Fixed OOB Read in license_read_new_or_upgrade_license_packet
CVE-2020-11099 thanks to @antonio-morales for finding this.
akallabeth committed Jun 22, 2020
1 parent 152bf0c commit 6ade7b4
Showing 1 changed file with 9 additions and 0 deletions.
9 changes: 9 additions & 0 deletions libfreerdp/core/license.c
Expand Up @@ -1252,6 +1252,9 @@ BOOL license_read_new_or_upgrade_license_packet(rdpLicense* license, wStream* s)
if (!licenseStream)
goto out_free_blob;

if (Stream_GetRemainingLength(licenseStream) < 8)
goto out_free_stream;

Stream_Read_UINT16(licenseStream, os_minor);
Stream_Read_UINT16(licenseStream, os_major);

Expand All @@ -1266,6 +1269,8 @@ BOOL license_read_new_or_upgrade_license_packet(rdpLicense* license, wStream* s)
Stream_Seek(licenseStream, cbScope);

/* CompanyName */
if (Stream_GetRemainingLength(licenseStream) < 4)
goto out_free_stream;
Stream_Read_UINT32(licenseStream, cbCompanyName);
if (Stream_GetRemainingLength(licenseStream) < cbCompanyName)
goto out_free_stream;
Expand All @@ -1276,6 +1281,8 @@ BOOL license_read_new_or_upgrade_license_packet(rdpLicense* license, wStream* s)
Stream_Seek(licenseStream, cbCompanyName);

/* productId */
if (Stream_GetRemainingLength(licenseStream) < 4)
goto out_free_stream;
Stream_Read_UINT32(licenseStream, cbProductId);
if (Stream_GetRemainingLength(licenseStream) < cbProductId)
goto out_free_stream;
Expand All @@ -1286,6 +1293,8 @@ BOOL license_read_new_or_upgrade_license_packet(rdpLicense* license, wStream* s)
Stream_Seek(licenseStream, cbProductId);

/* licenseInfo */
if (Stream_GetRemainingLength(licenseStream) < 4)
goto out_free_stream;
Stream_Read_UINT32(licenseStream, cbLicenseInfo);
if (Stream_GetRemainingLength(licenseStream) < cbLicenseInfo)
goto out_free_stream;
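Review bot: The `< 8` guard added in the first hunk is an unexplained constant that covers more than the two reads next to it. The `Stream_Read_UINT16` calls for `os_minor` and `os_major` account for 4 bytes, and the other 4 are presumably the `cbScope` length field, whose read sits between this hunk and the next and is not visible here. A comment such as `/* os_minor (2) + os_major (2) + cbScope (4) */` above the check would tie it to the reads it protects, so a field inserted later does not silently bring back the out-of-bounds read. The three `< 4` guards before `cbCompanyName`, `cbProductId` and `cbLicenseInfo` sit directly on the read they protect and need no such note. The body of `license_read_new_or_upgrade_license_packet` starts and ends outside these hunks.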