xrdp/xrdp-CVE-2022-23477.patch

From c57c32e6cfeda40b3f006a5ba63a3ff161e8d497 Mon Sep 17 00:00:00 2001
From: matt335672 <30179339+matt335672@users.noreply.github.com>
Date: Tue, 6 Dec 2022 11:31:31 +0000
Subject: [PATCH] CVE-2022-23477

Prevent buffer overflow for oversized audio format from client
---
 sesman/chansrv/audin.c | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/sesman/chansrv/audin.c b/sesman/chansrv/audin.c
index cd802fa5..36a8027a 100644
--- a/sesman/chansrv/audin.c
+++ b/sesman/chansrv/audin.c
@@ -181,15 +181,16 @@ audin_send_open(int chan_id)
     int error;
     int bytes;
     struct stream *s;
-    struct xr_wave_format_ex *wf;
+    struct xr_wave_format_ex *wf = g_client_formats[g_current_format];
 
     LOG_DEVEL(LOG_LEVEL_INFO, "audin_send_open:");
     make_stream(s);
-    init_stream(s, 8192);
+    /* wf->cbSize was checked when the format was received */
+    init_stream(s, wf->cbSize + 64);
+
     out_uint8(s, MSG_SNDIN_OPEN);
     out_uint32_le(s, 2048); /* FramesPerPacket */
     out_uint32_le(s, g_current_format); /* initialFormat */
-    wf = g_client_formats[g_current_format];
     out_uint16_le(s, wf->wFormatTag);
     out_uint16_le(s, wf->nChannels);
     out_uint32_le(s, wf->nSamplesPerSec);
-- 
2.39.0
Accepting request 1057176 from home:yudaike:branches:X11:RemoteDesktop - xrdp-CVE-2022-23477.patch (bsc#1206301) + Buffer over flow in audin_send_open() function - Security fixes: + xrdp-CVE-2022-23468.patch (bsc#1206300) * Buffer overflow in xrdp_login_wnd_create() + xrdp-CVE-2022-23478.patch (bsc#1206302) * Out of Bound Write in xrdp_mm_trans_process_drdynvc_chan + xrdp-CVE-2022-23479.patch (bsc#1206303) * Buffer overflow in xrdp_mm_chan_data_in() function + xrdp-CVE-2022-23480.patch (bsc#1206306) * Buffer overflow in devredir_proc_client_devlist_announce_req + xrdp-CVE-2022-23481.patch (bsc#1206307) * Out of Bound Read in xrdp_caps_process_confirm_active() + xrdp-CVE-2022-23482.patch (bsc#1206310) + Out of Bound Read in xrdp_sec_process_mcs_data_CS_CORE() + xrdp-CVE-2022-23483.patch (bsc#1206311) + Out of Bound REad in libxrdp_send_to_channel() + xrdp-CVE-2022-23484.patch (bsc#1206312) + Integer Overflow in xrdp_mm_process_rail_update_window_text() + xrdp-CVE-2022-23493.patch (bsc#1206313) + Out of Bound Read in xrdp_mm_trans_process_drdynvc_channel_close() OBS-URL: https://build.opensuse.org/request/show/1057176 OBS-URL: https://build.opensuse.org/package/show/X11:RemoteDesktop/xrdp?expand=0&rev=106 2023-01-10 04:10:49 +01:00			`From c57c32e6cfeda40b3f006a5ba63a3ff161e8d497 Mon Sep 17 00:00:00 2001`
			`From: matt335672 <30179339+matt335672@users.noreply.github.com>`
			`Date: Tue, 6 Dec 2022 11:31:31 +0000`
			`Subject: [PATCH] CVE-2022-23477`

			`Prevent buffer overflow for oversized audio format from client`
			`---`
			`sesman/chansrv/audin.c \| 7 ++++---`
			`1 file changed, 4 insertions(+), 3 deletions(-)`

			`diff --git a/sesman/chansrv/audin.c b/sesman/chansrv/audin.c`
			`index cd802fa5..36a8027a 100644`
			`--- a/sesman/chansrv/audin.c`
			`+++ b/sesman/chansrv/audin.c`
			`@@ -181,15 +181,16 @@ audin_send_open(int chan_id)`
			`int error;`
			`int bytes;`
			`struct stream *s;`
			`- struct xr_wave_format_ex *wf;`
			`+ struct xr_wave_format_ex *wf = g_client_formats[g_current_format];`

			`LOG_DEVEL(LOG_LEVEL_INFO, "audin_send_open:");`
			`make_stream(s);`
			`- init_stream(s, 8192);`
			`+ /* wf->cbSize was checked when the format was received */`
			`+ init_stream(s, wf->cbSize + 64);`
			`+`
			`out_uint8(s, MSG_SNDIN_OPEN);`
			`out_uint32_le(s, 2048); /* FramesPerPacket */`
			`out_uint32_le(s, g_current_format); /* initialFormat */`
			`- wf = g_client_formats[g_current_format];`
			`out_uint16_le(s, wf->wFormatTag);`
			`out_uint16_le(s, wf->nChannels);`
			`out_uint32_le(s, wf->nSamplesPerSec);`
			`--`
			`2.39.0`