xrdp/xrdp-CVE-2022-23481.patch

From 69888a988b8cf811e4a8e393700c374d31749e76 Mon Sep 17 00:00:00 2001
From: matt335672 <30179339+matt335672@users.noreply.github.com>
Date: Wed, 7 Dec 2022 10:40:25 +0000
Subject: [PATCH 5/9] CVE-2022-23481

Add length checks to client confirm active PDU parsing
---
 libxrdp/xrdp_caps.c | 14 ++++++++++++++
 1 file changed, 14 insertions(+)

diff --git a/libxrdp/xrdp_caps.c b/libxrdp/xrdp_caps.c
index 5c5e74a5..ac21cc0a 100644
--- a/libxrdp/xrdp_caps.c
+++ b/libxrdp/xrdp_caps.c
@@ -667,13 +667,27 @@ xrdp_caps_process_confirm_active(struct xrdp_rdp *self, struct stream *s)
     int len;
     char *p;
 
+    if (!s_check_rem_and_log(s, 10,
+                             "Parsing [MS-RDPBCGR] TS_CONFIRM_ACTIVE_PDU"
+                             " - header"))
+    {
+        return 1;
+    }
     in_uint8s(s, 4); /* rdp_shareid */
     in_uint8s(s, 2); /* userid */
     in_uint16_le(s, source_len); /* sizeof RDP_SOURCE */
     in_uint16_le(s, cap_len);
+
+    if (!s_check_rem_and_log(s, source_len + 2 + 2,
+                             "Parsing [MS-RDPBCGR] TS_CONFIRM_ACTIVE_PDU"
+                             " - header2"))
+    {
+        return 1;
+    }
     in_uint8s(s, source_len);
     in_uint16_le(s, num_caps);
     in_uint8s(s, 2); /* pad */
+
     LOG_DEVEL(LOG_LEVEL_TRACE, "Received [MS-RDPBCGR] TS_CONFIRM_ACTIVE_PDU "
               "shareID (ignored), originatorID (ignored), lengthSourceDescriptor %d, "
               "lengthCombinedCapabilities  %d, sourceDescriptor (ignored), "
-- 
2.39.0