Better packet length checking.
authorPawel Jakub Dawidek <pawel@dawidek.net>
Mon, 6 Feb 2012 21:31:41 +0000 (22:31 +0100)
committerPawel Jakub Dawidek <pawel@dawidek.net>
Mon, 6 Feb 2012 21:39:33 +0000 (22:39 +0100)
libfreerdp-core/rdp.c

index c7bb019..5784929 100644 (file)
@@ -93,13 +93,14 @@ boolean rdp_read_share_control_header(STREAM* s, uint16* length, uint16* type, u
 {
        /* Share Control Header */
        stream_read_uint16(s, *length); /* totalLength */
+
+       if (*length - 2 > stream_get_left(s))
+               return false;
+
        stream_read_uint16(s, *type); /* pduType */
        stream_read_uint16(s, *channel_id); /* pduSource */
        *type &= 0x0F; /* type is in the 4 least significant bits */
 
-       if (*length - 6 > stream_get_left(s))
-               return false;
-
        return true;
 }
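Review bot: The relocated guard `if (*length - 2 > stream_get_left(s))` puts no lower bound on `*length`, so a totalLength smaller than the 6-byte Share Control Header makes `*length - 2` negative, and whether that is rejected depends on the signedness of `stream_get_left()`'s result, which the hunk does not show; even where it is rejected by unsigned wrap-around, a reader cannot see that intent. A value of 2..5 passes the comparison outright, yet pduType and pduSource are still read unconditionally on the next two lines, so if `stream_read_uint16` does not bound-check on its own those reads can run past what the length promised. I'd make the minimum explicit, `if (*length < 6 || *length - 2 > stream_get_left(s))`, with a comment such as `/* totalLength includes this 6-byte header */`. The same missing lower bound appears in the rdp_read_header hunk below, where `*length - 8` is compared with no check that `*length >= 8`.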
 
@@ -229,6 +230,9 @@ boolean rdp_read_header(rdpRdp* rdp, STREAM* s, uint16* length, uint16* channel_
        MCSPDU = (rdp->settings->server_mode) ? DomainMCSPDU_SendDataRequest : DomainMCSPDU_SendDataIndication;
        mcs_read_domain_mcspdu_header(s, &MCSPDU, length);
 
+       if (*length - 8 > stream_get_left(s))
+               return false;
+
        per_read_integer16(s, &initiator, MCS_BASE_CHANNEL_ID); /* initiator (UserId) */
        per_read_integer16(s, channel_id, 0); /* channelId */
        stream_seek(s, 1); /* dataPriority + Segmentation (0x70) */
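Review bot: The result of `mcs_read_domain_mcspdu_header(s, &MCSPDU, length)` on the line just before the new guard is discarded, so if that call reports a parse failure through its return value, `*length` may hold an unset or stale value by the time `*length - 8` is evaluated and compared. If it does return a status, the new check should be preceded by `if (!mcs_read_domain_mcspdu_header(s, &MCSPDU, length)) return false;`. The constant 8 is also unexplained; a short comment naming the fields it accounts for would help the next reader. rdp_read_header begins and ends outside the hunk.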