File freerdp-CVE-2026-22859.patch of Package freerdp2
From 7b7e6de8fe427a2f01d331056774aec69710590b Mon Sep 17 00:00:00 2001
From: akallabeth <akallabeth@posteo.net>
Date: Sat, 10 Jan 2026 08:43:40 +0100
Subject: [PATCH] [channels,urbdrc] check interface indices before use
---
channels/urbdrc/client/data_transfer.c | 6 +-
.../urbdrc/client/libusb/libusb_udevice.c | 78 ++++++++++++-------
channels/urbdrc/common/msusb.c | 6 +-
3 files changed, 54 insertions(+), 36 deletions(-)
Index: freerdp-2.11.7/channels/urbdrc/client/data_transfer.c
===================================================================
--- freerdp-2.11.7.orig/channels/urbdrc/client/data_transfer.c
+++ freerdp-2.11.7/channels/urbdrc/client/data_transfer.c
@@ -397,13 +397,12 @@ static void func_select_all_interface_fo
{
UINT32 inum;
MSUSB_INTERFACE_DESCRIPTOR** MsInterfaces = MsConfig->MsInterfaces;
- BYTE InterfaceNumber, AlternateSetting;
UINT32 NumInterfaces = MsConfig->NumInterfaces;
for (inum = 0; inum < NumInterfaces; inum++)
{
- InterfaceNumber = MsInterfaces[inum]->InterfaceNumber;
- AlternateSetting = MsInterfaces[inum]->AlternateSetting;
+ const BYTE InterfaceNumber = MsInterfaces[inum]->InterfaceNumber;
+ const BYTE AlternateSetting = MsInterfaces[inum]->AlternateSetting;
pdev->select_interface(pdev, InterfaceNumber, AlternateSetting);
}
}
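Review bot: `InterfaceNumber` and `AlternateSetting` are still passed to `pdev->select_interface` exactly as read from `MsInterfaces[inum]`, with no range check in this loop and the call's result not inspected. Whether `select_interface` itself bounds the index against `NumInterfaces` is not visible in this patch, so that should be confirmed. If it does not, a guard such as `if (InterfaceNumber >= NumInterfaces) continue;` (or an error return, if the function can be changed to report one) belongs here. `MsInterfaces[inum]` is also dereferenced without a NULL check, which only matters if a slot can be left empty after a failed read.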
Index: freerdp-2.11.7/channels/urbdrc/client/libusb/libusb_udevice.c
===================================================================
--- freerdp-2.11.7.orig/channels/urbdrc/client/libusb/libusb_udevice.c
+++ freerdp-2.11.7/channels/urbdrc/client/libusb/libusb_udevice.c
@@ -571,25 +571,13 @@ static MSUSB_CONFIG_DESCRIPTOR*
libusb_udev_complete_msconfig_setup(IUDEVICE* idev, MSUSB_CONFIG_DESCRIPTOR* MsConfig)
{
UDEVICE* pdev = (UDEVICE*)idev;
- MSUSB_INTERFACE_DESCRIPTOR** MsInterfaces;
- MSUSB_INTERFACE_DESCRIPTOR* MsInterface;
- MSUSB_PIPE_DESCRIPTOR** MsPipes;
- MSUSB_PIPE_DESCRIPTOR* MsPipe;
- MSUSB_PIPE_DESCRIPTOR** t_MsPipes;
- MSUSB_PIPE_DESCRIPTOR* t_MsPipe;
- LIBUSB_CONFIG_DESCRIPTOR* LibusbConfig;
- const LIBUSB_INTERFACE* LibusbInterface;
- const LIBUSB_INTERFACE_DESCRIPTOR* LibusbAltsetting;
- const LIBUSB_ENDPOINT_DESCEIPTOR* LibusbEndpoint;
- BYTE LibusbNumEndpoint;
- URBDRC_PLUGIN* urbdrc;
UINT32 inum = 0, pnum = 0, MsOutSize = 0;
if (!pdev || !pdev->LibusbConfig || !pdev->urbdrc || !MsConfig)
return NULL;
- urbdrc = pdev->urbdrc;
- LibusbConfig = pdev->LibusbConfig;
+ URBDRC_PLUGIN* urbdrc = pdev->urbdrc;
+ LIBUSB_CONFIG_DESCRIPTOR* LibusbConfig = pdev->LibusbConfig;
if (LibusbConfig->bNumInterfaces != MsConfig->NumInterfaces)
{
@@ -597,28 +585,56 @@ libusb_udev_complete_msconfig_setup(IUDE
"Select Configuration: Libusb NumberInterfaces(%" PRIu8 ") is different "
"with MsConfig NumberInterfaces(%" PRIu32 ")",
LibusbConfig->bNumInterfaces, MsConfig->NumInterfaces);
+ return NULL;
}
/* replace MsPipes for libusb */
- MsInterfaces = MsConfig->MsInterfaces;
+ MSUSB_INTERFACE_DESCRIPTOR** MsInterfaces = MsConfig->MsInterfaces;
for (inum = 0; inum < MsConfig->NumInterfaces; inum++)
{
- MsInterface = MsInterfaces[inum];
+ MSUSB_INTERFACE_DESCRIPTOR* MsInterface = MsInterfaces[inum];
+ if (MsInterface->InterfaceNumber >= MsConfig->NumInterfaces)
+ {
+ WLog_Print(urbdrc->log, WLOG_ERROR,
+ "MSUSB_CONFIG_DESCRIPTOR::NumInterfaces (%" PRIu32
+ " <= MSUSB_INTERFACE_DESCRIPTOR::InterfaceNumber( %" PRIu8 ")",
+ MsConfig->NumInterfaces, MsInterface->InterfaceNumber);
+ return NULL;
+ }
+
+ const LIBUSB_INTERFACE* LibusbInterface =
+ &LibusbConfig->interface[MsInterface->InterfaceNumber];
+ if (MsInterface->AlternateSetting >= LibusbInterface->num_altsetting)
+ {
+ WLog_Print(urbdrc->log, WLOG_ERROR,
+ "LIBUSB_INTERFACE::num_altsetting (%" PRId32
+ " <= MSUSB_INTERFACE_DESCRIPTOR::AlternateSetting( %" PRIu8 ")",
+ LibusbInterface->num_altsetting, MsInterface->AlternateSetting);
+ return NULL;
+ }
+ }
+
+ for (UINT32 inum = 0; inum < MsConfig->NumInterfaces; inum++)
+ {
+ MSUSB_INTERFACE_DESCRIPTOR* MsInterface = MsInterfaces[inum];
/* get libusb's number of endpoints */
- LibusbInterface = &LibusbConfig->interface[MsInterface->InterfaceNumber];
- LibusbAltsetting = &LibusbInterface->altsetting[MsInterface->AlternateSetting];
- LibusbNumEndpoint = LibusbAltsetting->bNumEndpoints;
- t_MsPipes =
+ const LIBUSB_INTERFACE* LibusbInterface =
+ &LibusbConfig->interface[MsInterface->InterfaceNumber];
+ const LIBUSB_INTERFACE_DESCRIPTOR* LibusbAltsetting =
+ &LibusbInterface->altsetting[MsInterface->AlternateSetting];
+ const BYTE LibusbNumEndpoint = LibusbAltsetting->bNumEndpoints;
+ MSUSB_PIPE_DESCRIPTOR** t_MsPipes =
(MSUSB_PIPE_DESCRIPTOR**)calloc(LibusbNumEndpoint, sizeof(MSUSB_PIPE_DESCRIPTOR*));
for (pnum = 0; pnum < LibusbNumEndpoint; pnum++)
{
- t_MsPipe = (MSUSB_PIPE_DESCRIPTOR*)calloc(1, sizeof(MSUSB_PIPE_DESCRIPTOR));
+ MSUSB_PIPE_DESCRIPTOR* t_MsPipe =
+ (MSUSB_PIPE_DESCRIPTOR*)calloc(1, sizeof(MSUSB_PIPE_DESCRIPTOR));
if (pnum < MsInterface->NumberOfPipes && MsInterface->MsPipes)
{
- MsPipe = MsInterface->MsPipes[pnum];
+ MSUSB_PIPE_DESCRIPTOR* MsPipe = MsInterface->MsPipes[pnum];
t_MsPipe->MaximumPacketSize = MsPipe->MaximumPacketSize;
t_MsPipe->MaximumTransferSize = MsPipe->MaximumTransferSize;
t_MsPipe->PipeFlags = MsPipe->PipeFlags;
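Review bot: Both `calloc` results in the second loop are used without a NULL check: `t_MsPipes` is sized by `LibusbNumEndpoint`, and `t_MsPipe` is written through on the `t_MsPipe->MaximumPacketSize = ...` line. An allocation failure therefore becomes a NULL dereference in the same function this commit hardens. Adding `if (!t_MsPipes && (LibusbNumEndpoint > 0)) return NULL;` after the array allocation and `if (!t_MsPipe) return NULL;` in the pipe loop would close it, provided the pipes already allocated for this interface are released first. That cleanup depends on code past the end of the hunk, where the loop body continues. Separately, `for (UINT32 inum = 0; ...)` shadows the function-scope `inum` that the other loops use; reusing the outer variable keeps `-Wshadow` builds clean.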
@@ -656,10 +671,12 @@ libusb_udev_complete_msconfig_setup(IUDE
for (inum = 0; inum < MsConfig->NumInterfaces; inum++)
{
MsOutSize += 16;
- MsInterface = MsInterfaces[inum];
+ MSUSB_INTERFACE_DESCRIPTOR* MsInterface = MsInterfaces[inum];
/* get libusb's interface */
- LibusbInterface = &LibusbConfig->interface[MsInterface->InterfaceNumber];
- LibusbAltsetting = &LibusbInterface->altsetting[MsInterface->AlternateSetting];
+ const LIBUSB_INTERFACE* LibusbInterface =
+ &LibusbConfig->interface[MsInterface->InterfaceNumber];
+ const LIBUSB_INTERFACE_DESCRIPTOR* LibusbAltsetting =
+ &LibusbInterface->altsetting[MsInterface->AlternateSetting];
/* InterfaceHandle: 4 bytes
* ---------------------------------------------------------------
* ||<<< 1 byte >>>|<<< 1 byte >>>|<<< 1 byte >>>|<<< 1 byte >>>||
@@ -674,15 +691,15 @@ libusb_udev_complete_msconfig_setup(IUDE
MsInterface->bInterfaceSubClass = LibusbAltsetting->bInterfaceSubClass;
MsInterface->bInterfaceProtocol = LibusbAltsetting->bInterfaceProtocol;
MsInterface->InitCompleted = 1;
- MsPipes = MsInterface->MsPipes;
- LibusbNumEndpoint = LibusbAltsetting->bNumEndpoints;
+ MSUSB_PIPE_DESCRIPTOR** MsPipes = MsInterface->MsPipes;
+ const BYTE LibusbNumEndpoint = LibusbAltsetting->bNumEndpoints;
for (pnum = 0; pnum < LibusbNumEndpoint; pnum++)
{
MsOutSize += 20;
- MsPipe = MsPipes[pnum];
+ MSUSB_PIPE_DESCRIPTOR* MsPipe = MsPipes[pnum];
/* get libusb's endpoint */
- LibusbEndpoint = &LibusbAltsetting->endpoint[pnum];
+ const LIBUSB_ENDPOINT_DESCEIPTOR* LibusbEndpoint = &LibusbAltsetting->endpoint[pnum];
/* PipeHandle: 4 bytes
* ---------------------------------------------------------------
* ||<<< 1 byte >>>|<<< 1 byte >>>|<<<<<<<<<< 2 byte >>>>>>>>>>>||
Index: freerdp-2.11.7/channels/urbdrc/common/msusb.c
===================================================================
--- freerdp-2.11.7.orig/channels/urbdrc/common/msusb.c
+++ freerdp-2.11.7/channels/urbdrc/common/msusb.c
@@ -139,6 +139,8 @@ BOOL msusb_msinterface_replace(MSUSB_CON
{
if (!MsConfig || !MsConfig->MsInterfaces)
return FALSE;
+ if (MsConfig->NumInterfaces <= InterfaceNumber)
+ return FALSE;
msusb_msinterface_free(MsConfig->MsInterfaces[InterfaceNumber]);
MsConfig->MsInterfaces[InterfaceNumber] = NewMsInterface;
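Review bot: The new `return FALSE` path leaves `NewMsInterface` untouched, so ownership on failure stays with the caller. The callers are not part of this patch, so confirm that each one checks the result and frees the descriptor instead of leaking it or carrying on as if the slot had been replaced. A short comment above the check would record why it exists, for example `/* InterfaceNumber comes from the received descriptor; reject indices outside MsInterfaces[] */`. The function's signature and tail lie outside the hunk.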
@@ -147,12 +149,10 @@ BOOL msusb_msinterface_replace(MSUSB_CON
MSUSB_INTERFACE_DESCRIPTOR* msusb_msinterface_read(wStream* s)
{
- MSUSB_INTERFACE_DESCRIPTOR* MsInterface;
-
if (Stream_GetRemainingCapacity(s) < 12)
return NULL;
- MsInterface = msusb_msinterface_new();
+ MSUSB_INTERFACE_DESCRIPTOR* MsInterface = msusb_msinterface_new();
if (!MsInterface)
return NULL;
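Review bot: The length guard kept as context here tests `Stream_GetRemainingCapacity(s) < 12`, which measures the buffer's allocated size rather than the bytes actually received. If the stream's length is sealed to the received payload before it reaches this parser, `Stream_GetRemainingLength(s) < 12` is the check that stops a short message from being parsed out of stale buffer contents. How the stream is prepared is not visible in this patch, so this needs confirming against the caller. The rest of the function body is outside the hunk.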