File xrdp-CVE-2022-23481.patch of Package xrdp.27351
From 356fb45702890acc91bde9c19eb5fe07ca0316c4 Mon Sep 17 00:00:00 2001
From: matt335672 <30179339+matt335672@users.noreply.github.com>
Date: Wed, 7 Dec 2022 10:40:25 +0000
Subject: [PATCH 06/10] CVE-2022-23481
Add length checks to client confirm active PDU parsing
---
libxrdp/xrdp_caps.c | 14 +++++++++++++-
1 file changed, 13 insertions(+), 1 deletion(-)
diff --git a/libxrdp/xrdp_caps.c b/libxrdp/xrdp_caps.c
index ead495ca..ba24eb31 100644
--- a/libxrdp/xrdp_caps.c
+++ b/libxrdp/xrdp_caps.c
@@ -606,11 +606,23 @@ xrdp_caps_process_confirm_active(struct xrdp_rdp *self, struct stream *s)
int len;
char *p;
- DEBUG(("in xrdp_caps_process_confirm_active"));
+ if (!s_check_rem_and_log(s, 10,
+ "Parsing [MS-RDPBCGR] TS_CONFIRM_ACTIVE_PDU"
+ " - header"))
+ {
+ return 1;
+ }
in_uint8s(s, 4); /* rdp_shareid */
in_uint8s(s, 2); /* userid */
in_uint16_le(s, source_len); /* sizeof RDP_SOURCE */
in_uint16_le(s, cap_len);
+
+ if (!s_check_rem_and_log(s, source_len + 2 + 2,
+ "Parsing [MS-RDPBCGR] TS_CONFIRM_ACTIVE_PDU"
+ " - header2"))
+ {
+ return 1;
+ }
in_uint8s(s, source_len);
in_uint16_le(s, num_caps);
in_uint8s(s, 2); /* pad */
--
2.39.0