xrdp/sesman/libscp/libscp_v0.c
matt335672 e593f58a82 Fix for CVE-2020-4044
Reported by: Ashley Newson
2020-06-26 20:06:02 +09:00

553 lines
16 KiB
C

/**
* xrdp: A Remote Desktop Protocol server.
*
* Copyright (C) Jay Sorg 2004-2012
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
/**
*
* @file libscp_v0.c
* @brief libscp version 0 code
* @author Simone Fedele
*
*/
#if defined(HAVE_CONFIG_H)
#include <config_ac.h>
#endif
#include "libscp_v0.h"
#include "os_calls.h"
extern struct log_config *s_log;
/** Maximum length of a string (two bytes + len), excluding the terminator
*
* Practially this is limited by [MS-RDPBCGR] TS_INFO_PACKET
* */
#define STRING16_MAX_LEN 512
/**
* Reads a big-endian uint16 followed by a string into a buffer
*
* Buffer is null-terminated on success
*
* @param s Input stream
* @param [out] Output buffer (must be >= (STRING16_MAX_LEN+1) chars)
* @param param Parameter we're reading
* @param line Line number reference
* @return != 0 if string read OK
*/
static
int in_string16(struct stream *s, char str[], const char *param, int line)
{
int result;
if (!s_check_rem(s, 2))
{
log_message(LOG_LEVEL_WARNING,
"[v0:%d] connection aborted: %s len missing",
line, param);
result = 0;
}
else
{
unsigned int sz;
in_uint16_be(s, sz);
if (sz > STRING16_MAX_LEN)
{
log_message(LOG_LEVEL_WARNING,
"[v0:%d] connection aborted: %s too long (%u chars)",
line, param, sz);
result = 0;
}
else
{
result = s_check_rem(s, sz);
if (!result)
{
log_message(LOG_LEVEL_WARNING,
"[v0:%d] connection aborted: %s data missing",
line, param);
}
else
{
in_uint8a(s, str, sz);
str[sz] = '\0';
}
}
}
return result;
}
/* client API */
/******************************************************************************/
enum SCP_CLIENT_STATES_E
scp_v0c_connect(struct SCP_CONNECTION *c, struct SCP_SESSION *s)
{
tui32 version;
tui32 size;
tui16 sz;
init_stream(c->in_s, c->in_s->size);
init_stream(c->out_s, c->in_s->size);
LOG_DBG("[v0:%d] starting connection", __LINE__);
g_tcp_set_non_blocking(c->in_sck);
g_tcp_set_no_delay(c->in_sck);
s_push_layer(c->out_s, channel_hdr, 8);
/* code */
if (s->type == SCP_SESSION_TYPE_XVNC)
{
out_uint16_be(c->out_s, 0);
}
else if (s->type == SCP_SESSION_TYPE_XRDP)
{
out_uint16_be(c->out_s, 10);
}
else if (s->type == SCP_SESSION_TYPE_XORG)
{
out_uint16_be(c->out_s, 20);
}
else
{
log_message(LOG_LEVEL_WARNING, "[v0:%d] connection aborted: network error", __LINE__);
return SCP_CLIENT_STATE_INTERNAL_ERR;
}
sz = g_strlen(s->username);
if (sz > STRING16_MAX_LEN)
{
log_message(LOG_LEVEL_WARNING,
"[v0:%d] connection aborted: username too long",
__LINE__);
return SCP_CLIENT_STATE_SIZE_ERR;
}
out_uint16_be(c->out_s, sz);
out_uint8a(c->out_s, s->username, sz);
sz = g_strlen(s->password);
if (sz > STRING16_MAX_LEN)
{
log_message(LOG_LEVEL_WARNING,
"[v0:%d] connection aborted: password too long",
__LINE__);
return SCP_CLIENT_STATE_SIZE_ERR;
}
out_uint16_be(c->out_s, sz);
out_uint8a(c->out_s, s->password, sz);
out_uint16_be(c->out_s, s->width);
out_uint16_be(c->out_s, s->height);
out_uint16_be(c->out_s, s->bpp);
s_mark_end(c->out_s);
s_pop_layer(c->out_s, channel_hdr);
/* version */
out_uint32_be(c->out_s, 0);
/* size */
out_uint32_be(c->out_s, c->out_s->end - c->out_s->data);
if (0 != scp_tcp_force_send(c->in_sck, c->out_s->data, c->out_s->end - c->out_s->data))
{
log_message(LOG_LEVEL_WARNING, "[v0:%d] connection aborted: network error", __LINE__);
return SCP_CLIENT_STATE_NETWORK_ERR;
}
if (0 != scp_tcp_force_recv(c->in_sck, c->in_s->data, 8))
{
log_message(LOG_LEVEL_WARNING, "[v0:%d] connection aborted: network error", __LINE__);
return SCP_CLIENT_STATE_NETWORK_ERR;
}
in_uint32_be(c->in_s, version);
if (0 != version)
{
log_message(LOG_LEVEL_WARNING, "[v0:%d] connection aborted: version error", __LINE__);
return SCP_CLIENT_STATE_VERSION_ERR;
}
in_uint32_be(c->in_s, size);
if (size < (8 + 2 + 2 + 2) || size > SCP_MAX_MESSAGE_SIZE)
{
log_message(LOG_LEVEL_WARNING,
"[v0:%d] connection aborted: msg size = %u",
__LINE__, (unsigned int)size);
return SCP_CLIENT_STATE_SIZE_ERR;
}
/* getting payload */
init_stream(c->in_s, size - 8);
if (0 != scp_tcp_force_recv(c->in_sck, c->in_s->data, size - 8))
{
log_message(LOG_LEVEL_WARNING, "[v0:%d] connection aborted: network error", __LINE__);
return SCP_CLIENT_STATE_NETWORK_ERR;
}
c->in_s->end = c->in_s->data + (size - 8);
/* check code */
in_uint16_be(c->in_s, sz);
if (3 != sz)
{
log_message(LOG_LEVEL_WARNING, "[v0:%d] connection aborted: sequence error", __LINE__);
return SCP_CLIENT_STATE_SEQUENCE_ERR;
}
/* message payload */
in_uint16_be(c->in_s, sz);
if (1 != sz)
{
log_message(LOG_LEVEL_WARNING, "[v0:%d] connection aborted: connection denied", __LINE__);
return SCP_CLIENT_STATE_CONNECTION_DENIED;
}
in_uint16_be(c->in_s, sz);
s->display = sz;
LOG_DBG("[v0:%d] connection terminated", __LINE__);
return SCP_CLIENT_STATE_END;
}
/**
* Initialises a V0 session object
*
* At the time of the call, the version has been read from the connection
*
* @param c Connection
* @param [out] session pre-allocated session object
* @return SCP_SERVER_STATE_OK for success
*/
static enum SCP_SERVER_STATES_E
scp_v0s_init_session(struct SCP_CONNECTION *c, struct SCP_SESSION *session)
{
tui32 size;
tui16 height;
tui16 width;
tui16 bpp;
tui32 code = 0;
char buf[STRING16_MAX_LEN + 1];
scp_session_set_version(session, 0);
/* Check for a header and a code value in the length */
in_uint32_be(c->in_s, size);
if (size < (8 + 2) || size > SCP_MAX_MESSAGE_SIZE)
{
log_message(LOG_LEVEL_WARNING,
"[v0:%d] connection aborted: msg size = %u",
__LINE__, (unsigned int)size);
return SCP_SERVER_STATE_SIZE_ERR;
}
init_stream(c->in_s, size - 8);
if (0 != scp_tcp_force_recv(c->in_sck, c->in_s->data, size - 8))
{
log_message(LOG_LEVEL_WARNING, "[v0:%d] connection aborted: network error", __LINE__);
return SCP_SERVER_STATE_NETWORK_ERR;
}
c->in_s->end = c->in_s->data + (size - 8);
in_uint16_be(c->in_s, code);
if (code == 0 || code == 10 || code == 20)
{
if (code == 0)
{
scp_session_set_type(session, SCP_SESSION_TYPE_XVNC);
}
else if (code == 10)
{
scp_session_set_type(session, SCP_SESSION_TYPE_XRDP);
}
else if (code == 20)
{
scp_session_set_type(session, SCP_SESSION_TYPE_XORG);
}
/* reading username */
if (!in_string16(c->in_s, buf, "username", __LINE__))
{
return SCP_SERVER_STATE_SIZE_ERR;
}
if (0 != scp_session_set_username(session, buf))
{
log_message(LOG_LEVEL_WARNING, "[v0:%d] connection aborted: error setting username", __LINE__);
return SCP_SERVER_STATE_INTERNAL_ERR;
}
/* reading password */
if (!in_string16(c->in_s, buf, "passwd", __LINE__))
{
return SCP_SERVER_STATE_SIZE_ERR;
}
if (0 != scp_session_set_password(session, buf))
{
log_message(LOG_LEVEL_WARNING, "[v0:%d] connection aborted: error setting password", __LINE__);
return SCP_SERVER_STATE_INTERNAL_ERR;
}
/* width + height + bpp */
if (!s_check_rem(c->in_s, 2 + 2 + 2))
{
log_message(LOG_LEVEL_WARNING,
"[v0:%d] connection aborted: width+height+bpp missing",
__LINE__);
return SCP_SERVER_STATE_SIZE_ERR;
}
in_uint16_be(c->in_s, width);
scp_session_set_width(session, width);
in_uint16_be(c->in_s, height);
scp_session_set_height(session, height);
in_uint16_be(c->in_s, bpp);
if (0 != scp_session_set_bpp(session, (tui8)bpp))
{
log_message(LOG_LEVEL_WARNING,
"[v0:%d] connection aborted: unsupported bpp: %d",
__LINE__, (tui8)bpp);
return SCP_SERVER_STATE_INTERNAL_ERR;
}
if (s_check_rem(c->in_s, 2))
{
/* reading domain */
if (!in_string16(c->in_s, buf, "domain", __LINE__))
{
return SCP_SERVER_STATE_SIZE_ERR;
}
if (buf[0] != '\0')
{
scp_session_set_domain(session, buf);
}
}
if (s_check_rem(c->in_s, 2))
{
/* reading program */
if (!in_string16(c->in_s, buf, "program", __LINE__))
{
return SCP_SERVER_STATE_SIZE_ERR;
}
if (buf[0] != '\0')
{
scp_session_set_program(session, buf);
}
}
if (s_check_rem(c->in_s, 2))
{
/* reading directory */
if (!in_string16(c->in_s, buf, "directory", __LINE__))
{
return SCP_SERVER_STATE_SIZE_ERR;
}
if (buf[0] != '\0')
{
scp_session_set_directory(session, buf);
}
}
if (s_check_rem(c->in_s, 2))
{
/* reading client IP address */
if (!in_string16(c->in_s, buf, "client IP", __LINE__))
{
return SCP_SERVER_STATE_SIZE_ERR;
}
if (buf[0] != '\0')
{
scp_session_set_client_ip(session, buf);
}
}
}
else if (code == SCP_GW_AUTHENTICATION)
{
scp_session_set_type(session, SCP_GW_AUTHENTICATION);
/* reading username */
if (!in_string16(c->in_s, buf, "username", __LINE__))
{
return SCP_SERVER_STATE_SIZE_ERR;
}
/* g_writeln("Received user name: %s",buf); */
if (0 != scp_session_set_username(session, buf))
{
/* until syslog merge log_message(s_log, LOG_LEVEL_WARNING, "[v0:%d] connection aborted: error setting username", __LINE__);*/
return SCP_SERVER_STATE_INTERNAL_ERR;
}
/* reading password */
if (!in_string16(c->in_s, buf, "passwd", __LINE__))
{
return SCP_SERVER_STATE_SIZE_ERR;
}
/* g_writeln("Received password: %s",buf); */
if (0 != scp_session_set_password(session, buf))
{
/* until syslog merge log_message(s_log, LOG_LEVEL_WARNING, "[v0:%d] connection aborted: error setting password", __LINE__); */
return SCP_SERVER_STATE_INTERNAL_ERR;
}
}
else
{
log_message(LOG_LEVEL_WARNING, "[v0:%d] connection aborted: sequence error", __LINE__);
return SCP_SERVER_STATE_SEQUENCE_ERR;
}
return SCP_SERVER_STATE_OK;
}
/* server API */
/******************************************************************************/
enum SCP_SERVER_STATES_E
scp_v0s_accept(struct SCP_CONNECTION *c, struct SCP_SESSION **s, int skipVchk)
{
enum SCP_SERVER_STATES_E result = SCP_SERVER_STATE_OK;
struct SCP_SESSION *session = NULL;
tui32 version = 0;
if (!skipVchk)
{
LOG_DBG("[v0:%d] starting connection", __LINE__);
if (0 == scp_tcp_force_recv(c->in_sck, c->in_s->data, 8))
{
c->in_s->end = c->in_s->data + 8;
in_uint32_be(c->in_s, version);
if (version != 0)
{
log_message(LOG_LEVEL_WARNING, "[v0:%d] connection aborted: version error", __LINE__);
result = SCP_SERVER_STATE_VERSION_ERR;
}
}
else
{
log_message(LOG_LEVEL_WARNING, "[v0:%d] connection aborted: network error", __LINE__);
result = SCP_SERVER_STATE_NETWORK_ERR;
}
}
if (result == SCP_SERVER_STATE_OK)
{
session = scp_session_create();
if (NULL == session)
{
log_message(LOG_LEVEL_WARNING,
"[v0:%d] connection aborted: no memory",
__LINE__);
result = SCP_SERVER_STATE_INTERNAL_ERR;
}
else
{
result = scp_v0s_init_session(c, session);
if (result != SCP_SERVER_STATE_OK)
{
scp_session_destroy(session);
session = NULL;
}
}
}
(*s) = session;
return result;
}
/******************************************************************************/
enum SCP_SERVER_STATES_E
scp_v0s_allow_connection(struct SCP_CONNECTION *c, SCP_DISPLAY d, const tui8 *guid)
{
int msg_size;
msg_size = guid == 0 ? 14 : 14 + 16;
out_uint32_be(c->out_s, 0); /* version */
out_uint32_be(c->out_s, msg_size); /* size */
out_uint16_be(c->out_s, 3); /* cmd */
out_uint16_be(c->out_s, 1); /* data */
out_uint16_be(c->out_s, d); /* data */
if (msg_size > 14)
{
out_uint8a(c->out_s, guid, 16);
}
s_mark_end(c->out_s);
if (0 != scp_tcp_force_send(c->in_sck, c->out_s->data, c->out_s->end - c->out_s->data))
{
log_message(LOG_LEVEL_WARNING, "[v0:%d] connection aborted: network error", __LINE__);
return SCP_SERVER_STATE_NETWORK_ERR;
}
LOG_DBG("[v0:%d] connection terminated (allowed)", __LINE__);
return SCP_SERVER_STATE_OK;
}
/******************************************************************************/
enum SCP_SERVER_STATES_E
scp_v0s_deny_connection(struct SCP_CONNECTION *c)
{
out_uint32_be(c->out_s, 0); /* version */
out_uint32_be(c->out_s, 14); /* size */
out_uint16_be(c->out_s, 3); /* cmd */
out_uint16_be(c->out_s, 0); /* data = 0 - means NOT ok*/
out_uint16_be(c->out_s, 0); /* reserved for display number*/
s_mark_end(c->out_s);
if (0 != scp_tcp_force_send(c->in_sck, c->out_s->data, c->out_s->end - c->out_s->data))
{
log_message(LOG_LEVEL_WARNING, "[v0:%d] connection aborted: network error", __LINE__);
return SCP_SERVER_STATE_NETWORK_ERR;
}
LOG_DBG("[v0:%d] connection terminated (denied)", __LINE__);
return SCP_SERVER_STATE_OK;
}
/******************************************************************************/
enum SCP_SERVER_STATES_E
scp_v0s_replyauthentication(struct SCP_CONNECTION *c, unsigned short int value)
{
out_uint32_be(c->out_s, 0); /* version */
out_uint32_be(c->out_s, 14); /* size */
/* cmd SCP_GW_AUTHENTICATION means authentication reply */
out_uint16_be(c->out_s, SCP_GW_AUTHENTICATION);
out_uint16_be(c->out_s, value); /* reply code */
out_uint16_be(c->out_s, 0); /* dummy data */
s_mark_end(c->out_s);
/* g_writeln("Total number of bytes that will be sent %d",c->out_s->end - c->out_s->data);*/
if (0 != scp_tcp_force_send(c->in_sck, c->out_s->data, c->out_s->end - c->out_s->data))
{
/* until syslog merge log_message(s_log, LOG_LEVEL_WARNING, "[v0:%d] connection aborted: network error", __LINE__); */
return SCP_SERVER_STATE_NETWORK_ERR;
}
/* until syslog merge LOG_DBG(s_log, "[v0:%d] connection terminated (scp_v0s_deny_authentication)", __LINE__);*/
return SCP_SERVER_STATE_OK;
}