server: proxy: fix race issue

Proxy server might receive input updates while client side being
redirected (and reset), then a heap-after-free might occur. To solve
this, we register server input/update callbacks only after client is
fully activated.

(cherry picked from commit db0196fd01faa4234a4b2cabadb5f4cb16edeef1)

diff --git a/server/proxy/pf_client.c b/server/proxy/pf_client.c
index 4f6d00c..70df81d 100644 (file)
--- a/server/proxy/pf_client.c
+++ b/server/proxy/pf_client.c
@@ -35,6 +35,7 @@
 #include "pf_update.h"
 #include "pf_log.h"
 #include "pf_modules.h"
+#include "pf_input.h"
 #include "pf_capture.h"
 
 #define TAG PROXY_TAG("client")
@@ -72,6 +73,19 @@ static void pf_client_on_error_info(void* ctx, ErrorInfoEventArgs* e)
        freerdp_send_error_info(ps->context.rdp);
 }
 
+static void pf_client_on_activated(void* ctx, ActivatedEventArgs* e)
+{
+       pClientContext* pc = (pClientContext*)ctx;
+       pServerContext* ps = pc->pdata->ps;
+       freerdp_peer* peer = ps->context.peer;
+
+       LOG_INFO(TAG, pc, "client activated, registering server input callbacks");
+
+       /* Register server input/update callbacks only after proxy client is fully activated */
+       pf_server_register_input_callbacks(peer->input);
+       pf_server_register_update_callbacks(peer->update);
+}
+
 static BOOL pf_client_load_rdpsnd(pClientContext* pc)
 {
        rdpContext* context = (rdpContext*)pc;
@@ -197,6 +211,7 @@ static BOOL pf_client_pre_connect(freerdp* instance)
        PubSub_SubscribeChannelDisconnected(instance->context->pubSub,
                                            pf_channels_on_client_channel_disconnect);
        PubSub_SubscribeErrorInfo(instance->context->pubSub, pf_client_on_error_info);
+       PubSub_SubscribeActivated(instance->context->pubSub, pf_client_on_activated);
        /**
         * Load all required plugins / channels / libraries specified by current
         * settings.
@@ -304,7 +319,7 @@ static BOOL pf_client_post_connect(freerdp* instance)
                if (!pf_capture_create_session_directory(pc))
                {
                        LOG_ERR(TAG, pc, "pf_capture_create_session_directory failed!");
-                       return FALSE;
+               return FALSE;
                }
 
                LOG_ERR(TAG, pc, "frames dir created: %s", pc->frames_dir);

diff --git a/server/proxy/pf_server.c b/server/proxy/pf_server.c
index 95165e0..bfeeb61 100644 (file)
--- a/server/proxy/pf_server.c
+++ b/server/proxy/pf_server.c
@@ -36,7 +36,6 @@
 #include "pf_config.h"
 #include "pf_client.h"
 #include "pf_context.h"
-#include "pf_input.h"
 #include "pf_update.h"
 #include "pf_rdpgfx.h"
 #include "pf_disp.h"
@@ -181,8 +180,6 @@ static BOOL pf_server_post_connect(freerdp_peer* peer)
                return FALSE;
        }
 
-       pf_server_register_input_callbacks(peer->input);
-       pf_server_register_update_callbacks(peer->update);
        return pf_modules_run_hook(HOOK_TYPE_SERVER_POST_CONNECT, pdata);
 }