diff --git a/SOURCES/slirp4netns-CVE-2019-14378.patch b/SOURCES/slirp4netns-CVE-2019-14378.patch new file mode 100644 index 0000000..9696269 --- /dev/null +++ b/SOURCES/slirp4netns-CVE-2019-14378.patch @@ -0,0 +1,34 @@ +From 126c04acbabd7ad32c2b018fe10dfac2a3bc1210 Mon Sep 17 00:00:00 2001 +From: Samuel Thibault +Date: Sun, 28 Jul 2019 19:11:24 +0200 +Subject: [PATCH] Fix heap overflow in ip_reass on big packet input + +When the first fragment does not fit in the preallocated buffer, q will +already be pointing to the ext buffer, so we mustn't try to update it. + +Signed-off-by: Samuel Thibault +--- + src/ip_input.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff -up ./slirp4netns-c4e1bc5a5e6987f3a352ca524f13320a2d483398/qemu/slirp/ip_input.c.CVE-2019-14378 ./slirp4netns-c4e1bc5a5e6987f3a352ca524f13320a2d483398/qemu/slirp/ip_input.c +--- slirp4netns-c4e1bc5a5e6987f3a352ca524f13320a2d483398/qemu/slirp/ip_input.c.CVE-2019-14378 2019-09-27 11:04:30.215413671 +0200 ++++ slirp4netns-c4e1bc5a5e6987f3a352ca524f13320a2d483398/qemu/slirp/ip_input.c 2019-09-27 11:04:30.216413682 +0200 +@@ -333,6 +333,8 @@ insert: + q = fp->frag_link.next; + m = dtom(slirp, q); + ++ int was_ext = m->m_flags & M_EXT; ++ + q = (struct ipasfrag *) q->ipf_next; + while (q != (struct ipasfrag*)&fp->frag_link) { + struct mbuf *t = dtom(slirp, q); +@@ -355,7 +357,7 @@ insert: + * the old buffer (in the mbuf), so we must point ip + * into the new buffer. + */ +- if (m->m_flags & M_EXT) { ++ if (!was_ext && m->m_flags & M_EXT) { + int delta = (char *)q - m->m_dat; + q = (struct ipasfrag *)(m->m_ext + delta); + } diff --git a/SPECS/slirp4netns.spec b/SPECS/slirp4netns.spec index 8096d34..d292425 100644 --- a/SPECS/slirp4netns.spec +++ b/SPECS/slirp4netns.spec @@ -4,13 +4,14 @@ Name: slirp4netns Version: 0.1 -Release: 2.dev.git%{shortcommit0}%{?dist} +Release: 3.dev.git%{shortcommit0}%{?dist} # no go-md2man in ix86 and ppc64 ExcludeArch: %{ix86} ppc64 Summary: slirp for network namespaces License: GPLv2 URL: %{git0} Source0: %{git0}/archive/%{commit0}/%{name}-%{shortcommit0}.tar.gz +Patch0: slirp4netns-CVE-2019-14378.patch BuildRequires: autoconf BuildRequires: automake BuildRequires: gcc @@ -55,6 +56,9 @@ make DESTDIR=%{buildroot} install install-man %{_mandir}/man1/%{name}.1.gz %changelog +* Fri Sep 27 2019 Jindrich Novy - 0.1-3.dev.gitc4e1bc5 +- Fix CVE-2019-14378 (#1755595). + * Fri Nov 16 2018 Frantisek Kluknavsky - 0.1-2.dev.gitc4e1bc5 - changed summary