File freerdp-CVE-2026-22855.patch of Package freerdp.42881

From 57c5647d98c2a026de8b681159cb188ca0439ef8 Mon Sep 17 00:00:00 2001
From: akallabeth <akallabeth@posteo.net>
Date: Sun, 11 Jan 2026 09:03:57 +0100
Subject: [PATCH] [utils,smartcard] add length validity checks

in smartcard_unpack_set_attrib_call input length validity checks were
missing.
---
 libfreerdp/utils/smartcard_pack.c | 27 +++++++++++++++++++++------
 1 file changed, 21 insertions(+), 6 deletions(-)

Index: FreeRDP-2.4.0/channels/smartcard/client/smartcard_pack.c
===================================================================
--- FreeRDP-2.4.0.orig/channels/smartcard/client/smartcard_pack.c
+++ FreeRDP-2.4.0/channels/smartcard/client/smartcard_pack.c
@@ -25,6 +25,7 @@
 #include "config.h"
 #endif
 
+#include <winpr/assert.h>
 #include <winpr/crt.h>
 #include <winpr/print.h>
 
@@ -98,13 +99,16 @@ static BOOL smartcard_ndr_pointer_read_(
 	return TRUE;
 }
 
-static LONG smartcard_ndr_read(wStream* s, BYTE** data, size_t min, size_t elementSize,
-                               ndr_ptr_t type)
+static LONG smartcard_ndr_read_ex(wStream* s, BYTE** data, size_t min, size_t elementSize,
+                                  ndr_ptr_t type, size_t* plen)
 {
 	size_t len, offset, len2;
 	void* r;
 	size_t required;
 
+    if (plen)
+        *plen = 0;
+
 	switch (type)
 	{
 		case NDR_PTR_FULL:
@@ -181,11 +185,20 @@ static LONG smartcard_ndr_read(wStream*
 	if (!r)
 		return SCARD_E_NO_MEMORY;
 	Stream_Read(s, r, len);
-	smartcard_unpack_read_size_align(NULL, s, len, 4);
+    const LONG pad = smartcard_unpack_read_size_align(NULL, s, len, 4);
+	len += (size_t)pad;
 	*data = r;
+    if (plen)
+        *plen = len;
 	return STATUS_SUCCESS;
 }
 
+static LONG smartcard_ndr_read(wStream* s, BYTE** data, size_t min, size_t elementSize,
+                               ndr_ptr_t type)
+{
+	return smartcard_ndr_read_ex(s, data, min, elementSize, type, NULL);
+}
+
 static BOOL smartcard_ndr_pointer_write(wStream* s, UINT32* index, DWORD length)
 {
 	const UINT32 ndrPtr = 0x20000 + (*index) * 4;
@@ -3427,12 +3440,15 @@ LONG smartcard_unpack_set_attrib_call(SM
 
 	if (ndrPtr)
 	{
-		// TODO: call->cbAttrLen was larger than the pointer value.
-		// TODO: Maybe need to refine the checks?
-		status = smartcard_ndr_read(s, &call->pbAttr, 0, 1, NDR_PTR_SIMPLE);
+        size_t len = 0;
+        status = smartcard_ndr_read_ex(s, &call->pbAttr, 0, 1, NDR_PTR_SIMPLE, &len);
 		if (status != SCARD_S_SUCCESS)
 			return status;
+        if (call->cbAttrLen > len)
+            call->cbAttrLen = WINPR_ASSERTING_INT_CAST(DWORD, len);
 	}
+	else
+		call->cbAttrLen = 0;
 	smartcard_trace_set_attrib_call(smartcard, call);
 	return SCARD_S_SUCCESS;
 }
openSUSE Build Service is sponsored by