Replaces the existing licensing exchange with a single PDU
saying the user will not issue a license.
This is necessary for clients on FIPS-compliant systems, as these
are unable to decode the licensing exchange packets, due to outdated
cyphers.
(cherry picked from commit cc4a4c95f206697833082dc099b26dbd8102e170)
The state buffers used by the following structs in chansrv_fuse.c
are one byte too small for filenames of length XFS_MAXFILENAMELEN:-
- struct state_lookup
- struct state_create
- struct state_rename
In practice, there is no runtime danger, as XFS_MAXFILENAMELEN is 255,
and these buffers will be followed by non-byte aligned data. Nevertheless
this should be fixed to prevent problems if the value is changed.
(cherry picked from commit c9e84dc16ced157fed9cb0f7d3bcc19782fb8551)
struct pre_session_item has an entry for the start_ip_addr which is not
being filled in. This is not normally needed, as the IP address of the
session is passed into the session another way, but it is needed if the
session selection Policy contains the 'I' selector.
(cherry picked from commit a4f57572e65f97b2ea9ca748b5ad2762913b4703)
If the setting require_credentials is true, there should be no way
for the user to get to a login screen.
This commit makes the following changes if this flag is active:-
- Makes the checks around TS_INFO_PACKET more explicit.
- Closes the connection if the first login attempt fails.
(cherry picked from commit 8ac2f6db34649a93d3c9c4fe8fda61203702e615)
When a multi-monitor session has the top-left vertex of the primary
monitor at a desktop location other than (0,0), minimising and maximising
the session results in the (0,0) co-ordinate of the entire desktop being
placed at the top-left of the primary monitor.
The implementation seems to be at odds with [MS-RDPEGFX] 2.2.2.14 which
suggests the monitorDefArray of the RDPGFX_RESET_GRAPHICS_PDU should be
the same as that in the Monitor Layout PDU ([MS-RDPBCGR] 2.2.12.1)
(cherry picked from commit 095f0d0e4cd2589bcd6ab995a1f4c29c7fbc3d33)
In the words of @iskunk
It is no longer possible to refer to the Dvorak layout as just "dvorak"
(as when one would run "setxkbmap dvorak"); one must now use either
"us dvorak" or "us(dvorak)"
See https://bugs.debian.org/1063725
(cherry picked from commit a1b7c1790651dc3fef5ac43657620a670e2e68af)
On a resize, the encoder is deleted. At present this is done by asking
the encoder to exit, and then waiting a second.
- On slower systems, a second may not be enough, and so the encoder
data structures are freed while they are still being used by the
encoder.
- On quicker systems, resizes are delayed by hundreds of milliseconds
longer than they need to be.
This commit adds a wait object which the encoder can use to signal it
has actually finished.
(cherry picked from commit 985b0de35e84ae5e7e46bd1a2b2e9fa1e31e53c0)
The xrdp_enc_data contains a union for handling surface commands
and gfx commands. Memory processing is different for these two
options.
The default destructor for the encoder FIFO only knows about surface
commands. Consequently, if the encoder has queued GFX data when the
encoder is closed, the destructor processes the queued data as if
it contained surface commands rather than GFX commands. This typically
causes a SEGV as the drects field of the overlaid surface command
structure is not pointing at anything valid when it is freed.
(cherry picked from commit 809df89c0869e6c595c19ef6b4b1d2cbfab802ff)
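The tag-before-free pattern this fix calls for, as an added example that is not xrdp's code: the struct layout, the `kind` tag and all function names are hypothetical, and only the `drects` field name comes from the commit message. An allocation counter stands in for a leak checker.

```c
#include <stdio.h>
#include <stdlib.h>

/* Constructed illustration with a hypothetical layout, not xrdp's
 * xrdp_enc_data. Only the drects field name is taken from the text above. */
enum item_kind { ITEM_SURFACE, ITEM_GFX };

struct enc_item {
    enum item_kind kind;                 /* which union member is live */
    union {
        struct { short *drects; short *crects; } sc;   /* surface command */
        struct { int cmd_len; char *cmd; } gfx;        /* GFX command */
    } u;
};

static int live_allocs;                  /* buffers not yet released */

static void *track_alloc(size_t n) {
    void *p = calloc(1, n);
    if (p != NULL) { ++live_allocs; }
    return p;
}

static void track_free(void *p) { if (p != NULL) { --live_allocs; free(p); } }

/* Tag-aware destructor. Freeing u.sc.drects on a GFX item would instead pass
 * the bytes holding cmd_len to free() as if they were a pointer. */
static void enc_item_clear(struct enc_item *it) {
    if (it->kind == ITEM_GFX) {
        track_free(it->u.gfx.cmd);
    } else {
        track_free(it->u.sc.drects);
        track_free(it->u.sc.crects);
    }
}

/* Queue one item of each kind, tear both down, return buffers still live. */
static int drain_mixed_queue(void) {
    struct enc_item q[2] = { { ITEM_SURFACE, { { NULL, NULL } } },
                             { ITEM_GFX, { { NULL, NULL } } } };
    q[0].u.sc.drects = track_alloc(4 * sizeof(short));
    q[0].u.sc.crects = track_alloc(4 * sizeof(short));
    q[1].u.gfx.cmd_len = 16;
    q[1].u.gfx.cmd = track_alloc(16);
    enc_item_clear(&q[0]);
    enc_item_clear(&q[1]);
    return live_allocs;
}

int main(void) { printf("live buffers: %d\n", drain_mixed_queue()); return 0; }
```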
The get_sorted_session_displays() is broken in that it
doesn't produce a sorted list of displays.
The problem is the qsort comparison function which has 2 errors in 4 lines:-
1) The test is the wrong way round (i.e. arg1 < arg2 produces a +ve
result instead of -ve)
2) Subtracting two unsigned ints in C will never return < 0
The broken function has been masked by other display checks which mean
that it is only visible in a few situations:-
1) Starting two sessions very closely to each other may allocate the
same display to both sessions.
2) If /tmp is namespaced, the other display checks do not work, and
more than two sessions cannot be started.
(cherry picked from commit 70f1b685ba6a93dc3eb5f7537d933430097d6a61)
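The two comparator errors and their effect on display allocation, as an added example that is not taken from xrdp: the function names, the single-pass allocation scan and the sample display numbers are all assumptions made for illustration.

```c
#include <stdio.h>
#include <stdlib.h>

/* Constructed illustration; names are hypothetical, not xrdp source. */

/* Both errors: operands reversed, result taken from an unsigned subtraction.
 * The difference wraps instead of going negative; converting it back to int
 * is implementation-defined. */
static int cmp_display_broken(const void *p1, const void *p2)
{
    unsigned int d1 = *(const unsigned int *)p1;
    unsigned int d2 = *(const unsigned int *)p2;
    return d2 - d1;
}

/* Ascending order using comparisons only, so nothing can wrap. */
static int cmp_display(const void *p1, const void *p2)
{
    unsigned int d1 = *(const unsigned int *)p1;
    unsigned int d2 = *(const unsigned int *)p2;
    return (d1 > d2) - (d1 < d2);
}

/* Assumed allocation scan: sort the in-use displays, then walk them once to
 * find the lowest free number >= start. Only valid on ascending input. */
static unsigned int first_free_display(unsigned int *used, size_t n,
                                       unsigned int start,
                                       int (*cmp)(const void *, const void *))
{
    unsigned int candidate = start;
    size_t i;

    qsort(used, n, sizeof(used[0]), cmp);
    for (i = 0; i < n && used[i] <= candidate; ++i)
    {
        if (used[i] == candidate)
        {
            ++candidate;
        }
    }
    return candidate;
}

int main(void)
{
    unsigned int good[] = {12, 10, 11};   /* constructed sample data */
    unsigned int bad[] = {12, 10, 11};

    printf("fixed:  %u\n", first_free_display(good, 3, 10, cmp_display));
    printf("broken: %u\n", first_free_display(bad, 3, 10, cmp_display_broken));
    return 0;
}
```

With the broken comparator the list comes back in descending order, so the scan stops at the first entry and hands out a display that is already in use.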
- Fix a problem where xrdp.service fails to auto-start when instructed to listen on a specific interface
- By changing the "network.target" systemd dependency to "network-online.target"
- The "network-online.target", in short, means at least one network interface has finished IP level setup.
- The previously used "network.target" is vague and does not provide such a guarantee (ref: man systemd.special(7)).
- Which often causes "xrdp.service" to fail to auto-start when the service is configured to listen on a specific interface (e.g. in xrdp.ini, "port=tcp://192.168.0.1:3389"), because the interface may not have finished setting up its IP when "xrdp.service" starts.
(cherry picked from commit 21e11de15762a7cfb65083c2b9a19a197587dae8)
1) [Regression] If the specified mountpoint is not immediately below an
existing directory, the directory is not created.
2) The message to ask the user to unmount an existing mounted directory
has been moved to the right place.
(cherry picked from commit e0a1339b34b0d235e93efaf2c512c7284548d20b)
1) add SSE2 simd for dwt_shift_rem and diff_count
make dwt_shift_rem easier to read
move common rlgr defines to common file
move common dwt defines to common file
2) Fix 'make distcheck'
3) Fix compiler warnings on tests
- The command 'systemd-analyze syscall-filter' shows that the group
@system-service added to the xrdp-service SystemCallFilter
actually includes all of the other listed groups and individual
services. Consequently this line can be simplified to just specify
@system-service.
- (reversion) The SystemCallErrorNumber setting in xrdp.service has been
removed so that unauthorized system calls cause an immediate process exit.
(cherry picked from commit e0e9177f5ede99096ec37072d01ea625c939d805)
The user socket directory needs to be SGID so that they inherit
the group ownership. Then xrdp can write to them.
(cherry picked from commit 200e4d84f44fd44d332915c5ca55d59092d8dc31)
This script now works the same way as cppcheck. The version to
be used is specified once in the GitHub CI action.
(cherry picked from commit b9fd19e6b50dbcc28be1129f5e35714a0522fc9b)
The '-lrt' added to the Makefile for the common library appears
to be unnecessary.
- On modern Linuxes, this library has been merged with libc, and the
supplied library is empty.
- On older ones (e.g. Devuan 4), the library contains routines we
do not use in xrdp (although we use 'shm_open()' in xorgxrdp).
- On FreeBSD 14 the library contains only mq_* and timer_* routines
which, again, are not required.
(cherry picked from commit e821eddb62c5dc4872922e9244d2e407e0361b57)
On Linux, the TCP send buffer size is increased to 32768 if it is less
than this (which it normally is). This however has the effect of disabling
dynamic buffer sizing, leading to a maximum available bandwidth of
max_bandwidth = 262144 (bits) / round_trip_time (secs)
This is not noticeable on a LAN with an RTT of around 0.5ms, but
very noticeable on a WAN with an RTT of 0.25s.
Comments in the config file and manpage in this area are improved, as
is the logging if the parameters are actually set.
(cherry picked from commit b23d6f89d5512bef68ab1d07fd84f25b44b99e6d)