3 files changed, 412 insertions, 0 deletions
diff --git a/meta-oe/recipes-support/xrdp/xrdp/CVE-2022-23480-1.patch b/meta-oe/recipes-support/xrdp/xrdp/CVE-2022-23480-1.patch
new file mode 100644
index 0000000000..259044eb00
--- /dev/null
+++ b/meta-oe/recipes-support/xrdp/xrdp/CVE-2022-23480-1.patch
@@ -0,0 +1,356 @@
+From 7ad7b05261c698b867c7c4f1bfffb4f911036847 Mon Sep 17 00:00:00 2001
+From: matt335672 <30179339+matt335672@users.noreply.github.com>
+Date: Tue, 6 Dec 2022 12:48:57 +0000
+Subject: [PATCH] CVE-2022-23480
+Added length checking to redirector response parsing
+CVE: CVE-2022-23480
+Upstream-Status: Backport [https://github.com/neutrinolabs/xrdp/commit/7ad7b05261c698b867c7c4f1bfffb4f911036847]
+Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
+---
+ sesman/chansrv/devredir.c | 151 +++++++++++++++++++++++++++++++-------
+ 1 file changed, 123 insertions(+), 28 deletions(-)
+diff --git a/sesman/chansrv/devredir.c b/sesman/chansrv/devredir.c
+index a44d47e635..7faa9bfc7a 100644
+--- a/sesman/chansrv/devredir.c
+++ b/sesman/chansrv/devredir.c
+@@ -131,10 +131,10 @@ static void devredir_send_server_core_cap_req(void);
+ static void devredir_send_server_clientID_confirm(void);
+ static void devredir_send_server_user_logged_on(void);
+ 
+-static void devredir_proc_client_core_cap_resp(struct stream *s);
+-static void devredir_proc_client_devlist_announce_req(struct stream *s);
+-static void devredir_proc_client_devlist_remove_req(struct stream *s);
+-static void devredir_proc_device_iocompletion(struct stream *s);
+static int devredir_proc_client_core_cap_resp(struct stream *s);
+static int devredir_proc_client_devlist_announce_req(struct stream *s);
+static int devredir_proc_client_devlist_remove_req(struct stream *s);
+static int devredir_proc_device_iocompletion(struct stream *s);
+ static void devredir_proc_query_dir_response(IRP *irp,
+         struct stream *s_in,
+         tui32 DeviceId,
+@@ -323,6 +323,11 @@ devredir_data_in(struct stream *s, int chan_id, int chan_flags, int length,
+     }
+ 
+     /* read header from incoming data */
+    if (!s_check_rem_and_log(ls, 4, "Parsing [MS-RDPEFS] RDPDR_HEADER"))
+    {
+        rv = -1;
+        goto done;
+    }
+     xstream_rd_u16_le(ls, comp_type);
+     xstream_rd_u16_le(ls, pktID);
+ 
+@@ -340,27 +345,34 @@ devredir_data_in(struct stream *s, int chan_id, int chan_flags, int length,
+     switch (pktID)
+     {
+         case PAKID_CORE_CLIENTID_CONFIRM:
+-            xstream_seek(ls, 2);  /* major version, we ignore it */
+-            xstream_rd_u16_le(ls, minor_ver);
+-            xstream_rd_u32_le(ls, g_clientID);
+            if (!s_check_rem_and_log(ls, 6, "Parsing [MS-RDPEFS] DR_CORE_CLIENT_ANNOUNCE_RSP"))
+            {
+                rv = -1;
+            }
+            else
+            {
+                xstream_seek(ls, 2);  /* major version, we ignore it */
+                xstream_rd_u16_le(ls, minor_ver);
+                xstream_rd_u32_le(ls, g_clientID);
+ 
+-            g_client_rdp_version = minor_ver;
+                g_client_rdp_version = minor_ver;
+ 
+-            switch (minor_ver)
+-            {
+-                case RDP_CLIENT_50:
+-                    break;
+                switch (minor_ver)
+                {
+                    case RDP_CLIENT_50:
+                        break;
+ 
+-                case RDP_CLIENT_51:
+-                    break;
+                    case RDP_CLIENT_51:
+                        break;
+ 
+-                case RDP_CLIENT_52:
+-                    break;
+                    case RDP_CLIENT_52:
+                        break;
+ 
+-                case RDP_CLIENT_60_61:
+-                    break;
+                    case RDP_CLIENT_60_61:
+                        break;
+                }
+                // LK_TODO devredir_send_server_clientID_confirm();
+             }
+-            // LK_TODO devredir_send_server_clientID_confirm();
+             break;
+ 
+         case PAKID_CORE_CLIENT_NAME:
+@@ -378,19 +390,19 @@ devredir_data_in(struct stream *s, int chan_id, int chan_flags, int length,
+             break;
+ 
+         case PAKID_CORE_CLIENT_CAPABILITY:
+-            devredir_proc_client_core_cap_resp(ls);
+            rv = devredir_proc_client_core_cap_resp(ls);
+             break;
+ 
+         case PAKID_CORE_DEVICELIST_ANNOUNCE:
+-            devredir_proc_client_devlist_announce_req(ls);
+            rv = devredir_proc_client_devlist_announce_req(ls);
+             break;
+ 
+         case PAKID_CORE_DEVICELIST_REMOVE:
+-            devredir_proc_client_devlist_remove_req(ls);
+            rv = devredir_proc_client_devlist_remove_req(ls);
+             break;
+ 
+         case PAKID_CORE_DEVICE_IOCOMPLETION:
+-            devredir_proc_device_iocompletion(ls);
+            rv = devredir_proc_device_iocompletion(ls);
+             break;
+ 
+         default:
+@@ -727,8 +739,9 @@ devredir_send_drive_dir_request(IRP *irp, tui32 device_id,
+  * @brief process client's response to our core_capability_req() msg
+  *
+  * @param   s   stream containing client's response
+ * @return  0   for success, -1 otherwise
+  *****************************************************************************/
+-static void
+static int
+ devredir_proc_client_core_cap_resp(struct stream *s)
+ {
+     int i;
+@@ -738,15 +751,31 @@ devredir_proc_client_core_cap_resp(struct stream *s)
+     tui32 cap_version;
+     char *holdp;
+ 
+    if (!s_check_rem_and_log(s, 4, "Parsing [MS-RDPEFS] DR_CORE_CAPABLITY_RSP"))
+    {
+        return -1;
+    }
+     xstream_rd_u16_le(s, num_caps);
+     xstream_seek(s, 2);  /* padding */
+ 
+     for (i = 0; i < num_caps; i++)
+     {
+         holdp = s->p;
+        if (!s_check_rem_and_log(s, 8, "Parsing [MS-RDPEFS] CAPABILITY_HEADER"))
+        {
+            return -1;
+        }
+         xstream_rd_u16_le(s, cap_type);
+         xstream_rd_u16_le(s, cap_len);
+         xstream_rd_u32_le(s, cap_version);
+        /* Convert the length to a remaining length. Underflow is possible,
+         * but this is an unsigned type so that's OK */
+        cap_len -= (s->p - holdp);
+        if (cap_len > 0 &&
+                !s_check_rem_and_log(s, cap_len, "Parsing [MS-RDPEFS] CAPABILITY_HEADER length"))
+        {
+            return -1;
+        }
+ 
+         switch (cap_type)
+         {
+@@ -779,11 +808,12 @@ devredir_proc_client_core_cap_resp(struct stream *s)
+                 scard_init();
+                 break;
+         }
+-        s->p = holdp + cap_len;
+        xstream_seek(s, cap_len);
+     }
+    return 0;
+ }
+ 
+-static void
+static int
+ devredir_proc_client_devlist_announce_req(struct stream *s)
+ {
+     unsigned int i;
+@@ -795,12 +825,22 @@ devredir_proc_client_devlist_announce_req(struct stream *s)
+     enum NTSTATUS response_status;
+ 
+     /* get number of devices being announced */
+    if (!s_check_rem_and_log(s, 4, "Parsing [MS-RDPEFS] DR_CORE_DEVICELIST_ANNOUNCE_REQ"))
+    {
+        return -1;
+    }
+
+     xstream_rd_u32_le(s, device_count);
+ 
+     LOG_DEVEL(LOG_LEVEL_DEBUG, "num of devices announced: %d", device_count);
+ 
+     for (i = 0; i < device_count; i++)
+     {
+        if (!s_check_rem_and_log(s, 4 + 4 + 8 + 4,
+                                 "Parsing [MS-RDPEFS] DEVICE_ANNOUNCE"))
+        {
+            return -1;
+        }
+         xstream_rd_u32_le(s, device_type);
+         xstream_rd_u32_le(s, g_device_id);
+         /* get preferred DOS name
+@@ -816,6 +856,12 @@ devredir_proc_client_devlist_announce_req(struct stream *s)
+ 
+         /* Read the device data length from the stream */
+         xstream_rd_u32_le(s, device_data_len);
+        if (device_data_len > 0 && !
+                !s_check_rem_and_log(s, device_data_len,
+                                     "Parsing [MS-RDPEFS] DEVICE_ANNOUNCE devdata"))
+        {
+            return -1;
+        }
+ 
+         switch (device_type)
+         {
+@@ -881,9 +927,11 @@ devredir_proc_client_devlist_announce_req(struct stream *s)
+         devredir_send_server_device_announce_resp(g_device_id,
+                 response_status);
+     }
+
+    return 0;
+ }
+ 
+-static void
+static int
+ devredir_proc_client_devlist_remove_req(struct stream *s)
+ {
+     unsigned int i;
+@@ -891,7 +939,16 @@ devredir_proc_client_devlist_remove_req(struct stream *s)
+     tui32 device_id;
+ 
+     /* get number of devices being announced */
+    if (!s_check_rem_and_log(s, 4, "Parsing [MS-RDPEFS] DR_DEVICELIST_REMOVE"))
+    {
+        return -1;
+    }
+     xstream_rd_u32_le(s, device_count);
+    if (!s_check_rem_and_log(s, 4 * device_count,
+                             "Parsing [MS-RDPEFS] DR_DEVICELIST_REMOVE list"))
+    {
+        return -1;
+    }
+ 
+     LOG_DEVEL(LOG_LEVEL_DEBUG, "num of devices removed: %d", device_count);
+     {
+@@ -901,9 +958,10 @@ devredir_proc_client_devlist_remove_req(struct stream *s)
+             xfuse_delete_share(device_id);
+         }
+     }
+    return 0;
+ }
+ 
+-static void
+static int
+ devredir_proc_device_iocompletion(struct stream *s)
+ {
+     IRP       *irp       = NULL;
+@@ -914,6 +972,10 @@ devredir_proc_device_iocompletion(struct stream *s)
+     tui32      Length;
+     enum COMPLETION_TYPE comp_type;
+ 
+    if (!s_check_rem_and_log(s, 12, "Parsing [MS-RDPEFS] DR_DEVICE_IOCOMPLETION"))
+    {
+        return -1;
+    }
+     xstream_rd_u32_le(s, DeviceId);
+     xstream_rd_u32_le(s, CompletionId);
+     xstream_rd_u32_le(s, IoStatus32);
+@@ -959,6 +1021,10 @@ devredir_proc_device_iocompletion(struct stream *s)
+                 }
+                 else
+                 {
+                    if (!s_check_rem_and_log(s, 4, "Parsing [MS-RDPEFS] DR_CREATE_RSP"))
+                    {
+                        return -1;
+                    }
+                     xstream_rd_u32_le(s, irp->FileId);
+                     devredir_send_drive_dir_request(irp, DeviceId,
+                                                     1, irp->pathname);
+@@ -966,6 +1032,10 @@ devredir_proc_device_iocompletion(struct stream *s)
+                 break;
+ 
+             case CID_CREATE_REQ:
+                if (!s_check_rem_and_log(s, 4, "Parsing [MS-RDPEFS] DR_CREATE_RSP"))
+                {
+                    return -1;
+                }
+                 xstream_rd_u32_le(s, irp->FileId);
+ 
+                 xfuse_devredir_cb_create_file(
+@@ -978,6 +1048,10 @@ devredir_proc_device_iocompletion(struct stream *s)
+                 break;
+ 
+             case CID_OPEN_REQ:
+                if (!s_check_rem_and_log(s, 4, "Parsing [MS-RDPEFS] DR_CREATE_RSP"))
+                {
+                    return -1;
+                }
+                 xstream_rd_u32_le(s, irp->FileId);
+ 
+                 xfuse_devredir_cb_open_file((struct state_open *) irp->fuse_info,
+@@ -989,7 +1063,15 @@ devredir_proc_device_iocompletion(struct stream *s)
+                 break;
+ 
+             case CID_READ:
+                if (!s_check_rem_and_log(s, 4, "Parsing [MS-RDPEFS] DR_READ_RSP"))
+                {
+                    return -1;
+                }
+                 xstream_rd_u32_le(s, Length);
+                if (!s_check_rem_and_log(s, Length, "Parsing [MS-RDPEFS] DR_READ_RSP"))
+                {
+                    return -1;
+                }
+                 xfuse_devredir_cb_read_file((struct state_read *) irp->fuse_info,
+                                             IoStatus,
+                                             s->p, Length);
+@@ -997,6 +1079,10 @@ devredir_proc_device_iocompletion(struct stream *s)
+                 break;
+ 
+             case CID_WRITE:
+                if (!s_check_rem_and_log(s, 4, "Parsing [MS-RDPEFS] DR_WRITE_RSP"))
+                {
+                    return -1;
+                }
+                 xstream_rd_u32_le(s, Length);
+                 xfuse_devredir_cb_write_file((struct state_write *) irp->fuse_info,
+                                              IoStatus,
+@@ -1019,6 +1105,10 @@ devredir_proc_device_iocompletion(struct stream *s)
+                 break;
+ 
+             case CID_RMDIR_OR_FILE:
+                if (!s_check_rem_and_log(s, 4, "Parsing [MS-RDPEFS] DR_CREATE_RSP"))
+                {
+                    return -1;
+                }
+                 xstream_rd_u32_le(s, irp->FileId);
+                 devredir_proc_cid_rmdir_or_file(irp, IoStatus);
+                 break;
+@@ -1028,6 +1118,10 @@ devredir_proc_device_iocompletion(struct stream *s)
+                 break;
+ 
+             case CID_RENAME_FILE:
+                if (!s_check_rem_and_log(s, 4, "Parsing [MS-RDPEFS] DR_CREATE_RSP"))
+                {
+                    return -1;
+                }
+                 xstream_rd_u32_le(s, irp->FileId);
+                 devredir_proc_cid_rename_file(irp, IoStatus);
+                 break;
+@@ -1051,6 +1145,7 @@ devredir_proc_device_iocompletion(struct stream *s)
+                 break;
+         }
+     }
+    return 0;
+ }
+ 
+ static void
diff --git a/meta-oe/recipes-support/xrdp/xrdp/CVE-2022-23480-2.patch b/meta-oe/recipes-support/xrdp/xrdp/CVE-2022-23480-2.patch
new file mode 100644
index 0000000000..38c444efcf
--- /dev/null
+++ b/meta-oe/recipes-support/xrdp/xrdp/CVE-2022-23480-2.patch
@@ -0,0 +1,54 @@
+From 191ed3e3fa892c7dc26e142c7af7af546fcce87d Mon Sep 17 00:00:00 2001
+From: matt335672 <30179339+matt335672@users.noreply.github.com>
+Date: Thu, 8 Dec 2022 14:13:48 +0000
+Subject: [PATCH] Remove unused g_full_name_for_filesystem
+Not only was this unused, the way it was read could lead to a
+buffer overflow (CVE-2022-23480)
+CVE: CVE-2022-23480
+Upstream-Status: Backport [https://github.com/neutrinolabs/xrdp/commit/191ed3e3fa892c7dc26e142c7af7af546fcce87d]
+Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
+---
+ sesman/chansrv/devredir.c | 14 +++++---------
+ 1 file changed, 5 insertions(+), 9 deletions(-)
+diff --git a/sesman/chansrv/devredir.c b/sesman/chansrv/devredir.c
+index 7faa9bfc7a..6ce35e34de 100644
+--- a/sesman/chansrv/devredir.c
+++ b/sesman/chansrv/devredir.c
+@@ -103,7 +103,6 @@ int g_is_port_redir_supported = 0;
+ int g_is_drive_redir_supported = 0;
+ int g_is_smartcard_redir_supported = 0;
+ int g_drive_redir_version = 1;
+-char g_full_name_for_filesystem[1024];
+ tui32 g_completion_id = 1;
+ 
+ tui32 g_clientID;           /* unique client ID - announced by client */
+@@ -866,21 +865,18 @@ devredir_proc_client_devlist_announce_req(struct stream *s)
+         switch (device_type)
+         {
+             case RDPDR_DTYP_FILESYSTEM:
+-                /* get device data len */
+-                if (device_data_len)
+-                {
+-                    xstream_rd_string(g_full_name_for_filesystem, s,
+-                                      device_data_len);
+-                }
+                /* At present we don't use the full name - see
+                 * [MS-RDPEFS] 2.2.3.1 for details of the contents */
+                xstream_skip_u8(s, device_data_len);
+ 
+                 LOG(LOG_LEVEL_INFO, "Detected remote drive '%s'",
+                     preferred_dos_name);
+ 
+                 LOG_DEVEL(LOG_LEVEL_DEBUG,
+                           "device_type=FILE_SYSTEM device_id=0x%x dosname=%s "
+-                          "device_data_len=%d full_name=%s", g_device_id,
+                          "device_data_len=%d", g_device_id,
+                           preferred_dos_name,
+-                          device_data_len, g_full_name_for_filesystem);
+                          device_data_len);
+ 
+                 response_status = STATUS_SUCCESS;
+ 
diff --git a/meta-oe/recipes-support/xrdp/xrdp_0.9.20.bb b/meta-oe/recipes-support/xrdp/xrdp_0.9.20.bb
index ea895f169e..e50accfe17 100644
--- a/meta-oe/recipes-support/xrdp/xrdp_0.9.20.bb
+++ b/meta-oe/recipes-support/xrdp/xrdp_0.9.20.bb
@@ -20,6 +20,8 @@ SRC_URI = "https://github.com/neutrinolabs/${BPN}/releases/download/v${PV}/${BPN
           file://CVE-2022-23477.patch \
           file://CVE-2022-23478.patch \
           file://CVE-2022-23479.patch \
+           file://CVE-2022-23480-1.patch \
+           file://CVE-2022-23480-2.patch \
           "
 SRC_URI[sha256sum] = "db693401da95b71b4d4e4c99aeb569a546dbdbde343f6d3302b0c47653277abb"

diff --git a/meta-oe/recipes-support/xrdp/xrdp/CVE-2022-23480-1.patch b/meta-oe/recipes-support/xrdp/xrdp/CVE-2022-23480-1.patch new file mode 100644 index 0000000000..259044eb00 --- /dev/null +++ b/meta-oe/recipes-support/xrdp/xrdp/CVE-2022-23480-1.patch
@@ -0,0 +1,356 @@
		1	From 7ad7b05261c698b867c7c4f1bfffb4f911036847 Mon Sep 17 00:00:00 2001
		2	From: matt335672 <30179339+matt335672@users.noreply.github.com>
		3	Date: Tue, 6 Dec 2022 12:48:57 +0000
		4	Subject: [PATCH] CVE-2022-23480
		5
		6	Added length checking to redirector response parsing
		7
		8	CVE: CVE-2022-23480
		9	Upstream-Status: Backport [https://github.com/neutrinolabs/xrdp/commit/7ad7b05261c698b867c7c4f1bfffb4f911036847]
		10	Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
		11	---
		12	sesman/chansrv/devredir.c \| 151 +++++++++++++++++++++++++++++++-------
		13	1 file changed, 123 insertions(+), 28 deletions(-)
		14
		15	diff --git a/sesman/chansrv/devredir.c b/sesman/chansrv/devredir.c
		16	index a44d47e635..7faa9bfc7a 100644
		17	--- a/sesman/chansrv/devredir.c
		18	+++ b/sesman/chansrv/devredir.c
		19	@@ -131,10 +131,10 @@ static void devredir_send_server_core_cap_req(void);
		20	static void devredir_send_server_clientID_confirm(void);
		21	static void devredir_send_server_user_logged_on(void);
		22
		23	-static void devredir_proc_client_core_cap_resp(struct stream *s);
		24	-static void devredir_proc_client_devlist_announce_req(struct stream *s);
		25	-static void devredir_proc_client_devlist_remove_req(struct stream *s);
		26	-static void devredir_proc_device_iocompletion(struct stream *s);
		27	+static int devredir_proc_client_core_cap_resp(struct stream *s);
		28	+static int devredir_proc_client_devlist_announce_req(struct stream *s);
		29	+static int devredir_proc_client_devlist_remove_req(struct stream *s);
		30	+static int devredir_proc_device_iocompletion(struct stream *s);
		31	static void devredir_proc_query_dir_response(IRP *irp,
		32	struct stream *s_in,
		33	tui32 DeviceId,
		34	@@ -323,6 +323,11 @@ devredir_data_in(struct stream *s, int chan_id, int chan_flags, int length,
		35	}
		36
		37	/* read header from incoming data */
		38	+ if (!s_check_rem_and_log(ls, 4, "Parsing [MS-RDPEFS] RDPDR_HEADER"))
		39	+ {
		40	+ rv = -1;
		41	+ goto done;
		42	+ }
		43	xstream_rd_u16_le(ls, comp_type);
		44	xstream_rd_u16_le(ls, pktID);
		45
		46	@@ -340,27 +345,34 @@ devredir_data_in(struct stream *s, int chan_id, int chan_flags, int length,
		47	switch (pktID)
		48	{
		49	case PAKID_CORE_CLIENTID_CONFIRM:
		50	- xstream_seek(ls, 2); /* major version, we ignore it */
		51	- xstream_rd_u16_le(ls, minor_ver);
		52	- xstream_rd_u32_le(ls, g_clientID);
		53	+ if (!s_check_rem_and_log(ls, 6, "Parsing [MS-RDPEFS] DR_CORE_CLIENT_ANNOUNCE_RSP"))
		54	+ {
		55	+ rv = -1;
		56	+ }
		57	+ else
		58	+ {
		59	+ xstream_seek(ls, 2); /* major version, we ignore it */
		60	+ xstream_rd_u16_le(ls, minor_ver);
		61	+ xstream_rd_u32_le(ls, g_clientID);
		62
		63	- g_client_rdp_version = minor_ver;
		64	+ g_client_rdp_version = minor_ver;
		65
		66	- switch (minor_ver)
		67	- {
		68	- case RDP_CLIENT_50:
		69	- break;
		70	+ switch (minor_ver)
		71	+ {
		72	+ case RDP_CLIENT_50:
		73	+ break;
		74
		75	- case RDP_CLIENT_51:
		76	- break;
		77	+ case RDP_CLIENT_51:
		78	+ break;
		79
		80	- case RDP_CLIENT_52:
		81	- break;
		82	+ case RDP_CLIENT_52:
		83	+ break;
		84
		85	- case RDP_CLIENT_60_61:
		86	- break;
		87	+ case RDP_CLIENT_60_61:
		88	+ break;
		89	+ }
		90	+ // LK_TODO devredir_send_server_clientID_confirm();
		91	}
		92	- // LK_TODO devredir_send_server_clientID_confirm();
		93	break;
		94
		95	case PAKID_CORE_CLIENT_NAME:
		96	@@ -378,19 +390,19 @@ devredir_data_in(struct stream *s, int chan_id, int chan_flags, int length,
		97	break;
		98
		99	case PAKID_CORE_CLIENT_CAPABILITY:
		100	- devredir_proc_client_core_cap_resp(ls);
		101	+ rv = devredir_proc_client_core_cap_resp(ls);
		102	break;
		103
		104	case PAKID_CORE_DEVICELIST_ANNOUNCE:
		105	- devredir_proc_client_devlist_announce_req(ls);
		106	+ rv = devredir_proc_client_devlist_announce_req(ls);
		107	break;
		108
		109	case PAKID_CORE_DEVICELIST_REMOVE:
		110	- devredir_proc_client_devlist_remove_req(ls);
		111	+ rv = devredir_proc_client_devlist_remove_req(ls);
		112	break;
		113
		114	case PAKID_CORE_DEVICE_IOCOMPLETION:
		115	- devredir_proc_device_iocompletion(ls);
		116	+ rv = devredir_proc_device_iocompletion(ls);
		117	break;
		118
		119	default:
		120	@@ -727,8 +739,9 @@ devredir_send_drive_dir_request(IRP *irp, tui32 device_id,
		121	* @brief process client's response to our core_capability_req() msg
		122	*
		123	* @param s stream containing client's response
		124	+ * @return 0 for success, -1 otherwise
		125	*****************************************************************************/
		126	-static void
		127	+static int
		128	devredir_proc_client_core_cap_resp(struct stream *s)
		129	{
		130	int i;
		131	@@ -738,15 +751,31 @@ devredir_proc_client_core_cap_resp(struct stream *s)
		132	tui32 cap_version;
		133	char *holdp;
		134
		135	+ if (!s_check_rem_and_log(s, 4, "Parsing [MS-RDPEFS] DR_CORE_CAPABLITY_RSP"))
		136	+ {
		137	+ return -1;
		138	+ }
		139	xstream_rd_u16_le(s, num_caps);
		140	xstream_seek(s, 2); /* padding */
		141
		142	for (i = 0; i < num_caps; i++)
		143	{
		144	holdp = s->p;
		145	+ if (!s_check_rem_and_log(s, 8, "Parsing [MS-RDPEFS] CAPABILITY_HEADER"))
		146	+ {
		147	+ return -1;
		148	+ }
		149	xstream_rd_u16_le(s, cap_type);
		150	xstream_rd_u16_le(s, cap_len);
		151	xstream_rd_u32_le(s, cap_version);
		152	+ /* Convert the length to a remaining length. Underflow is possible,
		153	+ * but this is an unsigned type so that's OK */
		154	+ cap_len -= (s->p - holdp);
		155	+ if (cap_len > 0 &&
		156	+ !s_check_rem_and_log(s, cap_len, "Parsing [MS-RDPEFS] CAPABILITY_HEADER length"))
		157	+ {
		158	+ return -1;
		159	+ }
		160
		161	switch (cap_type)
		162	{
		163	@@ -779,11 +808,12 @@ devredir_proc_client_core_cap_resp(struct stream *s)
		164	scard_init();
		165	break;
		166	}
		167	- s->p = holdp + cap_len;
		168	+ xstream_seek(s, cap_len);
		169	}
		170	+ return 0;
		171	}
		172
		173	-static void
		174	+static int
		175	devredir_proc_client_devlist_announce_req(struct stream *s)
		176	{
		177	unsigned int i;
		178	@@ -795,12 +825,22 @@ devredir_proc_client_devlist_announce_req(struct stream *s)
		179	enum NTSTATUS response_status;
		180
		181	/* get number of devices being announced */
		182	+ if (!s_check_rem_and_log(s, 4, "Parsing [MS-RDPEFS] DR_CORE_DEVICELIST_ANNOUNCE_REQ"))
		183	+ {
		184	+ return -1;
		185	+ }
		186	+
		187	xstream_rd_u32_le(s, device_count);
		188
		189	LOG_DEVEL(LOG_LEVEL_DEBUG, "num of devices announced: %d", device_count);
		190
		191	for (i = 0; i < device_count; i++)
		192	{
		193	+ if (!s_check_rem_and_log(s, 4 + 4 + 8 + 4,
		194	+ "Parsing [MS-RDPEFS] DEVICE_ANNOUNCE"))
		195	+ {
		196	+ return -1;
		197	+ }
		198	xstream_rd_u32_le(s, device_type);
		199	xstream_rd_u32_le(s, g_device_id);
		200	/* get preferred DOS name
		201	@@ -816,6 +856,12 @@ devredir_proc_client_devlist_announce_req(struct stream *s)
		202
		203	/* Read the device data length from the stream */
		204	xstream_rd_u32_le(s, device_data_len);
		205	+ if (device_data_len > 0 && !
		206	+ !s_check_rem_and_log(s, device_data_len,
		207	+ "Parsing [MS-RDPEFS] DEVICE_ANNOUNCE devdata"))
		208	+ {
		209	+ return -1;
		210	+ }
		211
		212	switch (device_type)
		213	{
		214	@@ -881,9 +927,11 @@ devredir_proc_client_devlist_announce_req(struct stream *s)
		215	devredir_send_server_device_announce_resp(g_device_id,
		216	response_status);
		217	}
		218	+
		219	+ return 0;
		220	}
		221
		222	-static void
		223	+static int
		224	devredir_proc_client_devlist_remove_req(struct stream *s)
		225	{
		226	unsigned int i;
		227	@@ -891,7 +939,16 @@ devredir_proc_client_devlist_remove_req(struct stream *s)
		228	tui32 device_id;
		229
		230	/* get number of devices being announced */
		231	+ if (!s_check_rem_and_log(s, 4, "Parsing [MS-RDPEFS] DR_DEVICELIST_REMOVE"))
		232	+ {
		233	+ return -1;
		234	+ }
		235	xstream_rd_u32_le(s, device_count);
		236	+ if (!s_check_rem_and_log(s, 4 * device_count,
		237	+ "Parsing [MS-RDPEFS] DR_DEVICELIST_REMOVE list"))
		238	+ {
		239	+ return -1;
		240	+ }
		241
		242	LOG_DEVEL(LOG_LEVEL_DEBUG, "num of devices removed: %d", device_count);
		243	{
		244	@@ -901,9 +958,10 @@ devredir_proc_client_devlist_remove_req(struct stream *s)
		245	xfuse_delete_share(device_id);
		246	}
		247	}
		248	+ return 0;
		249	}
		250
		251	-static void
		252	+static int
		253	devredir_proc_device_iocompletion(struct stream *s)
		254	{
		255	IRP *irp = NULL;
		256	@@ -914,6 +972,10 @@ devredir_proc_device_iocompletion(struct stream *s)
		257	tui32 Length;
		258	enum COMPLETION_TYPE comp_type;
		259
		260	+ if (!s_check_rem_and_log(s, 12, "Parsing [MS-RDPEFS] DR_DEVICE_IOCOMPLETION"))
		261	+ {
		262	+ return -1;
		263	+ }
		264	xstream_rd_u32_le(s, DeviceId);
		265	xstream_rd_u32_le(s, CompletionId);
		266	xstream_rd_u32_le(s, IoStatus32);
		267	@@ -959,6 +1021,10 @@ devredir_proc_device_iocompletion(struct stream *s)
		268	}
		269	else
		270	{
		271	+ if (!s_check_rem_and_log(s, 4, "Parsing [MS-RDPEFS] DR_CREATE_RSP"))
		272	+ {
		273	+ return -1;
		274	+ }
		275	xstream_rd_u32_le(s, irp->FileId);
		276	devredir_send_drive_dir_request(irp, DeviceId,
		277	1, irp->pathname);
		278	@@ -966,6 +1032,10 @@ devredir_proc_device_iocompletion(struct stream *s)
		279	break;
		280
		281	case CID_CREATE_REQ:
		282	+ if (!s_check_rem_and_log(s, 4, "Parsing [MS-RDPEFS] DR_CREATE_RSP"))
		283	+ {
		284	+ return -1;
		285	+ }
		286	xstream_rd_u32_le(s, irp->FileId);
		287
		288	xfuse_devredir_cb_create_file(
		289	@@ -978,6 +1048,10 @@ devredir_proc_device_iocompletion(struct stream *s)
		290	break;
		291
		292	case CID_OPEN_REQ:
		293	+ if (!s_check_rem_and_log(s, 4, "Parsing [MS-RDPEFS] DR_CREATE_RSP"))
		294	+ {
		295	+ return -1;
		296	+ }
		297	xstream_rd_u32_le(s, irp->FileId);
		298
		299	xfuse_devredir_cb_open_file((struct state_open *) irp->fuse_info,
		300	@@ -989,7 +1063,15 @@ devredir_proc_device_iocompletion(struct stream *s)
		301	break;
		302
		303	case CID_READ:
		304	+ if (!s_check_rem_and_log(s, 4, "Parsing [MS-RDPEFS] DR_READ_RSP"))
		305	+ {
		306	+ return -1;
		307	+ }
		308	xstream_rd_u32_le(s, Length);
		309	+ if (!s_check_rem_and_log(s, Length, "Parsing [MS-RDPEFS] DR_READ_RSP"))
		310	+ {
		311	+ return -1;
		312	+ }
		313	xfuse_devredir_cb_read_file((struct state_read *) irp->fuse_info,
		314	IoStatus,
		315	s->p, Length);
		316	@@ -997,6 +1079,10 @@ devredir_proc_device_iocompletion(struct stream *s)
		317	break;
		318
		319	case CID_WRITE:
		320	+ if (!s_check_rem_and_log(s, 4, "Parsing [MS-RDPEFS] DR_WRITE_RSP"))
		321	+ {
		322	+ return -1;
		323	+ }
		324	xstream_rd_u32_le(s, Length);
		325	xfuse_devredir_cb_write_file((struct state_write *) irp->fuse_info,
		326	IoStatus,
		327	@@ -1019,6 +1105,10 @@ devredir_proc_device_iocompletion(struct stream *s)
		328	break;
		329
		330	case CID_RMDIR_OR_FILE:
		331	+ if (!s_check_rem_and_log(s, 4, "Parsing [MS-RDPEFS] DR_CREATE_RSP"))
		332	+ {
		333	+ return -1;
		334	+ }
		335	xstream_rd_u32_le(s, irp->FileId);
		336	devredir_proc_cid_rmdir_or_file(irp, IoStatus);
		337	break;
		338	@@ -1028,6 +1118,10 @@ devredir_proc_device_iocompletion(struct stream *s)
		339	break;
		340
		341	case CID_RENAME_FILE:
		342	+ if (!s_check_rem_and_log(s, 4, "Parsing [MS-RDPEFS] DR_CREATE_RSP"))
		343	+ {
		344	+ return -1;
		345	+ }
		346	xstream_rd_u32_le(s, irp->FileId);
		347	devredir_proc_cid_rename_file(irp, IoStatus);
		348	break;
		349	@@ -1051,6 +1145,7 @@ devredir_proc_device_iocompletion(struct stream *s)
		350	break;
		351	}
		352	}
		353	+ return 0;
		354	}
		355
		356	static void


diff --git a/meta-oe/recipes-support/xrdp/xrdp/CVE-2022-23480-2.patch b/meta-oe/recipes-support/xrdp/xrdp/CVE-2022-23480-2.patch new file mode 100644 index 0000000000..38c444efcf --- /dev/null +++ b/meta-oe/recipes-support/xrdp/xrdp/CVE-2022-23480-2.patch
@@ -0,0 +1,54 @@
		1	From 191ed3e3fa892c7dc26e142c7af7af546fcce87d Mon Sep 17 00:00:00 2001
		2	From: matt335672 <30179339+matt335672@users.noreply.github.com>
		3	Date: Thu, 8 Dec 2022 14:13:48 +0000
		4	Subject: [PATCH] Remove unused g_full_name_for_filesystem
		5
		6	Not only was this unused, the way it was read could lead to a
		7	buffer overflow (CVE-2022-23480)
		8
		9	CVE: CVE-2022-23480
		10	Upstream-Status: Backport [https://github.com/neutrinolabs/xrdp/commit/191ed3e3fa892c7dc26e142c7af7af546fcce87d]
		11	Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
		12	---
		13	sesman/chansrv/devredir.c \| 14 +++++---------
		14	1 file changed, 5 insertions(+), 9 deletions(-)
		15
		16	diff --git a/sesman/chansrv/devredir.c b/sesman/chansrv/devredir.c
		17	index 7faa9bfc7a..6ce35e34de 100644
		18	--- a/sesman/chansrv/devredir.c
		19	+++ b/sesman/chansrv/devredir.c
		20	@@ -103,7 +103,6 @@ int g_is_port_redir_supported = 0;
		21	int g_is_drive_redir_supported = 0;
		22	int g_is_smartcard_redir_supported = 0;
		23	int g_drive_redir_version = 1;
		24	-char g_full_name_for_filesystem[1024];
		25	tui32 g_completion_id = 1;
		26
		27	tui32 g_clientID; /* unique client ID - announced by client */
		28	@@ -866,21 +865,18 @@ devredir_proc_client_devlist_announce_req(struct stream *s)
		29	switch (device_type)
		30	{
		31	case RDPDR_DTYP_FILESYSTEM:
		32	- /* get device data len */
		33	- if (device_data_len)
		34	- {
		35	- xstream_rd_string(g_full_name_for_filesystem, s,
		36	- device_data_len);
		37	- }
		38	+ /* At present we don't use the full name - see
		39	+ * [MS-RDPEFS] 2.2.3.1 for details of the contents */
		40	+ xstream_skip_u8(s, device_data_len);
		41
		42	LOG(LOG_LEVEL_INFO, "Detected remote drive '%s'",
		43	preferred_dos_name);
		44
		45	LOG_DEVEL(LOG_LEVEL_DEBUG,
		46	"device_type=FILE_SYSTEM device_id=0x%x dosname=%s "
		47	- "device_data_len=%d full_name=%s", g_device_id,
		48	+ "device_data_len=%d", g_device_id,
		49	preferred_dos_name,
		50	- device_data_len, g_full_name_for_filesystem);
		51	+ device_data_len);
		52
		53	response_status = STATUS_SUCCESS;
		54


diff --git a/meta-oe/recipes-support/xrdp/xrdp_0.9.20.bb b/meta-oe/recipes-support/xrdp/xrdp_0.9.20.bb index ea895f169e..e50accfe17 100644 --- a/meta-oe/recipes-support/xrdp/xrdp_0.9.20.bb +++ b/meta-oe/recipes-support/xrdp/xrdp_0.9.20.bb
@@ -20,6 +20,8 @@ SRC_URI = "https://github.com/neutrinolabs/${BPN}/releases/download/v${PV}/${BPN
20	file://CVE-2022-23477.patch \	20	file://CVE-2022-23477.patch \
21	file://CVE-2022-23478.patch \	21	file://CVE-2022-23478.patch \
22	file://CVE-2022-23479.patch \	22	file://CVE-2022-23479.patch \
		23	file://CVE-2022-23480-1.patch \
		24	file://CVE-2022-23480-2.patch \
23	"	25	"
24		26
25	SRC_URI[sha256sum] = "db693401da95b71b4d4e4c99aeb569a546dbdbde343f6d3302b0c47653277abb"	27	SRC_URI[sha256sum] = "db693401da95b71b4d4e4c99aeb569a546dbdbde343f6d3302b0c47653277abb"