qemu-kvm/SOURCES/kvm-upd6-check-udp6_input-buffer-size.patch


From 6808086932ddc83fd748c46fea495e7004299b55 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Marc-Andr=C3=A9=20Lureau?= <marcandre.lureau@redhat.com>
Date: Thu, 29 Jul 2021 04:56:31 -0400
Subject: [PATCH 08/14] upd6: check udp6_input buffer size
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
RH-Author: Marc-André Lureau <marcandre.lureau@redhat.com>
Message-id: <20210708082537.1550263-5-marcandre.lureau@redhat.com>
Patchwork-id: 101822
O-Subject: [RHEL-8.5.0 qemu-kvm PATCH 4/8] upd6: check udp6_input buffer size
Bugzilla: 1970835
RH-Acked-by: Stefano Garzarella <sgarzare@redhat.com>
RH-Acked-by: Eric Blake <eblake@redhat.com>
RH-Acked-by: Stefan Hajnoczi <stefanha@redhat.com>
From: Marc-André Lureau <marcandre.lureau@redhat.com>
Fixes: CVE-2021-3593
Fixes: https://gitlab.freedesktop.org/slirp/libslirp/-/issues/45
Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
BZ: https://bugzilla.redhat.com/show_bug.cgi?id=1970835
(cherry picked from commit de71c15de66ba9350bf62c45b05f8fbff166517b)
Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
---
slirp/src/udp6.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/slirp/src/udp6.c b/slirp/src/udp6.c
index 6f9486bbca..8c490e4d10 100644
--- a/slirp/src/udp6.c
+++ b/slirp/src/udp6.c
@@ -28,7 +28,10 @@ void udp6_input(struct mbuf *m)
ip = mtod(m, struct ip6 *);
m->m_len -= iphlen;
m->m_data += iphlen;
- uh = mtod(m, struct udphdr *);
+ uh = mtod_check(m, sizeof(struct udphdr));
+ if (uh == NULL) {
+ goto bad;
+ }
m->m_len += iphlen;
m->m_data -= iphlen;
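Review bot: On the new "goto bad" path, m->m_len and m->m_data are still advanced by iphlen, because the restoring lines "m->m_len += iphlen;" and "m->m_data -= iphlen;" only run after the check has succeeded. The code at the bad label is outside the visible context, so please confirm that it does nothing with m that depends on the original offsets (for example, reading the IPv6 header through it), or restore both fields before the jump. Separately, the subject line spells the prefix "upd6" while the file and function are udp6, which makes the fix harder to find with a log search.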
--
2.27.0