diff options
author | jsorg71 <jsorg71> | 2009-12-23 07:04:32 +0000 |
---|---|---|
committer | jsorg71 <jsorg71> | 2009-12-23 07:04:32 +0000 |
commit | bb4a15b5dcaf8668687d0b62d6b50985561c4155 (patch) | |
tree | 7d5b48e1475f7cd61e04f3275cce3e8cca154732 | |
parent | 6cf7c913f8ff27a6efc0eac9cd08880f12f5ff48 (diff) | |
download | xrdp-proprietary-bb4a15b5dcaf8668687d0b62d6b50985561c4155.tar.gz xrdp-proprietary-bb4a15b5dcaf8668687d0b62d6b50985561c4155.zip |
check for RDP PDU size too small and remove 0x8000 length check
-rw-r--r-- | libxrdp/xrdp_rdp.c | 8 |
1 files changed, 5 insertions, 3 deletions
diff --git a/libxrdp/xrdp_rdp.c b/libxrdp/xrdp_rdp.c index c8e9698b..1eea4f46 100644 --- a/libxrdp/xrdp_rdp.c +++ b/libxrdp/xrdp_rdp.c @@ -226,14 +226,16 @@ xrdp_rdp_recv(struct xrdp_rdp* self, struct stream* s, int* code) { s->p = s->next_packet; } - in_uint16_le(s, len); - if (len == 0x8000) + if (!s_check_rem(s, 6)) { - s->next_packet += 8; + s->next_packet = 0; *code = 0; DEBUG(("out xrdp_rdp_recv")); + len = (int)(s->end - s->p); + g_writeln("xrdp_rdp_recv: bad RDP packet, length [%d]", len); return 0; } + in_uint16_le(s, len); in_uint16_le(s, pdu_code); *code = pdu_code & 0xf; in_uint8s(s, 2); /* mcs user id */ |