[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[PATCH 94/97] slirp: ip_reass: Fix use after free
From: |
Michael Roth |
Subject: |
[PATCH 94/97] slirp: ip_reass: Fix use after free |
Date: |
Tue, 1 Oct 2019 18:46:13 -0500 |
Using ip_deq after m_free might read pointers from an allocation reuse.
This would be difficult to exploit, but that is still related with
CVE-2019-14378 which generates fragmented IP packets that would trigger this
issue and at least produce a DoS.
Signed-off-by: Samuel Thibault <address@hidden>
(from libslirp.git commit c59279437eda91841b9d26079c70b8a540d41204)
Signed-off-by: Michael Roth <address@hidden>
---
slirp/src/ip_input.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/slirp/src/ip_input.c b/slirp/src/ip_input.c
index 68a99de5b5..89ae04e0c1 100644
--- a/slirp/src/ip_input.c
+++ b/slirp/src/ip_input.c
@@ -297,6 +297,7 @@ ip_reass(Slirp *slirp, struct ip *ip, struct ipq *fp)
*/
while (q != (struct ipasfrag*)&fp->frag_link &&
ip->ip_off + ip->ip_len > q->ipf_off) {
+ struct ipasfrag *prev;
i = (ip->ip_off + ip->ip_len) - q->ipf_off;
if (i < q->ipf_len) {
q->ipf_len -= i;
@@ -304,9 +305,10 @@ ip_reass(Slirp *slirp, struct ip *ip, struct ipq *fp)
m_adj(dtom(slirp, q), i);
break;
}
+ prev = q;
q = q->ipf_next;
- m_free(dtom(slirp, q->ipf_prev));
- ip_deq(q->ipf_prev);
+ ip_deq(prev);
+ m_free(dtom(slirp, prev));
}
insert:
--
2.17.1
- [PATCH 10/97] spapr/xive: fix EQ page addresses above 64GB, (continued)
- [PATCH 10/97] spapr/xive: fix EQ page addresses above 64GB, Michael Roth, 2019/10/01
- [PATCH 06/97] block: Fix AioContext switch for bs->drv == NULL, Michael Roth, 2019/10/01
- [PATCH 96/97] hw/core/loader: Fix possible crash in rom_copy(), Michael Roth, 2019/10/01
- [PATCH 93/97] slirp: Fix heap overflow in ip_reass on big packet input, Michael Roth, 2019/10/01
- [PATCH 95/97] s390: PCI: fix IOMMU region init, Michael Roth, 2019/10/01
- [PATCH 63/97] backup: Copy only dirty areas, Michael Roth, 2019/10/01
- [PATCH 08/97] Makefile: add nit-picky mode to sphinx-build, Michael Roth, 2019/10/01
- [PATCH 97/97] scsi: lsi: exit infinite loop while executing script (CVE-2019-12068), Michael Roth, 2019/10/01
- [PATCH 74/97] xen-bus: Fix backend state transition on device reset, Michael Roth, 2019/10/01
- [PATCH 75/97] pr-manager: Fix invalid g_free() crash bug, Michael Roth, 2019/10/01
- [PATCH 94/97] slirp: ip_reass: Fix use after free,
Michael Roth <=
- [PATCH 09/97] docs/interop/bitmaps: rewrite and modernize doc, Michael Roth, 2019/10/01
- [PATCH 23/97] iotests: add iotest 256 for testing blockdev-backup across iothread contexts, Michael Roth, 2019/10/01
- [PATCH 91/97] curl: Handle success in multi_check_completion, Michael Roth, 2019/10/01
- [PATCH 19/97] iotests.py: do not use infinite waits, Michael Roth, 2019/10/01
- Re: [PATCH 00/97] Patch Round-up for stable 4.0.1, freeze on 2019-10-10, Thomas Huth, 2019/10/02
- Re: [PATCH 00/97] Patch Round-up for stable 4.0.1, freeze on 2019-10-10, Philippe Mathieu-Daudé, 2019/10/03
- Re: [PATCH 00/97] Patch Round-up for stable 4.0.1, freeze on 2019-10-10, Alexandr Iarygin, 2019/10/07
- Re: [PATCH 00/97] Patch Round-up for stable 4.0.1, freeze on 2019-10-10, Philippe Mathieu-Daudé, 2019/10/08