xrdp/xrdp-CVE-2022-23493.patch

From 5c1399c30901b98ee9eb0b83be2847eb74b9e80d Mon Sep 17 00:00:00 2001
From: matt335672 <30179339+matt335672@users.noreply.github.com>
Date: Wed, 7 Dec 2022 10:49:06 +0000
Subject: [PATCH 9/9] CVE-2022-23493

Check chansrv channel ID on a channel close

Prevent OOB read if an invalid channel ID is sent.
---
 xrdp/xrdp_mm.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/xrdp/xrdp_mm.c b/xrdp/xrdp_mm.c
index b59345d7..c27c2341 100644
--- a/xrdp/xrdp_mm.c
+++ b/xrdp/xrdp_mm.c
@@ -1447,6 +1447,12 @@ xrdp_mm_trans_process_drdynvc_channel_close(struct xrdp_mm *self,
         return 1;
     }
     in_uint32_le(s, chansrv_chan_id);
+    if (chansrv_chan_id < 0 || chansrv_chan_id > 255)
+    {
+        LOG(LOG_LEVEL_ERROR, "Attempting to close invalid chansrv channel %d",
+            chansrv_chan_id);
+        return 1;
+    }
     chan_id = self->cs2xr_cid_map[chansrv_chan_id];
     /* close dynamic channel */
     error = libxrdp_drdynvc_close(self->wm->session, chan_id);
-- 
2.39.0
Accepting request 1057176 from home:yudaike:branches:X11:RemoteDesktop - xrdp-CVE-2022-23477.patch (bsc#1206301) + Buffer over flow in audin_send_open() function - Security fixes: + xrdp-CVE-2022-23468.patch (bsc#1206300) * Buffer overflow in xrdp_login_wnd_create() + xrdp-CVE-2022-23478.patch (bsc#1206302) * Out of Bound Write in xrdp_mm_trans_process_drdynvc_chan + xrdp-CVE-2022-23479.patch (bsc#1206303) * Buffer overflow in xrdp_mm_chan_data_in() function + xrdp-CVE-2022-23480.patch (bsc#1206306) * Buffer overflow in devredir_proc_client_devlist_announce_req + xrdp-CVE-2022-23481.patch (bsc#1206307) * Out of Bound Read in xrdp_caps_process_confirm_active() + xrdp-CVE-2022-23482.patch (bsc#1206310) + Out of Bound Read in xrdp_sec_process_mcs_data_CS_CORE() + xrdp-CVE-2022-23483.patch (bsc#1206311) + Out of Bound REad in libxrdp_send_to_channel() + xrdp-CVE-2022-23484.patch (bsc#1206312) + Integer Overflow in xrdp_mm_process_rail_update_window_text() + xrdp-CVE-2022-23493.patch (bsc#1206313) + Out of Bound Read in xrdp_mm_trans_process_drdynvc_channel_close() OBS-URL: https://build.opensuse.org/request/show/1057176 OBS-URL: https://build.opensuse.org/package/show/X11:RemoteDesktop/xrdp?expand=0&rev=106 2023-01-10 03:10:49 +00:00			`From 5c1399c30901b98ee9eb0b83be2847eb74b9e80d Mon Sep 17 00:00:00 2001`
			`From: matt335672 <30179339+matt335672@users.noreply.github.com>`
			`Date: Wed, 7 Dec 2022 10:49:06 +0000`
			`Subject: [PATCH 9/9] CVE-2022-23493`

			`Check chansrv channel ID on a channel close`

			`Prevent OOB read if an invalid channel ID is sent.`
			`---`
			`xrdp/xrdp_mm.c \| 6 ++++++`
			`1 file changed, 6 insertions(+)`

			`diff --git a/xrdp/xrdp_mm.c b/xrdp/xrdp_mm.c`
			`index b59345d7..c27c2341 100644`
			`--- a/xrdp/xrdp_mm.c`
			`+++ b/xrdp/xrdp_mm.c`
			`@@ -1447,6 +1447,12 @@ xrdp_mm_trans_process_drdynvc_channel_close(struct xrdp_mm *self,`
			`return 1;`
			`}`
			`in_uint32_le(s, chansrv_chan_id);`
			`+ if (chansrv_chan_id < 0 \|\| chansrv_chan_id > 255)`
			`+ {`
			`+ LOG(LOG_LEVEL_ERROR, "Attempting to close invalid chansrv channel %d",`
			`+ chansrv_chan_id);`
			`+ return 1;`
			`+ }`
			`chan_id = self->cs2xr_cid_map[chansrv_chan_id];`
			`/* close dynamic channel */`
			`error = libxrdp_drdynvc_close(self->wm->session, chan_id);`
			`--`
			`2.39.0`