qemu-devel

[Bug 1858415] Re: in tcp_emu function has OOB bug


From: Philippe Mathieu-Daudé
Subject: [Bug 1858415] Re: in tcp_emu function has OOB bug
Date: Wed, 10 Jun 2020 12:49:04 -0000

libslirp fix included in commit 7769c23774d1, released in QEMU-v5.0.0

-- 
You received this bug notification because you are a member of qemu-
devel-ml, which is subscribed to QEMU.
https://bugs.launchpad.net/bugs/1858415

Title:
  in tcp_emu function has OOB bug

Status in QEMU:
  Fix Released

Bug description:
  qemu version: 4.1.0

  ```c
  int tcp_emu(struct socket *so, struct mbuf *m){
  ............
  case EMU_REALAUDIO:
  ............
      /* loop condition only guarantees one byte remains, not two */
      while (bptr < m->m_data + m->m_len) {
          case 6:
  ............
              /* reads bptr[1]: one past the end when bptr == m->m_data + m->m_len - 1 */
              lport = (((uint8_t *)bptr)[0] << 8) + ((uint8_t *)bptr)[1];
  ............
              /* after bptr++, the second write can land at m->m_data + m->m_len */
              *(uint8_t *)bptr++ = (p >> 8) & 0xff;
              *(uint8_t *)bptr = p & 0xff;
  ............
      }
  ............
  ............
  }
  ```

  `bptr)[1]` and `bptr++` may make bptr == m->m_data + m->m_len, and cause
  OOB (out of bounds).

To manage notifications about this bug go to:
https://bugs.launchpad.net/qemu/+bug/1858415/+subscriptions
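The boundary condition from the report, modelled as an added example (not libslirp or QEMU code): `struct pkt`, `rewrite_ports` and the helper predicates are constructed names that stand in for the mbuf walk in tcp_emu. It shows why `bptr < m_data + m_len` admits a position with only one byte left, and the check that refuses it before a 2-byte field is read and written.

```c
/* Added example, not libslirp code: a model of the tcp_emu loop above
 * using constructed names. A 16-bit field is parsed and rewritten in
 * place, so the loop must guarantee two bytes remain, not one. */
#include <stdint.h>
#include <stddef.h>

struct pkt {            /* stands in for the mbuf fields m_data / m_len */
    uint8_t *m_data;
    size_t   m_len;
};

/* Loop condition as in the report: true whenever bptr has not reached
 * the end, even if only a single byte is left. */
static int unsafe_has_field(const struct pkt *m, const uint8_t *bptr)
{
    return bptr < m->m_data + m->m_len;
}

/* Hardened condition: both bytes of the field must lie inside the buffer. */
static int safe_has_field(const struct pkt *m, const uint8_t *bptr)
{
    return bptr + 2 <= m->m_data + m->m_len;
}

/* Walk the buffer as big-endian 16-bit port fields and replace every
 * old_port with new_port. Returns the number of fields rewritten, or -1
 * if a trailing odd byte is reached: the position the original loop
 * accepted and then read/wrote one byte past m_data + m_len. */
static int rewrite_ports(struct pkt *m, uint16_t old_port, uint16_t new_port)
{
    uint8_t *bptr = m->m_data;
    int n = 0;
    while (unsafe_has_field(m, bptr)) {
        if (!safe_has_field(m, bptr))
            return -1;                  /* refuse instead of going OOB */
        uint16_t lport = (uint16_t)((bptr[0] << 8) | bptr[1]);
        if (lport == old_port) {
            bptr[0] = (new_port >> 8) & 0xff;
            bptr[1] = new_port & 0xff;
            n++;
        }
        bptr += 2;
    }
    return n;
}
```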
