debian/patches/extra/0004-Fix-heap-overflow-in-ip_reass-on-big-packet-input.patch

   1 From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
   2 From: Samuel Thibault <samuel.thibault@ens-lyon.org>
   3 Date: Sun, 28 Jul 2019 19:11:24 +0200
   4 Subject: [PATCH] Fix heap overflow in ip_reass on big packet input
   5
   6 When the first fragment does not fit in the preallocated buffer, q will
   7 already be pointing to the ext buffer, so we mustn't try to update it.
   8
   9 Signed-off-by: Samuel Thibault <samuel.thibault@ens-lyon.org>
  10 ---
  11  slirp/src/ip_input.c | 4 +++-
  12  1 file changed, 3 insertions(+), 1 deletion(-)
  13
  14 diff --git a/slirp/src/ip_input.c b/slirp/src/ip_input.c
  15 index a714fecd58..0ccb78317f 100644
  16 --- a/slirp/src/ip_input.c
  17 +++ b/slirp/src/ip_input.c
  18 @@ -331,6 +331,8 @@ insert:
  19      q = fp->frag_link.next;
  20         m = dtom(slirp, q);
  21
  22 +       int was_ext = m->m_flags & M_EXT;
  23 +
  24         q = (struct ipasfrag *) q->ipf_next;
  25         while (q != (struct ipasfrag*)&fp->frag_link) {
  26           struct mbuf *t = dtom(slirp, q);
  27 @@ -353,7 +355,7 @@ insert:
  28          * the old buffer (in the mbuf), so we must point ip
  29          * into the new buffer.
  30          */
  31 -       if (m->m_flags & M_EXT) {
  32 +       if (!was_ext && m->m_flags & M_EXT) {
  33           int delta = (char *)q - m->m_dat;
  34           q = (struct ipasfrag *)(m->m_ext + delta);
  35         }
  36 --
  37 2.20.1
  38