From 90b1929638fb5fed4e5fc65f95b7a76e339e0640 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= Date: Mon, 9 Sep 2019 09:13:33 +0200 Subject: [PATCH 01/12] Using ip_deq after m_free might read pointers from an allocation reuse. MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit RH-Author: Philippe Mathieu-Daudé Message-id: <20190909091333.18511-2-philmd@redhat.com> Patchwork-id: 90336 O-Subject: [RHEL-7.8 qemu-kvm PATCH 1/1] Using ip_deq after m_free might read pointers from an allocation reuse. Bugzilla: 1749735 RH-Acked-by: John Snow RH-Acked-by: Stefano Garzarella RH-Acked-by: Thomas Huth From: Samuel Thibault This would be difficult to exploit, but that is still related with CVE-2019-14378 which generates fragmented IP packets that would trigger this issue and at least produce a DoS. Signed-off-by: Samuel Thibault (cherry picked from libslirp commit c59279437eda91841b9d26079c70b8a540d41204) Signed-off-by: Philippe Mathieu-Daudé Signed-off-by: Miroslav Rezanina --- slirp/ip_input.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/slirp/ip_input.c b/slirp/ip_input.c index 5226224..9e95b40 100644 --- a/slirp/ip_input.c +++ b/slirp/ip_input.c @@ -296,6 +296,7 @@ ip_reass(Slirp *slirp, struct ip *ip, struct ipq *fp) */ while (q != (struct ipasfrag*)&fp->frag_link && ip->ip_off + ip->ip_len > q->ipf_off) { + struct ipasfrag *prev; i = (ip->ip_off + ip->ip_len) - q->ipf_off; if (i < q->ipf_len) { q->ipf_len -= i; @@ -303,9 +304,10 @@ ip_reass(Slirp *slirp, struct ip *ip, struct ipq *fp) m_adj(dtom(slirp, q), i); break; } + prev = q; q = q->ipf_next; - m_free(dtom(slirp, q->ipf_prev)); - ip_deq(q->ipf_prev); + ip_deq(prev); + m_free(dtom(slirp, prev)); } insert: -- 1.8.3.1