qemu-kvm/SOURCES/kvm-tftp-check-tftp_input-b...


From 6bd4d80f9274f76eb402ce85aa60729150b39980 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Marc-Andr=C3=A9=20Lureau?= <marcandre.lureau@redhat.com>
Date: Thu, 29 Jul 2021 04:56:34 -0400
Subject: [PATCH 09/14] tftp: check tftp_input buffer size
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
RH-Author: Marc-André Lureau <marcandre.lureau@redhat.com>
Message-id: <20210708082537.1550263-6-marcandre.lureau@redhat.com>
Patchwork-id: 101823
O-Subject: [RHEL-8.5.0 qemu-kvm PATCH 5/8] tftp: check tftp_input buffer size
Bugzilla: 1970843
RH-Acked-by: Stefano Garzarella <sgarzare@redhat.com>
RH-Acked-by: Eric Blake <eblake@redhat.com>
RH-Acked-by: Stefan Hajnoczi <stefanha@redhat.com>
From: Marc-André Lureau <marcandre.lureau@redhat.com>
Fixes: CVE-2021-3595
Fixes: https://gitlab.freedesktop.org/slirp/libslirp/-/issues/46
Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
BZ: https://bugzilla.redhat.com/show_bug.cgi?id=1970843
(cherry picked from commit 3f17948137155f025f7809fdc38576d5d2451c3d)
Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
---
slirp/src/tftp.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/slirp/src/tftp.c b/slirp/src/tftp.c
index 093c2e06a3..07e8f3cb2f 100644
--- a/slirp/src/tftp.c
+++ b/slirp/src/tftp.c
@@ -444,7 +444,11 @@ static void tftp_handle_error(Slirp *slirp, struct sockaddr_storage *srcsas,
void tftp_input(struct sockaddr_storage *srcsas, struct mbuf *m)
{
- struct tftp_t *tp = (struct tftp_t *)m->m_data;
+ struct tftp_t *tp = mtod_check(m, offsetof(struct tftp_t, x.tp_buf));
+
+ if (tp == NULL) {
+ return;
+ }
switch (ntohs(tp->tp_op)) {
case TFTP_RRQ:
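Review bot: the new `mtod_check(m, offsetof(struct tftp_t, x.tp_buf))` call only guarantees that the fixed TFTP header up to `x.tp_buf` fits inside the mbuf before `tp->tp_op` is read in the `switch`; anything at or past `tp_buf` (filename, mode, options, data) is still unchecked by this hunk, so the per-opcode handlers reached from the `switch` must keep their own length checks, and a one-line comment at the NULL check stating that scope would save the next reader from assuming the whole packet has been validated. The early `return` also drops an undersized datagram silently; that is acceptable for a malformed-packet path, but it is worth confirming nothing upstream expects `tftp_input` to always consume or free `m` differently on that path. Separately, the commit message gives only the `Fixes:` tags and no description; please add a sentence saying that the previous raw `(struct tftp_t *)m->m_data` cast dereferenced `tp_op` without verifying the mbuf length, so that the reason for the `offsetof` lower bound is recorded with the change.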
--
2.27.0