]> xenbits.xensource.com Git - qemu-xen.git/commitdiff
projects / qemu-xen.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: bd6dd4e)
slirp: check data length while emulating ident function
authorPrasad J Pandit <pjp@fedoraproject.org>
Sun, 13 Jan 2019 17:59:48 +0000 (23:29 +0530)
committerMichael Roth <mdroth@linux.vnet.ibm.com>
Tue, 2 Apr 2019 18:16:34 +0000 (13:16 -0500)
While emulating identification protocol, tcp_emu() does not check
available space in the 'sc_rcv->sb_data' buffer. It could lead to
heap buffer overflow issue. Add check to avoid it.

Reported-by: Kira <864786842@qq.com>
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
Signed-off-by: Samuel Thibault <samuel.thibault@ens-lyon.org>
(cherry picked from commit a7104eda7dab99d0cdbd3595c211864cba415905)
*CVE-2019-6778
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
slirp/tcp_subr.c patch | blob | blame | history

diff --git a/slirp/tcp_subr.c b/slirp/tcp_subr.c
index 473c8b04e668cbd7191267453135675d2fd39939..aa88de854ab597713026ca3247c5ca792c3ac971 100644 (file)
--- a/slirp/tcp_subr.c
+++ b/slirp/tcp_subr.c
@@ -640,6 +640,11 @@ tcp_emu(struct socket *so, struct mbuf *m)
                        socklen_t addrlen = sizeof(struct sockaddr_in);
                        struct sbuf *so_rcv = &so->so_rcv;
 
+                       if (m->m_len > so_rcv->sb_datalen
+                                       - (so_rcv->sb_wptr - so_rcv->sb_data)) {
+                           return 1;
+                       }
+
                        memcpy(so_rcv->sb_wptr, m->m_data, m->m_len);
                        so_rcv->sb_wptr += m->m_len;
                        so_rcv->sb_rptr += m->m_len;
qemu-xen (upstream qemu) tree.