Adding checks to prevent buffer overruns during data chunk re-assembly

This commit is contained in:
Alexandre Quesnel 2020-08-23 23:02:50 +00:00
parent f3e42fc209
commit 33d9e1d5d7

View File

@ -463,6 +463,10 @@ xrdp_channel_process_drdynvc(struct xrdp_channel *self,
{ {
case 0: case 0:
length = (int) (s->end - s->p); length = (int) (s->end - s->p);
if (!s_check_rem_out(self->s, length))
{
return 1;
}
out_uint8a(self->s, s->p, length); out_uint8a(self->s, s->p, length);
in_uint8s(s, length); in_uint8s(s, length);
return 0; return 0;
@ -471,11 +475,19 @@ xrdp_channel_process_drdynvc(struct xrdp_channel *self,
make_stream(self->s); make_stream(self->s);
init_stream(self->s, total_length); init_stream(self->s, total_length);
length = (int) (s->end - s->p); length = (int) (s->end - s->p);
if (!s_check_rem_out(self->s, length))
{
return 1;
}
out_uint8a(self->s, s->p, length); out_uint8a(self->s, s->p, length);
in_uint8s(s, length); in_uint8s(s, length);
return 0; return 0;
case 2: case 2:
length = (int) (s->end - s->p); length = (int) (s->end - s->p);
if (!s_check_rem_out(self->s, length))
{
return 1;
}
out_uint8a(self->s, s->p, length); out_uint8a(self->s, s->p, length);
in_uint8s(s, length); in_uint8s(s, length);
ls = self->s; ls = self->s;