CVE-2022-39319

(cherry picked from commit 8c1bdb7d4f578fd4cfbe21704e375c2c9c3b232c)
2022-11-19 02:44:17 +08:00 · 2022-11-19 02:44:17 +08:00 · 91ccc81b00
commit 91ccc81b00
parent 3ba0630a7b
2 changed files with 60 additions and 1 deletions
--- a/CVE-2022-39319.patch
+++ b/CVE-2022-39319.patch
@ -0,0 +1,55 @@
+From 11555828d2cf289b350baba5ad1f462f10b80b76 Mon Sep 17 00:00:00 2001
+From: akallabeth <akallabeth@posteo.net>
+Date: Thu, 13 Oct 2022 08:47:51 +0200
+Subject: [PATCH] Fixed missing input buffer length check in urbdrc
+
+(cherry picked from commit 497df00f741dd4fc89292aaef2db7368aee45d0d)
+---
+ channels/urbdrc/client/data_transfer.c | 20 ++++++++++++++++++++
+ 1 file changed, 20 insertions(+)
+
+diff --git a/channels/urbdrc/client/data_transfer.c b/channels/urbdrc/client/data_transfer.c
+index d8725c02cf3..aabeef84752 100644
+--- a/channels/urbdrc/client/data_transfer.c
+++ b/channels/urbdrc/client/data_transfer.c
+@@ -247,6 +247,10 @@ static UINT urbdrc_process_io_control(IUDEVICE* pdev, URBDRC_CHANNEL_CALLBACK* c
+ 
+ 	Stream_Read_UINT32(s, OutputBufferSize);
+ 	Stream_Read_UINT32(s, RequestId);
+
+	if (OutputBufferSize > UINT32_MAX - 4)
+		return ERROR_INVALID_DATA;
+
+ 	InterfaceId = ((STREAM_ID_PROXY << 30) | pdev->get_ReqCompletion(pdev));
+ 	out = urb_create_iocompletion(InterfaceId, MessageId, RequestId, OutputBufferSize + 4);
+ 
+@@ -726,6 +730,15 @@ static UINT urb_bulk_or_interrupt_transfer(IUDEVICE* pdev, URBDRC_CHANNEL_CALLBA
+ 	Stream_Read_UINT32(s, TransferFlags); /** TransferFlags */
+ 	Stream_Read_UINT32(s, OutputBufferSize);
+ 	EndpointAddress = (PipeHandle & 0x000000ff);
+
+	if (transferDir == USBD_TRANSFER_DIRECTION_OUT)
+	{
+		if (!Stream_CheckAndLogRequiredLength(TAG, s, OutputBufferSize))
+		{
+			return ERROR_INVALID_DATA;
+		}
+	}
+
+ 	/**  process TS_URB_BULK_OR_INTERRUPT_TRANSFER */
+ 	return pdev->bulk_or_interrupt_transfer(
+ 	    pdev, callback, MessageId, RequestId, EndpointAddress, TransferFlags, noAck,
+@@ -810,6 +823,13 @@ static UINT urb_isoch_transfer(IUDEVICE* pdev, URBDRC_CHANNEL_CALLBACK* callback
+ 	packetDescriptorData = Stream_Pointer(s);
+ 	Stream_Seek(s, NumberOfPackets * 12);
+ 	Stream_Read_UINT32(s, OutputBufferSize);
+
+	if (transferDir == USBD_TRANSFER_DIRECTION_OUT)
+	{
+		if (!Stream_CheckAndLogRequiredLength(TAG, s, OutputBufferSize))
+			return ERROR_INVALID_DATA;
+	}
+
+ 	return pdev->isoch_transfer(
+ 	    pdev, callback, MessageId, RequestId, EndpointAddress, TransferFlags, StartFrame,
+ 	    ErrorCount, noAck, packetDescriptorData, NumberOfPackets, OutputBufferSize,
--- a/freerdp.spec
+++ b/freerdp.spec
@ -1,6 +1,6 @@
 Name:           freerdp
 Version:        2.8.1
-Release:        1
+Release:        2
 Epoch:          2
 Summary:        A Remote Desktop Protocol Implementation
 License:        Apache-2.0
@ -8,6 +8,7 @@ URL:            http://www.freerdp.com

 Source0:        https://github.com/FreeRDP/FreeRDP/archive/refs/tags/%{version}.tar.gz
 Patch0001:	Fix-freerdp-shadow-cli-exit-codes-for-help-and-version.patch
+Patch0002:	CVE-2022-39319.patch

 BuildRequires:  gcc gcc-c++ alsa-lib-devel cmake >= 2.8 cups-devel gsm-devel libXrandr-devel libXv-devel
 BuildRequires:  libjpeg-turbo-devel libjpeg-turbo-devel libX11-devel libXcursor-devel libxkbfile-devel
@ -137,6 +138,9 @@ echo "%{_libdir}/freerdp2" > %{buildroot}%{_sysconfdir}/ld.so.conf.d/%{name}-%{_
 %{_mandir}/*/*

 %changelog
+* Mon Nov 21 2022 liyuxiang <liyuxiang@ncti-gba.cn> - 2:2.8.1-2
+- Fix CVE-2022-39319
+
 * Thu Oct 20 2022 jiangpeng <jiangpeng01@ncti-gba.cn> - 2:2.8.1-1
 - Upgrade to 2.8.1
 - Fix CVE-2022-39282