merge fix for CVE-2019-14378
[pve-qemu.git] / debian / patches / extra / 0004-Fix-heap-overflow-in-ip_reass-on-big-packet-input.patch
1 From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
2 From: Samuel Thibault <samuel.thibault@ens-lyon.org>
3 Date: Sun, 28 Jul 2019 19:11:24 +0200
4 Subject: [PATCH] Fix heap overflow in ip_reass on big packet input
5
6 When the first fragment does not fit in the preallocated buffer, q will
7 already be pointing to the ext buffer, so we mustn't try to update it.
8
9 Signed-off-by: Samuel Thibault <samuel.thibault@ens-lyon.org>
10 ---
11 slirp/src/ip_input.c | 4 +++-
12 1 file changed, 3 insertions(+), 1 deletion(-)
13
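diff --git a/slirp/src/ip_input.c b/slirp/src/ip_input.c
index a714fecd58..0ccb78317f 100644
--- a/slirp/src/ip_input.c
+++ b/slirp/src/ip_input.c
@@ -331,6 +331,8 @@ insert:
 q = fp->frag_link.next;
 m = dtom(slirp, q);
 
+int was_ext = m->m_flags & M_EXT;
+
 q = (struct ipasfrag *) q->ipf_next;
 while (q != (struct ipasfrag*)&fp->frag_link) {
 struct mbuf *t = dtom(slirp, q);
@@ -353,7 +355,7 @@ insert:
 * the old buffer (in the mbuf), so we must point ip
 * into the new buffer.
 */
-if (m->m_flags & M_EXT) {
+if (!was_ext && m->m_flags & M_EXT) {
 int delta = (char *)q - m->m_dat;
 q = (struct ipasfrag *)(m->m_ext + delta);
 }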
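Review bot: The new condition `if (!was_ext && m->m_flags & M_EXT) {` in the second hunk mixes a bitwise test with a logical one without parentheses; it parses as intended because `&` binds tighter than `&&`, but the line that guards the pointer re-basing deserves to be unambiguous at a glance, e.g. `if (!was_ext && (m->m_flags & M_EXT)) {`. The snapshot `int was_ext = m->m_flags & M_EXT;` in the first hunk also carries no comment, so the reason for it (the first fragment may already live in the ext buffer, in which case q already points there and the delta computed from m_dat would be meaningless) survives only in the commit message; a comment such as `/* Whether the first fragment was already in the ext buffer; if so, q already points into it and must not be re-based below. */` would keep that invariant next to the code. The enclosing function starts and ends outside both hunks.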
36 --
37 2.20.1
38