mirror of
https://github.com/openembedded/meta-openembedded.git
synced 2026-07-16 04:17:25 +00:00
freerdp: patch CVE-2026-22855
Details: https://nvd.nist.gov/vuln/detail/CVE-2026-22855 The related Github advisory[1] describes the problem along with analyzing where the vulnerability is in the codebase. I looked up the commit that recently performed the changes from the analysis, and backported it. [1]: https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-rwp3-g84r-6mx9 Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com> Signed-off-by: Khem Raj <raj.khem@gmail.com>
This commit is contained in:
@@ -0,0 +1,83 @@
|
|||||||
|
From df1132783e49ebeaa30206a67b70c7a37f3c5650 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Gyorgy Sarvari <skandigraun@gmail.com>
|
||||||
|
Date: Sun, 11 Jan 2026 09:03:57 +0100
|
||||||
|
Subject: [PATCH] add length validity checks
|
||||||
|
|
||||||
|
From: akallabeth <akallabeth@posteo.net>
|
||||||
|
|
||||||
|
in smartcard_unpack_set_attrib_call input length validity checks were
|
||||||
|
missing.
|
||||||
|
|
||||||
|
CVE: CVE-2026-22855
|
||||||
|
Upstream-Status: Backport [https://github.com/FreeRDP/FreeRDP/commit/57c5647d98c2a026de8b681159cb188ca0439ef8]
|
||||||
|
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
|
||||||
|
---
|
||||||
|
channels/smartcard/client/smartcard_pack.c | 27 +++++++++++++++++-----
|
||||||
|
1 file changed, 21 insertions(+), 6 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/channels/smartcard/client/smartcard_pack.c b/channels/smartcard/client/smartcard_pack.c
|
||||||
|
index f70eb4e5d..c0673e066 100644
|
||||||
|
--- a/channels/smartcard/client/smartcard_pack.c
|
||||||
|
+++ b/channels/smartcard/client/smartcard_pack.c
|
||||||
|
@@ -98,8 +98,8 @@ static BOOL smartcard_ndr_pointer_read_(wStream* s, UINT32* index, UINT32* ptr,
|
||||||
|
return TRUE;
|
||||||
|
}
|
||||||
|
|
||||||
|
-static LONG smartcard_ndr_read(wStream* s, BYTE** data, size_t min, size_t elementSize,
|
||||||
|
- ndr_ptr_t type)
|
||||||
|
+static LONG smartcard_ndr_read_ex(wStream* s, BYTE** data, size_t min, size_t elementSize,
|
||||||
|
+ ndr_ptr_t type, size_t* plen)
|
||||||
|
{
|
||||||
|
size_t len, offset, len2;
|
||||||
|
void* r;
|
||||||
|
@@ -125,6 +125,9 @@ static LONG smartcard_ndr_read(wStream* s, BYTE** data, size_t min, size_t eleme
|
||||||
|
return STATUS_BUFFER_TOO_SMALL;
|
||||||
|
}
|
||||||
|
|
||||||
|
+ if (plen)
|
||||||
|
+ *plen = 0;
|
||||||
|
+
|
||||||
|
switch (type)
|
||||||
|
{
|
||||||
|
case NDR_PTR_FULL:
|
||||||
|
@@ -181,11 +184,20 @@ static LONG smartcard_ndr_read(wStream* s, BYTE** data, size_t min, size_t eleme
|
||||||
|
if (!r)
|
||||||
|
return SCARD_E_NO_MEMORY;
|
||||||
|
Stream_Read(s, r, len);
|
||||||
|
- smartcard_unpack_read_size_align(NULL, s, len, 4);
|
||||||
|
+ const LONG pad = smartcard_unpack_read_size_align(NULL, s, len, 4);
|
||||||
|
+ len += (size_t)pad;
|
||||||
|
*data = r;
|
||||||
|
+ if (plen)
|
||||||
|
+ *plen = len;
|
||||||
|
return STATUS_SUCCESS;
|
||||||
|
}
|
||||||
|
|
||||||
|
+static LONG smartcard_ndr_read(wStream* s, BYTE** data, size_t min, size_t elementSize,
|
||||||
|
+ ndr_ptr_t type)
|
||||||
|
+{
|
||||||
|
+ return smartcard_ndr_read_ex(s, data, min, elementSize, type, NULL);
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
static BOOL smartcard_ndr_pointer_write(wStream* s, UINT32* index, DWORD length)
|
||||||
|
{
|
||||||
|
const UINT32 ndrPtr = 0x20000 + (*index) * 4;
|
||||||
|
@@ -3427,12 +3439,15 @@ LONG smartcard_unpack_set_attrib_call(SMARTCARD_DEVICE* smartcard, wStream* s, S
|
||||||
|
|
||||||
|
if (ndrPtr)
|
||||||
|
{
|
||||||
|
- // TODO: call->cbAttrLen was larger than the pointer value.
|
||||||
|
- // TODO: Maybe need to refine the checks?
|
||||||
|
- status = smartcard_ndr_read(s, &call->pbAttr, 0, 1, NDR_PTR_SIMPLE);
|
||||||
|
+ size_t len = 0;
|
||||||
|
+ status = smartcard_ndr_read_ex(s, &call->pbAttr, 0, 1, NDR_PTR_SIMPLE, &len);
|
||||||
|
if (status != SCARD_S_SUCCESS)
|
||||||
|
return status;
|
||||||
|
+ if (call->cbAttrLen > len)
|
||||||
|
+ call->cbAttrLen = (DWORD)(len);
|
||||||
|
}
|
||||||
|
+ else
|
||||||
|
+ call->cbAttrLen = 0;
|
||||||
|
smartcard_trace_set_attrib_call(smartcard, call);
|
||||||
|
return SCARD_S_SUCCESS;
|
||||||
|
}
|
||||||
@@ -25,6 +25,7 @@ SRC_URI = "git://github.com/FreeRDP/FreeRDP.git;branch=stable-2.0;protocol=https
|
|||||||
file://0001-Fixed-compilation-warnings-in-ainput-channel.patch \
|
file://0001-Fixed-compilation-warnings-in-ainput-channel.patch \
|
||||||
file://CVE-2024-32661.patch \
|
file://CVE-2024-32661.patch \
|
||||||
file://CVE-2026-22854.patch \
|
file://CVE-2026-22854.patch \
|
||||||
|
file://CVE-2026-22855.patch \
|
||||||
"
|
"
|
||||||
|
|
||||||
|
|
||||||
|
|||||||
Reference in New Issue
Block a user