diff --git a/src/protocols/rdp/channels/rdpdr/rdpdr-fs-messages-file-info.c b/src/protocols/rdp/channels/rdpdr/rdpdr-fs-messages-file-info.c index d5282ec1..1ea67016 100644 --- a/src/protocols/rdp/channels/rdpdr/rdpdr-fs-messages-file-info.c +++ b/src/protocols/rdp/channels/rdpdr/rdpdr-fs-messages-file-info.c @@ -137,9 +137,10 @@ void guac_rdpdr_fs_process_set_rename_info(guac_rdp_common_svc* svc, /* Check stream size prior to reading. */ if (Stream_GetRemainingLength(input_stream) < 6) { - guac_client_log(svc->client, GUAC_LOG_WARNING, "File Stream does not " - "contain the required number of bytes. File sharing may not " - "work as expected."); + guac_client_log(svc->client, GUAC_LOG_WARNING, "Server Drive Set " + "Information Request (FileRenameInformation) PDU does not " + "contain the expected number of bytes. File redirection " + "may not work as expected."); return; } @@ -148,6 +149,14 @@ void guac_rdpdr_fs_process_set_rename_info(guac_rdp_common_svc* svc, Stream_Seek_UINT8(input_stream); /* RootDirectory */ Stream_Read_UINT32(input_stream, filename_length); /* FileNameLength */ + if (Stream_GetRemainingLength(input_stream) < filename_length) { + guac_client_log(svc->client, GUAC_LOG_WARNING, "Server Drive Set " + "Information Request (FileRenameInformation) PDU does not " + "contain the expected number of bytes. File redirection " + "may not work as expected."); + return; + } + /* Convert name to UTF-8 */ guac_rdp_utf16_to_utf8(Stream_Pointer(input_stream), filename_length/2, destination_path, sizeof(destination_path)); @@ -200,6 +209,15 @@ void guac_rdpdr_fs_process_set_allocation_info(guac_rdp_common_svc* svc, UINT64 size; wStream* output_stream; + /* Check to make sure the stream has at least 8 bytes (UINT64) */ + if (Stream_GetRemainingLength(input_stream) < 8) { + guac_client_log(svc->client, GUAC_LOG_WARNING, "Server Drive Set " + "Information Request (FileAllocationInformation) PDU does not " + "contain the expected number of bytes. File redirection " + "may not work as expected."); + return; + } + /* Read new size */ Stream_Read_UINT64(input_stream, size); /* AllocationSize */ @@ -252,6 +270,15 @@ void guac_rdpdr_fs_process_set_end_of_file_info(guac_rdp_common_svc* svc, UINT64 size; wStream* output_stream; + /* Check to make sure stream contains at least 8 bytes (UINT64) */ + if (Stream_GetRemainingLength(input_stream) < 8) { + guac_client_log(svc->client, GUAC_LOG_WARNING, "Server Drive Set " + "Information Request (FileEndOfFileInformation) PDU does not " + "contain the expected number of bytes. File redirection " + "may not work as expected."); + return; + } + /* Read new size */ Stream_Read_UINT64(input_stream, size); /* AllocationSize */ diff --git a/src/protocols/rdp/channels/rdpdr/rdpdr-fs-messages.c b/src/protocols/rdp/channels/rdpdr/rdpdr-fs-messages.c index 25e1e158..facba6f3 100644 --- a/src/protocols/rdp/channels/rdpdr/rdpdr-fs-messages.c +++ b/src/protocols/rdp/channels/rdpdr/rdpdr-fs-messages.c @@ -50,9 +50,9 @@ void guac_rdpdr_fs_process_create(guac_rdp_common_svc* svc, /* Check remaining stream data prior to reading. */ if (Stream_GetRemainingLength(input_stream) < 32) { - guac_client_log(svc->client, GUAC_LOG_WARNING, "File stream does not " - "contain the expected number of bytes. File sharing may not " - "work as expected."); + guac_client_log(svc->client, GUAC_LOG_WARNING, "Server Create Drive " + "Request PDU does not contain the expected number of bytes. " + "Drive redirection may not work as expected."); return; } @@ -65,6 +65,14 @@ void guac_rdpdr_fs_process_create(guac_rdp_common_svc* svc, Stream_Read_UINT32(input_stream, create_options); Stream_Read_UINT32(input_stream, path_length); + /* Check to make sure the stream contains path_length bytes. */ + if(Stream_GetRemainingLength(input_stream) < path_length) { + guac_client_log(svc->client, GUAC_LOG_WARNING, "Server Create Drive " + "Request PDU does not contain the expected number of bytes. " + "Drive redirection may not work as expected."); + return; + } + /* Convert path to UTF-8 */ guac_rdp_utf16_to_utf8(Stream_Pointer(input_stream), path_length/2 - 1, path, sizeof(path)); @@ -133,9 +141,9 @@ void guac_rdpdr_fs_process_read(guac_rdp_common_svc* svc, /* Check remaining bytes before reading stream. */ if (Stream_GetRemainingLength(input_stream) < 12) { - guac_client_log(svc->client, GUAC_LOG_WARNING, "File Stream does not " - "contain the expected number of bytes. File sharing may not " - "work as expected."); + guac_client_log(svc->client, GUAC_LOG_WARNING, "Server Drive Read " + "Request PDU does not contain the expected number of bytes. " + "Drive redirection may not work as expected."); return; } @@ -190,9 +198,9 @@ void guac_rdpdr_fs_process_write(guac_rdp_common_svc* svc, /* Check remaining length. */ if (Stream_GetRemainingLength(input_stream) < 32) { - guac_client_log(svc->client, GUAC_LOG_WARNING, "File Stream does not " - "contain the expected number of bytes. File sharing may not " - "work as expected."); + guac_client_log(svc->client, GUAC_LOG_WARNING, "Server Drive Write " + "Request PDU does not contain the expected number of bytes. " + "Drive redirection may not work as expected."); return; } @@ -205,6 +213,14 @@ void guac_rdpdr_fs_process_write(guac_rdp_common_svc* svc, "%s: [file_id=%i] length=%i, offset=%" PRIu64, __func__, iorequest->file_id, length, (uint64_t) offset); + /* Check to make sure stream contains at least length bytes */ + if (Stream_GetRemainingLength(input_stream) < length) { + guac_client_log(svc->client, GUAC_LOG_WARNING, "Server Drive Write " + "Request PDU does not contain the expected number of bytes. " + "Drive redirection may not work as expected."); + return; + } + /* Attempt write */ bytes_written = guac_rdp_fs_write((guac_rdp_fs*) device->data, iorequest->file_id, offset, Stream_Pointer(input_stream), length); @@ -270,9 +286,9 @@ void guac_rdpdr_fs_process_volume_info(guac_rdp_common_svc* svc, /* Check remaining length */ if (Stream_GetRemainingLength(input_stream) < 4) { - guac_client_log(svc->client, GUAC_LOG_WARNING, "File Stream does not " - "contain the expected number of bytes. File sharing may not " - "work as expected."); + guac_client_log(svc->client, GUAC_LOG_WARNING, "Server Drive Query " + "Volume Information PDU does not contain the expected number " + "of bytes. Drive redirection may not work as expected."); return; } @@ -316,9 +332,9 @@ void guac_rdpdr_fs_process_file_info(guac_rdp_common_svc* svc, /* Check remaining length */ if (Stream_GetRemainingLength(input_stream) < 4) { - guac_client_log(svc->client, GUAC_LOG_WARNING, "File Stream does not " - "contain the expected number of bytes. File sharing may not " - "work as expected."); + guac_client_log(svc->client, GUAC_LOG_WARNING, "Server Drive Query " + "Information PDU does not contain the expected number of " + "bytes. Drive redirection may not work as expected."); return; } @@ -370,9 +386,9 @@ void guac_rdpdr_fs_process_set_file_info(guac_rdp_common_svc* svc, /* Check remaining length */ if (Stream_GetRemainingLength(input_stream) < 32) { - guac_client_log(svc->client, GUAC_LOG_WARNING, "File stream does not " - "contain the expected number of bytes. File sharing may not " - "work as expected."); + guac_client_log(svc->client, GUAC_LOG_WARNING, "Server Drive Set " + "Information PDU does not contain the expected number of " + "bytes. Drive redirection may not work as expected."); return; } @@ -455,9 +471,9 @@ void guac_rdpdr_fs_process_query_directory(guac_rdp_common_svc* svc, return; if (Stream_GetRemainingLength(input_stream) < 9) { - guac_client_log(svc->client, GUAC_LOG_WARNING, "File stream does not " - "contain the expected number of bytes. File sharing may not " - "work as expected."); + guac_client_log(svc->client, GUAC_LOG_WARNING, "Server Drive Query " + "Directory PDU does not contain the expected number of bytes. " + "Drive redirection may not work as expected."); return; } @@ -473,15 +489,15 @@ void guac_rdpdr_fs_process_query_directory(guac_rdp_common_svc* svc, * Check to make sure Stream has at least the 23 padding bytes in it * prior to seeking. */ - if (Stream_GetRemainingLength(input_stream) < 23) { - guac_client_log(svc->client, GUAC_LOG_WARNING, "File stream does " - "not contain the expected number of bytes. File sharing " - "may not work as expected."); + if (Stream_GetRemainingLength(input_stream) < (23 + path_length)) { + guac_client_log(svc->client, GUAC_LOG_WARNING, "Server Drive Query " + "Directory PDU does not contain the expected number of " + "bytes. Drive redirection may not work as expected."); return; } Stream_Seek(input_stream, 23); /* Padding */ - + /* Convert path to UTF-8 */ guac_rdp_utf16_to_utf8(Stream_Pointer(input_stream), path_length/2 - 1, file->dir_pattern, sizeof(file->dir_pattern)); diff --git a/src/protocols/rdp/channels/rdpdr/rdpdr-messages.c b/src/protocols/rdp/channels/rdpdr/rdpdr-messages.c index 213da916..c03d0b95 100644 --- a/src/protocols/rdp/channels/rdpdr/rdpdr-messages.c +++ b/src/protocols/rdp/channels/rdpdr/rdpdr-messages.c @@ -249,9 +249,9 @@ void guac_rdpdr_process_device_reply(guac_rdp_common_svc* svc, /* Stream should contain at least 8 bytes (UINT32 + UINT32 ) */ if (Stream_GetRemainingLength(input_stream) < 8) { - guac_client_log(svc->client, GUAC_LOG_WARNING, "Device Stream does not " - "contain the expected number of bytes. Device redirection may " - "not work."); + guac_client_log(svc->client, GUAC_LOG_WARNING, "Server Device Announce" + "Response PDU does not contain the expected number of bytes." + "Device redirection may not work as expected."); return; } @@ -292,9 +292,9 @@ void guac_rdpdr_process_device_iorequest(guac_rdp_common_svc* svc, /* Check to make sure the Stream contains at least 20 bytes (5 x UINT32 ). */ if (Stream_GetRemainingLength(input_stream) < 20) { - guac_client_log(svc->client, GUAC_LOG_WARNING, "Device Stream does not " - "contain the expected number of bytes. Device redirection may " - "not work as expected."); + guac_client_log(svc->client, GUAC_LOG_WARNING, "Device I/O Request PDU " + "does not contain the expected number of bytes. Device " + "redirection may not work as expected."); return; } @@ -328,9 +328,9 @@ void guac_rdpdr_process_server_capability(guac_rdp_common_svc* svc, /* Check to make sure the Stream has at least 4 bytes (UINT16 + 2) */ if (Stream_GetRemainingLength(input_stream) < 4) { - guac_client_log(svc->client, GUAC_LOG_WARNING, "Redirection Stream " - "does not contain the expected number of bytes. Device " - "redirection may not work as expected."); + guac_client_log(svc->client, GUAC_LOG_WARNING, "Server Core Capability " + "Request PDU does not contain the expected number of bytes." + "Device redirection may not work as expected."); return; } @@ -346,9 +346,10 @@ void guac_rdpdr_process_server_capability(guac_rdp_common_svc* svc, /* Make sure Stream has at least 4 bytes (UINT16 + UINT16) */ if (Stream_GetRemainingLength(input_stream) < 4) { - guac_client_log(svc->client, GUAC_LOG_WARNING, "Redirection Stream " - "does not contain the expected number of bytes. Device " - "redirection may not work as expected."); + guac_client_log(svc->client, GUAC_LOG_WARNING, "Server Core " + "Capability Request PDU does not contain the expected " + "number of bytes. Device redirection may not work as " + "expected."); break; } @@ -357,9 +358,10 @@ void guac_rdpdr_process_server_capability(guac_rdp_common_svc* svc, /* Make sure Stream has required length remaining for Seek below. */ if (Stream_GetRemainingLength(input_stream) < (length - 4)) { - guac_client_log(svc->client, GUAC_LOG_WARNING, "Redirection Stream " - "does not contain the expected number of bytes. Device " - "redirection may not work as expected."); + guac_client_log(svc->client, GUAC_LOG_WARNING, "Server Core " + "Capability Request PDU does not contain the expected " + "number of bytes. Device redirection may not work as " + "expected."); break; } diff --git a/src/protocols/rdp/channels/rdpdr/rdpdr-printer.c b/src/protocols/rdp/channels/rdpdr/rdpdr-printer.c index f810143c..4ff70535 100644 --- a/src/protocols/rdp/channels/rdpdr/rdpdr-printer.c +++ b/src/protocols/rdp/channels/rdpdr/rdpdr-printer.c @@ -69,9 +69,9 @@ void guac_rdpdr_process_print_job_write(guac_rdp_common_svc* svc, /* Verify that Stream contains at least 32 bytes (UINT32 + 8 + 20) */ if (Stream_GetRemainingLength(input_stream) < 32) { - guac_client_log(client, GUAC_LOG_WARNING, "Printer Stream does not " - "contain the required number of bytes. Print redirection may " - "not work as expected."); + guac_client_log(client, GUAC_LOG_WARNING, "Print job write stream does " + "not contain the expected number of bytes. Printer redirection " + "may not work as expected."); return; } @@ -81,6 +81,14 @@ void guac_rdpdr_process_print_job_write(guac_rdp_common_svc* svc, Stream_Seek(input_stream, 20); /* Padding */ buffer = Stream_Pointer(input_stream); + /* Verify the stream has at least length number of bytes remaining. */ + if (Stream_GetRemainingLength(input_stream) < length) { + guac_client_log(client, GUAC_LOG_WARNING, "Print job write stream does " + "not contain the expected number of bytes. Printer redirection " + "may not work as expected."); + return; + } + /* Write data only if job exists, translating status for RDP */ if (job != NULL && (length = guac_rdp_print_job_write(job, buffer, length)) >= 0) { diff --git a/src/protocols/rdp/channels/rdpdr/rdpdr.c b/src/protocols/rdp/channels/rdpdr/rdpdr.c index 5be2c813..d01abf42 100644 --- a/src/protocols/rdp/channels/rdpdr/rdpdr.c +++ b/src/protocols/rdp/channels/rdpdr/rdpdr.c @@ -44,8 +44,8 @@ void guac_rdpdr_process_receive(guac_rdp_common_svc* svc, */ if (Stream_GetRemainingLength(input_stream) < 4) { guac_client_log(svc->client, GUAC_LOG_WARNING, "Device redirection " - "Stream does not contain the required number of bytes. Device " - "redirection may not function as expected."); + "channel receive Stream does not contain the expected number " + "of bytes. Device redirection may not function as expected."); return; } diff --git a/src/protocols/rdp/channels/rdpsnd/rdpsnd-messages.c b/src/protocols/rdp/channels/rdpsnd/rdpsnd-messages.c index af847022..be3a3772 100644 --- a/src/protocols/rdp/channels/rdpsnd/rdpsnd-messages.c +++ b/src/protocols/rdp/channels/rdpsnd/rdpsnd-messages.c @@ -52,9 +52,9 @@ void guac_rdpsnd_formats_handler(guac_rdp_common_svc* svc, /* Check to make sure the stream has at least 20 bytes, which */ if (Stream_GetRemainingLength(input_stream) < 20) { - guac_client_log(client, GUAC_LOG_WARNING, "Audio Stream does not " - "contain the expected number of bytes. Sound may not work as " - "expected."); + guac_client_log(client, GUAC_LOG_WARNING, "Server Audio Formats and " + "Version PDU does not contain the expected number of bytes. " + "Audio redirection may not work as expected."); return; } @@ -106,9 +106,10 @@ void guac_rdpsnd_formats_handler(guac_rdp_common_svc* svc, /* Check to make sure Stream has at least 18 bytes. */ if (Stream_GetRemainingLength(input_stream) < 18) { - guac_client_log(client, GUAC_LOG_WARNING, "Audio Stream does " - "not contain the expected number of bytes. Sound may " - "not work as expected."); + guac_client_log(client, GUAC_LOG_WARNING, "Server Audio " + "Formats and Version PDU does not contain the expected " + "number of bytes. Audio redirection may not work as " + "expected."); return; } @@ -125,9 +126,10 @@ void guac_rdpsnd_formats_handler(guac_rdp_common_svc* svc, /* Check that Stream has at least body_size bytes remaining. */ if (Stream_GetRemainingLength(input_stream) < body_size) { - guac_client_log(client, GUAC_LOG_WARNING, "Audio Stream does " - "not contain the expected number of bytes. Sound may " - "not work as expected."); + guac_client_log(client, GUAC_LOG_WARNING, "Server Audio " + "Formats and Version PDU does not contain the expected " + "number of bytes. Audio redirection may not work as " + "expected."); return; } @@ -232,9 +234,9 @@ void guac_rdpsnd_training_handler(guac_rdp_common_svc* svc, /* Check to make sure audio stream contains a minimum number of bytes. */ if (Stream_GetRemainingLength(input_stream) < 4) { - guac_client_log(svc->client, GUAC_LOG_WARNING, "Audio Stream does not " - "contain the expected number of bytes. Sound may not work as " - "expected."); + guac_client_log(svc->client, GUAC_LOG_WARNING, "Audio Training PDU " + "does not contain the expected number of bytes. Audio " + "redirection may not work as expected."); return; } @@ -267,9 +269,9 @@ void guac_rdpsnd_wave_info_handler(guac_rdp_common_svc* svc, /* Check to make sure audio stream contains a minimum number of bytes. */ if (Stream_GetRemainingLength(input_stream) < 12) { - guac_client_log(svc->client, GUAC_LOG_WARNING, "Audio stream does not " - "contain the expected number of bytes. Sound may not work as " - "expected."); + guac_client_log(svc->client, GUAC_LOG_WARNING, "Audio WaveInfo PDU " + "does not contain the expected number of bytes. Sound may not " + "work as expected."); return; } @@ -310,9 +312,9 @@ void guac_rdpsnd_wave_handler(guac_rdp_common_svc* svc, /* Verify we have at least 4 bytes, which is manually copied below. */ if (Stream_Length(input_stream) < 4) { - guac_client_log(svc->client, GUAC_LOG_WARNING, "Sound stream does not " - "contain the expected number of bytes. Sound may not work as " - "expected."); + guac_client_log(svc->client, GUAC_LOG_WARNING, "Audio Wave PDU does " + "not contain the expected number of bytes. Sound may not work " + "as expected."); return; } diff --git a/src/protocols/rdp/channels/rdpsnd/rdpsnd.c b/src/protocols/rdp/channels/rdpsnd/rdpsnd.c index 6050ddb4..2950d1fd 100644 --- a/src/protocols/rdp/channels/rdpsnd/rdpsnd.c +++ b/src/protocols/rdp/channels/rdpsnd/rdpsnd.c @@ -38,8 +38,8 @@ void guac_rdpsnd_process_receive(guac_rdp_common_svc* svc, /* Check that we at least the 4 byte header (UINT8 + UINT8 + UINT16) */ if (Stream_GetRemainingLength(input_stream) < 4) { guac_client_log(svc->client, GUAC_LOG_WARNING, "Audio Stream does not " - "contain the expected number of bytes. Sound may not work as " - "expected."); + "contain the expected number of bytes. Audio redirection may " + "not work as expected."); return; } diff --git a/src/protocols/rdp/plugins/guacai/guacai-messages.c b/src/protocols/rdp/plugins/guacai/guacai-messages.c index 1b15ef72..7ac0fb0b 100644 --- a/src/protocols/rdp/plugins/guacai/guacai-messages.c +++ b/src/protocols/rdp/plugins/guacai/guacai-messages.c @@ -239,9 +239,9 @@ void guac_rdp_ai_process_version(guac_client* client, /* Verify we have at least 4 bytes available (UINT32) */ if (Stream_GetRemainingLength(stream) < 4) { - guac_client_log(client, GUAC_LOG_WARNING, "Audio input stream does not " - "contain the expected number of bytes. Audio input may not " - "work as expected."); + guac_client_log(client, GUAC_LOG_WARNING, "Audio input Versoin PDU " + "does not contain the expected number of bytes. Audio input " + "redirection may not work as expected."); return; } @@ -273,9 +273,9 @@ void guac_rdp_ai_process_formats(guac_client* client, /* Verify we have at least 8 bytes available (2 x UINT32) */ if (Stream_GetRemainingLength(stream) < 8) { - guac_client_log(client, GUAC_LOG_WARNING, "Audio input stream does not " - "contain the expected number of bytes. Audio input may not " - "work as expected."); + guac_client_log(client, GUAC_LOG_WARNING, "Audio input Sound Formats " + "PDU does not contain the expected number of bytes. Audio " + "input redirection may not work as expected."); return; } @@ -329,9 +329,9 @@ void guac_rdp_ai_process_open(guac_client* client, /* Verify we have at least 8 bytes available (2 x UINT32) */ if (Stream_GetRemainingLength(stream) < 8) { - guac_client_log(client, GUAC_LOG_WARNING, "Audio input stream does not " - "contain the expected number of bytes. Audio input may not " - "work as expected."); + guac_client_log(client, GUAC_LOG_WARNING, "Audio input Open PDU does " + "not contain the expected number of bytes. Audio input " + "redirection may not work as expected."); return; } diff --git a/src/protocols/rdp/plugins/guacai/guacai.c b/src/protocols/rdp/plugins/guacai/guacai.c index b0b0cb0d..577c2eff 100644 --- a/src/protocols/rdp/plugins/guacai/guacai.c +++ b/src/protocols/rdp/plugins/guacai/guacai.c @@ -55,8 +55,8 @@ static void guac_rdp_ai_handle_data(guac_client* client, /* Verify we have at least 1 byte in the stream (UINT8) */ if (Stream_GetRemainingLength(stream) < 1) { guac_client_log(client, GUAC_LOG_WARNING, "Audio input stream does not " - "contain the expected number of bytes. Audio input may not " - "work as expected."); + "contain the expected number of bytes. Audio input redirection " + "may not work as expected."); return; }