[Qemu-devel] [5920] slirp: fix CVE 2007-5729


From: Aurelien Jarno
Subject: [Qemu-devel] [5920] slirp: fix CVE 2007-5729
Date: Sun, 07 Dec 2008 18:15:27 +0000

Revision: 5920
          http://svn.sv.gnu.org/viewvc/?view=rev&root=qemu&revision=5920
Author:   aurel32
Date:     2008-12-07 18:15:23 +0000 (Sun, 07 Dec 2008)

Log Message:
-----------
slirp: fix CVE 2007-5729

The emulated network cards in QEMU allow local users to execute arbitrary
code by writing Ethernet frames with a size larger than the slirp's default
MTU, which triggers a heap-based buffer overflow in the slirp library.

Signed-off-by: Aurelien Jarno <address@hidden>

Modified Paths:
--------------
    trunk/slirp/slirp.c

Modified: trunk/slirp/slirp.c
===================================================================
--- trunk/slirp/slirp.c 2008-12-07 17:16:42 UTC (rev 5919)
+++ trunk/slirp/slirp.c 2008-12-07 18:15:23 UTC (rev 5920)
@@ -654,6 +654,9 @@
         if (!m)
             return;
         /* Note: we add to align the IP header */
+        if (M_FREEROOM(m) < pkt_len + 2) {
+            m_inc(m, pkt_len + 2);
+        }
         m->m_len = pkt_len + 2;
         memcpy(m->m_data + 2, pkt, pkt_len);
 
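Review bot: the added check `if (M_FREEROOM(m) < pkt_len + 2)` tests free room, but `m_inc(m, pkt_len + 2)` passes the same value as a size argument, and nothing in the visible lines confirms that the mbuf really has `pkt_len + 2` bytes of free room before the `memcpy` two lines later. If `m_inc` measures its argument differently from `M_FREEROOM` (for example as a total buffer size that includes header space), or can return without growing the buffer, the copy still overruns. Suggest re-checking `M_FREEROOM(m)` after the call and dropping the frame (free `m` and return) when it is still too small. It would also help to reject or cap `pkt_len` before this point, since the frame length is chosen by whoever writes the frame and now directly sizes a heap allocation. As a style point, the constant 2 appears in the check, the `m_inc` call, `m_len` and the `memcpy` offset; a named constant would keep them in step, and the existing comment ("we add to align the IP header") does not say what is added.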





