pool/xrdp
SHA256
3
0
Fork 1
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
b6769c9e38
xrdp/xrdp-CVE-2022-23482.patch
Yifan Jiang f0ddc89311 Accepting request 1057176 from home:yudaike:branches:X11:RemoteDesktop 
- xrdp-CVE-2022-23477.patch (bsc#1206301)
  + Buffer over flow in audin_send_open() function

- Security fixes:
  + xrdp-CVE-2022-23468.patch (bsc#1206300)
    * Buffer overflow in xrdp_login_wnd_create()
  + xrdp-CVE-2022-23478.patch (bsc#1206302)
    * Out of Bound Write in xrdp_mm_trans_process_drdynvc_chan
  + xrdp-CVE-2022-23479.patch (bsc#1206303)
    * Buffer overflow in xrdp_mm_chan_data_in() function
  + xrdp-CVE-2022-23480.patch (bsc#1206306)
    * Buffer overflow in devredir_proc_client_devlist_announce_req
  + xrdp-CVE-2022-23481.patch (bsc#1206307)
    * Out of Bound Read in xrdp_caps_process_confirm_active()
  + xrdp-CVE-2022-23482.patch (bsc#1206310)
    + Out of Bound Read in xrdp_sec_process_mcs_data_CS_CORE()
  + xrdp-CVE-2022-23483.patch (bsc#1206311)
    + Out of Bound REad in libxrdp_send_to_channel()
  + xrdp-CVE-2022-23484.patch (bsc#1206312)
    + Integer Overflow in xrdp_mm_process_rail_update_window_text()
  + xrdp-CVE-2022-23493.patch (bsc#1206313)
    + Out of Bound Read in xrdp_mm_trans_process_drdynvc_channel_close()

OBS-URL: https://build.opensuse.org/request/show/1057176
OBS-URL: https://build.opensuse.org/package/show/X11:RemoteDesktop/xrdp?expand=0&rev=106
2023-01-10 03:10:49 +00:00

69 lines
2.3 KiB
Diff
Raw Blame History

From b01a62ac07933e0690eb0fa3329f5288c6069cf6 Mon Sep 17 00:00:00 2001
From: matt335672 <30179339+matt335672@users.noreply.github.com>
Date: Wed, 7 Dec 2022 11:05:46 +0000
Subject: [PATCH 6/9] CVE-2022-23482
Check minimum length of TS_UD_CS_CORE message
---
libxrdp/xrdp_sec.c | 23 ++++++++++++++++++++++-
1 file changed, 22 insertions(+), 1 deletion(-)
diff --git a/libxrdp/xrdp_sec.c b/libxrdp/xrdp_sec.c
index 691d4f04..084fca6b 100644
--- a/libxrdp/xrdp_sec.c
+++ b/libxrdp/xrdp_sec.c
@@ -1946,6 +1946,17 @@ xrdp_sec_send_fastpath(struct xrdp_sec *self, struct stream *s)
static int
xrdp_sec_process_mcs_data_CS_CORE(struct xrdp_sec *self, struct stream *s)
{
+#define CS_CORE_MIN_LENGTH \
+ (\
+ 4 + /* Version */ \
+ 2 + 2 + /* desktopWidth + desktopHeight */ \
+ 2 + 2 + /* colorDepth + SASSequence */ \
+ 4 + /* keyboardLayout */ \
+ 4 + 32 + /* clientBuild + clientName */ \
+ 4 + 4 + 4 + /* keyboardType + keyboardSubType + keyboardFunctionKey */ \
+ 64 + /* imeFileName */ \
+ 0)
+
int version;
int colorDepth;
int postBeta2ColorDepth;
@@ -1956,7 +1967,12 @@ xrdp_sec_process_mcs_data_CS_CORE(struct xrdp_sec *self, struct stream *s)
UNUSED_VAR(version);
- /* TS_UD_CS_CORE requiered fields */
+ /* TS_UD_CS_CORE required fields */
+ if (!s_check_rem_and_log(s, CS_CORE_MIN_LENGTH,
+ "Parsing [MS-RDPBCGR] TS_UD_CS_CORE"))
+ {
+ return 1;
+ }
in_uint32_le(s, version);
in_uint16_le(s, self->rdp_layer->client_info.width);
in_uint16_le(s, self->rdp_layer->client_info.height);
@@ -1994,6 +2010,10 @@ xrdp_sec_process_mcs_data_CS_CORE(struct xrdp_sec *self, struct stream *s)
clientName);
/* TS_UD_CS_CORE optional fields */
+ if (!s_check_rem(s, 2))
+ {
+ return 0;
+ }
in_uint16_le(s, postBeta2ColorDepth);
LOG_DEVEL(LOG_LEVEL_TRACE, "Received [MS-RDPBCGR] TS_UD_CS_CORE "
"<Optional Field> postBeta2ColorDepth %s",
@@ -2138,6 +2158,7 @@ xrdp_sec_process_mcs_data_CS_CORE(struct xrdp_sec *self, struct stream *s)
"<Optional Field> desktopOrientation (ignored)");
return 0;
+#undef CS_CORE_MIN_LENGTH
}
/*****************************************************************************/
--
2.39.0
Reference in New Issue View Git Blame Copy Permalink