Fix "implicit declaration of function" errors

Fix multiple CVE issues
CVE-2022-39316, CVE-2022-39317: Add missing length checks in zgfx CVE-2022-39318: Fix division by zero in urbdrc channel CVE-2022-39319: Add missing length checks in urbdrc channel CVE-2022-39320: Ensure urb_create_iocompletion uses size_t CVE-2022-39347: Fix path validation in drive channel CVE-2022-41877: Add missing length check in drive channel Resolves: #2145140
2023-05-18 11:17:37 +00:00 · 2022-12-09 11:46:01 +01:00 · 2022-12-08 10:57:53 +01:00 · 2022-12-08 10:49:14 +01:00 · 2022-06-22 10:11:14 +02:00 · 2021-11-29 14:06:45 +01:00
24 changed files with 1186 additions and 141 deletions
--- a/.freerdp.metadata
+++ b/.freerdp.metadata
@ -0,0 +1 @@
+03ba0409951eaf50023cd4aac9bd49e443225a2f FreeRDP-2.4.1.tar.gz
--- a/.gitignore
+++ b/.gitignore
@ -50,3 +50,4 @@
 /FreeRDP-2.2.0.tar.gz
 /FreeRDP-2.3.2.tar.gz
 /FreeRDP-2.4.0.tar.gz
+/FreeRDP-2.4.1.tar.gz
--- a/Added-function-_wcsncmp.patch
+++ b/Added-function-_wcsncmp.patch
@ -0,0 +1,62 @@
+From e482b394efc371412ce659b731a9b1e1d73bdf0e Mon Sep 17 00:00:00 2001
+From: akallabeth <akallabeth@posteo.net>
+Date: Mon, 24 Oct 2022 10:42:56 +0200
+Subject: [PATCH] Added function _wcsncmp
+
+* Compare WCHAR strings up to n characters
+
+(cherry picked from commit 8178ed26a459356ece17414c6e871a7e0735a4ec)
+---
+ winpr/include/winpr/string.h |  2 ++
+ winpr/libwinpr/crt/string.c  | 15 ++++++++++++++-
+ 2 files changed, 16 insertions(+), 1 deletion(-)
+
+diff --git a/winpr/include/winpr/string.h b/winpr/include/winpr/string.h
+index 8ce83bc1d..3b907c444 100644
+--- a/winpr/include/winpr/string.h
+++ b/winpr/include/winpr/string.h
+@@ -57,6 +57,7 @@ extern "C"
+ 	WINPR_API int _strnicmp(const char* string1, const char* string2, size_t count);
+ 
+ 	WINPR_API int _wcscmp(const WCHAR* string1, const WCHAR* string2);
+	WINPR_API int _wcsncmp(const WCHAR* string1, const WCHAR* string2, size_t count);
+ 
+ 	WINPR_API size_t _wcslen(const WCHAR* str);
+ 	WINPR_API size_t _wcsnlen(const WCHAR* str, size_t maxNumberOfElements);
+@@ -70,6 +71,7 @@ extern "C"
+ #else
+ 
+ #define _wcscmp wcscmp
+#define _wcsncmp wcsncmp
+ #define _wcslen wcslen
+ #define _wcsnlen wcsnlen
+ #define _wcschr wcschr
+diff --git a/winpr/libwinpr/crt/string.c b/winpr/libwinpr/crt/string.c
+index 37fcb4b25..c25ffa279 100644
+--- a/winpr/libwinpr/crt/string.c
+++ b/winpr/libwinpr/crt/string.c
+@@ -90,7 +90,20 @@ int _wcscmp(const WCHAR* string1, const WCHAR* string2)
+ 
+ 	Data_Read_UINT16(string1, value1);
+ 	Data_Read_UINT16(string2, value2);
+-	return value1 - value2;
+	return (int)value1 - value2;
+}
+
+int _wcsncmp(const WCHAR* string1, const WCHAR* string2, size_t count)
+{
+	for (size_t x = 0; x < count; x++)
+	{
+		const WCHAR a = string1[x];
+		const WCHAR b = string2[x];
+
+		if (a != b)
+			return (int)a - b;
+	}
+	return 0;
+ }
+ 
+ /* _wcslen -> wcslen */
+-- 
+2.37.1
+
--- a/Added-missing-length-check-in-urb_control_transfer.patch
+++ b/Added-missing-length-check-in-urb_control_transfer.patch
@ -0,0 +1,29 @@
+From 8c513f127549433c830575202d1551b0e9dd182d Mon Sep 17 00:00:00 2001
+From: akallabeth <akallabeth@posteo.net>
+Date: Thu, 13 Oct 2022 09:00:48 +0200
+Subject: [PATCH] Added missing length check in urb_control_transfer
+
+(cherry picked from commit ce838e2477cb8173ea5e98f35ad55ff41ea5117d)
+---
+ channels/urbdrc/client/data_transfer.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/channels/urbdrc/client/data_transfer.c b/channels/urbdrc/client/data_transfer.c
+index 9a44e6e09..bb2784055 100644
+--- a/channels/urbdrc/client/data_transfer.c
+++ b/channels/urbdrc/client/data_transfer.c
+@@ -673,7 +673,11 @@ static UINT urb_control_transfer(IUDEVICE* pdev, URBDRC_CHANNEL_CALLBACK* callba
+ 	buffer = Stream_Pointer(out);
+ 
+ 	if (transferDir == USBD_TRANSFER_DIRECTION_OUT)
+	{
+		if (!Stream_CheckAndLogRequiredLength(TAG, s, OutputBufferSize))
+			return ERROR_INVALID_DATA;
+ 		Stream_Copy(s, out, OutputBufferSize);
+	}
+ 
+ 	/**  process TS_URB_CONTROL_TRANSFER */
+ 	if (!pdev->control_transfer(pdev, RequestId, EndpointAddress, TransferFlags, bmRequestType,
+-- 
+2.37.1
+
--- a/Added-missing-length-checks-in-zgfx_decompress_segme.patch
+++ b/Added-missing-length-checks-in-zgfx_decompress_segme.patch
@ -0,0 +1,51 @@
+From babbd1e433d273634637f5199429986714864033 Mon Sep 17 00:00:00 2001
+From: akallabeth <akallabeth@posteo.net>
+Date: Thu, 13 Oct 2022 09:09:28 +0200
+Subject: [PATCH] Added missing length checks in zgfx_decompress_segment
+
+(cherry picked from commit 64716b335858109d14f27b51acc4c4d71a92a816)
+---
+ libfreerdp/codec/zgfx.c | 11 +++++++----
+ 1 file changed, 7 insertions(+), 4 deletions(-)
+
+diff --git a/libfreerdp/codec/zgfx.c b/libfreerdp/codec/zgfx.c
+index 1a2878bd9..04ddeadb2 100644
+--- a/libfreerdp/codec/zgfx.c
+++ b/libfreerdp/codec/zgfx.c
+@@ -230,19 +230,19 @@ static BOOL zgfx_decompress_segment(ZGFX_CONTEXT* zgfx, wStream* stream, size_t
+ 	BYTE* pbSegment;
+ 	size_t cbSegment;
+ 
+-	if (!zgfx || !stream)
+	if (!zgfx || !stream || (segmentSize < 2))
+ 		return FALSE;
+ 
+ 	cbSegment = segmentSize - 1;
+ 
+-	if ((Stream_GetRemainingLength(stream) < segmentSize) || (segmentSize < 1) ||
+-	    (segmentSize > UINT32_MAX))
+	if ((Stream_GetRemainingLength(stream) < segmentSize) || (segmentSize > UINT32_MAX))
+ 		return FALSE;
+ 
+ 	Stream_Read_UINT8(stream, flags); /* header (1 byte) */
+ 	zgfx->OutputCount = 0;
+ 	pbSegment = Stream_Pointer(stream);
+-	Stream_Seek(stream, cbSegment);
+	if (!Stream_SafeSeek(stream, cbSegment))
+		return FALSE;
+ 
+ 	if (!(flags & PACKET_COMPRESSED))
+ 	{
+@@ -346,6 +346,9 @@ static BOOL zgfx_decompress_segment(ZGFX_CONTEXT* zgfx, wStream* stream, size_t
+ 						if (count > sizeof(zgfx->OutputBuffer) - zgfx->OutputCount)
+ 							return FALSE;
+ 
+						if (count > zgfx->cBitsRemaining / 8)
+							return FALSE;
+
+ 						CopyMemory(&(zgfx->OutputBuffer[zgfx->OutputCount]), zgfx->pbInputCurrent,
+ 						           count);
+ 						zgfx_history_buffer_ring_write(zgfx, zgfx->pbInputCurrent, count);
+-- 
+2.37.1
+
--- a/Ensure-urb_create_iocompletion-uses-size_t-for-calcu.patch
+++ b/Ensure-urb_create_iocompletion-uses-size_t-for-calcu.patch
@ -0,0 +1,32 @@
+From b3a695e9f38a42f1ef0cade0d5e1fe60cf68864e Mon Sep 17 00:00:00 2001
+From: akallabeth <akallabeth@posteo.net>
+Date: Thu, 13 Oct 2022 08:36:26 +0200
+Subject: [PATCH] Ensure urb_create_iocompletion uses size_t for calculation
+
+(cherry picked from commit de7e0f062ee53d00b4a966a43855a716e3478150)
+---
+ channels/urbdrc/client/data_transfer.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/channels/urbdrc/client/data_transfer.c b/channels/urbdrc/client/data_transfer.c
+index 80e84af48..8642c8506 100644
+--- a/channels/urbdrc/client/data_transfer.c
+++ b/channels/urbdrc/client/data_transfer.c
+@@ -97,7 +97,13 @@ static wStream* urb_create_iocompletion(UINT32 InterfaceField, UINT32 MessageId,
+                                         UINT32 OutputBufferSize)
+ {
+ 	const UINT32 InterfaceId = (STREAM_ID_PROXY << 30) | (InterfaceField & 0x3FFFFFFF);
+-	wStream* out = Stream_New(NULL, OutputBufferSize + 28);
+
+#if UINT32_MAX >= SIZE_MAX
+	if (OutputBufferSize > UINT32_MAX - 28ull)
+		return NULL;
+#endif
+
+	wStream* out = Stream_New(NULL, OutputBufferSize + 28ull);
+ 
+ 	if (!out)
+ 		return NULL;
+-- 
+2.37.1
+
--- a/Fix-FIPS-mode-support-and-build-with-OpenSSL-3.0.patch
+++ b/Fix-FIPS-mode-support-and-build-with-OpenSSL-3.0.patch
@ -1,41 +0,0 @@
-From df5d2572497f4cd7ab15144dbab99d0e01495127 Mon Sep 17 00:00:00 2001
-From: Ondrej Holy <oholy@redhat.com>
-Date: Wed, 12 May 2021 12:48:15 +0200
-Subject: [PATCH] Fix FIPS mode support and build with OpenSSL 3.0
-
-FreeRDP fails to build with OpenSSL 3.0 because of usage of the `FIPS_mode`
-and `FIPS_mode_set` functions, which were removed there. Just a note that
-the FIPS mode is not supported by OpenSSL 1.1.* although the mentioned
-functions are still there (see https://wiki.openssl.org/index.php/FIPS_modules).
-Let's make FreeRDP build with OpenSSL 3.0 and fix the FIPS mode support.
-
-See: https://bugzilla.redhat.com/show_bug.cgi?id=1952937
---
- winpr/libwinpr/utils/ssl.c | 8 ++++++++
- 1 file changed, 8 insertions(+)
-
-diff --git a/winpr/libwinpr/utils/ssl.c b/winpr/libwinpr/utils/ssl.c
-index 3a8590390..03b23af43 100644
--- a/winpr/libwinpr/utils/ssl.c
-+++ b/winpr/libwinpr/utils/ssl.c
-@@ -244,9 +244,17 @@ static BOOL winpr_enable_fips(DWORD flags)
- #else
- 		WLog_DBG(TAG, "Ensuring openssl fips mode is ENabled");
- 
-+#if defined(OPENSSL_VERSION_MAJOR) && (OPENSSL_VERSION_MAJOR >= 3)
-+		if (!EVP_default_properties_is_fips_enabled(NULL))
-+#else
- 		if (FIPS_mode() != 1)
-+#endif
- 		{
-+#if defined(OPENSSL_VERSION_MAJOR) && (OPENSSL_VERSION_MAJOR >= 3)
-+			if (EVP_set_default_properties(NULL, "fips=yes"))
-+#else
- 			if (FIPS_mode_set(1))
-+#endif
- 				WLog_INFO(TAG, "Openssl fips mode ENabled!");
- 			else
- 			{
-- 
-2.31.1
-
--- a/Fix-length-checks-in-parallel-driver.patch
+++ b/Fix-length-checks-in-parallel-driver.patch
@ -0,0 +1,37 @@
+From 64544c7f4ed72b3023955ebe6ad3b118ebb8d6c7 Mon Sep 17 00:00:00 2001
+From: akallabeth <akallabeth@posteo.net>
+Date: Thu, 6 Oct 2022 09:12:40 +0200
+Subject: [PATCH] Fix length checks in parallel driver
+
+The length requested was not checked against the length read from
+the port.
+
+(cherry picked from commit 094cc5a4596c299595b732effd59ee149181fd61)
+---
+ channels/parallel/client/parallel_main.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/channels/parallel/client/parallel_main.c b/channels/parallel/client/parallel_main.c
+index af3e82703..993605a65 100644
+--- a/channels/parallel/client/parallel_main.c
+++ b/channels/parallel/client/parallel_main.c
+@@ -159,7 +159,7 @@ static UINT parallel_process_irp_read(PARALLEL_DEVICE* parallel, IRP* irp)
+ 		return ERROR_INVALID_DATA;
+ 	Stream_Read_UINT32(irp->input, Length);
+ 	Stream_Read_UINT64(irp->input, Offset);
+-	buffer = (BYTE*)malloc(Length);
+	buffer = (BYTE*)calloc(Length, sizeof(BYTE));
+ 
+ 	if (!buffer)
+ 	{
+@@ -178,6 +178,7 @@ static UINT parallel_process_irp_read(PARALLEL_DEVICE* parallel, IRP* irp)
+ 	}
+ 	else
+ 	{
+		Length = status;
+ 	}
+ 
+ 	Stream_Write_UINT32(irp->output, Length);
+-- 
+2.37.1
+
--- a/Fixed-7436-Datatype-mismatch-to-crypto_base64_decode.patch
+++ b/Fixed-7436-Datatype-mismatch-to-crypto_base64_decode.patch
@ -0,0 +1,25 @@
+From 2ddb22f7a453f3429b3246ca8ffa1ff2c31fe71d Mon Sep 17 00:00:00 2001
+From: akallabeth <akallabeth@posteo.net>
+Date: Fri, 12 Nov 2021 11:24:38 +0100
+Subject: [PATCH] Fixed #7436: Datatype mismatch to crypto_base64_decode
+
+---
+ libfreerdp/core/gateway/rdg.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/libfreerdp/core/gateway/rdg.c b/libfreerdp/core/gateway/rdg.c
+index 72019ede8..44de2c137 100644
+--- a/libfreerdp/core/gateway/rdg.c
+++ b/libfreerdp/core/gateway/rdg.c
+@@ -1190,7 +1190,7 @@ static BOOL rdg_handle_ntlm_challenge(rdpNtlm* ntlm, HttpResponse* response)
+ 	BOOL continueNeeded = FALSE;
+ 	size_t len;
+ 	const char* token64 = NULL;
+-	size_t ntlmTokenLength = 0;
+	int ntlmTokenLength = 0;
+ 	BYTE* ntlmTokenData = NULL;
+ 	long StatusCode;
+ 
+-- 
+2.33.1
+
--- a/Fixed-7436-Datatype-mismatch.patch
+++ b/Fixed-7436-Datatype-mismatch.patch
@ -0,0 +1,34 @@
+From 403402607214092d20277af3aa959ce87768580a Mon Sep 17 00:00:00 2001
+From: akallabeth <akallabeth@posteo.net>
+Date: Fri, 12 Nov 2021 16:01:39 +0100
+Subject: [PATCH] Fixed #7436: Datatype mismatch
+
+---
+ libfreerdp/core/gateway/ncacn_http.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/libfreerdp/core/gateway/ncacn_http.c b/libfreerdp/core/gateway/ncacn_http.c
+index f288a0f3c..75da83d62 100644
+--- a/libfreerdp/core/gateway/ncacn_http.c
+++ b/libfreerdp/core/gateway/ncacn_http.c
+@@ -105,7 +105,7 @@ BOOL rpc_ncacn_http_send_in_channel_request(RpcChannel* inChannel)
+ BOOL rpc_ncacn_http_recv_in_channel_response(RpcChannel* inChannel, HttpResponse* response)
+ {
+ 	const char* token64 = NULL;
+-	size_t ntlmTokenLength = 0;
+	int ntlmTokenLength = 0;
+ 	BYTE* ntlmTokenData = NULL;
+ 	rdpNtlm* ntlm;
+ 
+@@ -259,7 +259,7 @@ BOOL rpc_ncacn_http_send_out_channel_request(RpcChannel* outChannel, BOOL replac
+ BOOL rpc_ncacn_http_recv_out_channel_response(RpcChannel* outChannel, HttpResponse* response)
+ {
+ 	const char* token64 = NULL;
+-	size_t ntlmTokenLength = 0;
+	int ntlmTokenLength = 0;
+ 	BYTE* ntlmTokenData = NULL;
+ 	rdpNtlm* ntlm;
+ 
+-- 
+2.33.1
+
--- a/Fixed-division-by-zero-in-urbdrc.patch
+++ b/Fixed-division-by-zero-in-urbdrc.patch
@ -0,0 +1,39 @@
+From b9c5e3668c4022b34734ac8ccb07dd044d4ff38c Mon Sep 17 00:00:00 2001
+From: akallabeth <akallabeth@posteo.net>
+Date: Thu, 13 Oct 2022 08:27:41 +0200
+Subject: [PATCH] Fixed division by zero in urbdrc
+
+(cherry picked from commit 731f8419d04b481d7160de1f34062d630ed48765)
+---
+ channels/urbdrc/client/libusb/libusb_udevice.c | 12 +++++++++---
+ 1 file changed, 9 insertions(+), 3 deletions(-)
+
+diff --git a/channels/urbdrc/client/libusb/libusb_udevice.c b/channels/urbdrc/client/libusb/libusb_udevice.c
+index aa69890ae..5784d9fe2 100644
+--- a/channels/urbdrc/client/libusb/libusb_udevice.c
+++ b/channels/urbdrc/client/libusb/libusb_udevice.c
+@@ -1214,12 +1214,18 @@ static int libusb_udev_isoch_transfer(IUDEVICE* idev, URBDRC_CHANNEL_CALLBACK* c
+ 	if (!Buffer)
+ 		Stream_Seek(user_data->data, (NumberOfPackets * 12));
+ 
+-	iso_packet_size = BufferSize / NumberOfPackets;
+-	iso_transfer = libusb_alloc_transfer(NumberOfPackets);
+	if (NumberOfPackets > 0)
+	{
+		iso_packet_size = BufferSize / NumberOfPackets;
+		iso_transfer = libusb_alloc_transfer((int)NumberOfPackets);
+	}
+ 
+ 	if (iso_transfer == NULL)
+ 	{
+-		WLog_Print(urbdrc->log, WLOG_ERROR, "Error: libusb_alloc_transfer.");
+		WLog_Print(urbdrc->log, WLOG_ERROR,
+		           "Error: libusb_alloc_transfer [NumberOfPackets=%" PRIu32 ", BufferSize=%" PRIu32
+		           " ]",
+		           NumberOfPackets, BufferSize);
+ 		async_transfer_user_data_free(user_data);
+ 		return -1;
+ 	}
+-- 
+2.37.1
+
--- a/Fixed-format-string-for-Stream_CheckAndLogRequiredLe.patch
+++ b/Fixed-format-string-for-Stream_CheckAndLogRequiredLe.patch
@ -0,0 +1,122 @@
+From 6ed2f7d1a379f69cca102e8166d20eb5ed38652b Mon Sep 17 00:00:00 2001
+From: akallabeth <akallabeth@posteo.net>
+Date: Fri, 22 Apr 2022 16:27:21 +0200
+Subject: [PATCH] Fixed format string for Stream_CheckAndLogRequiredLength
+
+__LINE__ requires %d and not %PRIuz
+
+(cherry picked from commit 74c1a006e940308b0653427d25a87ea5a24cb573)
+---
+ winpr/include/winpr/stream.h  | 14 ++++++++
+ winpr/libwinpr/utils/stream.c | 65 +++++++++++++++++++++++++++++++++++
+ 2 files changed, 79 insertions(+)
+
+diff --git a/winpr/include/winpr/stream.h b/winpr/include/winpr/stream.h
+index f351eaa15..ed637f034 100644
+--- a/winpr/include/winpr/stream.h
+++ b/winpr/include/winpr/stream.h
+@@ -27,6 +27,8 @@
+ #include <winpr/wtypes.h>
+ #include <winpr/endian.h>
+ #include <winpr/synch.h>
+#include <winpr/wlog.h>
+#include <winpr/debug.h>
+ 
+ #ifdef __cplusplus
+ extern "C"
+@@ -56,6 +57,19 @@ extern "C"
+ 	WINPR_API void Stream_StaticInit(wStream* s, BYTE* buffer, size_t size);
+ 	WINPR_API void Stream_Free(wStream* s, BOOL bFreeBuffer);
+ 
+#define Stream_CheckAndLogRequiredLength(tag, s, len)                                     \
+	Stream_CheckAndLogRequiredLengthEx(tag, WLOG_WARN, s, len, "%s(%s:%d)", __FUNCTION__, \
+	                                   __FILE__, __LINE__)
+	WINPR_API BOOL Stream_CheckAndLogRequiredLengthEx(const char* tag, DWORD level, wStream* s,
+	                                                  UINT64 len, const char* fmt, ...);
+	WINPR_API BOOL Stream_CheckAndLogRequiredLengthExVa(const char* tag, DWORD level, wStream* s,
+	                                                    UINT64 len, const char* fmt, va_list args);
+	WINPR_API BOOL Stream_CheckAndLogRequiredLengthWLogEx(wLog* log, DWORD level, wStream* s,
+	                                                      UINT64 len, const char* fmt, ...);
+	WINPR_API BOOL Stream_CheckAndLogRequiredLengthWLogExVa(wLog* log, DWORD level, wStream* s,
+	                                                        UINT64 len, const char* fmt,
+	                                                        va_list args);
+
+ 	static INLINE void Stream_Seek(wStream* s, size_t _offset)
+ 	{
+ 		s->pointer += (_offset);
+diff --git a/winpr/libwinpr/utils/stream.c b/winpr/libwinpr/utils/stream.c
+index 1271981b7..cc119c771 100644
+--- a/winpr/libwinpr/utils/stream.c
+++ b/winpr/libwinpr/utils/stream.c
+@@ -132,3 +132,68 @@ void Stream_Free(wStream* s, BOOL bFreeBuffer)
+ 			free(s);
+ 	}
+ }
+
+BOOL Stream_CheckAndLogRequiredLengthEx(const char* tag, DWORD level, wStream* s, UINT64 len,
+                                        const char* fmt, ...)
+{
+	const size_t actual = Stream_GetRemainingLength(s);
+
+	if (actual < len)
+	{
+		va_list args;
+
+		va_start(args, fmt);
+		Stream_CheckAndLogRequiredLengthExVa(tag, level, s, len, fmt, args);
+		va_end(args);
+
+		return FALSE;
+	}
+	return TRUE;
+}
+
+BOOL Stream_CheckAndLogRequiredLengthExVa(const char* tag, DWORD level, wStream* s, UINT64 len,
+                                          const char* fmt, va_list args)
+{
+	const size_t actual = Stream_GetRemainingLength(s);
+
+	if (actual < len)
+		return Stream_CheckAndLogRequiredLengthWLogExVa(WLog_Get(tag), level, s, len, fmt, args);
+	return TRUE;
+}
+
+BOOL Stream_CheckAndLogRequiredLengthWLogEx(wLog* log, DWORD level, wStream* s, UINT64 len,
+                                            const char* fmt, ...)
+{
+	const size_t actual = Stream_GetRemainingLength(s);
+
+	if (actual < len)
+	{
+		va_list args;
+
+		va_start(args, fmt);
+		Stream_CheckAndLogRequiredLengthWLogExVa(log, level, s, len, fmt, args);
+		va_end(args);
+
+		return FALSE;
+	}
+	return TRUE;
+}
+
+BOOL Stream_CheckAndLogRequiredLengthWLogExVa(wLog* log, DWORD level, wStream* s, UINT64 len,
+                                              const char* fmt, va_list args)
+{
+	const size_t actual = Stream_GetRemainingLength(s);
+
+	if (actual < len)
+	{
+		char prefix[1024] = { 0 };
+
+		vsnprintf(prefix, sizeof(prefix), fmt, args);
+
+		WLog_Print(log, level, "[%s] invalid length, got %" PRIuz ", require at least %" PRIu64,
+		           prefix, actual, len);
+		winpr_log_backtrace_ex(log, level, 20);
+		return FALSE;
+	}
+	return TRUE;
+}
+-- 
+2.38.1
+
--- a/Fixed-missing-input-buffer-length-check-in-urbdrc.patch
+++ b/Fixed-missing-input-buffer-length-check-in-urbdrc.patch
@ -0,0 +1,58 @@
+From ddf9b3f852c31311f8d726012131f657c9857276 Mon Sep 17 00:00:00 2001
+From: akallabeth <akallabeth@posteo.net>
+Date: Thu, 13 Oct 2022 08:47:51 +0200
+Subject: [PATCH] Fixed missing input buffer length check in urbdrc
+
+(cherry picked from commit 497df00f741dd4fc89292aaef2db7368aee45d0d)
+---
+ channels/urbdrc/client/data_transfer.c | 20 ++++++++++++++++++++
+ 1 file changed, 20 insertions(+)
+
+diff --git a/channels/urbdrc/client/data_transfer.c b/channels/urbdrc/client/data_transfer.c
+index bb2784055..80e84af48 100644
+--- a/channels/urbdrc/client/data_transfer.c
+++ b/channels/urbdrc/client/data_transfer.c
+@@ -241,6 +241,10 @@ static UINT urbdrc_process_io_control(IUDEVICE* pdev, URBDRC_CHANNEL_CALLBACK* c
+ 
+ 	Stream_Read_UINT32(s, OutputBufferSize);
+ 	Stream_Read_UINT32(s, RequestId);
+
+	if (OutputBufferSize > UINT32_MAX - 4)
+		return ERROR_INVALID_DATA;
+
+ 	InterfaceId = ((STREAM_ID_PROXY << 30) | pdev->get_ReqCompletion(pdev));
+ 	out = urb_create_iocompletion(InterfaceId, MessageId, RequestId, OutputBufferSize + 4);
+ 
+@@ -724,6 +728,15 @@ static UINT urb_bulk_or_interrupt_transfer(IUDEVICE* pdev, URBDRC_CHANNEL_CALLBA
+ 	Stream_Read_UINT32(s, TransferFlags); /** TransferFlags */
+ 	Stream_Read_UINT32(s, OutputBufferSize);
+ 	EndpointAddress = (PipeHandle & 0x000000ff);
+
+	if (transferDir == USBD_TRANSFER_DIRECTION_OUT)
+	{
+		if (!Stream_CheckAndLogRequiredLength(TAG, s, OutputBufferSize))
+		{
+			return ERROR_INVALID_DATA;
+		}
+	}
+
+ 	/**  process TS_URB_BULK_OR_INTERRUPT_TRANSFER */
+ 	return pdev->bulk_or_interrupt_transfer(
+ 	    pdev, callback, MessageId, RequestId, EndpointAddress, TransferFlags, noAck,
+@@ -808,6 +821,13 @@ static UINT urb_isoch_transfer(IUDEVICE* pdev, URBDRC_CHANNEL_CALLBACK* callback
+ 	packetDescriptorData = Stream_Pointer(s);
+ 	Stream_Seek(s, NumberOfPackets * 12);
+ 	Stream_Read_UINT32(s, OutputBufferSize);
+
+	if (transferDir == USBD_TRANSFER_DIRECTION_OUT)
+	{
+		if (!Stream_CheckAndLogRequiredLength(TAG, s, OutputBufferSize))
+			return ERROR_INVALID_DATA;
+	}
+
+ 	return pdev->isoch_transfer(
+ 	    pdev, callback, MessageId, RequestId, EndpointAddress, TransferFlags, StartFrame,
+ 	    ErrorCount, noAck, packetDescriptorData, NumberOfPackets, OutputBufferSize,
+-- 
+2.37.1
+
--- a/Fixed-missing-length-check-in-video-channel.patch
+++ b/Fixed-missing-length-check-in-video-channel.patch
@ -0,0 +1,29 @@
+From bf28ea249de57acc6dfadbd778afef2093c1c283 Mon Sep 17 00:00:00 2001
+From: akallabeth <akallabeth@posteo.net>
+Date: Thu, 6 Oct 2022 09:15:40 +0200
+Subject: [PATCH] Fixed missing length check in video channel
+
+Data received in video redirection channel was not checked for
+proper length.
+
+(cherry picked from commit eeffd1050e9284d1464b58e049b2b4d88726632b)
+---
+ channels/video/client/video_main.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/channels/video/client/video_main.c b/channels/video/client/video_main.c
+index a21e7cdf2..a8031fc86 100644
+--- a/channels/video/client/video_main.c
+++ b/channels/video/client/video_main.c
+@@ -930,6 +930,8 @@ static UINT video_data_on_data_received(IWTSVirtualChannelCallback* pChannelCall
+ 	Stream_Read_UINT16(s, data.PacketsInSample);
+ 	Stream_Read_UINT32(s, data.SampleNumber);
+ 	Stream_Read_UINT32(s, data.cbSample);
+	if (!Stream_CheckAndLogRequiredLength(TAG, s, data.cbSample))
+		return ERROR_INVALID_DATA;
+ 	data.pSample = Stream_Pointer(s);
+ 
+ 	/*
+-- 
+2.37.1
+
--- a/Fixed-missing-stream-length-check-in-drive_file_quer.patch
+++ b/Fixed-missing-stream-length-check-in-drive_file_quer.patch
@ -0,0 +1,28 @@
+From 80b2483373c00baec3a26b1d82027f16dfdd8859 Mon Sep 17 00:00:00 2001
+From: akallabeth <akallabeth@posteo.net>
+Date: Mon, 24 Oct 2022 08:45:05 +0200
+Subject: [PATCH] Fixed missing stream length check in
+ drive_file_query_directory
+
+(cherry picked from commit 4e4bb79795d6ac85473fb7a83e53ccf63d204b93)
+---
+ channels/drive/client/drive_main.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/channels/drive/client/drive_main.c b/channels/drive/client/drive_main.c
+index d3776381c..b6cf2ad32 100644
+--- a/channels/drive/client/drive_main.c
+++ b/channels/drive/client/drive_main.c
+@@ -629,6 +629,9 @@ static UINT drive_process_irp_query_directory(DRIVE_DEVICE* drive, IRP* irp)
+ 	Stream_Read_UINT32(irp->input, PathLength);
+ 	Stream_Seek(irp->input, 23); /* Padding */
+ 	path = (WCHAR*)Stream_Pointer(irp->input);
+	if (!Stream_CheckAndLogRequiredLength(TAG, irp->input, PathLength))
+		return ERROR_INVALID_DATA;
+
+ 	file = drive_get_file_by_id(drive, irp->FileId);
+ 
+ 	if (file == NULL)
+-- 
+2.37.1
+
--- a/Fixed-path-validation-in-drive-channel.patch
+++ b/Fixed-path-validation-in-drive-channel.patch
@ -0,0 +1,296 @@
+From 865ba07a0fd4fbc7a8203482411aacca3bbfbb9f Mon Sep 17 00:00:00 2001
+From: akallabeth <akallabeth@posteo.net>
+Date: Mon, 24 Oct 2022 10:41:55 +0200
+Subject: [PATCH] Fixed path validation in drive channel
+
+Check that canonical path is a subpath of the shared directory
+
+(cherry picked from commit 844c94e6d0438fa7bd8ff8d5513c3f69c3018b85)
+---
+ channels/drive/client/drive_file.c | 106 ++++++++++++++++++-----------
+ channels/drive/client/drive_file.h |   8 +--
+ channels/drive/client/drive_main.c |   8 +--
+ 3 files changed, 73 insertions(+), 49 deletions(-)
+
+diff --git a/channels/drive/client/drive_file.c b/channels/drive/client/drive_file.c
+index 305438593..1ea4ab9da 100644
+--- a/channels/drive/client/drive_file.c
+++ b/channels/drive/client/drive_file.c
+@@ -34,6 +34,7 @@
+ #include <stdlib.h>
+ #include <string.h>
+ #include <time.h>
+#include <assert.h>
+ 
+ #include <winpr/wtypes.h>
+ #include <winpr/crt.h>
+@@ -61,10 +62,14 @@
+ 	} while (0)
+ #endif
+ 
+-static void drive_file_fix_path(WCHAR* path)
+static BOOL drive_file_fix_path(WCHAR* path, size_t length)
+ {
+ 	size_t i;
+-	size_t length = _wcslen(path);
+
+	if ((length == 0) || (length > UINT32_MAX))
+		return FALSE;
+
+	assert(path);
+ 
+ 	for (i = 0; i < length; i++)
+ 	{
+@@ -75,58 +79,82 @@ static void drive_file_fix_path(WCHAR* path)
+ #ifdef WIN32
+ 
+ 	if ((length == 3) && (path[1] == L':') && (path[2] == L'/'))
+-		return;
+		return FALSE;
+ 
+ #else
+ 
+ 	if ((length == 1) && (path[0] == L'/'))
+-		return;
+		return FALSE;
+ 
+ #endif
+ 
+ 	if ((length > 0) && (path[length - 1] == L'/'))
+ 		path[length - 1] = L'\0';
+
+	return TRUE;
+ }
+ 
+ static WCHAR* drive_file_combine_fullpath(const WCHAR* base_path, const WCHAR* path,
+-                                          size_t PathLength)
+                                          size_t PathWCharLength)
+ {
+-	WCHAR* fullpath;
+-	size_t base_path_length;
+	BOOL ok = FALSE;
+	WCHAR* fullpath = NULL;
+	size_t length;
+ 
+-	if (!base_path || (!path && (PathLength > 0)))
+-		return NULL;
+	if (!base_path || (!path && (PathWCharLength > 0)))
+		goto fail;
+ 
+-	base_path_length = _wcslen(base_path) * 2;
+-	fullpath = (WCHAR*)calloc(1, base_path_length + PathLength + sizeof(WCHAR));
+	const size_t base_path_length = _wcsnlen(base_path, MAX_PATH);
+	length = base_path_length + PathWCharLength + 1;
+	fullpath = (WCHAR*)calloc(length, sizeof(WCHAR));
+ 
+ 	if (!fullpath)
+		goto fail;
+
+	CopyMemory(fullpath, base_path, base_path_length * sizeof(WCHAR));
+	if (path)
+		CopyMemory(&fullpath[base_path_length], path, PathWCharLength * sizeof(WCHAR));
+
+	if (!drive_file_fix_path(fullpath, length))
+		goto fail;
+
+	/* Ensure the path does not contain sequences like '..' */
+	const WCHAR dotdot[] = { '.', '.', '\0' };
+	if (_wcsstr(&fullpath[base_path_length], dotdot))
+ 	{
+-		WLog_ERR(TAG, "malloc failed!");
+-		return NULL;
+		char abuffer[MAX_PATH] = { 0 };
+		ConvertFromUnicode(CP_UTF8, 0, &fullpath[base_path_length], -1, (char**)&abuffer,
+		                   ARRAYSIZE(abuffer) - 1, NULL, NULL);
+
+		WLog_WARN(TAG, "[rdpdr] received invalid file path '%s' from server, aborting!",
+		          &abuffer[base_path_length]);
+		goto fail;
+ 	}
+ 
+-	CopyMemory(fullpath, base_path, base_path_length);
+-	if (path)
+-		CopyMemory((char*)fullpath + base_path_length, path, PathLength);
+-	drive_file_fix_path(fullpath);
+	ok = TRUE;
+fail:
+	if (!ok)
+	{
+		free(fullpath);
+		fullpath = NULL;
+	}
+ 	return fullpath;
+ }
+ 
+ static BOOL drive_file_remove_dir(const WCHAR* path)
+ {
+-	WIN32_FIND_DATAW findFileData;
+	WIN32_FIND_DATAW findFileData = { 0 };
+ 	BOOL ret = TRUE;
+-	HANDLE dir;
+-	WCHAR* fullpath;
+-	WCHAR* path_slash;
+-	size_t base_path_length;
+	HANDLE dir = INVALID_HANDLE_VALUE;
+	WCHAR* fullpath = NULL;
+	WCHAR* path_slash = NULL;
+	size_t base_path_length = 0;
+ 
+ 	if (!path)
+ 		return FALSE;
+ 
+-	base_path_length = _wcslen(path) * 2;
+-	path_slash = (WCHAR*)calloc(1, base_path_length + sizeof(WCHAR) * 3);
+	base_path_length = _wcslen(path);
+	path_slash = (WCHAR*)calloc(base_path_length + 3, sizeof(WCHAR));
+ 
+ 	if (!path_slash)
+ 	{
+@@ -134,12 +162,11 @@ static BOOL drive_file_remove_dir(const WCHAR* path)
+ 		return FALSE;
+ 	}
+ 
+-	CopyMemory(path_slash, path, base_path_length);
+-	path_slash[base_path_length / 2] = L'/';
+-	path_slash[base_path_length / 2 + 1] = L'*';
+	CopyMemory(path_slash, path, base_path_length * sizeof(WCHAR));
+	path_slash[base_path_length] = L'/';
+	path_slash[base_path_length + 1] = L'*';
+ 	DEBUG_WSTR("Search in %s", path_slash);
+ 	dir = FindFirstFileW(path_slash, &findFileData);
+-	path_slash[base_path_length / 2 + 1] = 0;
+ 
+ 	if (dir == INVALID_HANDLE_VALUE)
+ 	{
+@@ -149,7 +176,7 @@ static BOOL drive_file_remove_dir(const WCHAR* path)
+ 
+ 	do
+ 	{
+-		size_t len = _wcslen(findFileData.cFileName);
+		const size_t len = _wcsnlen(findFileData.cFileName, ARRAYSIZE(findFileData.cFileName));
+ 
+ 		if ((len == 1 && findFileData.cFileName[0] == L'.') ||
+ 		    (len == 2 && findFileData.cFileName[0] == L'.' && findFileData.cFileName[1] == L'.'))
+@@ -157,7 +184,7 @@ static BOOL drive_file_remove_dir(const WCHAR* path)
+ 			continue;
+ 		}
+ 
+-		fullpath = drive_file_combine_fullpath(path_slash, findFileData.cFileName, len * 2);
+		fullpath = drive_file_combine_fullpath(path_slash, findFileData.cFileName, len);
+ 		DEBUG_WSTR("Delete %s", fullpath);
+ 
+ 		if (findFileData.dwFileAttributes & FILE_ATTRIBUTE_DIRECTORY)
+@@ -333,13 +360,13 @@ static BOOL drive_file_init(DRIVE_FILE* file)
+ 	return file->file_handle != INVALID_HANDLE_VALUE;
+ }
+ 
+-DRIVE_FILE* drive_file_new(const WCHAR* base_path, const WCHAR* path, UINT32 PathLength, UINT32 id,
+-                           UINT32 DesiredAccess, UINT32 CreateDisposition, UINT32 CreateOptions,
+-                           UINT32 FileAttributes, UINT32 SharedAccess)
+DRIVE_FILE* drive_file_new(const WCHAR* base_path, const WCHAR* path, UINT32 PathWCharLength,
+                           UINT32 id, UINT32 DesiredAccess, UINT32 CreateDisposition,
+                           UINT32 CreateOptions, UINT32 FileAttributes, UINT32 SharedAccess)
+ {
+ 	DRIVE_FILE* file;
+ 
+-	if (!base_path || (!path && (PathLength > 0)))
+	if (!base_path || (!path && (PathWCharLength > 0)))
+ 		return NULL;
+ 
+ 	file = (DRIVE_FILE*)calloc(1, sizeof(DRIVE_FILE));
+@@ -359,7 +386,7 @@ DRIVE_FILE* drive_file_new(const WCHAR* base_path, const WCHAR* path, UINT32 Pat
+ 	file->CreateDisposition = CreateDisposition;
+ 	file->CreateOptions = CreateOptions;
+ 	file->SharedAccess = SharedAccess;
+-	drive_file_set_fullpath(file, drive_file_combine_fullpath(base_path, path, PathLength));
+	drive_file_set_fullpath(file, drive_file_combine_fullpath(base_path, path, PathWCharLength));
+ 
+ 	if (!drive_file_init(file))
+ 	{
+@@ -714,13 +741,10 @@ BOOL drive_file_set_information(DRIVE_FILE* file, UINT32 FsInformationClass, UIN
+ 				return FALSE;
+ 
+ 			fullpath = drive_file_combine_fullpath(file->basepath, (WCHAR*)Stream_Pointer(input),
+-			                                       FileNameLength);
+			                                       FileNameLength / sizeof(WCHAR));
+ 
+ 			if (!fullpath)
+-			{
+-				WLog_ERR(TAG, "drive_file_combine_fullpath failed!");
+ 				return FALSE;
+-			}
+ 
+ #ifdef _WIN32
+ 
+@@ -759,7 +783,7 @@ BOOL drive_file_set_information(DRIVE_FILE* file, UINT32 FsInformationClass, UIN
+ }
+ 
+ BOOL drive_file_query_directory(DRIVE_FILE* file, UINT32 FsInformationClass, BYTE InitialQuery,
+-                                const WCHAR* path, UINT32 PathLength, wStream* output)
+                                const WCHAR* path, UINT32 PathWCharLength, wStream* output)
+ {
+ 	size_t length;
+ 	WCHAR* ent_path;
+@@ -773,7 +797,7 @@ BOOL drive_file_query_directory(DRIVE_FILE* file, UINT32 FsInformationClass, BYT
+ 		if (file->find_handle != INVALID_HANDLE_VALUE)
+ 			FindClose(file->find_handle);
+ 
+-		ent_path = drive_file_combine_fullpath(file->basepath, path, PathLength);
+		ent_path = drive_file_combine_fullpath(file->basepath, path, PathWCharLength);
+ 		/* open new search handle and retrieve the first entry */
+ 		file->find_handle = FindFirstFileW(ent_path, &file->find_data);
+ 		free(ent_path);
+diff --git a/channels/drive/client/drive_file.h b/channels/drive/client/drive_file.h
+index ed789d6f0..6d3bd7045 100644
+--- a/channels/drive/client/drive_file.h
+++ b/channels/drive/client/drive_file.h
+@@ -51,9 +51,9 @@ struct _DRIVE_FILE
+ 	UINT32 CreateOptions;
+ };
+ 
+-DRIVE_FILE* drive_file_new(const WCHAR* base_path, const WCHAR* path, UINT32 PathLength, UINT32 id,
+-                           UINT32 DesiredAccess, UINT32 CreateDisposition, UINT32 CreateOptions,
+-                           UINT32 FileAttributes, UINT32 SharedAccess);
+DRIVE_FILE* drive_file_new(const WCHAR* base_path, const WCHAR* path, UINT32 PathWCharLength,
+                           UINT32 id, UINT32 DesiredAccess, UINT32 CreateDisposition,
+                           UINT32 CreateOptions, UINT32 FileAttributes, UINT32 SharedAccess);
+ BOOL drive_file_free(DRIVE_FILE* file);
+ 
+ BOOL drive_file_open(DRIVE_FILE* file);
+@@ -64,6 +64,6 @@ BOOL drive_file_query_information(DRIVE_FILE* file, UINT32 FsInformationClass, w
+ BOOL drive_file_set_information(DRIVE_FILE* file, UINT32 FsInformationClass, UINT32 Length,
+                                 wStream* input);
+ BOOL drive_file_query_directory(DRIVE_FILE* file, UINT32 FsInformationClass, BYTE InitialQuery,
+-                                const WCHAR* path, UINT32 PathLength, wStream* output);
+                                const WCHAR* path, UINT32 PathWCharLength, wStream* output);
+ 
+ #endif /* FREERDP_CHANNEL_DRIVE_FILE_H */
+diff --git a/channels/drive/client/drive_main.c b/channels/drive/client/drive_main.c
+index 1b5422522..d3776381c 100644
+--- a/channels/drive/client/drive_main.c
+++ b/channels/drive/client/drive_main.c
+@@ -184,8 +184,8 @@ static UINT drive_process_irp_create(DRIVE_DEVICE* drive, IRP* irp)
+ 
+ 	path = (const WCHAR*)Stream_Pointer(irp->input);
+ 	FileId = irp->devman->id_sequence++;
+-	file = drive_file_new(drive->path, path, PathLength, FileId, DesiredAccess, CreateDisposition,
+-	                      CreateOptions, FileAttributes, SharedAccess);
+	file = drive_file_new(drive->path, path, PathLength / sizeof(WCHAR), FileId, DesiredAccess,
+	                      CreateDisposition, CreateOptions, FileAttributes, SharedAccess);
+ 
+ 	if (!file)
+ 	{
+@@ -636,8 +636,8 @@ static UINT drive_process_irp_query_directory(DRIVE_DEVICE* drive, IRP* irp)
+ 		irp->IoStatus = STATUS_UNSUCCESSFUL;
+ 		Stream_Write_UINT32(irp->output, 0); /* Length */
+ 	}
+-	else if (!drive_file_query_directory(file, FsInformationClass, InitialQuery, path, PathLength,
+-	                                     irp->output))
+	else if (!drive_file_query_directory(file, FsInformationClass, InitialQuery, path,
+	                                     PathLength / sizeof(WCHAR), irp->output))
+ 	{
+ 		irp->IoStatus = drive_map_windows_err(GetLastError());
+ 	}
+-- 
+2.37.1
+
--- a/Implement-BIO_CTRL_GET_KTLS_SEND-and-BIO_CTRL_GET_KT.patch
+++ b/Implement-BIO_CTRL_GET_KTLS_SEND-and-BIO_CTRL_GET_KT.patch
@ -0,0 +1,67 @@
+From 1a0f68d2058f361fc23ed9babcd618a838744bf8 Mon Sep 17 00:00:00 2001
+From: akarl <mike@mwsys.mine.bz>
+Date: Sun, 24 Apr 2022 21:16:52 +0200
+Subject: [PATCH] Implement BIO_CTRL_GET_KTLS_SEND and BIO_CTRL_GET_KTLS_SEND
+
+Openssl 3.0 requires to respond to this controls. According to there
+documentation it should not need them, but in practice openssl's own source
+is full of places where negative return values are not checked.
+
+(cherry picked from commit 9d7c20ce8fe50bd6de54e7480b5096761a510daf)
+---
+ libfreerdp/core/gateway/rdg.c | 18 +++++++++++++++++-
+ libfreerdp/core/gateway/tsg.c |  9 ++++++++-
+ 2 files changed, 25 insertions(+), 2 deletions(-)
+
+diff --git a/libfreerdp/core/gateway/rdg.c b/libfreerdp/core/gateway/rdg.c
+index 72019ede8..5d970f39e 100644
+--- a/libfreerdp/core/gateway/rdg.c
+++ b/libfreerdp/core/gateway/rdg.c
+@@ -2483,7 +2483,23 @@ static long rdg_bio_ctrl(BIO* in_bio, int cmd, long arg1, void* arg2)
+ 		 */
+ 		status = BIO_ctrl(tlsOut->bio, cmd, arg1, arg2);
+ 	}
+-
+#if OPENSSL_VERSION_NUMBER >= 0x30000000L
+	else if (cmd == BIO_CTRL_GET_KTLS_SEND)
+	{
+		/* Even though BIO_get_ktls_send says that returning negative values is valid
+		 * openssl internal sources are full of if(!BIO_get_ktls_send && ) stuff. This has some
+		 * nasty sideeffects. return 0 as proper no KTLS offloading flag
+		 */
+		status = 0;
+	}
+	else if (cmd == BIO_CTRL_GET_KTLS_RECV)
+	{
+		/* Even though BIO_get_ktls_recv says that returning negative values is valid
+		 * there is no reason to trust  trust negative values are implemented right everywhere
+		 */
+		status = 0;
+	}
+#endif
+ 	return status;
+ }
+ 
+diff --git a/libfreerdp/core/gateway/tsg.c b/libfreerdp/core/gateway/tsg.c
+index c03f266f2..70fdf9e27 100644
+--- a/libfreerdp/core/gateway/tsg.c
+++ b/libfreerdp/core/gateway/tsg.c
+@@ -2716,7 +2716,14 @@ static long transport_bio_tsg_ctrl(BIO* bio, int cmd, long arg1, void* arg2)
+ 				status = 1;
+ 		}
+ 		break;
+-
+#if OPENSSL_VERSION_NUMBER >= 0x30000000L
+		case BIO_CTRL_GET_KTLS_SEND:
+			status = 0;
+			break;
+		case BIO_CTRL_GET_KTLS_RECV:
+			status = 0;
+			break;
+#endif
+ 		default:
+ 			break;
+ 	}
+-- 
+2.36.1
+
--- a/freerdp.spec
+++ b/freerdp.spec
@ -21,8 +21,8 @@
 %endif

 Name:           freerdp
-Version:        2.4.0
-Release:        2%{?dist}
+Version:        2.4.1
+Release:        5%{?dist}
 Epoch:          2
 Summary:        Free implementation of the Remote Desktop Protocol (RDP)
 License:        ASL 2.0
@ -30,9 +30,34 @@ URL:            http://www.freerdp.com/

 Source0:        https://github.com/FreeRDP/FreeRDP/archive/%{version}/FreeRDP-%{version}.tar.gz

-Patch0:         Fix-FIPS-mode-support-and-build-with-OpenSSL-3.0.patch
-Patch1:         winpr-crypto-Exit-cleanly-when-EVP_EncryptInit_ex-fa.patch
-Patch2:         winpr-crypto-Load-legacy-provider-to-fix-rc4-with-Op.patch
+# https://github.com/FreeRDP/FreeRDP/issues/7436
+Patch0:         Fixed-7436-Datatype-mismatch-to-crypto_base64_decode.patch
+Patch1:         Fixed-7436-Datatype-mismatch.patch
+
+# https://github.com/FreeRDP/FreeRDP/pull/7448
+Patch2:         winpr-ssl-Load-legacy-provider-when-initializing-Ope.patch
+
+# https://bugzilla.redhat.com/show_bug.cgi?id=2023262
+Patch3:         Implement-BIO_CTRL_GET_KTLS_SEND-and-BIO_CTRL_GET_KT.patch
+
+# https://bugzilla.redhat.com/show_bug.cgi?id=2136152
+Patch4:         Fix-length-checks-in-parallel-driver.patch
+
+# https://bugzilla.redhat.com/show_bug.cgi?id=2136154
+Patch5:         Fixed-missing-length-check-in-video-channel.patch
+
+# https://bugzilla.redhat.com/show_bug.cgi?id=2145140
+Patch6:         Added-missing-length-checks-in-zgfx_decompress_segme.patch
+Patch7:         Fixed-division-by-zero-in-urbdrc.patch
+Patch8:         Added-missing-length-check-in-urb_control_transfer.patch
+Patch9:         Fixed-missing-input-buffer-length-check-in-urbdrc.patch
+Patch10:        Ensure-urb_create_iocompletion-uses-size_t-for-calcu.patch
+Patch11:        Added-function-_wcsncmp.patch
+Patch12:        winpr-crt-Fix-wcs-cmp-and-wcs-len-checks.patch
+Patch13:        winpr-crt-Added-wcsstr-implementation.patch
+Patch14:        Fixed-path-validation-in-drive-channel.patch
+Patch15:        Fixed-missing-stream-length-check-in-drive_file_quer.patch
+Patch16:        Fixed-format-string-for-Stream_CheckAndLogRequiredLe.patch

 BuildRequires:  gcc
 BuildRequires:  gcc-c++
@ -299,6 +324,33 @@ find %{buildroot} -name "*.a" -delete
 %{_libdir}/pkgconfig/winpr-tools2.pc

 %changelog
+* Tue Dec 13 2022 Ondrej Holy <oholy@redhat.com> - 2:2.4.1-5
+- Fix "implicit declaration of function" errors (#2136155, #2145140)
+
+* Thu Dec 08 2022 Ondrej Holy <oholy@redhat.com> - - 2:2.4.1-4
+- CVE-2022-39282: Fix length checks in parallel driver (#2136152)
+- CVE-2022-39283: Add missing length check in video channel (#2136154)
+- CVE-2022-39316, CVE-2022-39317: Add missing length checks in zgfx (#2145140)
+- CVE-2022-39318: Fix division by zero in urbdrc channel (#2145140)
+- CVE-2022-39319: Add missing length checks in urbdrc channel (#2145140)
+- CVE-2022-39320: Ensure urb_create_iocompletion uses size_t (#2145140)
+- CVE-2022-39347: Fix path validation in drive channel (#2145140)
+- CVE-2022-41877: Add missing length check in drive channel (#2145140)
+
+* Wed Jun 22 2022 Ondrej Holy <oholy@redhat.com> - - 2:2.4.1-3
+- Fix gateway functionality with OpenSSL 3.0 (#2023262)
+
+* Fri Nov 26 2021 Ondrej Holy <oholy@redhat.com> - 2:2.4.1-2
+- Fix datatype mismatch / big-endian breakage
+- Load legacy provider when initializing OpenSSL 3.0
+
+* Wed Nov 10 2021 Ondrej Holy <oholy@redhat.com> - 2:2.4.1-1
+- Update to 2.4.1 (CVE-2021-41159, CVE-2021-41160).
+
+* Mon Aug 09 2021 Mohan Boddu <mboddu@redhat.com> - 2:2.4.0-3
+- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
+  Related: rhbz#1991688
+
 * Tue Aug 03 2021 Ondrej Holy <oholy@redhat.com> - 2:2.4.0-2
 - Load legacy provider to fix rc4 with OpenSSL 3.0 (#1988443).

--- a/2
+++ b/2
@ -1 +1 @@
-SHA512 (FreeRDP-2.4.0.tar.gz) = fb63c40dcdbbc16bf1d591227ec04537f96f0d5098be28a7b8b0158c83803941f1737604473e6fec45e85ec951bf4309c7b119a282ed2a7902f095757da67b20
+SHA512 (FreeRDP-2.4.1.tar.gz) = a02c2fac8f90142b8b7a36e31a720c79d7947c32fc8d4ac1c976e4f01467b3d78c50b00974af1db6e3e61c2c81ac77c1ac9bf889d14e4be084afa18b634e28f0
--- a/winpr-crt-Added-wcsstr-implementation.patch
+++ b/winpr-crt-Added-wcsstr-implementation.patch
@ -0,0 +1,66 @@
+From ddc6dacd06b41ed5001b1c884b5d5c9e0a70e275 Mon Sep 17 00:00:00 2001
+From: akallabeth <akallabeth@posteo.net>
+Date: Thu, 10 Nov 2022 15:54:28 +0100
+Subject: [PATCH] [winpr, crt] Added wcsstr implementation
+
+(cherry picked from commit 6c034ba6117a4efc9266e845fe9a9a92ed4ee61d)
+---
+ winpr/include/winpr/string.h |  3 +++
+ winpr/libwinpr/crt/string.c  | 20 ++++++++++++++++++++
+ 2 files changed, 23 insertions(+)
+
+diff --git a/winpr/include/winpr/string.h b/winpr/include/winpr/string.h
+index 3b907c444..2d7126210 100644
+--- a/winpr/include/winpr/string.h
+++ b/winpr/include/winpr/string.h
+@@ -62,6 +62,8 @@ extern "C"
+ 	WINPR_API size_t _wcslen(const WCHAR* str);
+ 	WINPR_API size_t _wcsnlen(const WCHAR* str, size_t maxNumberOfElements);
+ 
+	WINPR_API WCHAR* _wcsstr(const WCHAR* str, const WCHAR* strSearch);
+
+ 	WINPR_API WCHAR* _wcschr(const WCHAR* str, WCHAR c);
+ 	WINPR_API WCHAR* _wcsrchr(const WCHAR* str, WCHAR c);
+ 
+@@ -74,6 +76,7 @@ extern "C"
+ #define _wcsncmp wcsncmp
+ #define _wcslen wcslen
+ #define _wcsnlen wcsnlen
+#define _wcsstr wcsstr
+ #define _wcschr wcschr
+ #define _wcsrchr wcsrchr
+ 
+diff --git a/winpr/libwinpr/crt/string.c b/winpr/libwinpr/crt/string.c
+index 5dcf4b3f1..efd7d166c 100644
+--- a/winpr/libwinpr/crt/string.c
+++ b/winpr/libwinpr/crt/string.c
+@@ -147,6 +147,26 @@ size_t _wcsnlen(const WCHAR* str, size_t max)
+ 	return x;
+ }
+ 
+/* _wcsstr -> wcsstr */
+
+WCHAR* _wcsstr(const WCHAR* str, const WCHAR* strSearch)
+{
+	assert(str);
+	assert(strSearch);
+
+	if (strSearch[0] == '\0')
+		return str;
+
+	const size_t searchLen = _wcslen(strSearch);
+	while (*str)
+	{
+		if (_wcsncmp(str, strSearch, searchLen) == 0)
+			return str;
+		str++;
+	}
+	return NULL;
+}
+
+ /* _wcschr -> wcschr */
+ 
+ WCHAR* _wcschr(const WCHAR* str, WCHAR c)
+-- 
+2.37.1
+
--- a/winpr-crt-Fix-wcs-cmp-and-wcs-len-checks.patch
+++ b/winpr-crt-Fix-wcs-cmp-and-wcs-len-checks.patch
@ -0,0 +1,90 @@
+From fb9d753af70b449dd7a17898d46fd57822a08dc1 Mon Sep 17 00:00:00 2001
+From: akallabeth <akallabeth@posteo.net>
+Date: Thu, 10 Nov 2022 14:21:22 +0100
+Subject: [PATCH] [winpr, crt] Fix wcs*cmp and wcs*len checks
+
+(cherry picked from commit b60fac1a0470fe83e8d0b448f0fd7e9e6d6a0f96)
+---
+ winpr/libwinpr/crt/string.c | 30 +++++++++++++++++++-----------
+ 1 file changed, 19 insertions(+), 11 deletions(-)
+
+diff --git a/winpr/libwinpr/crt/string.c b/winpr/libwinpr/crt/string.c
+index c25ffa279..5dcf4b3f1 100644
+--- a/winpr/libwinpr/crt/string.c
+++ b/winpr/libwinpr/crt/string.c
+@@ -26,6 +26,7 @@
+ #include <wctype.h>
+ 
+ #include <winpr/crt.h>
+#include <assert.h>
+ #include <winpr/endian.h>
+ 
+ /* String Manipulation (CRT): http://msdn.microsoft.com/en-us/library/f0151s4x.aspx */
+@@ -80,21 +81,28 @@ int _strnicmp(const char* string1, const char* string2, size_t count)
+ 
+ int _wcscmp(const WCHAR* string1, const WCHAR* string2)
+ {
+-	WCHAR value1, value2;
+	assert(string1);
+	assert(string2);
+ 
+-	while (*string1 && (*string1 == *string2))
+	while (TRUE)
+ 	{
+-		string1++;
+-		string2++;
+		const WCHAR w1 = *string1++;
+		const WCHAR w2 = *string2++;
+
+		if (w1 != w2)
+			return (int)w1 - w2;
+		else if ((w1 == '\0') || (w2 == '\0'))
+			return (int)w1 - w2;
+ 	}
+ 
+-	Data_Read_UINT16(string1, value1);
+-	Data_Read_UINT16(string2, value2);
+-	return (int)value1 - value2;
+	return 0;
+ }
+ 
+ int _wcsncmp(const WCHAR* string1, const WCHAR* string2, size_t count)
+ {
+	assert(string1);
+	assert(string2);
+
+ 	for (size_t x = 0; x < count; x++)
+ 	{
+ 		const WCHAR a = string1[x];
+@@ -102,6 +110,8 @@ int _wcsncmp(const WCHAR* string1, const WCHAR* string2, size_t count)
+ 
+ 		if (a != b)
+ 			return (int)a - b;
+		else if ((a == '\0') || (b == '\0'))
+			return (int)a - b;
+ 	}
+ 	return 0;
+ }
+@@ -112,8 +122,7 @@ size_t _wcslen(const WCHAR* str)
+ {
+ 	const WCHAR* p = (const WCHAR*)str;
+ 
+-	if (!p)
+-		return 0;
+	assert(p);
+ 
+ 	while (*p)
+ 		p++;
+@@ -127,8 +136,7 @@ size_t _wcsnlen(const WCHAR* str, size_t max)
+ {
+ 	size_t x;
+ 
+-	if (!str)
+-		return 0;
+	assert(str);
+ 
+ 	for (x = 0; x < max; x++)
+ 	{
+-- 
+2.37.1
+
--- a/winpr-crypto-Exit-cleanly-when-EVP_EncryptInit_ex-fa.patch
+++ b/winpr-crypto-Exit-cleanly-when-EVP_EncryptInit_ex-fa.patch
@ -1,47 +0,0 @@
-From a79e09d97435bfdf4fdd439d76d847ba8dcbb445 Mon Sep 17 00:00:00 2001
-From: Ondrej Holy <oholy@redhat.com>
-Date: Tue, 3 Aug 2021 08:39:21 +0200
-Subject: [PATCH] winpr/crypto: Exit cleanly when EVP_EncryptInit_ex fails
-
-The `EVP_EncryptInit_ex` function may fail in certain configurations.
-Consequently, FreeRDP segfaults in `EVP_CIPHER_CTX_set_key_length`.
-Let's handle the `EVP_EncryptInit_ex` failures and exit cleanly in
-such case.
---
- winpr/libwinpr/crypto/cipher.c | 13 +++++++++++--
- 1 file changed, 11 insertions(+), 2 deletions(-)
-
-diff --git a/winpr/libwinpr/crypto/cipher.c b/winpr/libwinpr/crypto/cipher.c
-index c47595b14..bd52cfeed 100644
--- a/winpr/libwinpr/crypto/cipher.c
-+++ b/winpr/libwinpr/crypto/cipher.c
-@@ -66,7 +66,12 @@ static WINPR_RC4_CTX* winpr_RC4_New_Internal(const BYTE* key, size_t keylen, BOO
- 		return NULL;
- 
- 	EVP_CIPHER_CTX_init((EVP_CIPHER_CTX*)ctx);
-	EVP_EncryptInit_ex((EVP_CIPHER_CTX*)ctx, evp, NULL, NULL, NULL);
-+	if (EVP_EncryptInit_ex((EVP_CIPHER_CTX*)ctx, evp, NULL, NULL, NULL) != 1)
-+	{
-+		EVP_CIPHER_CTX_free ((EVP_CIPHER_CTX*)ctx);
-+		return NULL;
-+	}
-+
- 	/* EVP_CIPH_FLAG_NON_FIPS_ALLOW does not exist before openssl 1.0.1 */
- #if !(OPENSSL_VERSION_NUMBER < 0x10001000L)
- 
-@@ -75,7 +80,11 @@ static WINPR_RC4_CTX* winpr_RC4_New_Internal(const BYTE* key, size_t keylen, BOO
- 
- #endif
- 	EVP_CIPHER_CTX_set_key_length((EVP_CIPHER_CTX*)ctx, (int)keylen);
-	EVP_EncryptInit_ex((EVP_CIPHER_CTX*)ctx, NULL, NULL, key, NULL);
-+	if (EVP_EncryptInit_ex((EVP_CIPHER_CTX*)ctx, NULL, NULL, key, NULL) != 1)
-+	{
-+		EVP_CIPHER_CTX_free ((EVP_CIPHER_CTX*)ctx);
-+		return NULL;
-+	}
- #elif defined(WITH_MBEDTLS) && defined(MBEDTLS_ARC4_C)
- 
- 	if (!(ctx = (WINPR_RC4_CTX*)calloc(1, sizeof(mbedtls_arc4_context))))
-- 
-2.31.1
-
--- a/winpr-crypto-Load-legacy-provider-to-fix-rc4-with-Op.patch
+++ b/winpr-crypto-Load-legacy-provider-to-fix-rc4-with-Op.patch
@ -1,47 +0,0 @@
-From e1f63dba5c63302b8a5e9d33c9ffe5580105de72 Mon Sep 17 00:00:00 2001
-From: Ondrej Holy <oholy@redhat.com>
-Date: Tue, 3 Aug 2021 08:47:13 +0200
-Subject: [PATCH] winpr/crypto: Load legacy provider to fix rc4 with OpenSSL
- 3.0
-
-Currently, the `EVP_EncryptInit_ex` function fails for rc4 with OpenSSL 3.0.
-This is becuase rc4 is provided by the legacy provider which is not loaded
-by default. Let's explicitly load the legacy provider to make FreeRDP work
-with OpenSSL 3.0.
-
-Relates: https://github.com/openssl/openssl/issues/14392
-Fixes: https://github.com/FreeRDP/FreeRDP/issues/6604
---
- winpr/libwinpr/crypto/cipher.c | 9 +++++++++
- 1 file changed, 9 insertions(+)
-
-diff --git a/winpr/libwinpr/crypto/cipher.c b/winpr/libwinpr/crypto/cipher.c
-index bd52cfeed..75d25a1c7 100644
--- a/winpr/libwinpr/crypto/cipher.c
-+++ b/winpr/libwinpr/crypto/cipher.c
-@@ -29,6 +29,9 @@
- #include <openssl/rc4.h>
- #include <openssl/des.h>
- #include <openssl/evp.h>
-+#if defined(OPENSSL_VERSION_MAJOR) && (OPENSSL_VERSION_MAJOR >= 3)
-+#include <openssl/provider.h>
-+#endif
- #endif
- 
- #ifdef WITH_MBEDTLS
-@@ -57,6 +60,12 @@ static WINPR_RC4_CTX* winpr_RC4_New_Internal(const BYTE* key, size_t keylen, BOO
- 
- 	if (keylen > INT_MAX)
- 		return NULL;
-+
-+#if defined(OPENSSL_VERSION_MAJOR) && (OPENSSL_VERSION_MAJOR >= 3)
-+	if (OSSL_PROVIDER_load(NULL, "legacy") == NULL)
-+		return NULL;
-+#endif
-+
- 	if (!(ctx = (WINPR_RC4_CTX*)EVP_CIPHER_CTX_new()))
- 		return NULL;
- 
-- 
-2.31.1
-
--- a/winpr-ssl-Load-legacy-provider-when-initializing-Ope.patch
+++ b/winpr-ssl-Load-legacy-provider-when-initializing-Ope.patch
@ -0,0 +1,61 @@
+From 2d0b58759ba823bbc372ac19fea5080f4261c26e Mon Sep 17 00:00:00 2001
+From: Ondrej Holy <oholy@redhat.com>
+Date: Tue, 16 Nov 2021 16:12:33 +0100
+Subject: [PATCH] winpr/ssl: Load legacy provider when initializing OpenSSL 3.0
+
+With OpenSSL 3.O, FreeRDP log contains errors like:
+
+```
+4036740A4C7F0000:error:0308010C:digital envelope routines:
+inner_evp_generic_fetch:unsupported:crypto/evp/evp_fetch.c:346:
+Global default library context, Algorithm (MD4 : 85), Properties ()
+```
+
+This leads to connection failures in some cases. This is because algorithms
+like MD4 are now part of the legacy provider, which is not loaded by
+default. Let's explicitly load that provider. With this change, also the
+other provides has to be explicitely loaded.
+---
+ winpr/libwinpr/utils/ssl.c | 12 ++++++++++++
+ 1 file changed, 12 insertions(+)
+
+diff --git a/winpr/libwinpr/utils/ssl.c b/winpr/libwinpr/utils/ssl.c
+index 74ef156e7..392f8e227 100644
+--- a/winpr/libwinpr/utils/ssl.c
+++ b/winpr/libwinpr/utils/ssl.c
+@@ -33,6 +33,10 @@
+ #include <openssl/ssl.h>
+ #include <openssl/err.h>
+ 
+#if defined(OPENSSL_VERSION_MAJOR) && (OPENSSL_VERSION_MAJOR >= 3)
+#include <openssl/provider.h>
+#endif
+
+ #include "../log.h"
+ #define TAG WINPR_TAG("utils.ssl")
+ 
+@@ -245,6 +249,7 @@ static BOOL winpr_enable_fips(DWORD flags)
+ 		WLog_DBG(TAG, "Ensuring openssl fips mode is ENabled");
+ 
+ #if defined(OPENSSL_VERSION_MAJOR) && (OPENSSL_VERSION_MAJOR >= 3)
+		OSSL_PROVIDER_load(NULL, "fips");
+ 		if (!EVP_default_properties_is_fips_enabled(NULL))
+ #else
+ 		if (FIPS_mode() != 1)
+@@ -305,6 +310,13 @@ static BOOL CALLBACK _winpr_openssl_initialize(PINIT_ONCE once, PVOID param, PVO
+ 		return FALSE;
+ 
+ #endif
+
+#if defined(OPENSSL_VERSION_MAJOR) && (OPENSSL_VERSION_MAJOR >= 3)
+	/* The legacy provider is needed for MD4. */
+	OSSL_PROVIDER_load(NULL, "legacy");
+	OSSL_PROVIDER_load(NULL, "default");
+#endif
+
+ 	g_winpr_openssl_initialized_by_winpr = TRUE;
+ 	return winpr_enable_fips(flags);
+ }
+-- 
+2.33.1
+
Author	SHA1	Message	Date
Ondrej Holy	7bf48662a1	Fix "implicit declaration of function" errors	2023-05-18 11:17:37 +00:00
Ondrej Holy	916e606784	Fix multiple CVE issues CVE-2022-39316, CVE-2022-39317: Add missing length checks in zgfx CVE-2022-39318: Fix division by zero in urbdrc channel CVE-2022-39319: Add missing length checks in urbdrc channel CVE-2022-39320: Ensure urb_create_iocompletion uses size_t CVE-2022-39347: Fix path validation in drive channel CVE-2022-41877: Add missing length check in drive channel Resolves: #2145140	2022-12-09 11:46:01 +01:00
Ondrej Holy	0657b181a4	CVE-2022-39283: Add missing length check in video channel Resolves: #2136154	2022-12-08 10:57:53 +01:00
Ondrej Holy	96676737fa	CVE-2022-39282: Fix length checks in parallel driver Resolves: #2136152	2022-12-08 10:49:14 +01:00
Ondrej Holy	6e02d7e8a6	Fix gateway functionality with OpenSSL 3.0 Resolves: #2023262	2022-06-22 10:11:14 +02:00
Ondrej Holy	7a6f5d6855	Load legacy provider when initializing OpenSSL 3.0 See: https://github.com/FreeRDP/FreeRDP/pull/7448 (cherry picked from Fedora commit 03115cf349e3643ddb2881c718043908ad21cf2d) Resolves: #2023182 Related: #2023262	2021-11-29 14:06:45 +01:00
Ondrej Holy	d4756790be	Fix datatype mismatch / big-endian breakage See: https://github.com/FreeRDP/FreeRDP/issues/7436 (cherry picked from Fedora commit 3e1767838718ef6676d20e39bab69104e64aabbd) Related: #2023182 Related: #2017950	2021-11-29 14:06:28 +01:00
Ondrej Holy	bfe82ab42a	Update to 2.4.1 (CVE-2021-41159, CVE-2021-41160) (cherry picked from Fedora commit d274320ad4fd1c4e8a03d68813e80070a9a391f7) Resolves: #2017957, #2017950 Related: #2023182	2021-11-29 14:05:42 +01:00
Mohan Boddu	92dad3c150	Rebuilt for IMA sigs, glibc 2.34, aarch64 flags Related: rhbz#1991688 Signed-off-by: Mohan Boddu <mboddu@redhat.com>	2021-08-09 20:04:49 +00:00
Ondrej Holy	a71c37f744	Fix patches to make them applicable Resolves: #1988443	2021-08-04 10:24:18 +02:00
				`@ -0,0 +1 @@`
				`03ba0409951eaf50023cd4aac9bd49e443225a2f FreeRDP-2.4.1.tar.gz`