diff options
| author | Jay Sorg <jay.sorg@gmail.com> | 2013-09-10 16:20:11 -0700 |
|---|---|---|
| committer | Jay Sorg <jay.sorg@gmail.com> | 2013-09-10 16:20:11 -0700 |
| commit | 445e7d980005503913e77895f5b13097928b3437 (patch) | |
| tree | 152b56be2208bfa3be51aa5ee9fa4dc2a087f29f | |
| parent | f75b9143e2ea5cf487eb76e42f58f816c88e688a (diff) | |
| download | xrdp-proprietary-445e7d980005503913e77895f5b13097928b3437.tar.gz xrdp-proprietary-445e7d980005503913e77895f5b13097928b3437.zip | |
VUL: check bytes remaining in xrdp_rdp_process_data_input
| -rw-r--r-- | libxrdp/xrdp_rdp.c | 8 |
1 files changed, 8 insertions, 0 deletions
diff --git a/libxrdp/xrdp_rdp.c b/libxrdp/xrdp_rdp.c index a940a695..0bbd411f 100644 --- a/libxrdp/xrdp_rdp.c +++ b/libxrdp/xrdp_rdp.c @@ -1322,12 +1322,20 @@ xrdp_rdp_process_data_input(struct xrdp_rdp *self, struct stream *s) int param2; int time; + if (!s_check_rem(s, 4)) + { + return 1; + } in_uint16_le(s, num_events); in_uint8s(s, 2); /* pad */ DEBUG(("in xrdp_rdp_process_data_input %d events", num_events)); for (index = 0; index < num_events; index++) { + if (!s_check_rem(s, 12)) + { + return 1; + } in_uint32_le(s, time); in_uint16_le(s, msg_type); in_uint16_le(s, device_flags); |