Bug#964573: xrdp: diff for NMU version 0.9.12-1.1
Control: tags 964573 + patch
Control: tags 964573 + pending
Dear maintainer,
I've prepared an NMU for xrdp (versioned as 0.9.12-1.1) and
uploaded it to DELAYED/5. Please feel free to tell me if I
should delay it longer.
I can defintively cancel it if you prefer to do either a maintainer
upload or even better to rebase to the new upstream version.
Regards,
Salvatore
diff -Nru xrdp-0.9.12/debian/changelog xrdp-0.9.12/debian/changelog
--- xrdp-0.9.12/debian/changelog 2020-01-11 02:40:04.000000000 +0100
+++ xrdp-0.9.12/debian/changelog 2020-07-19 17:11:20.000000000 +0200
@@ -1,3 +1,12 @@
+xrdp (0.9.12-1.1) unstable; urgency=medium
+
+ * Non-maintainer upload.
+ * xrdp-sesman can be crashed remotely over port 3350 (CVE-2020-4044)
+ (Closes: #964573)
+ * Fixed CVE-2020-4044 CI errors
+
+ -- Salvatore Bonaccorso <carnil@debian.org> Sun, 19 Jul 2020 17:11:20 +0200
+
xrdp (0.9.12-1) unstable; urgency=low
* Update Homepage link
diff -Nru xrdp-0.9.12/debian/patches/Fix-for-CVE-2020-4044.patch xrdp-0.9.12/debian/patches/Fix-for-CVE-2020-4044.patch
--- xrdp-0.9.12/debian/patches/Fix-for-CVE-2020-4044.patch 1970-01-01 01:00:00.000000000 +0100
+++ xrdp-0.9.12/debian/patches/Fix-for-CVE-2020-4044.patch 2020-07-19 17:11:20.000000000 +0200
@@ -0,0 +1,1270 @@
+From: matt335672 <30179339+matt335672@users.noreply.github.com>
+Date: Fri, 12 Jun 2020 09:56:47 +0100
+Subject: Fix for CVE-2020-4044
+Origin: https://github.com/neutrinolabs/xrdp/commit/ba2f727c9a2acbee59c27b5883b36b43b022ea9c
+Bug-Debian: https://bugs.debian.org/964573
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2020-4044
+
+Reported by: Ashley Newson
+---
+ sesman/libscp/libscp_types.h | 4 +
+ sesman/libscp/libscp_v0.c | 335 ++++++++++++++++++++------------
+ sesman/libscp/libscp_v1s.c | 336 +++++++++++++++++++++++----------
+ sesman/libscp/libscp_v1s_mng.c | 164 +++++++++++++---
+ sesman/scp.c | 12 +-
+ 5 files changed, 592 insertions(+), 259 deletions(-)
+
+diff --git a/sesman/libscp/libscp_types.h b/sesman/libscp/libscp_types.h
+index 8cb9166c515f..84e6c4651e7e 100644
+--- a/sesman/libscp/libscp_types.h
++++ b/sesman/libscp/libscp_types.h
+@@ -59,6 +59,10 @@
+
+ #include "libscp_types_mng.h"
+
++/* Max server incoming and outgoing message size, used to stop memory
++ exhaustion attempts (CVE-2020-4044) */
++#define SCP_MAX_MESSAGE_SIZE 8192
++
+ struct SCP_CONNECTION
+ {
+ int in_sck;
+diff --git a/sesman/libscp/libscp_v0.c b/sesman/libscp/libscp_v0.c
+index 61bf4fdae43a..55168b4f515f 100644
+--- a/sesman/libscp/libscp_v0.c
++++ b/sesman/libscp/libscp_v0.c
+@@ -34,6 +34,65 @@
+
+ extern struct log_config *s_log;
+
++/** Maximum length of a string (two bytes + len), excluding the terminator
++ *
++ * Practially this is limited by [MS-RDPBCGR] TS_INFO_PACKET
++ * */
++#define STRING16_MAX_LEN 512
++
++/**
++ * Reads a big-endian uint16 followed by a string into a buffer
++ *
++ * Buffer is null-terminated on success
++ *
++ * @param s Input stream
++ * @param [out] Output buffer (must be >= (STRING16_MAX_LEN+1) chars)
++ * @param param Parameter we're reading
++ * @param line Line number reference
++ * @return != 0 if string read OK
++ */
++static
++int in_string16(struct stream *s, char str[], const char *param, int line)
++{
++ int result;
++
++ if (!s_check_rem(s, 2))
++ {
++ log_message(LOG_LEVEL_WARNING,
++ "[v0:%d] connection aborted: %s len missing",
++ line, param);
++ result = 0;
++ }
++ else
++ {
++ unsigned int sz;
++
++ in_uint16_be(s, sz);
++ if (sz > STRING16_MAX_LEN)
++ {
++ log_message(LOG_LEVEL_WARNING,
++ "[v0:%d] connection aborted: %s too long (%u chars)",
++ line, param, sz);
++ result = 0;
++ }
++ else
++ {
++ result = s_check_rem(s, sz);
++ if (!result)
++ {
++ log_message(LOG_LEVEL_WARNING,
++ "[v0:%d] connection aborted: %s data missing",
++ line, param);
++ }
++ else
++ {
++ in_uint8a(s, str, sz);
++ str[sz] = '\0';
++ }
++ }
++ }
++ return result;
++}
+ /* client API */
+ /******************************************************************************/
+ enum SCP_CLIENT_STATES_E
+@@ -71,10 +130,24 @@ scp_v0c_connect(struct SCP_CONNECTION *c, struct SCP_SESSION *s)
+ }
+
+ sz = g_strlen(s->username);
++ if (sz > STRING16_MAX_LEN)
++ {
++ log_message(LOG_LEVEL_WARNING,
++ "[v0:%d] connection aborted: username too long",
++ __LINE__);
++ return SCP_CLIENT_STATE_SIZE_ERR;
++ }
+ out_uint16_be(c->out_s, sz);
+ out_uint8a(c->out_s, s->username, sz);
+
+ sz = g_strlen(s->password);
++ if (sz > STRING16_MAX_LEN)
++ {
++ log_message(LOG_LEVEL_WARNING,
++ "[v0:%d] connection aborted: password too long",
++ __LINE__);
++ return SCP_CLIENT_STATE_SIZE_ERR;
++ }
+ out_uint16_be(c->out_s, sz);
+ out_uint8a(c->out_s, s->password, sz);
+ out_uint16_be(c->out_s, s->width);
+@@ -111,14 +184,16 @@ scp_v0c_connect(struct SCP_CONNECTION *c, struct SCP_SESSION *s)
+
+ in_uint32_be(c->in_s, size);
+
+- if (size < 14)
++ if (size < (8 + 2 + 2 + 2) || size > SCP_MAX_MESSAGE_SIZE)
+ {
+- log_message(LOG_LEVEL_WARNING, "[v0:%d] connection aborted: packet size error", __LINE__);
++ log_message(LOG_LEVEL_WARNING,
++ "[v0:%d] connection aborted: msg size = %u",
++ __LINE__, (unsigned int)size);
+ return SCP_CLIENT_STATE_SIZE_ERR;
+ }
+
+ /* getting payload */
+- init_stream(c->in_s, c->in_s->size);
++ init_stream(c->in_s, size - 8);
+
+ if (0 != scp_tcp_force_recv(c->in_sck, c->in_s->data, size - 8))
+ {
+@@ -126,6 +201,8 @@ scp_v0c_connect(struct SCP_CONNECTION *c, struct SCP_SESSION *s)
+ return SCP_CLIENT_STATE_NETWORK_ERR;
+ }
+
++ c->in_s->end = c->in_s->data + (size - 8);
++
+ /* check code */
+ in_uint16_be(c->in_s, sz);
+
+@@ -151,43 +228,38 @@ scp_v0c_connect(struct SCP_CONNECTION *c, struct SCP_SESSION *s)
+ return SCP_CLIENT_STATE_END;
+ }
+
+-/* server API */
+-/******************************************************************************/
+-enum SCP_SERVER_STATES_E
+-scp_v0s_accept(struct SCP_CONNECTION *c, struct SCP_SESSION **s, int skipVchk)
++/**
++ * Initialises a V0 session object
++ *
++ * At the time of the call, the version has been read from the connection
++ *
++ * @param c Connection
++ * @param [out] session pre-allocated session object
++ * @return SCP_SERVER_STATE_OK for success
++ */
++static enum SCP_SERVER_STATES_E
++scp_v0s_init_session(struct SCP_CONNECTION *c, struct SCP_SESSION *session)
+ {
+- tui32 version = 0;
+ tui32 size;
+- struct SCP_SESSION *session = 0;
+- tui16 sz;
++ tui16 height;
++ tui16 width;
++ tui16 bpp;
+ tui32 code = 0;
+- char *buf = 0;
+-
+- if (!skipVchk)
+- {
+- LOG_DBG("[v0:%d] starting connection", __LINE__);
++ char buf[STRING16_MAX_LEN + 1];
+
+- if (0 == scp_tcp_force_recv(c->in_sck, c->in_s->data, 8))
+- {
+- c->in_s->end = c->in_s->data + 8;
+- in_uint32_be(c->in_s, version);
+-
+- if (version != 0)
+- {
+- log_message(LOG_LEVEL_WARNING, "[v0:%d] connection aborted: version error", __LINE__);
+- return SCP_SERVER_STATE_VERSION_ERR;
+- }
+- }
+- else
+- {
+- log_message(LOG_LEVEL_WARNING, "[v0:%d] connection aborted: network error", __LINE__);
+- return SCP_SERVER_STATE_NETWORK_ERR;
+- }
+- }
++ scp_session_set_version(session, 0);
+
++ /* Check for a header and a code value in the length */
+ in_uint32_be(c->in_s, size);
++ if (size < (8 + 2) || size > SCP_MAX_MESSAGE_SIZE)
++ {
++ log_message(LOG_LEVEL_WARNING,
++ "[v0:%d] connection aborted: msg size = %u",
++ __LINE__, (unsigned int)size);
++ return SCP_SERVER_STATE_SIZE_ERR;
++ }
+
+- init_stream(c->in_s, 8196);
++ init_stream(c->in_s, size - 8);
+
+ if (0 != scp_tcp_force_recv(c->in_sck, c->in_s->data, size - 8))
+ {
+@@ -201,16 +273,6 @@ scp_v0s_accept(struct SCP_CONNECTION *c, struct SCP_SESSION **s, int skipVchk)
+
+ if (code == 0 || code == 10 || code == 20)
+ {
+- session = scp_session_create();
+-
+- if (0 == session)
+- {
+- log_message(LOG_LEVEL_WARNING, "[v0:%d] connection aborted: network error", __LINE__);
+- return SCP_SERVER_STATE_INTERNAL_ERR;
+- }
+-
+- scp_session_set_version(session, version);
+-
+ if (code == 0)
+ {
+ scp_session_set_type(session, SCP_SESSION_TYPE_XVNC);
+@@ -225,154 +287,130 @@ scp_v0s_accept(struct SCP_CONNECTION *c, struct SCP_SESSION **s, int skipVchk)
+ }
+
+ /* reading username */
+- in_uint16_be(c->in_s, sz);
+- buf = g_new0(char, sz + 1);
+- in_uint8a(c->in_s, buf, sz);
+- buf[sz] = '\0';
++ if (!in_string16(c->in_s, buf, "username", __LINE__))
++ {
++ return SCP_SERVER_STATE_SIZE_ERR;
++ }
+ if (0 != scp_session_set_username(session, buf))
+ {
+- scp_session_destroy(session);
+ log_message(LOG_LEVEL_WARNING, "[v0:%d] connection aborted: error setting username", __LINE__);
+- g_free(buf);
+ return SCP_SERVER_STATE_INTERNAL_ERR;
+ }
+- g_free(buf);
+
+ /* reading password */
+- in_uint16_be(c->in_s, sz);
+- buf = g_new0(char, sz + 1);
+- in_uint8a(c->in_s, buf, sz);
+- buf[sz] = '\0';
++ if (!in_string16(c->in_s, buf, "passwd", __LINE__))
++ {
++ return SCP_SERVER_STATE_SIZE_ERR;
++ }
+ if (0 != scp_session_set_password(session, buf))
+ {
+- scp_session_destroy(session);
+ log_message(LOG_LEVEL_WARNING, "[v0:%d] connection aborted: error setting password", __LINE__);
+- g_free(buf);
+ return SCP_SERVER_STATE_INTERNAL_ERR;
+ }
+- g_free(buf);
+-
+- /* width */
+- in_uint16_be(c->in_s, sz);
+- scp_session_set_width(session, sz);
+- /* height */
+- in_uint16_be(c->in_s, sz);
+- scp_session_set_height(session, sz);
+- /* bpp */
+- in_uint16_be(c->in_s, sz);
+- if (0 != scp_session_set_bpp(session, (tui8)sz))
++
++ /* width + height + bpp */
++ if (!s_check_rem(c->in_s, 2 + 2 + 2))
++ {
++ log_message(LOG_LEVEL_WARNING,
++ "[v0:%d] connection aborted: width+height+bpp missing",
++ __LINE__);
++ return SCP_SERVER_STATE_SIZE_ERR;
++ }
++ in_uint16_be(c->in_s, width);
++ scp_session_set_width(session, width);
++ in_uint16_be(c->in_s, height);
++ scp_session_set_height(session, height);
++ in_uint16_be(c->in_s, bpp);
++ if (0 != scp_session_set_bpp(session, (tui8)bpp))
+ {
+- scp_session_destroy(session);
+ log_message(LOG_LEVEL_WARNING,
+ "[v0:%d] connection aborted: unsupported bpp: %d",
+- __LINE__, (tui8)sz);
++ __LINE__, (tui8)bpp);
+ return SCP_SERVER_STATE_INTERNAL_ERR;
+ }
+
+ if (s_check_rem(c->in_s, 2))
+ {
+ /* reading domain */
+- in_uint16_be(c->in_s, sz);
+-
+- if (sz > 0)
++ if (!in_string16(c->in_s, buf, "domain", __LINE__))
++ {
++ return SCP_SERVER_STATE_SIZE_ERR;
++ }
++ if (buf[0] != '\0')
+ {
+- buf = g_new0(char, sz + 1);
+- in_uint8a(c->in_s, buf, sz);
+- buf[sz] = '\0';
+ scp_session_set_domain(session, buf);
+- g_free(buf);
+ }
+ }
+
+ if (s_check_rem(c->in_s, 2))
+ {
+ /* reading program */
+- in_uint16_be(c->in_s, sz);
++ if (!in_string16(c->in_s, buf, "program", __LINE__))
++ {
++ return SCP_SERVER_STATE_SIZE_ERR;
++ }
+
+- if (sz > 0)
++ if (buf[0] != '\0')
+ {
+- buf = g_new0(char, sz + 1);
+- in_uint8a(c->in_s, buf, sz);
+- buf[sz] = '\0';
+ scp_session_set_program(session, buf);
+- g_free(buf);
+ }
+ }
+
+ if (s_check_rem(c->in_s, 2))
+ {
+ /* reading directory */
+- in_uint16_be(c->in_s, sz);
++ if (!in_string16(c->in_s, buf, "directory", __LINE__))
++ {
++ return SCP_SERVER_STATE_SIZE_ERR;
++ }
+
+- if (sz > 0)
++ if (buf[0] != '\0')
+ {
+- buf = g_new0(char, sz + 1);
+- in_uint8a(c->in_s, buf, sz);
+- buf[sz] = '\0';
+ scp_session_set_directory(session, buf);
+- g_free(buf);
+ }
+ }
+
+ if (s_check_rem(c->in_s, 2))
+ {
+ /* reading client IP address */
+- in_uint16_be(c->in_s, sz);
+-
+- if (sz > 0)
++ if (!in_string16(c->in_s, buf, "client IP", __LINE__))
++ {
++ return SCP_SERVER_STATE_SIZE_ERR;
++ }
++ if (buf[0] != '\0')
+ {
+- buf = g_new0(char, sz + 1);
+- in_uint8a(c->in_s, buf, sz);
+- buf[sz] = '\0';
+ scp_session_set_client_ip(session, buf);
+- g_free(buf);
+ }
+ }
+ }
+ else if (code == SCP_GW_AUTHENTICATION)
+ {
+- /* g_writeln("Command is SCP_GW_AUTHENTICATION"); */
+- session = scp_session_create();
+-
+- if (0 == session)
+- {
+- /* until syslog merge log_message(s_log, LOG_LEVEL_WARNING, "[v0:%d] connection aborted: network error", __LINE__);*/
+- return SCP_SERVER_STATE_INTERNAL_ERR;
+- }
+-
+- scp_session_set_version(session, version);
+ scp_session_set_type(session, SCP_GW_AUTHENTICATION);
+ /* reading username */
+- in_uint16_be(c->in_s, sz);
+- buf = g_new0(char, sz + 1);
+- in_uint8a(c->in_s, buf, sz);
+- buf[sz] = '\0';
++ if (!in_string16(c->in_s, buf, "username", __LINE__))
++ {
++ return SCP_SERVER_STATE_SIZE_ERR;
++ }
+
+ /* g_writeln("Received user name: %s",buf); */
+ if (0 != scp_session_set_username(session, buf))
+ {
+- scp_session_destroy(session);
+ /* until syslog merge log_message(s_log, LOG_LEVEL_WARNING, "[v0:%d] connection aborted: error setting username", __LINE__);*/
+- g_free(buf);
+ return SCP_SERVER_STATE_INTERNAL_ERR;
+ }
+- g_free(buf);
+
+ /* reading password */
+- in_uint16_be(c->in_s, sz);
+- buf = g_new0(char, sz + 1);
+- in_uint8a(c->in_s, buf, sz);
+- buf[sz] = '\0';
++ if (!in_string16(c->in_s, buf, "passwd", __LINE__))
++ {
++ return SCP_SERVER_STATE_SIZE_ERR;
++ }
+
+ /* g_writeln("Received password: %s",buf); */
+ if (0 != scp_session_set_password(session, buf))
+ {
+- scp_session_destroy(session);
+ /* until syslog merge log_message(s_log, LOG_LEVEL_WARNING, "[v0:%d] connection aborted: error setting password", __LINE__); */
+- g_free(buf);
+ return SCP_SERVER_STATE_INTERNAL_ERR;
+ }
+- g_free(buf);
+ }
+ else
+ {
+@@ -380,10 +418,67 @@ scp_v0s_accept(struct SCP_CONNECTION *c, struct SCP_SESSION **s, int skipVchk)
+ return SCP_SERVER_STATE_SEQUENCE_ERR;
+ }
+
+- (*s) = session;
+ return SCP_SERVER_STATE_OK;
+ }
+
++
++/* server API */
++/******************************************************************************/
++enum SCP_SERVER_STATES_E
++scp_v0s_accept(struct SCP_CONNECTION *c, struct SCP_SESSION **s, int skipVchk)
++{
++ enum SCP_SERVER_STATES_E result = SCP_SERVER_STATE_OK;
++ struct SCP_SESSION *session = NULL;
++ tui32 version = 0;
++
++ if (!skipVchk)
++ {
++ LOG_DBG("[v0:%d] starting connection", __LINE__);
++
++ if (0 == scp_tcp_force_recv(c->in_sck, c->in_s->data, 8))
++ {
++ c->in_s->end = c->in_s->data + 8;
++ in_uint32_be(c->in_s, version);
++
++ if (version != 0)
++ {
++ log_message(LOG_LEVEL_WARNING, "[v0:%d] connection aborted: version error", __LINE__);
++ result = SCP_SERVER_STATE_VERSION_ERR;
++ }
++ }
++ else
++ {
++ log_message(LOG_LEVEL_WARNING, "[v0:%d] connection aborted: network error", __LINE__);
++ result = SCP_SERVER_STATE_NETWORK_ERR;
++ }
++ }
++
++ if (result == SCP_SERVER_STATE_OK)
++ {
++ session = scp_session_create();
++ if (NULL == session)
++ {
++ log_message(LOG_LEVEL_WARNING,
++ "[v0:%d] connection aborted: no memory",
++ __LINE__);
++ result = SCP_SERVER_STATE_INTERNAL_ERR;
++ }
++ else
++ {
++ result = scp_v0s_init_session(c, session);
++ if (result != SCP_SERVER_STATE_OK)
++ {
++ scp_session_destroy(session);
++ session = NULL;
++ }
++ }
++ }
++
++ (*s) = session;
++
++ return result;
++}
++
+ /******************************************************************************/
+ enum SCP_SERVER_STATES_E
+ scp_v0s_allow_connection(struct SCP_CONNECTION *c, SCP_DISPLAY d, const tui8 *guid)
+diff --git a/sesman/libscp/libscp_v1s.c b/sesman/libscp/libscp_v1s.c
+index 27e5ef13db30..37e8a01c42f8 100644
+--- a/sesman/libscp/libscp_v1s.c
++++ b/sesman/libscp/libscp_v1s.c
+@@ -35,16 +35,194 @@
+
+ //extern struct log_config* s_log;
+
++/**
++ * Reads a uint8 followed by a string into a buffer
++ *
++ * Buffer is null-terminated on success
++ *
++ * @param s Input stream
++ * @param [out] Output buffer (must be >= 256 chars)
++ * @param param Parameter we're reading
++ * @param line Line number reference
++ * @return != 0 if string read OK
++ *
++ * @todo
++ * This needs to be merged with the func of the same name in
++ * libscp_v1s_mng.c
++ */
++static
++int in_string8(struct stream *s, char str[], const char *param, int line)
++{
++ int result;
++
++ if (!s_check_rem(s, 1))
++ {
++ log_message(LOG_LEVEL_WARNING,
++ "[v1s:%d] connection aborted: %s len missing",
++ line, param);
++ result = 0;
++ }
++ else
++ {
++ unsigned int sz;
++
++ in_uint8(s, sz);
++ result = s_check_rem(s, sz);
++ if (!result)
++ {
++ log_message(LOG_LEVEL_WARNING,
++ "[v1s:%d] connection aborted: %s data missing",
++ line, param);
++ }
++ else
++ {
++ in_uint8a(s, str, sz);
++ str[sz] = '\0';
++ }
++ }
++ return result;
++}
++/* server API */
++
++/**
++ * Initialises a V1 session object
++ *
++ * This is called after the V1 header, command set and command have been read
++ *
++ * @param c Connection
++ * @param [out] session pre-allocated session object
++ * @return SCP_SERVER_STATE_OK for success
++ */
++static enum SCP_SERVER_STATES_E
++scp_v1s_init_session(struct SCP_CONNECTION *c, struct SCP_SESSION *session)
++{
++ tui8 type;
++ tui16 height;
++ tui16 width;
++ tui8 bpp;
++ tui8 sz;
++ char buf[256];
++
++ scp_session_set_version(session, 1);
++
++ /* Check there's data for the session type, the height, the width, the
++ * bpp, the resource sharing indicator and the locale */
++ if (!s_check_rem(c->in_s, 1 + 2 + 2 + 1 + 1 + 17))
++ {
++ log_message(LOG_LEVEL_WARNING,
++ "[v1s:%d] connection aborted: short packet",
++ __LINE__);
++ return SCP_SERVER_STATE_SIZE_ERR;
++ }
++
++ in_uint8(c->in_s, type);
++
++ if ((type != SCP_SESSION_TYPE_XVNC) && (type != SCP_SESSION_TYPE_XRDP))
++ {
++ log_message(LOG_LEVEL_WARNING, "[v1s:%d] connection aborted: unknown session type", __LINE__);
++ return SCP_SERVER_STATE_SESSION_TYPE_ERR;
++ }
++
++ scp_session_set_type(session, type);
++
++ in_uint16_be(c->in_s, height);
++ scp_session_set_height(session, height);
++ in_uint16_be(c->in_s, width);
++ scp_session_set_width(session, width);
++ in_uint8(c->in_s, bpp);
++ if (0 != scp_session_set_bpp(session, bpp))
++ {
++ log_message(LOG_LEVEL_WARNING,
++ "[v1s:%d] connection aborted: unsupported bpp: %d",
++ __LINE__, bpp);
++ return SCP_SERVER_STATE_INTERNAL_ERR;
++ }
++ in_uint8(c->in_s, sz);
++ scp_session_set_rsr(session, sz);
++ in_uint8a(c->in_s, buf, 17);
++ buf[17] = '\0';
++ scp_session_set_locale(session, buf);
++
++ /* Check there's enough data left for at least an IPv4 address (+len) */
++ if (!s_check_rem(c->in_s, 1 + 4))
++ {
++ log_message(LOG_LEVEL_WARNING,
++ "[v1s:%d] connection aborted: IP addr len missing",
++ __LINE__);
++ return SCP_SERVER_STATE_SIZE_ERR;
++ }
++
++ in_uint8(c->in_s, sz);
++
++ if (sz == SCP_ADDRESS_TYPE_IPV4)
++ {
++ tui32 ipv4;
++ in_uint32_be(c->in_s, ipv4);
++ scp_session_set_addr(session, sz, &ipv4);
++ }
++ else if (sz == SCP_ADDRESS_TYPE_IPV6)
++ {
++ if (!s_check_rem(c->in_s, 16))
++ {
++ log_message(LOG_LEVEL_WARNING,
++ "[v1s:%d] connection aborted: IP addr missing",
++ __LINE__);
++ return SCP_SERVER_STATE_SIZE_ERR;
++ }
++ in_uint8a(c->in_s, buf, 16);
++ scp_session_set_addr(session, sz, buf);
++ }
++
++ /* reading hostname */
++ if (!in_string8(c->in_s, buf, "hostname", __LINE__))
++ {
++ return SCP_SERVER_STATE_SIZE_ERR;
++ }
++
++ if (0 != scp_session_set_hostname(session, buf))
++ {
++ log_message(LOG_LEVEL_WARNING, "[v1s:%d] connection aborted: internal error", __LINE__);
++ return SCP_SERVER_STATE_INTERNAL_ERR;
++ }
++
++ /* reading username */
++ if (!in_string8(c->in_s, buf, "username", __LINE__))
++ {
++ return SCP_SERVER_STATE_SIZE_ERR;
++ }
++
++ if (0 != scp_session_set_username(session, buf))
++ {
++ log_message(LOG_LEVEL_WARNING, "[v1s:%d] connection aborted: internal error", __LINE__);
++ return SCP_SERVER_STATE_INTERNAL_ERR;
++ }
++
++ /* reading password */
++ if (!in_string8(c->in_s, buf, "passwd", __LINE__))
++ {
++ return SCP_SERVER_STATE_SIZE_ERR;
++ }
++
++ if (0 != scp_session_set_password(session, buf))
++ {
++ log_message(LOG_LEVEL_WARNING, "[v1s:%d] connection aborted: internal error", __LINE__);
++ return SCP_SERVER_STATE_INTERNAL_ERR;
++ }
++
++ return SCP_SERVER_STATE_OK;
++}
++
+ /* server API */
+ enum SCP_SERVER_STATES_E scp_v1s_accept(struct SCP_CONNECTION *c, struct SCP_SESSION **s, int skipVchk)
+ {
++ enum SCP_SERVER_STATES_E result;
+ struct SCP_SESSION *session;
+ tui32 version;
+ tui32 size;
+ tui16 cmdset;
+ tui16 cmd;
+- tui8 sz;
+- char buf[257];
++
++ (*s) = NULL;
+
+ if (!skipVchk)
+ {
+@@ -68,13 +246,15 @@ enum SCP_SERVER_STATES_E scp_v1s_accept(struct SCP_CONNECTION *c, struct SCP_SES
+
+ in_uint32_be(c->in_s, size);
+
+- if (size < 12)
++ /* Check the message is big enough for the header, the command set, and
++ * the command (but not too big) */
++ if (size < (8 + 2 + 2) || size > SCP_MAX_MESSAGE_SIZE)
+ {
+ log_message(LOG_LEVEL_WARNING, "[v1s:%d] connection aborted: size error", __LINE__);
+ return SCP_SERVER_STATE_SIZE_ERR;
+ }
+
+- init_stream(c->in_s, c->in_s->size);
++ init_stream(c->in_s, size - 8);
+
+ if (0 != scp_tcp_force_recv(c->in_sck, c->in_s->data, (size - 8)))
+ {
+@@ -82,6 +262,8 @@ enum SCP_SERVER_STATES_E scp_v1s_accept(struct SCP_CONNECTION *c, struct SCP_SES
+ return SCP_SERVER_STATE_NETWORK_ERR;
+ }
+
++ c->in_s->end = c->in_s->data + (size - 8);
++
+ /* reading command set */
+ in_uint16_be(c->in_s, cmdset);
+
+@@ -111,98 +293,27 @@ enum SCP_SERVER_STATES_E scp_v1s_accept(struct SCP_CONNECTION *c, struct SCP_SES
+
+ session = scp_session_create();
+
+- if (0 == session)
+- {
+- log_message(LOG_LEVEL_WARNING, "[v1s:%d] connection aborted: internal error (malloc returned NULL)", __LINE__);
+- return SCP_SERVER_STATE_INTERNAL_ERR;
+- }
+-
+- scp_session_set_version(session, 1);
+-
+- in_uint8(c->in_s, sz);
+-
+- if ((sz != SCP_SESSION_TYPE_XVNC) && (sz != SCP_SESSION_TYPE_XRDP))
++ if (NULL == session)
+ {
+- scp_session_destroy(session);
+- log_message(LOG_LEVEL_WARNING, "[v1s:%d] connection aborted: unknown session type", __LINE__);
+- return SCP_SERVER_STATE_SESSION_TYPE_ERR;
+- }
+-
+- scp_session_set_type(session, sz);
+-
+- in_uint16_be(c->in_s, cmd);
+- scp_session_set_height(session, cmd);
+- in_uint16_be(c->in_s, cmd);
+- scp_session_set_width(session, cmd);
+- in_uint8(c->in_s, sz);
+- if (0 != scp_session_set_bpp(session, sz))
+- {
+- scp_session_destroy(session);
+ log_message(LOG_LEVEL_WARNING,
+- "[v1s:%d] connection aborted: unsupported bpp: %d",
+- __LINE__, sz);
+- return SCP_SERVER_STATE_INTERNAL_ERR;
+- }
+- in_uint8(c->in_s, sz);
+- scp_session_set_rsr(session, sz);
+- in_uint8a(c->in_s, buf, 17);
+- buf[17] = '\0';
+- scp_session_set_locale(session, buf);
+-
+- in_uint8(c->in_s, sz);
+-
+- if (sz == SCP_ADDRESS_TYPE_IPV4)
+- {
+- in_uint32_be(c->in_s, size);
+- scp_session_set_addr(session, sz, &size);
+- }
+- else if (sz == SCP_ADDRESS_TYPE_IPV6)
+- {
+- in_uint8a(c->in_s, buf, 16);
+- scp_session_set_addr(session, sz, buf);
++ "[v1s:%d] connection aborted: internal error "
++ "(malloc returned NULL)", __LINE__);
++ result = SCP_SERVER_STATE_INTERNAL_ERR;
+ }
+-
+- buf[256] = '\0';
+- /* reading hostname */
+- in_uint8(c->in_s, sz);
+- buf[sz] = '\0';
+- in_uint8a(c->in_s, buf, sz);
+-
+- if (0 != scp_session_set_hostname(session, buf))
+- {
+- scp_session_destroy(session);
+- log_message(LOG_LEVEL_WARNING, "[v1s:%d] connection aborted: internal error", __LINE__);
+- return SCP_SERVER_STATE_INTERNAL_ERR;
+- }
+-
+- /* reading username */
+- in_uint8(c->in_s, sz);
+- buf[sz] = '\0';
+- in_uint8a(c->in_s, buf, sz);
+-
+- if (0 != scp_session_set_username(session, buf))
+- {
+- scp_session_destroy(session);
+- log_message(LOG_LEVEL_WARNING, "[v1s:%d] connection aborted: internal error", __LINE__);
+- return SCP_SERVER_STATE_INTERNAL_ERR;
+- }
+-
+- /* reading password */
+- in_uint8(c->in_s, sz);
+- buf[sz] = '\0';
+- in_uint8a(c->in_s, buf, sz);
+-
+- if (0 != scp_session_set_password(session, buf))
++ else
+ {
+- scp_session_destroy(session);
+- log_message(LOG_LEVEL_WARNING, "[v1s:%d] connection aborted: internal error", __LINE__);
+- return SCP_SERVER_STATE_INTERNAL_ERR;
++ result = scp_v1s_init_session(c, session);
++ if (result != SCP_SERVER_STATE_OK)
++ {
++ scp_session_destroy(session);
++ session = NULL;
++ }
+ }
+
+ /* returning the struct */
+ (*s) = session;
+
+- return SCP_SERVER_STATE_OK;
++ return result;
+ }
+
+ enum SCP_SERVER_STATES_E
+@@ -242,13 +353,12 @@ enum SCP_SERVER_STATES_E
+ scp_v1s_request_password(struct SCP_CONNECTION *c, struct SCP_SESSION *s,
+ const char *reason)
+ {
+- tui8 sz;
+ tui32 version;
+ tui32 size;
+ tui16 cmdset;
+ tui16 cmd;
+ int rlen;
+- char buf[257];
++ char buf[256];
+
+ init_stream(c->in_s, c->in_s->size);
+ init_stream(c->out_s, c->out_s->size);
+@@ -296,13 +406,17 @@ scp_v1s_request_password(struct SCP_CONNECTION *c, struct SCP_SESSION *s,
+
+ in_uint32_be(c->in_s, size);
+
+- if (size < 12)
++ /* Check the message is big enough for the header, the command set, and
++ * the command (but not too big) */
++ if (size < (8 + 2 + 2) || size > SCP_MAX_MESSAGE_SIZE)
+ {
+- log_message(LOG_LEVEL_WARNING, "[v1s:%d] connection aborted: size error", __LINE__);
++ log_message(LOG_LEVEL_WARNING,
++ "[v1s:%d] connection aborted: size error",
++ __LINE__);
+ return SCP_SERVER_STATE_SIZE_ERR;
+ }
+
+- init_stream(c->in_s, c->in_s->size);
++ init_stream(c->in_s, size - 8);
+
+ if (0 != scp_tcp_force_recv(c->in_sck, c->in_s->data, (size - 8)))
+ {
+@@ -310,6 +424,8 @@ scp_v1s_request_password(struct SCP_CONNECTION *c, struct SCP_SESSION *s,
+ return SCP_SERVER_STATE_NETWORK_ERR;
+ }
+
++ c->in_s->end = c->in_s->data + (size - 8);
++
+ in_uint16_be(c->in_s, cmdset);
+
+ if (cmdset != SCP_COMMAND_SET_DEFAULT)
+@@ -326,11 +442,11 @@ scp_v1s_request_password(struct SCP_CONNECTION *c, struct SCP_SESSION *s,
+ return SCP_SERVER_STATE_SEQUENCE_ERR;
+ }
+
+- buf[256] = '\0';
+ /* reading username */
+- in_uint8(c->in_s, sz);
+- buf[sz] = '\0';
+- in_uint8a(c->in_s, buf, sz);
++ if (!in_string8(c->in_s, buf, "username", __LINE__))
++ {
++ return SCP_SERVER_STATE_SIZE_ERR;
++ }
+
+ if (0 != scp_session_set_username(s, buf))
+ {
+@@ -339,9 +455,10 @@ scp_v1s_request_password(struct SCP_CONNECTION *c, struct SCP_SESSION *s,
+ }
+
+ /* reading password */
+- in_uint8(c->in_s, sz);
+- buf[sz] = '\0';
+- in_uint8a(c->in_s, buf, sz);
++ if (!in_string8(c->in_s, buf, "passwd", __LINE__))
++ {
++ return SCP_SERVER_STATE_SIZE_ERR;
++ }
+
+ if (0 != scp_session_set_password(s, buf))
+ {
+@@ -468,13 +585,15 @@ scp_v1s_list_sessions(struct SCP_CONNECTION *c, int sescnt, struct SCP_DISCONNEC
+
+ in_uint32_be(c->in_s, size);
+
+- if (size < 12)
++ /* Check the message is big enough for the header, the command set, and
++ * the command (but not too big) */
++ if (size < (8 + 2 + 2) || size > SCP_MAX_MESSAGE_SIZE)
+ {
+ log_message(LOG_LEVEL_WARNING, "[v1s:%d] connection aborted: size error", __LINE__);
+ return SCP_SERVER_STATE_SIZE_ERR;
+ }
+
+- init_stream(c->in_s, c->in_s->size);
++ init_stream(c->in_s, size - 8);
+
+ if (0 != scp_tcp_force_recv(c->in_sck, c->in_s->data, (size - 8)))
+ {
+@@ -482,6 +601,8 @@ scp_v1s_list_sessions(struct SCP_CONNECTION *c, int sescnt, struct SCP_DISCONNEC
+ return SCP_SERVER_STATE_NETWORK_ERR;
+ }
+
++ c->in_s->end = c->in_s->data + (size - 8);
++
+ in_uint16_be(c->in_s, cmd);
+
+ if (cmd != SCP_COMMAND_SET_DEFAULT)
+@@ -606,14 +727,16 @@ scp_v1s_list_sessions(struct SCP_CONNECTION *c, int sescnt, struct SCP_DISCONNEC
+
+ in_uint32_be(c->in_s, size);
+
+- if (size < 12)
++ /* Check the message is big enough for the header, the command set, and
++ * the command (but not too big) */
++ if (size < (8 + 2 + 2) || size > SCP_MAX_MESSAGE_SIZE)
+ {
+ log_message(LOG_LEVEL_WARNING, "[v1s:%d] connection aborted: size error", __LINE__);
+ return SCP_SERVER_STATE_SIZE_ERR;
+ }
+
+ /* rest of the packet */
+- init_stream(c->in_s, c->in_s->size);
++ init_stream(c->in_s, size - 8);
+
+ if (0 != scp_tcp_force_recv(c->in_sck, c->in_s->data, (size - 8)))
+ {
+@@ -621,6 +744,8 @@ scp_v1s_list_sessions(struct SCP_CONNECTION *c, int sescnt, struct SCP_DISCONNEC
+ return SCP_SERVER_STATE_NETWORK_ERR;
+ }
+
++ c->in_s->end = c->in_s->data + (size - 8);
++
+ in_uint16_be(c->in_s, cmd);
+
+ if (cmd != SCP_COMMAND_SET_DEFAULT)
+@@ -633,6 +758,11 @@ scp_v1s_list_sessions(struct SCP_CONNECTION *c, int sescnt, struct SCP_DISCONNEC
+
+ if (cmd == 43)
+ {
++ if (!s_check_rem(c->in_s, 4))
++ {
++ log_message(LOG_LEVEL_WARNING, "[v1s:%d] connection aborted: missing session", __LINE__);
++ return SCP_SERVER_STATE_SIZE_ERR;
++ }
+ /* select session */
+ in_uint32_be(c->in_s, (*sid));
+
+diff --git a/sesman/libscp/libscp_v1s_mng.c b/sesman/libscp/libscp_v1s_mng.c
+index 3a3e1d980870..8e9aed12b84f 100644
+--- a/sesman/libscp/libscp_v1s_mng.c
++++ b/sesman/libscp/libscp_v1s_mng.c
+@@ -38,17 +38,79 @@
+ static enum SCP_SERVER_STATES_E
+ _scp_v1s_mng_check_response(struct SCP_CONNECTION *c, struct SCP_SESSION *s);
+
+-/* server API */
+-enum SCP_SERVER_STATES_E
+-scp_v1s_mng_accept(struct SCP_CONNECTION *c, struct SCP_SESSION **s)
++/**
++ * Reads a uint8 followed by a string into a buffer
++ *
++ * Buffer is null-terminated on success
++ *
++ * @param s Input stream
++ * @param [out] Output buffer (must be >= 256 chars)
++ * @param param Parameter we're reading
++ * @param line Line number reference
++ * @return != 0 if string read OK
++ *
++ * @todo
++ * This needs to be merged with the func of the same name in
++ * libscp_v1s.c
++ */
++static
++int in_string8(struct stream *s, char str[], const char *param, int line)
++{
++ int result;
++
++ if (!s_check_rem(s, 1))
++ {
++ log_message(LOG_LEVEL_WARNING,
++ "[v1s_mng:%d] connection aborted: %s len missing",
++ line, param);
++ result = 0;
++ }
++ else
++ {
++ unsigned int sz;
++
++ in_uint8(s, sz);
++ result = s_check_rem(s, sz);
++ if (!result)
++ {
++ log_message(LOG_LEVEL_WARNING,
++ "[v1s_mng:%d] connection aborted: %s data missing",
++ line, param);
++ }
++ else
++ {
++ in_uint8a(s, str, sz);
++ str[sz] = '\0';
++ }
++ }
++ return result;
++}
++/**
++ * Initialises a V1 management session object
++ *
++ * At call time, the command set value has been read from the wire, and
++ * the command still needs to be processed.
++ *
++ * @param c Connection
++ * @param [out] session pre-allocated session object
++ * @return SCP_SERVER_STATE_START_MANAGE for success
++ */
++static enum SCP_SERVER_STATES_E
++scp_v1s_mng_init_session(struct SCP_CONNECTION *c, struct SCP_SESSION *session)
+ {
+- struct SCP_SESSION *session;
+ tui32 ipaddr;
+ tui16 cmd;
+ tui8 sz;
+- char buf[257];
++ char buf[256];
++
++ scp_session_set_version(session, 1);
+
+ /* reading command */
++ if (!s_check_rem(c->in_s, 2))
++ {
++ /* Caller should have checked this */
++ return SCP_SERVER_STATE_SIZE_ERR;
++ }
+ in_uint16_be(c->in_s, cmd);
+
+ if (cmd != 1) /* manager login */
+@@ -56,41 +118,39 @@ scp_v1s_mng_accept(struct SCP_CONNECTION *c, struct SCP_SESSION **s)
+ return SCP_SERVER_STATE_SEQUENCE_ERR;
+ }
+
+- session = scp_session_create();
+-
+- if (0 == session)
++ /* reading username */
++ if (!in_string8(c->in_s, buf, "username", __LINE__))
+ {
+- return SCP_SERVER_STATE_INTERNAL_ERR;
++ return SCP_SERVER_STATE_SIZE_ERR;
+ }
+
+- scp_session_set_version(session, 1);
+- scp_session_set_type(session, SCP_SESSION_TYPE_MANAGE);
+-
+- /* reading username */
+- in_uint8(c->in_s, sz);
+- buf[sz] = '\0';
+- in_uint8a(c->in_s, buf, sz);
+-
+ if (0 != scp_session_set_username(session, buf))
+ {
+- scp_session_destroy(session);
+ return SCP_SERVER_STATE_INTERNAL_ERR;
+ }
+
+ /* reading password */
+- in_uint8(c->in_s, sz);
+- buf[sz] = '\0';
+- in_uint8a(c->in_s, buf, sz);
++ if (!in_string8(c->in_s, buf, "passwd", __LINE__))
++ {
++ return SCP_SERVER_STATE_SIZE_ERR;
++ }
+
+ if (0 != scp_session_set_password(session, buf))
+ {
+- scp_session_destroy(session);
+ return SCP_SERVER_STATE_INTERNAL_ERR;
+ }
+
+- /* reading remote address */
+- in_uint8(c->in_s, sz);
++ /* reading remote address
++ * Check there's enough data left for at least an IPv4 address (+len) */
++ if (!s_check_rem(c->in_s, 1 + 4))
++ {
++ log_message(LOG_LEVEL_WARNING,
++ "[v1s_mng:%d] connection aborted: IP addr len missing",
++ __LINE__);
++ return SCP_SERVER_STATE_SIZE_ERR;
++ }
+
++ in_uint8(c->in_s, sz);
+ if (sz == SCP_ADDRESS_TYPE_IPV4)
+ {
+ in_uint32_be(c->in_s, ipaddr);
+@@ -98,25 +158,57 @@ scp_v1s_mng_accept(struct SCP_CONNECTION *c, struct SCP_SESSION **s)
+ }
+ else if (sz == SCP_ADDRESS_TYPE_IPV6)
+ {
++ if (!s_check_rem(c->in_s, 16))
++ {
++ log_message(LOG_LEVEL_WARNING,
++ "[v1s_mng:%d] connection aborted: IP addr missing",
++ __LINE__);
++ return SCP_SERVER_STATE_SIZE_ERR;
++ }
+ in_uint8a(c->in_s, buf, 16);
+ scp_session_set_addr(session, sz, buf);
+ }
+
+ /* reading hostname */
+- in_uint8(c->in_s, sz);
+- buf[sz] = '\0';
+- in_uint8a(c->in_s, buf, sz);
++ if (!in_string8(c->in_s, buf, "hostname", __LINE__))
++ {
++ return SCP_SERVER_STATE_SIZE_ERR;
++ }
+
+ if (0 != scp_session_set_hostname(session, buf))
+ {
+- scp_session_destroy(session);
+ return SCP_SERVER_STATE_INTERNAL_ERR;
+ }
+
+- /* returning the struct */
++ return SCP_SERVER_STATE_START_MANAGE;
++}
++
++enum SCP_SERVER_STATES_E
++scp_v1s_mng_accept(struct SCP_CONNECTION *c, struct SCP_SESSION **s)
++{
++ enum SCP_SERVER_STATES_E result;
++ struct SCP_SESSION *session;
++
++ session = scp_session_create();
++ if (NULL == session)
++ {
++ result = SCP_SERVER_STATE_INTERNAL_ERR;
++ }
++ else
++ {
++ scp_session_set_type(session, SCP_SESSION_TYPE_MANAGE);
++
++ result = scp_v1s_mng_init_session(c, session);
++ if (result != SCP_SERVER_STATE_START_MANAGE)
++ {
++ scp_session_destroy(session);
++ session = NULL;
++ }
++ }
++
+ (*s) = session;
+
+- return SCP_SERVER_STATE_START_MANAGE;
++ return result;
+ }
+
+ /* 002 */
+@@ -312,7 +404,15 @@ _scp_v1s_mng_check_response(struct SCP_CONNECTION *c, struct SCP_SESSION *s)
+
+ in_uint32_be(c->in_s, size);
+
+- init_stream(c->in_s, c->in_s->size);
++ /* Check the message is big enough for the header, the command set, and
++ * the command (but not too big) */
++ if (size < (8 + 2 + 2) || size > SCP_MAX_MESSAGE_SIZE)
++ {
++ log_message(LOG_LEVEL_WARNING, "[v1s_mng:%d] connection aborted: size error", __LINE__);
++ return SCP_SERVER_STATE_SIZE_ERR;
++ }
++
++ init_stream(c->in_s, size - 8);
+
+ /* read the rest of the packet */
+ if (0 != scp_tcp_force_recv(c->in_sck, c->in_s->data, size - 8))
+@@ -321,6 +421,8 @@ _scp_v1s_mng_check_response(struct SCP_CONNECTION *c, struct SCP_SESSION *s)
+ return SCP_SERVER_STATE_NETWORK_ERR;
+ }
+
++ c->in_s->end = c->in_s->data + (size - 8);
++
+ in_uint16_be(c->in_s, cmd);
+
+ if (cmd != SCP_COMMAND_SET_MANAGE)
+diff --git a/sesman/scp.c b/sesman/scp.c
+index d548052aeb39..7fa4d2a78b64 100644
+--- a/sesman/scp.c
++++ b/sesman/scp.c
+@@ -48,8 +48,8 @@ scp_process_start(void *sck)
+ make_stream(scon.in_s);
+ make_stream(scon.out_s);
+
+- init_stream(scon.in_s, 8192);
+- init_stream(scon.out_s, 8192);
++ init_stream(scon.in_s, SCP_MAX_MESSAGE_SIZE);
++ init_stream(scon.out_s, SCP_MAX_MESSAGE_SIZE);
+
+ switch (scp_vXs_accept(&scon, &(sdata)))
+ {
+@@ -76,10 +76,12 @@ scp_process_start(void *sck)
+ scp_v1_mng_process(&scon, sdata);
+ break;
+ case SCP_SERVER_STATE_VERSION_ERR:
+- /* an unknown scp version was requested, so we shut down the */
+- /* connection (and log the fact) */
++ case SCP_SERVER_STATE_SIZE_ERR:
++ /* an unknown scp version was requested, or the message sizes
++ are inconsistent. Shut down the connection and log the
++ fact */
+ log_message(LOG_LEVEL_WARNING,
+- "unknown protocol version specified. connection refused.");
++ "protocol violation. connection refused.");
+ break;
+ case SCP_SERVER_STATE_NETWORK_ERR:
+ log_message(LOG_LEVEL_WARNING, "libscp network error.");
+--
+2.28.0.rc0
+
diff -Nru xrdp-0.9.12/debian/patches/Fixed-CVE-2020-4044-CI-errors.patch xrdp-0.9.12/debian/patches/Fixed-CVE-2020-4044-CI-errors.patch
--- xrdp-0.9.12/debian/patches/Fixed-CVE-2020-4044-CI-errors.patch 1970-01-01 01:00:00.000000000 +0100
+++ xrdp-0.9.12/debian/patches/Fixed-CVE-2020-4044-CI-errors.patch 2020-07-19 17:11:20.000000000 +0200
@@ -0,0 +1,102 @@
+From: matt335672 <30179339+matt335672@users.noreply.github.com>
+Date: Mon, 29 Jun 2020 11:22:13 +0100
+Subject: Fixed CVE-2020-4044 CI errors
+Origin: https://github.com/neutrinolabs/xrdp/commit/cfd653c6e541ccba38cadbc8776423b288d14042
+
+---
+ sesman/libscp/libscp_v0.c | 12 ++++++------
+ sesman/libscp/libscp_v1s.c | 6 +++---
+ sesman/libscp/libscp_v1s_mng.c | 2 +-
+ 3 files changed, 10 insertions(+), 10 deletions(-)
+
+diff --git a/sesman/libscp/libscp_v0.c b/sesman/libscp/libscp_v0.c
+index 55168b4f515f..90bf921e9783 100644
+--- a/sesman/libscp/libscp_v0.c
++++ b/sesman/libscp/libscp_v0.c
+@@ -99,7 +99,7 @@ enum SCP_CLIENT_STATES_E
+ scp_v0c_connect(struct SCP_CONNECTION *c, struct SCP_SESSION *s)
+ {
+ tui32 version;
+- tui32 size;
++ int size;
+ tui16 sz;
+
+ init_stream(c->in_s, c->in_s->size);
+@@ -187,8 +187,8 @@ scp_v0c_connect(struct SCP_CONNECTION *c, struct SCP_SESSION *s)
+ if (size < (8 + 2 + 2 + 2) || size > SCP_MAX_MESSAGE_SIZE)
+ {
+ log_message(LOG_LEVEL_WARNING,
+- "[v0:%d] connection aborted: msg size = %u",
+- __LINE__, (unsigned int)size);
++ "[v0:%d] connection aborted: msg size = %d",
++ __LINE__, size);
+ return SCP_CLIENT_STATE_SIZE_ERR;
+ }
+
+@@ -240,7 +240,7 @@ scp_v0c_connect(struct SCP_CONNECTION *c, struct SCP_SESSION *s)
+ static enum SCP_SERVER_STATES_E
+ scp_v0s_init_session(struct SCP_CONNECTION *c, struct SCP_SESSION *session)
+ {
+- tui32 size;
++ int size;
+ tui16 height;
+ tui16 width;
+ tui16 bpp;
+@@ -254,8 +254,8 @@ scp_v0s_init_session(struct SCP_CONNECTION *c, struct SCP_SESSION *session)
+ if (size < (8 + 2) || size > SCP_MAX_MESSAGE_SIZE)
+ {
+ log_message(LOG_LEVEL_WARNING,
+- "[v0:%d] connection aborted: msg size = %u",
+- __LINE__, (unsigned int)size);
++ "[v0:%d] connection aborted: msg size = %d",
++ __LINE__, size);
+ return SCP_SERVER_STATE_SIZE_ERR;
+ }
+
+diff --git a/sesman/libscp/libscp_v1s.c b/sesman/libscp/libscp_v1s.c
+index 37e8a01c42f8..7aab200df522 100644
+--- a/sesman/libscp/libscp_v1s.c
++++ b/sesman/libscp/libscp_v1s.c
+@@ -218,7 +218,7 @@ enum SCP_SERVER_STATES_E scp_v1s_accept(struct SCP_CONNECTION *c, struct SCP_SES
+ enum SCP_SERVER_STATES_E result;
+ struct SCP_SESSION *session;
+ tui32 version;
+- tui32 size;
++ int size;
+ tui16 cmdset;
+ tui16 cmd;
+
+@@ -354,7 +354,7 @@ scp_v1s_request_password(struct SCP_CONNECTION *c, struct SCP_SESSION *s,
+ const char *reason)
+ {
+ tui32 version;
+- tui32 size;
++ int size;
+ tui16 cmdset;
+ tui16 cmd;
+ int rlen;
+@@ -539,7 +539,7 @@ enum SCP_SERVER_STATES_E
+ scp_v1s_list_sessions(struct SCP_CONNECTION *c, int sescnt, struct SCP_DISCONNECTED_SESSION *ds, SCP_SID *sid)
+ {
+ tui32 version = 1;
+- tui32 size = 12;
++ int size = 12;
+ tui16 cmd = 40;
+ int pktcnt;
+ int idx;
+diff --git a/sesman/libscp/libscp_v1s_mng.c b/sesman/libscp/libscp_v1s_mng.c
+index 8e9aed12b84f..28c8290f8ff7 100644
+--- a/sesman/libscp/libscp_v1s_mng.c
++++ b/sesman/libscp/libscp_v1s_mng.c
+@@ -381,7 +381,7 @@ static enum SCP_SERVER_STATES_E
+ _scp_v1s_mng_check_response(struct SCP_CONNECTION *c, struct SCP_SESSION *s)
+ {
+ tui32 version;
+- tui32 size;
++ int size;
+ tui16 cmd;
+ // tui8 dim;
+ // char buf[257];
+--
+2.28.0.rc0
+
diff -Nru xrdp-0.9.12/debian/patches/series xrdp-0.9.12/debian/patches/series
--- xrdp-0.9.12/debian/patches/series 2020-01-11 02:26:41.000000000 +0100
+++ xrdp-0.9.12/debian/patches/series 2020-07-19 17:11:20.000000000 +0200
@@ -7,3 +7,5 @@
pulse-debian.patch
var-run.diff
document-certs.diff
+Fix-for-CVE-2020-4044.patch
+Fixed-CVE-2020-4044-CI-errors.patch
Reply to: