File xrdp-CVE-2022-23482.patch of Package xrdp.27288

Overview Repositories Revisions Requests Users Attributes Meta

File xrdp-CVE-2022-23482.patch of Package xrdp.27288

From d5d066276f360846ace6b1cacaa7a5aecbb6c312 Mon Sep 17 00:00:00 2001
From: matt335672 <30179339+matt335672@users.noreply.github.com>
Date: Wed, 7 Dec 2022 11:05:46 +0000
Subject: [PATCH 07/10] CVE-2022-23482

Check minimum length of TS_UD_CS_CORE message
---
 libxrdp/xrdp_sec.c | 27 ++++++++++++++++++++++++++-
 1 file changed, 26 insertions(+), 1 deletion(-)

diff --git a/libxrdp/xrdp_sec.c b/libxrdp/xrdp_sec.c
index c0e513e4..922383ff 100644
--- a/libxrdp/xrdp_sec.c
+++ b/libxrdp/xrdp_sec.c
@@ -1601,6 +1601,18 @@ xrdp_sec_send_fastpath(struct xrdp_sec *self, struct stream *s)
 static int
 xrdp_sec_process_mcs_data_CS_CORE(struct xrdp_sec* self, struct stream* s)
 {
+#define CS_CORE_MIN_LENGTH \
+    (\
+     4 +            /* Version */ \
+     2 + 2 +        /* desktopWidth + desktopHeight */ \
+     2 + 2 +        /* colorDepth + SASSequence */ \
+     4 +            /* keyboardLayout */ \
+     4 + 32 +       /* clientBuild + clientName */ \
+     4 + 4 + 4 +    /* keyboardType + keyboardSubType + keyboardFunctionKey */ \
+     64 +           /* imeFileName */ \
+     0)
+
+    int version;
     int colorDepth;
     int postBeta2ColorDepth;
     int highColorDepth;
@@ -1608,7 +1620,13 @@ xrdp_sec_process_mcs_data_CS_CORE(struct xrdp_sec* self, struct stream* s)
     int earlyCapabilityFlags;
     char clientName[INFO_CLIENT_NAME_BYTES / 2] = { '\0' };
 
-    in_uint8s(s, 4); /* version */
+    /* TS_UD_CS_CORE required fields */
+    if (!s_check_rem_and_log(s, CS_CORE_MIN_LENGTH,
+                             "Parsing [MS-RDPBCGR] TS_UD_CS_CORE"))
+    {
+        return 1;
+    }
+    in_uint32_le(s, version);
     in_uint16_le(s, self->rdp_layer->client_info.width);
     in_uint16_le(s, self->rdp_layer->client_info.height);
     in_uint16_le(s, colorDepth);
@@ -1631,6 +1649,12 @@ xrdp_sec_process_mcs_data_CS_CORE(struct xrdp_sec* self, struct stream* s)
     in_uint8s(s, 4); /* keyboardSubType */
     in_uint8s(s, 4); /* keyboardFunctionKey */
     in_uint8s(s, 64); /* imeFileName */
+
+    /* TS_UD_CS_CORE optional fields */
+    if (!s_check_rem(s, 2))
+    {
+        return 0;
+    }
     in_uint16_le(s, postBeta2ColorDepth);
     g_writeln("postBeta2ColorDepth 0x%4.4x (0xca00 4bpp 0xca01 8bpp "
               "0xca02 15bpp 0xca03 16bpp 0xca04 24bpp)", postBeta2ColorDepth);
@@ -1740,6 +1764,7 @@ xrdp_sec_process_mcs_data_CS_CORE(struct xrdp_sec* self, struct stream* s)
     in_uint8s(s, 2); /* reserved */
 
     return 0;
+#undef CS_CORE_MIN_LENGTH
 }
 
 /*****************************************************************************/
-- 
2.39.0

Places

File xrdp-CVE-2022-23482.patch of Package xrdp.27288

Places