From 49fbfce352a678b538113598cba05c48281174a4 Mon Sep 17 00:00:00 2001

From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= <philmd@redhat.com>

Date: Wed, 24 Jul 2019 15:53:34 +0100

Subject: [PATCH 09/14] slirp: check sscanf result when emulating ident

MIME-Version: 1.0

Content-Type: text/plain; charset=UTF-8

Content-Transfer-Encoding: 8bit

RH-Author: Philippe Mathieu-Daudé <philmd@redhat.com>

Message-id: <20190724155337.25303-2-philmd@redhat.com>

Patchwork-id: 89675

O-Subject: [RHEL-8.1.0 qemu-kvm PATCH v2 1/4] slirp: check sscanf result when emulating ident

Bugzilla: 1727642

RH-Acked-by: Stefan Hajnoczi <stefanha@redhat.com>

RH-Acked-by: Marc-André Lureau <marcandre.lureau@redhat.com>

RH-Acked-by: Thomas Huth <thuth@redhat.com>

From: William Bowling <will@wbowling.info>

When emulating ident in tcp_emu, if the strchr checks passed but the

sscanf check failed, two uninitialized variables would be copied and

sent in the reply, so move this code inside the if(sscanf()) clause.

Signed-off-by: William Bowling <will@wbowling.info>

Cc: qemu-stable@nongnu.org

Cc: secalert@redhat.com

Message-Id: <1551476756-25749-1-git-send-email-will@wbowling.info>

Signed-off-by: Samuel Thibault <samuel.thibault@ens-lyon.org>

Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>

(cherry picked from commit d3222975c7d6cda9e25809dea05241188457b113)

Fixes: CVE-2019-9824

Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>

Signed-off-by: Danilo C. L. de Paula <ddepaula@redhat.com>

---

 slirp/tcp_subr.c | 10 +++++-----

 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/slirp/tcp_subr.c b/slirp/tcp_subr.c

index 1c7eb28..af1b3eb 100644

--- a/slirp/tcp_subr.c

+++ b/slirp/tcp_subr.c

@@ -665,12 +665,12 @@ tcp_emu(struct socket *so, struct mbuf *m)

 							break;

 						}

 					}

+					so_rcv->sb_cc = snprintf(so_rcv->sb_data,

+								 so_rcv->sb_datalen,

+								 "%d,%d\r\n", n1, n2);

+					so_rcv->sb_rptr = so_rcv->sb_data;

+					so_rcv->sb_wptr = so_rcv->sb_data + so_rcv->sb_cc;

 				}

-                                so_rcv->sb_cc = snprintf(so_rcv->sb_data,

-                                                         so_rcv->sb_datalen,

-                                                         "%d,%d\r\n", n1, n2);

-				so_rcv->sb_rptr = so_rcv->sb_data;

-				so_rcv->sb_wptr = so_rcv->sb_data + so_rcv->sb_cc;

 			}

 			m_free(m);

 			return 0;

-- 

1.8.3.1