Dirk Mueller
b9b46cb552
+ freerdp-CVE-2026-22852.patch (CVE-2026-22852, bsc#1256718) + freerdp-CVE-2026-22854.patch (CVE-2026-22854, bsc#1256720) + freerdp-CVE-2026-22856.patch (CVE-2026-22856, bsc#1256722) + freerdp-CVE-2026-22859.patch (CVE-2026-22859, bsc#1256725) + freerdp-CVE-2026-23530.patch (CVE-2026-23530, bsc#1256940) + freerdp-CVE-2026-23531.patch (CVE-2026-23531, bsc#1256941) + freerdp-CVE-2026-23532.patch (CVE-2026-23532, bsc#1256942) + freerdp-CVE-2026-23534.patch (CVE-2026-23534, bsc#1256944) * Fix integer overflow in progressive decoder (bsc#1219049, CVE-2024-22211) OBS-URL: https://build.opensuse.org/package/show/X11:RemoteDesktop/freerdp2?expand=0&rev=21
192 lines
8.1 KiB
Diff
192 lines
8.1 KiB
Diff
From 7b7e6de8fe427a2f01d331056774aec69710590b Mon Sep 17 00:00:00 2001
|
|
From: akallabeth <akallabeth@posteo.net>
|
|
Date: Sat, 10 Jan 2026 08:43:40 +0100
|
|
Subject: [PATCH] [channels,urbdrc] check interface indices before use
|
|
|
|
---
|
|
channels/urbdrc/client/data_transfer.c | 6 +-
|
|
.../urbdrc/client/libusb/libusb_udevice.c | 78 ++++++++++++-------
|
|
channels/urbdrc/common/msusb.c | 6 +-
|
|
3 files changed, 54 insertions(+), 36 deletions(-)
|
|
|
|
Index: freerdp-2.11.7/channels/urbdrc/client/data_transfer.c
|
|
===================================================================
|
|
--- freerdp-2.11.7.orig/channels/urbdrc/client/data_transfer.c
|
|
+++ freerdp-2.11.7/channels/urbdrc/client/data_transfer.c
|
|
@@ -397,13 +397,12 @@ static void func_select_all_interface_fo
|
|
{
|
|
UINT32 inum;
|
|
MSUSB_INTERFACE_DESCRIPTOR** MsInterfaces = MsConfig->MsInterfaces;
|
|
- BYTE InterfaceNumber, AlternateSetting;
|
|
UINT32 NumInterfaces = MsConfig->NumInterfaces;
|
|
|
|
for (inum = 0; inum < NumInterfaces; inum++)
|
|
{
|
|
- InterfaceNumber = MsInterfaces[inum]->InterfaceNumber;
|
|
- AlternateSetting = MsInterfaces[inum]->AlternateSetting;
|
|
+ const BYTE InterfaceNumber = MsInterfaces[inum]->InterfaceNumber;
|
|
+ const BYTE AlternateSetting = MsInterfaces[inum]->AlternateSetting;
|
|
pdev->select_interface(pdev, InterfaceNumber, AlternateSetting);
|
|
}
|
|
}
|
|
Index: freerdp-2.11.7/channels/urbdrc/client/libusb/libusb_udevice.c
|
|
===================================================================
|
|
--- freerdp-2.11.7.orig/channels/urbdrc/client/libusb/libusb_udevice.c
|
|
+++ freerdp-2.11.7/channels/urbdrc/client/libusb/libusb_udevice.c
|
|
@@ -571,25 +571,13 @@ static MSUSB_CONFIG_DESCRIPTOR*
|
|
libusb_udev_complete_msconfig_setup(IUDEVICE* idev, MSUSB_CONFIG_DESCRIPTOR* MsConfig)
|
|
{
|
|
UDEVICE* pdev = (UDEVICE*)idev;
|
|
- MSUSB_INTERFACE_DESCRIPTOR** MsInterfaces;
|
|
- MSUSB_INTERFACE_DESCRIPTOR* MsInterface;
|
|
- MSUSB_PIPE_DESCRIPTOR** MsPipes;
|
|
- MSUSB_PIPE_DESCRIPTOR* MsPipe;
|
|
- MSUSB_PIPE_DESCRIPTOR** t_MsPipes;
|
|
- MSUSB_PIPE_DESCRIPTOR* t_MsPipe;
|
|
- LIBUSB_CONFIG_DESCRIPTOR* LibusbConfig;
|
|
- const LIBUSB_INTERFACE* LibusbInterface;
|
|
- const LIBUSB_INTERFACE_DESCRIPTOR* LibusbAltsetting;
|
|
- const LIBUSB_ENDPOINT_DESCEIPTOR* LibusbEndpoint;
|
|
- BYTE LibusbNumEndpoint;
|
|
- URBDRC_PLUGIN* urbdrc;
|
|
UINT32 inum = 0, pnum = 0, MsOutSize = 0;
|
|
|
|
if (!pdev || !pdev->LibusbConfig || !pdev->urbdrc || !MsConfig)
|
|
return NULL;
|
|
|
|
- urbdrc = pdev->urbdrc;
|
|
- LibusbConfig = pdev->LibusbConfig;
|
|
+ URBDRC_PLUGIN* urbdrc = pdev->urbdrc;
|
|
+ LIBUSB_CONFIG_DESCRIPTOR* LibusbConfig = pdev->LibusbConfig;
|
|
|
|
if (LibusbConfig->bNumInterfaces != MsConfig->NumInterfaces)
|
|
{
|
|
@@ -597,28 +585,56 @@ libusb_udev_complete_msconfig_setup(IUDE
|
|
"Select Configuration: Libusb NumberInterfaces(%" PRIu8 ") is different "
|
|
"with MsConfig NumberInterfaces(%" PRIu32 ")",
|
|
LibusbConfig->bNumInterfaces, MsConfig->NumInterfaces);
|
|
+ return NULL;
|
|
}
|
|
|
|
/* replace MsPipes for libusb */
|
|
- MsInterfaces = MsConfig->MsInterfaces;
|
|
+ MSUSB_INTERFACE_DESCRIPTOR** MsInterfaces = MsConfig->MsInterfaces;
|
|
|
|
for (inum = 0; inum < MsConfig->NumInterfaces; inum++)
|
|
{
|
|
- MsInterface = MsInterfaces[inum];
|
|
+ MSUSB_INTERFACE_DESCRIPTOR* MsInterface = MsInterfaces[inum];
|
|
+ if (MsInterface->InterfaceNumber >= MsConfig->NumInterfaces)
|
|
+ {
|
|
+ WLog_Print(urbdrc->log, WLOG_ERROR,
|
|
+ "MSUSB_CONFIG_DESCRIPTOR::NumInterfaces (%" PRIu32
|
|
+ " <= MSUSB_INTERFACE_DESCRIPTOR::InterfaceNumber( %" PRIu8 ")",
|
|
+ MsConfig->NumInterfaces, MsInterface->InterfaceNumber);
|
|
+ return NULL;
|
|
+ }
|
|
+
|
|
+ const LIBUSB_INTERFACE* LibusbInterface =
|
|
+ &LibusbConfig->interface[MsInterface->InterfaceNumber];
|
|
+ if (MsInterface->AlternateSetting >= LibusbInterface->num_altsetting)
|
|
+ {
|
|
+ WLog_Print(urbdrc->log, WLOG_ERROR,
|
|
+ "LIBUSB_INTERFACE::num_altsetting (%" PRId32
|
|
+ " <= MSUSB_INTERFACE_DESCRIPTOR::AlternateSetting( %" PRIu8 ")",
|
|
+ LibusbInterface->num_altsetting, MsInterface->AlternateSetting);
|
|
+ return NULL;
|
|
+ }
|
|
+ }
|
|
+
|
|
+ for (UINT32 inum = 0; inum < MsConfig->NumInterfaces; inum++)
|
|
+ {
|
|
+ MSUSB_INTERFACE_DESCRIPTOR* MsInterface = MsInterfaces[inum];
|
|
/* get libusb's number of endpoints */
|
|
- LibusbInterface = &LibusbConfig->interface[MsInterface->InterfaceNumber];
|
|
- LibusbAltsetting = &LibusbInterface->altsetting[MsInterface->AlternateSetting];
|
|
- LibusbNumEndpoint = LibusbAltsetting->bNumEndpoints;
|
|
- t_MsPipes =
|
|
+ const LIBUSB_INTERFACE* LibusbInterface =
|
|
+ &LibusbConfig->interface[MsInterface->InterfaceNumber];
|
|
+ const LIBUSB_INTERFACE_DESCRIPTOR* LibusbAltsetting =
|
|
+ &LibusbInterface->altsetting[MsInterface->AlternateSetting];
|
|
+ const BYTE LibusbNumEndpoint = LibusbAltsetting->bNumEndpoints;
|
|
+ MSUSB_PIPE_DESCRIPTOR** t_MsPipes =
|
|
(MSUSB_PIPE_DESCRIPTOR**)calloc(LibusbNumEndpoint, sizeof(MSUSB_PIPE_DESCRIPTOR*));
|
|
|
|
for (pnum = 0; pnum < LibusbNumEndpoint; pnum++)
|
|
{
|
|
- t_MsPipe = (MSUSB_PIPE_DESCRIPTOR*)calloc(1, sizeof(MSUSB_PIPE_DESCRIPTOR));
|
|
+ MSUSB_PIPE_DESCRIPTOR* t_MsPipe =
|
|
+ (MSUSB_PIPE_DESCRIPTOR*)calloc(1, sizeof(MSUSB_PIPE_DESCRIPTOR));
|
|
|
|
if (pnum < MsInterface->NumberOfPipes && MsInterface->MsPipes)
|
|
{
|
|
- MsPipe = MsInterface->MsPipes[pnum];
|
|
+ MSUSB_PIPE_DESCRIPTOR* MsPipe = MsInterface->MsPipes[pnum];
|
|
t_MsPipe->MaximumPacketSize = MsPipe->MaximumPacketSize;
|
|
t_MsPipe->MaximumTransferSize = MsPipe->MaximumTransferSize;
|
|
t_MsPipe->PipeFlags = MsPipe->PipeFlags;
|
|
@@ -656,10 +671,12 @@ libusb_udev_complete_msconfig_setup(IUDE
|
|
for (inum = 0; inum < MsConfig->NumInterfaces; inum++)
|
|
{
|
|
MsOutSize += 16;
|
|
- MsInterface = MsInterfaces[inum];
|
|
+ MSUSB_INTERFACE_DESCRIPTOR* MsInterface = MsInterfaces[inum];
|
|
/* get libusb's interface */
|
|
- LibusbInterface = &LibusbConfig->interface[MsInterface->InterfaceNumber];
|
|
- LibusbAltsetting = &LibusbInterface->altsetting[MsInterface->AlternateSetting];
|
|
+ const LIBUSB_INTERFACE* LibusbInterface =
|
|
+ &LibusbConfig->interface[MsInterface->InterfaceNumber];
|
|
+ const LIBUSB_INTERFACE_DESCRIPTOR* LibusbAltsetting =
|
|
+ &LibusbInterface->altsetting[MsInterface->AlternateSetting];
|
|
/* InterfaceHandle: 4 bytes
|
|
* ---------------------------------------------------------------
|
|
* ||<<< 1 byte >>>|<<< 1 byte >>>|<<< 1 byte >>>|<<< 1 byte >>>||
|
|
@@ -674,15 +691,15 @@ libusb_udev_complete_msconfig_setup(IUDE
|
|
MsInterface->bInterfaceSubClass = LibusbAltsetting->bInterfaceSubClass;
|
|
MsInterface->bInterfaceProtocol = LibusbAltsetting->bInterfaceProtocol;
|
|
MsInterface->InitCompleted = 1;
|
|
- MsPipes = MsInterface->MsPipes;
|
|
- LibusbNumEndpoint = LibusbAltsetting->bNumEndpoints;
|
|
+ MSUSB_PIPE_DESCRIPTOR** MsPipes = MsInterface->MsPipes;
|
|
+ const BYTE LibusbNumEndpoint = LibusbAltsetting->bNumEndpoints;
|
|
|
|
for (pnum = 0; pnum < LibusbNumEndpoint; pnum++)
|
|
{
|
|
MsOutSize += 20;
|
|
- MsPipe = MsPipes[pnum];
|
|
+ MSUSB_PIPE_DESCRIPTOR* MsPipe = MsPipes[pnum];
|
|
/* get libusb's endpoint */
|
|
- LibusbEndpoint = &LibusbAltsetting->endpoint[pnum];
|
|
+ const LIBUSB_ENDPOINT_DESCEIPTOR* LibusbEndpoint = &LibusbAltsetting->endpoint[pnum];
|
|
/* PipeHandle: 4 bytes
|
|
* ---------------------------------------------------------------
|
|
* ||<<< 1 byte >>>|<<< 1 byte >>>|<<<<<<<<<< 2 byte >>>>>>>>>>>||
|
|
Index: freerdp-2.11.7/channels/urbdrc/common/msusb.c
|
|
===================================================================
|
|
--- freerdp-2.11.7.orig/channels/urbdrc/common/msusb.c
|
|
+++ freerdp-2.11.7/channels/urbdrc/common/msusb.c
|
|
@@ -139,6 +139,8 @@ BOOL msusb_msinterface_replace(MSUSB_CON
|
|
{
|
|
if (!MsConfig || !MsConfig->MsInterfaces)
|
|
return FALSE;
|
|
+ if (MsConfig->NumInterfaces <= InterfaceNumber)
|
|
+ return FALSE;
|
|
|
|
msusb_msinterface_free(MsConfig->MsInterfaces[InterfaceNumber]);
|
|
MsConfig->MsInterfaces[InterfaceNumber] = NewMsInterface;
|
|
@@ -147,12 +149,10 @@ BOOL msusb_msinterface_replace(MSUSB_CON
|
|
|
|
MSUSB_INTERFACE_DESCRIPTOR* msusb_msinterface_read(wStream* s)
|
|
{
|
|
- MSUSB_INTERFACE_DESCRIPTOR* MsInterface;
|
|
-
|
|
if (Stream_GetRemainingCapacity(s) < 12)
|
|
return NULL;
|
|
|
|
- MsInterface = msusb_msinterface_new();
|
|
+ MSUSB_INTERFACE_DESCRIPTOR* MsInterface = msusb_msinterface_new();
|
|
|
|
if (!MsInterface)
|
|
return NULL;
|