File xrdp-CVE-2022-23483.patch of Package xrdp.29800

Overview Repositories Revisions Requests Users Attributes Meta

File xrdp-CVE-2022-23483.patch of Package xrdp.29800

From 3e4f157efed37940e96eba4b03b1a21a90bb1c7a Mon Sep 17 00:00:00 2001
From: matt335672 <30179339+matt335672@users.noreply.github.com>
Date: Wed, 7 Dec 2022 10:21:41 +0000
Subject: [PATCH 08/10] CVE-2022-23483

Sanitise channel data being passed from application

Avoids OOB read if the size field is incorrect.
---
 xrdp/xrdp_mm.c | 33 +++++++++++++++++++++------------
 1 file changed, 21 insertions(+), 12 deletions(-)

diff --git a/xrdp/xrdp_mm.c b/xrdp/xrdp_mm.c
index f31e05e2..2a8d29c2 100644
--- a/xrdp/xrdp_mm.c
+++ b/xrdp/xrdp_mm.c
@@ -685,22 +685,31 @@ xrdp_mm_trans_send_channel_setup(struct xrdp_mm *self, struct trans *trans)
 static int
 xrdp_mm_trans_process_channel_data(struct xrdp_mm *self, struct stream *s)
 {
-    int size;
-    int total_size;
+    unsigned int size;
+    unsigned int total_size;
     int chan_id;
     int chan_flags;
-    int rv;
-
-    in_uint16_le(s, chan_id);
-    in_uint16_le(s, chan_flags);
-    in_uint16_le(s, size);
-    in_uint32_le(s, total_size);
-    rv = 0;
+    int rv = 0;
 
-    if (rv == 0)
+    if (!s_check_rem_and_log(s, 10, "Reading channel data header"))
     {
-        rv = libxrdp_send_to_channel(self->wm->session, chan_id, s->p, size, total_size,
-                                     chan_flags);
+        rv = 1;
+    }
+    else
+    {
+        in_uint16_le(s, chan_id);
+        in_uint16_le(s, chan_flags);
+        in_uint16_le(s, size);
+        in_uint32_le(s, total_size);
+        if (!s_check_rem_and_log(s, size, "Reading channel data data"))
+        {
+            rv = 1;
+        }
+        else
+        {
+            rv = libxrdp_send_to_channel(self->wm->session, chan_id,
+                                         s->p, size, total_size, chan_flags);
+        }
     }
 
     return rv;
-- 
2.39.0

Places

File xrdp-CVE-2022-23483.patch of Package xrdp.29800

Places