GUACAMOLE-979: RDP settings strings may be double-freed


    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Minor
    • Resolution: Fixed
    • Affects Version/s: 1.1.0
    • Fix Version/s: 1.2.0
    • Component/s: RDP
    • Labels: None

      Description

      As of 1.1.0, a double-free may occur during cleanup of an RDP connection if RemoteApp was used:

      guacd[6]: INFO:	Guacamole proxy daemon (guacd) version 1.1.0 started
      guacd[6]: INFO:	Listening on host 0.0.0.0, port 4822
      guacd[6]: INFO:	Creating new client for protocol "rdp"
      guacd[6]: INFO:	Connection ID is "$c97abf6d-0ed5-4be2-bec7-c0be3fcd9ac6"
      guacd[254]: INFO:	Security mode: NLA
      guacd[254]: INFO:	Resize method: none
      guacd[254]: INFO:	User "@c2acad05-7635-4de6-8741-661c65cce4a0" joined connection "$c97abf6d-0ed5-4be2-bec7-c0be3fcd9ac6" (1 users now present)
      guacd[254]: INFO:	Loading keymap "base"
      guacd[254]: INFO:	Loading keymap "en-us-qwerty"
      guacd[254]: INFO:	Connected to RDPDR 1.13 as client 0x0008
      guacd[254]: INFO:	Connected to RDPDR 1.13 as client 0x0007
      guacd[254]: INFO:	RDPDR user logged on
      guacd[254]: INFO:	RDP server closed connection: Manually disconnected.
      guacd[254]: INFO:	User "@c2acad05-7635-4de6-8741-661c65cce4a0" disconnected (0 users remain)
      guacd[254]: INFO:	Last user of connection "$c97abf6d-0ed5-4be2-bec7-c0be3fcd9ac6" disconnected
      guacd[254]: INFO:	Internal RDP client disconnected
      double free or corruption (fasttop)
      guacd[6]: INFO:	Connection "$c97abf6d-0ed5-4be2-bec7-c0be3fcd9ac6" removed.
      

      The double-free occurs within guac_rdp_settings_free():

      Thread 2.15 "guacd" received signal SIGABRT, Aborted.
      [Switching to Thread 0x7fbcfbfff700 (LWP 556)]
      __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50
      50	../sysdeps/unix/sysv/linux/raise.c: No such file or directory.
      (gdb) bt
      ...
      #5  0x00007fbd005a60bd in guac_rdp_settings_free (settings=0x7fbcf400d200)
          at settings.c:1018
      #6  0x00007fbd005a056d in guac_rdp_client_free_handler (client=<optimized out>)
          at client.c:179
      #7  0x00007fbd029f5442 in guac_client_free (client=0x7fbcfc00b2f0)
          at client.c:195
      #8  0x000055b87847e5c5 in guacd_client_free_thread (data=0x7fbd00dcac40)
          at proc.c:219
      #9  0x00007fbd02606fa3 in start_thread (arg=<optimized out>)
          at pthread_create.c:486
      #10 0x00007fbd01f434cf in clone ()
          at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95
      (gdb) 
      

      The relevant line is where settings->remote_app is being freed:

          /* Free settings strings */
      ...
          free(settings->remote_app); // <--- Line 1018
          free(settings->remote_app_args);
          free(settings->remote_app_dir);
      

      It appears that the RAIL channel implementation within FreeRDP 2.0.0 now automatically frees these strings, resulting in a double-free when we attempt to do the same.
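The three ways the handoff can be arranged, as an added example that is not Guacamole or FreeRDP code. The structs, field names and push functions below are hypothetical stand-ins for guac_rdp_settings and the library-side settings the RAIL channel frees on disconnect; they model only the ownership question the report raises: if guacd hands the library the same heap pointers it still holds, both teardown paths free each string once. The example counts how many strings would be freed twice under each strategy instead of actually performing the second free.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-ins (not the real guac_rdp_settings / rdpSettings). */
typedef struct {
    char *remote_app;
    char *remote_app_args;
    char *remote_app_dir;
} guac_settings_t;

typedef struct {
    char *RemoteApplicationProgram;
    char *RemoteApplicationCmdLine;
    char *RemoteApplicationWorkingDir;
} lib_settings_t;

/* Portable strdup() replacement so the example builds under strict -std=c11. */
static char *copy_string(const char *src) {
    if (src == NULL) return NULL;
    size_t len = strlen(src) + 1;
    char *dst = malloc(len);
    if (dst != NULL) memcpy(dst, src, len);
    return dst;
}

/* Models the library side described in the report: on disconnect it frees
 * whatever string pointers it was handed. */
void lib_settings_free(lib_settings_t *lib) {
    free(lib->RemoteApplicationProgram);
    free(lib->RemoteApplicationCmdLine);
    free(lib->RemoteApplicationWorkingDir);
    memset(lib, 0, sizeof(*lib));
}

/* Models guac_rdp_settings_free(): frees the strings guacd allocated.
 * free(NULL) is a no-op, so fields cleared by an ownership transfer are safe. */
void guac_settings_free(guac_settings_t *s) {
    free(s->remote_app);
    free(s->remote_app_args);
    free(s->remote_app_dir);
    memset(s, 0, sizeof(*s));
}

/* Pattern 1 (the double-free): alias the pointers guacd still owns. */
void push_settings_shared(guac_settings_t *s, lib_settings_t *lib) {
    lib->RemoteApplicationProgram   = s->remote_app;
    lib->RemoteApplicationCmdLine   = s->remote_app_args;
    lib->RemoteApplicationWorkingDir = s->remote_app_dir;
}

/* Pattern 2 (copy): the library gets its own copies; each side frees only
 * what it allocated. */
void push_settings_copy(guac_settings_t *s, lib_settings_t *lib) {
    lib->RemoteApplicationProgram   = copy_string(s->remote_app);
    lib->RemoteApplicationCmdLine   = copy_string(s->remote_app_args);
    lib->RemoteApplicationWorkingDir = copy_string(s->remote_app_dir);
}

/* Pattern 3 (transfer): move ownership to the library and clear guacd's
 * pointers so guac_settings_free() has nothing left to free. */
void push_settings_transfer(guac_settings_t *s, lib_settings_t *lib) {
    lib->RemoteApplicationProgram   = s->remote_app;      s->remote_app      = NULL;
    lib->RemoteApplicationCmdLine   = s->remote_app_args; s->remote_app_args = NULL;
    lib->RemoteApplicationWorkingDir = s->remote_app_dir; s->remote_app_dir  = NULL;
}

/* Number of heap strings held by both structures at once, i.e. the number
 * of frees that would happen twice when both teardown paths run. */
int count_aliased(const guac_settings_t *s, const lib_settings_t *lib) {
    int n = 0;
    if (s->remote_app      && s->remote_app      == lib->RemoteApplicationProgram)    n++;
    if (s->remote_app_args && s->remote_app_args == lib->RemoteApplicationCmdLine)    n++;
    if (s->remote_app_dir  && s->remote_app_dir  == lib->RemoteApplicationWorkingDir) n++;
    return n;
}

/* Runs one push strategy over constructed sample settings (not taken from a
 * real connection) and returns how many strings would be freed twice. The
 * library side always frees; guacd's free is skipped when anything is shared
 * so the demo itself does not corrupt the heap. */
int aliased_after(void (*push)(guac_settings_t *, lib_settings_t *)) {
    guac_settings_t s = { copy_string("||notepad"), copy_string("C:\\notes.txt"),
                          copy_string("C:\\") };
    lib_settings_t lib = { NULL, NULL, NULL };
    push(&s, &lib);
    int n = count_aliased(&s, &lib);
    lib_settings_free(&lib);
    if (n == 0) guac_settings_free(&s);
    return n;
}

int main(void) {
    printf("shared:   %d strings freed twice\n", aliased_after(push_settings_shared));
    printf("copy:     %d strings freed twice\n", aliased_after(push_settings_copy));
    printf("transfer: %d strings freed twice\n", aliased_after(push_settings_transfer));
    return 0;
}
```

Either the copy or the transfer pattern resolves the report's crash; which one fits depends on whether the library documents that it takes ownership of the strings it is given, which is exactly the contract that changed between FreeRDP versions here.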

      People

      • Assignee: Mike Jumper (mjumper)
      • Reporter: Mike Jumper (mjumper)