File xrdp-CVE-2022-23483.patch of Package xrdp.29105

From 99c1704f1e0408d9f71c1b06af3ae164e2315009 Mon Sep 17 00:00:00 2001
From: matt335672 <30179339+matt335672@users.noreply.github.com>
Date: Wed, 7 Dec 2022 10:21:41 +0000
Subject: [PATCH] CVE-2022-23483

Sanitise channel data being passed from application

Avoids OOB read if the size field is incorrect.
---
 xrdp/xrdp_mm.c | 27 +++++++++++++++++++++------
 1 file changed, 21 insertions(+), 6 deletions(-)

diff --git a/xrdp/xrdp_mm.c b/xrdp/xrdp_mm.c
index 77a607c6..27f138d8 100644
--- a/xrdp/xrdp_mm.c
+++ b/xrdp/xrdp_mm.c
@@ -731,11 +731,11 @@ static int APP_CC
 xrdp_mm_trans_process_channel_data(struct xrdp_mm *self, struct trans *trans)
 {
     struct stream *s;
-    int size;
-    int total_size;
+    unsigned int size;
+    unsigned int total_size;
     int chan_id;
     int chan_flags;
-    int rv;
+    int rv = 0;
 
     s = trans_get_in_s(trans);
 
@@ -750,10 +750,25 @@ xrdp_mm_trans_process_channel_data(struct xrdp_mm *self, struct trans *trans)
     in_uint32_le(s, total_size);
     rv = xrdp_mm_trans_send_channel_data_response(self, trans);
 
-    if (rv == 0)
+    if (!s_check_rem_and_log(s, 10, "Reading channel data header"))
+    {
+        rv = 1;
+    }
+    else
     {
-        rv = libxrdp_send_to_channel(self->wm->session, chan_id, s->p, size, total_size,
-                                     chan_flags);
+        in_uint16_le(s, chan_id);
+        in_uint16_le(s, chan_flags);
+        in_uint16_le(s, size);
+        in_uint32_le(s, total_size);
+        if (!s_check_rem_and_log(s, size, "Reading channel data data"))
+        {
+            rv = 1;
+        }
+        else
+        {
+            rv = libxrdp_send_to_channel(self->wm->session, chan_id,
+                                         s->p, size, total_size, chan_flags);
+        }
     }
 
     return rv;
-- 
2.39.0