version
https://github.com/FreeRDP/FreeRDP/blob/9ef1e81c559bb19d613b4da2d68908ea5d7f9259/libfreerdp/core/rdp.c#L1129
vuln code
rdp_read_share_control_header could read 2 bytes from the stream; if *length == 0x8000, it could call rdp_read_flow_control_pdu.
BOOL rdp_read_share_control_header(wStream* s, UINT16* length, UINT16* type, UINT16* channel_id)
{
	if (Stream_GetRemainingLength(s) < 2)
		return FALSE;

	Stream_Read_UINT16(s, *length); /* totalLength */

	if (*length == 0x8000)
	{
		rdp_read_flow_control_pdu(s, type); // vuln function
rdp_read_flow_control_pdu just reads 1 byte and seeks some bytes from the stream without checking the length; it could lead to _s->pointer - _s->buffer > _s->length, and then the check in other functions could fail.
void rdp_read_flow_control_pdu(wStream* s, UINT16* type)
{
	UINT8 pduType;
	Stream_Read_UINT8(s, pduType); /* pduTypeFlow */
	*type = pduType;
	Stream_Seek_UINT8(s);  /* pad8bits */
	Stream_Seek_UINT8(s);  /* flowIdentifier */
	Stream_Seek_UINT8(s);  /* flowNumber */
	Stream_Seek_UINT16(s); /* pduSource */
}
9301bfe
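Added example, not FreeRDP's code and not a copy of the project's fix: one way to close the gap reported above is to confirm that the whole 6-byte flow PDU body (1+1+1+1+2 bytes, as read and skipped in the snippet above) is present before touching the stream, and to pass the failure up to the caller. `stream_t`, `stream_remaining`, `parse_sample` and the `*_checked` names are hypothetical stand-ins for `wStream` and its macros; the 16-bit read is assumed to be little-endian.

```c
#include <stddef.h>
#include <stdint.h>

/* Minimal stand-in for a bounded read stream (hypothetical, not FreeRDP's wStream). */
typedef struct { const uint8_t *buffer, *pointer; size_t length; } stream_t;

static size_t stream_remaining(const stream_t *s)
{
    size_t used = (size_t)(s->pointer - s->buffer);
    return used > s->length ? 0 : s->length - used;
}

/* pduTypeFlow, pad8bits, flowIdentifier, flowNumber (1 byte each) + pduSource (2 bytes). */
#define FLOW_PDU_BODY_LEN 6

/* Checked reader: refuses to move the cursor unless the whole body is present. */
static int read_flow_control_pdu_checked(stream_t *s, uint16_t *type)
{
    if (stream_remaining(s) < FLOW_PDU_BODY_LEN)
        return 0;
    *type = *s->pointer;             /* pduTypeFlow */
    s->pointer += FLOW_PDU_BODY_LEN; /* type, pad, flowIdentifier, flowNumber, pduSource */
    return 1;
}

/* Header reader: the flow-control branch now reports failure to its caller. */
static int read_share_control_header_checked(stream_t *s, uint16_t *length, uint16_t *type)
{
    if (stream_remaining(s) < 2)
        return 0;
    *length = (uint16_t)(s->pointer[0] | (s->pointer[1] << 8)); /* totalLength */
    s->pointer += 2;
    if (*length == 0x8000)
        return read_flow_control_pdu_checked(s, type);
    return 1; /* the remaining share control fields are outside this sketch */
}

/* Returns 1 if parsed, 0 if rejected, -1 if the cursor ever ends up past the buffer end. */
static int parse_sample(const uint8_t *data, size_t len)
{
    stream_t s = { data, data, len };
    uint16_t length = 0, type = 0;
    int ok = read_share_control_header_checked(&s, &length, &type);
    return (size_t)(s.pointer - s.buffer) > s.length ? -1 : ok;
}

/* Constructed sample: 0x8000 marker followed by one byte instead of six; must be rejected. */
int main(void) { const uint8_t t[] = { 0x00, 0x80, 0x41 }; return parse_sample(t, sizeof t) == 0 ? 0 : 1; }
```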