thebeanogamer / rpms / qemu-kvm

Forked from rpms/qemu-kvm 5 months ago
Clone

Blame SOURCES/kvm-slirp-check-sscanf-result-when-emulating-ident.patch

d740ea
From 013f795cb54d42e6b057689f7d51fd27e1730197 Mon Sep 17 00:00:00 2001
3f5fa1
From: =?UTF-8?q?Marc-Andr=C3=A9=20Lureau?= <marcandre.lureau@redhat.com>
d740ea
Date: Tue, 2 Apr 2019 13:39:01 +0200
d740ea
Subject: [PATCH 3/3] slirp: check sscanf result when emulating ident
3f5fa1
MIME-Version: 1.0
3f5fa1
Content-Type: text/plain; charset=UTF-8
3f5fa1
Content-Transfer-Encoding: 8bit
3f5fa1
3f5fa1
RH-Author: Marc-André Lureau <marcandre.lureau@redhat.com>
d740ea
Message-id: <20190402133901.28238-1-marcandre.lureau@redhat.com>
d740ea
Patchwork-id: 85305
d740ea
O-Subject: [RHEL-7.7 qemu-kvm PATCH] slirp: check sscanf result when emulating ident
d740ea
Bugzilla: 1689791
3f5fa1
RH-Acked-by: Philippe Mathieu-Daudé <philmd@redhat.com>
d740ea
RH-Acked-by: Markus Armbruster <armbru@redhat.com>
d740ea
RH-Acked-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
3f5fa1
3f5fa1
From: William Bowling <will@wbowling.info>
3f5fa1
3f5fa1
When emulating ident in tcp_emu, if the strchr checks passed but the
3f5fa1
sscanf check failed, two uninitialized variables would be copied and
3f5fa1
sent in the reply, so move this code inside the if(sscanf()) clause.
3f5fa1
3f5fa1
Signed-off-by: William Bowling <will@wbowling.info>
3f5fa1
Cc: qemu-stable@nongnu.org
3f5fa1
Cc: secalert@redhat.com
3f5fa1
Message-Id: <1551476756-25749-1-git-send-email-will@wbowling.info>
3f5fa1
Signed-off-by: Samuel Thibault <samuel.thibault@ens-lyon.org>
3f5fa1
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
3f5fa1
3f5fa1
(cherry picked from commit d3222975c7d6cda9e25809dea05241188457b113)
3f5fa1
Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
3f5fa1
Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
3f5fa1
---
3f5fa1
 slirp/tcp_subr.c | 10 +++++-----
3f5fa1
 1 file changed, 5 insertions(+), 5 deletions(-)
3f5fa1
3f5fa1
diff --git a/slirp/tcp_subr.c b/slirp/tcp_subr.c
3f5fa1
index 043f28f..0b7138b 100644
3f5fa1
--- a/slirp/tcp_subr.c
3f5fa1
+++ b/slirp/tcp_subr.c
3f5fa1
@@ -605,12 +605,12 @@ tcp_emu(struct socket *so, struct mbuf *m)
3f5fa1
 							break;
3f5fa1
 						}
3f5fa1
 					}
3f5fa1
+					so_rcv->sb_cc = snprintf(so_rcv->sb_data,
3f5fa1
+								 so_rcv->sb_datalen,
3f5fa1
+								 "%d,%d\r\n", n1, n2);
3f5fa1
+					so_rcv->sb_rptr = so_rcv->sb_data;
3f5fa1
+					so_rcv->sb_wptr = so_rcv->sb_data + so_rcv->sb_cc;
3f5fa1
 				}
3f5fa1
-                                so_rcv->sb_cc = snprintf(so_rcv->sb_data,
3f5fa1
-                                                         so_rcv->sb_datalen,
3f5fa1
-                                                         "%d,%d\r\n", n1, n2);
3f5fa1
-				so_rcv->sb_rptr = so_rcv->sb_data;
3f5fa1
-				so_rcv->sb_wptr = so_rcv->sb_data + so_rcv->sb_cc;
3f5fa1
 			}
3f5fa1
 			m_free(m);
3f5fa1
 			return 0;
3f5fa1
-- 
3f5fa1
1.8.3.1
3f5fa1