This commit includes fixes for a set of 21 vulnerabilities in
rdesktop when a malicious RDP server is used.
All vulnerabilities was identified and reported by Eyal Itkin.
* Add rdp_protocol_error function that is used in several fixes
* Refactor of process_bitmap_updates
* Fix possible integer overflow in s_check_rem() on 32bit arch
* Fix memory corruption in process_bitmap_data - CVE-2018-8794
* Fix remote code execution in process_bitmap_data - CVE-2018-8795
* Fix remote code execution in process_plane - CVE-2018-8797
* Fix Denial of Service in mcs_recv_connect_response - CVE-2018-20175
* Fix Denial of Service in mcs_parse_domain_params - CVE-2018-20175
* Fix Denial of Service in sec_parse_crypt_info - CVE-2018-20176
* Fix Denial of Service in sec_recv - CVE-2018-20176
* Fix minor information leak in rdpdr_process - CVE-2018-8791
* Fix Denial of Service in cssp_read_tsrequest - CVE-2018-8792
* Fix remote code execution in cssp_read_tsrequest - CVE-2018-8793
* Fix Denial of Service in process_bitmap_data - CVE-2018-8796
* Fix minor information leak in rdpsnd_process_ping - CVE-2018-8798
* Fix Denial of Service in process_secondary_order - CVE-2018-8799
* Fix remote code execution in in ui_clip_handle_data - CVE-2018-8800
* Fix major information leak in ui_clip_handle_data - CVE-2018-20174
* Fix memory corruption in rdp_in_unistr - CVE-2018-20177
* Fix Denial of Service in process_demand_active - CVE-2018-20178
* Fix remote code execution in lspci_process - CVE-2018-20179
* Fix remote code execution in rdpsnddbg_process - CVE-2018-20180
* Fix remote code execution in seamless_process - CVE-2018-20181
* Fix remote code execution in seamless_process_line - CVE-2018-20182
We have seen different behaviour between versions of Windows RDP
servers how a connection should be closed and rdesktop should exit.
Windows 2008 server and earlier versions sets an error info value of
0 and then sends deactivate PDU. Later versions sends a error info
of vlaue 12 (User initiated logoff) but does not send deactivate PDU.
A work around was added to translate this case for Windows 2008 and
earlier to newer aporach to get proper handling.
This prevents reconnect loop introduced when hitting ESC or wait for
timeout at logon screen against 2008 server or earlier.
This commit also fixes a problem where a reconnect loop was triggerd
even if no required 'auto-reconnect cookie' is received from the server.
A correct user initated disconnect sequence should send
a MCS Disconnect Provider Ultimatum PDU defined in T.128
upon a disconnect. This commit adds the implementation
the mentioned PDU and the actual write of the packet.
Signed-off-by: Henrik Andersson <hean01@cendio.com>
This matches how they're described in MS-RDPBCGR. Also add the proper
constant name as comments.
Signed-off-by: Henrik Andersson <hean01@cendio.com>
Signed-off-by: Thomas Nilefalk <thoni56@cendio.se>
The cursor-handling code already handles larger pointer sizes. This
advertises that rdesktop has the capability to handle large cursors
and adjusts the maximum size of fragmented packets to suit the large
cursor requirements.
Solves issue #173.
Fragmented updates are concatenated into temporary streams (one per
update type) that are processed when receiving an update with the
FASTPATH_FRAGMENT_LAST bit set.
Most of the RPD protocol errors (reason > 0x1000) would only be
triggered by coding errors in the client. A few of them can occur due
to server errors however. We should attempt to handle these cases.
magic character numbers found in protocol stream for clarity.
git-svn-id: svn://svn.code.sf.net/p/rdesktop/code/rdesktop/trunk@1828 423420c4-83ab-492f-b58f-81f9feb106b5
Fixes bug #384
Thanks to Alexander Zakharov for pinpointing
the core issue.
git-svn-id: svn://svn.code.sf.net/p/rdesktop/code/rdesktop/trunk@1816 423420c4-83ab-492f-b58f-81f9feb106b5
Renamed redirect cookie to proper redirect load balance info,
also made it dynamically allocated due to its variable length.
git-svn-id: svn://svn.code.sf.net/p/rdesktop/code/rdesktop/trunk@1756 423420c4-83ab-492f-b58f-81f9feb106b5
disabled by default and is enabled using argument --enable-credssp
to configure script.
git-svn-id: svn://svn.code.sf.net/p/rdesktop/code/rdesktop/trunk@1676 423420c4-83ab-492f-b58f-81f9feb106b5