stream out of bounds seek in update_read_synchronize could lead out of bounds read later #6006

Closed
hac425xxx opened this issue Mar 31, 2020 · 1 comment

hac425xxx commented Mar 31, 2020

version

https://github.com/FreeRDP/FreeRDP/blob/9ef1e81c559bb19d613b4da2d68908ea5d7f9259/libfreerdp/core/update.c#L293

vuln code

static void update_read_synchronize(rdpUpdate* update, wStream* s)
{
	WINPR_UNUSED(update);
	Stream_Seek_UINT16(s); /* pad2Octets (2 bytes) */
	                       /**
	                        * The Synchronize Update is an artifact from the
	                        * T.128 protocol and should be ignored.
	                        */
}

The code just seeks the stream pointer without checking the stream's length; it could lead to _s->pointer - _s->buffer > _s->length.
Then the checks in other functions could fail, which could lead to an out-of-bounds read later.
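
The condition the report describes, as an added example that is not part of the original issue or FreeRDP's own code. `demo_stream` and the `demo_*` functions are hypothetical stand-ins, and the unsigned remaining-length calculation is an assumption about how a later check measures the bytes left.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical stand-in for a stream; not WinPR's wStream definition. */
typedef struct
{
	uint8_t* buffer;  /* start of the data */
	uint8_t* pointer; /* current read position */
	size_t length;    /* number of valid bytes at buffer */
} demo_stream;

/* Assumed unsigned remaining-length calculation: wraps once pointer passes length. */
static size_t demo_remaining(const demo_stream* s)
{
	return s->length - (size_t)(s->pointer - s->buffer);
}

/* Pattern from the issue: skip pad2Octets without looking at the length. */
static void demo_read_synchronize_unchecked(demo_stream* s) { s->pointer += 2; }

/* Checked variant: reject the PDU when fewer than 2 valid bytes remain. */
static bool demo_read_synchronize_checked(demo_stream* s)
{
	size_t used = (size_t)(s->pointer - s->buffer);
	if (used > s->length || s->length - used < 2)
		return false;
	s->pointer += 2;
	return true;
}

/* A later parser's guard before reading a 4-byte field. */
static bool demo_later_check_passes(const demo_stream* s) { return demo_remaining(s) >= 4; }

/* Constructed input: 8-byte backing store holding a truncated, 1-byte PDU. */
static uint8_t demo_backing[8];
static demo_stream demo_truncated(void)
{
	demo_stream s = { demo_backing, demo_backing, 1 };
	return s;
}

int main(void)
{
	demo_stream a = demo_truncated(), b = demo_truncated();
	demo_read_synchronize_unchecked(&a);
	printf("unchecked: remaining=%zu later_check=%d\n", demo_remaining(&a), demo_later_check_passes(&a));
	printf("checked: accepted=%d\n", demo_read_synchronize_checked(&b));
	return 0;
}
```

After the unchecked seek the remaining length wraps to a very large value, so the later 4-byte guard passes even though only one valid byte was ever present.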

@akallabeth akallabeth added this to the 2.0.0 milestone Mar 31, 2020
@hac425xxx hac425xxx changed the title from "stream out of bounds seek in update_read_synchronize could lead out of bounds read after" to "stream out of bounds seek in update_read_synchronize could lead out of bounds read later" Mar 31, 2020
@nfedera nfedera closed this as completed in ed53cd1 Apr 6, 2020
carnil commented May 8, 2020

CVE-2020-11046 was assigned for this issue.
