File xrdp-CVE-2022-23478.patch of Package xrdp.27288

Overview Repositories Revisions Requests Users Attributes Meta

File xrdp-CVE-2022-23478.patch of Package xrdp.27288

From 0cff055b45311b456f8abbcfc397333f96979102 Mon Sep 17 00:00:00 2001
From: matt335672 <30179339+matt335672@users.noreply.github.com>
Date: Wed, 7 Dec 2022 11:12:42 +0000
Subject: [PATCH 03/10] CVE-2022-23478

Fix potential OOB write if invalid chansrv channel opened

Also removed an unnecessary dynamic memory allocation
---
 xrdp/xrdp_mm.c | 19 +++++++------------
 1 file changed, 7 insertions(+), 12 deletions(-)

diff --git a/xrdp/xrdp_mm.c b/xrdp/xrdp_mm.c
index 64c75605..f31e05e2 100644
--- a/xrdp/xrdp_mm.c
+++ b/xrdp/xrdp_mm.c
@@ -1154,7 +1154,7 @@ xrdp_mm_trans_process_drdynvc_channel_open(struct xrdp_mm* self,
     int error;
     int chan_id;
     int chansrv_chan_id;
-    char *name;
+    char name[1024 + 1];
     struct xrdp_drdynvc_procs procs;
 
     if (!s_check_rem(s, 2))
@@ -1162,33 +1162,30 @@ xrdp_mm_trans_process_drdynvc_channel_open(struct xrdp_mm* self,
         return 1;
     }
     in_uint32_le(s, name_bytes);
-    if ((name_bytes < 1) || (name_bytes > 1024))
-    {
-        return 1;
-    }
-    name = g_new(char, name_bytes + 1);
-    if (name == NULL)
+    if ((name_bytes < 1) || (name_bytes > (int)(sizeof(name) - 1)))
     {
         return 1;
     }
     if (!s_check_rem(s, name_bytes))
     {
-        g_free(name);
         return 1;
     }
     in_uint8a(s, name, name_bytes);
     name[name_bytes] = 0;
     if (!s_check_rem(s, 8))
     {
-        g_free(name);
         return 1;
     }
     in_uint32_le(s, flags);
     in_uint32_le(s, chansrv_chan_id);
+    if (chansrv_chan_id < 0 || chansrv_chan_id > 255)
+    {
+        return 1;
+    }
+
     if (flags == 0)
     {
         /* open static channel, not supported */
-        g_free(name);
         return 1;
     }
     else
@@ -1204,13 +1201,11 @@ xrdp_mm_trans_process_drdynvc_channel_open(struct xrdp_mm* self,
                                      &chan_id);
         if (error != 0)
         {
-            g_free(name);
             return 1;
         }
         self->xr2cr_cid_map[chan_id] = chansrv_chan_id;
         self->cs2xr_cid_map[chansrv_chan_id] = chan_id;
     }
-    g_free(name);
     return 0;
 }
 
-- 
2.39.0

Places

File xrdp-CVE-2022-23478.patch of Package xrdp.27288

Places