memory out of bounds read in rdp_read_share_control_header #6008

Closed
@hac425xxx

version

https://github.com/FreeRDP/FreeRDP/blob/9ef1e81c559bb19d613b4da2d68908ea5d7f9259/libfreerdp/core/rdp.c#L1129

vuln code

If Stream_GetRemainingLength(s) = 5 and *length = 5, it could cause a one-byte overflow read in Stream_Read_UINT16(s, *channel_id);

BOOL rdp_read_share_control_header(wStream* s, UINT16* length, UINT16* type, UINT16* channel_id)
{
	if (Stream_GetRemainingLength(s) < 2)
		return FALSE;

	Stream_Read_UINT16(s, *length); /* totalLength */

	if (((size_t)*length - 2) > Stream_GetRemainingLength(s))
		return FALSE;

	Stream_Read_UINT16(s, *type); /* pduType */
	*type &= 0x0F;                /* type is in the 4 least significant bits */

	if (*length > 4)
		Stream_Read_UINT16(s, *channel_id);   // memory out of bounds read
	return TRUE;
}
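
A bounds-checked sketch of the same parse, added here as an example; it is not FreeRDP's code or its fix. `buf_t`, `read_u16` and `demo_parse` are hypothetical stand-ins for `wStream` and `Stream_Read_UINT16`, and both packets are constructed.

```c
#include <stddef.h>
#include <stdint.h>

/* Minimal stand-in for wStream (hypothetical, not FreeRDP's type). */
typedef struct { const uint8_t* p; size_t len; size_t pos; } buf_t;

static size_t remaining(const buf_t* b) { return b->len - b->pos; }

/* Checked little-endian read: fails instead of reading past the end. */
static int read_u16(buf_t* b, uint16_t* out)
{
	if (remaining(b) < 2)
		return 0;
	*out = (uint16_t)(b->p[b->pos] | (b->p[b->pos + 1] << 8));
	b->pos += 2;
	return 1;
}

/* Same three fields as the reported function, every read bounds-checked. */
int parse_share_control_header(buf_t* b, uint16_t* length, uint16_t* type, uint16_t* channel_id)
{
	if (!read_u16(b, length)) /* totalLength */
		return 0;
	/* totalLength counts its own 2 bytes; reject values that would underflow. */
	if (*length < 2 || (size_t)(*length - 2) > remaining(b))
		return 0;
	if (!read_u16(b, type)) /* pduType */
		return 0;
	*type &= 0x0F;
	*channel_id = 0;
	if (*length > 4 && !read_u16(b, channel_id)) /* length == 5 fails here */
		return 0;
	return 1;
}

/* Constructed inputs: the 5-byte case from the report, and a 6-byte header. */
const uint8_t REPORTED_PKT[5] = { 0x05, 0x00, 0x17, 0x00, 0xEA };
const uint8_t VALID_PKT[6] = { 0x06, 0x00, 0x17, 0x00, 0xEA, 0x03 };

/* Returns the channel id, or -1 when the header is rejected. */
int demo_parse(const uint8_t* pkt, size_t n)
{
	buf_t b = { pkt, n, 0 };
	uint16_t length, type, channel_id;
	return parse_share_control_header(&b, &length, &type, &channel_id) ? channel_id : -1;
}

int main(void) { return demo_parse(REPORTED_PKT, sizeof(REPORTED_PKT)) == -1 ? 0 : 1; }
```

With 5 bytes available and totalLength = 5, the length check passes with 3 bytes left, pduType consumes 2, and the channel id read is refused because only 1 byte remains.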
