File xrdp-CVE-2022-23479.patch of Package xrdp.27289

From 8caf9ee35da5e6d5838e260e694352214f489d20 Mon Sep 17 00:00:00 2001
From: matt335672 <30179339+matt335672@users.noreply.github.com>
Date: Wed, 7 Dec 2022 09:44:56 +0000
Subject: [PATCH 3/8] CVE-2022-23479

Detect attempts to overflow input buffer

If application code hasn't properly sanitised the header_size
for a transport, it is possible for read requests to be issued
which overflow the input buffer. This change detects this
at a low level and rejects the read request by marking the
transport as down.
---
 common/trans.c | 16 ++++++++++++----
 common/trans.h |  2 +-
 2 files changed, 13 insertions(+), 5 deletions(-)

diff --git a/common/trans.c b/common/trans.c
index 9448760c..c86cbbb3 100644
--- a/common/trans.c
+++ b/common/trans.c
@@ -281,8 +281,8 @@ trans_check_wait_objs(struct trans *self)
     tbus in_sck = (tbus) 0;
     struct trans *in_trans = (struct trans *) NULL;
     int read_bytes = 0;
-    int to_read = 0;
-    int read_so_far = 0;
+    unsigned int to_read = 0;
+    unsigned int read_so_far = 0;
     int rv = 0;
     int cur_source;
 
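Review bot: `read_bytes` stays `int` while `to_read` becomes `unsigned int`, so any comparison between the two later in trans_check_wait_objs (not visible in this hunk) is now a signed/unsigned comparison in which a negative error return from the receive path compares greater than any `to_read` value. If such a comparison exists, keep the `read_bytes < 0` check ahead of it, or compare as `(unsigned int)read_bytes` only after the sign has been checked. The function body continues past the end of this hunk.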
@@ -353,13 +353,21 @@ trans_check_wait_objs(struct trans *self)
         }
         else if (self->trans_can_recv(self, self->sck, 0))
         {
+            /* CVE-2022-23479 - check a malicious caller hasn't managed
+             * to set the header_size to an unreasonable value */
+            if (self->header_size > (unsigned int)self->in_s->size)
+            {
+                self->status = TRANS_STATUS_DOWN;
+                return 1;
+            }
+
             cur_source = 0;
             if (self->si != 0)
             {
                 cur_source = self->si->cur_source;
                 self->si->cur_source = self->my_source;
             }
-            read_so_far = (int) (self->in_s->end - self->in_s->data);
+            read_so_far = self->in_s->end - self->in_s->data;
             to_read = self->header_size - read_so_far;
 
             if (to_read > 0)
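Review bot: The subtraction `to_read = self->header_size - read_so_far;` is now unsigned and wraps to a huge value whenever read_so_far exceeds header_size, and the `if (to_read > 0)` that follows no longer filters that case (with the old int locals a negative result skipped the read). Whether read_so_far can exceed header_size depends on the application callbacks that set header_size outside this hunk, so this is a hedge; the new check only bounds header_size against in_s->size, not against the bytes already buffered. A cheap guard is to replace the two lines with `if (self->header_size > read_so_far)` and compute `to_read = self->header_size - read_so_far;` inside it, or to take the transport down when `read_so_far > self->header_size` next to the new check. The enclosing function trans_check_wait_objs continues beyond this hunk.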
@@ -399,7 +407,7 @@ trans_check_wait_objs(struct trans *self)
                 }
             }
 
-            read_so_far = (int) (self->in_s->end - self->in_s->data);
+            read_so_far = self->in_s->end - self->in_s->data;
 
             if (read_so_far == self->header_size)
             {
diff --git a/common/trans.h b/common/trans.h
index 57a0fd6a..1236866d 100644
--- a/common/trans.h
+++ b/common/trans.h
@@ -69,7 +69,7 @@ struct trans
     ttrans_data_in trans_data_in;
     ttrans_conn_in trans_conn_in;
     void* callback_data;
-    int header_size;
+    unsigned int header_size;
     struct stream* in_s;
     struct stream* out_s;
     char* listen_filename;
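Review bot: The new `unsigned int header_size` field carries no comment stating the invariant the patch now enforces, which is the contract application code must respect; a one-line comment would help, e.g. `unsigned int header_size; /* must not exceed in_s->size; trans_check_wait_objs drops the transport otherwise */`. Callers that previously stored a negative int here now store a large unsigned value, which the new check rejects instead of reading, so callers should validate parsed lengths before assigning. The struct definition continues outside the hunk.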
-- 
2.39.0
