Sign Up
Log In
Log In
or
Sign Up
Places
All Projects
Status Monitor
Collapse sidebar
SUSE:SLE-12-SP4:Update
xen.16555
CVE-2019-15890-qemut-slirp-use-after-free-durin...
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File CVE-2019-15890-qemut-slirp-use-after-free-during-packet-reassembly.patch of Package xen.16555
References: bsc#1149813 CVE-2019-15890 Subject: ip_reass: Fix use after free From: Samuel Thibault samuel.thibault@ens-lyon.org Mon Aug 26 00:55:03 2019 +0200 Date: Mon Aug 26 00:55:03 2019 +0200: Git: c59279437eda91841b9d26079c70b8a540d41204 Using ip_deq after m_free might read pointers from an allocation reuse. This would be difficult to exploit, but that is still related with CVE-2019-14378 which generates fragmented IP packets that would trigger this issue and at least produce a DoS. Signed-off-by: Samuel Thibault <samuel.thibault@ens-lyon.org> Index: xen-4.11.2-testing/tools/qemu-xen-traditional-dir-remote/slirp/ip_input.c =================================================================== --- xen-4.11.2-testing.orig/tools/qemu-xen-traditional-dir-remote/slirp/ip_input.c +++ xen-4.11.2-testing/tools/qemu-xen-traditional-dir-remote/slirp/ip_input.c @@ -335,6 +335,7 @@ ip_reass(register struct ip *ip, registe */ while (q != (struct ipasfrag*)&fp->frag_link && ip->ip_off + ip->ip_len > q->ipf_off) { + struct ipasfrag *prev; i = (ip->ip_off + ip->ip_len) - q->ipf_off; if (i < q->ipf_len) { q->ipf_len -= i; @@ -342,9 +343,10 @@ ip_reass(register struct ip *ip, registe m_adj(dtom(q), i); break; } + prev = q; q = q->ipf_next; - m_freem(dtom(q->ipf_prev)); - ip_deq(q->ipf_prev); + ip_deq(prev); + m_freem(dtom(prev)); } insert:
Locations
Projects
Search
Status Monitor
Help
OpenBuildService.org
Documentation
API Documentation
Code of Conduct
Contact
Support
@OBShq
Terms
openSUSE Build Service is sponsored by
The Open Build Service is an
openSUSE project
.
Sign Up
Log In
Places
Places
All Projects
Status Monitor