From dea2f95979cc0ba0c36f07b8e9cc709bd1ef1eb4 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= Date: Fri, 17 Jan 2020 12:00:35 +0100 Subject: [PATCH 1/3] tcp_emu: Fix oob access MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit RH-Author: Philippe Mathieu-Daudé Message-id: <20200117120037.12800-2-philmd@redhat.com> Patchwork-id: 93395 O-Subject: [RHEL-7.7.z qemu-kvm + RHEL-7.8 qemu-kvm + RHEL-7.9 qemu-kvm PATCH v2 1/3] tcp_emu: Fix oob access Bugzilla: 1791560 RH-Acked-by: Stefano Garzarella RH-Acked-by: Stefan Hajnoczi RH-Acked-by: Thomas Huth From: Samuel Thibault The main loop only checks for one available byte, while we sometimes need two bytes. (cherry picked from libslirp commit 2655fffed7a9e765bcb4701dd876e9dab975f289) [PMD: backported with style conflicts, CHANGELOG.md absent in downstream] Signed-off-by: Philippe Mathieu-Daudé Signed-off-by: Miroslav Rezanina --- slirp/tcp_subr.c | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/slirp/tcp_subr.c b/slirp/tcp_subr.c index d49a366..70a4c83 100644 --- a/slirp/tcp_subr.c +++ b/slirp/tcp_subr.c @@ -837,6 +837,9 @@ tcp_emu(struct socket *so, struct mbuf *m) break; case 5: + if (bptr == m->m_data + m->m_len - 1) + return 1; /* We need two bytes */ + /* * The difference between versions 1.0 and * 2.0 is here. For future versions of @@ -852,6 +855,10 @@ tcp_emu(struct socket *so, struct mbuf *m) /* This is the field containing the port * number that RA-player is listening to. */ + + if (bptr == m->m_data + m->m_len - 1) + return 1; /* We need two bytes */ + lport = (((u_char*)bptr)[0] << 8) + ((u_char *)bptr)[1]; if (lport < 6970) -- 1.8.3.1