Shadow server crash with rdp8.0 with gfx enabled.
Root Cause: rdp8.0 is not support in shadow gfx and rdpgfx_caps_advertise returns an error. However setChannelError crashs because context->errorDescription is NULL
1. Fix shadow gfx to handle rdp8.0
2. Initialize context->errorDescription for server side new-context
transport_write did not check if transport or bio are
set. The transport read checks it. In using fastpath
and for example a mouse input is sent, the transport
is never checked and can cause a segfault.
1. Fix stream leak in rdpgfx
2. Make src data const in zgfx. Harden zgfx to be independent to byte order
3. Fix written bytes return value in channel write
4. Add check for return value in shadow_client.c
5. Add gfx callback to send surface command with frame marker pdu.
6. Check remain length for recv subroutine
7. Fix compile errors
According to [MS-RDPBCGR 2.2.1.3.4.1 Channel Definition Structure]
the channel name must be an 8-byte array containing a null-terminated
collection of seven ANSI characters that uniquely identify the channel.
We did not check if the transmitted name was null-terminated which
could have the usual severe effects on stabiliy and security since
the channel name is used in several functions expecting a null-
terminated string (strlen, printf, etc.)
Details: cbSecurityTrailer was assumed to be a fixed length for all signatures, however for Kerberos authentication the signature may generate smaller than this value
If support for multi layout PDUs is advertised there are known issues
with Windows 7 and Windows 2008R2. Until those are resolved generally
disable multi layout PDUs.
See #3114 for details.
According to [MS-RDPBCGR 2.2.1.11.1.1.1] the TS_EXTENDED_INFO_PACKET
structure's cbClientAddress field must include the _mandatory_ NULL
terminator of the clientAddress field in its byte count.
However, connections proxied via Microsoft's TS Gateway set the
cbClientDir value to 0.
According to [MS-RDPBCGR 2.2.1.11.1.1.1] the TS_EXTENDED_INFO_PACKET
structure's cbClientDir field must include the _mandatory_ NULL
terminator of the ClientDir field.
However, since version 8.1.31.44, the Microsoft Remote Desktop Client
for Android sets cbClientDir to 0.
If a target is linked against libraries with cmake
(target_link_libraries) and the libraries are not marked as PRIVATE
they are "exported" and in case a other target is linked against this
target it is also linked against *all* (not private) libraries.
Without declaring private libraries PRIVATE a lot of over linking
(linking against unneeded libraries) was done.
since there have been reports that certain windows versions send
zero values in the cbDomain field of the Logon Info Version 2
(TS_LOGON_INFO_VERSION_2) struct we allow zero values for cbUserName
and cbDomain in rdp_recv_logon_info_v1 and rdp_recv_logon_info_v2.
- Added missing ConvertFromUnicode checks
- If ConvertToUnicode allocates memory, guarantee the null termination
similar to ConvertFromUnicode's implementation
- Fixed some TestUnicodeConversion.c CTest return values
- Added some CTests for ConvertFromUnicode and ConvertToUnicode
- Misc code and protocol hardening fixes in the surrounding code regions
that have been touched