From 8cf51a309acf37f2d03ed5a0a31737b884ace3f0 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= Date: Fri, 17 Jan 2020 11:49:40 +0000 Subject: [PATCH 1/5] tcp_emu: Fix oob access MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit RH-Author: Philippe Mathieu-Daudé Message-id: <20200117114942.12236-2-philmd@redhat.com> Patchwork-id: 93393 O-Subject: [RHEL-7.7.z qemu-kvm-rhev + RHEL-7.8 qemu-kvm-rhev + RHEL-7.9 qemu-kvm-rhev + RHEL-8.1.0 qemu-kvm + RHEL-8.2.0 qemu-kvm + RHEL-7.7.z qemu-kvm-ma + RHEL-7.8 qemu-kvm-ma + RHEL-7.9 qemu-kvm-ma PATCH 1/3] tcp_emu: Fix oob access Bugzilla: 1791565 RH-Acked-by: Thomas Huth RH-Acked-by: Stefan Hajnoczi RH-Acked-by: Stefano Garzarella From: Samuel Thibault The main loop only checks for one available byte, while we sometimes need two bytes. (cherry picked from libslirp commit 2655fffed7a9e765bcb4701dd876e9dab975f289) [PMD: backported with style conflicts, CHANGELOG.md absent in downstream] Signed-off-by: Philippe Mathieu-Daudé Signed-off-by: Danilo C. L. de Paula --- slirp/tcp_subr.c | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/slirp/tcp_subr.c b/slirp/tcp_subr.c index 0152f72..decfd9b 100644 --- a/slirp/tcp_subr.c +++ b/slirp/tcp_subr.c @@ -892,6 +892,9 @@ tcp_emu(struct socket *so, struct mbuf *m) break; case 5: + if (bptr == m->m_data + m->m_len - 1) + return 1; /* We need two bytes */ + /* * The difference between versions 1.0 and * 2.0 is here. For future versions of @@ -907,6 +910,10 @@ tcp_emu(struct socket *so, struct mbuf *m) /* This is the field containing the port * number that RA-player is listening to. */ + + if (bptr == m->m_data + m->m_len - 1) + return 1; /* We need two bytes */ + lport = (((u_char*)bptr)[0] << 8) + ((u_char *)bptr)[1]; if (lport < 6970) -- 1.8.3.1