We don't know when the caller might be done with a stream, so we
can end up with code overwriting things in a stream that is in use
elsewhere.
Solve the issue by returning a new stream each time and leave it
up to the callers to free it.
Make them more match in_uint8a and in_uint8p in that one copies and
the other just gives you a pointer and it is up to the caller how
to fill it in. This can be useful when other APIs are used to
generate the data as it avoids a temporary buffer.
This macro checks if a pointer is valid _after_ we've already used
that pointer. So it will only trigger if we're already performed some
for of buffer overflow. As such, it provides little to no value and
can only server to encourage broken behaviour.
Let's remove it and replace it with proper bounds checking before
access instead.
The entire device redirection framework is documented to use 64-bit
offsets rather than 32-bit offsets. This should fix any problems
transfering large files with rdesktop.
Co-Authored-By: gpatel-fr <44170243+gpatel-fr@users.noreply.github.com>
Even though we can detect that the server buffer is too small to
receive the APDU result we don't prevent the actual copy of this result
to allocated buffer which results in overflow.
This commit includes fixes for a set of 21 vulnerabilities in
rdesktop when a malicious RDP server is used.
All vulnerabilities was identified and reported by Eyal Itkin.
* Add rdp_protocol_error function that is used in several fixes
* Refactor of process_bitmap_updates
* Fix possible integer overflow in s_check_rem() on 32bit arch
* Fix memory corruption in process_bitmap_data - CVE-2018-8794
* Fix remote code execution in process_bitmap_data - CVE-2018-8795
* Fix remote code execution in process_plane - CVE-2018-8797
* Fix Denial of Service in mcs_recv_connect_response - CVE-2018-20175
* Fix Denial of Service in mcs_parse_domain_params - CVE-2018-20175
* Fix Denial of Service in sec_parse_crypt_info - CVE-2018-20176
* Fix Denial of Service in sec_recv - CVE-2018-20176
* Fix minor information leak in rdpdr_process - CVE-2018-8791
* Fix Denial of Service in cssp_read_tsrequest - CVE-2018-8792
* Fix remote code execution in cssp_read_tsrequest - CVE-2018-8793
* Fix Denial of Service in process_bitmap_data - CVE-2018-8796
* Fix minor information leak in rdpsnd_process_ping - CVE-2018-8798
* Fix Denial of Service in process_secondary_order - CVE-2018-8799
* Fix remote code execution in in ui_clip_handle_data - CVE-2018-8800
* Fix major information leak in ui_clip_handle_data - CVE-2018-20174
* Fix memory corruption in rdp_in_unistr - CVE-2018-20177
* Fix Denial of Service in process_demand_active - CVE-2018-20178
* Fix remote code execution in lspci_process - CVE-2018-20179
* Fix remote code execution in rdpsnddbg_process - CVE-2018-20180
* Fix remote code execution in seamless_process - CVE-2018-20181
* Fix remote code execution in seamless_process_line - CVE-2018-20182
This remove the use of deprecated rdp_out_unistr() and
uses correct string length instead of assumition that all
utf16 symbols are represented by 2 bytes.
This commit will add a logging system to solve the problem that
one actually need to recompile rdesktop from source to enable
different debug logging.
- Same logging api for all kind of logging and messages to
end user.
- Adding -v for verbose output when running rdesktop.
- All messages are logged into a subject and with a type, eg:
logger(Keyboard, Notice, "Autos-electing %s based on locale.", locale);
- Debug logging is enabled trough a environment variable RDEKSTOP_DEBUG,
which specifies subjects of interest, comma separated. There is a special
subject named All which includes all subject for debug loggin. There is also
a simple logic opeartor '!' = NOT which can be used in combination like:
RDESKTOP_DEBUG=All,!Graphics,!Sound
Which would give debug log output for All subject except Graphics and Sound.
Store the full drive name in a new disk-specific pdevice_data
struct. Bump Drive Redirection version to 02, and send the full name
as part of the Device Announcement message.
redirection were the RDPDR channel is shutdown by server.
The RDPDR channel is shutdown by server when responses from
abdonend iorequests are received on a reinitialized RDPDR
channel. This fix adds epochs for RDPDR channel and tags
iorequest to specific epoch to handle abdonend iorequest.
git-svn-id: svn://svn.code.sf.net/p/rdesktop/code/rdesktop/trunk@1836 423420c4-83ab-492f-b58f-81f9feb106b5
- Make sure to use server supplied ClientID if
server VersionMinor is >= 12.
git-svn-id: svn://svn.code.sf.net/p/rdesktop/code/rdesktop/trunk@1833 423420c4-83ab-492f-b58f-81f9feb106b5
- Make sure to send DR_CORE_CAPABILITY_RSP as response
to DR_CORE_SERVER_ANNOUNCE_REQ.
git-svn-id: svn://svn.code.sf.net/p/rdesktop/code/rdesktop/trunk@1832 423420c4-83ab-492f-b58f-81f9feb106b5
magic character numbers found in protocol stream for clarity.
git-svn-id: svn://svn.code.sf.net/p/rdesktop/code/rdesktop/trunk@1828 423420c4-83ab-492f-b58f-81f9feb106b5
Simplified FileRenameInformation in disk_set_information()
and handle error if newname is null.
git-svn-id: svn://svn.code.sf.net/p/rdesktop/code/rdesktop/trunk@1775 423420c4-83ab-492f-b58f-81f9feb106b5
instead of using hardcoded buffer sizes and assumtion that conversion
just fits the size.
git-svn-id: svn://svn.code.sf.net/p/rdesktop/code/rdesktop/trunk@1773 423420c4-83ab-492f-b58f-81f9feb106b5
- Changes to always start the rdpdr channel
due assumtions that this channel is supposed
to always be up and running.
git-svn-id: svn://svn.code.sf.net/p/rdesktop/code/rdesktop/trunk@1607 423420c4-83ab-492f-b58f-81f9feb106b5
the rdpdr channel to be initiated.
RDPEA nor RDPBCGR mention a relation between audio and
the rdpdr channel.
See. support request #2717082
git-svn-id: svn://svn.code.sf.net/p/rdesktop/code/rdesktop/trunk@1604 423420c4-83ab-492f-b58f-81f9feb106b5
stat:ing each file many times.
The patch modifies rdesktop so that the g_notify_stamp is only set
when writing. Also, the stamp is not set before disk_create_notify(),
since this would mean that NotifyInfo would be called twice directly.
With this patch, the number of stat:s has dropped from 24 to 4, using
my tests.
git-svn-id: svn://svn.code.sf.net/p/rdesktop/code/trunk/rdesktop@1401 423420c4-83ab-492f-b58f-81f9feb106b5
