SUSE:SLE-15-SP7:GA
File xrdp-CVE-2022-23479.patch of Package xrdp.27351
From 0baca2d0ba3251b41f90f8804eeadf37a8b78bb3 Mon Sep 17 00:00:00 2001 From: matt335672 <30179339+matt335672@users.noreply.github.com> Date: Wed, 7 Dec 2022 09:44:56 +0000 Subject: [PATCH 04/10] CVE-2022-23479 Detect attempts to overflow input buffer If application code hasn't properly sanitised the header_size for a transport, it is possible for read requests to be issued which overflow the input buffer. This change detects this at a low level and bounces the read request. --- common/trans.c | 16 ++++++++++++---- common/trans.h | 2 +- 2 files changed, 13 insertions(+), 5 deletions(-) diff --git a/common/trans.c b/common/trans.c index 883d7cbd..3fcac1c6 100644 --- a/common/trans.c +++ b/common/trans.c @@ -299,8 +299,8 @@ trans_check_wait_objs(struct trans *self) tbus in_sck = (tbus) 0; struct trans *in_trans = (struct trans *) NULL; int read_bytes = 0; - int to_read = 0; - int read_so_far = 0; + unsigned int to_read = 0; + unsigned int read_so_far = 0; int rv = 0; int cur_source; @@ -371,13 +371,21 @@ trans_check_wait_objs(struct trans *self) } else if (self->trans_can_recv(self, self->sck, 0)) { + /* CVE-2022-23479 - check a malicious caller hasn't managed + * to set the header_size to an unreasonable value */ + if (self->header_size > (unsigned int)self->in_s->size) + { + self->status = TRANS_STATUS_DOWN; + return 1; + } + cur_source = 0; if (self->si != 0) { cur_source = self->si->cur_source; self->si->cur_source = self->my_source; } - read_so_far = (int) (self->in_s->end - self->in_s->data); + read_so_far = self->in_s->end - self->in_s->data; to_read = self->header_size - read_so_far; if (to_read > 0) @@ -417,7 +425,7 @@ trans_check_wait_objs(struct trans *self) } } - read_so_far = (int) (self->in_s->end - self->in_s->data); + read_so_far = self->in_s->end - self->in_s->data; if (read_so_far == self->header_size) { diff --git a/common/trans.h b/common/trans.h index 1e1efd16..73953417 100644 --- a/common/trans.h +++ b/common/trans.h 
@@ -71,7 +71,7 @@ struct trans ttrans_data_in trans_data_in; ttrans_conn_in trans_conn_in; void* callback_data; - int header_size; + unsigned int header_size; struct stream* in_s; struct stream* out_s; char* listen_filename; -- 2.39.0
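Review bot: in the declarations at the top of trans_check_wait_objs() in common/trans.c, making to_read unsigned changes what the later test "if (to_read > 0)" can catch. If read_so_far ever exceeds self->header_size, "to_read = self->header_size - read_so_far" now wraps to a large positive value instead of going negative, and the test passes. Suggest comparing before subtracting (read only when read_so_far < self->header_size) and treating read_so_far > self->header_size as an error, so the guard does not depend on the result of the subtraction.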
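Review bot: the new header_size check in the trans_can_recv branch of common/trans.c sets TRANS_STATUS_DOWN and returns 1 without recording why. This path only fires when a caller has failed to sanitise header_size, so a log message giving header_size and in_s->size at that point would make the rejected read visible to operators and help locate the offending caller. The "(unsigned int)self->in_s->size" cast also deserves a comment or an explicit test: if size is a signed type and ever negative, the cast turns it into a large value and the check lets the request through.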
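Review bot: in common/trans.h the header_size member of struct trans changes type with no comment stating the contract the .c change now enforces. A one-line comment on the member saying it must not exceed in_s->size, and that trans_check_wait_objs() takes the transport down otherwise, would put the constraint where callers that set the field will see it. Code that assigns or compares header_size using signed values is worth a pass for implicit-conversion warnings after this type change.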