xrdp/xrdp-CVE-2022-23478.patch

From 2a71e18fe78529c0d9338eaafe87d4313382b7cc Mon Sep 17 00:00:00 2001
From: matt335672 <30179339+matt335672@users.noreply.github.com>
Date: Wed, 7 Dec 2022 11:12:42 +0000
Subject: [PATCH 2/9] CVE-2022-23478

Fix potential OOB write if invalid chansrv channel opened

Also removed an unnecessary dynamic memory allocation
---
 xrdp/xrdp_mm.c | 21 +++++++++------------
 1 file changed, 9 insertions(+), 12 deletions(-)

diff --git a/xrdp/xrdp_mm.c b/xrdp/xrdp_mm.c
index 74b0516a..c91e03ab 100644
--- a/xrdp/xrdp_mm.c
+++ b/xrdp/xrdp_mm.c
@@ -1360,7 +1360,7 @@ xrdp_mm_trans_process_drdynvc_channel_open(struct xrdp_mm *self,
     int error;
     int chan_id;
     int chansrv_chan_id;
-    char *name;
+    char name[1024 + 1];
     struct xrdp_drdynvc_procs procs;
 
     if (!s_check_rem(s, 2))
@@ -1368,33 +1368,32 @@ xrdp_mm_trans_process_drdynvc_channel_open(struct xrdp_mm *self,
         return 1;
     }
     in_uint32_le(s, name_bytes);
-    if ((name_bytes < 1) || (name_bytes > 1024))
-    {
-        return 1;
-    }
-    name = g_new(char, name_bytes + 1);
-    if (name == NULL)
+    if ((name_bytes < 1) || (name_bytes > (int)(sizeof(name) - 1)))
     {
         return 1;
     }
     if (!s_check_rem(s, name_bytes))
     {
-        g_free(name);
         return 1;
     }
     in_uint8a(s, name, name_bytes);
     name[name_bytes] = 0;
     if (!s_check_rem(s, 8))
     {
-        g_free(name);
         return 1;
     }
     in_uint32_le(s, flags);
     in_uint32_le(s, chansrv_chan_id);
+    if (chansrv_chan_id < 0 || chansrv_chan_id > 255)
+    {
+        LOG(LOG_LEVEL_ERROR, "Attempting to open invalid chansrv channel %d",
+            chansrv_chan_id);
+        return 1;
+    }
+
     if (flags == 0)
     {
         /* open static channel, not supported */
-        g_free(name);
         return 1;
     }
     else
@@ -1410,13 +1409,11 @@ xrdp_mm_trans_process_drdynvc_channel_open(struct xrdp_mm *self,
                                      &chan_id);
         if (error != 0)
         {
-            g_free(name);
             return 1;
         }
         self->xr2cr_cid_map[chan_id] = chansrv_chan_id;
         self->cs2xr_cid_map[chansrv_chan_id] = chan_id;
     }
-    g_free(name);
     return 0;
 }
 
-- 
2.39.0
Accepting request 1057176 from home:yudaike:branches:X11:RemoteDesktop - xrdp-CVE-2022-23477.patch (bsc#1206301) + Buffer over flow in audin_send_open() function - Security fixes: + xrdp-CVE-2022-23468.patch (bsc#1206300) * Buffer overflow in xrdp_login_wnd_create() + xrdp-CVE-2022-23478.patch (bsc#1206302) * Out of Bound Write in xrdp_mm_trans_process_drdynvc_chan + xrdp-CVE-2022-23479.patch (bsc#1206303) * Buffer overflow in xrdp_mm_chan_data_in() function + xrdp-CVE-2022-23480.patch (bsc#1206306) * Buffer overflow in devredir_proc_client_devlist_announce_req + xrdp-CVE-2022-23481.patch (bsc#1206307) * Out of Bound Read in xrdp_caps_process_confirm_active() + xrdp-CVE-2022-23482.patch (bsc#1206310) + Out of Bound Read in xrdp_sec_process_mcs_data_CS_CORE() + xrdp-CVE-2022-23483.patch (bsc#1206311) + Out of Bound REad in libxrdp_send_to_channel() + xrdp-CVE-2022-23484.patch (bsc#1206312) + Integer Overflow in xrdp_mm_process_rail_update_window_text() + xrdp-CVE-2022-23493.patch (bsc#1206313) + Out of Bound Read in xrdp_mm_trans_process_drdynvc_channel_close() OBS-URL: https://build.opensuse.org/request/show/1057176 OBS-URL: https://build.opensuse.org/package/show/X11:RemoteDesktop/xrdp?expand=0&rev=106 2023-01-10 04:10:49 +01:00			`From 2a71e18fe78529c0d9338eaafe87d4313382b7cc Mon Sep 17 00:00:00 2001`
			`From: matt335672 <30179339+matt335672@users.noreply.github.com>`
			`Date: Wed, 7 Dec 2022 11:12:42 +0000`
			`Subject: [PATCH 2/9] CVE-2022-23478`

			`Fix potential OOB write if invalid chansrv channel opened`

			`Also removed an unnecessary dynamic memory allocation`
			`---`
			`xrdp/xrdp_mm.c \| 21 +++++++++------------`
			`1 file changed, 9 insertions(+), 12 deletions(-)`

			`diff --git a/xrdp/xrdp_mm.c b/xrdp/xrdp_mm.c`
			`index 74b0516a..c91e03ab 100644`
			`--- a/xrdp/xrdp_mm.c`
			`+++ b/xrdp/xrdp_mm.c`
			`@@ -1360,7 +1360,7 @@ xrdp_mm_trans_process_drdynvc_channel_open(struct xrdp_mm *self,`
			`int error;`
			`int chan_id;`
			`int chansrv_chan_id;`
			`- char *name;`
			`+ char name[1024 + 1];`
			`struct xrdp_drdynvc_procs procs;`

			`if (!s_check_rem(s, 2))`
			`@@ -1368,33 +1368,32 @@ xrdp_mm_trans_process_drdynvc_channel_open(struct xrdp_mm *self,`
			`return 1;`
			`}`
			`in_uint32_le(s, name_bytes);`
			`- if ((name_bytes < 1) \|\| (name_bytes > 1024))`
			`- {`
			`- return 1;`
			`- }`
			`- name = g_new(char, name_bytes + 1);`
			`- if (name == NULL)`
			`+ if ((name_bytes < 1) \|\| (name_bytes > (int)(sizeof(name) - 1)))`
			`{`
			`return 1;`
			`}`
			`if (!s_check_rem(s, name_bytes))`
			`{`
			`- g_free(name);`
			`return 1;`
			`}`
			`in_uint8a(s, name, name_bytes);`
			`name[name_bytes] = 0;`
			`if (!s_check_rem(s, 8))`
			`{`
			`- g_free(name);`
			`return 1;`
			`}`
			`in_uint32_le(s, flags);`
			`in_uint32_le(s, chansrv_chan_id);`
			`+ if (chansrv_chan_id < 0 \|\| chansrv_chan_id > 255)`
			`+ {`
			`+ LOG(LOG_LEVEL_ERROR, "Attempting to open invalid chansrv channel %d",`
			`+ chansrv_chan_id);`
			`+ return 1;`
			`+ }`
			`+`
			`if (flags == 0)`
			`{`
			`/* open static channel, not supported */`
			`- g_free(name);`
			`return 1;`
			`}`
			`else`
			`@@ -1410,13 +1409,11 @@ xrdp_mm_trans_process_drdynvc_channel_open(struct xrdp_mm *self,`
			`&chan_id);`
			`if (error != 0)`
			`{`
			`- g_free(name);`
			`return 1;`
			`}`
			`self->xr2cr_cid_map[chan_id] = chansrv_chan_id;`
			`self->cs2xr_cid_map[chansrv_chan_id] = chan_id;`
			`}`
			`- g_free(name);`
			`return 0;`
			`}`

			`--`
			`2.39.0`