[pve-qemu.git] / debian / patches / extra / 0003-ip_reass-Fix-use-after-free.patch

From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Samuel Thibault <samuel.thibault@ens-lyon.org>
Date: Mon, 26 Aug 2019 00:55:03 +0200
Subject: [PATCH] ip_reass: Fix use after free

Using ip_deq after m_free might read pointers from an allocation reuse.

This would be difficult to exploit, but that is still related with
CVE-2019-14378 which generates fragmented IP packets that would trigger this
issue and at least produce a DoS.

Signed-off-by: Samuel Thibault <samuel.thibault@ens-lyon.org>
(cherry picked from commit c59279437eda91841b9d26079c70b8a540d41204)
Signed-off-by: Oguz Bektas <o.bektas@proxmox.com>
---
 src/ip_input.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/slirp/src/ip_input.c b/slirp/src/ip_input.c
index 8c75d91..c07d7d4 100644
--- a/slirp/src/ip_input.c
+++ b/slirp/src/ip_input.c
@@ -292,6 +292,7 @@ static struct ip *ip_reass(Slirp *slirp, struct ip *ip, struct ipq *fp)
      */
     while (q != (struct ipasfrag *)&fp->frag_link &&
            ip->ip_off + ip->ip_len > q->ipf_off) {
+        struct ipasfrag *prev;
         i = (ip->ip_off + ip->ip_len) - q->ipf_off;
         if (i < q->ipf_len) {
             q->ipf_len -= i;
@@ -299,9 +300,10 @@ static struct ip *ip_reass(Slirp *slirp, struct ip *ip, struct ipq *fp)
             m_adj(dtom(slirp, q), i);
             break;
         }
+        prev = q;
         q = q->ipf_next;
-        m_free(dtom(slirp, q->ipf_prev));
-        ip_deq(q->ipf_prev);
+        ip_deq(prev);
+        m_free(dtom(slirp, prev));
     }
 
 insert:
-- 
2.20.1
Commit	Line	Data
1be32c85 OB	1	From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
	2	From: Samuel Thibault <samuel.thibault@ens-lyon.org>
	3	Date: Mon, 26 Aug 2019 00:55:03 +0200
	4	Subject: [PATCH] ip_reass: Fix use after free
	5
	6	Using ip_deq after m_free might read pointers from an allocation reuse.
	7
	8	This would be difficult to exploit, but that is still related with
	9	CVE-2019-14378 which generates fragmented IP packets that would trigger this
	10	issue and at least produce a DoS.
	11
	12	Signed-off-by: Samuel Thibault <samuel.thibault@ens-lyon.org>
	13	(cherry picked from commit c59279437eda91841b9d26079c70b8a540d41204)
	14	Signed-off-by: Oguz Bektas <o.bektas@proxmox.com>
	15	---
	16	src/ip_input.c \| 6 ++++--
	17	1 file changed, 4 insertions(+), 2 deletions(-)
	18
	19	diff --git a/slirp/src/ip_input.c b/slirp/src/ip_input.c
	20	index 8c75d91..c07d7d4 100644
	21	--- a/slirp/src/ip_input.c
	22	+++ b/slirp/src/ip_input.c
	23	@@ -292,6 +292,7 @@ static struct ip ip_reass(Slirp slirp, struct ip ip, struct ipq fp)
	24	*/
	25	while (q != (struct ipasfrag *)&fp->frag_link &&
	26	ip->ip_off + ip->ip_len > q->ipf_off) {
	27	+ struct ipasfrag *prev;
	28	i = (ip->ip_off + ip->ip_len) - q->ipf_off;
	29	if (i < q->ipf_len) {
	30	q->ipf_len -= i;
	31	@@ -299,9 +300,10 @@ static struct ip ip_reass(Slirp slirp, struct ip ip, struct ipq fp)
	32	m_adj(dtom(slirp, q), i);
	33	break;
	34	}
	35	+ prev = q;
	36	q = q->ipf_next;
	37	- m_free(dtom(slirp, q->ipf_prev));
	38	- ip_deq(q->ipf_prev);
	39	+ ip_deq(prev);
	40	+ m_free(dtom(slirp, prev));
	41	}
	42
	43	insert:
	44	--
	45	2.20.1
	46