From a61009746f7bf2c9b08bab2367a93160ba838b0c Mon Sep 17 00:00:00 2001
From: Bojan Smojver
Date: Tue, 8 Feb 2022 11:48:01 +1100
Subject: [PATCH] Add patch for CVE-2022-23613.
---
 xrdp-0.9.18-cve-2022-23613.patch | 47 ++++++++++++++++++++++++++++++++
 xrdp.spec | 6 +++-
 2 files changed, 52 insertions(+), 1 deletion(-)
 create mode 100644 xrdp-0.9.18-cve-2022-23613.patch
diff --git a/xrdp-0.9.18-cve-2022-23613.patch b/xrdp-0.9.18-cve-2022-23613.patch
new file mode 100644
index 0000000..3dd3d3f
--- /dev/null
+++ b/xrdp-0.9.18-cve-2022-23613.patch
@@ -0,0 +1,47 @@
+From eb4a8e342dcf848ca716792763ca1904e913ca9d Mon Sep 17 00:00:00 2001
+From: matt335672 <30179339+matt335672@users.noreply.github.com>
+Date: Wed, 2 Feb 2022 10:39:50 +0000
+Subject: [PATCH] Add lower bound to sesman data input size check
+
+---
+ sesman/sesman.c | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+diff --git a/sesman/sesman.c b/sesman/sesman.c
+index a85769053..e2b057e6a 100644
+--- a/sesman/sesman.c
++++ b/sesman/sesman.c
+@@ -276,6 +276,7 @@ sesman_close_all(void)
+ static int
+ sesman_data_in(struct trans *self)
+ {
++#define HEADER_SIZE 8
+ int version;
+ int size;
+
+@@ -283,9 +284,9 @@ sesman_data_in(struct trans *self)
+ {
+ in_uint32_be(self->in_s, version);
+ in_uint32_be(self->in_s, size);
+- if (size > self->in_s->size)
++ if (size < HEADER_SIZE || size > self->in_s->size)
+ {
+- LOG(LOG_LEVEL_ERROR, "sesman_data_in: bad message size");
++ LOG(LOG_LEVEL_ERROR, "sesman_data_in: bad message size %d", size);
+ return 1;
+ }
+ self->header_size = size;
+@@ -302,11 +303,12 @@ sesman_data_in(struct trans *self)
+ return 1;
+ }
+ /* reset for next message */
+- self->header_size = 8;
++ self->header_size = HEADER_SIZE;
+ self->extra_flags = 0;
+ init_stream(self->in_s, 0); /* Reset input stream pointers */
+ }
+ return 0;
++#undef HEADER_SIZE
+ }
+
+/******************************************************************************/
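Review bot: `HEADER_SIZE` is introduced in `sesman_data_in` as an uncommented, function-local macro, so the reason the new lower bound is exactly 8 has to be inferred from the two `in_uint32_be` reads above the check. I would add `/* version (4 bytes) + size (4 bytes), already read when size is checked */` on the `#define`, and above the `if` a line such as `/* a declared size smaller than the header already read, or negative, is malformed */`. Because `size` is a signed `int`, a wire value above INT_MAX would normally arrive negative and be rejected by the same `size < HEADER_SIZE` arm; that is worth stating in the comment, since it is presumably the underflow case the CVE refers to. The `#define`/`#undef` pair inside the body works, but a file-scope constant would not depend on the `#undef` being kept in step. The function body between the three inner hunks is not visible here, so other uses of the literal 8 cannot be ruled out.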
diff --git a/xrdp.spec b/xrdp.spec index 60f4c6d..0222f06 100644 --- a/xrdp.spec +++ b/xrdp.spec @@ -17,7 +17,7 @@ Summary: Open source remote desktop protocol (RDP) server Name: xrdp Epoch: 1 Version: 0.9.18 -Release: 4%{?dist} +Release: 5%{?dist} License: ASL 2.0 and GPLv2+ and MIT URL: http://www.xrdp.org/ Source0: https://github.com/neutrinolabs/xrdp/releases/download/v%{version}/xrdp-%{version}.tar.gz @@ -39,6 +39,7 @@ Patch6: xrdp-0.9.18-vnc-uninit.patch Patch7: xrdp-0.9.15-sesman-ini.patch %endif Patch8: xrdp-0.9.18-imlib2.patch +Patch9: xrdp-0.9.18-cve-2022-23613.patch BuildRequires: make BuildRequires: gcc @@ -289,6 +290,9 @@ fi %{_datadir}/selinux/*/%{name}.pp %changelog +* Tue Feb 8 2022 Bojan Smojver - 1:0.9.18-5 +- Add patch for CVE-2022-23613 + * Sat Jan 22 2022 Fedora Release Engineering - 1:0.9.18-4 - Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild