mirrors
/
xrdp
mirror of https://github.com/neutrinolabs/xrdp
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Merge pull request from GHSA-pgx2-3fjj-fqqh 

CVE-2022-23479
This commit is contained in:
metalefty 2022-12-09 22:10:58 +09:00 committed by GitHub
parent 0418502eb3 ba2b9fc606
commit 8484767250
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
3 changed files with 18 additions and 7 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

19
common/trans.c
View File

@ -297,8 +297,8 @@ trans_check_wait_objs(struct trans *self)
tbus in_sck = (tbus) 0;
struct trans *in_trans = (struct trans *) NULL;
int read_bytes = 0;
int to_read = 0;
int read_so_far = 0;
unsigned int to_read = 0;
unsigned int read_so_far = 0;
int rv = 0;
enum xrdp_source cur_source;
@ -369,13 +369,24 @@ trans_check_wait_objs(struct trans *self)
}
else if (self->trans_can_recv(self, self->sck, 0))
{
/* CVE-2022-23479 - check a malicious caller hasn't managed
* to set the header_size to an unreasonable value */
if (self->header_size > (unsigned int)self->in_s->size)
{
LOG(LOG_LEVEL_ERROR,
"trans_check_wait_objs: Reading %u bytes beyond buffer",
self->header_size - (unsigned int)self->in_s->size);
self->status = TRANS_STATUS_DOWN;
return 1;
}
cur_source = XRDP_SOURCE_NONE;
if (self->si != 0)
{
cur_source = self->si->cur_source;
self->si->cur_source = self->my_source;
}
read_so_far = (int) (self->in_s->end - self->in_s->data);
read_so_far = self->in_s->end - self->in_s->data;
to_read = self->header_size - read_so_far;
if (to_read > 0)
@ -415,7 +426,7 @@ trans_check_wait_objs(struct trans *self)
}
}
read_so_far = (int) (self->in_s->end - self->in_s->data);
read_so_far = self->in_s->end - self->in_s->data;
if (read_so_far == self->header_size)
{

2
common/trans.h
View File

@ -98,7 +98,7 @@ struct trans
ttrans_data_in trans_data_in;
ttrans_conn_in trans_conn_in;
void *callback_data;
int header_size;
unsigned int header_size;
struct stream *in_s;
struct stream *out_s;
char *listen_filename;

4
xrdp/xrdp_process.c
View File

@ -172,7 +172,7 @@ xrdp_process_data_in(struct trans *self)
}
len = (int) (s->end - s->data);
if (pro->server_trans->header_size > len)
if (pro->server_trans->header_size > (unsigned int)len)
{
/* not enough data read yet */
break;
@ -192,7 +192,7 @@ xrdp_process_data_in(struct trans *self)
pro->server_trans->extra_flags = 3;
len = (int) (s->end - s->data);
if (pro->server_trans->header_size > len)
if (pro->server_trans->header_size > (unsigned int)len)
{
/* not enough data read yet */
break;