mirror of
https://github.com/openembedded/meta-openembedded.git
synced 2026-06-13 17:39:57 +00:00
freerdp3: fix CVE-2026-24491
Details: https://nvd.nist.gov/vuln/detail/CVE-2026-24491 Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
This commit is contained in:
Ankur Tyagi
Anuj Mittal
@@ -0,0 +1,52 @@
|
||||
From ef948ef4659f59c10a71083fa8cb5d5da77e94a9 Mon Sep 17 00:00:00 2001
|
||||
From: akallabeth <akallabeth@posteo.net>
|
||||
Date: Mon, 26 Jan 2026 10:06:29 +0100
|
||||
Subject: [PATCH] [channels,drdynvc] reset channel_callback before close
|
||||
|
||||
The channel_callback usually frees up the memory of the callback. To
|
||||
ensure that there is no access to any of the data structures in it
|
||||
invalidate the pointer used to access it before a free.
|
||||
|
||||
CVE: CVE-2026-24491
|
||||
Upstream-Status: Backport [https://github.com/FreeRDP/FreeRDP/commit/e02e052f6692550e539d10f99de9c35a23492db2]
|
||||
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
|
||||
---
|
||||
channels/drdynvc/client/drdynvc_main.c | 6 ++----
|
||||
1 file changed, 2 insertions(+), 4 deletions(-)
|
||||
|
||||
diff --git a/channels/drdynvc/client/drdynvc_main.c b/channels/drdynvc/client/drdynvc_main.c
|
||||
index 0b85c0fe3..64c83333a 100644
|
||||
--- a/channels/drdynvc/client/drdynvc_main.c
|
||||
+++ b/channels/drdynvc/client/drdynvc_main.c
|
||||
@@ -485,14 +485,13 @@ static UINT dvcman_channel_close(DVCMAN_CHANNEL* channel, BOOL perRequest, BOOL
|
||||
channel->state = DVC_CHANNEL_CLOSED;
|
||||
|
||||
IWTSVirtualChannelCallback* cb = channel->channel_callback;
|
||||
+ channel->channel_callback = NULL;
|
||||
if (cb)
|
||||
{
|
||||
check_open_close_receive(channel);
|
||||
IFCALL(cb->OnClose, cb);
|
||||
}
|
||||
|
||||
- channel->channel_callback = NULL;
|
||||
-
|
||||
if (channel->dvcman && channel->dvcman->drdynvc)
|
||||
{
|
||||
if (context)
|
||||
@@ -763,14 +762,13 @@ out:
|
||||
*/
|
||||
static UINT dvcman_open_channel(drdynvcPlugin* drdynvc, DVCMAN_CHANNEL* channel)
|
||||
{
|
||||
- IWTSVirtualChannelCallback* pCallback = NULL;
|
||||
UINT error = CHANNEL_RC_OK;
|
||||
|
||||
WINPR_ASSERT(drdynvc);
|
||||
WINPR_ASSERT(channel);
|
||||
if (channel->state == DVC_CHANNEL_RUNNING)
|
||||
{
|
||||
- pCallback = channel->channel_callback;
|
||||
+ IWTSVirtualChannelCallback* pCallback = channel->channel_callback;
|
||||
|
||||
if (pCallback->OnOpen)
|
||||
{
|
||||
@@ -23,6 +23,7 @@ SRC_URI = "git://github.com/FreeRDP/FreeRDP.git;branch=master;protocol=https \
|
||||
file://CVE-2026-25941.patch \
|
||||
file://CVE-2026-33952.patch \
|
||||
file://CVE-2026-23948.patch \
|
||||
file://CVE-2026-24491.patch \
|
||||
"
|
||||
|
||||
S = "${WORKDIR}/git"
|
||||
|
||||
Reference in New Issue
Block a user