freerdp3: patch CVE-2025-4478

Details https://nvd.nist.gov/vuln/detail/CVE-2025-4478 Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-06-14 05:49:57 +00:00 · 2025-11-19 00:03:18 +13:00
parent e2bf6a8064
commit 3c45985620
2 changed files with 61 additions and 0 deletions
@@ -0,0 +1,60 @@
+From 36cd5554b50656f3492197f0fc02534dcc6b980f Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Jonas=20=C3=85dahl?= <jadahl@gmail.com>
+Date: Tue, 13 May 2025 10:34:08 +0200
+Subject: [PATCH] transport: Initialize function pointers after resource
+ allocation
+
+The transport instance is freed when an error occurs.
+If the TransportDisconnect function pointer is initialized it
+causes SIGSEGV during free.
+
+CVE: CVE-2025-4478
+Upstream-Status: Backport [https://github.com/FreeRDP/FreeRDP/commit/a4bb702aa62e4fad91ca99142de075265555ec18]
+(cherry picked from commit a4bb702aa62e4fad91ca99142de075265555ec18)
+Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
+---
+ libfreerdp/core/transport.c | 24 ++++++++++++------------
+ 1 file changed, 12 insertions(+), 12 deletions(-)
+
+diff --git a/libfreerdp/core/transport.c b/libfreerdp/core/transport.c
+index a2a899b79..552a28a60 100644
+--- a/libfreerdp/core/transport.c
+++ b/libfreerdp/core/transport.c
+@@ -1560,18 +1560,6 @@ rdpTransport* transport_new(rdpContext* context)
+ 	if (!transport->log)
+ 		goto fail;
+ 
+-	// transport->io.DataHandler = transport_data_handler;
+-	transport->io.TCPConnect = freerdp_tcp_default_connect;
+-	transport->io.TLSConnect = transport_default_connect_tls;
+-	transport->io.TLSAccept = transport_default_accept_tls;
+-	transport->io.TransportAttach = transport_default_attach;
+-	transport->io.TransportDisconnect = transport_default_disconnect;
+-	transport->io.ReadPdu = transport_default_read_pdu;
+-	transport->io.WritePdu = transport_default_write;
+-	transport->io.ReadBytes = transport_read_layer;
+-	transport->io.GetPublicKey = transport_default_get_public_key;
+-	transport->io.SetBlockingMode = transport_default_set_blocking_mode;
+-
+ 	transport->context = context;
+ 	transport->ReceivePool = StreamPool_New(TRUE, BUFFER_SIZE);
+ 
+@@ -1610,6 +1598,18 @@ rdpTransport* transport_new(rdpContext* context)
+ 	if (!InitializeCriticalSectionAndSpinCount(&(transport->WriteLock), 4000))
+ 		goto fail;
+ 
+	// transport->io.DataHandler = transport_data_handler;
+	transport->io.TCPConnect = freerdp_tcp_default_connect;
+	transport->io.TLSConnect = transport_default_connect_tls;
+	transport->io.TLSAccept = transport_default_accept_tls;
+	transport->io.TransportAttach = transport_default_attach;
+	transport->io.TransportDisconnect = transport_default_disconnect;
+	transport->io.ReadPdu = transport_default_read_pdu;
+	transport->io.WritePdu = transport_default_write;
+	transport->io.ReadBytes = transport_read_layer;
+	transport->io.GetPublicKey = transport_default_get_public_key;
+	transport->io.SetBlockingMode = transport_default_set_blocking_mode;
+
+ 	return transport;
+ fail:
+ 	WINPR_PRAGMA_DIAG_PUSH
@@ -19,6 +19,7 @@ SRC_URI = "git://github.com/FreeRDP/FreeRDP.git;branch=master;protocol=https \
           file://CVE-2024-32660.patch \
           file://CVE-2024-32661.patch \
           file://CVE-2024-32662.patch \
+           file://CVE-2025-4478.patch \
           "

 S = "${WORKDIR}/git"