Script 'mail_helper' called by obssrc
Hello community,
here is the log from the commit of package xrdp for openSUSE:Factory checked in
at 2023-01-10 14:59:58
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/xrdp (Old)
and /work/SRC/openSUSE:Factory/.xrdp.new.32243 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "xrdp"
Tue Jan 10 14:59:58 2023 rev:48 rq:1057178 version:0.9.20
Changes:
--------
--- /work/SRC/openSUSE:Factory/xrdp/xrdp.changes 2022-12-05
18:01:30.388681338 +0100
+++ /work/SRC/openSUSE:Factory/.xrdp.new.32243/xrdp.changes 2023-01-10
15:00:25.905416543 +0100
@@ -1,0 +2,29 @@
+Tue Jan 10 02:08:45 UTC 2023 - Daike Yu <yu.da...@suse.com>
+
+- xrdp-CVE-2022-23477.patch (bsc#1206301)
+ + Buffer over flow in audin_send_open() function
+
+-------------------------------------------------------------------
+Wed Dec 28 04:47:31 UTC 2022 - Daike Yu <yu.da...@suse.com>
+
+- Security fixes:
+ + xrdp-CVE-2022-23468.patch (bsc#1206300)
+ * Buffer overflow in xrdp_login_wnd_create()
+ + xrdp-CVE-2022-23478.patch (bsc#1206302)
+ * Out of Bound Write in xrdp_mm_trans_process_drdynvc_chan
+ + xrdp-CVE-2022-23479.patch (bsc#1206303)
+ * Buffer overflow in xrdp_mm_chan_data_in() function
+ + xrdp-CVE-2022-23480.patch (bsc#1206306)
+ * Buffer overflow in devredir_proc_client_devlist_announce_req
+ + xrdp-CVE-2022-23481.patch (bsc#1206307)
+ * Out of Bound Read in xrdp_caps_process_confirm_active()
+ + xrdp-CVE-2022-23482.patch (bsc#1206310)
+ + Out of Bound Read in xrdp_sec_process_mcs_data_CS_CORE()
+ + xrdp-CVE-2022-23483.patch (bsc#1206311)
+ + Out of Bound REad in libxrdp_send_to_channel()
+ + xrdp-CVE-2022-23484.patch (bsc#1206312)
+ + Integer Overflow in xrdp_mm_process_rail_update_window_text()
+ + xrdp-CVE-2022-23493.patch (bsc#1206313)
+ + Out of Bound Read in xrdp_mm_trans_process_drdynvc_channel_close()
+
+-------------------------------------------------------------------
New:
----
xrdp-CVE-2022-23468.patch
xrdp-CVE-2022-23477.patch
xrdp-CVE-2022-23478.patch
xrdp-CVE-2022-23479.patch
xrdp-CVE-2022-23480.patch
xrdp-CVE-2022-23481.patch
xrdp-CVE-2022-23482.patch
xrdp-CVE-2022-23483.patch
xrdp-CVE-2022-23484.patch
xrdp-CVE-2022-23493.patch
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ xrdp.spec ++++++
--- /var/tmp/diff_new_pack.jr57wM/_old 2023-01-10 15:00:26.777421552 +0100
+++ /var/tmp/diff_new_pack.jr57wM/_new 2023-01-10 15:00:26.781421574 +0100
@@ -1,7 +1,7 @@
#
# spec file for package xrdp
#
-# Copyright (c) 2022 SUSE LLC
+# Copyright (c) 2023 SUSE LLC
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
@@ -44,16 +44,37 @@
Patch5: xrdp-support-KillDisconnected-for-Xvnc.patch
# PATCH-FIX-OPENSUSE xrdp-systemd-services.patch boo#1138954 boo#1144327 -
fezh...@suse.com -- Let systemd handle the daemons
Patch6: xrdp-systemd-services.patch
+# PATCH-FIX-UPSTREAM xrdp-update-pam.d-path.patch bsc#1203468 -
yu.da...@suse.com -- update install script to accommodate with pam.d path move
+Patch7: xrdp-update-pam.d-path.patch
+# PATCH-FIX-UPSTREAM xrdp-CVE-2022-23468.patch bsc#1206300 - yu.da...@suse.com
-- Buffer overflow in xrdp_login_wnd_create()
+Patch8: xrdp-CVE-2022-23468.patch
+# PATCH-FIX-UPSTREAM xrdp-CVE-2022-23478.patch bsc#1206302 - yu.da...@suse.com
-- Out of Bound Write in xrdp_mm_trans_process_drdynvc_chan
+Patch9: xrdp-CVE-2022-23478.patch
+# PATCH-FIX-UPSTREAM xrdp-CVE-2022-23479.patch bsc#1206303 - yu.da...@suse.com
-- Buffer overflow in xrdp_mm_chan_data_in() function
+Patch10: xrdp-CVE-2022-23479.patch
+# PATCH-FIX-UPSTREAM xrdp-CVE-2022-23480.patch bsc#1206306 - yu.da...@suse.com
-- Buffer overflow in devredir_proc_client_devlist_announce_req
+Patch11: xrdp-CVE-2022-23480.patch
+# PATCH-FIX-UPSTREAM xrdp-CVE-2022-23481.patch bsc#1206307 - yu.da...@suse.com
-- Out of Bound Read in xrdp_caps_process_confirm_active()
+Patch12: xrdp-CVE-2022-23481.patch
+# PATCH-FIX-UPSTREAM xrdp-CVE-2022-23482.patch bsc#1206310 - yu.da...@suse.com
-- Out of Bound Read in xrdp_sec_process_mcs_data_CS_CORE()
+Patch13: xrdp-CVE-2022-23482.patch
+# PATCH-FIX-UPSTREAM xrdp-CVE-2022-23483.patch bsc#1206311 - yu.da...@suse.com
-- Out of Bound Read in libxrdp_send_to_channel()
+Patch14: xrdp-CVE-2022-23483.patch
+# PATCH-FIX-UPSTREAM xrdp-CVE-2022-23484.patch bsc#1206312 - yu.da...@suse.com
-- Integer Overflow in xrdp_mm_process_rail_update_window_text()
+Patch15: xrdp-CVE-2022-23484.patch
+# PATCH-FIX-UPSTREAM xrdp-CVE-2022-23493.patch bsc#1206313 - yu.da...@suse.com
-- Out of Bound Read in xrdp_mm_trans_process_drdynvc_channel_close()
+Patch16: xrdp-CVE-2022-23493.patch
+# PATCH-FIX-UPSTREAM xrdp-CVE-2022-23477.patch bsc#1206301 - yu.da...@suse.com
-- Buffer over flow in audin_send_open() function
+Patch17: xrdp-CVE-2022-23477.patch
+# Keep SLE only patches on the bottom starting from patch number 1001
# PATCH-FEATURE-SLE xrdp-avahi.diff bnc#586785 - hfigui...@novell.com -- Add
Avahi support.
-Patch11: xrdp-avahi.diff
+Patch1001: xrdp-avahi.diff
# PATCH-FIX-SLE xrdp-filter-tab-from-mstsc-on-focus-change.patch bnc#601996
bnc#623534 - dli...@novell.com -- filter the fake tab key which is used to
notify the session
-Patch12: xrdp-filter-tab-from-mstsc-on-focus-change.patch
+Patch1002: xrdp-filter-tab-from-mstsc-on-focus-change.patch
# PATCH-FIX-SLE xrdp-bsc965647-allow-admin-choose-desktop.patch bsc#965647 -
fezh...@suse.com -- Allow administrator choose the desktop displayed
-Patch13: xrdp-bsc965647-allow-admin-choose-desktop.patch
+Patch1003: xrdp-bsc965647-allow-admin-choose-desktop.patch
# PATCH-FEATURE-SLE xrdp-fate318398-change-expired-password.patch fate#318398
- fezh...@suse.com -- enable user to update expired password via PAM
-Patch14: xrdp-fate318398-change-expired-password.patch
-# PATCH-FIX-UPSTREAM xrdp-update-pam.d-path.patch bsc#1203468 -
yu.da...@suse.com -- update install script to accommodate with pam.d path move
-Patch15: xrdp-update-pam.d-path.patch
+Patch1004: xrdp-fate318398-change-expired-password.patch
BuildRequires: autoconf
BuildRequires: automake
@@ -106,13 +127,23 @@
%patch4 -p1
%patch5 -p1
%patch6 -p1
-%if 0%{?sle_version}
+%patch7 -p1
+%patch8 -p1
+%patch9 -p1
+%patch10 -p1
%patch11 -p1
%patch12 -p1
%patch13 -p1
%patch14 -p1
-%endif
%patch15 -p1
+%patch16 -p1
+%patch17 -p1
+%if 0%{?sle_version}
+%patch1001 -p1
+%patch1002 -p1
+%patch1003 -p1
+%patch1004 -p1
+%endif
%build
sh ./bootstrap
++++++ xrdp-CVE-2022-23468.patch ++++++
>From a0b5de1d09ed149cbbee8697f001adbbe9476a06 Mon Sep 17 00:00:00 2001
From: matt335672 <30179339+matt335...@users.noreply.github.com>
Date: Wed, 7 Dec 2022 09:16:44 +0000
Subject: [PATCH 1/9] CVE-2022-23468
Login window - replace g_sprintf() withl g_snprintf() calls
---
xrdp/xrdp_login_wnd.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/xrdp/xrdp_login_wnd.c b/xrdp/xrdp_login_wnd.c
index 7a3134fd..28748676 100644
--- a/xrdp/xrdp_login_wnd.c
+++ b/xrdp/xrdp_login_wnd.c
@@ -722,13 +722,13 @@ xrdp_login_wnd_create(struct xrdp_wm *self)
if (globals->ls_title[0] == 0)
{
g_gethostname(buf1, 256);
- g_sprintf(buf, "Login to %s", buf1);
+ g_snprintf(buf, sizeof(buf), "Login to %s", buf1);
set_string(&self->login_window->caption1, buf);
}
else
{
/*self->login_window->caption1 = globals->ls_title[0];*/
- g_sprintf(buf, "%s", globals->ls_title);
+ g_snprintf(buf, sizeof(buf), "%s", globals->ls_title);
set_string(&self->login_window->caption1, buf);
}
--
2.39.0
++++++ xrdp-CVE-2022-23477.patch ++++++
>From c57c32e6cfeda40b3f006a5ba63a3ff161e8d497 Mon Sep 17 00:00:00 2001
From: matt335672 <30179339+matt335...@users.noreply.github.com>
Date: Tue, 6 Dec 2022 11:31:31 +0000
Subject: [PATCH] CVE-2022-23477
Prevent buffer overflow for oversized audio format from client
---
sesman/chansrv/audin.c | 7 ++++---
1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/sesman/chansrv/audin.c b/sesman/chansrv/audin.c
index cd802fa5..36a8027a 100644
--- a/sesman/chansrv/audin.c
+++ b/sesman/chansrv/audin.c
@@ -181,15 +181,16 @@ audin_send_open(int chan_id)
int error;
int bytes;
struct stream *s;
- struct xr_wave_format_ex *wf;
+ struct xr_wave_format_ex *wf = g_client_formats[g_current_format];
LOG_DEVEL(LOG_LEVEL_INFO, "audin_send_open:");
make_stream(s);
- init_stream(s, 8192);
+ /* wf->cbSize was checked when the format was received */
+ init_stream(s, wf->cbSize + 64);
+
out_uint8(s, MSG_SNDIN_OPEN);
out_uint32_le(s, 2048); /* FramesPerPacket */
out_uint32_le(s, g_current_format); /* initialFormat */
- wf = g_client_formats[g_current_format];
out_uint16_le(s, wf->wFormatTag);
out_uint16_le(s, wf->nChannels);
out_uint32_le(s, wf->nSamplesPerSec);
--
2.39.0
++++++ xrdp-CVE-2022-23478.patch ++++++
>From 2a71e18fe78529c0d9338eaafe87d4313382b7cc Mon Sep 17 00:00:00 2001
From: matt335672 <30179339+matt335...@users.noreply.github.com>
Date: Wed, 7 Dec 2022 11:12:42 +0000
Subject: [PATCH 2/9] CVE-2022-23478
Fix potential OOB write if invalid chansrv channel opened
Also removed an unnecessary dynamic memory allocation
---
xrdp/xrdp_mm.c | 21 +++++++++------------
1 file changed, 9 insertions(+), 12 deletions(-)
diff --git a/xrdp/xrdp_mm.c b/xrdp/xrdp_mm.c
index 74b0516a..c91e03ab 100644
--- a/xrdp/xrdp_mm.c
+++ b/xrdp/xrdp_mm.c
@@ -1360,7 +1360,7 @@ xrdp_mm_trans_process_drdynvc_channel_open(struct xrdp_mm
*self,
int error;
int chan_id;
int chansrv_chan_id;
- char *name;
+ char name[1024 + 1];
struct xrdp_drdynvc_procs procs;
if (!s_check_rem(s, 2))
@@ -1368,33 +1368,32 @@ xrdp_mm_trans_process_drdynvc_channel_open(struct
xrdp_mm *self,
return 1;
}
in_uint32_le(s, name_bytes);
- if ((name_bytes < 1) || (name_bytes > 1024))
- {
- return 1;
- }
- name = g_new(char, name_bytes + 1);
- if (name == NULL)
+ if ((name_bytes < 1) || (name_bytes > (int)(sizeof(name) - 1)))
{
return 1;
}
if (!s_check_rem(s, name_bytes))
{
- g_free(name);
return 1;
}
in_uint8a(s, name, name_bytes);
name[name_bytes] = 0;
if (!s_check_rem(s, 8))
{
- g_free(name);
return 1;
}
in_uint32_le(s, flags);
in_uint32_le(s, chansrv_chan_id);
+ if (chansrv_chan_id < 0 || chansrv_chan_id > 255)
+ {
+ LOG(LOG_LEVEL_ERROR, "Attempting to open invalid chansrv channel %d",
+ chansrv_chan_id);
+ return 1;
+ }
+
if (flags == 0)
{
/* open static channel, not supported */
- g_free(name);
return 1;
}
else
@@ -1410,13 +1409,11 @@ xrdp_mm_trans_process_drdynvc_channel_open(struct
xrdp_mm *self,
&chan_id);
if (error != 0)
{
- g_free(name);
return 1;
}
self->xr2cr_cid_map[chan_id] = chansrv_chan_id;
self->cs2xr_cid_map[chansrv_chan_id] = chan_id;
}
- g_free(name);
return 0;
}
--
2.39.0
++++++ xrdp-CVE-2022-23479.patch ++++++
>From de3b0bea6406619632a6583235ba467ff97528f8 Mon Sep 17 00:00:00 2001
From: matt335672 <30179339+matt335...@users.noreply.github.com>
Date: Wed, 7 Dec 2022 09:44:56 +0000
Subject: [PATCH 3/9] CVE-2022-23479
Detect attempts to overflow input buffer
If application code hasn't properly sanitised the header_size
for a transport, it is possible for read requests to be issued
which overflow the input buffer. This change detects this
at a low level and bounces the read request.
---
common/trans.c | 19 +++++++++++++++----
common/trans.h | 2 +-
2 files changed, 16 insertions(+), 5 deletions(-)
diff --git a/common/trans.c b/common/trans.c
index 55d2a638..1d2d3e68 100644
--- a/common/trans.c
+++ b/common/trans.c
@@ -297,8 +297,8 @@ trans_check_wait_objs(struct trans *self)
tbus in_sck = (tbus) 0;
struct trans *in_trans = (struct trans *) NULL;
int read_bytes = 0;
- int to_read = 0;
- int read_so_far = 0;
+ unsigned int to_read = 0;
+ unsigned int read_so_far = 0;
int rv = 0;
enum xrdp_source cur_source;
@@ -369,13 +369,24 @@ trans_check_wait_objs(struct trans *self)
}
else if (self->trans_can_recv(self, self->sck, 0))
{
+ /* CVE-2022-23479 - check a malicious caller hasn't managed
+ * to set the header_size to an unreasonable value */
+ if (self->header_size > (unsigned int)self->in_s->size)
+ {
+ LOG(LOG_LEVEL_ERROR,
+ "trans_check_wait_objs: Reading %u bytes beyond buffer",
+ self->header_size - (unsigned int)self->in_s->size);
+ self->status = TRANS_STATUS_DOWN;
+ return 1;
+ }
+
cur_source = XRDP_SOURCE_NONE;
if (self->si != 0)
{
cur_source = self->si->cur_source;
self->si->cur_source = self->my_source;
}
- read_so_far = (int) (self->in_s->end - self->in_s->data);
+ read_so_far = self->in_s->end - self->in_s->data;
to_read = self->header_size - read_so_far;
if (to_read > 0)
@@ -415,7 +426,7 @@ trans_check_wait_objs(struct trans *self)
}
}
- read_so_far = (int) (self->in_s->end - self->in_s->data);
+ read_so_far = self->in_s->end - self->in_s->data;
if (read_so_far == self->header_size)
{
diff --git a/common/trans.h b/common/trans.h
index 1cd89fda..313c543b 100644
--- a/common/trans.h
+++ b/common/trans.h
@@ -98,7 +98,7 @@ struct trans
ttrans_data_in trans_data_in;
ttrans_conn_in trans_conn_in;
void *callback_data;
- int header_size;
+ unsigned int header_size;
struct stream *in_s;
struct stream *out_s;
char *listen_filename;
--
2.39.0
++++++ xrdp-CVE-2022-23480.patch ++++++
>From 6680c506e4562715e3ff500c114208dac88863cb Mon Sep 17 00:00:00 2001
From: matt335672 <30179339+matt335...@users.noreply.github.com>
Date: Tue, 6 Dec 2022 12:48:57 +0000
Subject: [PATCH 4/9] CVE-2022-23480
Added length checking to redirector response parsing
---
sesman/chansrv/devredir.c | 151 +++++++++++++++++++++++++++++++-------
1 file changed, 123 insertions(+), 28 deletions(-)
diff --git a/sesman/chansrv/devredir.c b/sesman/chansrv/devredir.c
index a44d47e6..7faa9bfc 100644
--- a/sesman/chansrv/devredir.c
+++ b/sesman/chansrv/devredir.c
@@ -131,10 +131,10 @@ static void devredir_send_server_core_cap_req(void);
static void devredir_send_server_clientID_confirm(void);
static void devredir_send_server_user_logged_on(void);
-static void devredir_proc_client_core_cap_resp(struct stream *s);
-static void devredir_proc_client_devlist_announce_req(struct stream *s);
-static void devredir_proc_client_devlist_remove_req(struct stream *s);
-static void devredir_proc_device_iocompletion(struct stream *s);
+static int devredir_proc_client_core_cap_resp(struct stream *s);
+static int devredir_proc_client_devlist_announce_req(struct stream *s);
+static int devredir_proc_client_devlist_remove_req(struct stream *s);
+static int devredir_proc_device_iocompletion(struct stream *s);
static void devredir_proc_query_dir_response(IRP *irp,
struct stream *s_in,
tui32 DeviceId,
@@ -323,6 +323,11 @@ devredir_data_in(struct stream *s, int chan_id, int
chan_flags, int length,
}
/* read header from incoming data */
+ if (!s_check_rem_and_log(ls, 4, "Parsing [MS-RDPEFS] RDPDR_HEADER"))
+ {
+ rv = -1;
+ goto done;
+ }
xstream_rd_u16_le(ls, comp_type);
xstream_rd_u16_le(ls, pktID);
@@ -340,27 +345,34 @@ devredir_data_in(struct stream *s, int chan_id, int
chan_flags, int length,
switch (pktID)
{
case PAKID_CORE_CLIENTID_CONFIRM:
- xstream_seek(ls, 2); /* major version, we ignore it */
- xstream_rd_u16_le(ls, minor_ver);
- xstream_rd_u32_le(ls, g_clientID);
+ if (!s_check_rem_and_log(ls, 6, "Parsing [MS-RDPEFS]
DR_CORE_CLIENT_ANNOUNCE_RSP"))
+ {
+ rv = -1;
+ }
+ else
+ {
+ xstream_seek(ls, 2); /* major version, we ignore it */
+ xstream_rd_u16_le(ls, minor_ver);
+ xstream_rd_u32_le(ls, g_clientID);
- g_client_rdp_version = minor_ver;
+ g_client_rdp_version = minor_ver;
- switch (minor_ver)
- {
- case RDP_CLIENT_50:
- break;
+ switch (minor_ver)
+ {
+ case RDP_CLIENT_50:
+ break;
- case RDP_CLIENT_51:
- break;
+ case RDP_CLIENT_51:
+ break;
- case RDP_CLIENT_52:
- break;
+ case RDP_CLIENT_52:
+ break;
- case RDP_CLIENT_60_61:
- break;
+ case RDP_CLIENT_60_61:
+ break;
+ }
+ // LK_TODO devredir_send_server_clientID_confirm();
}
- // LK_TODO devredir_send_server_clientID_confirm();
break;
case PAKID_CORE_CLIENT_NAME:
@@ -378,19 +390,19 @@ devredir_data_in(struct stream *s, int chan_id, int
chan_flags, int length,
break;
case PAKID_CORE_CLIENT_CAPABILITY:
- devredir_proc_client_core_cap_resp(ls);
+ rv = devredir_proc_client_core_cap_resp(ls);
break;
case PAKID_CORE_DEVICELIST_ANNOUNCE:
- devredir_proc_client_devlist_announce_req(ls);
+ rv = devredir_proc_client_devlist_announce_req(ls);
break;
case PAKID_CORE_DEVICELIST_REMOVE:
- devredir_proc_client_devlist_remove_req(ls);
+ rv = devredir_proc_client_devlist_remove_req(ls);
break;
case PAKID_CORE_DEVICE_IOCOMPLETION:
- devredir_proc_device_iocompletion(ls);
+ rv = devredir_proc_device_iocompletion(ls);
break;
default:
@@ -727,8 +739,9 @@ devredir_send_drive_dir_request(IRP *irp, tui32 device_id,
* @brief process client's response to our core_capability_req() msg
*
* @param s stream containing client's response
+ * @return 0 for success, -1 otherwise
*****************************************************************************/
-static void
+static int
devredir_proc_client_core_cap_resp(struct stream *s)
{
int i;
@@ -738,15 +751,31 @@ devredir_proc_client_core_cap_resp(struct stream *s)
tui32 cap_version;
char *holdp;
+ if (!s_check_rem_and_log(s, 4, "Parsing [MS-RDPEFS]
DR_CORE_CAPABLITY_RSP"))
+ {
+ return -1;
+ }
xstream_rd_u16_le(s, num_caps);
xstream_seek(s, 2); /* padding */
for (i = 0; i < num_caps; i++)
{
holdp = s->p;
+ if (!s_check_rem_and_log(s, 8, "Parsing [MS-RDPEFS]
CAPABILITY_HEADER"))
+ {
+ return -1;
+ }
xstream_rd_u16_le(s, cap_type);
xstream_rd_u16_le(s, cap_len);
xstream_rd_u32_le(s, cap_version);
+ /* Convert the length to a remaining length. Underflow is possible,
+ * but this is an unsigned type so that's OK */
+ cap_len -= (s->p - holdp);
+ if (cap_len > 0 &&
+ !s_check_rem_and_log(s, cap_len, "Parsing [MS-RDPEFS]
CAPABILITY_HEADER length"))
+ {
+ return -1;
+ }
switch (cap_type)
{
@@ -779,11 +808,12 @@ devredir_proc_client_core_cap_resp(struct stream *s)
scard_init();
break;
}
- s->p = holdp + cap_len;
+ xstream_seek(s, cap_len);
}
+ return 0;
}
-static void
+static int
devredir_proc_client_devlist_announce_req(struct stream *s)
{
unsigned int i;
@@ -795,12 +825,22 @@ devredir_proc_client_devlist_announce_req(struct stream
*s)
enum NTSTATUS response_status;
/* get number of devices being announced */
+ if (!s_check_rem_and_log(s, 4, "Parsing [MS-RDPEFS]
DR_CORE_DEVICELIST_ANNOUNCE_REQ"))
+ {
+ return -1;
+ }
+
xstream_rd_u32_le(s, device_count);
LOG_DEVEL(LOG_LEVEL_DEBUG, "num of devices announced: %d", device_count);
for (i = 0; i < device_count; i++)
{
+ if (!s_check_rem_and_log(s, 4 + 4 + 8 + 4,
+ "Parsing [MS-RDPEFS] DEVICE_ANNOUNCE"))
+ {
+ return -1;
+ }
xstream_rd_u32_le(s, device_type);
xstream_rd_u32_le(s, g_device_id);
/* get preferred DOS name
@@ -816,6 +856,12 @@ devredir_proc_client_devlist_announce_req(struct stream *s)
/* Read the device data length from the stream */
xstream_rd_u32_le(s, device_data_len);
+ if (device_data_len > 0 && !
+ !s_check_rem_and_log(s, device_data_len,
+ "Parsing [MS-RDPEFS] DEVICE_ANNOUNCE
devdata"))
+ {
+ return -1;
+ }
switch (device_type)
{
@@ -881,9 +927,11 @@ devredir_proc_client_devlist_announce_req(struct stream *s)
devredir_send_server_device_announce_resp(g_device_id,
response_status);
}
+
+ return 0;
}
-static void
+static int
devredir_proc_client_devlist_remove_req(struct stream *s)
{
unsigned int i;
@@ -891,7 +939,16 @@ devredir_proc_client_devlist_remove_req(struct stream *s)
tui32 device_id;
/* get number of devices being announced */
+ if (!s_check_rem_and_log(s, 4, "Parsing [MS-RDPEFS] DR_DEVICELIST_REMOVE"))
+ {
+ return -1;
+ }
xstream_rd_u32_le(s, device_count);
+ if (!s_check_rem_and_log(s, 4 * device_count,
+ "Parsing [MS-RDPEFS] DR_DEVICELIST_REMOVE list"))
+ {
+ return -1;
+ }
LOG_DEVEL(LOG_LEVEL_DEBUG, "num of devices removed: %d", device_count);
{
@@ -901,9 +958,10 @@ devredir_proc_client_devlist_remove_req(struct stream *s)
xfuse_delete_share(device_id);
}
}
+ return 0;
}
-static void
+static int
devredir_proc_device_iocompletion(struct stream *s)
{
IRP *irp = NULL;
@@ -914,6 +972,10 @@ devredir_proc_device_iocompletion(struct stream *s)
tui32 Length;
enum COMPLETION_TYPE comp_type;
+ if (!s_check_rem_and_log(s, 12, "Parsing [MS-RDPEFS]
DR_DEVICE_IOCOMPLETION"))
+ {
+ return -1;
+ }
xstream_rd_u32_le(s, DeviceId);
xstream_rd_u32_le(s, CompletionId);
xstream_rd_u32_le(s, IoStatus32);
@@ -959,6 +1021,10 @@ devredir_proc_device_iocompletion(struct stream *s)
}
else
{
+ if (!s_check_rem_and_log(s, 4, "Parsing [MS-RDPEFS]
DR_CREATE_RSP"))
+ {
+ return -1;
+ }
xstream_rd_u32_le(s, irp->FileId);
devredir_send_drive_dir_request(irp, DeviceId,
1, irp->pathname);
@@ -966,6 +1032,10 @@ devredir_proc_device_iocompletion(struct stream *s)
break;
case CID_CREATE_REQ:
+ if (!s_check_rem_and_log(s, 4, "Parsing [MS-RDPEFS]
DR_CREATE_RSP"))
+ {
+ return -1;
+ }
xstream_rd_u32_le(s, irp->FileId);
xfuse_devredir_cb_create_file(
@@ -978,6 +1048,10 @@ devredir_proc_device_iocompletion(struct stream *s)
break;
case CID_OPEN_REQ:
+ if (!s_check_rem_and_log(s, 4, "Parsing [MS-RDPEFS]
DR_CREATE_RSP"))
+ {
+ return -1;
+ }
xstream_rd_u32_le(s, irp->FileId);
xfuse_devredir_cb_open_file((struct state_open *)
irp->fuse_info,
@@ -989,7 +1063,15 @@ devredir_proc_device_iocompletion(struct stream *s)
break;
case CID_READ:
+ if (!s_check_rem_and_log(s, 4, "Parsing [MS-RDPEFS]
DR_READ_RSP"))
+ {
+ return -1;
+ }
xstream_rd_u32_le(s, Length);
+ if (!s_check_rem_and_log(s, Length, "Parsing [MS-RDPEFS]
DR_READ_RSP"))
+ {
+ return -1;
+ }
xfuse_devredir_cb_read_file((struct state_read *)
irp->fuse_info,
IoStatus,
s->p, Length);
@@ -997,6 +1079,10 @@ devredir_proc_device_iocompletion(struct stream *s)
break;
case CID_WRITE:
+ if (!s_check_rem_and_log(s, 4, "Parsing [MS-RDPEFS]
DR_WRITE_RSP"))
+ {
+ return -1;
+ }
xstream_rd_u32_le(s, Length);
xfuse_devredir_cb_write_file((struct state_write *)
irp->fuse_info,
IoStatus,
@@ -1019,6 +1105,10 @@ devredir_proc_device_iocompletion(struct stream *s)
break;
case CID_RMDIR_OR_FILE:
+ if (!s_check_rem_and_log(s, 4, "Parsing [MS-RDPEFS]
DR_CREATE_RSP"))
+ {
+ return -1;
+ }
xstream_rd_u32_le(s, irp->FileId);
devredir_proc_cid_rmdir_or_file(irp, IoStatus);
break;
@@ -1028,6 +1118,10 @@ devredir_proc_device_iocompletion(struct stream *s)
break;
case CID_RENAME_FILE:
+ if (!s_check_rem_and_log(s, 4, "Parsing [MS-RDPEFS]
DR_CREATE_RSP"))
+ {
+ return -1;
+ }
xstream_rd_u32_le(s, irp->FileId);
devredir_proc_cid_rename_file(irp, IoStatus);
break;
@@ -1051,6 +1145,7 @@ devredir_proc_device_iocompletion(struct stream *s)
break;
}
}
+ return 0;
}
static void
--
2.39.0
++++++ xrdp-CVE-2022-23481.patch ++++++
>From 69888a988b8cf811e4a8e393700c374d31749e76 Mon Sep 17 00:00:00 2001
From: matt335672 <30179339+matt335...@users.noreply.github.com>
Date: Wed, 7 Dec 2022 10:40:25 +0000
Subject: [PATCH 5/9] CVE-2022-23481
Add length checks to client confirm active PDU parsing
---
libxrdp/xrdp_caps.c | 14 ++++++++++++++
1 file changed, 14 insertions(+)
diff --git a/libxrdp/xrdp_caps.c b/libxrdp/xrdp_caps.c
index 5c5e74a5..ac21cc0a 100644
--- a/libxrdp/xrdp_caps.c
+++ b/libxrdp/xrdp_caps.c
@@ -667,13 +667,27 @@ xrdp_caps_process_confirm_active(struct xrdp_rdp *self,
struct stream *s)
int len;
char *p;
+ if (!s_check_rem_and_log(s, 10,
+ "Parsing [MS-RDPBCGR] TS_CONFIRM_ACTIVE_PDU"
+ " - header"))
+ {
+ return 1;
+ }
in_uint8s(s, 4); /* rdp_shareid */
in_uint8s(s, 2); /* userid */
in_uint16_le(s, source_len); /* sizeof RDP_SOURCE */
in_uint16_le(s, cap_len);
+
+ if (!s_check_rem_and_log(s, source_len + 2 + 2,
+ "Parsing [MS-RDPBCGR] TS_CONFIRM_ACTIVE_PDU"
+ " - header2"))
+ {
+ return 1;
+ }
in_uint8s(s, source_len);
in_uint16_le(s, num_caps);
in_uint8s(s, 2); /* pad */
+
LOG_DEVEL(LOG_LEVEL_TRACE, "Received [MS-RDPBCGR] TS_CONFIRM_ACTIVE_PDU "
"shareID (ignored), originatorID (ignored),
lengthSourceDescriptor %d, "
"lengthCombinedCapabilities %d, sourceDescriptor (ignored), "
--
2.39.0
++++++ xrdp-CVE-2022-23482.patch ++++++
>From b01a62ac07933e0690eb0fa3329f5288c6069cf6 Mon Sep 17 00:00:00 2001
From: matt335672 <30179339+matt335...@users.noreply.github.com>
Date: Wed, 7 Dec 2022 11:05:46 +0000
Subject: [PATCH 6/9] CVE-2022-23482
Check minimum length of TS_UD_CS_CORE message
---
libxrdp/xrdp_sec.c | 23 ++++++++++++++++++++++-
1 file changed, 22 insertions(+), 1 deletion(-)
diff --git a/libxrdp/xrdp_sec.c b/libxrdp/xrdp_sec.c
index 691d4f04..084fca6b 100644
--- a/libxrdp/xrdp_sec.c
+++ b/libxrdp/xrdp_sec.c
@@ -1946,6 +1946,17 @@ xrdp_sec_send_fastpath(struct xrdp_sec *self, struct
stream *s)
static int
xrdp_sec_process_mcs_data_CS_CORE(struct xrdp_sec *self, struct stream *s)
{
+#define CS_CORE_MIN_LENGTH \
+ (\
+ 4 + /* Version */ \
+ 2 + 2 + /* desktopWidth + desktopHeight */ \
+ 2 + 2 + /* colorDepth + SASSequence */ \
+ 4 + /* keyboardLayout */ \
+ 4 + 32 + /* clientBuild + clientName */ \
+ 4 + 4 + 4 + /* keyboardType + keyboardSubType + keyboardFunctionKey */
\
+ 64 + /* imeFileName */ \
+ 0)
+
int version;
int colorDepth;
int postBeta2ColorDepth;
@@ -1956,7 +1967,12 @@ xrdp_sec_process_mcs_data_CS_CORE(struct xrdp_sec *self,
struct stream *s)
UNUSED_VAR(version);
- /* TS_UD_CS_CORE requiered fields */
+ /* TS_UD_CS_CORE required fields */
+ if (!s_check_rem_and_log(s, CS_CORE_MIN_LENGTH,
+ "Parsing [MS-RDPBCGR] TS_UD_CS_CORE"))
+ {
+ return 1;
+ }
in_uint32_le(s, version);
in_uint16_le(s, self->rdp_layer->client_info.width);
in_uint16_le(s, self->rdp_layer->client_info.height);
@@ -1994,6 +2010,10 @@ xrdp_sec_process_mcs_data_CS_CORE(struct xrdp_sec *self,
struct stream *s)
clientName);
/* TS_UD_CS_CORE optional fields */
+ if (!s_check_rem(s, 2))
+ {
+ return 0;
+ }
in_uint16_le(s, postBeta2ColorDepth);
LOG_DEVEL(LOG_LEVEL_TRACE, "Received [MS-RDPBCGR] TS_UD_CS_CORE "
"<Optional Field> postBeta2ColorDepth %s",
@@ -2138,6 +2158,7 @@ xrdp_sec_process_mcs_data_CS_CORE(struct xrdp_sec *self,
struct stream *s)
"<Optional Field> desktopOrientation (ignored)");
return 0;
+#undef CS_CORE_MIN_LENGTH
}
/*****************************************************************************/
--
2.39.0
++++++ xrdp-CVE-2022-23483.patch ++++++
>From 5c95289b98f10f5a0be098e4bc9c0d189db171ca Mon Sep 17 00:00:00 2001
From: matt335672 <30179339+matt335...@users.noreply.github.com>
Date: Wed, 7 Dec 2022 10:21:41 +0000
Subject: [PATCH 7/9] CVE-2022-23483
Sanitise channel data being passed from application
Avoids OOB read if the size field is incorrect.
---
xrdp/xrdp_mm.c | 33 +++++++++++++++++++++------------
1 file changed, 21 insertions(+), 12 deletions(-)
diff --git a/xrdp/xrdp_mm.c b/xrdp/xrdp_mm.c
index c91e03ab..bc7b1b83 100644
--- a/xrdp/xrdp_mm.c
+++ b/xrdp/xrdp_mm.c
@@ -676,22 +676,31 @@ xrdp_mm_trans_send_channel_setup(struct xrdp_mm *self,
struct trans *trans)
static int
xrdp_mm_trans_process_channel_data(struct xrdp_mm *self, struct stream *s)
{
- int size;
- int total_size;
+ unsigned int size;
+ unsigned int total_size;
int chan_id;
int chan_flags;
- int rv;
-
- in_uint16_le(s, chan_id);
- in_uint16_le(s, chan_flags);
- in_uint16_le(s, size);
- in_uint32_le(s, total_size);
- rv = 0;
+ int rv = 0;
- if (rv == 0)
+ if (!s_check_rem_and_log(s, 10, "Reading channel data header"))
+ {
+ rv = 1;
+ }
+ else
{
- rv = libxrdp_send_to_channel(self->wm->session, chan_id, s->p, size,
total_size,
- chan_flags);
+ in_uint16_le(s, chan_id);
+ in_uint16_le(s, chan_flags);
+ in_uint16_le(s, size);
+ in_uint32_le(s, total_size);
+ if (!s_check_rem_and_log(s, size, "Reading channel data data"))
+ {
+ rv = 1;
+ }
+ else
+ {
+ rv = libxrdp_send_to_channel(self->wm->session, chan_id,
+ s->p, size, total_size, chan_flags);
+ }
}
return rv;
--
2.39.0
++++++ xrdp-CVE-2022-23484.patch ++++++
>From e503ce71bde7ca0817c2f5f4e1561a33a971af46 Mon Sep 17 00:00:00 2001
From: matt335672 <30179339+matt335...@users.noreply.github.com>
Date: Wed, 7 Dec 2022 10:03:24 +0000
Subject: [PATCH 8/9] CVE-2022-23484
Add check for RAIL window text size
---
xrdp/xrdp_mm.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/xrdp/xrdp_mm.c b/xrdp/xrdp_mm.c
index bc7b1b83..b59345d7 100644
--- a/xrdp/xrdp_mm.c
+++ b/xrdp/xrdp_mm.c
@@ -938,6 +938,12 @@ xrdp_mm_process_rail_update_window_text(struct xrdp_mm
*self, struct stream *s)
g_memset(&rwso, 0, sizeof(rwso));
in_uint32_le(s, size); /* title size */
+ if (size < 0 || !s_check_rem(s, size))
+ {
+ LOG(LOG_LEVEL_ERROR, "%s : invalid window text size %d",
+ __func__, size);
+ return 1;
+ }
rwso.title_info = g_new(char, size + 1);
in_uint8a(s, rwso.title_info, size);
rwso.title_info[size] = 0;
--
2.39.0
++++++ xrdp-CVE-2022-23493.patch ++++++
>From 5c1399c30901b98ee9eb0b83be2847eb74b9e80d Mon Sep 17 00:00:00 2001
From: matt335672 <30179339+matt335...@users.noreply.github.com>
Date: Wed, 7 Dec 2022 10:49:06 +0000
Subject: [PATCH 9/9] CVE-2022-23493
Check chansrv channel ID on a channel close
Prevent OOB read if an invalid channel ID is sent.
---
xrdp/xrdp_mm.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/xrdp/xrdp_mm.c b/xrdp/xrdp_mm.c
index b59345d7..c27c2341 100644
--- a/xrdp/xrdp_mm.c
+++ b/xrdp/xrdp_mm.c
@@ -1447,6 +1447,12 @@ xrdp_mm_trans_process_drdynvc_channel_close(struct
xrdp_mm *self,
return 1;
}
in_uint32_le(s, chansrv_chan_id);
+ if (chansrv_chan_id < 0 || chansrv_chan_id > 255)
+ {
+ LOG(LOG_LEVEL_ERROR, "Attempting to close invalid chansrv channel %d",
+ chansrv_chan_id);
+ return 1;
+ }
chan_id = self->cs2xr_cid_map[chansrv_chan_id];
/* close dynamic channel */
error = libxrdp_drdynvc_close(self->wm->session, chan_id);
--
2.39.0
