Commit Graph

212 Commits

Author SHA1 Message Date
Pierre Ossman
a646a5cce2 Be tolerant of cropped TS_SHARECONTROLHEADER
Old versions of Windows (e.g. XP) send a cropped packet in some
cases. It still contains all the important parts, so let's be
tolerant of this misbehaviour.
2019-09-19 09:18:42 +02:00
Pierre Ossman
77758c3c18 Handle empty unicode strings from server 2019-05-06 14:33:38 +02:00
Pierre Ossman
25b8412333 Avoid poking around in STREAM internals
It's easy to make mistakes this way, and it bypasses the normal bounds
checking. So make sure we always use macros or functions.
2019-05-06 14:33:38 +02:00
Pierre Ossman
c6d8b933c8 Avoid preallocated streams in tcp.c
We don't know when the caller might be done with a stream, so we
can end up with code overwriting things in a stream that is in use
elsewhere.

Solve the issue by returning a new stream each time and leave it
up to the callers to free it.
2019-05-06 14:33:05 +02:00
Pierre Ossman
75221eb3c5 Separate behaviour of out_uint8a and out_uint8p
Make them match in_uint8a and in_uint8p more closely, in that one copies
and the other just gives you a pointer and it is up to the caller how
to fill it in. This can be useful when other APIs are used to
generate the data as it avoids a temporary buffer.
2019-05-06 14:33:05 +02:00
Pierre Ossman
6268b44f06 Add macro to check remaining length of STREAM
Avoids poking around in the internals, and also makes the code
easier to read.
2019-05-06 14:33:05 +02:00
Pierre Ossman
e099d79879 Remove dangerous s_check()
This macro checks if a pointer is valid _after_ we've already used
that pointer. So it will only trigger if we've already performed some
form of buffer overflow. As such, it provides little to no value and
can only serve to encourage broken behaviour.

Let's remove it and replace it with proper bounds checking before
access instead.
2019-05-06 14:33:05 +02:00
Pierre Ossman
e1537061bf Fix packet debug output in rdp_protocol_error()
We're trying to print the entire packet, not just what's left.
2019-05-06 13:30:13 +02:00
Pierre Ossman
d8b0f3782a Give source code info in rdp_protocol_error()
Makes it easier to debug things by seeing exactly where the protocol
handling crashed.
2019-05-06 13:29:44 +02:00
Pierre Ossman
df94870c91 Remove unused variables and functions 2019-04-12 14:37:24 +02:00
Alexander Zakharov
85f99edd65 Update copyrights 2019-02-01 11:21:32 +03:00
Pierre Ossman
17363d9e4d Get a private copy of the redirect cookie
We accidentally just changed the pointer rather than copying the
cookie into our freshly allocated buffer. This caused problems
after 74b2129e as we started freeing the stream buffers on
disconnect.
2019-01-30 11:00:23 +01:00
Alexander Zakharov
774a657975 Handle insufficient server side buffer for smartcard operations
We should pay attention to OutputBufferLength of DR_CONTROL_REQ
and send STATUS_BUFFER_TOO_SMALL if it's insufficient for the returned
result.
2019-01-23 16:12:21 +03:00
Henrik Andersson
4dca546d04 Malicious RDP server security fixes
This commit includes fixes for a set of 21 vulnerabilities in
rdesktop when a malicious RDP server is used.

All vulnerabilities were identified and reported by Eyal Itkin.

 * Add rdp_protocol_error function that is used in several fixes
 * Refactor of process_bitmap_updates
 * Fix possible integer overflow in s_check_rem() on 32bit arch
 * Fix memory corruption in process_bitmap_data - CVE-2018-8794
 * Fix remote code execution in process_bitmap_data - CVE-2018-8795
 * Fix remote code execution in process_plane - CVE-2018-8797
 * Fix Denial of Service in mcs_recv_connect_response - CVE-2018-20175
 * Fix Denial of Service in mcs_parse_domain_params - CVE-2018-20175
 * Fix Denial of Service in sec_parse_crypt_info - CVE-2018-20176
 * Fix Denial of Service in sec_recv - CVE-2018-20176
 * Fix minor information leak in rdpdr_process - CVE-2018-8791
 * Fix Denial of Service in cssp_read_tsrequest - CVE-2018-8792
 * Fix remote code execution in cssp_read_tsrequest - CVE-2018-8793
 * Fix Denial of Service in process_bitmap_data - CVE-2018-8796
 * Fix minor information leak in rdpsnd_process_ping - CVE-2018-8798
 * Fix Denial of Service in process_secondary_order - CVE-2018-8799
 * Fix remote code execution in ui_clip_handle_data - CVE-2018-8800
 * Fix major information leak in ui_clip_handle_data - CVE-2018-20174
 * Fix memory corruption in rdp_in_unistr - CVE-2018-20177
 * Fix Denial of Service in process_demand_active - CVE-2018-20178
 * Fix remote code execution in lspci_process - CVE-2018-20179
 * Fix remote code execution in rdpsnddbg_process - CVE-2018-20180
 * Fix remote code execution in seamless_process - CVE-2018-20181
 * Fix remote code execution in seamless_process_line - CVE-2018-20182
2019-01-16 12:28:44 +01:00
Henrik Andersson
c16b74a974 Run indent-all.sh script on source 2018-10-29 15:53:57 +01:00
Henrik Andersson
567b1f7432 Clear password is smart card pin upon redirect
Upon a redirection, we have received a cookie that is used
for authentication and we should not flag this as a pin
code for the smartcard. This solves a problem with an incorrect
pin code when using smart card authentication and being
redirected to a server where a session exists.
2018-04-17 16:57:05 +02:00
Cendio
8bc2cea80f Add check if we can use dynamic session resize
When the server does not comply with our initial session size
request, we disable the dynamic session resize feature.

Co-authored-by: Henrik Andersson <hean01@cendio.com>
Co-authored-by: Karl Mikaelsson <derfian@cendio.se>
2018-02-14 10:49:30 +01:00
Cendio
9d163423eb Fullscreen windows should not be resized to match the session size
Given that a fullscreen window should have the same size as the
screen, when the server tells us a session size, then we can't
resize the fullscreen window.

Co-authored-by: Henrik Andersson <hean01@cendio.com>
Co-authored-by: Karl Mikaelsson <derfian@cendio.se>
2018-02-13 14:14:02 +01:00
Henrik Andersson
1a82d4139b Cleanup of rdp_loop() and rdp_recv() for clarity 2018-02-01 13:12:57 +01:00
Henrik Andersson
b5708cf775 Refactoring of slow and fastpath handling
This change clarifies a chunk of code related to receiving
data and handling slow and fast path pdus.
2018-02-01 12:47:22 +01:00
Cendio
58d8f78eea Add lots of protocol debug logging
Signed-off-by: Henrik Andersson <hean01@cendio.com>
Signed-off-by: Karl Mikaelsson <derfian@cendio.se>
2018-01-31 11:03:32 +01:00
Cendio
07abc9bade Defer pending resize until after autoreconnect cookie is received
Resizing the session using the disconnect/reconnect sequence should not
be performed before we have received an auto-reconnect cookie, which is
used for reconnecting to the session. There is a race when trying to
reconnect at this point, so a defer timer is used to delay this further
from the point where the auto-reconnect cookie is received.

Fixes a problem where a login prompt is shown upon reconnect even if
the auto-reconnect cookie is available and used.

Signed-off-by: Henrik Andersson <hean01@cendio.com>
Signed-off-by: Karl Mikaelsson <derfian@cendio.se>
2018-01-31 11:03:32 +01:00
Cendio
293680c034 Use hex constants for data pdu (pdutype2) enumeration
This matches how they're described in MS-RDPBCGR. Also add the proper
constant name as comments.

Signed-off-by: Henrik Andersson <hean01@cendio.com>
Signed-off-by: Thomas Nilefalk <thoni56@cendio.se>
2018-01-31 11:03:32 +01:00
Cendio
2491a3c436 Clear g_exit_mainloop before new connection
Reuse of g_exit_mainloop can occur in various situations,
such as on redirection, when a new connection is initialized.

If you call rdp_loop with this flag set, things will not work as
you'd expect.

Fixes issue #228

Signed-off-by: Henrik Andersson <hean01@cendio.com>
Signed-off-by: Karl Mikaelsson <derfian@cendio.se>
2018-01-29 14:05:16 +01:00
Karl Mikaelsson
2f6cd4df7e Improve handling/code of Set Error Info PDU
Renamed the function to match the PDU it was processing. Removed the
function from proto.h and made it static - there's nothing calling
this from outside of rdp.c. Fixed the logging output to output the
error code instead of the pointer value.
2018-01-25 16:47:17 +01:00
Karl Mikaelsson
ca5c0adefd Rename rdp_send_logon_info to rdp_send_client_info_pdu 2018-01-25 16:47:17 +01:00
Cendio
7f76e2218a Rename of global variable for clarity
Signed-off-by: Henrik Andersson <hean01@cendio.com>
Signed-off-by: Thomas Nilefalk <thoni56@cendio.se>
2018-01-11 15:10:05 +01:00
Cendio
ab50ea31cf Implement dynamic session resize
This adds support for resizing the RDP session dynamically based on
the window size. Some complicated logic has been added to avoid
sending excessive amounts of resize requests to the RDP server.

When supported, this resize mechanism should use the RDPEDISP way of
signalling the server to initiate a Deactivate/Activate sequence, but
rdesktop will fall back on Disconnect/Reconnect if RDPEDISP is not
supported by the server.

ui_select has been refactored and most functionality has been broken
out into three new functions, simplifying ui_select into a loop.

Signed-off-by: Henrik Andersson <hean01@cendio.com>
Signed-off-by: Karl Mikaelsson <derfian@cendio.se>
Signed-off-by: Thomas Nilefalk <thoni56@cendio.se>
2017-12-07 11:15:03 +01:00
Cendio
d037db1086 Increase default desktop size and enable wallpaper 2017-11-09 17:15:16 +01:00
Henrik Andersson
d3d6613c78 Fix compiler warning 2017-11-03 12:49:11 +01:00
René Genz
9e99dd52d6 Fix minor spelling mistakes 2017-11-02 01:01:44 +01:00
Joshua Hudson
e7cda3dbf8 add -M for local mouse cursor 2017-11-01 06:47:31 +01:00
Henrik Andersson
5aa5a9dbfc Minor refactor of process_logon_pdu() 2017-11-01 06:47:31 +01:00
Karl Mikaelsson
8f83c1f6c7 Rename suppress output functions to match MS-RDPBCGR
Issue #161
2017-10-30 10:47:21 +01:00
Karl Mikaelsson
99f5925cce Enable support for large pointers
The cursor-handling code already handles larger pointer sizes. This
advertises that rdesktop has the capability to handle large cursors
and adjusts the maximum size of fragmented packets to suit the large
cursor requirements.

Solves issue #173.
2017-10-16 19:26:30 +02:00
Henrik Andersson
032d67f6ac Remove global variable g_bitmap_compression
g_bitmap_compression is a global variable scattered through the code
but only accessed and used in one place: rdp_out_bitmap_caps().
Demoted it to a local variable and replaced it with a hardcoded value.
2017-10-16 15:34:47 +02:00
Karl Mikaelsson
0c7b4117ab Enable fragmented Fast-Path Updates
Fragmented updates are concatenated into temporary streams (one per
update type) that are processed when receiving an update with the
FASTPATH_FRAGMENT_LAST bit set.
2017-10-16 14:01:13 +02:00
Karl Mikaelsson
b8a1d04ffb Use system default pointer when requested
Solves problem with hidden cursors at login screen (part of
issue #165)

Signed-off-by: Karl Mikaelsson <derfian@cendio.se>
Signed-off-by: Henrik Andersson <hean01@cendio.se>
2017-10-16 13:55:39 +02:00
Karl Mikaelsson
12ee9eb035 Avoid magic constants in caplen too 2017-10-13 14:34:01 +02:00
Karl Mikaelsson
eec94365c4 Improve Fast-Path code readability
Using constants and field definitions from MS-RDPBCGR.
2017-10-13 14:02:03 +02:00
Karl Mikaelsson
3abeca252b Log system pointer changes via Fast-Path updates 2017-10-13 14:02:03 +02:00
Karl Mikaelsson
72f63d04ec Decipher remaining capabilitysets sent from rdesktop 2017-10-13 14:02:03 +02:00
Karl Mikaelsson
9ca206bc08 Clarify order and bitmap capability set functions 2017-10-13 14:02:03 +02:00
Karl Mikaelsson
3b0a0c1334 Improve rdp_out_general_caps
Rename to rdp_out_ts_general_capabilityset to match the structure
name, describe all fields and use constants instead of magic numbers.
2017-10-13 14:02:03 +02:00
Henrik Andersson
594438e5eb Make deprecated rdp_out_unistr() static 2017-09-29 16:30:17 +02:00
Henrik Andersson
de8fe9429f Add two new stream functions for writing utf16 strings
This is the first step towards removing the old rdp_out_unistr() and
using clearer code.
2017-09-29 14:24:27 +02:00
Henrik Andersson
b872ddb21d Ran indent script 2017-06-07 09:39:29 +02:00
Henrik Andersson
b9481bb01b Fix reconnection using the cookie
The redirection cookie was never used, because the global
g_redirect flag was cleared in the wrong place. This fixes
the problem with dual authentication prompts when redirected
to another server upon connect.

Fixes issue #18
2017-05-15 08:36:41 +02:00
Henrik Andersson
708b0f0071 Rename redirection flags matching names in specification
Also added missing flags available from spec
2017-05-15 08:03:39 +02:00
Henrik Andersson
c93960b266 Cleanup of TS_SECURITY_HEADER code
Add correct naming of header TS_SECURITY_HEADER and its flags
as per the MS-RDPBCGR specification.
2017-03-07 15:32:14 +01:00