Gentoo's Bugzilla – Attachment 200458 Details for
Bug 255148
net-misc/xrdp arbitrary code execution (CVE-2008-{5902,5903,5904})
[patch]
0002-fix-some-buffer-overruns.patch
0002-fix-some-buffer-overruns.patch (text/plain), 5.27 KB, created by
Robert Buchholz (RETIRED)
on 2009-08-07 01:00:29 UTC
Description:
0002-fix-some-buffer-overruns.patch
Filename:
MIME Type:
Creator:
Robert Buchholz (RETIRED)
Created:
2009-08-07 01:00:29 UTC
Size:
5.27 KB
patch
obsolete
>From cffaf229d1efc404042dbde10da6b0101114b5ee Mon Sep 17 00:00:00 2001
>From: Jay Sorg <jsorg71@users.sourceforge.net>
>Date: Fri, 23 Jan 2009 06:43:00 +0000
>Subject: [PATCH 2/2] fix some buffer overruns
>
>---
> rdp/rdp_rdp.c | 45 +++++++++++++++++++++++++++++++++------------
> 1 files changed, 33 insertions(+), 12 deletions(-)
>
>diff --git a/rdp/rdp_rdp.c b/rdp/rdp_rdp.c
>index db8bb30..04f0da0 100644
>--- a/rdp/rdp_rdp.c
>+++ b/rdp/rdp_rdp.c
>@@ -395,7 +395,7 @@ rdp_rdp_send_confirm_active(struct rdp_rdp* self, struct stream* s)
>
> /******************************************************************************/
> /* Process a color pointer PDU */
>-static void APP_CC
>+static int APP_CC
> rdp_rdp_process_color_pointer_pdu(struct rdp_rdp* self, struct stream* s)
> {
> int cache_idx;
>@@ -404,6 +404,10 @@ rdp_rdp_process_color_pointer_pdu(struct rdp_rdp* self, struct stream* s)
> struct rdp_cursor* cursor;
>
> in_uint16_le(s, cache_idx);
>+ if (cache_idx >= sizeof(self->cursors) / sizeof(cursor))
>+ {
>+ return 1;
>+ }
> cursor = self->cursors + cache_idx;
> in_uint16_le(s, cursor->x);
> in_uint16_le(s, cursor->y);
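Review bot: The bound in the new `cache_idx` check divides by `sizeof(cursor)`, and `cursor` is declared `struct rdp_cursor*`, so the divisor is the size of a pointer rather than of an array element; if `self->cursors` is an array of structs (the `self->cursors + cache_idx` arithmetic suggests so, but its declaration is outside this hunk) the computed element count is larger than the real one and an out-of-range `cache_idx` still indexes past the array into the rest of `self`. The guard should be `if (cache_idx >= sizeof(self->cursors) / sizeof(self->cursors[0]))`, or an `ARRAY_SIZE`-style macro, which stays correct whatever the element type is. `cache_idx` is an `int` compared against a `size_t`; that is harmless because a 16-bit read cannot produce a negative value, but a short comment, `/* cache_idx is a 16-bit field, never negative */`, would pre-empt the sign-compare question. The body of rdp_rdp_process_color_pointer_pdu continues past the end of this hunk.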
>@@ -411,29 +415,39 @@ rdp_rdp_process_color_pointer_pdu(struct rdp_rdp* self, struct stream* s)
> in_uint16_le(s, cursor->height);
> in_uint16_le(s, mlen); /* mask length */
> in_uint16_le(s, dlen); /* data length */
>+ if ((mlen > sizeof(cursor->mask)) || (dlen > sizeof(cursor->data)))
>+ {
>+ return 1;
>+ }
> in_uint8a(s, cursor->data, dlen);
> in_uint8a(s, cursor->mask, mlen);
> self->mod->server_set_cursor(self->mod, cursor->x, cursor->y,
> cursor->data, cursor->mask);
>+ return 0;
> }
>
> /******************************************************************************/
> /* Process a cached pointer PDU */
>-static void APP_CC
>+static int APP_CC
> rdp_rdp_process_cached_pointer_pdu(struct rdp_rdp* self, struct stream* s)
> {
> int cache_idx;
> struct rdp_cursor* cursor;
>
> in_uint16_le(s, cache_idx);
>+ if (cache_idx >= sizeof(self->cursors) / sizeof(cursor))
>+ {
>+ return 1;
>+ }
> cursor = self->cursors + cache_idx;
> self->mod->server_set_cursor(self->mod, cursor->x, cursor->y,
> cursor->data, cursor->mask);
>+ return 0;
> }
>
> /******************************************************************************/
> /* Process a system pointer PDU */
>-static void APP_CC
>+static int APP_CC
> rdp_rdp_process_system_pointer_pdu(struct rdp_rdp* self, struct stream* s)
> {
> int system_pointer_type;
>@@ -452,17 +466,20 @@ rdp_rdp_process_system_pointer_pdu(struct rdp_rdp* self, struct stream* s)
> default:
> break;
> }
>+ return 0;
> }
>
> /******************************************************************************/
> /* Process a pointer PDU */
>-static void APP_CC
>+static int APP_CC
> rdp_rdp_process_pointer_pdu(struct rdp_rdp* self, struct stream* s)
> {
> int message_type;
> int x;
> int y;
>+ int rv;
>
>+ rv = 0;
> in_uint16_le(s, message_type);
> in_uint8s(s, 2); /* pad */
> switch (message_type)
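Review bot: The `sizeof(self->cursors) / sizeof(cursor)` bound added in rdp_rdp_process_cached_pointer_pdu has `cursor` as a `struct rdp_cursor*`, so it divides by the pointer size rather than the element size and under-rejects; it should read `if (cache_idx >= sizeof(self->cursors) / sizeof(self->cursors[0]))`. In the color-pointer path the `mlen`/`dlen` check sits after `cursor->x`, `->y`, `->width` and `->height` have already been stored into the cache slot, so a rejected PDU leaves that slot with new geometry but old pixel data; reading those four fields into locals and storing them only after the length check keeps the cache entry consistent. The new check bounds the destination buffers only: if `in_uint8a` does not itself verify that `s` still holds `dlen + mlen` bytes (its definition is not in this patch), a truncated PDU can still be read past the end of the stream, so a remaining-length check against `s` is worth confirming. This hunk opens inside rdp_rdp_process_color_pointer_pdu, whose start is in the previous hunk, and ends inside rdp_rdp_process_pointer_pdu, whose switch continues in the next one.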
>@@ -472,17 +489,18 @@ rdp_rdp_process_pointer_pdu(struct rdp_rdp* self, struct stream* s)
> in_uint16_le(s, y);
> break;
> case RDP_POINTER_COLOR:
>- rdp_rdp_process_color_pointer_pdu(self, s);
>+ rv = rdp_rdp_process_color_pointer_pdu(self, s);
> break;
> case RDP_POINTER_CACHED:
>- rdp_rdp_process_cached_pointer_pdu(self, s);
>+ rv = rdp_rdp_process_cached_pointer_pdu(self, s);
> break;
> case RDP_POINTER_SYSTEM:
>- rdp_rdp_process_system_pointer_pdu(self, s);
>+ rv = rdp_rdp_process_system_pointer_pdu(self, s);
> break;
> default:
> break;
> }
>+ return rv;
> }
>
> /******************************************************************************/
>@@ -615,7 +633,7 @@ rdp_rdp_process_palette(struct rdp_rdp* self, struct stream* s)
>
> /******************************************************************************/
> /* Process an update PDU */
>-static void APP_CC
>+static int APP_CC
> rdp_rdp_process_update_pdu(struct rdp_rdp* self, struct stream* s)
> {
> int update_type;
>@@ -643,6 +661,7 @@ rdp_rdp_process_update_pdu(struct rdp_rdp* self, struct stream* s)
> break;
> }
> self->mod->server_end_update(self->mod);
>+ return 0;
> }
>
>
>@@ -852,7 +871,9 @@ rdp_rdp_process_data_pdu(struct rdp_rdp* self, struct stream* s)
> int ctype;
> int clen;
> int len;
>+ int rv;
>
>+ rv = 0;
> in_uint8s(s, 6); /* shareid, pad, streamid */
> in_uint16_le(s, len);
> in_uint8(s, data_pdu_type);
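Review bot: rdp_rdp_process_update_pdu gains an `int` return type but ends in an unconditional `return 0` after its switch, so whatever the update sub-handlers it dispatches to do with a malformed update PDU (the switch body is outside this hunk) can never reach the `rv` that rdp_rdp_process_data_pdu now propagates for this case, unlike the pointer path which captures each handler's result. If those handlers are later given the same kind of bounds checks, the result should be carried the same way, `rv = rdp_rdp_process_palette(self, s);` in the relevant case and `return rv;` at the end, with `rv` initialised to 0 as the pointer handler does. A header comment stating the contract, `/* returns non-zero if the PDU is malformed and the connection should be dropped */`, would make the new return value's meaning visible to the next handler that is converted. This hunk's function starts outside the hunk.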
>@@ -862,26 +883,26 @@ rdp_rdp_process_data_pdu(struct rdp_rdp* self, struct stream* s)
> switch (data_pdu_type)
> {
> case RDP_DATA_PDU_UPDATE:
>- rdp_rdp_process_update_pdu(self, s);
>+ rv = rdp_rdp_process_update_pdu(self, s);
> break;
> case RDP_DATA_PDU_CONTROL:
> break;
> case RDP_DATA_PDU_SYNCHRONISE:
> break;
> case RDP_DATA_PDU_POINTER:
>- rdp_rdp_process_pointer_pdu(self, s);
>+ rv = rdp_rdp_process_pointer_pdu(self, s);
> break;
> case RDP_DATA_PDU_BELL:
> break;
> case RDP_DATA_PDU_LOGON:
> break;
> case RDP_DATA_PDU_DISCONNECT:
>- rdp_rdp_process_disconnect_pdu(self, s);
>+ rv = rdp_rdp_process_disconnect_pdu(self, s);
> break;
> default:
> break;
> }
>- return 0;
>+ return rv;
> }
>
> /******************************************************************************/
>--
>1.6.3.3
>
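Review bot: `rv = rdp_rdp_process_disconnect_pdu(self, s);` assigns the result of a function this patch does not touch, whereas the other two handlers assigned here were changed from `void` to `int` in earlier hunks; unless rdp_rdp_process_disconnect_pdu already returns `int` (its definition is not in the patch) this line will not compile, so that should be confirmed or the function converted in the same way. A non-zero `rv` is only protective if the caller of rdp_rdp_process_data_pdu treats it as fatal and tears the session down rather than continuing to parse `s` from wherever the rejected PDU left it; that caller is outside this patch and is worth checking, since the early `return 1` paths leave the stream positioned mid-PDU. A one-line comment above the function, `/* returns non-zero for a malformed PDU; the caller must drop the connection */`, would pin that expectation down for the callers.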