Sign Up
Log In
Log In
or
Sign Up
Places
All Projects
Status Monitor
Collapse sidebar
SUSE:SLE-15-SP3:Update
freerdp
freerdp-CVE-2022-39319.patch
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File freerdp-CVE-2022-39319.patch of Package freerdp
From 8ad8607f80597285fb366ee3b5ddd0530be2ee29 Mon Sep 17 00:00:00 2001 From: akallabeth <akallabeth@posteo.net> Date: Thu, 13 Oct 2022 08:47:51 +0200 Subject: [PATCH] Fixed missing input buffer length check in urbdrc (cherry picked from commit 497df00f741dd4fc89292aaef2db7368aee45d0d) --- channels/urbdrc/client/data_transfer.c | 20 ++++++++++++++++++++ 1 file changed, 20 insertions(+) diff --git a/channels/urbdrc/client/data_transfer.c b/channels/urbdrc/client/data_transfer.c index ecacc695f..bbb6104e3 100644 --- a/channels/urbdrc/client/data_transfer.c +++ b/channels/urbdrc/client/data_transfer.c @@ -241,6 +241,10 @@ static UINT urbdrc_process_io_control(IUDEVICE* pdev, URBDRC_CHANNEL_CALLBACK* c Stream_Read_UINT32(s, OutputBufferSize); Stream_Read_UINT32(s, RequestId); + + if (OutputBufferSize > UINT32_MAX - 4) + return ERROR_INVALID_DATA; + InterfaceId = ((STREAM_ID_PROXY << 30) | pdev->get_ReqCompletion(pdev)); out = urb_create_iocompletion(InterfaceId, MessageId, RequestId, OutputBufferSize); @@ -714,6 +718,15 @@ static UINT urb_bulk_or_interrupt_transfer(IUDEVICE* pdev, URBDRC_CHANNEL_CALLBA Stream_Read_UINT32(s, TransferFlags); /** TransferFlags */ Stream_Read_UINT32(s, OutputBufferSize); EndpointAddress = (PipeHandle & 0x000000ff); + + if (transferDir == USBD_TRANSFER_DIRECTION_OUT) + { + if (Stream_GetRemainingLength(s) < OutputBufferSize) + { + return ERROR_INVALID_DATA; + } + } + /** process TS_URB_BULK_OR_INTERRUPT_TRANSFER */ return pdev->bulk_or_interrupt_transfer(pdev, callback, MessageId, RequestId, EndpointAddress, TransferFlags, noAck, OutputBufferSize, @@ -799,6 +812,13 @@ static UINT urb_isoch_transfer(IUDEVICE* pdev, URBDRC_CHANNEL_CALLBACK* callback packetDescriptorData = Stream_Pointer(s); Stream_Seek(s, NumberOfPackets * 12); Stream_Read_UINT32(s, OutputBufferSize); + + if (transferDir == USBD_TRANSFER_DIRECTION_OUT) + { + if (Stream_GetRemainingLength(s) < OutputBufferSize) + return ERROR_INVALID_DATA; + } + return pdev->isoch_transfer( pdev, callback, MessageId, RequestId, EndpointAddress, TransferFlags, StartFrame, ErrorCount, noAck, packetDescriptorData, NumberOfPackets, OutputBufferSize, -- 2.35.3
Locations
Projects
Search
Status Monitor
Help
OpenBuildService.org
Documentation
API Documentation
Code of Conduct
Contact
Support
@OBShq
Terms
openSUSE Build Service is sponsored by
The Open Build Service is an
openSUSE project
.
Sign Up
Log In
Places
Places
All Projects
Status Monitor
