From 153639624b54f3a77214bf0a4ff39a3e35fc00bd Mon Sep 17 00:00:00 2001 From: Armin Novak Date: Thu, 7 Nov 2019 07:41:48 +0100 Subject: [PATCH] Fixed NULL checks for strnlen calls, limit static channel name length. As reported by @metametaclass in #5687 check the strings for NULL before using strnlen. Also extend the same checks to static channel loading. --- channels/client/addin.c | 22 ++++++++++++---------- libfreerdp/common/addin.c | 17 ++++++++++++----- 2 files changed, 24 insertions(+), 15 deletions(-) diff --git a/channels/client/addin.c b/channels/client/addin.c index d7c4d9d..5bd6276 100644 --- a/channels/client/addin.c +++ b/channels/client/addin.c @@ -332,14 +332,13 @@ extern const STATIC_ENTRY CLIENT_VirtualChannelEntryEx_TABLE[]; BOOL freerdp_channels_is_virtual_channel_entry_ex(LPCSTR pszName) { - int i; - STATIC_ENTRY* entry; + size_t i; for (i = 0; CLIENT_VirtualChannelEntryEx_TABLE[i].name != NULL; i++) { - entry = (STATIC_ENTRY*)&CLIENT_VirtualChannelEntryEx_TABLE[i]; + const STATIC_ENTRY* entry = &CLIENT_VirtualChannelEntryEx_TABLE[i]; - if (!strcmp(entry->name, pszName)) + if (!strncmp(entry->name, pszName, MAX_PATH)) return TRUE; } @@ -350,24 +349,27 @@ PVIRTUALCHANNELENTRY freerdp_channels_load_static_addin_entry(LPCSTR pszName, LP LPCSTR pszType, DWORD dwFlags) { const STATIC_ADDIN_TABLE* table = CLIENT_STATIC_ADDIN_TABLE; + if (!pszName) + return NULL; + for (; table->name != NULL; table++) { - if (strcmp(table->name, pszName) == 0) + if (strncmp(table->name, pszName, MAX_PATH) == 0) { if (pszSubsystem != NULL) { - const STATIC_SUBSYSTEM_ENTRY* subsystems = - (const STATIC_SUBSYSTEM_ENTRY*)table->table; + const STATIC_SUBSYSTEM_ENTRY* subsystems = table->table; for (; subsystems->name != NULL; subsystems++) { /* If the pszSubsystem is an empty string use the default backend. */ - if ((strlen(pszSubsystem) == 0) || - (strcmp(subsystems->name, pszSubsystem) == 0)) + if ((strnlen(pszSubsystem, 1) == + 0) || /* we only want to know if strnlen is > 0 */ + (strncmp(subsystems->name, pszSubsystem, MAX_PATH) == 0)) { if (pszType) { - if (strcmp(subsystems->type, pszType) == 0) + if (strncmp(subsystems->type, pszType, MAX_PATH) == 0) return (PVIRTUALCHANNELENTRY)subsystems->entry; } else diff --git a/libfreerdp/common/addin.c b/libfreerdp/common/addin.c index a5383f3..f1957b2 100644 --- a/libfreerdp/common/addin.c +++ b/libfreerdp/common/addin.c @@ -241,12 +241,19 @@ PVIRTUALCHANNELENTRY freerdp_load_dynamic_channel_addin_entry(LPCSTR pszName, LP const size_t cchBaseFileName = sizeof(FREERDP_SHARED_LIBRARY_PREFIX) + 32; LPCSTR pszExtension; LPCSTR pszPrefix = FREERDP_SHARED_LIBRARY_PREFIX; - const size_t nameLen = strnlen(pszName, MAX_PATH); - const size_t subsystemLen = strnlen(pszSubsystem, MAX_PATH); - const size_t typeLen = strlen(pszType); - size_t extensionLen; + size_t nameLen = 0; + size_t subsystemLen = 0; + size_t typeLen = 0; + size_t extensionLen = 0; pszExtension = PathGetSharedLibraryExtensionA(0); - extensionLen = strnlen(pszExtension, MAX_PATH); + if (pszName) + nameLen = strnlen(pszName, MAX_PATH); + if (pszSubsystem) + subsystemLen = strnlen(pszSubsystem, MAX_PATH); + if (pszType) + typeLen = strnlen(pszType, MAX_PATH); + if (pszExtension) + extensionLen = strnlen(pszExtension, MAX_PATH); if (pszName && pszSubsystem && pszType) { -- 2.7.4