|
 |
383d26 |
From cbf833ce3cbbd9162c22573278497e5b8bd1ccb4 Mon Sep 17 00:00:00 2001
|
|
|
383d26 |
From: =?UTF-8?q?Marc-Andr=C3=A9=20Lureau?= <marcandre.lureau@redhat.com>
|
|
|
383d26 |
Date: Tue, 2 Apr 2019 14:03:50 +0200
|
|
|
383d26 |
Subject: [PATCH 131/163] slirp: check sscanf result when emulating ident
|
|
|
383d26 |
MIME-Version: 1.0
|
|
|
383d26 |
Content-Type: text/plain; charset=UTF-8
|
|
|
383d26 |
Content-Transfer-Encoding: 8bit
|
|
|
383d26 |
|
|
|
383d26 |
RH-Author: Marc-André Lureau <marcandre.lureau@redhat.com>
|
|
|
383d26 |
Message-id: <20190402140350.5604-1-marcandre.lureau@redhat.com>
|
|
|
383d26 |
Patchwork-id: 85306
|
|
|
383d26 |
O-Subject: [RHEL-7.7 qemu-kvm-rhev PATCH] slirp: check sscanf result when emulating ident
|
|
|
383d26 |
Bugzilla: 1689793
|
|
|
383d26 |
RH-Acked-by: Markus Armbruster <armbru@redhat.com>
|
|
|
383d26 |
RH-Acked-by: Philippe Mathieu-Daudé <philmd@redhat.com>
|
|
|
383d26 |
RH-Acked-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
|
|
|
383d26 |
|
|
|
383d26 |
From: William Bowling <will@wbowling.info>
|
|
|
383d26 |
|
|
|
383d26 |
When emulating ident in tcp_emu, if the strchr checks passed but the
|
|
|
383d26 |
sscanf check failed, two uninitialized variables would be copied and
|
|
|
383d26 |
sent in the reply, so move this code inside the if(sscanf()) clause.
|
|
|
383d26 |
|
|
|
383d26 |
Signed-off-by: William Bowling <will@wbowling.info>
|
|
|
383d26 |
Cc: qemu-stable@nongnu.org
|
|
|
383d26 |
Cc: secalert@redhat.com
|
|
|
383d26 |
Message-Id: <1551476756-25749-1-git-send-email-will@wbowling.info>
|
|
|
383d26 |
Signed-off-by: Samuel Thibault <samuel.thibault@ens-lyon.org>
|
|
|
383d26 |
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
|
|
|
383d26 |
|
|
|
383d26 |
(cherry picked from commit d3222975c7d6cda9e25809dea05241188457b113)
|
|
|
383d26 |
Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
|
|
|
383d26 |
Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
|
|
|
383d26 |
---
|
|
|
383d26 |
slirp/tcp_subr.c | 10 +++++-----
|
|
|
383d26 |
1 file changed, 5 insertions(+), 5 deletions(-)
|
|
|
383d26 |
|
|
|
383d26 |
diff --git a/slirp/tcp_subr.c b/slirp/tcp_subr.c
|
|
|
383d26 |
index da0d537..98ceb4f 100644
|
|
|
383d26 |
--- a/slirp/tcp_subr.c
|
|
|
383d26 |
+++ b/slirp/tcp_subr.c
|
|
|
383d26 |
@@ -660,12 +660,12 @@ tcp_emu(struct socket *so, struct mbuf *m)
|
|
|
383d26 |
break;
|
|
|
383d26 |
}
|
|
|
383d26 |
}
|
|
|
383d26 |
+ so_rcv->sb_cc = snprintf(so_rcv->sb_data,
|
|
|
383d26 |
+ so_rcv->sb_datalen,
|
|
|
383d26 |
+ "%d,%d\r\n", n1, n2);
|
|
|
383d26 |
+ so_rcv->sb_rptr = so_rcv->sb_data;
|
|
|
383d26 |
+ so_rcv->sb_wptr = so_rcv->sb_data + so_rcv->sb_cc;
|
|
|
383d26 |
}
|
|
|
383d26 |
- so_rcv->sb_cc = snprintf(so_rcv->sb_data,
|
|
|
383d26 |
- so_rcv->sb_datalen,
|
|
|
383d26 |
- "%d,%d\r\n", n1, n2);
|
|
|
383d26 |
- so_rcv->sb_rptr = so_rcv->sb_data;
|
|
|
383d26 |
- so_rcv->sb_wptr = so_rcv->sb_data + so_rcv->sb_cc;
|
|
|
383d26 |
}
|
|
|
383d26 |
m_free(m);
|
|
|
383d26 |
return 0;
|
|
|
383d26 |
--
|
|
|
383d26 |
1.8.3.1
|
|
|
383d26 |
|