From 9d8676f89d110ac5381e71ec123a146fd9936ea3 Mon Sep 17 00:00:00 2001
From: matt335672 <30179339+matt335672@users.noreply.github.com>
Date: Thu, 9 Sep 2021 14:28:19 +0100
Subject: [PATCH 1/4] Corrected size of filename in struct clip_file_desc

---
 sesman/chansrv/clipboard_common.h | 2 +-
 sesman/chansrv/clipboard_file.c   | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/sesman/chansrv/clipboard_common.h b/sesman/chansrv/clipboard_common.h
index 0405af8f..739fa63b 100644
--- a/sesman/chansrv/clipboard_common.h
+++ b/sesman/chansrv/clipboard_common.h
@@ -77,7 +77,7 @@ struct clip_file_desc /* CLIPRDR_FILEDESCRIPTOR */
     tui32 lastWriteTimeHigh;
     tui32 fileSizeHigh;
     tui32 fileSizeLow;
-    char cFileName[256];
+    char cFileName[260 * 4]; /* Allow each UCS-16 char to become 32 bits */
 };
 
 int clipboard_out_unicode(struct stream *s, const char *text,
diff --git a/sesman/chansrv/clipboard_file.c b/sesman/chansrv/clipboard_file.c
index bedfa9bd..8625d0e9 100644
--- a/sesman/chansrv/clipboard_file.c
+++ b/sesman/chansrv/clipboard_file.c
@@ -575,7 +575,7 @@ clipboard_c2s_in_file_info(struct stream *s, struct clip_file_desc *cfd)
     in_uint32_le(s, cfd->lastWriteTimeHigh);
     in_uint32_le(s, cfd->fileSizeHigh);
     in_uint32_le(s, cfd->fileSizeLow);
-    num_chars = 256;
+    num_chars = sizeof(cfd->cFileName);
     clipboard_in_unicode(s, cfd->cFileName, &num_chars);
     ex_bytes = 512 - num_chars * 2;
     ex_bytes -= 2;

From 6a5895ce37f192173304e67a957f0d61bee66467 Mon Sep 17 00:00:00 2001
From: matt335672 <30179339+matt335672@users.noreply.github.com>
Date: Thu, 9 Sep 2021 14:31:38 +0100
Subject: [PATCH 2/4] Remove unnecessary malloc/free

---
 sesman/chansrv/clipboard_file.c | 21 +++++++++------------
 1 file changed, 9 insertions(+), 12 deletions(-)

diff --git a/sesman/chansrv/clipboard_file.c b/sesman/chansrv/clipboard_file.c
index 8625d0e9..c1cdc94c 100644
--- a/sesman/chansrv/clipboard_file.c
+++ b/sesman/chansrv/clipboard_file.c
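Review bot: The comment on the new `char cFileName[260 * 4];` should say what the 4 is a bound for and that the NUL terminator is included, because `sizeof(cfd->cFileName)` is now handed to the decoder as its capacity; a 4-byte UTF-8 sequence only ever comes from a surrogate pair of two UTF-16 units, so 3 bytes per unit is the tight bound and 4 is a deliberate margin. "UCS-16" is not a standard encoding name; the [MS-RDPECLIP] field is 260 UTF-16LE code units. Suggested comment: `/* cFileName is 260 UTF-16LE units incl. NUL ([MS-RDPECLIP]); UTF-8 needs at most 3 bytes per unit, so 260 * 4 holds any name plus terminator */`. A named constant for 260 would also let the .c side stop repeating the 520-byte field size as a literal.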
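Review bot: `num_chars = sizeof(cfd->cFileName);` assigns a `size_t` to an `int` and, more importantly, relies on `clipboard_in_unicode` treating its third argument as the destination capacity in bytes, which this hunk does not show; the name `num_chars` suggests a count of characters, and if the helper takes UTF-16 units the capacity is now overstated by a factor of four. If bytes is the contract, say so at the assignment, `/* capacity of cFileName in bytes; updated by clipboard_in_unicode */`, and make the narrowing explicit with `num_chars = (int)sizeof(cfd->cFileName);`. The rest of clipboard_c2s_in_file_info lies outside this hunk.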
@@ -600,7 +600,7 @@ clipboard_c2s_in_files(struct stream *s, char *file_list)
     int lindex;
     int str_len;
     int file_count;
-    struct clip_file_desc *cfd;
+    struct clip_file_desc cfd;
     char *ptr;
 
     if (!s_check_rem(s, 4))
@@ -616,22 +616,20 @@ clipboard_c2s_in_files(struct stream *s, char *file_list)
     }
     xfuse_clear_clip_dir();
     LOG_DEVEL(LOG_LEVEL_DEBUG, "clipboard_c2s_in_files: cItems %d", cItems);
-    cfd = (struct clip_file_desc *)
-         g_malloc(sizeof(struct clip_file_desc), 0);
     file_count = 0;
     ptr = file_list;
     for (lindex = 0; lindex < cItems; lindex++)
     {
-        g_memset(cfd, 0, sizeof(struct clip_file_desc));
-        clipboard_c2s_in_file_info(s, cfd);
-        if ((g_pos(cfd->cFileName, "\\") >= 0) ||
-                (cfd->fileAttributes & CB_FILE_ATTRIBUTE_DIRECTORY))
+        g_memset(&cfd, 0, sizeof(struct clip_file_desc));
+        clipboard_c2s_in_file_info(s, &cfd);
+        if ((g_pos(cfd.cFileName, "\\") >= 0) ||
+                (cfd.fileAttributes & CB_FILE_ATTRIBUTE_DIRECTORY))
         {
             LOG_DEVEL(LOG_LEVEL_ERROR, "clipboard_c2s_in_files: skipping directory not "
-                      "supported [%s]", cfd->cFileName);
+                      "supported [%s]", cfd.cFileName);
             continue;
         }
-        if (xfuse_add_clip_dir_item(cfd->cFileName, 0, cfd->fileSizeLow, lindex) == -1)
+        if (xfuse_add_clip_dir_item(cfd.cFileName, 0, cfd.fileSizeLow, lindex) == -1)
         {
             LOG_DEVEL(LOG_LEVEL_ERROR, "clipboard_c2s_in_files: failed to add clip dir item");
             continue;
@@ -654,11 +652,10 @@ clipboard_c2s_in_files(struct stream *s, char *file_list)
         *ptr = '/';
         ptr++;
 
-        str_len = g_strlen(cfd->cFileName);
-        g_strcpy(ptr, cfd->cFileName);
+        str_len = g_strlen(cfd.cFileName);
+        g_strcpy(ptr, cfd.cFileName);
         ptr += str_len;
     }
     *ptr = 0;
-    g_free(cfd);
     return 0;
 }

From 8fdf7b518ca08d7b596ea15c5c7325be43ae976f Mon Sep 17 00:00:00 2001
From: matt335672 <30179339+matt335672@users.noreply.github.com>
Date: Thu, 9 Sep 2021 14:34:27 +0100
Subject: [PATCH 3/4] Correct filename padding skip in CLIPRDR_FILEDESCRIPTOR

---
 sesman/chansrv/clipboard_file.c | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)

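Review bot: Now that `cfd` is an object rather than a pointer, the new `g_memset(&cfd, 0, sizeof(struct clip_file_desc));` in the second hunk is better written as `g_memset(&cfd, 0, sizeof(cfd));`, which ties the byte count to the variable and survives a later type change; the same applies to any other `sizeof(struct clip_file_desc)` in this function. This is a point of style only; the behaviour is unchanged. clipboard_c2s_in_files starts before the first hunk and its middle lies between the hunks.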
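Review bot: `g_strcpy(ptr, cfd.cFileName);` in the last hunk still appends each name to `file_list` with no bound on the destination, and after the first patch of this series a single name may be up to 1040 bytes rather than 256; `file_list` is allocated by the caller, outside this hunk, so whether it was sized for `cItems` names of the new length cannot be confirmed here. `cItems` appears to come from the stream (it is read between the first two hunks, after the `s_check_rem(s, 4)` context line), so the total length is client-controlled. Either add a `file_list_size` parameter to clipboard_c2s_in_files and fail before the copy when `(ptr - file_list) + 1 + str_len >= file_list_size`, or at minimum record the caller's obligation above the function, `/* file_list must hold cItems * (sizeof(cfd.cFileName) + 1) bytes */`.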
diff --git a/sesman/chansrv/clipboard_file.c b/sesman/chansrv/clipboard_file.c
index c1cdc94c..a1a464ca 100644
--- a/sesman/chansrv/clipboard_file.c
+++ b/sesman/chansrv/clipboard_file.c
@@ -565,6 +565,7 @@ static int
 clipboard_c2s_in_file_info(struct stream *s, struct clip_file_desc *cfd)
 {
     int num_chars;
+    int filename_bytes;
     int ex_bytes;
 
     in_uint32_le(s, cfd->flags);
@@ -576,11 +577,9 @@ clipboard_c2s_in_file_info(struct stream *s, struct clip_file_desc *cfd)
     in_uint32_le(s, cfd->fileSizeHigh);
     in_uint32_le(s, cfd->fileSizeLow);
     num_chars = sizeof(cfd->cFileName);
-    clipboard_in_unicode(s, cfd->cFileName, &num_chars);
-    ex_bytes = 512 - num_chars * 2;
-    ex_bytes -= 2;
+    filename_bytes = clipboard_in_unicode(s, cfd->cFileName, &num_chars);
+    ex_bytes = 520 - filename_bytes;
     in_uint8s(s, ex_bytes);
-    in_uint8s(s, 8); /* pad */
     LOG_DEVEL(LOG_LEVEL_DEBUG, "clipboard_c2s_in_file_info:");
     LOG_DEVEL(LOG_LEVEL_DEBUG, " flags 0x%8.8x", cfd->flags);
     LOG_DEVEL(LOG_LEVEL_DEBUG, " fileAttributes 0x%8.8x", cfd->fileAttributes);

From e1bbef99aa5682e0219faba86e10b93bc7f80991 Mon Sep 17 00:00:00 2001
From: matt335672 <30179339+matt335672@users.noreply.github.com>
Date: Thu, 9 Sep 2021 14:35:44 +0100
Subject: [PATCH 4/4] Check CLIPRDR_FILEDESCRIPTOR is present before reading it

---
 sesman/chansrv/clipboard_file.c | 13 +++++++++++--
 1 file changed, 11 insertions(+), 2 deletions(-)

diff --git a/sesman/chansrv/clipboard_file.c b/sesman/chansrv/clipboard_file.c
index a1a464ca..c317da79 100644
--- a/sesman/chansrv/clipboard_file.c
+++ b/sesman/chansrv/clipboard_file.c
@@ -560,7 +560,7 @@ clipboard_process_file_response(struct stream *s, int clip_msg_status,
 }
 
 /*****************************************************************************/
-/* read in CLIPRDR_FILEDESCRIPTOR */
+/* read in CLIPRDR_FILEDESCRIPTOR [MS-RDPECLIP] 2.2.5.2.3.1 */
 static int
 clipboard_c2s_in_file_info(struct stream *s, struct clip_file_desc *cfd)
 {
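Review bot: `ex_bytes = 520 - filename_bytes;` followed by `in_uint8s(s, ex_bytes);` in the second hunk assumes the decoder consumed at most the 520-byte cFileName field; if `clipboard_in_unicode` reads until it finds a UTF-16 NUL (its body is not visible here) and is bounded only by the 1040-byte destination, a client-sent name with no terminator inside those 520 bytes makes `filename_bytes` exceed 520, `ex_bytes` negative, and `in_uint8s` then moves the stream pointer backwards so the next descriptor is parsed from inside this one. Guard the result right after the call, `if (filename_bytes < 0 || filename_bytes > 520) { return 1; }`, and give the 520 a name such as `CLIPRDR_FILENAME_BYTES` so it matches the struct size in the header. The function's return statement lies outside this hunk.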
@@ -568,6 +568,11 @@ clipboard_c2s_in_file_info(struct stream *s, struct clip_file_desc *cfd)
     int filename_bytes;
     int ex_bytes;
 
+    if (!s_check_rem_and_log(s, 4 + 32 + 4 + 16 + 8 + 8 + 520,
+                             "Parsing [MS-RDPECLIP] CLIPRDR_FILEDESCRIPTOR"))
+    {
+        return 1;
+    }
     in_uint32_le(s, cfd->flags);
     in_uint8s(s, 32); /* reserved1 */
     in_uint32_le(s, cfd->fileAttributes);
@@ -592,6 +597,7 @@ clipboard_c2s_in_file_info(struct stream *s, struct clip_file_desc *cfd)
 }
 
 /*****************************************************************************/
+/* See [MS-RDPECLIP] 2.2.5.2.3 */
 int
 clipboard_c2s_in_files(struct stream *s, char *file_list)
 {
@@ -620,7 +626,10 @@ clipboard_c2s_in_files(struct stream *s, char *file_list)
     for (lindex = 0; lindex < cItems; lindex++)
     {
         g_memset(&cfd, 0, sizeof(struct clip_file_desc));
-        clipboard_c2s_in_file_info(s, &cfd);
+        if (clipboard_c2s_in_file_info(s, &cfd) != 0)
+        {
+            return 1;
+        }
         if ((g_pos(cfd.cFileName, "\\") >= 0) ||
                 (cfd.fileAttributes & CB_FILE_ATTRIBUTE_DIRECTORY))
         {
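Review bot: The new `s_check_rem_and_log(s, 4 + 32 + 4 + 16 + 8 + 8 + 520, ...)` in the first hunk proves 592 bytes are present, but the filename decode later in this function (`clipboard_in_unicode(s, cfd->cFileName, &num_chars)`, outside the hunk) is limited by the 1040-byte destination rather than by the 520-byte field, so unless that helper stops at the field boundary, which is not visible here, a name sent without a UTF-16 terminator can read past the bytes this check covered. Verifying that the field contains a terminator before decoding keeps every read inside the 592 bytes just checked; the inline sum also deserves a named constant, e.g. `#define CLIPRDR_FILEDESCRIPTOR_SIZE (4 + 32 + 4 + 16 + 8 + 8 + 520)`. The scan below assumes the stream's read pointer is `s->p`, as the `in_uint8s` macro used in this file suggests; confirm against the stream definition. The function continues past the end of this hunk.
```c
    if (!s_check_rem_and_log(s, 4 + 32 + 4 + 16 + 8 + 8 + 520,
                             "Parsing [MS-RDPECLIP] CLIPRDR_FILEDESCRIPTOR"))
    {
        return 1;
    }
    /* cFileName is a fixed 520-byte UTF-16LE field that must hold a NUL
     * ([MS-RDPECLIP] 2.2.5.2.3.1). Reject a descriptor whose name has none so
     * the decoder can never run past the bytes checked above. The field
     * starts 72 bytes into the descriptor. */
    {
        const unsigned char *name = (const unsigned char *)s->p + 72;
        int i;
        for (i = 0; i < 520; i += 2)
        {
            if (name[i] == 0 && name[i + 1] == 0)
            {
                break;
            }
        }
        if (i >= 520)
        {
            LOG_DEVEL(LOG_LEVEL_ERROR,
                      "clipboard_c2s_in_file_info: cFileName is not NUL-terminated");
            return 1;
        }
    }
    /* ... unchanged: in_uint32_le(s, cfd->flags) and the remaining field reads ... */
```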
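Review bot: The new `return 1;` inside the loop of the last hunk leaves `file_list` in an indeterminate state: the terminating `*ptr = 0;` runs only after the loop (outside this hunk), and when the very first descriptor is rejected nothing has been written to `file_list` at all, so a caller that touches it after a failure reads whatever the buffer held before; whether any caller does so is not visible here. It also leaves the clip-dir entries added for earlier descriptors in place after `xfuse_clear_clip_dir()` was called for this list. Terminate before bailing, `*ptr = 0;` ahead of `return 1;`, and consider calling `xfuse_clear_clip_dir();` there as well so a rejected list does not expose a half-populated directory. clipboard_c2s_in_files continues past the end of this hunk.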