From: matt335672 <30179339+matt335672@users.noreply.github.com>
Date: Wed, 2 Feb 2022 10:39:50 +0000
Subject: [PATCH] Add lower bound to sesman data input size check
Origin: upstream, https://github.com/neutrinolabs/xrdp/commit/4def30ab
---
sesman/sesman.c | 8 +++++---
1 file changed, 5 insertions(+), 3 deletions(-)
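diff --git a/sesman/sesman.c b/sesman/sesman.c
index a85769053..e2b057e6a 100644
--- a/sesman/sesman.c
+++ b/sesman/sesman.c
@@ -276,6 +276,7 @@ sesman_close_all(void)
 static int
 sesman_data_in(struct trans *self)
 {
+#define HEADER_SIZE 8
 int version;
 int size;
 
@@ -283,9 +284,9 @@ sesman_data_in(struct trans *self)
 {
 in_uint32_be(self->in_s, version);
 in_uint32_be(self->in_s, size);
- if (size > self->in_s->size)
+ if (size < HEADER_SIZE || size > self->in_s->size)
 {
- LOG(LOG_LEVEL_ERROR, "sesman_data_in: bad message size");
+ LOG(LOG_LEVEL_ERROR, "sesman_data_in: bad message size %d", size);
 return 1;
 }
 self->header_size = size;
@@ -302,11 +303,12 @@ sesman_data_in(struct trans *self)
 return 1;
 }
 /* reset for next message */
- self->header_size = 8;
+ self->header_size = HEADER_SIZE;
 self->extra_flags = 0;
 init_stream(self->in_s, 0); /* Reset input stream pointers */
 }
 return 0;
+#undef HEADER_SIZE
 }
 
 /******************************************************************************/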
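Review bot: The new lower bound in `if (size < HEADER_SIZE || size > self->in_s->size)` carries no comment saying why it exists, and it rejects oversized wire values only because `size` is declared `int`, so a 32-bit length with the top bit set presumably arrives negative once `in_uint32_be` has stored it. I would add above the check `/* size is peer-supplied and must cover at least the 8-byte header; reject short or negative values before it becomes header_size */`, so a later change of type or a dropped bound is recognised as a security regression. The function-local `#define HEADER_SIZE 8` / `#undef` pair would read better as a file-scope constant that the code setting the transport's initial `header_size` could share; that code is not visible here. The lines of `sesman_data_in` between the three hunks are not shown, so how `header_size` is consumed after the check is inferred.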