From ce28575b3a5e0441b715f2644181a538473eb786 Mon Sep 17 00:00:00 2001 From: Nick Couchman Date: Sun, 5 Apr 2020 13:34:53 -0400 Subject: [PATCH 1/9] GUACAMOLE-1059: Use FreeRDP function for verifying Stream length before reading. --- .../rdpdr/rdpdr-fs-messages-file-info.c | 4 +++ .../rdp/channels/rdpdr/rdpdr-fs-messages.c | 30 +++++++++++++++++++ .../rdp/channels/rdpdr/rdpdr-messages.c | 18 +++++++++++ .../rdp/channels/rdpdr/rdpdr-printer.c | 3 ++ src/protocols/rdp/channels/rdpdr/rdpdr.c | 3 ++ .../rdp/channels/rdpsnd/rdpsnd-messages.c | 16 ++++++++++ src/protocols/rdp/channels/rdpsnd/rdpsnd.c | 14 ++++++++- .../plugins/guac-common-svc/guac-common-svc.c | 5 ++++ .../rdp/plugins/guacai/guacai-messages.c | 20 +++++++++++-- src/protocols/rdp/plugins/guacai/guacai.c | 5 +++- 10 files changed, 114 insertions(+), 4 deletions(-) diff --git a/src/protocols/rdp/channels/rdpdr/rdpdr-fs-messages-file-info.c b/src/protocols/rdp/channels/rdpdr/rdpdr-fs-messages-file-info.c index 0f453038..52201a27 100644 --- a/src/protocols/rdp/channels/rdpdr/rdpdr-fs-messages-file-info.c +++ b/src/protocols/rdp/channels/rdpdr/rdpdr-fs-messages-file-info.c @@ -135,6 +135,10 @@ void guac_rdpdr_fs_process_set_rename_info(guac_rdp_common_svc* svc, wStream* output_stream; char destination_path[GUAC_RDP_FS_MAX_PATH]; + /* Check stream size prior to reading. */ + if (Stream_GetRemainingLength(input_stream) < 6) + return; + /* Read structure */ Stream_Seek_UINT8(input_stream); /* ReplaceIfExists */ Stream_Seek_UINT8(input_stream); /* RootDirectory */ diff --git a/src/protocols/rdp/channels/rdpdr/rdpdr-fs-messages.c b/src/protocols/rdp/channels/rdpdr/rdpdr-fs-messages.c index 529eea57..0e9581cc 100644 --- a/src/protocols/rdp/channels/rdpdr/rdpdr-fs-messages.c +++ b/src/protocols/rdp/channels/rdpdr/rdpdr-fs-messages.c @@ -48,6 +48,10 @@ void guac_rdpdr_fs_process_create(guac_rdp_common_svc* svc, int create_disposition, create_options, path_length; char path[GUAC_RDP_FS_MAX_PATH]; + /* Check remaining stream data prior to reading. */ + if (Stream_GetRemainingLength(input_stream) < 32) + return; + /* Read "create" information */ Stream_Read_UINT32(input_stream, desired_access); Stream_Seek_UINT64(input_stream); /* allocation size */ @@ -123,6 +127,10 @@ void guac_rdpdr_fs_process_read(guac_rdp_common_svc* svc, wStream* output_stream; + /* Check remaining bytes before reading stream. */ + if (Stream_GetRemainingLength(input_stream) < 12) + return; + /* Read packet */ Stream_Read_UINT32(input_stream, length); Stream_Read_UINT64(input_stream, offset); @@ -172,6 +180,10 @@ void guac_rdpdr_fs_process_write(guac_rdp_common_svc* svc, wStream* output_stream; + /* Check remaining length. */ + if (Stream_GetRemainingLength(input_stream) < 32) + return; + /* Read packet */ Stream_Read_UINT32(input_stream, length); Stream_Read_UINT64(input_stream, offset); @@ -244,6 +256,10 @@ void guac_rdpdr_fs_process_volume_info(guac_rdp_common_svc* svc, int fs_information_class; + /* Check remaining length */ + if (Stream_GetRemainingLength(input_stream) < 4) + return; + Stream_Read_UINT32(input_stream, fs_information_class); /* Dispatch to appropriate class-specific handler */ @@ -282,6 +298,10 @@ void guac_rdpdr_fs_process_file_info(guac_rdp_common_svc* svc, int fs_information_class; + /* Check remaining length */ + if (Stream_GetRemainingLength(input_stream) < 4) + return; + Stream_Read_UINT32(input_stream, fs_information_class); /* Dispatch to appropriate class-specific handler */ @@ -328,6 +348,10 @@ void guac_rdpdr_fs_process_set_file_info(guac_rdp_common_svc* svc, int fs_information_class; int length; + /* Check remaining length */ + if (Stream_GetRemainingLength(input_stream) < 32) + return; + Stream_Read_UINT32(input_stream, fs_information_class); Stream_Read_UINT32(input_stream, length); /* Length */ Stream_Seek(input_stream, 24); /* Padding */ @@ -406,6 +430,9 @@ void guac_rdpdr_fs_process_query_directory(guac_rdp_common_svc* svc, if (file == NULL) return; + if (Stream_GetRemainingLength(input_stream) < 9) + return; + /* Read main header */ Stream_Read_UINT32(input_stream, fs_information_class); Stream_Read_UINT8(input_stream, initial_query); @@ -414,6 +441,9 @@ void guac_rdpdr_fs_process_query_directory(guac_rdp_common_svc* svc, /* If this is the first query, the path is included after padding */ if (initial_query) { + if (Stream_GetRemainingLength(input_stream) < 23) + return; + Stream_Seek(input_stream, 23); /* Padding */ /* Convert path to UTF-8 */ diff --git a/src/protocols/rdp/channels/rdpdr/rdpdr-messages.c b/src/protocols/rdp/channels/rdpdr/rdpdr-messages.c index 28a27e67..76808fac 100644 --- a/src/protocols/rdp/channels/rdpdr/rdpdr-messages.c +++ b/src/protocols/rdp/channels/rdpdr/rdpdr-messages.c @@ -212,6 +212,9 @@ void guac_rdpdr_process_server_announce(guac_rdp_common_svc* svc, unsigned int major, minor, client_id; + if (Stream_GetRemainingLength(input_stream) < 8) + return; + Stream_Read_UINT16(input_stream, major); Stream_Read_UINT16(input_stream, minor); Stream_Read_UINT32(input_stream, client_id); @@ -243,6 +246,9 @@ void guac_rdpdr_process_device_reply(guac_rdp_common_svc* svc, unsigned int device_id, ntstatus; int severity, c, n, facility, code; + if (Stream_GetRemainingLength(input_stream) < 8) + return; + Stream_Read_UINT32(input_stream, device_id); Stream_Read_UINT32(input_stream, ntstatus); @@ -278,6 +284,9 @@ void guac_rdpdr_process_device_iorequest(guac_rdp_common_svc* svc, guac_rdpdr* rdpdr = (guac_rdpdr*) svc->data; guac_rdpdr_iorequest iorequest; + if (Stream_GetRemainingLength(input_stream) < 20) + return; + /* Read header */ Stream_Read_UINT32(input_stream, iorequest.device_id); Stream_Read_UINT32(input_stream, iorequest.file_id); @@ -306,6 +315,9 @@ void guac_rdpdr_process_server_capability(guac_rdp_common_svc* svc, int count; int i; + if (Stream_GetRemainingLength(input_stream) < 4) + return; + /* Read header */ Stream_Read_UINT16(input_stream, count); Stream_Seek(input_stream, 2); @@ -316,9 +328,15 @@ void guac_rdpdr_process_server_capability(guac_rdp_common_svc* svc, int type; int length; + if (Stream_GetRemainingLength(input_stream) < 4) + break; + Stream_Read_UINT16(input_stream, type); Stream_Read_UINT16(input_stream, length); + if (Stream_GetRemainingLength(input_stream) < (length - 4)) + break; + /* Ignore all for now */ guac_client_log(svc->client, GUAC_LOG_DEBUG, "Ignoring server capability set type=0x%04x, length=%i", type, length); Stream_Seek(input_stream, length - 4); diff --git a/src/protocols/rdp/channels/rdpdr/rdpdr-printer.c b/src/protocols/rdp/channels/rdpdr/rdpdr-printer.c index d90116f5..fb0b1c95 100644 --- a/src/protocols/rdp/channels/rdpdr/rdpdr-printer.c +++ b/src/protocols/rdp/channels/rdpdr/rdpdr-printer.c @@ -67,6 +67,9 @@ void guac_rdpdr_process_print_job_write(guac_rdp_common_svc* svc, int length; int status; + if (Stream_GetRemainingLength(input_stream) < 32) + return; + /* Read buffer of print data */ Stream_Read_UINT32(input_stream, length); Stream_Seek(input_stream, 8); /* Offset */ diff --git a/src/protocols/rdp/channels/rdpdr/rdpdr.c b/src/protocols/rdp/channels/rdpdr/rdpdr.c index e04bc9d7..5499e717 100644 --- a/src/protocols/rdp/channels/rdpdr/rdpdr.c +++ b/src/protocols/rdp/channels/rdpdr/rdpdr.c @@ -38,6 +38,9 @@ void guac_rdpdr_process_receive(guac_rdp_common_svc* svc, int component; int packet_id; + if (Stream_GetRemainingLength(input_stream) < 4) + return; + /* Read header */ Stream_Read_UINT16(input_stream, component); Stream_Read_UINT16(input_stream, packet_id); diff --git a/src/protocols/rdp/channels/rdpsnd/rdpsnd-messages.c b/src/protocols/rdp/channels/rdpsnd/rdpsnd-messages.c index 1d69e069..9e33c0e7 100644 --- a/src/protocols/rdp/channels/rdpsnd/rdpsnd-messages.c +++ b/src/protocols/rdp/channels/rdpsnd/rdpsnd-messages.c @@ -50,6 +50,9 @@ void guac_rdpsnd_formats_handler(guac_rdp_common_svc* svc, /* Reset own format count */ rdpsnd->format_count = 0; + if (Stream_GetRemainingLength(input_stream) < 20) + return; + /* Format header */ Stream_Seek(input_stream, 14); Stream_Read_UINT16(input_stream, server_format_count); @@ -96,6 +99,9 @@ void guac_rdpsnd_formats_handler(guac_rdp_common_svc* svc, /* Remember position in stream */ Stream_GetPointer(input_stream, format_start); + if (Stream_GetRemainingLength(input_stream) < 18) + return; + /* Read format */ Stream_Read_UINT16(input_stream, format_tag); Stream_Read_UINT16(input_stream, channels); @@ -106,6 +112,10 @@ void guac_rdpsnd_formats_handler(guac_rdp_common_svc* svc, /* Skip past extra data */ Stream_Read_UINT16(input_stream, body_size); + + if (Stream_GetRemainingLength(input_stream) < body_size) + return; + Stream_Seek(input_stream, body_size); /* If PCM, accept */ @@ -205,6 +215,9 @@ void guac_rdpsnd_training_handler(guac_rdp_common_svc* svc, guac_rdpsnd* rdpsnd = (guac_rdpsnd*) svc->data; + if (Stream_GetRemainingLength(input_stream) < 4) + return; + /* Read timestamp and data size */ Stream_Read_UINT16(input_stream, rdpsnd->server_timestamp); Stream_Read_UINT16(input_stream, data_size); @@ -232,6 +245,9 @@ void guac_rdpsnd_wave_info_handler(guac_rdp_common_svc* svc, guac_rdp_client* rdp_client = (guac_rdp_client*) client->data; guac_audio_stream* audio = rdp_client->audio; + if (Stream_GetRemainingLength(input_stream) < 12) + return; + /* Read wave information */ Stream_Read_UINT16(input_stream, rdpsnd->server_timestamp); Stream_Read_UINT16(input_stream, format); diff --git a/src/protocols/rdp/channels/rdpsnd/rdpsnd.c b/src/protocols/rdp/channels/rdpsnd/rdpsnd.c index be6034d2..0873a946 100644 --- a/src/protocols/rdp/channels/rdpsnd/rdpsnd.c +++ b/src/protocols/rdp/channels/rdpsnd/rdpsnd.c @@ -35,11 +35,23 @@ void guac_rdpsnd_process_receive(guac_rdp_common_svc* svc, guac_rdpsnd* rdpsnd = (guac_rdpsnd*) svc->data; guac_rdpsnd_pdu_header header; + /* Check that we at least have a header. */ + if (Stream_GetRemainingLength(input_stream) < 4) + return; + /* Read RDPSND PDU header */ Stream_Read_UINT8(input_stream, header.message_type); Stream_Seek_UINT8(input_stream); Stream_Read_UINT16(input_stream, header.body_size); - + + if (Stream_GetRemainingLength(input_stream) < header.body_size) { + guac_client_log(svc->client, GUAC_LOG_DEBUG, "Not enough bytes in stream." + " Remaining: %d, Body size: %d", + Stream_GetRemainingLength(input_stream), + header.body_size); + return; + } + /* * If next PDU is SNDWAVE (due to receiving WaveInfo PDU previously), * ignore the header and parse as a Wave PDU. diff --git a/src/protocols/rdp/plugins/guac-common-svc/guac-common-svc.c b/src/protocols/rdp/plugins/guac-common-svc/guac-common-svc.c index 535cb453..91dee29b 100644 --- a/src/protocols/rdp/plugins/guac-common-svc/guac-common-svc.c +++ b/src/protocols/rdp/plugins/guac-common-svc/guac-common-svc.c @@ -116,6 +116,10 @@ static VOID guac_rdp_common_svc_handle_open_event(LPVOID user_param, svc->_input_stream = Stream_New(NULL, total_length); } + /* leave if we don't have a stream. */ + if (svc->_input_stream == NULL) + return; + /* Add chunk to buffer only if sufficient space remains */ if (Stream_EnsureRemainingCapacity(svc->_input_stream, data_length)) Stream_Write(svc->_input_stream, data, data_length); @@ -137,6 +141,7 @@ static VOID guac_rdp_common_svc_handle_open_event(LPVOID user_param, svc->_receive_handler(svc, svc->_input_stream); Stream_Free(svc->_input_stream, TRUE); + svc->_input_stream = NULL; } diff --git a/src/protocols/rdp/plugins/guacai/guacai-messages.c b/src/protocols/rdp/plugins/guacai/guacai-messages.c index 38f7a7c4..8641002c 100644 --- a/src/protocols/rdp/plugins/guacai/guacai-messages.c +++ b/src/protocols/rdp/plugins/guacai/guacai-messages.c @@ -39,6 +39,9 @@ static void guac_rdp_ai_read_format(wStream* stream, guac_rdp_ai_format* format) { + if (Stream_GetRemainingLength(stream) < 18) + return; + /* Read audio format into structure */ Stream_Read_UINT16(stream, format->tag); /* wFormatTag */ Stream_Read_UINT16(stream, format->channels); /* nChannels */ @@ -49,7 +52,8 @@ static void guac_rdp_ai_read_format(wStream* stream, Stream_Read_UINT16(stream, format->data_size); /* cbSize */ /* Read arbitrary data block (if applicable) */ - if (format->data_size != 0) { + if (format->data_size != 0 + && Stream_GetRemainingLength(stream) >= format->data_size) { format->data = Stream_Pointer(stream); /* data */ Stream_Seek(stream, format->data_size); } @@ -232,6 +236,12 @@ static void guac_rdp_ai_send_formatchange(IWTSVirtualChannel* channel, void guac_rdp_ai_process_version(guac_client* client, IWTSVirtualChannel* channel, wStream* stream) { + if (Stream_GetRemainingLength(stream) < 4) { + guac_client_log(client, GUAC_LOG_WARNING, + "Invalid value provided for AUDIO_INPUT version."); + return; + } + UINT32 version; Stream_Read_UINT32(stream, version); @@ -258,10 +268,13 @@ void guac_rdp_ai_process_formats(guac_client* client, guac_rdp_client* rdp_client = (guac_rdp_client*) client->data; guac_rdp_audio_buffer* audio_buffer = rdp_client->audio_input; + if (Stream_GetRemainingLength(stream) < 8) + return; + UINT32 num_formats; Stream_Read_UINT32(stream, num_formats); /* NumFormats */ Stream_Seek_UINT32(stream); /* cbSizeFormatsPacket (MUST BE IGNORED) */ - + UINT32 index; for (index = 0; index < num_formats; index++) { @@ -306,6 +319,9 @@ void guac_rdp_ai_process_open(guac_client* client, guac_rdp_client* rdp_client = (guac_rdp_client*) client->data; guac_rdp_audio_buffer* audio_buffer = rdp_client->audio_input; + if (Stream_GetRemainingLength(stream) < 8) + return; + UINT32 packet_frames; UINT32 initial_format; diff --git a/src/protocols/rdp/plugins/guacai/guacai.c b/src/protocols/rdp/plugins/guacai/guacai.c index 15de8655..5f2319d6 100644 --- a/src/protocols/rdp/plugins/guacai/guacai.c +++ b/src/protocols/rdp/plugins/guacai/guacai.c @@ -52,10 +52,13 @@ static void guac_rdp_ai_handle_data(guac_client* client, IWTSVirtualChannel* channel, wStream* stream) { + if (Stream_GetRemainingLength(stream) < 1) + return; + /* Read message ID from received PDU */ BYTE message_id; Stream_Read_UINT8(stream, message_id); - + /* Invoke appropriate message processor based on ID */ switch (message_id) { From 8560ff9718cc462fecf1b48ef556429869813bd7 Mon Sep 17 00:00:00 2001 From: Nick Couchman Date: Mon, 4 May 2020 12:11:37 -0400 Subject: [PATCH 2/9] GUACAMOLE-1059: Move rdpsnd body size check to correct location. --- src/protocols/rdp/channels/rdpsnd/rdpsnd.c | 12 ++++-------- 1 file changed, 4 insertions(+), 8 deletions(-) diff --git a/src/protocols/rdp/channels/rdpsnd/rdpsnd.c b/src/protocols/rdp/channels/rdpsnd/rdpsnd.c index 0873a946..522ddc49 100644 --- a/src/protocols/rdp/channels/rdpsnd/rdpsnd.c +++ b/src/protocols/rdp/channels/rdpsnd/rdpsnd.c @@ -44,14 +44,6 @@ void guac_rdpsnd_process_receive(guac_rdp_common_svc* svc, Stream_Seek_UINT8(input_stream); Stream_Read_UINT16(input_stream, header.body_size); - if (Stream_GetRemainingLength(input_stream) < header.body_size) { - guac_client_log(svc->client, GUAC_LOG_DEBUG, "Not enough bytes in stream." - " Remaining: %d, Body size: %d", - Stream_GetRemainingLength(input_stream), - header.body_size); - return; - } - /* * If next PDU is SNDWAVE (due to receiving WaveInfo PDU previously), * ignore the header and parse as a Wave PDU. @@ -60,6 +52,10 @@ void guac_rdpsnd_process_receive(guac_rdp_common_svc* svc, guac_rdpsnd_wave_handler(svc, input_stream, &header); return; } + + /* Check body size */ + if (Stream_GetRemainingLength(input_stream) < header.body_size) + return; /* Dispatch message to standard handlers */ switch (header.message_type) { From 98f0c271fbf3197b0831ebb2695fb364e4e7745a Mon Sep 17 00:00:00 2001 From: Nick Couchman Date: Mon, 4 May 2020 17:44:15 -0400 Subject: [PATCH 3/9] GUACAMOLE-1059: Add explanatory comments and additional logging. --- .../rdpdr/rdpdr-fs-messages-file-info.c | 8 ++- .../rdp/channels/rdpdr/rdpdr-fs-messages.c | 52 ++++++++++++++++--- .../rdp/channels/rdpdr/rdpdr-messages.c | 36 +++++++++++-- .../rdp/channels/rdpdr/rdpdr-printer.c | 7 ++- src/protocols/rdp/channels/rdpdr/rdpdr.c | 10 +++- .../rdp/channels/rdpsnd/rdpsnd-messages.c | 35 +++++++++++-- src/protocols/rdp/channels/rdpsnd/rdpsnd.c | 16 ++++-- .../rdp/plugins/guacai/guacai-messages.c | 23 ++++++-- src/protocols/rdp/plugins/guacai/guacai.c | 7 ++- 9 files changed, 162 insertions(+), 32 deletions(-) diff --git a/src/protocols/rdp/channels/rdpdr/rdpdr-fs-messages-file-info.c b/src/protocols/rdp/channels/rdpdr/rdpdr-fs-messages-file-info.c index 52201a27..d5282ec1 100644 --- a/src/protocols/rdp/channels/rdpdr/rdpdr-fs-messages-file-info.c +++ b/src/protocols/rdp/channels/rdpdr/rdpdr-fs-messages-file-info.c @@ -136,9 +136,13 @@ void guac_rdpdr_fs_process_set_rename_info(guac_rdp_common_svc* svc, char destination_path[GUAC_RDP_FS_MAX_PATH]; /* Check stream size prior to reading. */ - if (Stream_GetRemainingLength(input_stream) < 6) + if (Stream_GetRemainingLength(input_stream) < 6) { + guac_client_log(svc->client, GUAC_LOG_WARNING, "File Stream does not " + "contain the required number of bytes. File sharing may not " + "work as expected."); return; - + } + /* Read structure */ Stream_Seek_UINT8(input_stream); /* ReplaceIfExists */ Stream_Seek_UINT8(input_stream); /* RootDirectory */ diff --git a/src/protocols/rdp/channels/rdpdr/rdpdr-fs-messages.c b/src/protocols/rdp/channels/rdpdr/rdpdr-fs-messages.c index 0e9581cc..25e1e158 100644 --- a/src/protocols/rdp/channels/rdpdr/rdpdr-fs-messages.c +++ b/src/protocols/rdp/channels/rdpdr/rdpdr-fs-messages.c @@ -49,8 +49,12 @@ void guac_rdpdr_fs_process_create(guac_rdp_common_svc* svc, char path[GUAC_RDP_FS_MAX_PATH]; /* Check remaining stream data prior to reading. */ - if (Stream_GetRemainingLength(input_stream) < 32) + if (Stream_GetRemainingLength(input_stream) < 32) { + guac_client_log(svc->client, GUAC_LOG_WARNING, "File stream does not " + "contain the expected number of bytes. File sharing may not " + "work as expected."); return; + } /* Read "create" information */ Stream_Read_UINT32(input_stream, desired_access); @@ -128,8 +132,12 @@ void guac_rdpdr_fs_process_read(guac_rdp_common_svc* svc, wStream* output_stream; /* Check remaining bytes before reading stream. */ - if (Stream_GetRemainingLength(input_stream) < 12) + if (Stream_GetRemainingLength(input_stream) < 12) { + guac_client_log(svc->client, GUAC_LOG_WARNING, "File Stream does not " + "contain the expected number of bytes. File sharing may not " + "work as expected."); return; + } /* Read packet */ Stream_Read_UINT32(input_stream, length); @@ -181,8 +189,12 @@ void guac_rdpdr_fs_process_write(guac_rdp_common_svc* svc, wStream* output_stream; /* Check remaining length. */ - if (Stream_GetRemainingLength(input_stream) < 32) + if (Stream_GetRemainingLength(input_stream) < 32) { + guac_client_log(svc->client, GUAC_LOG_WARNING, "File Stream does not " + "contain the expected number of bytes. File sharing may not " + "work as expected."); return; + } /* Read packet */ Stream_Read_UINT32(input_stream, length); @@ -257,8 +269,12 @@ void guac_rdpdr_fs_process_volume_info(guac_rdp_common_svc* svc, int fs_information_class; /* Check remaining length */ - if (Stream_GetRemainingLength(input_stream) < 4) + if (Stream_GetRemainingLength(input_stream) < 4) { + guac_client_log(svc->client, GUAC_LOG_WARNING, "File Stream does not " + "contain the expected number of bytes. File sharing may not " + "work as expected."); return; + } Stream_Read_UINT32(input_stream, fs_information_class); @@ -299,8 +315,12 @@ void guac_rdpdr_fs_process_file_info(guac_rdp_common_svc* svc, int fs_information_class; /* Check remaining length */ - if (Stream_GetRemainingLength(input_stream) < 4) + if (Stream_GetRemainingLength(input_stream) < 4) { + guac_client_log(svc->client, GUAC_LOG_WARNING, "File Stream does not " + "contain the expected number of bytes. File sharing may not " + "work as expected."); return; + } Stream_Read_UINT32(input_stream, fs_information_class); @@ -349,8 +369,12 @@ void guac_rdpdr_fs_process_set_file_info(guac_rdp_common_svc* svc, int length; /* Check remaining length */ - if (Stream_GetRemainingLength(input_stream) < 32) + if (Stream_GetRemainingLength(input_stream) < 32) { + guac_client_log(svc->client, GUAC_LOG_WARNING, "File stream does not " + "contain the expected number of bytes. File sharing may not " + "work as expected."); return; + } Stream_Read_UINT32(input_stream, fs_information_class); Stream_Read_UINT32(input_stream, length); /* Length */ @@ -430,8 +454,12 @@ void guac_rdpdr_fs_process_query_directory(guac_rdp_common_svc* svc, if (file == NULL) return; - if (Stream_GetRemainingLength(input_stream) < 9) + if (Stream_GetRemainingLength(input_stream) < 9) { + guac_client_log(svc->client, GUAC_LOG_WARNING, "File stream does not " + "contain the expected number of bytes. File sharing may not " + "work as expected."); return; + } /* Read main header */ Stream_Read_UINT32(input_stream, fs_information_class); @@ -441,8 +469,16 @@ void guac_rdpdr_fs_process_query_directory(guac_rdp_common_svc* svc, /* If this is the first query, the path is included after padding */ if (initial_query) { - if (Stream_GetRemainingLength(input_stream) < 23) + /* + * Check to make sure Stream has at least the 23 padding bytes in it + * prior to seeking. + */ + if (Stream_GetRemainingLength(input_stream) < 23) { + guac_client_log(svc->client, GUAC_LOG_WARNING, "File stream does " + "not contain the expected number of bytes. File sharing " + "may not work as expected."); return; + } Stream_Seek(input_stream, 23); /* Padding */ diff --git a/src/protocols/rdp/channels/rdpdr/rdpdr-messages.c b/src/protocols/rdp/channels/rdpdr/rdpdr-messages.c index 76808fac..213da916 100644 --- a/src/protocols/rdp/channels/rdpdr/rdpdr-messages.c +++ b/src/protocols/rdp/channels/rdpdr/rdpdr-messages.c @@ -212,6 +212,7 @@ void guac_rdpdr_process_server_announce(guac_rdp_common_svc* svc, unsigned int major, minor, client_id; + /* Stream should contain at least 8 bytes (UINT16 + UINT16 + UINT32) */ if (Stream_GetRemainingLength(input_stream) < 8) return; @@ -246,8 +247,13 @@ void guac_rdpdr_process_device_reply(guac_rdp_common_svc* svc, unsigned int device_id, ntstatus; int severity, c, n, facility, code; - if (Stream_GetRemainingLength(input_stream) < 8) + /* Stream should contain at least 8 bytes (UINT32 + UINT32 ) */ + if (Stream_GetRemainingLength(input_stream) < 8) { + guac_client_log(svc->client, GUAC_LOG_WARNING, "Device Stream does not " + "contain the expected number of bytes. Device redirection may " + "not work."); return; + } Stream_Read_UINT32(input_stream, device_id); Stream_Read_UINT32(input_stream, ntstatus); @@ -284,8 +290,13 @@ void guac_rdpdr_process_device_iorequest(guac_rdp_common_svc* svc, guac_rdpdr* rdpdr = (guac_rdpdr*) svc->data; guac_rdpdr_iorequest iorequest; - if (Stream_GetRemainingLength(input_stream) < 20) + /* Check to make sure the Stream contains at least 20 bytes (5 x UINT32 ). */ + if (Stream_GetRemainingLength(input_stream) < 20) { + guac_client_log(svc->client, GUAC_LOG_WARNING, "Device Stream does not " + "contain the expected number of bytes. Device redirection may " + "not work as expected."); return; + } /* Read header */ Stream_Read_UINT32(input_stream, iorequest.device_id); @@ -315,8 +326,13 @@ void guac_rdpdr_process_server_capability(guac_rdp_common_svc* svc, int count; int i; - if (Stream_GetRemainingLength(input_stream) < 4) + /* Check to make sure the Stream has at least 4 bytes (UINT16 + 2) */ + if (Stream_GetRemainingLength(input_stream) < 4) { + guac_client_log(svc->client, GUAC_LOG_WARNING, "Redirection Stream " + "does not contain the expected number of bytes. Device " + "redirection may not work as expected."); return; + } /* Read header */ Stream_Read_UINT16(input_stream, count); @@ -328,14 +344,24 @@ void guac_rdpdr_process_server_capability(guac_rdp_common_svc* svc, int type; int length; - if (Stream_GetRemainingLength(input_stream) < 4) + /* Make sure Stream has at least 4 bytes (UINT16 + UINT16) */ + if (Stream_GetRemainingLength(input_stream) < 4) { + guac_client_log(svc->client, GUAC_LOG_WARNING, "Redirection Stream " + "does not contain the expected number of bytes. Device " + "redirection may not work as expected."); break; + } Stream_Read_UINT16(input_stream, type); Stream_Read_UINT16(input_stream, length); - if (Stream_GetRemainingLength(input_stream) < (length - 4)) + /* Make sure Stream has required length remaining for Seek below. */ + if (Stream_GetRemainingLength(input_stream) < (length - 4)) { + guac_client_log(svc->client, GUAC_LOG_WARNING, "Redirection Stream " + "does not contain the expected number of bytes. Device " + "redirection may not work as expected."); break; + } /* Ignore all for now */ guac_client_log(svc->client, GUAC_LOG_DEBUG, "Ignoring server capability set type=0x%04x, length=%i", type, length); diff --git a/src/protocols/rdp/channels/rdpdr/rdpdr-printer.c b/src/protocols/rdp/channels/rdpdr/rdpdr-printer.c index fb0b1c95..f810143c 100644 --- a/src/protocols/rdp/channels/rdpdr/rdpdr-printer.c +++ b/src/protocols/rdp/channels/rdpdr/rdpdr-printer.c @@ -67,8 +67,13 @@ void guac_rdpdr_process_print_job_write(guac_rdp_common_svc* svc, int length; int status; - if (Stream_GetRemainingLength(input_stream) < 32) + /* Verify that Stream contains at least 32 bytes (UINT32 + 8 + 20) */ + if (Stream_GetRemainingLength(input_stream) < 32) { + guac_client_log(client, GUAC_LOG_WARNING, "Printer Stream does not " + "contain the required number of bytes. Print redirection may " + "not work as expected."); return; + } /* Read buffer of print data */ Stream_Read_UINT32(input_stream, length); diff --git a/src/protocols/rdp/channels/rdpdr/rdpdr.c b/src/protocols/rdp/channels/rdpdr/rdpdr.c index 5499e717..5be2c813 100644 --- a/src/protocols/rdp/channels/rdpdr/rdpdr.c +++ b/src/protocols/rdp/channels/rdpdr/rdpdr.c @@ -38,8 +38,16 @@ void guac_rdpdr_process_receive(guac_rdp_common_svc* svc, int component; int packet_id; - if (Stream_GetRemainingLength(input_stream) < 4) + /* + * Check that device redirection stream contains at least 4 bytes + * (UINT16 + UINT16). + */ + if (Stream_GetRemainingLength(input_stream) < 4) { + guac_client_log(svc->client, GUAC_LOG_WARNING, "Device redirection " + "Stream does not contain the required number of bytes. Device " + "redirection may not function as expected."); return; + } /* Read header */ Stream_Read_UINT16(input_stream, component); diff --git a/src/protocols/rdp/channels/rdpsnd/rdpsnd-messages.c b/src/protocols/rdp/channels/rdpsnd/rdpsnd-messages.c index 9e33c0e7..cd1ed8ba 100644 --- a/src/protocols/rdp/channels/rdpsnd/rdpsnd-messages.c +++ b/src/protocols/rdp/channels/rdpsnd/rdpsnd-messages.c @@ -50,8 +50,13 @@ void guac_rdpsnd_formats_handler(guac_rdp_common_svc* svc, /* Reset own format count */ rdpsnd->format_count = 0; - if (Stream_GetRemainingLength(input_stream) < 20) + /* Check to make sure the stream has at least 20 bytes, which */ + if (Stream_GetRemainingLength(input_stream) < 20) { + guac_client_log(client, GUAC_LOG_WARNING, "Audio Stream does not " + "contain the expected number of bytes. Sound may not work as " + "expected."); return; + } /* Format header */ Stream_Seek(input_stream, 14); @@ -99,8 +104,13 @@ void guac_rdpsnd_formats_handler(guac_rdp_common_svc* svc, /* Remember position in stream */ Stream_GetPointer(input_stream, format_start); - if (Stream_GetRemainingLength(input_stream) < 18) + /* Check to make sure Stream has at least 18 bytes. */ + if (Stream_GetRemainingLength(input_stream) < 18) { + guac_client_log(client, GUAC_LOG_WARNING, "Audio Stream does " + "not contain the expected number of bytes. Sound may " + "not work as expected."); return; + } /* Read format */ Stream_Read_UINT16(input_stream, format_tag); @@ -113,8 +123,13 @@ void guac_rdpsnd_formats_handler(guac_rdp_common_svc* svc, /* Skip past extra data */ Stream_Read_UINT16(input_stream, body_size); - if (Stream_GetRemainingLength(input_stream) < body_size) + /* Check that Stream has at least body_size bytes remaining. */ + if (Stream_GetRemainingLength(input_stream) < body_size) { + guac_client_log(client, GUAC_LOG_WARNING, "Audio Stream does " + "not contain the expected number of bytes. Sound may " + "not work as expected."); return; + } Stream_Seek(input_stream, body_size); @@ -215,8 +230,13 @@ void guac_rdpsnd_training_handler(guac_rdp_common_svc* svc, guac_rdpsnd* rdpsnd = (guac_rdpsnd*) svc->data; - if (Stream_GetRemainingLength(input_stream) < 4) + /* Check to make sure audio stream contains a minimum number of bytes. */ + if (Stream_GetRemainingLength(input_stream) < 4) { + guac_client_log(svc->client, GUAC_LOG_WARNING, "Audio Stream does not " + "contain the expected number of bytes. Sound may not work as " + "expected."); return; + } /* Read timestamp and data size */ Stream_Read_UINT16(input_stream, rdpsnd->server_timestamp); @@ -245,8 +265,13 @@ void guac_rdpsnd_wave_info_handler(guac_rdp_common_svc* svc, guac_rdp_client* rdp_client = (guac_rdp_client*) client->data; guac_audio_stream* audio = rdp_client->audio; - if (Stream_GetRemainingLength(input_stream) < 12) + /* Check to make sure audio stream contains a minimum number of bytes. */ + if (Stream_GetRemainingLength(input_stream) < 12) { + guac_client_log(svc->client, GUAC_LOG_WARNING, "Audio stream does not " + "contain the expected number of bytes. Sound may not work as " + "expected."); return; + } /* Read wave information */ Stream_Read_UINT16(input_stream, rdpsnd->server_timestamp); diff --git a/src/protocols/rdp/channels/rdpsnd/rdpsnd.c b/src/protocols/rdp/channels/rdpsnd/rdpsnd.c index 522ddc49..cc65a161 100644 --- a/src/protocols/rdp/channels/rdpsnd/rdpsnd.c +++ b/src/protocols/rdp/channels/rdpsnd/rdpsnd.c @@ -35,9 +35,13 @@ void guac_rdpsnd_process_receive(guac_rdp_common_svc* svc, guac_rdpsnd* rdpsnd = (guac_rdpsnd*) svc->data; guac_rdpsnd_pdu_header header; - /* Check that we at least have a header. */ - if (Stream_GetRemainingLength(input_stream) < 4) + /* Check that we at least the 4 byte header (UINT8 + UINT8 + UINT16) */ + if (Stream_GetRemainingLength(input_stream) < 4) { + guac_client_log(svc->client, GUAC_LOG_WARNING, "Audio Stream does not " + "contain the expected number of bytes. Sound may not work as " + "expected."); return; + } /* Read RDPSND PDU header */ Stream_Read_UINT8(input_stream, header.message_type); @@ -53,9 +57,13 @@ void guac_rdpsnd_process_receive(guac_rdp_common_svc* svc, return; } - /* Check body size */ - if (Stream_GetRemainingLength(input_stream) < header.body_size) + /* Check Stream size against body size */ + if (Stream_GetRemainingLength(input_stream) < header.body_size) { + guac_client_log(svc->client, GUAC_LOG_WARNING, "Audio Stream does not " + "contain the expected number of bytes. Sound may not work as " + "expected."); return; + } /* Dispatch message to standard handlers */ switch (header.message_type) { diff --git a/src/protocols/rdp/plugins/guacai/guacai-messages.c b/src/protocols/rdp/plugins/guacai/guacai-messages.c index 8641002c..1b15ef72 100644 --- a/src/protocols/rdp/plugins/guacai/guacai-messages.c +++ b/src/protocols/rdp/plugins/guacai/guacai-messages.c @@ -39,6 +39,7 @@ static void guac_rdp_ai_read_format(wStream* stream, guac_rdp_ai_format* format) { + /* Check that we have at least 18 bytes (5 x UINT16, 2 x UINT32) */ if (Stream_GetRemainingLength(stream) < 18) return; @@ -51,7 +52,7 @@ static void guac_rdp_ai_read_format(wStream* stream, Stream_Read_UINT16(stream, format->bps); /* wBitsPerSample */ Stream_Read_UINT16(stream, format->data_size); /* cbSize */ - /* Read arbitrary data block (if applicable) */ + /* Read arbitrary data block (if applicable) and data is available. */ if (format->data_size != 0 && Stream_GetRemainingLength(stream) >= format->data_size) { format->data = Stream_Pointer(stream); /* data */ @@ -236,9 +237,11 @@ static void guac_rdp_ai_send_formatchange(IWTSVirtualChannel* channel, void guac_rdp_ai_process_version(guac_client* client, IWTSVirtualChannel* channel, wStream* stream) { + /* Verify we have at least 4 bytes available (UINT32) */ if (Stream_GetRemainingLength(stream) < 4) { - guac_client_log(client, GUAC_LOG_WARNING, - "Invalid value provided for AUDIO_INPUT version."); + guac_client_log(client, GUAC_LOG_WARNING, "Audio input stream does not " + "contain the expected number of bytes. Audio input may not " + "work as expected."); return; } @@ -268,8 +271,13 @@ void guac_rdp_ai_process_formats(guac_client* client, guac_rdp_client* rdp_client = (guac_rdp_client*) client->data; guac_rdp_audio_buffer* audio_buffer = rdp_client->audio_input; - if (Stream_GetRemainingLength(stream) < 8) + /* Verify we have at least 8 bytes available (2 x UINT32) */ + if (Stream_GetRemainingLength(stream) < 8) { + guac_client_log(client, GUAC_LOG_WARNING, "Audio input stream does not " + "contain the expected number of bytes. Audio input may not " + "work as expected."); return; + } UINT32 num_formats; Stream_Read_UINT32(stream, num_formats); /* NumFormats */ @@ -319,8 +327,13 @@ void guac_rdp_ai_process_open(guac_client* client, guac_rdp_client* rdp_client = (guac_rdp_client*) client->data; guac_rdp_audio_buffer* audio_buffer = rdp_client->audio_input; - if (Stream_GetRemainingLength(stream) < 8) + /* Verify we have at least 8 bytes available (2 x UINT32) */ + if (Stream_GetRemainingLength(stream) < 8) { + guac_client_log(client, GUAC_LOG_WARNING, "Audio input stream does not " + "contain the expected number of bytes. Audio input may not " + "work as expected."); return; + } UINT32 packet_frames; UINT32 initial_format; diff --git a/src/protocols/rdp/plugins/guacai/guacai.c b/src/protocols/rdp/plugins/guacai/guacai.c index 5f2319d6..b0b0cb0d 100644 --- a/src/protocols/rdp/plugins/guacai/guacai.c +++ b/src/protocols/rdp/plugins/guacai/guacai.c @@ -52,8 +52,13 @@ static void guac_rdp_ai_handle_data(guac_client* client, IWTSVirtualChannel* channel, wStream* stream) { - if (Stream_GetRemainingLength(stream) < 1) + /* Verify we have at least 1 byte in the stream (UINT8) */ + if (Stream_GetRemainingLength(stream) < 1) { + guac_client_log(client, GUAC_LOG_WARNING, "Audio input stream does not " + "contain the expected number of bytes. Audio input may not " + "work as expected."); return; + } /* Read message ID from received PDU */ BYTE message_id; From ac9e5e91f62d8b9d4945a2e828e62db79c563411 Mon Sep 17 00:00:00 2001 From: Nick Couchman Date: Mon, 4 May 2020 17:53:17 -0400 Subject: [PATCH 4/9] GUACAMOLE-1059: Remove bad check of audio stream against body_size. --- src/protocols/rdp/channels/rdpsnd/rdpsnd.c | 8 -------- 1 file changed, 8 deletions(-) diff --git a/src/protocols/rdp/channels/rdpsnd/rdpsnd.c b/src/protocols/rdp/channels/rdpsnd/rdpsnd.c index cc65a161..6050ddb4 100644 --- a/src/protocols/rdp/channels/rdpsnd/rdpsnd.c +++ b/src/protocols/rdp/channels/rdpsnd/rdpsnd.c @@ -56,14 +56,6 @@ void guac_rdpsnd_process_receive(guac_rdp_common_svc* svc, guac_rdpsnd_wave_handler(svc, input_stream, &header); return; } - - /* Check Stream size against body size */ - if (Stream_GetRemainingLength(input_stream) < header.body_size) { - guac_client_log(svc->client, GUAC_LOG_WARNING, "Audio Stream does not " - "contain the expected number of bytes. Sound may not work as " - "expected."); - return; - } /* Dispatch message to standard handlers */ switch (header.message_type) { From 71769b971559d0e4fa744d628cab392eb6551b0e Mon Sep 17 00:00:00 2001 From: Nick Couchman Date: Mon, 4 May 2020 19:49:15 -0400 Subject: [PATCH 5/9] GUACAMOLE-1059: Add missing check for manually copied buffer. --- src/protocols/rdp/channels/rdpsnd/rdpsnd-messages.c | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/src/protocols/rdp/channels/rdpsnd/rdpsnd-messages.c b/src/protocols/rdp/channels/rdpsnd/rdpsnd-messages.c index cd1ed8ba..af847022 100644 --- a/src/protocols/rdp/channels/rdpsnd/rdpsnd-messages.c +++ b/src/protocols/rdp/channels/rdpsnd/rdpsnd-messages.c @@ -307,6 +307,14 @@ void guac_rdpsnd_wave_handler(guac_rdp_common_svc* svc, guac_rdp_client* rdp_client = (guac_rdp_client*) client->data; guac_audio_stream* audio = rdp_client->audio; + + /* Verify we have at least 4 bytes, which is manually copied below. */ + if (Stream_Length(input_stream) < 4) { + guac_client_log(svc->client, GUAC_LOG_WARNING, "Sound stream does not " + "contain the expected number of bytes. Sound may not work as " + "expected."); + return; + } /* Wave Confirmation PDU */ wStream* output_stream = Stream_New(NULL, 8); From e761e47cd057c054130580c7654e40bacc745cb9 Mon Sep 17 00:00:00 2001 From: Nick Couchman Date: Tue, 5 May 2020 16:33:59 -0400 Subject: [PATCH 6/9] GUACAMOLE-1059: Add missing checks and fix up warning messages. --- .../rdpdr/rdpdr-fs-messages-file-info.c | 33 ++++++++- .../rdp/channels/rdpdr/rdpdr-fs-messages.c | 68 ++++++++++++------- .../rdp/channels/rdpdr/rdpdr-messages.c | 32 +++++---- .../rdp/channels/rdpdr/rdpdr-printer.c | 14 +++- src/protocols/rdp/channels/rdpdr/rdpdr.c | 4 +- .../rdp/channels/rdpsnd/rdpsnd-messages.c | 38 ++++++----- src/protocols/rdp/channels/rdpsnd/rdpsnd.c | 4 +- .../rdp/plugins/guacai/guacai-messages.c | 18 ++--- src/protocols/rdp/plugins/guacai/guacai.c | 4 +- 9 files changed, 135 insertions(+), 80 deletions(-) diff --git a/src/protocols/rdp/channels/rdpdr/rdpdr-fs-messages-file-info.c b/src/protocols/rdp/channels/rdpdr/rdpdr-fs-messages-file-info.c index d5282ec1..1ea67016 100644 --- a/src/protocols/rdp/channels/rdpdr/rdpdr-fs-messages-file-info.c +++ b/src/protocols/rdp/channels/rdpdr/rdpdr-fs-messages-file-info.c @@ -137,9 +137,10 @@ void guac_rdpdr_fs_process_set_rename_info(guac_rdp_common_svc* svc, /* Check stream size prior to reading. */ if (Stream_GetRemainingLength(input_stream) < 6) { - guac_client_log(svc->client, GUAC_LOG_WARNING, "File Stream does not " - "contain the required number of bytes. File sharing may not " - "work as expected."); + guac_client_log(svc->client, GUAC_LOG_WARNING, "Server Drive Set " + "Information Request (FileRenameInformation) PDU does not " + "contain the expected number of bytes. File redirection " + "may not work as expected."); return; } @@ -148,6 +149,14 @@ void guac_rdpdr_fs_process_set_rename_info(guac_rdp_common_svc* svc, Stream_Seek_UINT8(input_stream); /* RootDirectory */ Stream_Read_UINT32(input_stream, filename_length); /* FileNameLength */ + if (Stream_GetRemainingLength(input_stream) < filename_length) { + guac_client_log(svc->client, GUAC_LOG_WARNING, "Server Drive Set " + "Information Request (FileRenameInformation) PDU does not " + "contain the expected number of bytes. File redirection " + "may not work as expected."); + return; + } + /* Convert name to UTF-8 */ guac_rdp_utf16_to_utf8(Stream_Pointer(input_stream), filename_length/2, destination_path, sizeof(destination_path)); @@ -200,6 +209,15 @@ void guac_rdpdr_fs_process_set_allocation_info(guac_rdp_common_svc* svc, UINT64 size; wStream* output_stream; + /* Check to make sure the stream has at least 8 bytes (UINT64) */ + if (Stream_GetRemainingLength(input_stream) < 8) { + guac_client_log(svc->client, GUAC_LOG_WARNING, "Server Drive Set " + "Information Request (FileAllocationInformation) PDU does not " + "contain the expected number of bytes. File redirection " + "may not work as expected."); + return; + } + /* Read new size */ Stream_Read_UINT64(input_stream, size); /* AllocationSize */ @@ -252,6 +270,15 @@ void guac_rdpdr_fs_process_set_end_of_file_info(guac_rdp_common_svc* svc, UINT64 size; wStream* output_stream; + /* Check to make sure stream contains at least 8 bytes (UINT64) */ + if (Stream_GetRemainingLength(input_stream) < 8) { + guac_client_log(svc->client, GUAC_LOG_WARNING, "Server Drive Set " + "Information Request (FileEndOfFileInformation) PDU does not " + "contain the expected number of bytes. File redirection " + "may not work as expected."); + return; + } + /* Read new size */ Stream_Read_UINT64(input_stream, size); /* AllocationSize */ diff --git a/src/protocols/rdp/channels/rdpdr/rdpdr-fs-messages.c b/src/protocols/rdp/channels/rdpdr/rdpdr-fs-messages.c index 25e1e158..facba6f3 100644 --- a/src/protocols/rdp/channels/rdpdr/rdpdr-fs-messages.c +++ b/src/protocols/rdp/channels/rdpdr/rdpdr-fs-messages.c @@ -50,9 +50,9 @@ void guac_rdpdr_fs_process_create(guac_rdp_common_svc* svc, /* Check remaining stream data prior to reading. */ if (Stream_GetRemainingLength(input_stream) < 32) { - guac_client_log(svc->client, GUAC_LOG_WARNING, "File stream does not " - "contain the expected number of bytes. File sharing may not " - "work as expected."); + guac_client_log(svc->client, GUAC_LOG_WARNING, "Server Create Drive " + "Request PDU does not contain the expected number of bytes. " + "Drive redirection may not work as expected."); return; } @@ -65,6 +65,14 @@ void guac_rdpdr_fs_process_create(guac_rdp_common_svc* svc, Stream_Read_UINT32(input_stream, create_options); Stream_Read_UINT32(input_stream, path_length); + /* Check to make sure the stream contains path_length bytes. */ + if(Stream_GetRemainingLength(input_stream) < path_length) { + guac_client_log(svc->client, GUAC_LOG_WARNING, "Server Create Drive " + "Request PDU does not contain the expected number of bytes. " + "Drive redirection may not work as expected."); + return; + } + /* Convert path to UTF-8 */ guac_rdp_utf16_to_utf8(Stream_Pointer(input_stream), path_length/2 - 1, path, sizeof(path)); @@ -133,9 +141,9 @@ void guac_rdpdr_fs_process_read(guac_rdp_common_svc* svc, /* Check remaining bytes before reading stream. */ if (Stream_GetRemainingLength(input_stream) < 12) { - guac_client_log(svc->client, GUAC_LOG_WARNING, "File Stream does not " - "contain the expected number of bytes. File sharing may not " - "work as expected."); + guac_client_log(svc->client, GUAC_LOG_WARNING, "Server Drive Read " + "Request PDU does not contain the expected number of bytes. " + "Drive redirection may not work as expected."); return; } @@ -190,9 +198,9 @@ void guac_rdpdr_fs_process_write(guac_rdp_common_svc* svc, /* Check remaining length. */ if (Stream_GetRemainingLength(input_stream) < 32) { - guac_client_log(svc->client, GUAC_LOG_WARNING, "File Stream does not " - "contain the expected number of bytes. File sharing may not " - "work as expected."); + guac_client_log(svc->client, GUAC_LOG_WARNING, "Server Drive Write " + "Request PDU does not contain the expected number of bytes. " + "Drive redirection may not work as expected."); return; } @@ -205,6 +213,14 @@ void guac_rdpdr_fs_process_write(guac_rdp_common_svc* svc, "%s: [file_id=%i] length=%i, offset=%" PRIu64, __func__, iorequest->file_id, length, (uint64_t) offset); + /* Check to make sure stream contains at least length bytes */ + if (Stream_GetRemainingLength(input_stream) < length) { + guac_client_log(svc->client, GUAC_LOG_WARNING, "Server Drive Write " + "Request PDU does not contain the expected number of bytes. " + "Drive redirection may not work as expected."); + return; + } + /* Attempt write */ bytes_written = guac_rdp_fs_write((guac_rdp_fs*) device->data, iorequest->file_id, offset, Stream_Pointer(input_stream), length); @@ -270,9 +286,9 @@ void guac_rdpdr_fs_process_volume_info(guac_rdp_common_svc* svc, /* Check remaining length */ if (Stream_GetRemainingLength(input_stream) < 4) { - guac_client_log(svc->client, GUAC_LOG_WARNING, "File Stream does not " - "contain the expected number of bytes. File sharing may not " - "work as expected."); + guac_client_log(svc->client, GUAC_LOG_WARNING, "Server Drive Query " + "Volume Information PDU does not contain the expected number " + "of bytes. Drive redirection may not work as expected."); return; } @@ -316,9 +332,9 @@ void guac_rdpdr_fs_process_file_info(guac_rdp_common_svc* svc, /* Check remaining length */ if (Stream_GetRemainingLength(input_stream) < 4) { - guac_client_log(svc->client, GUAC_LOG_WARNING, "File Stream does not " - "contain the expected number of bytes. File sharing may not " - "work as expected."); + guac_client_log(svc->client, GUAC_LOG_WARNING, "Server Drive Query " + "Information PDU does not contain the expected number of " + "bytes. Drive redirection may not work as expected."); return; } @@ -370,9 +386,9 @@ void guac_rdpdr_fs_process_set_file_info(guac_rdp_common_svc* svc, /* Check remaining length */ if (Stream_GetRemainingLength(input_stream) < 32) { - guac_client_log(svc->client, GUAC_LOG_WARNING, "File stream does not " - "contain the expected number of bytes. File sharing may not " - "work as expected."); + guac_client_log(svc->client, GUAC_LOG_WARNING, "Server Drive Set " + "Information PDU does not contain the expected number of " + "bytes. Drive redirection may not work as expected."); return; } @@ -455,9 +471,9 @@ void guac_rdpdr_fs_process_query_directory(guac_rdp_common_svc* svc, return; if (Stream_GetRemainingLength(input_stream) < 9) { - guac_client_log(svc->client, GUAC_LOG_WARNING, "File stream does not " - "contain the expected number of bytes. File sharing may not " - "work as expected."); + guac_client_log(svc->client, GUAC_LOG_WARNING, "Server Drive Query " + "Directory PDU does not contain the expected number of bytes. " + "Drive redirection may not work as expected."); return; } @@ -473,15 +489,15 @@ void guac_rdpdr_fs_process_query_directory(guac_rdp_common_svc* svc, * Check to make sure Stream has at least the 23 padding bytes in it * prior to seeking. */ - if (Stream_GetRemainingLength(input_stream) < 23) { - guac_client_log(svc->client, GUAC_LOG_WARNING, "File stream does " - "not contain the expected number of bytes. File sharing " - "may not work as expected."); + if (Stream_GetRemainingLength(input_stream) < (23 + path_length)) { + guac_client_log(svc->client, GUAC_LOG_WARNING, "Server Drive Query " + "Directory PDU does not contain the expected number of " + "bytes. Drive redirection may not work as expected."); return; } Stream_Seek(input_stream, 23); /* Padding */ - + /* Convert path to UTF-8 */ guac_rdp_utf16_to_utf8(Stream_Pointer(input_stream), path_length/2 - 1, file->dir_pattern, sizeof(file->dir_pattern)); diff --git a/src/protocols/rdp/channels/rdpdr/rdpdr-messages.c b/src/protocols/rdp/channels/rdpdr/rdpdr-messages.c index 213da916..c03d0b95 100644 --- a/src/protocols/rdp/channels/rdpdr/rdpdr-messages.c +++ b/src/protocols/rdp/channels/rdpdr/rdpdr-messages.c @@ -249,9 +249,9 @@ void guac_rdpdr_process_device_reply(guac_rdp_common_svc* svc, /* Stream should contain at least 8 bytes (UINT32 + UINT32 ) */ if (Stream_GetRemainingLength(input_stream) < 8) { - guac_client_log(svc->client, GUAC_LOG_WARNING, "Device Stream does not " - "contain the expected number of bytes. Device redirection may " - "not work."); + guac_client_log(svc->client, GUAC_LOG_WARNING, "Server Device Announce" + "Response PDU does not contain the expected number of bytes." + "Device redirection may not work as expected."); return; } @@ -292,9 +292,9 @@ void guac_rdpdr_process_device_iorequest(guac_rdp_common_svc* svc, /* Check to make sure the Stream contains at least 20 bytes (5 x UINT32 ). */ if (Stream_GetRemainingLength(input_stream) < 20) { - guac_client_log(svc->client, GUAC_LOG_WARNING, "Device Stream does not " - "contain the expected number of bytes. Device redirection may " - "not work as expected."); + guac_client_log(svc->client, GUAC_LOG_WARNING, "Device I/O Request PDU " + "does not contain the expected number of bytes. Device " + "redirection may not work as expected."); return; } @@ -328,9 +328,9 @@ void guac_rdpdr_process_server_capability(guac_rdp_common_svc* svc, /* Check to make sure the Stream has at least 4 bytes (UINT16 + 2) */ if (Stream_GetRemainingLength(input_stream) < 4) { - guac_client_log(svc->client, GUAC_LOG_WARNING, "Redirection Stream " - "does not contain the expected number of bytes. Device " - "redirection may not work as expected."); + guac_client_log(svc->client, GUAC_LOG_WARNING, "Server Core Capability " + "Request PDU does not contain the expected number of bytes." + "Device redirection may not work as expected."); return; } @@ -346,9 +346,10 @@ void guac_rdpdr_process_server_capability(guac_rdp_common_svc* svc, /* Make sure Stream has at least 4 bytes (UINT16 + UINT16) */ if (Stream_GetRemainingLength(input_stream) < 4) { - guac_client_log(svc->client, GUAC_LOG_WARNING, "Redirection Stream " - "does not contain the expected number of bytes. Device " - "redirection may not work as expected."); + guac_client_log(svc->client, GUAC_LOG_WARNING, "Server Core " + "Capability Request PDU does not contain the expected " + "number of bytes. Device redirection may not work as " + "expected."); break; } @@ -357,9 +358,10 @@ void guac_rdpdr_process_server_capability(guac_rdp_common_svc* svc, /* Make sure Stream has required length remaining for Seek below. */ if (Stream_GetRemainingLength(input_stream) < (length - 4)) { - guac_client_log(svc->client, GUAC_LOG_WARNING, "Redirection Stream " - "does not contain the expected number of bytes. Device " - "redirection may not work as expected."); + guac_client_log(svc->client, GUAC_LOG_WARNING, "Server Core " + "Capability Request PDU does not contain the expected " + "number of bytes. Device redirection may not work as " + "expected."); break; } diff --git a/src/protocols/rdp/channels/rdpdr/rdpdr-printer.c b/src/protocols/rdp/channels/rdpdr/rdpdr-printer.c index f810143c..4ff70535 100644 --- a/src/protocols/rdp/channels/rdpdr/rdpdr-printer.c +++ b/src/protocols/rdp/channels/rdpdr/rdpdr-printer.c @@ -69,9 +69,9 @@ void guac_rdpdr_process_print_job_write(guac_rdp_common_svc* svc, /* Verify that Stream contains at least 32 bytes (UINT32 + 8 + 20) */ if (Stream_GetRemainingLength(input_stream) < 32) { - guac_client_log(client, GUAC_LOG_WARNING, "Printer Stream does not " - "contain the required number of bytes. Print redirection may " - "not work as expected."); + guac_client_log(client, GUAC_LOG_WARNING, "Print job write stream does " + "not contain the expected number of bytes. Printer redirection " + "may not work as expected."); return; } @@ -81,6 +81,14 @@ void guac_rdpdr_process_print_job_write(guac_rdp_common_svc* svc, Stream_Seek(input_stream, 20); /* Padding */ buffer = Stream_Pointer(input_stream); + /* Verify the stream has at least length number of bytes remaining. */ + if (Stream_GetRemainingLength(input_stream) < length) { + guac_client_log(client, GUAC_LOG_WARNING, "Print job write stream does " + "not contain the expected number of bytes. Printer redirection " + "may not work as expected."); + return; + } + /* Write data only if job exists, translating status for RDP */ if (job != NULL && (length = guac_rdp_print_job_write(job, buffer, length)) >= 0) { diff --git a/src/protocols/rdp/channels/rdpdr/rdpdr.c b/src/protocols/rdp/channels/rdpdr/rdpdr.c index 5be2c813..d01abf42 100644 --- a/src/protocols/rdp/channels/rdpdr/rdpdr.c +++ b/src/protocols/rdp/channels/rdpdr/rdpdr.c @@ -44,8 +44,8 @@ void guac_rdpdr_process_receive(guac_rdp_common_svc* svc, */ if (Stream_GetRemainingLength(input_stream) < 4) { guac_client_log(svc->client, GUAC_LOG_WARNING, "Device redirection " - "Stream does not contain the required number of bytes. Device " - "redirection may not function as expected."); + "channel receive Stream does not contain the expected number " + "of bytes. Device redirection may not function as expected."); return; } diff --git a/src/protocols/rdp/channels/rdpsnd/rdpsnd-messages.c b/src/protocols/rdp/channels/rdpsnd/rdpsnd-messages.c index af847022..be3a3772 100644 --- a/src/protocols/rdp/channels/rdpsnd/rdpsnd-messages.c +++ b/src/protocols/rdp/channels/rdpsnd/rdpsnd-messages.c @@ -52,9 +52,9 @@ void guac_rdpsnd_formats_handler(guac_rdp_common_svc* svc, /* Check to make sure the stream has at least 20 bytes, which */ if (Stream_GetRemainingLength(input_stream) < 20) { - guac_client_log(client, GUAC_LOG_WARNING, "Audio Stream does not " - "contain the expected number of bytes. Sound may not work as " - "expected."); + guac_client_log(client, GUAC_LOG_WARNING, "Server Audio Formats and " + "Version PDU does not contain the expected number of bytes. " + "Audio redirection may not work as expected."); return; } @@ -106,9 +106,10 @@ void guac_rdpsnd_formats_handler(guac_rdp_common_svc* svc, /* Check to make sure Stream has at least 18 bytes. */ if (Stream_GetRemainingLength(input_stream) < 18) { - guac_client_log(client, GUAC_LOG_WARNING, "Audio Stream does " - "not contain the expected number of bytes. Sound may " - "not work as expected."); + guac_client_log(client, GUAC_LOG_WARNING, "Server Audio " + "Formats and Version PDU does not contain the expected " + "number of bytes. Audio redirection may not work as " + "expected."); return; } @@ -125,9 +126,10 @@ void guac_rdpsnd_formats_handler(guac_rdp_common_svc* svc, /* Check that Stream has at least body_size bytes remaining. */ if (Stream_GetRemainingLength(input_stream) < body_size) { - guac_client_log(client, GUAC_LOG_WARNING, "Audio Stream does " - "not contain the expected number of bytes. Sound may " - "not work as expected."); + guac_client_log(client, GUAC_LOG_WARNING, "Server Audio " + "Formats and Version PDU does not contain the expected " + "number of bytes. Audio redirection may not work as " + "expected."); return; } @@ -232,9 +234,9 @@ void guac_rdpsnd_training_handler(guac_rdp_common_svc* svc, /* Check to make sure audio stream contains a minimum number of bytes. */ if (Stream_GetRemainingLength(input_stream) < 4) { - guac_client_log(svc->client, GUAC_LOG_WARNING, "Audio Stream does not " - "contain the expected number of bytes. Sound may not work as " - "expected."); + guac_client_log(svc->client, GUAC_LOG_WARNING, "Audio Training PDU " + "does not contain the expected number of bytes. Audio " + "redirection may not work as expected."); return; } @@ -267,9 +269,9 @@ void guac_rdpsnd_wave_info_handler(guac_rdp_common_svc* svc, /* Check to make sure audio stream contains a minimum number of bytes. */ if (Stream_GetRemainingLength(input_stream) < 12) { - guac_client_log(svc->client, GUAC_LOG_WARNING, "Audio stream does not " - "contain the expected number of bytes. Sound may not work as " - "expected."); + guac_client_log(svc->client, GUAC_LOG_WARNING, "Audio WaveInfo PDU " + "does not contain the expected number of bytes. Sound may not " + "work as expected."); return; } @@ -310,9 +312,9 @@ void guac_rdpsnd_wave_handler(guac_rdp_common_svc* svc, /* Verify we have at least 4 bytes, which is manually copied below. */ if (Stream_Length(input_stream) < 4) { - guac_client_log(svc->client, GUAC_LOG_WARNING, "Sound stream does not " - "contain the expected number of bytes. Sound may not work as " - "expected."); + guac_client_log(svc->client, GUAC_LOG_WARNING, "Audio Wave PDU does " + "not contain the expected number of bytes. Sound may not work " + "as expected."); return; } diff --git a/src/protocols/rdp/channels/rdpsnd/rdpsnd.c b/src/protocols/rdp/channels/rdpsnd/rdpsnd.c index 6050ddb4..2950d1fd 100644 --- a/src/protocols/rdp/channels/rdpsnd/rdpsnd.c +++ b/src/protocols/rdp/channels/rdpsnd/rdpsnd.c @@ -38,8 +38,8 @@ void guac_rdpsnd_process_receive(guac_rdp_common_svc* svc, /* Check that we at least the 4 byte header (UINT8 + UINT8 + UINT16) */ if (Stream_GetRemainingLength(input_stream) < 4) { guac_client_log(svc->client, GUAC_LOG_WARNING, "Audio Stream does not " - "contain the expected number of bytes. Sound may not work as " - "expected."); + "contain the expected number of bytes. Audio redirection may " + "not work as expected."); return; } diff --git a/src/protocols/rdp/plugins/guacai/guacai-messages.c b/src/protocols/rdp/plugins/guacai/guacai-messages.c index 1b15ef72..7ac0fb0b 100644 --- a/src/protocols/rdp/plugins/guacai/guacai-messages.c +++ b/src/protocols/rdp/plugins/guacai/guacai-messages.c @@ -239,9 +239,9 @@ void guac_rdp_ai_process_version(guac_client* client, /* Verify we have at least 4 bytes available (UINT32) */ if (Stream_GetRemainingLength(stream) < 4) { - guac_client_log(client, GUAC_LOG_WARNING, "Audio input stream does not " - "contain the expected number of bytes. Audio input may not " - "work as expected."); + guac_client_log(client, GUAC_LOG_WARNING, "Audio input Versoin PDU " + "does not contain the expected number of bytes. Audio input " + "redirection may not work as expected."); return; } @@ -273,9 +273,9 @@ void guac_rdp_ai_process_formats(guac_client* client, /* Verify we have at least 8 bytes available (2 x UINT32) */ if (Stream_GetRemainingLength(stream) < 8) { - guac_client_log(client, GUAC_LOG_WARNING, "Audio input stream does not " - "contain the expected number of bytes. Audio input may not " - "work as expected."); + guac_client_log(client, GUAC_LOG_WARNING, "Audio input Sound Formats " + "PDU does not contain the expected number of bytes. Audio " + "input redirection may not work as expected."); return; } @@ -329,9 +329,9 @@ void guac_rdp_ai_process_open(guac_client* client, /* Verify we have at least 8 bytes available (2 x UINT32) */ if (Stream_GetRemainingLength(stream) < 8) { - guac_client_log(client, GUAC_LOG_WARNING, "Audio input stream does not " - "contain the expected number of bytes. Audio input may not " - "work as expected."); + guac_client_log(client, GUAC_LOG_WARNING, "Audio input Open PDU does " + "not contain the expected number of bytes. Audio input " + "redirection may not work as expected."); return; } diff --git a/src/protocols/rdp/plugins/guacai/guacai.c b/src/protocols/rdp/plugins/guacai/guacai.c index b0b0cb0d..577c2eff 100644 --- a/src/protocols/rdp/plugins/guacai/guacai.c +++ b/src/protocols/rdp/plugins/guacai/guacai.c @@ -55,8 +55,8 @@ static void guac_rdp_ai_handle_data(guac_client* client, /* Verify we have at least 1 byte in the stream (UINT8) */ if (Stream_GetRemainingLength(stream) < 1) { guac_client_log(client, GUAC_LOG_WARNING, "Audio input stream does not " - "contain the expected number of bytes. Audio input may not " - "work as expected."); + "contain the expected number of bytes. Audio input redirection " + "may not work as expected."); return; } From 315a8a7179dff222c9ed2c6c7d617663d537c463 Mon Sep 17 00:00:00 2001 From: Nick Couchman Date: Tue, 5 May 2020 16:38:36 -0400 Subject: [PATCH 7/9] GUACAMOLE-1059: Correctly handle issues processing audio input formats. --- .../rdp/plugins/guacai/guacai-messages.c | 25 +++++++++++++++---- 1 file changed, 20 insertions(+), 5 deletions(-) diff --git a/src/protocols/rdp/plugins/guacai/guacai-messages.c b/src/protocols/rdp/plugins/guacai/guacai-messages.c index 7ac0fb0b..eb9a79da 100644 --- a/src/protocols/rdp/plugins/guacai/guacai-messages.c +++ b/src/protocols/rdp/plugins/guacai/guacai-messages.c @@ -35,13 +35,16 @@ * * @param format * The structure to populate with data from the stream. + * + * @return + * Zero on success or non-zero if an error occurs processing the format. */ -static void guac_rdp_ai_read_format(wStream* stream, +static int guac_rdp_ai_read_format(wStream* stream, guac_rdp_ai_format* format) { /* Check that we have at least 18 bytes (5 x UINT16, 2 x UINT32) */ if (Stream_GetRemainingLength(stream) < 18) - return; + return 1; /* Read audio format into structure */ Stream_Read_UINT16(stream, format->tag); /* wFormatTag */ @@ -53,11 +56,18 @@ static void guac_rdp_ai_read_format(wStream* stream, Stream_Read_UINT16(stream, format->data_size); /* cbSize */ /* Read arbitrary data block (if applicable) and data is available. */ - if (format->data_size != 0 - && Stream_GetRemainingLength(stream) >= format->data_size) { + if (format->data_size != 0) { + + /* Check to make sure Stream contains expected bytes. */ + if (Stream_GetRemainingLength(stream) < format->data_size) + return 1; + format->data = Stream_Pointer(stream); /* data */ Stream_Seek(stream, format->data_size); + } + + return 0; } @@ -287,7 +297,12 @@ void guac_rdp_ai_process_formats(guac_client* client, for (index = 0; index < num_formats; index++) { guac_rdp_ai_format format; - guac_rdp_ai_read_format(stream, &format); + if (guac_rdp_ai_read_format(stream, &format)) { + guac_client_log(client, GUAC_LOG_WARNING, "Error occurred " + "processing audio input formats. Audio input redirection " + "may not work as expected."); + return; + } /* Ignore anything but WAVE_FORMAT_PCM */ if (format.tag != GUAC_RDP_WAVE_FORMAT_PCM) From 47bf3ab6725f3ae90066c60420e5e1856218a3f2 Mon Sep 17 00:00:00 2001 From: Nick Couchman Date: Tue, 5 May 2020 17:15:47 -0400 Subject: [PATCH 8/9] GUACAMOLE-1059: Verify correct number of bytes for incoming wave. --- src/protocols/rdp/channels/rdpsnd/rdpsnd-messages.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/protocols/rdp/channels/rdpsnd/rdpsnd-messages.c b/src/protocols/rdp/channels/rdpsnd/rdpsnd-messages.c index be3a3772..e9eb6cc4 100644 --- a/src/protocols/rdp/channels/rdpsnd/rdpsnd-messages.c +++ b/src/protocols/rdp/channels/rdpsnd/rdpsnd-messages.c @@ -310,8 +310,8 @@ void guac_rdpsnd_wave_handler(guac_rdp_common_svc* svc, guac_rdp_client* rdp_client = (guac_rdp_client*) client->data; guac_audio_stream* audio = rdp_client->audio; - /* Verify we have at least 4 bytes, which is manually copied below. */ - if (Stream_Length(input_stream) < 4) { + /* Verify that the stream has bytes to cover the wave size plus header. */ + if (Stream_Length(input_stream) < (rdpsnd->incoming_wave_size + 4)) { guac_client_log(svc->client, GUAC_LOG_WARNING, "Audio Wave PDU does " "not contain the expected number of bytes. Sound may not work " "as expected."); From 557e2f594445d7157d0e71da16c5d974f600059c Mon Sep 17 00:00:00 2001 From: Nick Couchman Date: Wed, 6 May 2020 10:17:20 -0400 Subject: [PATCH 9/9] GUACAMOLE-1059: Fine tune comments and log messages. --- src/protocols/rdp/channels/rdpdr/rdpdr-messages.c | 6 +++++- src/protocols/rdp/channels/rdpdr/rdpdr.c | 4 ++-- src/protocols/rdp/channels/rdpsnd/rdpsnd-messages.c | 5 ++++- src/protocols/rdp/channels/rdpsnd/rdpsnd.c | 2 +- src/protocols/rdp/plugins/guacai/guacai.c | 6 +++--- 5 files changed, 15 insertions(+), 8 deletions(-) diff --git a/src/protocols/rdp/channels/rdpdr/rdpdr-messages.c b/src/protocols/rdp/channels/rdpdr/rdpdr-messages.c index c03d0b95..5fee4658 100644 --- a/src/protocols/rdp/channels/rdpdr/rdpdr-messages.c +++ b/src/protocols/rdp/channels/rdpdr/rdpdr-messages.c @@ -213,8 +213,12 @@ void guac_rdpdr_process_server_announce(guac_rdp_common_svc* svc, unsigned int major, minor, client_id; /* Stream should contain at least 8 bytes (UINT16 + UINT16 + UINT32) */ - if (Stream_GetRemainingLength(input_stream) < 8) + if (Stream_GetRemainingLength(input_stream) < 8) { + guac_client_log(svc->client, GUAC_LOG_WARNING, "Server Announce " + "Request PDU does not contain the expected number of bytes. " + "Device redirection may not work as expected."); return; + } Stream_Read_UINT16(input_stream, major); Stream_Read_UINT16(input_stream, minor); diff --git a/src/protocols/rdp/channels/rdpdr/rdpdr.c b/src/protocols/rdp/channels/rdpdr/rdpdr.c index d01abf42..68bb73e4 100644 --- a/src/protocols/rdp/channels/rdpdr/rdpdr.c +++ b/src/protocols/rdp/channels/rdpdr/rdpdr.c @@ -44,8 +44,8 @@ void guac_rdpdr_process_receive(guac_rdp_common_svc* svc, */ if (Stream_GetRemainingLength(input_stream) < 4) { guac_client_log(svc->client, GUAC_LOG_WARNING, "Device redirection " - "channel receive Stream does not contain the expected number " - "of bytes. Device redirection may not function as expected."); + "channel PDU header does not contain the expected number of " + "bytes. Device redirection may not function as expected."); return; } diff --git a/src/protocols/rdp/channels/rdpsnd/rdpsnd-messages.c b/src/protocols/rdp/channels/rdpsnd/rdpsnd-messages.c index e9eb6cc4..c057cd11 100644 --- a/src/protocols/rdp/channels/rdpsnd/rdpsnd-messages.c +++ b/src/protocols/rdp/channels/rdpsnd/rdpsnd-messages.c @@ -50,7 +50,10 @@ void guac_rdpsnd_formats_handler(guac_rdp_common_svc* svc, /* Reset own format count */ rdpsnd->format_count = 0; - /* Check to make sure the stream has at least 20 bytes, which */ + /* + * Check to make sure the stream has at least 20 bytes (14 byte seek, + * 2 x UTF16 reads, and 2 x UTF8 seeks). + */ if (Stream_GetRemainingLength(input_stream) < 20) { guac_client_log(client, GUAC_LOG_WARNING, "Server Audio Formats and " "Version PDU does not contain the expected number of bytes. " diff --git a/src/protocols/rdp/channels/rdpsnd/rdpsnd.c b/src/protocols/rdp/channels/rdpsnd/rdpsnd.c index 2950d1fd..40b53150 100644 --- a/src/protocols/rdp/channels/rdpsnd/rdpsnd.c +++ b/src/protocols/rdp/channels/rdpsnd/rdpsnd.c @@ -35,7 +35,7 @@ void guac_rdpsnd_process_receive(guac_rdp_common_svc* svc, guac_rdpsnd* rdpsnd = (guac_rdpsnd*) svc->data; guac_rdpsnd_pdu_header header; - /* Check that we at least the 4 byte header (UINT8 + UINT8 + UINT16) */ + /* Check that we have at least the 4 byte header (UINT8 + UINT8 + UINT16) */ if (Stream_GetRemainingLength(input_stream) < 4) { guac_client_log(svc->client, GUAC_LOG_WARNING, "Audio Stream does not " "contain the expected number of bytes. Audio redirection may " diff --git a/src/protocols/rdp/plugins/guacai/guacai.c b/src/protocols/rdp/plugins/guacai/guacai.c index 577c2eff..b5383c4f 100644 --- a/src/protocols/rdp/plugins/guacai/guacai.c +++ b/src/protocols/rdp/plugins/guacai/guacai.c @@ -54,9 +54,9 @@ static void guac_rdp_ai_handle_data(guac_client* client, /* Verify we have at least 1 byte in the stream (UINT8) */ if (Stream_GetRemainingLength(stream) < 1) { - guac_client_log(client, GUAC_LOG_WARNING, "Audio input stream does not " - "contain the expected number of bytes. Audio input redirection " - "may not work as expected."); + guac_client_log(client, GUAC_LOG_WARNING, "Audio input PDU header does " + "not contain the expected number of bytes. Audio input " + "redirection may not work as expected."); return; }