libslirp/0001-Fix-DHCP-broken-in-libslirp-v4.6.0.patch
Marc-André Lureau 091d374633 Fix CVE-2021-3592 CVE-2021-3593 CVE-2021-3594 CVE-2021-3595 out-of-bounds access
Resolves: rhbz#1970826
Resolves: rhbz#1970839
Resolves: rhbz#1970857
Resolves: rhbz#1970847
2021-06-18 17:14:15 +04:00

31 lines
897 B
Diff

From c9f314f6e315a5518432761fea864196a290f799 Mon Sep 17 00:00:00 2001
From: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
Date: Thu, 17 Jun 2021 18:01:32 +0900
Subject: [PATCH] Fix "DHCP broken in libslirp v4.6.0"
Fix issue 48
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
---
src/bootp.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/src/bootp.c b/src/bootp.c
index cafa1eb..0a35873 100644
--- a/src/bootp.c
+++ b/src/bootp.c
@@ -359,7 +359,9 @@ static void bootp_reply(Slirp *slirp,
daddr.sin_addr.s_addr = 0xffffffffu;
- m->m_len = sizeof(struct bootp_t) - sizeof(struct ip) - sizeof(struct udphdr);
+ assert ((q - rbp->bp_vend + 1) <= DHCP_OPT_LEN);
+
+ m->m_len = sizeof(struct bootp_t) + (q - rbp->bp_vend + 1) - sizeof(struct ip) - sizeof(struct udphdr);
udp_output(NULL, m, &saddr, &daddr, IPTOS_LOWDELAY);
}
--
2.29.0