thebeanogamer / rpms / qemu-kvm

Forked from rpms/qemu-kvm 5 months ago
Clone

Blame SOURCES/kvm-slirp-check-sscanf-result-when-emulating-ident.patch

9ae3a8
From 013f795cb54d42e6b057689f7d51fd27e1730197 Mon Sep 17 00:00:00 2001
9ae3a8
From: =?UTF-8?q?Marc-Andr=C3=A9=20Lureau?= <marcandre.lureau@redhat.com>
9ae3a8
Date: Tue, 2 Apr 2019 13:39:01 +0200
9ae3a8
Subject: [PATCH 3/3] slirp: check sscanf result when emulating ident
9ae3a8
MIME-Version: 1.0
9ae3a8
Content-Type: text/plain; charset=UTF-8
9ae3a8
Content-Transfer-Encoding: 8bit
9ae3a8
9ae3a8
RH-Author: Marc-André Lureau <marcandre.lureau@redhat.com>
9ae3a8
Message-id: <20190402133901.28238-1-marcandre.lureau@redhat.com>
9ae3a8
Patchwork-id: 85305
9ae3a8
O-Subject: [RHEL-7.7 qemu-kvm PATCH] slirp: check sscanf result when emulating ident
9ae3a8
Bugzilla: 1689791
9ae3a8
RH-Acked-by: Philippe Mathieu-Daudé <philmd@redhat.com>
9ae3a8
RH-Acked-by: Markus Armbruster <armbru@redhat.com>
9ae3a8
RH-Acked-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
9ae3a8
9ae3a8
From: William Bowling <will@wbowling.info>
9ae3a8
9ae3a8
When emulating ident in tcp_emu, if the strchr checks passed but the
9ae3a8
sscanf check failed, two uninitialized variables would be copied and
9ae3a8
sent in the reply, so move this code inside the if(sscanf()) clause.
9ae3a8
9ae3a8
Signed-off-by: William Bowling <will@wbowling.info>
9ae3a8
Cc: qemu-stable@nongnu.org
9ae3a8
Cc: secalert@redhat.com
9ae3a8
Message-Id: <1551476756-25749-1-git-send-email-will@wbowling.info>
9ae3a8
Signed-off-by: Samuel Thibault <samuel.thibault@ens-lyon.org>
9ae3a8
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
9ae3a8
9ae3a8
(cherry picked from commit d3222975c7d6cda9e25809dea05241188457b113)
9ae3a8
Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
9ae3a8
Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
9ae3a8
---
9ae3a8
 slirp/tcp_subr.c | 10 +++++-----
9ae3a8
 1 file changed, 5 insertions(+), 5 deletions(-)
9ae3a8
9ae3a8
diff --git a/slirp/tcp_subr.c b/slirp/tcp_subr.c
9ae3a8
index 043f28f..0b7138b 100644
9ae3a8
--- a/slirp/tcp_subr.c
9ae3a8
+++ b/slirp/tcp_subr.c
9ae3a8
@@ -605,12 +605,12 @@ tcp_emu(struct socket *so, struct mbuf *m)
9ae3a8
 							break;
9ae3a8
 						}
9ae3a8
 					}
9ae3a8
+					so_rcv->sb_cc = snprintf(so_rcv->sb_data,
9ae3a8
+								 so_rcv->sb_datalen,
9ae3a8
+								 "%d,%d\r\n", n1, n2);
9ae3a8
+					so_rcv->sb_rptr = so_rcv->sb_data;
9ae3a8
+					so_rcv->sb_wptr = so_rcv->sb_data + so_rcv->sb_cc;
9ae3a8
 				}
9ae3a8
-                                so_rcv->sb_cc = snprintf(so_rcv->sb_data,
9ae3a8
-                                                         so_rcv->sb_datalen,
9ae3a8
-                                                         "%d,%d\r\n", n1, n2);
9ae3a8
-				so_rcv->sb_rptr = so_rcv->sb_data;
9ae3a8
-				so_rcv->sb_wptr = so_rcv->sb_data + so_rcv->sb_cc;
9ae3a8
 			}
9ae3a8
 			m_free(m);
9ae3a8
 			return 0;
9ae3a8
-- 
9ae3a8
1.8.3.1
9ae3a8