| From b2663d527a1992ba98c0266458b21ada3b9d0d2e Mon Sep 17 00:00:00 2001 |
| From: Changqing Li <changqing.li@windriver.com> |
| Date: Thu, 27 Feb 2020 12:07:35 +0800 |
| Subject: [PATCH] tcp_emu: Fix oob access |
| |
| The main loop only checks for one available byte, while we sometimes |
| need two bytes. |
| |
| CVE: CVE-2020-7039 |
| Upstream-Status: Backport |
| [https://gitlab.freedesktop.org/slirp/libslirp/commit/2655fffed7a9e765bcb4701dd876e9dab975f289] |
| |
| Signed-off-by: Changqing Li <changqing.li@windriver.com> |
| --- |
| slirp/src/tcp_subr.c | 6 ++++++ |
| 1 file changed, 6 insertions(+) |
| |
| diff --git a/slirp/src/tcp_subr.c b/slirp/src/tcp_subr.c |
| index d6dd133..4bea2d4 100644 |
| --- a/slirp/src/tcp_subr.c |
| +++ b/slirp/src/tcp_subr.c |
| @@ -886,6 +886,8 @@ int tcp_emu(struct socket *so, struct mbuf *m) |
| break; |
| |
| case 5: |
| + if (bptr == m->m_data + m->m_len - 1) |
| + return 1; /* We need two bytes */ |
| /* |
| * The difference between versions 1.0 and |
| * 2.0 is here. For future versions of |
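Review bot: The new guard in `case 5` (and the identical one before the `lport` read in the next hunk) tests `bptr == m->m_data + m->m_len - 1`, which is sufficient only while the enclosing loop guarantees that `bptr` is strictly inside the buffer on entry, as the commit message implies. A remaining-length comparison states the requirement directly and stays safe if that invariant ever changes: `if (m->m_data + m->m_len - bptr < 2) return 1; /* need two bytes */`. Since the check now appears twice, a small static helper or macro would keep the two sites from drifting apart. The body of `case 5` and the rest of tcp_emu lie outside the hunk, so whether later accesses in this state need more than two bytes could not be checked here.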
| @@ -901,6 +903,10 @@ int tcp_emu(struct socket *so, struct mbuf *m) |
| /* This is the field containing the port |
| * number that RA-player is listening to. |
| */ |
| + |
| + if (bptr == m->m_data + m->m_len - 1) |
| + return 1; /* We need two bytes */ |
| + |
| lport = (((uint8_t *)bptr)[0] << 8) + ((uint8_t *)bptr)[1]; |
| if (lport < 6970) |
| lport += 256; /* don't know why */ |
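Review bot: The comment `/* We need two bytes */` explains why the read is skipped but not what the early `return 1` means for the segment. If that return value hands the mbuf on unmodified, as it appears to elsewhere in tcp_emu (not visible in this hunk), a port field split across two TCP segments is silently left untranslated. The comment should say so, for example `/* need 2 bytes for the port; forward segment untranslated */`. A debug log on this path would also make truncated or malformed control data visible during triage.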
| -- |
| 2.7.4 |
| |