Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

memory out of bounds read in rdp_read_flow_control_pdu #6007

Closed
hac425xxx opened this issue Mar 31, 2020 · 0 comments
Closed

memory out of bounds read in rdp_read_flow_control_pdu #6007

hac425xxx opened this issue Mar 31, 2020 · 0 comments

Comments

@hac425xxx
Copy link

hac425xxx commented Mar 31, 2020

version

https://github.com/FreeRDP/FreeRDP/blob/9ef1e81c559bb19d613b4da2d68908ea5d7f9259/libfreerdp/core/rdp.c#L1129

vuln code
rdp_read_share_control_header could read 2 byte from stream, if *length == 0x8000 , it could call rdp_read_flow_control_pdu.

BOOL rdp_read_share_control_header(wStream* s, UINT16* length, UINT16* type, UINT16* channel_id)
{
	if (Stream_GetRemainingLength(s) < 2)
		return FALSE;

	Stream_Read_UINT16(s, *length); /* totalLength */

	if (*length == 0x8000)
	{
		rdp_read_flow_control_pdu(s, type);   // vuln function

rdp_read_flow_control_pdu just read 1byte and seek some byte from stream without check length, it could lead _s->pointer - _s->buffer > _s->length, then the check in other function could failed

void rdp_read_flow_control_pdu(wStream* s, UINT16* type)
{

	UINT8 pduType;
	Stream_Read_UINT8(s, pduType); /* pduTypeFlow */
	*type = pduType;
	Stream_Seek_UINT8(s);  /* pad8bits */
	Stream_Seek_UINT8(s);  /* flowIdentifier */
	Stream_Seek_UINT8(s);  /* flowNumber */
	Stream_Seek_UINT16(s); /* pduSource */
}
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

No branches or pull requests

2 participants