CVE-2022-41877 - Missing input length validation in drive channel
This commit is contained in:
Tobias Frost
parent
eb2c3e598e
commit
b7fad42bde
1
debian/changelog
vendored
1
debian/changelog
vendored
@ -14,6 +14,7 @@ freerdp2 (2.3.0+dfsg1-2+deb10u4) UNRELEASED; urgency=medium
|
||||
- CVE-2022-39318 - Division by zero in urbdrc channel
|
||||
- CVE-2022-39319 - Missing length validation in urbdrc channel
|
||||
- CVE-2022-39347 - Missing path sanitation with `drive` channel
|
||||
- CVE-2022-41877 - Missing input length validation in `drive` channel
|
||||
|
||||
-- Tobias Frost <tobi@debian.org> Sat, 28 Oct 2023 18:12:57 +0200
|
||||
|
||||
|
||||
38
debian/patches/0057-CVE-2022-41877.patch
vendored
Normal file
38
debian/patches/0057-CVE-2022-41877.patch
vendored
Normal file
@ -0,0 +1,38 @@
|
||||
Description: CVE-2022-41877
|
||||
Origin: https://github.com/FreeRDP/FreeRDP/commit/6655841cf2a00b764f855040aecb8803cfc5eaba
|
||||
Bug: https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-pmv3-wpw4-pw5h
|
||||
Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1024511
|
||||
From 6655841cf2a00b764f855040aecb8803cfc5eaba Mon Sep 17 00:00:00 2001
|
||||
From: akallabeth <akallabeth@posteo.net>
|
||||
Date: Mon, 24 Oct 2022 08:45:05 +0200
|
||||
Subject: [PATCH] Fixed missing stream length check in
|
||||
drive_file_query_directory
|
||||
|
||||
(cherry picked from commit 4e4bb79795d6ac85473fb7a83e53ccf63d204b93)
|
||||
---
|
||||
channels/drive/client/drive_main.c | 3 +++
|
||||
1 file changed, 3 insertions(+)
|
||||
|
||||
--- a/channels/drive/client/drive_main.c
|
||||
+++ b/channels/drive/client/drive_main.c
|
||||
@@ -46,6 +46,10 @@
|
||||
|
||||
#include "drive_file.h"
|
||||
|
||||
+#define Stream_CheckAndLogRequiredLength(tag, s, len) \
|
||||
+ Stream_CheckAndLogRequiredLengthWLogEx(WLog_Get(tag), WLOG_WARN, s, len, "%s(%s:%" PRIuz ")", __FUNCTION__, \
|
||||
+ __FILE__, __LINE__)
|
||||
+
|
||||
typedef struct _DRIVE_DEVICE DRIVE_DEVICE;
|
||||
|
||||
struct _DRIVE_DEVICE
|
||||
@@ -629,6 +633,9 @@
|
||||
Stream_Read_UINT32(irp->input, PathLength);
|
||||
Stream_Seek(irp->input, 23); /* Padding */
|
||||
path = (WCHAR*)Stream_Pointer(irp->input);
|
||||
+ if (!Stream_CheckAndLogRequiredLength(TAG, irp->input, PathLength))
|
||||
+ return ERROR_INVALID_DATA;
|
||||
+
|
||||
file = drive_get_file_by_id(drive, irp->FileId);
|
||||
|
||||
if (file == NULL)
|
||||
1
debian/patches/series
vendored
1
debian/patches/series
vendored
@ -46,3 +46,4 @@
|
||||
0054-CVE-2022-39318.patch
|
||||
0055-CVE-2022-39319.patch
|
||||
0056-CVE-2022-39347.patch
|
||||
0057-CVE-2022-41877.patch
|
||||
|
||||
Loading…
Reference in New Issue
Block a user