From 75bff736a655eea16e0856cc591fb5514cd8ad65 Mon Sep 17 00:00:00 2001 From: speidy Date: Wed, 5 Mar 2014 05:46:46 +0200 Subject: libxrdp: xrdp_fastpath_recv cleanup --- libxrdp/xrdp_fastpath.c | 15 ++------------- 1 file changed, 2 insertions(+), 13 deletions(-) (limited to 'libxrdp/xrdp_fastpath.c') diff --git a/libxrdp/xrdp_fastpath.c b/libxrdp/xrdp_fastpath.c index 572b5a98..2fa88ac6 100644 --- a/libxrdp/xrdp_fastpath.c +++ b/libxrdp/xrdp_fastpath.c @@ -59,33 +59,22 @@ xrdp_fastpath_recv(struct xrdp_fastpath *self, struct stream *s) int fp_hdr; int len = 0; int byte; - int hdr_len = 2; /* fastpath header length - can be 2 or 3 bytes long, depends on length */ DEBUG((" in xrdp_fastpath_recv")); in_uint8(s, fp_hdr); /* fpInputHeader (1 byte) */ - g_writeln("xrdp_fastpath_recv: header= 0x%8.8x", fp_hdr); self->numEvents = (fp_hdr & 0x3C) >> 2; self->secFlags = (fp_hdr & 0xC0) >> 6; - // receive fastpath first length packet - in_uint8(s, byte); /* length 1 */ + in_uint8(s, byte); /* length 1 (1 byte) */ if (byte & 0x80) { byte &= ~(0x80); len = (byte << 8); - // receive fastpath second length packet - in_uint8(s, byte); /* length 2 */ - hdr_len++; + in_uint8(s, byte); /* length 2 (1 byte) */ len += byte; } - else - { - len = byte; - } - -// g_writeln("len= %d , numEvents= %d, secFlags= %d, bytesleft: %d", len, self->numEvents, self->secFlags, (s->p - s->data)); DEBUG((" out xrdp_fastpath_recv")); -- cgit v1.2.3 From 44d831f05ec044b1feaf714e53ff233c1fbc1ba7 Mon Sep 17 00:00:00 2001 From: speidy Date: Wed, 5 Mar 2014 06:06:50 +0200 Subject: libxrdp: fastpath, add stream check (all stack) --- libxrdp/xrdp_fastpath.c | 47 +++++++++++++++++++++++++++++++++++++++-------- libxrdp/xrdp_sec.c | 12 ++++++++++++ 2 files changed, 51 insertions(+), 8 deletions(-) (limited to 'libxrdp/xrdp_fastpath.c') diff --git a/libxrdp/xrdp_fastpath.c b/libxrdp/xrdp_fastpath.c index 2fa88ac6..d031f003 100644 --- a/libxrdp/xrdp_fastpath.c +++ b/libxrdp/xrdp_fastpath.c 
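Review bot: In the first commit's hunk for xrdp_fastpath_recv, deleting the `else { len = byte; }` branch is a behaviour change rather than a cleanup. When the first length byte has bit 0x80 clear, `len` now stays at its initial 0 instead of holding the one-byte length. Whether `len` is read later cannot be seen here, because the function body continues past the hunk, so either keep the branch or remove `len` together with the two-byte decode. The `in_uint8` reads are also still unguarded in this revision; the following commit on this page adds `s_check_rem` checks and restores the branch.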
@@ -57,24 +57,37 @@ int APP_CC xrdp_fastpath_recv(struct xrdp_fastpath *self, struct stream *s) { int fp_hdr; - int len = 0; + int len = 0; /* unused */ int byte; DEBUG((" in xrdp_fastpath_recv")); + if (!s_check_rem(s, 2)) + { + return 1; + } in_uint8(s, fp_hdr); /* fpInputHeader (1 byte) */ + in_uint8(s, byte); /* length 1 (1 byte) */ self->numEvents = (fp_hdr & 0x3C) >> 2; self->secFlags = (fp_hdr & 0xC0) >> 6; - in_uint8(s, byte); /* length 1 (1 byte) */ - if (byte & 0x80) { byte &= ~(0x80); len = (byte << 8); + + if (!s_check_rem(s, 1)) + { + return 1; + } in_uint8(s, byte); /* length 2 (1 byte) */ + len += byte; } + else + { + len = byte; + } DEBUG((" out xrdp_fastpath_recv")); @@ -243,8 +256,11 @@ xrdp_fastpath_process_EVENT_SCANCODE(struct xrdp_fastpath *self, int eventFlags, int code; flags = 0; + if (!s_check_rem(s, 1)) + { + return 1; + } in_uint8(s, code); /* keyCode (1 byte) */ - //g_writeln("scan code detected: %d", code); if ((eventFlags & FASTPATH_INPUT_KBDFLAGS_RELEASE)) flags |= KBD_FLAG_UP; @@ -276,6 +292,10 @@ xrdp_fastpath_process_EVENT_MOUSE(struct xrdp_fastpath *self, int eventFlags, st int xPos; int yPos; + if (!s_check_rem(s, 2 + 2 + 2)) + { + return 1; + } in_uint16_le(s, pointerFlags); /* pointerFlags (2 bytes) */ in_uint16_le(s, xPos); /* xPos (2 bytes) */ in_uint16_le(s, yPos); /* yPos (2 bytes) */ @@ -302,6 +322,10 @@ xrdp_fastpath_process_EVENT_MOUSEX(struct xrdp_fastpath *self, int eventFlags, s int xPos; int yPos; + if (!s_check_rem(s, 2 + 2 + 2)) + { + return 1; + } in_uint16_le(s, pointerFlags); /* pointerFlags (2 bytes) */ in_uint16_le(s, xPos); /* xPos (2 bytes) */ in_uint16_le(s, yPos); /* yPos (2 bytes) */ @@ -347,6 +371,10 @@ xrdp_fastpath_process_EVENT_SYNC(struct xrdp_fastpath *self, int eventCode, int int APP_CC xrdp_fastpath_process_EVENT_UNICODE(struct xrdp_fastpath *self, int eventFlags, struct stream *s) { + if (!s_check_rem(s, 2)) + { + return 1; + } in_uint8s(s, 2); return 0; } 
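Review bot: In xrdp_fastpath_recv, `len` is decoded from the peer-supplied length bytes and then dropped, going by the new `/* unused */` comment, so nothing visible here compares the declared PDU length with the bytes actually present in `s`. The per-read `s_check_rem` guards added across this commit keep each read in bounds, but a PDU whose declared length disagrees with its content is not detected at this point. If the caller does not already enforce that, `len` should be checked against the stream here. Otherwise say so in the comment, e.g. `int len = 0; /* PDU length as declared by the peer; not checked against s here */`. The function body continues outside the hunk.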
@@ -362,13 +390,17 @@ xrdp_fastpath_process_input_event(struct xrdp_fastpath *self, struct stream *s) // process fastpath input events for (i = 0 ; i < self->numEvents ; i++) { + if (!s_check_rem(s, 1)) + { + return 1; + } in_uint8(s, eventHeader); eventFlags = (eventHeader & 0x1F); eventCode = (eventHeader >> 5); -// g_writeln("eventCode= %d, eventFlags= %d, numEvents= %d", -// eventCode, eventFlags, self->sec_layer->fastpath_layer->numEvents); + //DEBUG(("xrdp_fastpath_process_input_event: eventCode= %d, eventFlags= %d, numEvents= %d", + // eventCode, eventFlags, self->sec_layer->fastpath_layer->numEvents)); switch (eventCode) { @@ -402,10 +434,9 @@ xrdp_fastpath_process_input_event(struct xrdp_fastpath *self, struct stream *s) { return 1; } - break; default: - g_writeln("xrdp_rdp_process_fastpath_data_input: unknown eventCode %d", eventCode); + g_writeln("xrdp_fastpath_process_input_event: unknown eventCode %d", eventCode); break; } diff --git a/libxrdp/xrdp_sec.c b/libxrdp/xrdp_sec.c index c99f9188..4ce66c8f 100644 --- a/libxrdp/xrdp_sec.c +++ b/libxrdp/xrdp_sec.c @@ -961,9 +961,17 @@ xrdp_sec_recv_fastpath(struct xrdp_sec *self, struct stream *s) if (self->crypt_level == CRYPT_LEVEL_FIPS) { + if (!s_check_rem(s, 4)) + { + return 1; + } in_uint8s(s, 4); /* fipsInformation (4 bytes) */ } + if (!s_check_rem(s, 8)) + { + return 1; + } in_uint8s(s, 8); /* dataSignature (8 bytes), skip for now */ if (self->fastpath_layer->secFlags & FASTPATH_INPUT_ENCRYPTED) @@ -976,6 +984,10 @@ xrdp_sec_recv_fastpath(struct xrdp_sec *self, struct stream *s) * If numberEvents is not provided in fpInputHeader, it will be provided * as one additional byte here. */ + if (!s_check_rem(s, 8)) + { + return 1; + } in_uint8(s, self->fastpath_layer->numEvents); /* numEvents (1 byte) (optional) */ } -- cgit v1.2.3
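Review bot: The replacement debug statement in xrdp_fastpath_process_input_event is added already commented out. It still refers to `self->sec_layer->fastpath_layer->numEvents`, although the loop header in the same hunk reads `self->numEvents`, so it would probably not compile if re-enabled. Dead code like this is better deleted, or written as a live `DEBUG((...))` call that uses `self->numEvents`. The function starts and ends outside the hunk.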
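Review bot: The `default:` branch in xrdp_fastpath_process_input_event only logs the unknown eventCode and breaks, so the loop goes on to read the next event header from whatever bytes the unrecognised event left in the stream. The size of an unknown event is not known, so parsing is out of step from then on and client-controlled payload bytes are interpreted as event headers. Failing the PDU is the safer choice: put `return 1;` after the `g_writeln` in place of `break;`. The message is also written once per bad event with no limit, which lets a peer grow the log. The switch and the loop continue outside the hunk.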
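Review bot: In the first xrdp_sec.c hunk, the new `s_check_rem(s, 8)` makes skipping the dataSignature safe, but the comment `skip for now` understates the consequence. The signature is discarded without being verified, so as far as this hunk shows, fastpath input is accepted with no integrity check. State that explicitly so the gap stays tracked, e.g. `/* dataSignature (8 bytes): not verified yet, input integrity is unchecked */`. xrdp_sec_recv_fastpath begins and ends outside the hunk.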
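Review bot: In the second xrdp_sec.c hunk, the guard before the optional numEvents read asks for 8 bytes with `s_check_rem(s, 8)`, but the `in_uint8` that follows consumes only one. It looks copied from the dataSignature check above. A valid short PDU is therefore rejected: for instance, one scancode event, which the handlers on this page parse as a header byte plus one keyCode byte, leaves only three bytes at this point. The check should be `if (!s_check_rem(s, 1))`. The enclosing block opens outside the hunk.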