Add some more warnings and sanity checks.

git-svn-id: svn://svn.code.sf.net/p/rdesktop/code/trunk/rdesktop@1425 423420c4-83ab-492f-b58f-81f9feb106b5

disk.c

@@ -802,7 +802,7 @@ disk_set_information(RD_NTHANDLE handle, uint32 info_class, STREAM in, STREAM ou
 
 			if (length && (length / 2) < 256)
 			{
-				rdp_in_unistr(in, newname, length);
+				rdp_in_unistr(in, newname, sizeof(newname), length);
 				convert_to_unix_filename(newname);
 			}
 			else

printercache.c

@@ -245,8 +245,8 @@ printercache_process(STREAM s)
 
 			/* NOTE - 'driver' doesn't contain driver, it contains the new printer name */
 
-			rdp_in_unistr(s, printer, printer_length);
-			rdp_in_unistr(s, driver, driver_length);
+			rdp_in_unistr(s, printer, sizeof(printer), printer_length);
+			rdp_in_unistr(s, driver, sizeof(driver), driver_length);
 
 			printercache_rename_blob(printer, driver);
 			break;
@@ -254,7 +254,7 @@ printercache_process(STREAM s)
 		case 3:	/* delete item */
 			in_uint8(s, printer_unicode_length);
 			in_uint8s(s, 0x3);	/* padding */
-			printer_length = rdp_in_unistr(s, printer, printer_unicode_length);
+			rdp_in_unistr(s, printer, sizeof(printer), printer_unicode_length);
 			printercache_unlink_blob(printer);
 			break;
 
@@ -264,7 +264,7 @@ printercache_process(STREAM s)
 
 			if (printer_unicode_length < 2 * 255)
 			{
-				rdp_in_unistr(s, printer, printer_unicode_length);
+				rdp_in_unistr(s, printer, sizeof(printer), printer_unicode_length);
 				printercache_save_blob(printer, s->p, blob_length);
 			}
 			break;

proto.h

@@ -111,7 +111,7 @@ void generate_random(uint8 * random);
 void *xmalloc(int size);
 void exit_if_null(void *ptr);
 char *xstrdup(const char *s);
-void *xrealloc(void *oldmem, int size);
+void *xrealloc(void *oldmem, size_t size);
 void xfree(void *mem);
 void error(char *format, ...);
 void warning(char *format, ...);
@@ -137,7 +137,7 @@ RD_BOOL rd_lock_file(int fd, int start, int len);
 void rdp5_process(STREAM s);
 /* rdp.c */
 void rdp_out_unistr(STREAM s, char *string, int len);
-int rdp_in_unistr(STREAM s, char *string, int uni_len);
+int rdp_in_unistr(STREAM s, char *string, int str_len, int in_len);
 void rdp_send_input(uint32 time, uint16 message_type, uint16 device_flags, uint16 param1,
 		    uint16 param2);
 void rdp_send_client_window_status(int status);

rdesktop.c

@@ -1131,16 +1131,16 @@ xstrdup(const char *s)
 
 /* realloc; exit if out of memory */
 void *
-xrealloc(void *oldmem, int size)
+xrealloc(void *oldmem, size_t size)
 {
 	void *mem;
 
-	if (size < 1)
+	if (size == 0)
 		size = 1;
 	mem = realloc(oldmem, size);
 	if (mem == NULL)
 	{
-		error("xrealloc %d\n", size);
+		error("xrealloc %ld\n", size);
 		exit(1);
 	}
 	return mem;

rdp.c

@@ -243,10 +243,10 @@ rdp_out_unistr(STREAM s, char *string, int len)
  * Returns str_len of string
  */
 int
-rdp_in_unistr(STREAM s, char *string, int uni_len)
+rdp_in_unistr(STREAM s, char *string, int str_size, int in_len)
 {
 #ifdef HAVE_ICONV
-	size_t ibl = uni_len, obl = uni_len;
+	size_t ibl = in_len, obl = str_size-1;
 	char *pin = (char *) s->p, *pout = string;
 	static iconv_t iconv_h = (iconv_t) - 1;
 
@@ -260,37 +260,56 @@ rdp_in_unistr(STREAM s, char *string, int uni_len)
 					WINDOWS_CODEPAGE, g_codepage, iconv_h);
 
 				g_iconv_works = False;
-				return rdp_in_unistr(s, string, uni_len);
+				return rdp_in_unistr(s, string, str_size, in_len);
 			}
 		}
 
 		if (iconv(iconv_h, (ICONV_CONST char **) &pin, &ibl, &pout, &obl) == (size_t) - 1)
+		{
+			if (errno == E2BIG)
+			{
+				warning("server sent an unexpectedly long string, truncating\n");
+			}
+			else
 			{
 				iconv_close(iconv_h);
 				iconv_h = (iconv_t) - 1;
 				warning("rdp_in_unistr: iconv fail, errno %d\n", errno);
 
 				g_iconv_works = False;
-			return rdp_in_unistr(s, string, uni_len);
+				return rdp_in_unistr(s, string, str_size, in_len);
+			}
 		}
 
 		/* we must update the location of the current STREAM for future reads of s->p */
-		s->p += uni_len;
+		s->p += in_len;
 
+		*pout = 0;
 		return pout - string;
 	}
 	else
 #endif
 	{
 		int i = 0;
+		int len = in_len/2;
+		int rem = 0;
 
-		while (i < uni_len / 2)
+		if (len > str_size-1)
+		{
+			warning("server sent an unexpectedly long string, truncating\n");
+			len = str_size-1;
+			rem = in_len - 2*len;
+		}
+
+		while (i < len)
 		{
 			in_uint8a(s, &string[i++], 1);
 			in_uint8s(s, 1);
 		}
 
-		return i - 1;
+		in_uint8s(s, rem);
+		string[len] = 0;
+		return len;
 	}
 }
 
@@ -1325,32 +1344,44 @@ process_redirect_pdu(STREAM s /*, uint32 * ext_disc_reason */ )
 	in_uint32_le(s, len);
 
 	/* read ip string */
-	rdp_in_unistr(s, g_redirect_server, len);
+	rdp_in_unistr(s, g_redirect_server, sizeof(g_redirect_server), len);
 
 	/* read length of cookie string */
 	in_uint32_le(s, len);
 
 	/* read cookie string (plain ASCII) */
+	if (len > sizeof(g_redirect_cookie)-1)
+	{
+		uint32 rem = len - (sizeof(g_redirect_cookie)-1);
+		len = sizeof(g_redirect_cookie)-1;
+
+		warning("Unexpectedly large redirection cookie\n");
 		in_uint8a(s, g_redirect_cookie, len);
+		in_uint8s(s, rem);
+	}
+	else
+	{
+		in_uint8a(s, g_redirect_cookie, len);
+	}
 	g_redirect_cookie[len] = 0;
 
 	/* read length of username string */
 	in_uint32_le(s, len);
 
 	/* read username string */
-	rdp_in_unistr(s, g_redirect_username, len);
+	rdp_in_unistr(s, g_redirect_username, sizeof(g_redirect_username), len);
 
 	/* read length of domain string */
 	in_uint32_le(s, len);
 
 	/* read domain string */
-	rdp_in_unistr(s, g_redirect_domain, len);
+	rdp_in_unistr(s, g_redirect_domain, sizeof(g_redirect_domain), len);
 
 	/* read length of password string */
 	in_uint32_le(s, len);
 
 	/* read password string */
-	rdp_in_unistr(s, g_redirect_password, len);
+	rdp_in_unistr(s, g_redirect_password, sizeof(g_redirect_password), len);
 
 	g_redirect = True;
 

rdpdr.c

@@ -429,7 +429,7 @@ rdpdr_process_irp(STREAM s)
 
 			if (length && (length / 2) < 256)
 			{
-				rdp_in_unistr(s, filename, length);
+				rdp_in_unistr(s, filename, sizeof(filename), length);
 				convert_to_unix_filename(filename);
 			}
 			else
@@ -622,7 +622,7 @@ rdpdr_process_irp(STREAM s)
 					in_uint8s(s, 0x17);
 					if (length && length < 2 * 255)
 					{
-						rdp_in_unistr(s, filename, length);
+						rdp_in_unistr(s, filename, sizeof(filename), length);
 						convert_to_unix_filename(filename);
 					}
 					else