mike-jumper commented on a change in pull request #274: URL: https://github.com/apache/guacamole-server/pull/274#discussion_r419753435
########## File path: src/protocols/rdp/channels/rdpsnd/rdpsnd.c ##########
@@ -48,6 +52,10 @@ void guac_rdpsnd_process_receive(guac_rdp_common_svc* svc, guac_rdpsnd_wave_handler(svc, input_stream, &header); return; } + + /* Check body size */ + if (Stream_GetRemainingLength(input_stream) < header.body_size)

Review comment:
Yeah, I think so. The value of `body_size` is needed, but as it doesn't (necessarily) correspond to the size of the PDU, it can't really be used as a sanity check for PDU size. I think the critical thing is simply that a check of remaining buffer size is made before any attempt to read/seek through a block of the input stream. In the case of the code above, this would be both within that function (making sure there is enough space for the header that the function reads) and within the PDU-specific handlers invoked by that function (making sure there is enough space for whatever data those handlers read, which only those handlers should be aware of).
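
Review bot: The added `Stream_GetRemainingLength(input_stream) < header.body_size` test sits after the `return` that closes the `guac_rdpsnd_wave_handler(svc, input_stream, &header)` branch, so wave PDUs never reach it and that handler gets no length validation from this function. Since `header.body_size` is itself taken from the stream, comparing against it here only helps the handlers that fall through to this point; consider having each handler check the remaining length for exactly the bytes it reads, and confirm that the read which populates `header` earlier in this function is guarded the same way, which this hunk does not show. The `/* Check body size */` comment would also be more useful if it said what happens to the PDU when the check fails.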
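
The layering described in the comment above, as an added example that is not part of the original message or of the guacamole-server code: the dispatcher checks only for the header it reads, and the handler checks for each block it reads. The `stream_t` type, the function names, the `EX_TYPE_BLOB` value and the body layout (16-bit tag, 16-bit length, data) are assumptions made for illustration, as is the 4-byte header of type, pad and little-endian body size.

```c
#include <stddef.h>
#include <stdint.h>

/* Hypothetical minimal input stream, standing in for the real stream type. */
typedef struct { const uint8_t* p; size_t left; } stream_t;

/* Every read goes through here: fail unless n bytes remain. */
static int take(stream_t* s, size_t n, const uint8_t** out) {
    if (s->left < n) return 0;
    *out = s->p; s->p += n; s->left -= n;
    return 1;
}

static uint16_t le16(const uint8_t* b) { return (uint16_t)(b[0] | (b[1] << 8)); }

typedef struct { uint8_t type; uint16_t body_size; } header_t;
enum { PDU_OK = 0, PDU_TRUNCATED = -1, PDU_UNKNOWN = -2 };
enum { EX_TYPE_BLOB = 0x06 }; /* assumed type value, for the example only */

/* PDU-specific handler: only it knows the body is 4 fixed bytes followed by
 * a length-prefixed blob, so it checks space for each part before reading. */
static int handle_blob(stream_t* s, const header_t* h) {
    const uint8_t *fixed, *data;
    (void)h; /* body_size is not trusted as a bound on the buffer */
    if (!take(s, 4, &fixed)) return PDU_TRUNCATED;
    if (!take(s, le16(fixed + 2), &data)) return PDU_TRUNCATED;
    (void)data; /* a real handler would consume the blob here */
    return PDU_OK;
}

/* Dispatcher: checks space for the 4-byte header it reads, nothing more. */
int process_receive(const uint8_t* buf, size_t len) {
    stream_t s = { buf, len };
    const uint8_t* raw;
    header_t h;
    if (!take(&s, 4, &raw)) return PDU_TRUNCATED;
    h.type = raw[0];
    h.body_size = le16(raw + 2);
    if (h.type == EX_TYPE_BLOB) return handle_blob(&s, &h);
    return PDU_UNKNOWN;
}

/* Constructed sample PDUs (not captured traffic). */
static const uint8_t SAMPLE_OK[]       = { 0x06, 0, 7, 0,  1, 0,  3, 0,  'a', 'b', 'c' };
static const uint8_t SAMPLE_SHORT_HDR[] = { 0x06, 0, 7 };
static const uint8_t SAMPLE_BAD_LEN[]  = { 0x06, 0, 7, 0,  1, 0,  0xFF, 0xFF,  'a' };
static const uint8_t SAMPLE_UNKNOWN[]  = { 0x7F, 0, 0, 0 };
```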