thebeanogamer / rpms / qemu-kvm

Forked from rpms/qemu-kvm 5 months ago
Clone

Blame SOURCES/kvm-slirp-check-sscanf-result-when-emulating-ident.patch

3f5fa1
From 5cba04974b46608f462b7ce711c8eb0966f5d101 Mon Sep 17 00:00:00 2001
3f5fa1
From: =?UTF-8?q?Marc-Andr=C3=A9=20Lureau?= <marcandre.lureau@redhat.com>
3f5fa1
Date: Mon, 20 May 2019 17:00:52 +0200
3f5fa1
Subject: [PATCH 1/4] slirp: check sscanf result when emulating ident
3f5fa1
MIME-Version: 1.0
3f5fa1
Content-Type: text/plain; charset=UTF-8
3f5fa1
Content-Transfer-Encoding: 8bit
3f5fa1
3f5fa1
RH-Author: Marc-André Lureau <marcandre.lureau@redhat.com>
3f5fa1
Message-id: <20190520170055.15404-2-marcandre.lureau@redhat.com>
3f5fa1
Patchwork-id: 88098
3f5fa1
O-Subject: [RHEL-7.6.z qemu-kvm PATCH 1/4] slirp: check sscanf result when emulating ident
3f5fa1
Bugzilla: 1669067
3f5fa1
RH-Acked-by: Philippe Mathieu-Daudé <philmd@redhat.com>
3f5fa1
RH-Acked-by: Stefan Hajnoczi <stefanha@redhat.com>
3f5fa1
RH-Acked-by: Thomas Huth <thuth@redhat.com>
3f5fa1
3f5fa1
From: William Bowling <will@wbowling.info>
3f5fa1
3f5fa1
When emulating ident in tcp_emu, if the strchr checks passed but the
3f5fa1
sscanf check failed, two uninitialized variables would be copied and
3f5fa1
sent in the reply, so move this code inside the if(sscanf()) clause.
3f5fa1
3f5fa1
Signed-off-by: William Bowling <will@wbowling.info>
3f5fa1
Cc: qemu-stable@nongnu.org
3f5fa1
Cc: secalert@redhat.com
3f5fa1
Message-Id: <1551476756-25749-1-git-send-email-will@wbowling.info>
3f5fa1
Signed-off-by: Samuel Thibault <samuel.thibault@ens-lyon.org>
3f5fa1
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
3f5fa1
3f5fa1
(cherry picked from commit d3222975c7d6cda9e25809dea05241188457b113)
3f5fa1
Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
3f5fa1
Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
3f5fa1
---
3f5fa1
 slirp/tcp_subr.c | 10 +++++-----
3f5fa1
 1 file changed, 5 insertions(+), 5 deletions(-)
3f5fa1
3f5fa1
diff --git a/slirp/tcp_subr.c b/slirp/tcp_subr.c
3f5fa1
index 043f28f..0b7138b 100644
3f5fa1
--- a/slirp/tcp_subr.c
3f5fa1
+++ b/slirp/tcp_subr.c
3f5fa1
@@ -605,12 +605,12 @@ tcp_emu(struct socket *so, struct mbuf *m)
3f5fa1
 							break;
3f5fa1
 						}
3f5fa1
 					}
3f5fa1
+					so_rcv->sb_cc = snprintf(so_rcv->sb_data,
3f5fa1
+								 so_rcv->sb_datalen,
3f5fa1
+								 "%d,%d\r\n", n1, n2);
3f5fa1
+					so_rcv->sb_rptr = so_rcv->sb_data;
3f5fa1
+					so_rcv->sb_wptr = so_rcv->sb_data + so_rcv->sb_cc;
3f5fa1
 				}
3f5fa1
-                                so_rcv->sb_cc = snprintf(so_rcv->sb_data,
3f5fa1
-                                                         so_rcv->sb_datalen,
3f5fa1
-                                                         "%d,%d\r\n", n1, n2);
3f5fa1
-				so_rcv->sb_rptr = so_rcv->sb_data;
3f5fa1
-				so_rcv->sb_wptr = so_rcv->sb_data + so_rcv->sb_cc;
3f5fa1
 			}
3f5fa1
 			m_free(m);
3f5fa1
 			return 0;
3f5fa1
-- 
3f5fa1
1.8.3.1
3f5fa1