1 | From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 |
2 | From: Samuel Thibault <samuel.thibault@ens-lyon.org> | |
3 | Date: Mon, 26 Aug 2019 00:55:03 +0200 | |
4 | Subject: [PATCH] ip_reass: Fix use after free | |
5 | ||
6 | Using ip_deq after m_free might read pointers from an allocation reuse. | |
7 | ||
8 | This would be difficult to exploit, but it is still related to | |
9 | CVE-2019-14378 which generates fragmented IP packets that would trigger this | |
10 | issue and at least produce a DoS. | |
11 | ||
12 | Signed-off-by: Samuel Thibault <samuel.thibault@ens-lyon.org> | |
13 | (cherry picked from commit c59279437eda91841b9d26079c70b8a540d41204) | |
14 | Signed-off-by: Oguz Bektas <o.bektas@proxmox.com> | |
15 | --- | |
16 | src/ip_input.c | 6 ++++-- | |
17 | 1 file changed, 4 insertions(+), 2 deletions(-) | |
18 | ||
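diff --git a/slirp/src/ip_input.c b/slirp/src/ip_input.c
index 8c75d91..c07d7d4 100644
--- a/slirp/src/ip_input.c
+++ b/slirp/src/ip_input.c
@@ -292,6 +292,7 @@ static struct ip *ip_reass(Slirp *slirp, struct ip *ip, struct ipq *fp)
      */
     while (q != (struct ipasfrag *)&fp->frag_link &&
            ip->ip_off + ip->ip_len > q->ipf_off) {
+        struct ipasfrag *prev;
         i = (ip->ip_off + ip->ip_len) - q->ipf_off;
         if (i < q->ipf_len) {
             q->ipf_len -= i;
@@ -299,9 +300,10 @@ static struct ip *ip_reass(Slirp *slirp, struct ip *ip, struct ipq *fp)
             m_adj(dtom(slirp, q), i);
             break;
         }
+        prev = q;
         q = q->ipf_next;
-        m_free(dtom(slirp, q->ipf_prev));
-        ip_deq(q->ipf_prev);
+        ip_deq(prev);
+        m_free(dtom(slirp, prev));
     }
 
 insert: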
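Review bot: The new order `ip_deq(prev); m_free(dtom(slirp, prev));` is the whole fix, yet nothing in the code says why the two calls must not be swapped back, which is exactly how the use-after-free arose; a why-comment on the ip_deq line would protect it, e.g. `/* ip_deq() reads prev's link fields, so unlink before the mbuf is freed */`. The `struct ipasfrag *prev;` declaration at the top of the loop body is far from its only assignment; if the file already mixes declarations and statements, `struct ipasfrag *prev = q;` at the assignment site would keep them together (I cannot tell the file's convention from this hunk). A regression test feeding an overlapping fragment sequence through ip_reass under AddressSanitizer would pin the corrected order. The body of ip_reass starts and ends outside both hunks.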
44 | -- | |
45 | 2.20.1 | |