|
 |
4ec855 |
From 49fbfce352a678b538113598cba05c48281174a4 Mon Sep 17 00:00:00 2001
|
|
|
4ec855 |
From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= <philmd@redhat.com>
|
|
|
4ec855 |
Date: Wed, 24 Jul 2019 15:53:34 +0100
|
|
|
4ec855 |
Subject: [PATCH 09/14] slirp: check sscanf result when emulating ident
|
|
|
4ec855 |
MIME-Version: 1.0
|
|
|
4ec855 |
Content-Type: text/plain; charset=UTF-8
|
|
|
4ec855 |
Content-Transfer-Encoding: 8bit
|
|
|
4ec855 |
|
|
|
4ec855 |
RH-Author: Philippe Mathieu-Daudé <philmd@redhat.com>
|
|
|
4ec855 |
Message-id: <20190724155337.25303-2-philmd@redhat.com>
|
|
|
4ec855 |
Patchwork-id: 89675
|
|
|
4ec855 |
O-Subject: [RHEL-8.1.0 qemu-kvm PATCH v2 1/4] slirp: check sscanf result when emulating ident
|
|
|
4ec855 |
Bugzilla: 1727642
|
|
|
4ec855 |
RH-Acked-by: Stefan Hajnoczi <stefanha@redhat.com>
|
|
|
4ec855 |
RH-Acked-by: Marc-André Lureau <marcandre.lureau@redhat.com>
|
|
|
4ec855 |
RH-Acked-by: Thomas Huth <thuth@redhat.com>
|
|
|
4ec855 |
|
|
|
4ec855 |
From: William Bowling <will@wbowling.info>
|
|
|
4ec855 |
|
|
|
4ec855 |
When emulating ident in tcp_emu, if the strchr checks passed but the
|
|
|
4ec855 |
sscanf check failed, two uninitialized variables would be copied and
|
|
|
4ec855 |
sent in the reply, so move this code inside the if(sscanf()) clause.
|
|
|
4ec855 |
|
|
|
4ec855 |
Signed-off-by: William Bowling <will@wbowling.info>
|
|
|
4ec855 |
Cc: qemu-stable@nongnu.org
|
|
|
4ec855 |
Cc: secalert@redhat.com
|
|
|
4ec855 |
Message-Id: <1551476756-25749-1-git-send-email-will@wbowling.info>
|
|
|
4ec855 |
Signed-off-by: Samuel Thibault <samuel.thibault@ens-lyon.org>
|
|
|
4ec855 |
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
|
|
|
4ec855 |
(cherry picked from commit d3222975c7d6cda9e25809dea05241188457b113)
|
|
|
4ec855 |
Fixes: CVE-2019-9824
|
|
|
4ec855 |
Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
|
|
|
4ec855 |
Signed-off-by: Danilo C. L. de Paula <ddepaula@redhat.com>
|
|
|
4ec855 |
---
|
|
|
4ec855 |
slirp/tcp_subr.c | 10 +++++-----
|
|
|
4ec855 |
1 file changed, 5 insertions(+), 5 deletions(-)
|
|
|
4ec855 |
|
|
|
4ec855 |
diff --git a/slirp/tcp_subr.c b/slirp/tcp_subr.c
|
|
|
4ec855 |
index 1c7eb28..af1b3eb 100644
|
|
|
4ec855 |
--- a/slirp/tcp_subr.c
|
|
|
4ec855 |
+++ b/slirp/tcp_subr.c
|
|
|
4ec855 |
@@ -665,12 +665,12 @@ tcp_emu(struct socket *so, struct mbuf *m)
|
|
|
4ec855 |
break;
|
|
|
4ec855 |
}
|
|
|
4ec855 |
}
|
|
|
4ec855 |
+ so_rcv->sb_cc = snprintf(so_rcv->sb_data,
|
|
|
4ec855 |
+ so_rcv->sb_datalen,
|
|
|
4ec855 |
+ "%d,%d\r\n", n1, n2);
|
|
|
4ec855 |
+ so_rcv->sb_rptr = so_rcv->sb_data;
|
|
|
4ec855 |
+ so_rcv->sb_wptr = so_rcv->sb_data + so_rcv->sb_cc;
|
|
|
4ec855 |
}
|
|
|
4ec855 |
- so_rcv->sb_cc = snprintf(so_rcv->sb_data,
|
|
|
4ec855 |
- so_rcv->sb_datalen,
|
|
|
4ec855 |
- "%d,%d\r\n", n1, n2);
|
|
|
4ec855 |
- so_rcv->sb_rptr = so_rcv->sb_data;
|
|
|
4ec855 |
- so_rcv->sb_wptr = so_rcv->sb_data + so_rcv->sb_cc;
|
|
|
4ec855 |
}
|
|
|
4ec855 |
m_free(m);
|
|
|
4ec855 |
return 0;
|
|
|
4ec855 |
--
|
|
|
4ec855 |
1.8.3.1
|
|
|
4ec855 |
|