[PATCH 93/97] slirp: Fix heap overflow in ip_reass on big packet input
From: Michael Roth
Subject: [PATCH 93/97] slirp: Fix heap overflow in ip_reass on big packet input
Date: Tue, 1 Oct 2019 18:46:12 -0500
When the first fragment does not fit in the preallocated buffer, q will
already be pointing to the ext buffer, so we mustn't try to update it.
Signed-off-by: Samuel Thibault <address@hidden>
(from libslirp.git commit 126c04acbabd7ad32c2b018fe10dfac2a3bc1210)
(from libslirp.git commit e0be80430c390bce181ea04dfcdd6ea3dfa97de1)
*squash in e0be80 (clarifying comments)
Signed-off-by: Michael Roth <address@hidden>
---
slirp/src/ip_input.c | 13 +++++++------
1 file changed, 7 insertions(+), 6 deletions(-)
diff --git a/slirp/src/ip_input.c b/slirp/src/ip_input.c
index a714fecd58..68a99de5b5 100644
--- a/slirp/src/ip_input.c
+++ b/slirp/src/ip_input.c
@@ -331,6 +331,8 @@ insert:
q = fp->frag_link.next;
m = dtom(slirp, q);
+ int was_ext = m->m_flags & M_EXT;
+
q = (struct ipasfrag *) q->ipf_next;
while (q != (struct ipasfrag*)&fp->frag_link) {
struct mbuf *t = dtom(slirp, q);
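Review bot: `int was_ext = m->m_flags & M_EXT;` is declared after the statements `q = fp->frag_link.next;` and `m = dtom(slirp, q);` in the same block, so declarations and code are now interleaved; consider declaring `int was_ext;` at the top of the block and only assigning it here. Either way, a one-line comment at the assignment would help the next reader: the value has to be sampled before the `while (q != (struct ipasfrag*)&fp->frag_link)` concatenation loop because, as the comment in the following hunk explains, that concatenation can attach an m_ext buffer to `m`, and the later relocation of `q` must be able to tell "M_EXT was set by the concatenation" apart from "the first fragment already lived in an m_ext buffer".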
@@ -347,13 +349,12 @@ insert:
q = fp->frag_link.next;
/*
- * If the fragments concatenated to an mbuf that's
- * bigger than the total size of the fragment, then and
- * m_ext buffer was alloced. But fp->ipq_next points to
- * the old buffer (in the mbuf), so we must point ip
- * into the new buffer.
+ * If the fragments concatenated to an mbuf that's bigger than the total
+ * size of the fragment and the mbuf was not already using an m_ext
buffer,
+ * then an m_ext buffer was alloced. But fp->ipq_next points to the old
+ * buffer (in the mbuf), so we must point ip into the new buffer.
*/
- if (m->m_flags & M_EXT) {
+ if (!was_ext && m->m_flags & M_EXT) {
int delta = (char *)q - m->m_dat;
q = (struct ipasfrag *)(m->m_ext + delta);
}
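Review bot: the new condition `!was_ext && m->m_flags & M_EXT` depends on `&` binding tighter than `&&`; it is correct, but `!was_ext && (m->m_flags & M_EXT)` states the intent explicitly and avoids a second look from reviewers. The guard itself is right for the reason the commit message gives: `int delta = (char *)q - m->m_dat;` only yields a meaningful offset when `q` (re-read from `fp->frag_link.next` just above) still points into `m_dat`, and if the first fragment was already using an m_ext buffer, `q` already points into `m->m_ext`, so subtracting `m_dat` would produce a garbage delta and `q = (struct ipasfrag *)(m->m_ext + delta);` would move `q` out of the buffer. Also double-check the rewrapped comment: the fragment `buffer,` appears on its own line without the `+ *` prefix here, which is most likely a rendering artifact of this archive but is worth confirming against the applied patch.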
--
2.17.1