qemu-kvm/SOURCES/kvm-udp-check-upd_input-buf...

From 1b8aa33b218a8ff3e8aa2f1b6875df40fd70f0ed Mon Sep 17 00:00:00 2001
From: Marc-André Lureau <marcandre.lureau@redhat.com>
Date: Thu, 29 Jul 2021 04:56:40 -0400
Subject: [PATCH 11/14] udp: check upd_input buffer size
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
RH-Author: Marc-André Lureau <marcandre.lureau@redhat.com>
Message-id: <20210708082537.1550263-8-marcandre.lureau@redhat.com>
Patchwork-id: 101826
O-Subject: [RHEL-8.5.0 qemu-kvm PATCH 7/8] udp: check upd_input buffer size
Bugzilla: 1970853
RH-Acked-by: Stefano Garzarella <sgarzare@redhat.com>
RH-Acked-by: Eric Blake <eblake@redhat.com>
RH-Acked-by: Stefan Hajnoczi <stefanha@redhat.com>
From: Marc-André Lureau <marcandre.lureau@redhat.com>
Fixes: CVE-2021-3594
Fixes: https://gitlab.freedesktop.org/slirp/libslirp/-/issues/47
Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
BZ: https://bugzilla.redhat.com/show_bug.cgi?id=1970853
(cherry picked from commit 74572be49247c8c5feae7c6e0b50c4f569ca9824)
Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
---
slirp/src/udp.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/slirp/src/udp.c b/slirp/src/udp.c
index ae23ba4b2a..86142bba14 100644
--- a/slirp/src/udp.c
+++ b/slirp/src/udp.c
@@ -90,7 +90,10 @@ void udp_input(register struct mbuf *m, int iphlen)
/*
* Get IP and UDP header together in first mbuf.
*/
- ip = mtod(m, struct ip *);
+ ip = mtod_check(m, iphlen + sizeof(struct udphdr));
+ if (ip == NULL) {
+ goto bad;
+ }
uh = (struct udphdr *)((char *)ip + iphlen);
/*
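Review bot: the new check `ip = mtod_check(m, iphlen + sizeof(struct udphdr));` only guarantees that the IP header plus the 8-byte UDP header are present in the first mbuf; nothing in this hunk validates the UDP length field against the data the mbuf actually holds, so confirm that the length handling that follows `uh = (struct udphdr *)((char *)ip + iphlen);` (not shown here) rejects a datagram whose UDP length exceeds the mbuf before the payload is touched. Two further things to verify outside the hunk: that the `bad:` label reached by `goto bad` frees `m`, otherwise every rejected short datagram leaks an mbuf; and that `iphlen`, which is a caller-supplied parameter of `udp_input`, has already been validated against the IP header by the caller, since this check trusts it. The commit message would also benefit from one sentence stating the failure being fixed (an out-of-bounds read of the UDP header when the mbuf is shorter than `iphlen + sizeof(struct udphdr)`) rather than only the CVE and issue references.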
--
2.27.0