bump version to 2.9.1-1

[pve-qemu.git] / debian / patches / extra / 0004-slirp-check-len-against-dhcp-options-array-end.patch

diff --git a/debian/patches/extra/0004-slirp-check-len-against-dhcp-options-array-end.patch b/debian/patches/extra/0004-slirp-check-len-against-dhcp-options-array-end.patch
new file mode 100644 (file)
index 0000000..bf86029
--- /dev/null
+++ b/debian/patches/extra/0004-slirp-check-len-against-dhcp-options-array-end.patch
@@ -0,0 +1,35 @@
+From 918e23903f5712274830bb20e2d5603bf5794af7 Mon Sep 17 00:00:00 2001
+From: Prasad J Pandit <pjp@fedoraproject.org>
+Date: Mon, 17 Jul 2017 17:33:26 +0530
+Subject: [PATCH 04/13] slirp: check len against dhcp options array end
+
+While parsing dhcp options string in 'dhcp_decode', if an options'
+length 'len' appeared towards the end of 'bp_vend' array, ensuing
+read could lead to an OOB memory access issue. Add check to avoid it.
+
+This is CVE-2017-11434.
+
+Reported-by: Reno Robert <renorobert@gmail.com>
+Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
+Signed-off-by: Samuel Thibault <samuel.thibault@ens-lyon.org>
+---
+ slirp/bootp.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/slirp/bootp.c b/slirp/bootp.c
+index 5a4646c182..5dd1a415b5 100644
+--- a/slirp/bootp.c
++++ b/slirp/bootp.c
+@@ -123,6 +123,9 @@ static void dhcp_decode(const struct bootp_t *bp, int *pmsg_type,
+             if (p >= p_end)
+                 break;
+             len = *p++;
++            if (p + len > p_end) {
++                break;
++            }
+             DPRINTF("dhcp: tag=%d len=%d\n", tag, len);
+ 
+             switch(tag) {
+-- 
+2.11.0
+