offset_align(&offset, 4)))
goto fail;
}
if (!tsg_stream_align(pdu->s))
goto fail;
/* TunnelContext (20 bytes) */
if (Stream_GetRemainingLength(pdu->s) < 24)
@ -744,12 +739,8 @@ static BOOL TsProxyCreateTunnelReadResponse(rdpTsg* tsg, RPC_PDU* pdu,
goto fail;
/* 4-byte alignment */
{
UINT32 offset = Stream_GetPosition(pdu->s);
if (!Stream_SafeSeek(pdu->s, rpc_offset_align(&offset, 4)))
goto fail;
}
if (!tsg_stream_align(pdu->s))
goto fail;
}
else
{
@ -785,13 +776,10 @@ static BOOL TsProxyCreateTunnelReadResponse(rdpTsg* tsg, RPC_PDU* pdu,
Stream_Read_UINT16(pdu->s, versionCaps->majorVersion); /* MinorVersion (2 bytes) */
Stream_Read_UINT16(pdu->s,
versionCaps->quarantineCapabilities); /* QuarantineCapabilities (2 bytes) */
/* 4-byte alignment */
{
UINT32 offset = Stream_GetPosition(pdu->s);
if (!Stream_SafeSeek(pdu->s, rpc_offset_align(&offset, 4)))
goto fail;
}
/* 4-byte alignment */
if (!tsg_stream_align(pdu->s))
goto fail;
if (Stream_GetRemainingLength(pdu->s) < 36)
goto fail;
@ -847,7 +835,7 @@ static BOOL TsProxyAuthorizeTunnelWriteRequest(rdpTsg* tsg, CONTEXT_HANDLE* tunn
count = _wcslen(tsg->MachineName) + 1;
rpc = tsg->rpc;
WLog_DBG(TAG, "TsProxyAuthorizeTunnelWriteRequest");
s = Stream_New(NULL, 1024);
s = Stream_New(NULL, 1024 + count * 2);
if (!s)
return FALSE;
@ -1735,10 +1723,10 @@ BOOL tsg_recv_pdu(rdpTsg* tsg, RPC_PDU* pdu)
BOOL tsg_check_event_handles(rdpTsg* tsg)
{
if (!rpc_client_in_channel_recv(tsg->rpc))
if (rpc_client_in_channel_recv(tsg->rpc) < 0)
return FALSE;
if (!rpc_client_out_channel_recv(tsg->rpc))
if (rpc_client_out_channel_recv(tsg->rpc) < 0)
return FALSE;
return TRUE;