From fd27451768c398867ee626383fcd34c2f7c9b151 Mon Sep 17 00:00:00 2001
From: Jiajun Wang <account.github@me.jiajunw.com>
Date: Sat, 23 Feb 2019 00:31:42 +0800
Subject: [PATCH] Fixed TS_INFO_PACKET (#5275)

Those fields exclude the length of the mandatory null terminator:
* cbDomain
* cbUserName
* cbPassword
* cbAlternateShell
* cbWorkingDir
---
 libfreerdp/core/info.c | 23 ++++++++++++++++++++++-
 1 file changed, 22 insertions(+), 1 deletion(-)

diff --git a/libfreerdp/core/info.c b/libfreerdp/core/info.c
index 4f54d78cf..a985e3d20 100644
--- a/libfreerdp/core/info.c
+++ b/libfreerdp/core/info.c
@@ -772,6 +772,9 @@ static void rdp_write_info_packet(rdpRdp* rdp, wStream* s)
 		cbDomain = 0;
 	}
 
+	/* excludes (!) the length of the mandatory null terminator */
+	cbDomain = cbDomain >= 2 ? cbDomain - 2 : cbDomain;
+
 	if (!settings->RemoteAssistanceMode)
 	{
 		cbUserName = ConvertToUnicode(CP_UTF8, 0, settings->Username, -1, &userNameW, 0) * 2;
@@ -782,13 +785,16 @@ static void rdp_write_info_packet(rdpRdp* rdp, wStream* s)
 		cbUserName = ConvertToUnicode(CP_UTF8, 0, settings->Username, -1, &userNameW, 0) * 2;
 	}
 
+	/* excludes (!) the length of the mandatory null terminator */
+	cbUserName = cbUserName >= 2 ? cbUserName - 2 : cbUserName;
+
 	if (!settings->RemoteAssistanceMode)
 	{
 		if (settings->RedirectionPassword && settings->RedirectionPasswordLength > 0)
 		{
 			usedPasswordCookie = TRUE;
 			passwordW = (WCHAR*) settings->RedirectionPassword;
-			cbPassword = settings->RedirectionPasswordLength - 2; /* Strip double zero termination */
+			cbPassword = settings->RedirectionPasswordLength;
 		}
 		else
 		{
@@ -801,6 +807,9 @@ static void rdp_write_info_packet(rdpRdp* rdp, wStream* s)
 		cbPassword = ConvertToUnicode(CP_UTF8, 0, "*", -1, &passwordW, 0) * 2;
 	}
 
+	/* excludes (!) the length of the mandatory null terminator */
+	cbPassword = cbPassword >= 2 ? cbPassword - 2 : cbPassword;
+
 	if (!settings->RemoteAssistanceMode)
 	{
 		cbAlternateShell = ConvertToUnicode(CP_UTF8, 0, settings->AlternateShell, -1, &alternateShellW,
@@ -821,6 +830,9 @@ static void rdp_write_info_packet(rdpRdp* rdp, wStream* s)
 		}
 	}
 
+	/* excludes (!) the length of the mandatory null terminator */
+	cbAlternateShell = cbAlternateShell >= 2 ? cbAlternateShell - 2 : cbAlternateShell;
+
 	if (!settings->RemoteAssistanceMode)
 	{
 		cbWorkingDir = ConvertToUnicode(CP_UTF8, 0, settings->ShellWorkingDirectory, -1, &workingDirW,
@@ -833,6 +845,9 @@ static void rdp_write_info_packet(rdpRdp* rdp, wStream* s)
 		                                0) * 2;
 	}
 
+	/* excludes (!) the length of the mandatory null terminator */
+	cbWorkingDir = cbWorkingDir >= 2 ? cbWorkingDir - 2 : cbWorkingDir;
+
 	Stream_Write_UINT32(s, 0); /* CodePage (4 bytes) */
 	Stream_Write_UINT32(s, flags); /* flags (4 bytes) */
 	Stream_Write_UINT16(s, cbDomain); /* cbDomain (2 bytes) */
@@ -844,27 +859,33 @@ static void rdp_write_info_packet(rdpRdp* rdp, wStream* s)
 	if (cbDomain > 0)
 		Stream_Write(s, domainW, cbDomain);
 
+	/* the mandatory null terminator */
 	Stream_Write_UINT16(s, 0);
 
 	if (cbUserName > 0)
 		Stream_Write(s, userNameW, cbUserName);
 
+	/* the mandatory null terminator */
 	Stream_Write_UINT16(s, 0);
 
 	if (cbPassword > 0)
 		Stream_Write(s, passwordW, cbPassword);
 
+	/* the mandatory null terminator */
 	Stream_Write_UINT16(s, 0);
 
 	if (cbAlternateShell > 0)
 		Stream_Write(s, alternateShellW, cbAlternateShell);
 
+	/* the mandatory null terminator */
 	Stream_Write_UINT16(s, 0);
 
 	if (cbWorkingDir > 0)
 		Stream_Write(s, workingDirW, cbWorkingDir);
 
+	/* the mandatory null terminator */
 	Stream_Write_UINT16(s, 0);
+
 	free(domainW);
 	free(userNameW);
 	free(alternateShellW);