necouchman commented on a change in pull request #274:
URL: https://github.com/apache/guacamole-server/pull/274#discussion_r419550072
##########
File path: src/protocols/rdp/channels/rdpsnd/rdpsnd.c
##########
@@ -35,11 +35,23 @@ void guac_rdpsnd_process_receive(guac_rdp_common_svc* svc,
guac_rdpsnd* rdpsnd = (guac_rdpsnd*) svc->data;
guac_rdpsnd_pdu_header header;
+ /* Check that we at least have a header. */
+ if (Stream_GetRemainingLength(input_stream) < 4)
+ return;
+
/* Read RDPSND PDU header */
Stream_Read_UINT8(input_stream, header.message_type);
Stream_Seek_UINT8(input_stream);
Stream_Read_UINT16(input_stream, header.body_size);
-
+
+ if (Stream_GetRemainingLength(input_stream) < header.body_size) {
+ guac_client_log(svc->client, GUAC_LOG_DEBUG, "Not enough bytes in
stream."
+ " Remaining: %d, Body size: %d",
+ Stream_GetRemainingLength(input_stream),
+ header.body_size);
+ return;
+ }
Review comment:
Actually, looking further at the code, it looks like each of the
functions that are called in the switch statement already do the Stream size
verification prior to reading, so maybe there's no need to do it, here??
* `guac_rdpsnd_wave_handler()` is doing Stream write operations, not reads.
* `guac_rdpsnd_formats_handler`, `guac_rdpsnd_training_handler`, and
`guac_rdpsnd_wave_info_handler` already do the check.
* `guac_rdpsnd_close_handler` doesn't do any reads (or anything else).
So, seems like checking within this function may not be necessary?
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
[email protected]
