libslirp/0007-udp-check-upd_input-buffer-size.patch
Marc-André Lureau 091d374633 Fix CVE-2021-3592 CVE-2021-3593 CVE-2021-3594 CVE-2021-3595 out-of-bounds access
Resolves: rhbz#1970826
Resolves: rhbz#1970839
Resolves: rhbz#1970857
Resolves: rhbz#1970847
2021-06-18 17:14:15 +04:00

37 lines
1.0 KiB
Diff

From ca41f7eaa58d3f63a3df58d812b3cec32343ab6a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Marc-Andr=C3=A9=20Lureau?= <marcandre.lureau@redhat.com>
Date: Fri, 4 Jun 2021 16:40:23 +0400
Subject: [PATCH 7/7] udp: check upd_input buffer size
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Fixes: CVE-2021-3594
Fixes: https://gitlab.freedesktop.org/slirp/libslirp/-/issues/47
Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
(cherry picked from commit 74572be49247c8c5feae7c6e0b50c4f569ca9824)
---
src/udp.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/src/udp.c b/src/udp.c
index 050cee4..e4578aa 100644
--- a/src/udp.c
+++ b/src/udp.c
@@ -94,7 +94,10 @@ void udp_input(register struct mbuf *m, int iphlen)
/*
* Get IP and UDP header together in first mbuf.
*/
- ip = mtod(m, struct ip *);
+ ip = mtod_check(m, iphlen + sizeof(struct udphdr));
+ if (ip == NULL) {
+ goto bad;
+ }
uh = (struct udphdr *)((char *)ip + iphlen);
/*
--
2.29.0