diff options
| author | Jay Sorg <jay.sorg@gmail.com> | 2013-09-10 22:28:30 +0400 |
|---|---|---|
| committer | Jay Sorg <jay.sorg@gmail.com> | 2013-09-13 00:47:57 +0400 |
| commit | 64e2291274063578f3f406dd0b7d1a0aa40cbc4e (patch) | |
| tree | 9d15acb49a3a84781e53f81f2fc433a3c10ec871 | |
| parent | 7ea609e91a1c3b82c2a833550417c37a7dd392db (diff) | |
VUL: check bytes remaining in xrdp_rdp_process_data_input
| -rw-r--r-- | libxrdp/xrdp_rdp.c | 8 |
1 files changed, 8 insertions, 0 deletions
diff --git a/libxrdp/xrdp_rdp.c b/libxrdp/xrdp_rdp.c index bd075a59..a1a330c2 100644 --- a/libxrdp/xrdp_rdp.c +++ b/libxrdp/xrdp_rdp.c @@ -1237,11 +1237,19 @@ xrdp_rdp_process_data_input(struct xrdp_rdp* self, struct stream* s) int param2; int time; + if (!s_check_rem(s, 4)) + { + return 1; + } in_uint16_le(s, num_events); in_uint8s(s, 2); /* pad */ DEBUG(("in xrdp_rdp_process_data_input %d events", num_events)); for (index = 0; index < num_events; index++) { + if (!s_check_rem(s, 12)) + { + return 1; + } in_uint32_le(s, time); in_uint16_le(s, msg_type); in_uint16_le(s, device_flags); |