We don't know when the caller might be done with a stream, so we
can end up with code overwriting things in a stream that is in use
elsewhere.
Solve the issue by returning a new stream each time and leave it
up to the callers to free it.
Make them more match in_uint8a and in_uint8p in that one copies and
the other just gives you a pointer and it is up to the caller how
to fill it in. This can be useful when other APIs are used to
generate the data as it avoids a temporary buffer.
Avoids mistakes by making sure everyone allocates these the same
way.
The smart card code still has manual allocation because it has it's
own magical memory management.
This macro checks if a pointer is valid _after_ we've already used
that pointer. So it will only trigger if we're already performed some
for of buffer overflow. As such, it provides little to no value and
can only server to encourage broken behaviour.
Let's remove it and replace it with proper bounds checking before
access instead.
Before this change we announce that we support redirection
packet version 3 (Microsoft RDP 5.1 and 5.2 clients), this
makes the server to only send back LB_TARGET_NET_ADDRESS which
includes an IP address for the redirection. Announcing version
4 (Microsoft RDP 6.0 and 6.1 clients) will make the server to
send a LB_TARGET_FQDN which solves a few problems, for example
using kerberos authentication.
Fixes issue #303
This commit includes fixes for a set of 21 vulnerabilities in
rdesktop when a malicious RDP server is used.
All vulnerabilities was identified and reported by Eyal Itkin.
* Add rdp_protocol_error function that is used in several fixes
* Refactor of process_bitmap_updates
* Fix possible integer overflow in s_check_rem() on 32bit arch
* Fix memory corruption in process_bitmap_data - CVE-2018-8794
* Fix remote code execution in process_bitmap_data - CVE-2018-8795
* Fix remote code execution in process_plane - CVE-2018-8797
* Fix Denial of Service in mcs_recv_connect_response - CVE-2018-20175
* Fix Denial of Service in mcs_parse_domain_params - CVE-2018-20175
* Fix Denial of Service in sec_parse_crypt_info - CVE-2018-20176
* Fix Denial of Service in sec_recv - CVE-2018-20176
* Fix minor information leak in rdpdr_process - CVE-2018-8791
* Fix Denial of Service in cssp_read_tsrequest - CVE-2018-8792
* Fix remote code execution in cssp_read_tsrequest - CVE-2018-8793
* Fix Denial of Service in process_bitmap_data - CVE-2018-8796
* Fix minor information leak in rdpsnd_process_ping - CVE-2018-8798
* Fix Denial of Service in process_secondary_order - CVE-2018-8799
* Fix remote code execution in in ui_clip_handle_data - CVE-2018-8800
* Fix major information leak in ui_clip_handle_data - CVE-2018-20174
* Fix memory corruption in rdp_in_unistr - CVE-2018-20177
* Fix Denial of Service in process_demand_active - CVE-2018-20178
* Fix remote code execution in lspci_process - CVE-2018-20179
* Fix remote code execution in rdpsnddbg_process - CVE-2018-20180
* Fix remote code execution in seamless_process - CVE-2018-20181
* Fix remote code execution in seamless_process_line - CVE-2018-20182
A correct user initated disconnect sequence should send
a MCS Disconnect Provider Ultimatum PDU defined in T.128
upon a disconnect. This commit adds the implementation
the mentioned PDU and the actual write of the packet.
Signed-off-by: Henrik Andersson <hean01@cendio.com>
This adds support for resizing the RDP session dynamically based on
the window size. Some complicated logic has been added to avoid
sending excessive amounts of resize requests to the RDP server.
When supported, this resize mechanism should use the RDPEDISP way of
signalling the server to initiate a Deactivate/Activate sequence, but
rdesktop will fall back on Disconnect/Reconnect if RDPEDISP is not
supported by the server.
ui_select has been refactored and most functionality has been broken
out into three new functions, simplifying ui_select into a loop.
Signed-off-by: Henrik Andersson <hean01@cendio.com>
Signed-off-by: Karl Mikaelsson <derfian@cendio.se>
Signed-off-by: Thomas Nilefalk <thoni56@cendio.se>
To enable 32-bit color depths a earlyCapabilityFlag in the CS_CORE
packet is required. When 32-bit color depth is requested, this
RNS_UD_CS_WANT_32BPP_SESSION flag will now be set. We also advertise
support for 32-bit color depths through the RNS_UD_32BPP_SUPPORT flag.
If sec_parse_crypt_info returns false, it's not always a problem with
parsing the crypt info. It could very well be that Enhanced RDP
Security is used, which would trigger a false return value from the
function.
This commit adds new log messages to sec_parse_crypt_info for cases it
would return false and removes the incorrect catch-all message from
the caller.
This commit will add a logging system to solve the problem that
one actually need to recompile rdesktop from source to enable
different debug logging.
- Same logging api for all kind of logging and messages to
end user.
- Adding -v for verbose output when running rdesktop.
- All messages are logged into a subject and with a type, eg:
logger(Keyboard, Notice, "Autos-electing %s based on locale.", locale);
- Debug logging is enabled trough a environment variable RDEKSTOP_DEBUG,
which specifies subjects of interest, comma separated. There is a special
subject named All which includes all subject for debug loggin. There is also
a simple logic opeartor '!' = NOT which can be used in combination like:
RDESKTOP_DEBUG=All,!Graphics,!Sound
Which would give debug log output for All subject except Graphics and Sound.
disabled by default and is enabled using argument --enable-credssp
to configure script.
git-svn-id: svn://svn.code.sf.net/p/rdesktop/code/rdesktop/trunk@1676 423420c4-83ab-492f-b58f-81f9feb106b5
rdssl_ to prevent nameclashing with openssl library now
when we link against ssl library.
git-svn-id: svn://svn.code.sf.net/p/rdesktop/code/rdesktop/trunk@1665 423420c4-83ab-492f-b58f-81f9feb106b5
adding Enhanced RDP Security support to rdesktop and brings
support for TLSv1 tunnel functionality.
git-svn-id: svn://svn.code.sf.net/p/rdesktop/code/rdesktop/trunk@1659 423420c4-83ab-492f-b58f-81f9feb106b5
- Added helper functions for SHA1 hash to hash the hostname used for
licenses filename to hide information of what host user X connects
from in a infrastructure with NFS mounted home directories.
git-svn-id: svn://svn.code.sf.net/p/rdesktop/code/rdesktop/trunk@1644 423420c4-83ab-492f-b58f-81f9feb106b5
secure.c: Dereference of null pointer
xkeymap.c: Pass-by-value argument in function call is undefined
both seem to be noncritical, as sec_recv is never called with a null
pointer and ensure_remote_modifiers only accesses initialized fields
git-svn-id: svn://svn.code.sf.net/p/rdesktop/code/rdesktop/trunk@1589 423420c4-83ab-492f-b58f-81f9feb106b5
client can re-connect using a cookie, instead of going through the
normal authentication. This patch saves those cookies, and uses them
during logon.
Note that this feature is currently unused. It remains to add support
for, say, detecting when the TCP connection has gone done and restart
a new one.
git-svn-id: svn://svn.code.sf.net/p/rdesktop/code/rdesktop/trunk@1539 423420c4-83ab-492f-b58f-81f9feb106b5
