* [Qemu-devel] [PATCH-for-3.1.1 0/1] Backport of CVE-2019-14378 fix
@ 2019-08-02 18:04 Philippe Mathieu-Daudé
From: Philippe Mathieu-Daudé @ 2019-08-02 18:04 UTC (permalink / raw)
To: qemu-devel; +Cc: Samuel Thibault, Philippe Mathieu-Daudé, Michael Roth
Trivial backport from the libslirp repository.
Samuel Thibault (1):
Fix heap overflow in ip_reass on big packet input
slirp/ip_input.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
--
2.20.1
* [Qemu-devel] [PATCH-for-3.1.1 1/1] Fix heap overflow in ip_reass on big packet input
From: Philippe Mathieu-Daudé @ 2019-08-02 18:04 UTC (permalink / raw)
To: qemu-devel
Cc: Samuel Thibault, Philippe Mathieu-Daudé, Michael Roth, Jan Kiszka
From: Samuel Thibault <samuel.thibault@ens-lyon.org>
When the first fragment does not fit in the preallocated buffer, q will
already be pointing to the ext buffer, so we mustn't try to update it.
Signed-off-by: Samuel Thibault <samuel.thibault@ens-lyon.org>
(cherry picked from libslirp commit 126c04acbabd7ad32c2b018fe10dfac2a3bc1210)
Fixes: CVE-2019-14378
Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
---
slirp/ip_input.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/slirp/ip_input.c b/slirp/ip_input.c
index 348e1dca5a..07d8808671 100644
--- a/slirp/ip_input.c
+++ b/slirp/ip_input.c
@@ -334,6 +334,8 @@ insert:
q = fp->frag_link.next;
m = dtom(slirp, q);
+ int was_ext = m->m_flags & M_EXT;
+
q = (struct ipasfrag *) q->ipf_next;
while (q != (struct ipasfrag*)&fp->frag_link) {
struct mbuf *t = dtom(slirp, q);
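Review bot: `int was_ext = m->m_flags & M_EXT;` is declared after statements in the `insert:` block, and the value is only ever used as a truth value; QEMU's coding style keeps declarations at the start of a block, so `bool was_ext = (m->m_flags & M_EXT) != 0;` alongside the other locals would be cleaner. A one-line comment saying that it records whether `m` was already using its external buffer before the `while` loop below would also help, because the reader of the second hunk otherwise has to come back here to understand what the guard means.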
@@ -356,7 +358,7 @@ insert:
* the old buffer (in the mbuf), so we must point ip
* into the new buffer.
*/
- if (m->m_flags & M_EXT) {
+ if (!was_ext && m->m_flags & M_EXT) {
int delta = (char *)q - m->m_dat;
q = (struct ipasfrag *)(m->m_ext + delta);
}
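Review bot: `!was_ext && m->m_flags & M_EXT` is correct only because `&` binds tighter than `&&`; writing `!was_ext && (m->m_flags & M_EXT)` makes the intent explicit and avoids a second look. More importantly, the guard skips the rebase when `m` was already external, but the remaining case still computes `delta = (char *)q - m->m_dat`, which is only meaningful when `q` pointed into `m_dat`, and it assumes an already-external `m_ext` keeps its address while the loop appends fragments, otherwise `q` would be stale even with the guard. The comment above (`so we must point ip into the new buffer`) should state that invariant so the next person touching this loop does not reintroduce the overflow.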
--
2.20.1
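The condition the commit message describes, modelled as an added example that is not code from QEMU or libslirp: a small mbuf with an inline `m_dat` area and a heap `m_ext` area flagged by `M_EXT`, an append that moves the payload to the heap once the inline buffer is too small, and the header-pointer fix-up that `ip_reass()` performs after concatenating fragments. The field and flag names mirror the slirp ones; the buffer sizes, the helper names `mbuf_inc`, `mbuf_cat` and `reassemble`, the header offset and the fragment contents are all constructed for this example. `fixed=false` applies the pre-patch condition, `fixed=true` adds the `was_ext` guard; when the first fragment was already on the heap, the old condition computes `q - m_dat` against a buffer `q` never pointed into, which the model reports as `-1` instead of forming the wild pointer.

```c
/*
 * Added example, not code from QEMU or libslirp: a minimal model of the
 * slirp mbuf layout (inline m_dat vs. heap m_ext, flagged by M_EXT) and of
 * the header-pointer rebasing that the ip_reass() patch guards with was_ext.
 * Buffer sizes, helper names, header offset and fragment bytes are constructed.
 */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define M_EXT        0x01      /* payload lives in m_ext, not in m_dat */
#define M_DAT_SIZE   64        /* inline capacity (constructed value) */
#define M_EXT_SIZE   4096      /* fixed heap capacity (constructed value) */
#define HDR_OFF      4         /* where the "header" sits inside the payload */

struct mbuf {
    int   m_flags;
    int   m_len;                 /* payload bytes in use */
    char *m_data;                /* start of the active buffer */
    char *m_ext;                 /* heap buffer, valid when M_EXT is set */
    char  m_dat[M_DAT_SIZE];     /* inline buffer */
};

static void mbuf_init(struct mbuf *m)
{
    memset(m, 0, sizeof *m);
    m->m_data = m->m_dat;
}

/* Like slirp's m_inc(): move the payload to the heap once the inline buffer
 * is too small. This model never reallocates an existing m_ext (it aborts
 * instead), so pointers into m_ext stay valid across later appends; that is
 * exactly the property the was_ext guard relies on. */
static void mbuf_inc(struct mbuf *m, int size)
{
    if (m->m_flags & M_EXT) {
        if (size > M_EXT_SIZE) {
            abort();             /* growth of m_ext is out of scope here */
        }
        return;
    }
    if (size <= M_DAT_SIZE) {
        return;
    }
    m->m_ext = malloc(M_EXT_SIZE);
    memcpy(m->m_ext, m->m_dat, m->m_len);
    m->m_data = m->m_ext;
    m->m_flags |= M_EXT;
}

/* Like slirp's m_cat(): append len bytes to m's payload. */
static void mbuf_cat(struct mbuf *m, const char *buf, int len)
{
    mbuf_inc(m, m->m_len + len);
    memcpy(m->m_data + m->m_len, buf, len);
    m->m_len += len;
}

/*
 * Append a second fragment to a first one and then fix up the header pointer
 * q the way ip_reass() does. fixed=false uses the pre-patch condition,
 * fixed=true adds the was_ext guard. Returns the header's offset into the
 * active buffer when the byte at q is still the first fragment's fill byte,
 * or -1 when rebasing would have used a delta that is not an offset into
 * m_dat at all, i.e. would have produced a wild pointer.
 */
static long reassemble(int first_len, int second_len, bool fixed)
{
    char first[M_EXT_SIZE], second[M_EXT_SIZE];   /* constructed payloads */
    struct mbuf m;
    char *q;
    int was_ext;
    long delta, off;
    bool ok;

    memset(first, 'A', sizeof first);
    memset(second, 'B', sizeof second);

    mbuf_init(&m);
    mbuf_cat(&m, first, first_len);     /* first fragment arrives */
    q = m.m_data + HDR_OFF;             /* header pointer into that buffer */
    was_ext = m.m_flags & M_EXT;        /* what the patch records */

    mbuf_cat(&m, second, second_len);   /* may move the payload to the heap */

    if ((!fixed || !was_ext) && (m.m_flags & M_EXT)) {
        /* q - m_dat is only an offset if q pointed into m_dat to begin with */
        delta = (long)((intptr_t)q - (intptr_t)m.m_dat);
        if (delta < 0 || delta >= M_DAT_SIZE) {
            free(m.m_ext);
            return -1;                  /* pre-patch code would use this delta */
        }
        q = m.m_ext + delta;
    }

    off = q - m.m_data;
    ok = off >= 0 && off < m.m_len && *q == 'A';
    if (m.m_flags & M_EXT) {
        free(m.m_ext);
    }
    return ok ? off : -1;
}

int main(void)
{
    printf("first fits inline, second moves to heap: old=%ld fixed=%ld\n",
           reassemble(16, 100, false), reassemble(16, 100, true));
    printf("first already on heap:                   old=%ld fixed=%ld\n",
           reassemble(100, 16, false), reassemble(100, 16, true));
    return 0;
}
```

Both variants agree when the first fragment fit inline and a later append moved the payload: the delta taken against `m_dat` is a real offset and rebasing lands on the copied header. They diverge when the first fragment was already too large for `m_dat`: `q` already pointed into `m_ext`, the old condition still subtracts `m_dat` from it and the result is not an offset into any live buffer, which is the pointer the pre-patch `ip_reass()` went on to use.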
* Re: [Qemu-devel] [PATCH-for-3.1.1 1/1] Fix heap overflow in ip_reass on big packet input
From: Marc-André Lureau @ 2019-08-02 22:18 UTC (permalink / raw)
To: Philippe Mathieu-Daudé
Cc: Samuel Thibault, Jan Kiszka, QEMU, Michael Roth
On Fri, Aug 2, 2019 at 10:09 PM Philippe Mathieu-Daudé
<philmd@redhat.com> wrote:
>
> From: Samuel Thibault <samuel.thibault@ens-lyon.org>
>
> When the first fragment does not fit in the preallocated buffer, q will
> already be pointing to the ext buffer, so we mustn't try to update it.
>
> Signed-off-by: Samuel Thibault <samuel.thibault@ens-lyon.org>
> (cherry picked from libslirp commit 126c04acbabd7ad32c2b018fe10dfac2a3bc1210)
> Fixes: CVE-2019-14378
> Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
thanks
> ---
> slirp/ip_input.c | 4 +++-
> 1 file changed, 3 insertions(+), 1 deletion(-)
>
> diff --git a/slirp/ip_input.c b/slirp/ip_input.c
> index 348e1dca5a..07d8808671 100644
> --- a/slirp/ip_input.c
> +++ b/slirp/ip_input.c
> @@ -334,6 +334,8 @@ insert:
> q = fp->frag_link.next;
> m = dtom(slirp, q);
>
> + int was_ext = m->m_flags & M_EXT;
> +
> q = (struct ipasfrag *) q->ipf_next;
> while (q != (struct ipasfrag*)&fp->frag_link) {
> struct mbuf *t = dtom(slirp, q);
> @@ -356,7 +358,7 @@ insert:
> * the old buffer (in the mbuf), so we must point ip
> * into the new buffer.
> */
> - if (m->m_flags & M_EXT) {
> + if (!was_ext && m->m_flags & M_EXT) {
> int delta = (char *)q - m->m_dat;
> q = (struct ipasfrag *)(m->m_ext + delta);
> }
> --
> 2.20.1
>
>
--
Marc-André Lureau