CVE-2022-23482

Check minimum length of TS_UD_CS_CORE message
This commit is contained in:
matt335672 2022-12-07 11:05:46 +00:00
parent bc6b052959
commit 1e42426db5

View File

@ -1944,6 +1944,17 @@ xrdp_sec_send_fastpath(struct xrdp_sec *self, struct stream *s)
static int
xrdp_sec_process_mcs_data_CS_CORE(struct xrdp_sec *self, struct stream *s)
{
#define CS_CORE_MIN_LENGTH \
(\
4 + /* Version */ \
2 + 2 + /* desktopWidth + desktopHeight */ \
2 + 2 + /* colorDepth + SASSequence */ \
4 + /* keyboardLayout */ \
4 + 32 + /* clientBuild + clientName */ \
4 + 4 + 4 + /* keyboardType + keyboardSubType + keyboardFunctionKey */ \
64 + /* imeFileName */ \
0)
int version;
int colorDepth;
int postBeta2ColorDepth;
@ -1959,6 +1970,11 @@ xrdp_sec_process_mcs_data_CS_CORE(struct xrdp_sec *self, struct stream *s)
client_info->session_physical_height = 0;
/* TS_UD_CS_CORE required fields */
if (!s_check_rem_and_log(s, CS_CORE_MIN_LENGTH,
"Parsing [MS-RDPBCGR] TS_UD_CS_CORE"))
{
return 1;
}
in_uint32_le(s, version);
in_uint16_le(s, client_info->display_sizes.session_width);
in_uint16_le(s, client_info->display_sizes.session_height);
@ -1996,6 +2012,10 @@ xrdp_sec_process_mcs_data_CS_CORE(struct xrdp_sec *self, struct stream *s)
clientName);
/* TS_UD_CS_CORE optional fields */
if (!s_check_rem(s, 2))
{
return 0;
}
in_uint16_le(s, postBeta2ColorDepth);
LOG_DEVEL(LOG_LEVEL_TRACE, "Received [MS-RDPBCGR] TS_UD_CS_CORE "
"<Optional Field> postBeta2ColorDepth %s",
@ -2161,6 +2181,7 @@ xrdp_sec_process_mcs_data_CS_CORE(struct xrdp_sec *self, struct stream *s)
"<Optional Field> desktopOrientation (ignored)");
return 0;
#undef CS_CORE_MIN_LENGTH
}
/*****************************************************************************/