From dc197d4dd11608332975d521b797e50006a9eb7f Mon Sep 17 00:00:00 2001 From: Armin Novak Date: Thu, 18 Oct 2018 10:15:51 +0200 Subject: [PATCH] Fixed tsg abort condition. --- libfreerdp/core/gateway/tsg.c | 76 +++++++++++++++-------------------- 1 file changed, 32 insertions(+), 44 deletions(-) diff --git a/libfreerdp/core/gateway/tsg.c b/libfreerdp/core/gateway/tsg.c index 899743a68..8492e62f4 100644 --- a/libfreerdp/core/gateway/tsg.c +++ b/libfreerdp/core/gateway/tsg.c @@ -229,6 +229,22 @@ struct rdp_tsg TSG_PACKET_VERSIONCAPS packetVersionCaps; }; +static BOOL tsg_stream_align(wStream* s) +{ + size_t pos; + size_t offset = 0; + + if (!s) + return FALSE; + + pos = Stream_GetPosition(s); + + if ((pos % 4) != 0) + offset = 4 - pos % 4; + + return Stream_SafeSeek(s, offset); +} + static BIO_METHOD* BIO_s_tsg(void); /** * RPC Functions: http://msdn.microsoft.com/en-us/library/windows/desktop/aa378623/ @@ -559,12 +575,8 @@ static BOOL TsProxyCreateTunnelReadResponse(rdpTsg* tsg, RPC_PDU* pdu, goto fail; /* 4-byte alignment */ - { - UINT32 offset = Stream_GetPosition(pdu->s); - - if (!Stream_SafeSeek(pdu->s, rpc_offset_align(&offset, 4))) - goto fail; - } + if (!tsg_stream_align(pdu->s)) + goto fail; } else { @@ -600,17 +612,11 @@ static BOOL TsProxyCreateTunnelReadResponse(rdpTsg* tsg, RPC_PDU* pdu, Stream_Read_UINT16(pdu->s, versionCaps->minorVersion); /* MinorVersion (2 bytes) */ Stream_Read_UINT16(pdu->s, versionCaps->quarantineCapabilities); /* QuarantineCapabilities (2 bytes) */ + /* 4-byte alignment */ - { - size_t loffset = Stream_GetPosition(pdu->s); - UINT32 offset = (UINT32) loffset; + if (!tsg_stream_align(pdu->s)) + goto fail; - if (loffset > UINT32_MAX) - goto fail; - - if (!Stream_SafeSeek(pdu->s, rpc_offset_align(&offset, 4))) - goto fail; - } tsgCaps = (PTSG_PACKET_CAPABILITIES) calloc(1, sizeof(TSG_PACKET_CAPABILITIES)); if (!tsgCaps) @@ -670,14 +676,7 @@ static BOOL TsProxyCreateTunnelReadResponse(rdpTsg* tsg, RPC_PDU* pdu, case TSG_ASYNC_MESSAGE_REAUTH: { - size_t loffset = Stream_GetPosition(pdu->s); - UINT32 offset = (UINT32)loffset; - - if (loffset > UINT32_MAX) - goto fail; - - if (!Stream_SafeSeek(pdu->s, rpc_offset_align(&offset, 8) || - (Stream_GetRemainingLength(pdu->s) < 8))) + if (!tsg_stream_align(pdu->s)) goto fail; Stream_Seek_UINT64(pdu->s); /* TunnelContext (8 bytes) */ @@ -689,12 +688,8 @@ static BOOL TsProxyCreateTunnelReadResponse(rdpTsg* tsg, RPC_PDU* pdu, goto fail; } - { - UINT32 offset = Stream_GetPosition(pdu->s); - - if (!Stream_SafeSeek(pdu->s, rpc_offset_align(&offset, 4))) - goto fail; - } + if (!tsg_stream_align(pdu->s)) + goto fail; /* TunnelContext (20 bytes) */ if (Stream_GetRemainingLength(pdu->s) < 24) @@ -744,12 +739,8 @@ static BOOL TsProxyCreateTunnelReadResponse(rdpTsg* tsg, RPC_PDU* pdu, goto fail; /* 4-byte alignment */ - { - UINT32 offset = Stream_GetPosition(pdu->s); - - if (!Stream_SafeSeek(pdu->s, rpc_offset_align(&offset, 4))) - goto fail; - } + if (!tsg_stream_align(pdu->s)) + goto fail; } else { @@ -785,13 +776,10 @@ static BOOL TsProxyCreateTunnelReadResponse(rdpTsg* tsg, RPC_PDU* pdu, Stream_Read_UINT16(pdu->s, versionCaps->majorVersion); /* MinorVersion (2 bytes) */ Stream_Read_UINT16(pdu->s, versionCaps->quarantineCapabilities); /* QuarantineCapabilities (2 bytes) */ - /* 4-byte alignment */ - { - UINT32 offset = Stream_GetPosition(pdu->s); - if (!Stream_SafeSeek(pdu->s, rpc_offset_align(&offset, 4))) - goto fail; - } + /* 4-byte alignment */ + if (!tsg_stream_align(pdu->s)) + goto fail; if (Stream_GetRemainingLength(pdu->s) < 36) goto fail; @@ -847,7 +835,7 @@ static BOOL TsProxyAuthorizeTunnelWriteRequest(rdpTsg* tsg, CONTEXT_HANDLE* tunn count = _wcslen(tsg->MachineName) + 1; rpc = tsg->rpc; WLog_DBG(TAG, "TsProxyAuthorizeTunnelWriteRequest"); - s = Stream_New(NULL, 1024); + s = Stream_New(NULL, 1024 + count * 2); if (!s) return FALSE; @@ -1735,10 +1723,10 @@ BOOL tsg_recv_pdu(rdpTsg* tsg, RPC_PDU* pdu) BOOL tsg_check_event_handles(rdpTsg* tsg) { - if (!rpc_client_in_channel_recv(tsg->rpc)) + if (rpc_client_in_channel_recv(tsg->rpc) < 0) return FALSE; - if (!rpc_client_out_channel_recv(tsg->rpc)) + if (rpc_client_out_channel_recv(tsg->rpc) < 0) return FALSE; return TRUE;