Headline
CVE-2020-11048: memory out of bounds read in rdp_read_flow_control_pdu · Issue #6007 · FreeRDP/FreeRDP
In FreeRDP after 1.0 and before 2.0.0, there is an out-of-bounds read. It only allows aborting a session; no data extraction is possible. This has been fixed in 2.0.0.
version
https://github.com/FreeRDP/FreeRDP/blob/9ef1e81c559bb19d613b4da2d68908ea5d7f9259/libfreerdp/core/rdp.c#L1129
vuln code
rdp_read_share_control_header reads 2 bytes (totalLength) from the stream; if *length == 0x8000, it calls rdp_read_flow_control_pdu.
BOOL rdp_read_share_control_header(wStream* s, UINT16* length, UINT16* type, UINT16* channel_id)
{
    /* Only the 2-byte totalLength is bounds-checked here */
    if (Stream_GetRemainingLength(s) < 2)
        return FALSE;

    Stream_Read_UINT16(s, *length); /* totalLength */

    if (*length == 0x8000)
    {
        rdp_read_flow_control_pdu(s, type); /* vuln function: consumes 6 more bytes with no length check */
        /* ... rest of the function not shown here */
rdp_read_flow_control_pdu reads 1 byte and then seeks several more bytes from the stream without checking the remaining length. This can leave _s->pointer - _s->buffer > _s->length, after which the remaining-length checks in other functions can fail to catch the overrun.
void rdp_read_flow_control_pdu(wStream* s, UINT16* type)
{
    UINT8 pduType;
    /* No Stream_GetRemainingLength() check: 6 bytes are consumed unconditionally */
    Stream_Read_UINT8(s, pduType);  /* pduTypeFlow */
    *type = pduType;
    Stream_Seek_UINT8(s);           /* pad8bits */
    Stream_Seek_UINT8(s);           /* flowIdentifier */
    Stream_Seek_UINT8(s);           /* flowNumber */
    Stream_Seek_UINT16(s);          /* pduSource */
}
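The following is an added, self-contained C example (not FreeRDP's code) that models the two functions above with a minimal stand-in for winpr's wStream, so the failure mode described in the report can be observed without the library. It places the vulnerable parser beside a hardened one that checks for all 6 bytes before consuming them, and shows why a later remaining-length check is defeated: with the subtraction form of Stream_GetRemainingLength (assumed here to be `length - (pointer - buffer)`), a cursor that has already passed the end wraps the size_t result to a huge value. The MiniStream type, the function names, the little-endian header encoding and the 8-byte sample PDU are all constructed for this example; the backing arrays are padded so the demonstration itself never reads memory it does not own.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Minimal stand-in for winpr's wStream (assumption: modelled on the fields
 * buffer/pointer/length that the report refers to; not FreeRDP code). */
typedef struct
{
    uint8_t* buffer;
    uint8_t* pointer;
    size_t length;
} MiniStream;

/* Remaining length as an unchecked subtraction (assumed shape of the macro).
 * Once pointer - buffer > length, the size_t result wraps to a huge value,
 * so every later "remaining < N" check passes when it should fail. */
static size_t remaining_unchecked(const MiniStream* s)
{
    return s->length - (size_t)(s->pointer - s->buffer);
}

/* Vulnerable shape, mirroring rdp_read_flow_control_pdu in the report:
 * consumes 6 bytes without verifying that they exist. */
static void flow_control_pdu_vulnerable(MiniStream* s, uint16_t* type)
{
    *type = *s->pointer; /* pduTypeFlow */
    s->pointer += 1;
    s->pointer += 1;     /* pad8bits */
    s->pointer += 1;     /* flowIdentifier */
    s->pointer += 1;     /* flowNumber */
    s->pointer += 2;     /* pduSource */
}

/* Hardened shape: check all 6 bytes up front and report failure to the
 * caller instead of silently advancing past the end of the buffer. */
static bool flow_control_pdu_checked(MiniStream* s, uint16_t* type)
{
    if (remaining_unchecked(s) < 6)
        return false;
    *type = *s->pointer; /* pduTypeFlow */
    s->pointer += 6;     /* pduTypeFlow, pad8bits, flowIdentifier, flowNumber, pduSource */
    return true;
}

/* Share-control header as in the report: read totalLength, branch on 0x8000.
 * Non-flow-control PDUs are outside this example and are simply rejected. */
static bool share_control_header(MiniStream* s, uint16_t* type, bool hardened)
{
    if (remaining_unchecked(s) < 2)
        return false;
    uint16_t length = (uint16_t)(s->pointer[0] | (s->pointer[1] << 8)); /* little endian */
    s->pointer += 2;
    if (length != 0x8000)
        return false;
    if (hardened)
        return flow_control_pdu_checked(s, type);
    flow_control_pdu_vulnerable(s, type);
    return true;
}

/* Bytes the vulnerable parser consumed beyond the declared stream length.
 * Constructed input: only the 2-byte totalLength (0x8000) is "on the wire". */
size_t vulnerable_overrun_bytes(void)
{
    uint8_t buf[16] = { 0x00, 0x80 }; /* padded backing array keeps the demo memory-safe */
    MiniStream s = { buf, buf, 2 };
    uint16_t type = 0;
    share_control_header(&s, &type, false);
    return (size_t)(s.pointer - s.buffer) - s.length; /* 6 */
}

/* What a later remaining-length check sees after that overrun: a wrapped size_t. */
size_t vulnerable_remaining_after(void)
{
    uint8_t buf[16] = { 0x00, 0x80 };
    MiniStream s = { buf, buf, 2 };
    uint16_t type = 0;
    share_control_header(&s, &type, false);
    return remaining_unchecked(&s); /* (size_t)-6, i.e. SIZE_MAX - 5 */
}

/* The hardened parser refuses the same truncated input and leaves the cursor
 * exactly at the end of the 2-byte header. */
bool hardened_rejects_short_pdu(void)
{
    uint8_t buf[16] = { 0x00, 0x80 };
    MiniStream s = { buf, buf, 2 };
    uint16_t type = 0;
    bool ok = share_control_header(&s, &type, true);
    return !ok && (s.pointer - s.buffer) == 2;
}

/* A complete 8-byte flow-control PDU (constructed values) is still accepted,
 * with pduTypeFlow extracted and the whole stream consumed. */
bool hardened_accepts_full_pdu(uint16_t* type_out)
{
    uint8_t buf[8] = { 0x00, 0x80, 0x41, 0x00, 0x01, 0x02, 0x03, 0x04 };
    MiniStream s = { buf, buf, sizeof buf };
    uint16_t type = 0;
    bool ok = share_control_header(&s, &type, true);
    if (type_out)
        *type_out = type;
    return ok && remaining_unchecked(&s) == 0;
}

int main(void)
{
    uint16_t t = 0;
    printf("vulnerable overrun: %zu bytes, wrapped remaining: %zu\n",
           vulnerable_overrun_bytes(), vulnerable_remaining_after());
    printf("hardened rejects short PDU: %d, accepts full PDU: %d (type 0x%02x)\n",
           hardened_rejects_short_pdu(), hardened_accepts_full_pdu(&t), t);
    return 0;
}
```

The design point is the one the 2.0.0 fix makes in spirit: a parser that consumes a fixed-size structure must check the whole structure's size before the first read and return a failure its caller propagates, rather than advancing the cursor and relying on downstream checks that an already-overrun stream can no longer satisfy.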