[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[PATCH 93/97] slirp: Fix heap overflow in ip_reass on big packet input
From: |
Michael Roth |
Subject: |
[PATCH 93/97] slirp: Fix heap overflow in ip_reass on big packet input |
Date: |
Tue, 1 Oct 2019 18:46:12 -0500 |
When the first fragment does not fit in the preallocated buffer, q will
already be pointing to the ext buffer, so we mustn't try to update it.
Signed-off-by: Samuel Thibault <address@hidden>
(from libslirp.git commit 126c04acbabd7ad32c2b018fe10dfac2a3bc1210)
(from libslirp.git commit e0be80430c390bce181ea04dfcdd6ea3dfa97de1)
*squash in e0be80 (clarifying comments)
Signed-off-by: Michael Roth <address@hidden>
---
slirp/src/ip_input.c | 13 +++++++------
1 file changed, 7 insertions(+), 6 deletions(-)
diff --git a/slirp/src/ip_input.c b/slirp/src/ip_input.c
index a714fecd58..68a99de5b5 100644
--- a/slirp/src/ip_input.c
+++ b/slirp/src/ip_input.c
@@ -331,6 +331,8 @@ insert:
q = fp->frag_link.next;
m = dtom(slirp, q);
+ int was_ext = m->m_flags & M_EXT;
+
q = (struct ipasfrag *) q->ipf_next;
while (q != (struct ipasfrag*)&fp->frag_link) {
struct mbuf *t = dtom(slirp, q);
@@ -347,13 +349,12 @@ insert:
q = fp->frag_link.next;
/*
- * If the fragments concatenated to an mbuf that's
- * bigger than the total size of the fragment, then and
- * m_ext buffer was alloced. But fp->ipq_next points to
- * the old buffer (in the mbuf), so we must point ip
- * into the new buffer.
+ * If the fragments concatenated to an mbuf that's bigger than the total
+ * size of the fragment and the mbuf was not already using an m_ext
buffer,
+ * then an m_ext buffer was alloced. But fp->ipq_next points to the old
+ * buffer (in the mbuf), so we must point ip into the new buffer.
*/
- if (m->m_flags & M_EXT) {
+ if (!was_ext && m->m_flags & M_EXT) {
int delta = (char *)q - m->m_dat;
q = (struct ipasfrag *)(m->m_ext + delta);
}
--
2.17.1
- [PATCH 89/97] curl: Pass CURLSocket to curl_multi_do(), (continued)
- [PATCH 89/97] curl: Pass CURLSocket to curl_multi_do(), Michael Roth, 2019/10/01
- [PATCH 90/97] curl: Report only ready sockets, Michael Roth, 2019/10/01
- [PATCH 82/97] libvhost-user: fix SLAVE_SEND_FD handling, Michael Roth, 2019/10/01
- [PATCH 85/97] blockjob: update nodes head while removing all bdrv, Michael Roth, 2019/10/01
- [PATCH 73/97] target/arm: Don't abort on M-profile exception return in linux-user mode, Michael Roth, 2019/10/01
- [PATCH 84/97] block/nfs: tear down aio before nfs_close, Michael Roth, 2019/10/01
- [PATCH 92/97] curl: Check curl_multi_add_handle()'s return code, Michael Roth, 2019/10/01
- [PATCH 10/97] spapr/xive: fix EQ page addresses above 64GB, Michael Roth, 2019/10/01
- [PATCH 06/97] block: Fix AioContext switch for bs->drv == NULL, Michael Roth, 2019/10/01
- [PATCH 96/97] hw/core/loader: Fix possible crash in rom_copy(), Michael Roth, 2019/10/01
- [PATCH 93/97] slirp: Fix heap overflow in ip_reass on big packet input,
Michael Roth <=
- [PATCH 95/97] s390: PCI: fix IOMMU region init, Michael Roth, 2019/10/01
- [PATCH 63/97] backup: Copy only dirty areas, Michael Roth, 2019/10/01
- [PATCH 08/97] Makefile: add nit-picky mode to sphinx-build, Michael Roth, 2019/10/01
- [PATCH 97/97] scsi: lsi: exit infinite loop while executing script (CVE-2019-12068), Michael Roth, 2019/10/01
- [PATCH 74/97] xen-bus: Fix backend state transition on device reset, Michael Roth, 2019/10/01
- [PATCH 75/97] pr-manager: Fix invalid g_free() crash bug, Michael Roth, 2019/10/01
- [PATCH 94/97] slirp: ip_reass: Fix use after free, Michael Roth, 2019/10/01
- [PATCH 09/97] docs/interop/bitmaps: rewrite and modernize doc, Michael Roth, 2019/10/01
- [PATCH 23/97] iotests: add iotest 256 for testing blockdev-backup across iothread contexts, Michael Roth, 2019/10/01
- [PATCH 91/97] curl: Handle success in multi_check_completion, Michael Roth, 2019/10/01