memory out of bounds read in rdp_read_flow_control_pdu #6007

Closed
@hac425xxx

version

https://github.com/FreeRDP/FreeRDP/blob/9ef1e81c559bb19d613b4da2d68908ea5d7f9259/libfreerdp/core/rdp.c#L1129

vuln code
rdp_read_share_control_header could read 2 bytes from the stream; if *length == 0x8000, it could call rdp_read_flow_control_pdu.

BOOL rdp_read_share_control_header(wStream* s, UINT16* length, UINT16* type, UINT16* channel_id)
{
	if (Stream_GetRemainingLength(s) < 2)
		return FALSE;

	Stream_Read_UINT16(s, *length); /* totalLength */

	if (*length == 0x8000)
	{
		rdp_read_flow_control_pdu(s, type);   // vuln function

rdp_read_flow_control_pdu just reads 1 byte and seeks some bytes from the stream without checking the length; it could lead to _s->pointer - _s->buffer > _s->length, and then the check in other functions could fail.

void rdp_read_flow_control_pdu(wStream* s, UINT16* type)
{

	UINT8 pduType;
	Stream_Read_UINT8(s, pduType); /* pduTypeFlow */
	*type = pduType;
	Stream_Seek_UINT8(s);  /* pad8bits */
	Stream_Seek_UINT8(s);  /* flowIdentifier */
	Stream_Seek_UINT8(s);  /* flowNumber */
	Stream_Seek_UINT16(s); /* pduSource */
}
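
The effect described in the report, as an added example that is not part of the original issue and is not FreeRDP code: a minimal stand-in stream (`stream_t` and every function name here are hypothetical) shows how skipping the 6-byte flow PDU body without a length check wraps the unsigned remaining-length value, and how checking the length first rejects the truncated PDU. The input bytes are constructed, and the remaining-length arithmetic is assumed to be unsigned.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Minimal stand-in for a read stream; hypothetical, not WinPR's wStream. */
typedef struct { const uint8_t *buffer, *pointer; size_t length; } stream_t;

/* Unsigned "bytes left" (assumption): wraps once pointer passes the end. */
size_t stream_remaining(const stream_t *s)
{
    return s->length - (size_t)(s->pointer - s->buffer);
}

/* pduTypeFlow, pad8bits, flowIdentifier, flowNumber (1 each), pduSource (2) */
#define FLOW_PDU_BODY_LEN 6u

/* Pattern from the report: read 1 byte, skip 5, never look at the length. */
void read_flow_pdu_unchecked(stream_t *s, uint16_t *type)
{
    *type = *s->pointer;
    s->pointer += FLOW_PDU_BODY_LEN;
}

/* Hardened form: refuse the PDU unless all 6 bytes are present. */
bool read_flow_pdu_checked(stream_t *s, uint16_t *type)
{
    if (stream_remaining(s) < FLOW_PDU_BODY_LEN)
        return false;
    read_flow_pdu_unchecked(s, type);
    return true;
}

/* Constructed input: 0x8000 marker + 1 byte; array padded to stay in bounds. */
static const uint8_t backing[16] = { 0x00, 0x80, 0x41 };
stream_t truncated_stream(void)
{
    return (stream_t){ backing, backing + 2, 3 }; /* totalLength consumed */
}

int main(void)
{
    stream_t s = truncated_stream();
    uint16_t type = 0;
    read_flow_pdu_unchecked(&s, &type);
    printf("remaining after unchecked read: %zu\n", stream_remaining(&s));
    s = truncated_stream();
    printf("checked read accepted: %d\n", read_flow_pdu_checked(&s, &type));
    return 0;
}
```

After the unchecked read, any later test of the form "remaining < N" passes because the wrapped value is close to `SIZE_MAX`, so subsequent reads are no longer stopped at the end of the received data.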
