CVE-2022-23479

Detect attempts to overflow input buffer If application code hasn't properly sanitised the header_size for a transport, it is possible for read requests to be issued which overflow the input buffer. This change detects this at a low level and bounces the read request.
2022-12-07 09:44:56 +00:00 · 2022-12-07 09:44:56 +00:00 · b1147f5faa
parent cea7313257
commit b1147f5faa
2 changed files with 16 additions and 5 deletions
--- a/common/trans.c
+++ b/common/trans.c
@ -309,8 +309,8 @@ trans_check_wait_objs(struct trans *self)
    tbus in_sck = (tbus) 0;
    struct trans *in_trans = (struct trans *) NULL;
    int read_bytes = 0;
-    int to_read = 0;
-    int read_so_far = 0;
+    unsigned int to_read = 0;
+    unsigned int read_so_far = 0;
    int rv = 0;
    enum xrdp_source cur_source;

@ -375,13 +375,24 @@ trans_check_wait_objs(struct trans *self)
        }
        else if (self->trans_can_recv(self, self->sck, 0))
        {
+            /* CVE-2022-23479 - check a malicious caller hasn't managed
+             * to set the header_size to an unreasonable value */
+            if (self->header_size > (unsigned int)self->in_s->size)
+            {
+                LOG(LOG_LEVEL_ERROR,
+                    "trans_check_wait_objs: Reading %u bytes beyond buffer",
+                    self->header_size - (unsigned int)self->in_s->size);
+                self->status = TRANS_STATUS_DOWN;
+                return 1;
+            }
+
            cur_source = XRDP_SOURCE_NONE;
            if (self->si != 0)
            {
                cur_source = self->si->cur_source;
                self->si->cur_source = self->my_source;
            }
-            read_so_far = (int) (self->in_s->end - self->in_s->data);
+            read_so_far = self->in_s->end - self->in_s->data;
            to_read = self->header_size - read_so_far;

            if (to_read > 0)
@ -421,7 +432,7 @@ trans_check_wait_objs(struct trans *self)
                }
            }

-            read_so_far = (int) (self->in_s->end - self->in_s->data);
+            read_so_far = self->in_s->end - self->in_s->data;

            if (read_so_far == self->header_size)
            {
--- a/common/trans.h
+++ b/common/trans.h
@ -98,7 +98,7 @@ struct trans
    ttrans_data_in trans_data_in;
    ttrans_conn_in trans_conn_in;
    void *callback_data;
-    int header_size;
+    unsigned int header_size;
    struct stream *in_s;
    struct stream *out_s;
    char *listen_filename;