From 5c95289b98f10f5a0be098e4bc9c0d189db171ca Mon Sep 17 00:00:00 2001
From: matt335672 <30179339+matt335672@users.noreply.github.com>
Date: Wed, 7 Dec 2022 10:21:41 +0000
Subject: [PATCH 7/9] CVE-2022-23483

Sanitise channel data being passed from application

Avoids OOB read if the size field is incorrect.
---
 xrdp/xrdp_mm.c | 33 +++++++++++++++++++++------------
 1 file changed, 21 insertions(+), 12 deletions(-)

diff --git a/xrdp/xrdp_mm.c b/xrdp/xrdp_mm.c
index c91e03ab..bc7b1b83 100644
--- a/xrdp/xrdp_mm.c
+++ b/xrdp/xrdp_mm.c
@@ -676,22 +676,31 @@ xrdp_mm_trans_send_channel_setup(struct xrdp_mm *self, struct trans *trans)
 static int
 xrdp_mm_trans_process_channel_data(struct xrdp_mm *self, struct stream *s)
 {
-    int size;
-    int total_size;
+    unsigned int size;
+    unsigned int total_size;
     int chan_id;
     int chan_flags;
-    int rv;
-
-    in_uint16_le(s, chan_id);
-    in_uint16_le(s, chan_flags);
-    in_uint16_le(s, size);
-    in_uint32_le(s, total_size);
-    rv = 0;
+    int rv = 0;
 
-    if (rv == 0)
+    if (!s_check_rem_and_log(s, 10, "Reading channel data header"))
+    {
+        rv = 1;
+    }
+    else
     {
-        rv = libxrdp_send_to_channel(self->wm->session, chan_id, s->p, size, total_size,
-                                     chan_flags);
+        in_uint16_le(s, chan_id);
+        in_uint16_le(s, chan_flags);
+        in_uint16_le(s, size);
+        in_uint32_le(s, total_size);
+        if (!s_check_rem_and_log(s, size, "Reading channel data data"))
+        {
+            rv = 1;
+        }
+        else
+        {
+            rv = libxrdp_send_to_channel(self->wm->session, chan_id,
+                                         s->p, size, total_size, chan_flags);
+        }
     }
 
     return rv;
-- 
2.39.0