mirror of https://github.com/FreeRDP/FreeRDP
Merge pull request #1395 from richterger/client_redir
Fix memory corruption in client redirection
This commit is contained in:
Marc-André Moreau
commit
efff23acb5
|
|
@ -292,24 +292,38 @@ BOOL rdp_client_redirect(rdpRdp* rdp)
|
|||
rdp_client_disconnect(rdp);
|
||||
|
||||
/* FIXME: this is a subset of rdp_free */
|
||||
/* --> this should really go into rdp.c */
|
||||
crypto_rc4_free(rdp->rc4_decrypt_key);
|
||||
rdp->rc4_decrypt_key = NULL ;
|
||||
crypto_rc4_free(rdp->rc4_encrypt_key);
|
||||
rdp->rc4_encrypt_key = NULL;
|
||||
crypto_des3_free(rdp->fips_encrypt);
|
||||
rdp->fips_encrypt = NULL ;
|
||||
crypto_des3_free(rdp->fips_decrypt);
|
||||
rdp->fips_decrypt = NULL ;
|
||||
crypto_hmac_free(rdp->fips_hmac);
|
||||
rdp->fips_hmac = NULL ;
|
||||
|
||||
free(settings->ServerRandom);
|
||||
settings->ServerRandom = NULL ;
|
||||
free(settings->ServerCertificate);
|
||||
settings->ServerCertificate = NULL ;
|
||||
free(settings->ClientAddress);
|
||||
settings->ClientAddress = NULL ;
|
||||
|
||||
mppc_enc_free(rdp->mppc_enc);
|
||||
mppc_dec_free(rdp->mppc_dec);
|
||||
mcs_free(rdp->mcs);
|
||||
nego_free(rdp->nego);
|
||||
license_free(rdp->license);
|
||||
transport_free(rdp->transport);
|
||||
|
||||
free(settings->ServerRandom);
|
||||
free(settings->ServerCertificate);
|
||||
free(settings->ClientAddress);
|
||||
|
||||
rdp->transport = transport_new(settings);
|
||||
rdp->license = license_new(rdp);
|
||||
rdp->nego = nego_new(rdp->transport);
|
||||
rdp->mcs = mcs_new(rdp->transport);
|
||||
rdp->mppc_dec = mppc_dec_new();
|
||||
rdp->mppc_enc = mppc_enc_new(PROTO_RDP_50);
|
||||
|
||||
rdp->transport->layer = TRANSPORT_LAYER_TCP;
|
||||
settings->RedirectedSessionId = redirection->sessionID;
|
||||
|
|
|
|||
|
|
@ -739,7 +739,11 @@ int transport_check_fds(rdpTransport** ptransport)
|
|||
|
||||
recv_status = transport->ReceiveCallback(transport, received, transport->ReceiveExtra);
|
||||
|
||||
Stream_Release(received);
|
||||
if (transport == *ptransport)
|
||||
/* transport might now have been freed by rdp_client_redirect and a new rdp->transport created */
|
||||
/* so only release if still valid */
|
||||
Stream_Release(received);
|
||||
|
||||
|
||||
if (recv_status < 0)
|
||||
status = -1;
|
||||
|
|
|
|||
|
|
@ -44,7 +44,8 @@ void StreamPool_ShiftUsed(wStreamPool* pool, int index, int count)
|
|||
}
|
||||
else if (count < 0)
|
||||
{
|
||||
MoveMemory(&pool->uArray[index], &pool->uArray[index - count], (pool->uSize - index) * sizeof(wStream*));
|
||||
if (pool->uSize - index + count > 0)
|
||||
MoveMemory(&pool->uArray[index], &pool->uArray[index - count], (pool->uSize - index + count) * sizeof(wStream*));
|
||||
pool->uSize += count;
|
||||
}
|
||||
}
|
||||
|
|
@ -101,7 +102,8 @@ void StreamPool_ShiftAvailable(wStreamPool* pool, int index, int count)
|
|||
}
|
||||
else if (count < 0)
|
||||
{
|
||||
MoveMemory(&pool->aArray[index], &pool->aArray[index - count], (pool->aSize - index) * sizeof(wStream*));
|
||||
if (pool->aSize - index + count > 0)
|
||||
MoveMemory(&pool->aArray[index], &pool->aArray[index - count], (pool->aSize - index + count) * sizeof(wStream*));
|
||||
pool->aSize += count;
|
||||
}
|
||||
}
|
||||
|
|
|
|||
Loading…
Reference in New Issue