
#219 Crashes upon reception of message from Windows Server 2008 R2 Enterprise

Unstable_(example)
closed-fixed
nobody
5
2014-08-12
2013-02-06
No

rdesktop 1.7.1 (SVN trunk) crashes upon reception of message from Windows Server 2008 R2 Enterprise.

    --- rdpdr_process ---
    0000 72 44 52 49 ff ff ff ff 01 00 00 00 02 00 00 00 rDRI............
    0010 03 00 00 00 00 00 00 00 00 02 00 00 00 00 00 00 ................
    0020 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
    0030 00 00 00 00 00 00 00 00 ........

This message is handled in rdpdr.c:

    static void
    rdpdr_process_irp(STREAM s)
    {

Pretty early in this procedure the 'device' is read from the stream:

    in_uint32_le(s, device);

Then, without any sanitizing, the device is used to address the fixed-length array g_rdpdr_device:

    switch (g_rdpdr_device[device].device_type)

In the message sent by the server, the value for device is 0xFFFFFFFF, which is clearly out of bounds.

The following lines do some sanitizing and drop the message with an error:

    buffer[0] = 0;

    if ((device<0) || (device>=RDPDR_MAX_DEVICES)) {
            error("IRP for bad device %ld\n", device);
            return;
    }

    switch (g_rdpdr_device[device].device_type)

1 Attachments

Discussion

  • RoadRunnersWife - 2013-02-06

    BTW. Copyleft on the snippet, feel free to use for any purpose, blah blah, I am not responsible, blah blah.

     
  • David Fries - 2013-03-20

    I ran into the same problem, only connecting to Windows 7 Enterprise, Service Pack 1. The patch posted above leaks memory in buffer; here is a version that doesn't and fixes another memory leak. It would be nice to know why this is failing, but I don't know enough about the protocol to say.

     
  • Henrik Andersson

    • status: open-fixed --> closed-fixed
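
An added example, not rdesktop's code and not the patch attached to this ticket, of the two points raised in the report and in David Fries' comment: the device index read from the server is range-checked before it indexes the array, and the buffer is allocated only after that check, so the early return has nothing to leak. The `stream` struct, `irp_device_type`, and the value 16 for `RDPDR_MAX_DEVICES` are assumptions of this example; the input is constructed from the first bytes of the dump in the report.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#define RDPDR_MAX_DEVICES 16            /* assumed value for this example */
struct device { uint32_t device_type; };
static struct device g_rdpdr_device[RDPDR_MAX_DEVICES];

/* Hypothetical stand-in for rdesktop's STREAM: a cursor plus an end pointer. */
struct stream { const uint8_t *p, *end; };

/* Read a little-endian uint32; fail instead of reading past the end. */
static int read_u32_le(struct stream *s, uint32_t *out)
{
    if ((size_t)(s->end - s->p) < 4)
        return -1;
    *out = (uint32_t)s->p[0] | (uint32_t)s->p[1] << 8 |
           (uint32_t)s->p[2] << 16 | (uint32_t)s->p[3] << 24;
    s->p += 4;
    return 0;
}

/* Returns the device type for the IRP, or -1 if the message is dropped. */
static long irp_device_type(const uint8_t *msg, size_t len)
{
    struct stream s = { msg, msg + len };
    uint32_t header, device;
    uint8_t *buffer;
    long type;

    if (read_u32_le(&s, &header) || read_u32_le(&s, &device))
        return -1;                      /* truncated message */
    if (device >= RDPDR_MAX_DEVICES)    /* unsigned, so "< 0" cannot occur */
        return -1;                      /* dropped before anything is allocated */
    buffer = calloc(1, 1024);           /* stands in for the reply buffer */
    if (buffer == NULL)
        return -1;
    type = (long)g_rdpdr_device[device].device_type;
    free(buffer);                       /* every exit after calloc frees it */
    return type;
}

/* Constructed input: first 12 bytes of the dump, device = 0xFFFFFFFF. */
static const uint8_t bad_irp[] = { 0x72,0x44,0x52,0x49, 0xff,0xff,0xff,0xff, 1,0,0,0 };

int main(void)
{
    printf("%ld\n", irp_device_type(bad_irp, sizeof bad_irp));
    return 0;
}
```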