xrdp: patch CVE-2022-23479

Details: https://nvd.nist.gov/vuln/detail/CVE-2022-23479 Pick the patch that mentions this vulnerability explicitly. Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-06-14 05:49:57 +00:00 · 2025-12-04 08:56:27 +01:00
parent 63b5fff975
commit 19e076e66b
2 changed files with 84 additions and 0 deletions
@@ -0,0 +1,83 @@
+From 60864014b733c10881c078048560858067fe5d0f Mon Sep 17 00:00:00 2001
+From: matt335672 <30179339+matt335672@users.noreply.github.com>
+Date: Wed, 7 Dec 2022 09:44:56 +0000
+Subject: [PATCH] CVE-2022-23479
+
+Detect attempts to overflow input buffer
+
+If application code hasn't properly sanitised the header_size
+for a transport, it is possible for read requests to be issued
+which overflow the input buffer. This change detects this
+at a low level and bounces the read request.
+
+CVE: CVE-2022-23479
+Upstream-Status: Backport [https://github.com/neutrinolabs/xrdp/commit/60864014b733c10881c078048560858067fe5d0f]
+Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
+---
+ common/trans.c | 19 +++++++++++++++----
+ common/trans.h |  2 +-
+ 2 files changed, 16 insertions(+), 5 deletions(-)
+
+diff --git a/common/trans.c b/common/trans.c
+index 55d2a63812..1d2d3e68ae 100644
+--- a/common/trans.c
+++ b/common/trans.c
+@@ -297,8 +297,8 @@ trans_check_wait_objs(struct trans *self)
+     tbus in_sck = (tbus) 0;
+     struct trans *in_trans = (struct trans *) NULL;
+     int read_bytes = 0;
+-    int to_read = 0;
+-    int read_so_far = 0;
+    unsigned int to_read = 0;
+    unsigned int read_so_far = 0;
+     int rv = 0;
+     enum xrdp_source cur_source;
+ 
+@@ -369,13 +369,24 @@ trans_check_wait_objs(struct trans *self)
+         }
+         else if (self->trans_can_recv(self, self->sck, 0))
+         {
+            /* CVE-2022-23479 - check a malicious caller hasn't managed
+             * to set the header_size to an unreasonable value */
+            if (self->header_size > (unsigned int)self->in_s->size)
+            {
+                LOG(LOG_LEVEL_ERROR,
+                    "trans_check_wait_objs: Reading %u bytes beyond buffer",
+                    self->header_size - (unsigned int)self->in_s->size);
+                self->status = TRANS_STATUS_DOWN;
+                return 1;
+            }
+
+             cur_source = XRDP_SOURCE_NONE;
+             if (self->si != 0)
+             {
+                 cur_source = self->si->cur_source;
+                 self->si->cur_source = self->my_source;
+             }
+-            read_so_far = (int) (self->in_s->end - self->in_s->data);
+            read_so_far = self->in_s->end - self->in_s->data;
+             to_read = self->header_size - read_so_far;
+ 
+             if (to_read > 0)
+@@ -415,7 +426,7 @@ trans_check_wait_objs(struct trans *self)
+                 }
+             }
+ 
+-            read_so_far = (int) (self->in_s->end - self->in_s->data);
+            read_so_far = self->in_s->end - self->in_s->data;
+ 
+             if (read_so_far == self->header_size)
+             {
+diff --git a/common/trans.h b/common/trans.h
+index 1cd89fdac2..313c543b60 100644
+--- a/common/trans.h
+++ b/common/trans.h
+@@ -98,7 +98,7 @@ struct trans
+     ttrans_data_in trans_data_in;
+     ttrans_conn_in trans_conn_in;
+     void *callback_data;
+-    int header_size;
+    unsigned int header_size;
+     struct stream *in_s;
+     struct stream *out_s;
+     char *listen_filename;
@@ -19,6 +19,7 @@ SRC_URI = "https://github.com/neutrinolabs/${BPN}/releases/download/v${PV}/${BPN
           file://CVE-2022-23468.patch \
           file://CVE-2022-23477.patch \
           file://CVE-2022-23478.patch \
+           file://CVE-2022-23479.patch \
           "

 SRC_URI[sha256sum] = "db693401da95b71b4d4e4c99aeb569a546dbdbde343f6d3302b0c47653277abb"