|
 |
958e1b |
From 00e16a0908803bf1e796864511862067a763e95e Mon Sep 17 00:00:00 2001
|
|
|
958e1b |
From: Miroslav Rezanina <mrezanin@redhat.com>
|
|
|
958e1b |
Date: Thu, 23 Oct 2014 09:19:24 +0200
|
|
|
958e1b |
Subject: [PATCH 1/9] slirp: udp: fix NULL pointer dereference because of
|
|
|
958e1b |
uninitialized socket
|
|
|
958e1b |
|
|
|
958e1b |
Message-id: <1414055964-27479-1-git-send-email-mrezanin@redhat.com>
|
|
|
958e1b |
Patchwork-id: 61832
|
|
|
958e1b |
O-Subject: [RHEL-7.1 qemu-kvm PATCH] slirp: udp: fix NULL pointer dereference because of uninitialized socket
|
|
|
958e1b |
Bugzilla: 1144820
|
|
|
958e1b |
RH-Acked-by: Petr Matousek <pmatouse@redhat.com>
|
|
|
958e1b |
RH-Acked-by: Stefan Hajnoczi <stefanha@redhat.com>
|
|
|
958e1b |
RH-Acked-by: Amos Kong <akong@redhat.com>
|
|
|
958e1b |
|
|
|
958e1b |
From: Petr Matousek <pmatouse@redhat.com>
|
|
|
958e1b |
|
|
|
958e1b |
When guest sends udp packet with source port and source addr 0,
|
|
|
958e1b |
uninitialized socket is picked up when looking for matching and already
|
|
|
958e1b |
created udp sockets, and later passed to sosendto() where NULL pointer
|
|
|
958e1b |
dereference is hit during so->slirp->vnetwork_mask.s_addr access.
|
|
|
958e1b |
|
|
|
958e1b |
Fix this by checking that the socket is not just a socket stub.
|
|
|
958e1b |
|
|
|
958e1b |
This is CVE-2014-3640.
|
|
|
958e1b |
|
|
|
958e1b |
Signed-off-by: Petr Matousek <pmatouse@redhat.com>
|
|
|
958e1b |
Reported-by: Xavier Mehrenberger <xavier.mehrenberger@airbus.com>
|
|
|
958e1b |
Reported-by: Stephane Duverger <stephane.duverger@eads.net>
|
|
|
958e1b |
Reviewed-by: Jan Kiszka <jan.kiszka@siemens.com>
|
|
|
958e1b |
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
|
|
|
958e1b |
Reviewed-by: Michael Tokarev <mjt@tls.msk.ru>
|
|
|
958e1b |
Message-id: 20140918063537.GX9321@dhcp-25-225.brq.redhat.com
|
|
|
958e1b |
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
|
|
|
958e1b |
(cherry picked from commit 01f7cecf0037997cb0e58ec0d56bf9b5a6f7cb2a)
|
|
|
958e1b |
Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
|
|
|
958e1b |
---
|
|
|
958e1b |
slirp/udp.c | 2 +-
|
|
|
958e1b |
1 file changed, 1 insertion(+), 1 deletion(-)
|
|
|
958e1b |
|
|
|
958e1b |
diff --git a/slirp/udp.c b/slirp/udp.c
|
|
|
958e1b |
index b105f87..2188176 100644
|
|
|
958e1b |
--- a/slirp/udp.c
|
|
|
958e1b |
+++ b/slirp/udp.c
|
|
|
958e1b |
@@ -152,7 +152,7 @@ udp_input(register struct mbuf *m, int iphlen)
|
|
|
958e1b |
* Locate pcb for datagram.
|
|
|
958e1b |
*/
|
|
|
958e1b |
so = slirp->udp_last_so;
|
|
|
958e1b |
- if (so->so_lport != uh->uh_sport ||
|
|
|
958e1b |
+ if (so == &slirp->udb || so->so_lport != uh->uh_sport ||
|
|
|
958e1b |
so->so_laddr.s_addr != ip->ip_src.s_addr) {
|
|
|
958e1b |
struct socket *tmp;
|
|
|
958e1b |
|
|
|
958e1b |
--
|
|
|
958e1b |
1.8.3.1
|
|
|
958e1b |
|