CVE-2022-23482

Check minimum length of TS_UD_CS_CORE message

libxrdp/xrdp_sec.c

@@ -1944,6 +1944,17 @@ xrdp_sec_send_fastpath(struct xrdp_sec *self, struct stream *s)
 static int
 xrdp_sec_process_mcs_data_CS_CORE(struct xrdp_sec *self, struct stream *s)
 {
+#define CS_CORE_MIN_LENGTH \
+    (\
+     4 +            /* Version */ \
+     2 + 2 +        /* desktopWidth + desktopHeight */ \
+     2 + 2 +        /* colorDepth + SASSequence */ \
+     4 +            /* keyboardLayout */ \
+     4 + 32 +       /* clientBuild + clientName */ \
+     4 + 4 + 4 +    /* keyboardType + keyboardSubType + keyboardFunctionKey */ \
+     64 +           /* imeFileName */ \
+     0)
+
     int version;
     int colorDepth;
     int postBeta2ColorDepth;
@@ -1959,6 +1970,11 @@ xrdp_sec_process_mcs_data_CS_CORE(struct xrdp_sec *self, struct stream *s)
     client_info->session_physical_height = 0;
 
     /* TS_UD_CS_CORE required fields */
+    if (!s_check_rem_and_log(s, CS_CORE_MIN_LENGTH,
+                             "Parsing [MS-RDPBCGR] TS_UD_CS_CORE"))
+    {
+        return 1;
+    }
     in_uint32_le(s, version);
     in_uint16_le(s, client_info->display_sizes.session_width);
     in_uint16_le(s, client_info->display_sizes.session_height);
@@ -1996,6 +2012,10 @@ xrdp_sec_process_mcs_data_CS_CORE(struct xrdp_sec *self, struct stream *s)
               clientName);
 
     /* TS_UD_CS_CORE optional fields */
+    if (!s_check_rem(s, 2))
+    {
+        return 0;
+    }
     in_uint16_le(s, postBeta2ColorDepth);
     LOG_DEVEL(LOG_LEVEL_TRACE, "Received [MS-RDPBCGR] TS_UD_CS_CORE "
               "<Optional Field> postBeta2ColorDepth %s",
@@ -2161,6 +2181,7 @@ xrdp_sec_process_mcs_data_CS_CORE(struct xrdp_sec *self, struct stream *s)
               "<Optional Field> desktopOrientation (ignored)");
 
     return 0;
+#undef CS_CORE_MIN_LENGTH
 }
 
 /*****************************************************************************/