[oe] [meta-oe][PATCH 2/2] freerdp: patch CVE-2026-22855

Gyorgy Sarvari via lists.openembedded.org Mon, 09 Feb 2026 21:48:12 -0800

Details: https://nvd.nist.gov/vuln/detail/CVE-2026-22855


The related Github advisory[1] describes the problem along with analyzing
where the vulnerability is in the codebase. I looked up the commit that
recently performed the changes from the analysis, and backported it.

[1]: https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-rwp3-g84r-6mx9

Signed-off-by: Gyorgy Sarvari <[email protected]>
---
 .../freerdp/freerdp/CVE-2026-22855.patch      | 83 +++++++++++++++++++
 .../recipes-support/freerdp/freerdp_2.11.7.bb |  1 +
 2 files changed, 84 insertions(+)
 create mode 100644 meta-oe/recipes-support/freerdp/freerdp/CVE-2026-22855.patch

diff --git a/meta-oe/recipes-support/freerdp/freerdp/CVE-2026-22855.patch 
b/meta-oe/recipes-support/freerdp/freerdp/CVE-2026-22855.patch
new file mode 100644
index 0000000000..ec0c3a75ec
--- /dev/null
+++ b/meta-oe/recipes-support/freerdp/freerdp/CVE-2026-22855.patch
@@ -0,0 +1,83 @@
+From df1132783e49ebeaa30206a67b70c7a37f3c5650 Mon Sep 17 00:00:00 2001
+From: Gyorgy Sarvari <[email protected]>
+Date: Sun, 11 Jan 2026 09:03:57 +0100
+Subject: [PATCH] add length validity checks
+
+From: akallabeth <[email protected]>
+
+in smartcard_unpack_set_attrib_call input length validity checks were
+missing.
+
+CVE: CVE-2026-22855
+Upstream-Status: Backport 
[https://github.com/FreeRDP/FreeRDP/commit/57c5647d98c2a026de8b681159cb188ca0439ef8]
+Signed-off-by: Gyorgy Sarvari <[email protected]>
+---
+ channels/smartcard/client/smartcard_pack.c | 27 +++++++++++++++++-----
+ 1 file changed, 21 insertions(+), 6 deletions(-)
+
+diff --git a/channels/smartcard/client/smartcard_pack.c 
b/channels/smartcard/client/smartcard_pack.c
+index f70eb4e5d..c0673e066 100644
+--- a/channels/smartcard/client/smartcard_pack.c
++++ b/channels/smartcard/client/smartcard_pack.c
+@@ -98,8 +98,8 @@ static BOOL smartcard_ndr_pointer_read_(wStream* s, UINT32* 
index, UINT32* ptr,
+       return TRUE;
+ }
+ 
+-static LONG smartcard_ndr_read(wStream* s, BYTE** data, size_t min, size_t 
elementSize,
+-                               ndr_ptr_t type)
++static LONG smartcard_ndr_read_ex(wStream* s, BYTE** data, size_t min, size_t 
elementSize,
++                               ndr_ptr_t type, size_t* plen)
+ {
+       size_t len, offset, len2;
+       void* r;
+@@ -125,6 +125,9 @@ static LONG smartcard_ndr_read(wStream* s, BYTE** data, 
size_t min, size_t eleme
+               return STATUS_BUFFER_TOO_SMALL;
+       }
+ 
++      if (plen)
++              *plen = 0;
++
+       switch (type)
+       {
+               case NDR_PTR_FULL:
+@@ -181,11 +184,20 @@ static LONG smartcard_ndr_read(wStream* s, BYTE** data, 
size_t min, size_t eleme
+       if (!r)
+               return SCARD_E_NO_MEMORY;
+       Stream_Read(s, r, len);
+-      smartcard_unpack_read_size_align(NULL, s, len, 4);
++      const LONG pad = smartcard_unpack_read_size_align(NULL, s, len, 4);
++      len += (size_t)pad;
+       *data = r;
++      if (plen)
++              *plen = len;
+       return STATUS_SUCCESS;
+ }
+ 
++static LONG smartcard_ndr_read(wStream* s, BYTE** data, size_t min, size_t 
elementSize,
++                               ndr_ptr_t type)
++{
++       return smartcard_ndr_read_ex(s, data, min, elementSize, type, NULL);
++}
++
+ static BOOL smartcard_ndr_pointer_write(wStream* s, UINT32* index, DWORD 
length)
+ {
+       const UINT32 ndrPtr = 0x20000 + (*index) * 4;
+@@ -3427,12 +3439,15 @@ LONG 
smartcard_unpack_set_attrib_call(SMARTCARD_DEVICE* smartcard, wStream* s, S
+ 
+       if (ndrPtr)
+       {
+-              // TODO: call->cbAttrLen was larger than the pointer value.
+-              // TODO: Maybe need to refine the checks?
+-              status = smartcard_ndr_read(s, &call->pbAttr, 0, 1, 
NDR_PTR_SIMPLE);
++              size_t len = 0;
++              status = smartcard_ndr_read_ex(s, &call->pbAttr, 0, 1, 
NDR_PTR_SIMPLE, &len);
+               if (status != SCARD_S_SUCCESS)
+                       return status;
++              if (call->cbAttrLen > len)
++                      call->cbAttrLen = (DWORD)(len);
+       }
++      else
++              call->cbAttrLen = 0;
+       smartcard_trace_set_attrib_call(smartcard, call);
+       return SCARD_S_SUCCESS;
+ }
diff --git a/meta-oe/recipes-support/freerdp/freerdp_2.11.7.bb 
b/meta-oe/recipes-support/freerdp/freerdp_2.11.7.bb
index 0bdf56938b..3ee4f99c1a 100644
--- a/meta-oe/recipes-support/freerdp/freerdp_2.11.7.bb
+++ b/meta-oe/recipes-support/freerdp/freerdp_2.11.7.bb
@@ -25,6 +25,7 @@ SRC_URI = 
"git://github.com/FreeRDP/FreeRDP.git;branch=stable-2.0;protocol=https
            file://0001-Fixed-compilation-warnings-in-ainput-channel.patch \
            file://CVE-2024-32661.patch \
            file://CVE-2026-22854.patch \
+           file://CVE-2026-22855.patch \
            "

-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#124316): 
https://lists.openembedded.org/g/openembedded-devel/message/124316
Mute This Topic: https://lists.openembedded.org/mt/117733922/21656
Group Owner: [email protected]
Unsubscribe: https://lists.openembedded.org/g/openembedded-devel/unsub 
[[email protected]]
-=-=-=-=-=-=-=-=-=-=-=-

[oe] [meta-oe][PATCH 2/2] freerdp: patch CVE-2026-22855

Reply via email to