CVE-2022-39319

(cherry picked from commit 8c1bdb7d4f578fd4cfbe21704e375c2c9c3b232c)
2022-11-19 02:44:17 +08:00 · 2022-11-19 02:44:17 +08:00 · 91ccc81b00
commit 91ccc81b00
parent 3ba0630a7b
2 changed files with 60 additions and 1 deletions
--- a/CVE-2022-39319.patch
+++ b/CVE-2022-39319.patch
@ -0,0 +1,55 @@
 From 11555828d2cf289b350baba5ad1f462f10b80b76 Mon Sep 17 00:00:00 2001
 From: akallabeth <akallabeth@posteo.net>
 Date: Thu, 13 Oct 2022 08:47:51 +0200
 Subject: [PATCH] Fixed missing input buffer length check in urbdrc
 (cherry picked from commit 497df00f741dd4fc89292aaef2db7368aee45d0d)
 ---
 channels/urbdrc/client/data_transfer.c | 20 ++++++++++++++++++++
 1 file changed, 20 insertions(+)
 diff --git a/channels/urbdrc/client/data_transfer.c b/channels/urbdrc/client/data_transfer.c
 index d8725c02cf3..aabeef84752 100644
 --- a/channels/urbdrc/client/data_transfer.c
 +++ b/channels/urbdrc/client/data_transfer.c
@@ -247,6 +247,10 @@ static UINT urbdrc_process_io_control(IUDEVICE* pdev, URBDRC_CHANNEL_CALLBACK* c
 	Stream_Read_UINT32(s, OutputBufferSize);
 	Stream_Read_UINT32(s, RequestId);
 +
 +	if (OutputBufferSize > UINT32_MAX - 4)
 +		return ERROR_INVALID_DATA;
 +
 	InterfaceId = ((STREAM_ID_PROXY << 30) | pdev->get_ReqCompletion(pdev));
 	out = urb_create_iocompletion(InterfaceId, MessageId, RequestId, OutputBufferSize + 4);
@@ -726,6 +730,15 @@ static UINT urb_bulk_or_interrupt_transfer(IUDEVICE* pdev, URBDRC_CHANNEL_CALLBA
 	Stream_Read_UINT32(s, TransferFlags); /** TransferFlags */
 	Stream_Read_UINT32(s, OutputBufferSize);
 	EndpointAddress = (PipeHandle & 0x000000ff);
 +
 +	if (transferDir == USBD_TRANSFER_DIRECTION_OUT)
 +	{
 +		if (!Stream_CheckAndLogRequiredLength(TAG, s, OutputBufferSize))
 +		{
 +			return ERROR_INVALID_DATA;
 +		}
 +	}
 +
 	/**  process TS_URB_BULK_OR_INTERRUPT_TRANSFER */
 	return pdev->bulk_or_interrupt_transfer(
 	    pdev, callback, MessageId, RequestId, EndpointAddress, TransferFlags, noAck,
@@ -810,6 +823,13 @@ static UINT urb_isoch_transfer(IUDEVICE* pdev, URBDRC_CHANNEL_CALLBACK* callback
 	packetDescriptorData = Stream_Pointer(s);
 	Stream_Seek(s, NumberOfPackets * 12);
 	Stream_Read_UINT32(s, OutputBufferSize);
 +
 +	if (transferDir == USBD_TRANSFER_DIRECTION_OUT)
 +	{
 +		if (!Stream_CheckAndLogRequiredLength(TAG, s, OutputBufferSize))
 +			return ERROR_INVALID_DATA;
 +	}
 +
 	return pdev->isoch_transfer(
 	    pdev, callback, MessageId, RequestId, EndpointAddress, TransferFlags, StartFrame,
 	    ErrorCount, noAck, packetDescriptorData, NumberOfPackets, OutputBufferSize,
--- a/freerdp.spec
+++ b/freerdp.spec
@ -1,6 +1,6 @@
 Name:           freerdp
 Version:        2.8.1
-Release:        1
+Release:        2
 Epoch:          2
 Summary:        A Remote Desktop Protocol Implementation
 License:        Apache-2.0
@ -8,6 +8,7 @@ URL:            http://www.freerdp.com
 Source0:        https://github.com/FreeRDP/FreeRDP/archive/refs/tags/%{version}.tar.gz
 Patch0001:	Fix-freerdp-shadow-cli-exit-codes-for-help-and-version.patch
 Patch0002:	CVE-2022-39319.patch
 BuildRequires:  gcc gcc-c++ alsa-lib-devel cmake >= 2.8 cups-devel gsm-devel libXrandr-devel libXv-devel
 BuildRequires:  libjpeg-turbo-devel libjpeg-turbo-devel libX11-devel libXcursor-devel libxkbfile-devel
@ -137,6 +138,9 @@ echo "%{_libdir}/freerdp2" > %{buildroot}%{_sysconfdir}/ld.so.conf.d/%{name}-%{_
 %{_mandir}/*/*
 %changelog
 * Mon Nov 21 2022 liyuxiang <liyuxiang@ncti-gba.cn> - 2:2.8.1-2
 - Fix CVE-2022-39319
 * Thu Oct 20 2022 jiangpeng <jiangpeng01@ncti-gba.cn> - 2:2.8.1-1
 - Upgrade to 2.8.1
 - Fix CVE-2022-39282