akallabeth
daf4e11324
Silence valgrind in rdp_read_header
...
If a disconnect message is received, we returned success but did
not initialize the return arguments.
2020-05-08 11:04:03 +02:00
akallabeth
a73adecaf4
Fixed #6112 : Segfault in update_decompress_brush
...
The iterators need to be signed for the loop check to work.
2020-05-06 13:31:57 +02:00
akallabeth
0332cad015
Fixed oob read in update_recv
...
properly use update_type_to_string to print update type.
Thanks to hac425 CVE-2020-11019
2020-05-06 13:31:57 +02:00
akallabeth
66d3b77d88
update_decompress_brush: explicit output length checks
...
The output length was just assumed to be >= 256 bytes, with this
commit it is explicitly checked.
2020-05-06 13:31:57 +02:00
akallabeth
873ed92a84
Remove unnecessary cast.
2020-05-06 13:31:57 +02:00
akallabeth
6b485b146a
Fixed oob read in irp_write and similar
2020-05-06 13:31:57 +02:00
Linus Heckemann
5ce0ab909f
shadow_server: allow specifying IP addresses to listen on ( #6050 )
...
* shadow_server: allow specifying IP addresses to listen on
This allows using IPv6 as well as listening only on specific
interfaces. Additionally, it enables listening on local and TCP
sockets simultaneously.
* listener: log address with square brackets
This disambiguates IPv6 addresses.
* shadow_server: check error on each socket binding
* Refactored shadow /bind-address for 2.0 compiatibility.
* Made /ipc-socket and /bind-address incompatible arguments.
* Fixed shadow /bind-address handling and description
* Allow multiple bind addresses for shadow server.
Co-authored-by: akallabeth <akallabeth@posteo.net>
2020-05-05 08:35:19 +02:00
David Fort
5b98aa7515
Merge pull request #6063 from akallabeth/expert_settings
...
Added expert settings /tune and /tune-list
2020-05-04 12:09:39 +02:00
akallabeth
cb4d90fc0a
Fixed #6101 : POINTER_LARGE_UPDATE serialization
...
The length check and field sizes in _update_read_pointer_large
were off, corrected according to [MS-RDPBCGR] 2.2.9.1.2.1.11
Fast-Path Large Pointer Update (TS_FP_LARGEPOINTERATTRIBUTE)
2020-04-22 14:21:47 +02:00
akallabeth
0a86090ff1
Fix initialization of LargePointer flags
...
Capability exchange is first reading server capabilities,
mask these with local settings and send only what both support.
2020-04-22 11:10:56 +02:00
akallabeth
a75280300a
Fixed [MS-RDPBCGR] 2.2.9.1.1.4.4 Color Pointer Update
...
The pointer size is limited to 32 pixel in width and height
unless LARGE_POINTER_FLAG_96x96 is set which increases the size
to 96 pixel.
2020-04-22 11:10:56 +02:00
Armin Novak
58be47bc63
Added expert settings /tune and /tune-list
2020-04-21 17:30:24 +02:00
Armin Novak
24bd601f8d
Fixed data type warnings
2020-04-11 09:43:14 +02:00
akallabeth
6c0aeb10d2
Allow icon info with empty bitmap data.
2020-04-09 18:00:51 +02:00
akallabeth
232c7f4783
Abort order read on invalid element count.
2020-04-09 18:00:51 +02:00
akallabeth
97efff4e90
Refactored order stream manipulation
...
* Use stream seek instead of setting pointer directly
* Add log messages in case of inconsistencies
* Fixed missing stream advance in update_decompress_brush
2020-04-09 18:00:51 +02:00
akallabeth
17f547ae11
Fixed CVE-2020-11521: Out of bounds write in planar codec.
...
Thanks to Sunglin and HuanGMz from Knownsec 404
2020-04-09 18:00:51 +02:00
akallabeth
907640a924
Fixed CVE-2020-11522: Limit number of DELTA_RECT to 45.
...
Thanks to Sunglin and HuanGMz from Knownsec 404
2020-04-09 18:00:51 +02:00
akallabeth
192856cb59
Fixed #6012 : CVE-2020-11526: Out of bounds read in update_recv_orders
...
Thanks to @hac425xxx and Sunglin and HuanGMz from Knownsec 404
2020-04-09 18:00:51 +02:00
akallabeth
e6d10041c1
Fix #6033 : freeaddrinfo must not be called with NULL arguments.
2020-04-09 14:26:46 +02:00
Norbert Federa
c367f65d42
Merge pull request #6019 from akallabeth/bound_access_fixes
...
Fix issues with boundary access.
2020-04-06 13:53:28 +02:00
akallabeth
6f00add067
Export remaining packet length from rdp_read_share_control_header
2020-04-06 13:18:35 +02:00
akallabeth
0ad894adbc
Fixed substream read in rdp_recv_tpkt_pdu
2020-04-06 11:58:48 +02:00
akallabeth
0533c05be3
Fixed rdp_recv_tpkt_pdu parsing, use substream.
2020-04-06 11:22:18 +02:00
akallabeth
df55f40ecf
Fixed incorrect parser error message.
2020-04-06 10:42:06 +02:00
akallabeth
a022958ddf
Better error message for partial parsed capability
2020-04-03 15:10:49 +02:00
akallabeth
cba63b6d43
Added fallback to CMDTYPE_STREAM_SURFACE_BITS
...
Since our samples were incorrect, add a fallback with a log warnings
to the old CMDTYPE_STREAM_SURFACE_BITS by default behaviour.
2020-04-03 12:18:59 +02:00
akallabeth
88ad9ca56b
Fix sending/receiving surface bits command.
...
* Pass on proper command type to application
* On send let the server implementation decide to send
2.2.9.2.1 Set Surface Bits Command (TS_SURFCMD_SET_SURF_BITS) or
2.2.9.2.2 Stream Surface Bits Command (TS_SURFCMD_STREAM_SURF_BITS)
Thanks to @viniciusjarina for tracing the issue down.
2020-04-03 12:00:53 +02:00
akallabeth
2a379bfe09
Fixed invalid seek size in patrial pdu parse case
2020-04-02 17:41:49 +02:00
akallabeth
21320d973c
Use safe seek for capability parsing
...
thanks to @hardening for pointing that one out.
2020-04-02 17:39:51 +02:00
akallabeth
ddfd0cdccf
Use substreams to parse gcc_read_server_data_blocks
2020-04-02 17:39:43 +02:00
akallabeth
6b2bc41935
Fix #6010 : Check length in read_icon_info
2020-04-02 17:34:02 +02:00
akallabeth
67c2aa52b2
Fixed #6013 : Check new length is > 0
2020-04-02 17:33:54 +02:00
akallabeth
3627aaf7d2
Fixed #6011 : Bounds check in rdp_read_font_capability_set
2020-04-02 17:28:17 +02:00
akallabeth
f8890a645c
Fixed #6005 : Bounds checks in update_read_bitmap_data
2020-04-02 17:28:10 +02:00
akallabeth
ed53cd148f
Fixed #6006 : bounds checks in update_read_synchronize
2020-04-02 17:28:04 +02:00
akallabeth
f5e73cc7c9
Fixed #6009 : Bounds checks in autodetect_recv_bandwidth_measure_results
2020-04-02 17:27:59 +02:00
akallabeth
9301bfe730
Fixed #6007 : Boundary checks in rdp_read_flow_control_pdu
2020-04-02 17:27:53 +02:00
akallabeth
bc33a50c5a
Treat NULL and empty string as the same for credentials.
2020-03-24 12:34:35 +01:00
akallabeth
cf2f674283
Initialize KeyboardHook with define instead of magic number
2020-03-18 17:22:08 +01:00
Armin Novak
4216646746
Fixed length checks for compressed rdp data.
2020-03-10 14:05:10 +01:00
Armin Novak
297ad536a2
Cleaned up bulk_compress/decompress, prettified log.
2020-03-10 14:05:10 +01:00
Armin Novak
49b17e4e03
Refactored bulk compression
...
* Arguments now opaque
* Removed internal functions from external interface
2020-03-10 14:05:10 +01:00
Armin Novak
3ba66db99d
Unify pReceiveChannelData and psPeerReceiveChannelData
...
Fix definitions of the two function pointers.
Use and definition did not match, fix that.
Will create warnings in external projects
2020-03-10 12:21:14 +01:00
Armin Novak
d5b5088eac
Fixed misinterpretation of SendChannelData
...
SendChannelData was defined with a return value of type int, but
used as BOOL everywhere. Fix the definition to match use.
2020-03-10 12:21:14 +01:00
Armin Novak
c7187928e9
Fix tpkt header length checks for encrypted packets
...
If securityFlag SEC_ENCRYPT is set, remove the encryption headers from
the TPKT header length on comparison.
2020-03-10 12:20:50 +01:00
Armin Novak
cc49a212bd
Default to positive return for missing callbacks
...
When using +async-update, default to positive return if some
client callback is not implemented.
2020-03-10 08:59:52 +01:00
Armin Novak
d3b36ab299
Added CertificateAcceptedFingerprints to settings
2020-03-06 11:37:35 +01:00
Armin Novak
07605b0281
Consume all TPKT data reading new/upgrade license
2020-03-05 13:48:58 +01:00
Armin Novak
f1098aa17c
rdp_recv_tpkt_pdu verbose debug parsing issues
...
Print out parsing issues found in MCS Channel 1003 parsing.
2020-03-05 13:48:58 +01:00