stream_read_UINT32(s, rdp->settings->ShareId); /* shareId (4 bytes) */
stream_read_UINT16(s, lengthSourceDescriptor); /* lengthSourceDescriptor (2 bytes) */
stream_read_UINT16(s, lengthCombinedCapabilities); /* lengthCombinedCapabilities (2 bytes) */
- if (!stream_skip(s, lengthSourceDescriptor) || stream_get_left(s) < 4)
+ if (!stream_skip(s, lengthSourceDescriptor) || stream_get_left(s) < 4) /* sourceDescriptor */
return FALSE;
- stream_seek(s, lengthSourceDescriptor); /* sourceDescriptor */
stream_read_UINT16(s, numberCapabilities); /* numberCapabilities (2 bytes) */
stream_seek(s, 2); /* pad2Octets (2 bytes) */
goto error1;
/* signature */
- if(!ber_read_sequence_tag(s, &length) || stream_get_left(s) < length) /* AlgorithmIdentifier (SEQUENCE) */
+ if(!ber_read_sequence_tag(s, &length) || !stream_skip(s, length)) /* AlgorithmIdentifier (SEQUENCE) */
goto error1;
- stream_seek(s, length);
/* issuer */
- if(!ber_read_sequence_tag(s, &length) || stream_get_left(s) < length) /* Name (SEQUENCE) */
+ if(!ber_read_sequence_tag(s, &length) || !stream_skip(s, length)) /* Name (SEQUENCE) */
goto error1;
- stream_seek(s, length);
/* validity */
- if(!ber_read_sequence_tag(s, &length) || stream_get_left(s) < length) /* Validity (SEQUENCE) */
+ if(!ber_read_sequence_tag(s, &length) || !stream_skip(s, length)) /* Validity (SEQUENCE) */
goto error1;
- stream_seek(s, length);
/* subject */
- if(!ber_read_sequence_tag(s, &length) || stream_get_left(s) < length) /* Name (SEQUENCE) */
+ if(!ber_read_sequence_tag(s, &length) || !stream_skip(s, length)) /* Name (SEQUENCE) */
goto error1;
- stream_seek(s, length);
/* subjectPublicKeyInfo */
if(!ber_read_sequence_tag(s, &length)) /* SubjectPublicKeyInfo (SEQUENCE) */
goto error1;
/* subjectPublicKeyInfo::AlgorithmIdentifier */
- if(!ber_read_sequence_tag(s, &length) || stream_get_left(s) < length) /* AlgorithmIdentifier (SEQUENCE) */
+ if(!ber_read_sequence_tag(s, &length) || !stream_skip(s, length)) /* AlgorithmIdentifier (SEQUENCE) */
goto error1;
- stream_seek(s, length);
/* subjectPublicKeyInfo::subjectPublicKey */
if(!ber_read_bit_string(s, &length, &padding)) /* BIT_STRING */
error2:
free(info->Modulus);
+ info->Modulus = 0;
error1:
stream_detach(s);
stream_free(s);
stream_read(s, certificate->cert_info.exponent, 4);
modlen = keylen - 8;
- if(stream_get_left(s) < modlen + 8)
+ if(stream_get_left(s) < modlen + 8) // count padding
return FALSE;
certificate->cert_info.ModulusLength = modlen;
certificate->cert_info.Modulus = malloc(certificate->cert_info.ModulusLength);
return TRUE;
}
-static BOOL certificate_process_server_public_signature(rdpCertificate* certificate, BYTE* sigdata, int sigdatalen, STREAM* s, UINT32 siglen)
+static BOOL certificate_process_server_public_signature(rdpCertificate* certificate,
+ const BYTE* sigdata, int sigdatalen, STREAM* s, UINT32 siglen)
{
int i, sum;
CryptoMd5 md5ctx;
int i;
UINT32 certLength;
UINT32 numCertBlobs;
+ BOOL ret;
DEBUG_CERTIFICATE("Server X.509 Certificate Chain");
{
rdpCertInfo cert_info;
DEBUG_CERTIFICATE("License Server Certificate");
- certificate_read_x509_certificate(&certificate->x509_cert_chain->array[i], &cert_info);
+ ret = certificate_read_x509_certificate(&certificate->x509_cert_chain->array[i], &cert_info);
DEBUG_LICENSE("modulus length:%d", (int) cert_info.ModulusLength);
free(cert_info.Modulus);
+ if(!ret)
+ return FALSE;
}
else if (numCertBlobs - i == 1)
{
DEBUG_CERTIFICATE("Terminal Server Certificate");
- certificate_read_x509_certificate(&certificate->x509_cert_chain->array[i], &certificate->cert_info);
+ if (!certificate_read_x509_certificate(&certificate->x509_cert_chain->array[i], &certificate->cert_info))
+ return FALSE;
DEBUG_CERTIFICATE("modulus length:%d", (int) certificate->cert_info.ModulusLength);
}
}
UINT32 flags;
int chunk_length;
- if(stream_get_left(s) < 4)
+ if(stream_get_left(s) < 8)
return FALSE;
stream_read_UINT32(s, length);
stream_read_UINT32(s, flags);
stream_write_BYTE(s, updateHeader);
}
-UINT16 fastpath_read_header_rdp(rdpFastPath* fastpath, STREAM* s)
+BOOL fastpath_read_header_rdp(rdpFastPath* fastpath, STREAM* s, UINT16 *length)
{
BYTE header;
- UINT16 length;
stream_read_BYTE(s, header);
fastpath->numberEvents = (header & 0x3C) >> 2;
}
- per_read_length(s, &length);
+ if (!per_read_length(s, length))
+ return FALSE;
- return length - stream_get_length(s);
+ *length = *length - stream_get_length(s);
+ return TRUE;
}
static BOOL fastpath_recv_orders(rdpFastPath* fastpath, STREAM* s)
case FASTPATH_UPDATETYPE_BITMAP:
case FASTPATH_UPDATETYPE_PALETTE:
- return fastpath_recv_update_common(fastpath, s);
+ if(!fastpath_recv_update_common(fastpath, s))
+ return FALSE;
+ break;
case FASTPATH_UPDATETYPE_SYNCHRONIZE:
if (!fastpath_recv_update_synchronize(fastpath, s))
break;
case FASTPATH_UPDATETYPE_POINTER:
- update_read_pointer_new(s, &pointer->pointer_new);
+ if (!update_read_pointer_new(s, &pointer->pointer_new))
+ return FALSE;
IFCALL(pointer->PointerNew, context, &pointer->pointer_new);
break;
compressionFlags = 0;
stream_read_UINT16(s, size);
+ if(stream_get_left(s) < size)
+ return FALSE;
next_pos = stream_get_pos(s) + size;
comp_stream = s;
stream_check_size(fastpath->updateData, size);
stream_copy(fastpath->updateData, comp_stream, size);
+ /* TODO: add a limit on the fragmentation buffer size */
if (fragmentation == FASTPATH_FRAGMENT_LAST)
{
UINT16 fastpath_header_length(STREAM* s);
UINT16 fastpath_read_header(rdpFastPath* fastpath, STREAM* s);
-UINT16 fastpath_read_header_rdp(rdpFastPath* fastpath, STREAM* s);
+BOOL fastpath_read_header_rdp(rdpFastPath* fastpath, STREAM* s, UINT16 *length);
BOOL fastpath_recv_updates(rdpFastPath* fastpath, STREAM* s);
BOOL fastpath_recv_inputs(rdpFastPath* fastpath, STREAM* s);
switch (bMsgType)
{
case LICENSE_REQUEST:
- license_read_license_request_packet(license, s);
+ if (!license_read_license_request_packet(license, s))
+ return FALSE;
license_send_new_license_request_packet(license);
break;
case PLATFORM_CHALLENGE:
- license_read_platform_challenge_packet(license, s);
+ if (!license_read_platform_challenge_packet(license, s))
+ return FALSE;
license_send_platform_challenge_response_packet(license);
break;
break;
case ERROR_ALERT:
- license_read_error_alert_packet(license, s);
+ if (!license_read_error_alert_packet(license, s))
+ return FALSE;
break;
default:
stream_read(s, license->server_random, 32);
/* ProductInfo */
- license_read_product_info(s, license->product_info);
+ if (!license_read_product_info(s, license->product_info))
+ return FALSE;
/* KeyExchangeList */
- license_read_binary_blob(s, license->key_exchange_list);
+ if (!license_read_binary_blob(s, license->key_exchange_list))
+ return FALSE;
/* ServerCertificate */
- license_read_binary_blob(s, license->server_certificate);
+ if (!license_read_binary_blob(s, license->server_certificate))
+ return FALSE;
/* ScopeList */
- license_read_scope_list(s, license->scope_list);
+ if (!license_read_scope_list(s, license->scope_list))
+ return FALSE;
/* Parse Server Certificate */
- certificate_read_server_certificate(license->certificate,
- license->server_certificate->data, license->server_certificate->length);
+ if (!certificate_read_server_certificate(license->certificate,
+ license->server_certificate->data, license->server_certificate->length))
+ return FALSE;
license_generate_keys(license);
license_generate_hwid(license);
license->encrypted_platform_challenge->type = BB_ENCRYPTED_DATA_BLOB;
/* MACData (16 bytes) */
- if(stream_get_left(s) < 16)
+ if(!stream_skip(s, 16))
return FALSE;
- stream_seek(s, 16);
license_decrypt_platform_challenge(license);
return TRUE;
STREAM* s = transport_recv_stream_init(nego->transport, 1024);
if (transport_read(nego->transport, s) < 0)
- return -1;
+ return FALSE;
return ((nego_recv(nego->transport, s, nego) < 0) ? FALSE : TRUE);
}
BOOL deleteListPresent;
OFFSCREEN_DELETE_LIST* deleteList;
- if(stream_get_left(s) < 4)
+ if(stream_get_left(s) < 6)
return FALSE;
stream_read_UINT16(s, flags); /* flags (2 bytes) */
create_offscreen_bitmap->id = flags & 0x7FFF;
rdp = client->context->rdp;
fastpath = rdp->fastpath;
- length = fastpath_read_header_rdp(fastpath, s);
+ if (!fastpath_read_header_rdp(fastpath, s, &length))
+ return -1;
if ((length == 0) || (length > stream_get_left(s)))
{
rdpFastPath* fastpath;
fastpath = rdp->fastpath;
- length = fastpath_read_header_rdp(fastpath, s);
+ if (!fastpath_read_header_rdp(fastpath, s, &length))
+ return -1;
if ((length == 0) || (length > stream_get_left(s)))
{
#include "surface.h"
-static int update_recv_surfcmd_surface_bits(rdpUpdate* update, STREAM* s)
+static BOOL update_recv_surfcmd_surface_bits(rdpUpdate* update, STREAM* s, UINT32 *length)
{
int pos;
SURFACE_BITS_COMMAND* cmd = &update->surface_bits_command;
+ if(stream_get_left(s) < 20)
+ return FALSE;
stream_read_UINT16(s, cmd->destLeft);
stream_read_UINT16(s, cmd->destTop);
stream_read_UINT16(s, cmd->destRight);
stream_read_UINT16(s, cmd->width);
stream_read_UINT16(s, cmd->height);
stream_read_UINT32(s, cmd->bitmapDataLength);
+ if(stream_get_left(s) < cmd->bitmapDataLength)
+ return FALSE;
pos = stream_get_pos(s) + cmd->bitmapDataLength;
cmd->bitmapData = stream_get_tail(s);
stream_set_pos(s, pos);
- return 20 + cmd->bitmapDataLength;
+ *length = 20 + cmd->bitmapDataLength;
+ return TRUE;
}
static void update_send_frame_acknowledge(rdpRdp* rdp, UINT32 frameId)
rdp_send_data_pdu(rdp, s, DATA_PDU_TYPE_FRAME_ACKNOWLEDGE, rdp->mcs->user_id);
}
-static int update_recv_surfcmd_frame_marker(rdpUpdate* update, STREAM* s)
+static BOOL update_recv_surfcmd_frame_marker(rdpUpdate* update, STREAM* s, UINT32 *length)
{
SURFACE_FRAME_MARKER* marker = &update->surface_frame_marker;
+ if(stream_get_left(s) < 6)
+ return FALSE;
stream_read_UINT16(s, marker->frameAction);
stream_read_UINT32(s, marker->frameId);
update_send_frame_acknowledge(update->context->rdp, marker->frameId);
}
- return 6;
+ *length = 6;
+ return TRUE;
}
int update_recv_surfcmds(rdpUpdate* update, UINT32 size, STREAM* s)
{
case CMDTYPE_SET_SURFACE_BITS:
case CMDTYPE_STREAM_SURFACE_BITS:
- cmdLength = update_recv_surfcmd_surface_bits(update, s);
+ if (!update_recv_surfcmd_surface_bits(update, s, &cmdLength))
+ return -1;
break;
case CMDTYPE_FRAME_MARKER:
- cmdLength = update_recv_surfcmd_frame_marker(update, s);
+ if (!update_recv_surfcmd_frame_marker(update, s, &cmdLength))
+ return -1;
break;
default:
/* rectangles */
for (i = 0; i < (int) bitmap_update->number; i++)
{
- if(!update_read_bitmap_data(s, &bitmap_update->rectangles[i]))
+ if (!update_read_bitmap_data(s, &bitmap_update->rectangles[i]))
return FALSE;
}
return TRUE;
BOOL update_read_pointer_new(STREAM* s, POINTER_NEW_UPDATE* pointer_new)
{
+ if(stream_get_left(s) < 2)
+ return FALSE;
stream_read_UINT16(s, pointer_new->xorBpp); /* xorBpp (2 bytes) */
return update_read_pointer_color(s, &pointer_new->colorPtrAttr); /* colorPtrAttr */
}
switch (messageType)
{
case PTR_MSG_TYPE_POSITION:
- if(update_read_pointer_position(s, &pointer->pointer_position) == FALSE)
+ if (!update_read_pointer_position(s, &pointer->pointer_position))
return FALSE;
IFCALL(pointer->PointerPosition, context, &pointer->pointer_position);
break;
case PTR_MSG_TYPE_SYSTEM:
- if(update_read_pointer_system(s, &pointer->pointer_system) == FALSE)
+ if (!update_read_pointer_system(s, &pointer->pointer_system))
return FALSE;
IFCALL(pointer->PointerSystem, context, &pointer->pointer_system);
break;
case PTR_MSG_TYPE_COLOR:
- if(update_read_pointer_color(s, &pointer->pointer_color) == FALSE)
+ if (!update_read_pointer_color(s, &pointer->pointer_color))
return FALSE;
IFCALL(pointer->PointerColor, context, &pointer->pointer_color);
break;
case PTR_MSG_TYPE_POINTER:
- if(update_read_pointer_new(s, &pointer->pointer_new) == FALSE)
+ if (!update_read_pointer_new(s, &pointer->pointer_new))
return FALSE;
IFCALL(pointer->PointerNew, context, &pointer->pointer_new);
break;
case PTR_MSG_TYPE_CACHED:
- if(update_read_pointer_cached(s, &pointer->pointer_cached) == FALSE)
+ if (!update_read_pointer_cached(s, &pointer->pointer_cached))
return FALSE;
IFCALL(pointer->PointerCached, context, &pointer->pointer_cached);
break;
break;
case UPDATE_TYPE_BITMAP:
- update_read_bitmap(update, s, &update->bitmap_update);
+ if (!update_read_bitmap(update, s, &update->bitmap_update))
+ return FALSE;
IFCALL(update->BitmapUpdate, context, &update->bitmap_update);
break;
case UPDATE_TYPE_PALETTE:
- if(update_read_palette(update, s, &update->palette_update) == FALSE)
+ if (!update_read_palette(update, s, &update->palette_update))
return FALSE;
IFCALL(update->Palette, context, &update->palette_update);
break;
stream_read_BYTE(s, numberOfAreas);
stream_seek(s, 3); /* pad3Octects */
+ if(stream_get_left(s) < numberOfAreas * 4 * 2)
+ return FALSE;
areas = (RECTANGLE_16*) malloc(sizeof(RECTANGLE_16) * numberOfAreas);
for (index = 0; index < numberOfAreas; index++)