xrdp/xrdp-CVE-2022-23479.patch
Yifan Jiang f0ddc89311 Accepting request 1057176 from home:yudaike:branches:X11:RemoteDesktop
- xrdp-CVE-2022-23477.patch (bsc#1206301)
  + Buffer overflow in audin_send_open() function

- Security fixes:
  + xrdp-CVE-2022-23468.patch (bsc#1206300)
    * Buffer overflow in xrdp_login_wnd_create()
  + xrdp-CVE-2022-23478.patch (bsc#1206302)
    * Out of Bound Write in xrdp_mm_trans_process_drdynvc_chan
  + xrdp-CVE-2022-23479.patch (bsc#1206303)
    * Buffer overflow in xrdp_mm_chan_data_in() function
  + xrdp-CVE-2022-23480.patch (bsc#1206306)
    * Buffer overflow in devredir_proc_client_devlist_announce_req
  + xrdp-CVE-2022-23481.patch (bsc#1206307)
    * Out of Bound Read in xrdp_caps_process_confirm_active()
  + xrdp-CVE-2022-23482.patch (bsc#1206310)
    + Out of Bound Read in xrdp_sec_process_mcs_data_CS_CORE()
  + xrdp-CVE-2022-23483.patch (bsc#1206311)
    + Out of Bound REad in libxrdp_send_to_channel()
  + xrdp-CVE-2022-23484.patch (bsc#1206312)
    + Integer Overflow in xrdp_mm_process_rail_update_window_text()
  + xrdp-CVE-2022-23493.patch (bsc#1206313)
    + Out of Bound Read in xrdp_mm_trans_process_drdynvc_channel_close()

OBS-URL: https://build.opensuse.org/request/show/1057176
OBS-URL: https://build.opensuse.org/package/show/X11:RemoteDesktop/xrdp?expand=0&rev=106
2023-01-10 03:10:49 +00:00


From de3b0bea6406619632a6583235ba467ff97528f8 Mon Sep 17 00:00:00 2001
From: matt335672 <30179339+matt335672@users.noreply.github.com>
Date: Wed, 7 Dec 2022 09:44:56 +0000
Subject: [PATCH 3/9] CVE-2022-23479
Detect attempts to overflow input buffer
If application code hasn't properly sanitised the header_size
for a transport, it is possible for read requests to be issued
which overflow the input buffer. This change detects this
at a low level and bounces the read request.
---
common/trans.c | 19 +++++++++++++++----
common/trans.h | 2 +-
2 files changed, 16 insertions(+), 5 deletions(-)
diff --git a/common/trans.c b/common/trans.c
index 55d2a638..1d2d3e68 100644
--- a/common/trans.c
+++ b/common/trans.c
@@ -297,8 +297,8 @@ trans_check_wait_objs(struct trans *self)
tbus in_sck = (tbus) 0;
struct trans *in_trans = (struct trans *) NULL;
int read_bytes = 0;
- int to_read = 0;
- int read_so_far = 0;
+ unsigned int to_read = 0;
+ unsigned int read_so_far = 0;
int rv = 0;
enum xrdp_source cur_source;
@@ -369,13 +369,24 @@ trans_check_wait_objs(struct trans *self)
}
else if (self->trans_can_recv(self, self->sck, 0))
{
+ /* CVE-2022-23479 - check a malicious caller hasn't managed
+ * to set the header_size to an unreasonable value */
+ if (self->header_size > (unsigned int)self->in_s->size)
+ {
+ LOG(LOG_LEVEL_ERROR,
+ "trans_check_wait_objs: Reading %u bytes beyond buffer",
+ self->header_size - (unsigned int)self->in_s->size);
+ self->status = TRANS_STATUS_DOWN;
+ return 1;
+ }
+
cur_source = XRDP_SOURCE_NONE;
if (self->si != 0)
{
cur_source = self->si->cur_source;
self->si->cur_source = self->my_source;
}
- read_so_far = (int) (self->in_s->end - self->in_s->data);
+ read_so_far = self->in_s->end - self->in_s->data;
to_read = self->header_size - read_so_far;
if (to_read > 0)
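Review bot: With `to_read` and `read_so_far` now unsigned (this hunk and the one at line 297), `to_read = self->header_size - read_so_far;` wraps to a very large value whenever read_so_far exceeds header_size, and the following `if (to_read > 0)` no longer filters that case the way the signed version did. The added size check only compares header_size against in_s->size, not against what is already buffered, so if anything can lower header_size between two reads of the same header the wrapped value would be handed to the read; guarding the subtraction, `to_read = (read_so_far < self->header_size) ? self->header_size - read_so_far : 0;`, or treating `read_so_far > self->header_size` as an error alongside the new check, closes that gap. The assignment of a pointer difference to `unsigned int` at `read_so_far = self->in_s->end - self->in_s->data;` (here and in the hunk at line 415) is also an implicit narrowing that `-Wconversion` will flag; an explicit `(unsigned int)` cast would document the intent. trans_check_wait_objs starts before this hunk and continues past it.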
@@ -415,7 +426,7 @@ trans_check_wait_objs(struct trans *self)
}
}
- read_so_far = (int) (self->in_s->end - self->in_s->data);
+ read_so_far = self->in_s->end - self->in_s->data;
if (read_so_far == self->header_size)
{
diff --git a/common/trans.h b/common/trans.h
index 1cd89fda..313c543b 100644
--- a/common/trans.h
+++ b/common/trans.h
@@ -98,7 +98,7 @@ struct trans
ttrans_data_in trans_data_in;
ttrans_conn_in trans_conn_in;
void *callback_data;
- int header_size;
+ unsigned int header_size;
struct stream *in_s;
struct stream *out_s;
char *listen_filename;
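Review bot: The new invariant on `header_size` is only discoverable from the check added in trans.c; the field declaration in struct trans should state it, e.g. `unsigned int header_size; /* bytes to read into in_s; must not exceed in_s->size, otherwise trans_check_wait_objs marks the transport down (CVE-2022-23479) */`. A caller that sets header_size from a received length will look at the header first, so the constraint belongs there as well as in the low-level check.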
--
2.39.0