[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [Qemu-devel] [PATCH v2] slirp: udp: fix NULL pointer dereference bec
Re: [Qemu-devel] [PATCH v2] slirp: udp: fix NULL pointer dereference because of uninitialized socket
Wed, 24 Sep 2014 03:40:53 -0700
On 23 September 2014 09:50, Michael Tokarev <address@hidden> wrote:
> 18.09.2014 10:35, Petr Matousek wrote:
>> When guest sends udp packet with source port and source addr 0,
>> uninitialized socket is picked up when looking for matching and already
>> created udp sockets, and later passed to sosendto() where NULL pointer
>> dereference is hit during so->slirp->vnetwork_mask.s_addr access.
>> Fix this by checking that the socket is not just a socket stub.
>> This is CVE-2014-3640.
>> Signed-off-by: Petr Matousek <address@hidden>
>> Reported-by: Xavier Mehrenberger <address@hidden>
>> Reported-by: Stephane Duverger <address@hidden>
> Reviewed-by: Michael Tokarev <address@hidden>
Applied to master, thanks.