Pablo Greco e6a3ae
From a0b2e40bae795bfcf58492e0081665a29a2cc9e2 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= <philmd@redhat.com>
Date: Fri, 17 Jan 2020 11:49:40 +0100
Subject: [PATCH 5/7] tcp_emu: Fix oob access
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
RH-Author: Philippe Mathieu-Daudé <philmd@redhat.com>
Message-id: <20200117114942.12236-2-philmd@redhat.com>
Patchwork-id: 93393
O-Subject: [RHEL-7.7.z qemu-kvm-rhev + RHEL-7.8 qemu-kvm-rhev + RHEL-7.9 qemu-kvm-rhev + RHEL-8.1.0 qemu-kvm + RHEL-8.2.0 qemu-kvm + RHEL-7.7.z qemu-kvm-ma + RHEL-7.8 qemu-kvm-ma + RHEL-7.9 qemu-kvm-ma PATCH 1/3] tcp_emu: Fix oob access
Bugzilla: 1791566
RH-Acked-by: Stefano Garzarella <sgarzare@redhat.com>
RH-Acked-by: Stefan Hajnoczi <stefanha@redhat.com>
RH-Acked-by: Thomas Huth <thuth@redhat.com>
From: Samuel Thibault <samuel.thibault@ens-lyon.org>
The main loop only checks for one available byte, while we sometimes
need two bytes.
(cherry picked from libslirp commit 2655fffed7a9e765bcb4701dd876e9dab975f289)
[PMD: backported with style conflicts,
      CHANGELOG.md absent in downstream]
Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
---
 slirp/tcp_subr.c | 7 +++++++
 1 file changed, 7 insertions(+)
diff --git a/slirp/tcp_subr.c b/slirp/tcp_subr.c
index 0152f72..decfd9b 100644
--- a/slirp/tcp_subr.c
+++ b/slirp/tcp_subr.c
@@ -892,6 +892,9 @@ tcp_emu(struct socket *so, struct mbuf *m)
 				break;
 
 			 case 5:
+				if (bptr == m->m_data + m->m_len - 1)
+					return 1; /* We need two bytes */
+
 				/*
 				 * The difference between versions 1.0 and
 				 * 2.0 is here. For future versions of
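Review bot: the new guard `if (bptr == m->m_data + m->m_len - 1)` in case 5 only catches the situation where exactly one byte is left, so it is correct solely because of the invariant from the commit message that the main loop already guarantees one byte at `bptr`; writing it as `bptr >= m->m_data + m->m_len - 1` would keep the check safe even if that caller invariant changes later. It would also help to state in the `/* We need two bytes */` comment that the second byte being protected is `bptr[1]`, so the connection between the bound check and the read it guards is explicit to the next reader.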
@@ -907,6 +910,10 @@ tcp_emu(struct socket *so, struct mbuf *m)
 				/* This is the field containing the port
 				 * number that RA-player is listening to.
 				 */
+
+				if (bptr == m->m_data + m->m_len - 1)
+					return 1; /* We need two bytes */
+
 				lport = (((u_char*)bptr)[0] << 8)
 				+ ((u_char *)bptr)[1];
 				if (lport < 6970)
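Review bot: the added blank line between the "port number that RA-player is listening to" comment block and the new length check separates that comment from the `lport = (((u_char*)bptr)[0] << 8) + ((u_char *)bptr)[1];` read it documents; dropping the leading blank line of the addition keeps comment, check and two-byte read together as one unit. The check is also a verbatim copy of the one added in case 5, so a small static inline helper (for example a hypothetical `ra_need_two_bytes(bptr, m)`) would remove the duplication and leave a single place to adjust the comparison if the main loop's one-byte guarantee is ever changed.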
-- 
1.8.3.1