authorLawrenceK <github@lklyne.co.uk>2012-12-06 16:03:41 +0000
committerLawrenceK <github@lklyne.co.uk>2012-12-06 16:03:41 +0000
commitcd847eafa148dc62b80e7ae450c78bb141ec1661 (patch)
treed4a233f97a9cb4e42de37670d8733e8c21f0898f /libxrdp
parentb86a80aca61a9d3bea4f05e77f4d338f8a4eb156 (diff)
downloadxrdp-proprietary-cd847eafa148dc62b80e7ae450c78bb141ec1661.tar.gz
xrdp-proprietary-cd847eafa148dc62b80e7ae450c78bb141ec1661.zip
When processing a text order we were not correctly using the text length; this resulted in overrunning the order buffer and eventually corrupting the heap. Two fixes: use the data length, and if the size is greater than max_packet_size attempt to send anyway, otherwise you break the protocol.
Diffstat (limited to 'libxrdp')
-rw-r--r--libxrdp/xrdp_orders.c18
1 files changed, 15 insertions, 3 deletions
diff --git a/libxrdp/xrdp_orders.c b/libxrdp/xrdp_orders.c
index 438151da..a76ecaea 100644
--- a/libxrdp/xrdp_orders.c
+++ b/libxrdp/xrdp_orders.c
@@ -205,11 +205,22 @@ xrdp_orders_check(struct xrdp_orders *self, int max_size)
}
size = (int)(self->out_s->p - self->order_count_ptr);
-
- if ((size < 0) || (size > max_packet_size))
+ if (size < 0)
{
+ g_writeln("error in xrdp_orders_check, size too small, its %d", size);
return 1;
}
+ if (size > max_packet_size)
+ {
+ // this suggests someone calls this function without passing the correct
+ // max_size so we end up putting more into the buffer than we indicate we can
+ g_writeln("error in xrdp_orders_check, size too big, its %d", size);
+ // We where getting called with size allready greater than max_packet_size
+ // Which I suspect was because the sending of text did not include the text len
+ // to check the buffer size. So attempt to send the data anyway.
+ // Lets write the data anyway, somewhere else may barf.
+ // return 1;
+ }
if ((size + max_size + 100) > max_packet_size)
{
@@ -1591,7 +1602,8 @@ xrdp_orders_text(struct xrdp_orders *self,
char *present_ptr = (char *)NULL;
char *order_flags_ptr = (char *)NULL;
- xrdp_orders_check(self, 100);
+ //xrdp_orders_check(self, 100);
+ xrdp_orders_check(self, 44+data_len);
self->order_count++;
order_flags = RDP_ORDER_STANDARD;
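Review bot: The result of `xrdp_orders_check(self, 44+data_len)` is discarded at the new call in `xrdp_orders_text`, so the `return 1` kept for `size < 0` in the first hunk never stops the order from being written, and the new `size > max_packet_size` branch only logs before falling through to the force-send test. Once `size` already exceeds `max_packet_size` the order buffer has been overrun (the heap corruption the commit describes), so sending anyway transmits bytes from past its end; I would have the check report failure after the forced send and let the caller abort, e.g. `if (xrdp_orders_check(self, 44 + data_len) != 0) { return 1; }` (assuming `xrdp_orders_text` returns int like the check does), preceded by `if (data_len < 0) { return 1; }` because a negative `data_len` makes `44 + data_len` understate the space needed; `44` itself deserves a named constant. The eight-line comment with the dead `// return 1;` should be cut to one sentence stating that an oversize buffer is logged and still sent to keep the stream in sync, fixing "where"→"were" and "allready"→"already". The bodies of both `xrdp_orders_check` and `xrdp_orders_text` continue outside the visible hunks.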