4.2.0-2 - CVE-2020-1983 fix
This commit is contained in:
Marc-André Lureau
parent
2ed83bceb0
commit
8496ac1f98
48
0001-Fix-use-afte-free-in-ip_reass-CVE-2020-1983.patch
Normal file
48
0001-Fix-use-afte-free-in-ip_reass-CVE-2020-1983.patch
Normal file
@ -0,0 +1,48 @@
|
||||
From 9bd6c5913271eabcb7768a58197ed3301fe19f2d Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Marc-Andr=C3=A9=20Lureau?= <marcandre.lureau@redhat.com>
|
||||
Date: Sat, 4 Apr 2020 22:42:13 +0200
|
||||
Subject: [PATCH] Fix use-afte-free in ip_reass() (CVE-2020-1983)
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
The q pointer is updated when the mbuf data is moved from m_dat to
|
||||
m_ext.
|
||||
|
||||
m_ext buffer may also be realloc()'ed and moved during m_cat():
|
||||
q should also be updated in this case.
|
||||
|
||||
Reported-by: Aviv Sasson <asasson@paloaltonetworks.com>
|
||||
Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
|
||||
Reviewed-by: Samuel Thibault <samuel.thibault@ens-lyon.org>
|
||||
---
|
||||
src/ip_input.c | 6 ++----
|
||||
1 file changed, 2 insertions(+), 4 deletions(-)
|
||||
|
||||
diff --git a/src/ip_input.c b/src/ip_input.c
|
||||
index aa514ae..89a01d4 100644
|
||||
--- a/src/ip_input.c
|
||||
+++ b/src/ip_input.c
|
||||
@@ -327,8 +327,7 @@ insert:
|
||||
*/
|
||||
q = fp->frag_link.next;
|
||||
m = dtom(slirp, q);
|
||||
-
|
||||
- int was_ext = m->m_flags & M_EXT;
|
||||
+ int delta = (char *)q - (m->m_flags & M_EXT ? m->m_ext : m->m_dat);
|
||||
|
||||
q = (struct ipasfrag *)q->ipf_next;
|
||||
while (q != (struct ipasfrag *)&fp->frag_link) {
|
||||
@@ -351,8 +350,7 @@ insert:
|
||||
* then an m_ext buffer was alloced. But fp->ipq_next points to the old
|
||||
* buffer (in the mbuf), so we must point ip into the new buffer.
|
||||
*/
|
||||
- if (!was_ext && m->m_flags & M_EXT) {
|
||||
- int delta = (char *)q - m->m_dat;
|
||||
+ if (m->m_flags & M_EXT) {
|
||||
q = (struct ipasfrag *)(m->m_ext + delta);
|
||||
}
|
||||
|
||||
--
|
||||
2.26.0.106.g9fadedd637
|
||||
|
||||
@ -1,6 +1,6 @@
|
||||
Name: libslirp
|
||||
Version: 4.2.0
|
||||
Release: 1%{?dist}
|
||||
Release: 2%{?dist}
|
||||
Summary: A general purpose TCP-IP emulator
|
||||
|
||||
# check the SPDX tags in source files for details
|
||||
@ -8,6 +8,8 @@ License: BSD and MIT
|
||||
URL: https://gitlab.freedesktop.org/slirp/%{name}
|
||||
Source0: %{url}/-/archive/v%{version}/%{name}-v%{version}.tar.gz
|
||||
|
||||
Patch0001: 0001-Fix-use-afte-free-in-ip_reass-CVE-2020-1983.patch
|
||||
|
||||
BuildRequires: git-core
|
||||
BuildRequires: meson
|
||||
BuildRequires: gcc
|
||||
@ -52,6 +54,9 @@ developing applications that use %{name}.
|
||||
|
||||
|
||||
%changelog
|
||||
* Mon Apr 20 2020 Marc-André Lureau <marcandre.lureau@redhat.com> - 4.2.0-2
|
||||
- CVE-2020-1983 fix
|
||||
|
||||
* Tue Mar 17 2020 Marc-André Lureau <marcandre.lureau@redhat.com> - 4.2.0-1
|
||||
- New v4.2.0 release
|
||||
|
||||
|
||||
Loading…
Reference in New Issue
Block a user