File freerdp-CVE-2022-24882.patch of Package freerdp.27686
From d13bd3a09d26b293a945ea7fa1d4b2f2375bcd58 Mon Sep 17 00:00:00 2001
From: Armin Novak <armin.novak@thincast.com>
Date: Mon, 28 Mar 2022 12:58:19 +0200
Subject: [PATCH] Fixed missing field read.
(cherry picked from commit cb538114ed0e0739ccc6c65754462265ba1072ed)
---
winpr/libwinpr/sspi/NTLM/ntlm_message.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/winpr/libwinpr/sspi/NTLM/ntlm_message.c b/winpr/libwinpr/sspi/NTLM/ntlm_message.c
index 34813a414..0143ec0c2 100644
--- a/winpr/libwinpr/sspi/NTLM/ntlm_message.c
+++ b/winpr/libwinpr/sspi/NTLM/ntlm_message.c
@@ -71,6 +71,7 @@ static const char* const NTLM_NEGOTIATE_STRINGS[] = { "NTLMSSP_NEGOTIATE_56",
"NTLMSSP_REQUEST_TARGET",
"NTLMSSP_NEGOTIATE_OEM",
"NTLMSSP_NEGOTIATE_UNICODE" };
+static void ntlm_free_message_fields_buffer(NTLM_MESSAGE_FIELDS* fields);
static void ntlm_print_negotiate_flags(UINT32 flags)
{
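Review bot: The prototype added in this hunk is `static`, but the last hunk removes `static` from the definition of `ntlm_free_message_fields_buffer`, so the two declarations no longer read the same. Because the `static` prototype is seen first, the function keeps internal linkage under C's linkage rules. The edit to the definition therefore changes nothing, yet suggests the helper is now exported. I would keep the definition as `static void ntlm_free_message_fields_buffer(NTLM_MESSAGE_FIELDS* fields)` and make the prototype the only new line. If external use is really intended, the declaration belongs in a header without `static`.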
@@ -120,6 +121,8 @@ static int ntlm_read_message_fields(wStream* s, NTLM_MESSAGE_FIELDS* fields)
if (Stream_GetRemainingLength(s) < 8)
return -1;
+ ntlm_free_message_fields_buffer(fields);
+
Stream_Read_UINT16(s, fields->Len); /* Len (2 bytes) */
Stream_Read_UINT16(s, fields->MaxLen); /* MaxLen (2 bytes) */
Stream_Read_UINT32(s, fields->BufferOffset); /* BufferOffset (4 bytes) */
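Review bot: The added `ntlm_free_message_fields_buffer(fields);` runs only after the `Stream_GetRemainingLength(s) < 8` check, so a truncated message returns -1 with whatever an earlier parse left in `fields`. Moving the call above the length check would reset the struct on the failure path too; whether any caller reuses `fields` after an error is not visible here. The call also appears to assume that `fields` was zero-initialised before its first read, since the helper presumably frees the stored buffer pointer. That precondition deserves a comment, for example `/* drop any buffer from a previous parse; fields must start zeroed */`. Both the helper's body and the rest of `ntlm_read_message_fields` lie outside the hunk.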
@@ -169,7 +172,7 @@ static void ntlm_write_message_fields_buffer(wStream* s, NTLM_MESSAGE_FIELDS* fi
}
}
-static void ntlm_free_message_fields_buffer(NTLM_MESSAGE_FIELDS* fields)
+void ntlm_free_message_fields_buffer(NTLM_MESSAGE_FIELDS* fields)
{
if (fields)
{
--
2.26.2