Sign Up
Log In
Log In
or
Sign Up
Places
All Projects
Status Monitor
Collapse sidebar
SUSE:SLE-12-SP5:Update
xen.23721
CVE-2021-3592-3594-3595-qemut-prereq1.patch
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File CVE-2021-3592-3594-3595-qemut-prereq1.patch of Package xen.23721
Subject: slirp: Add sanity check for str option length From: Fam Zheng famz@redhat.com Fri Sep 14 15:26:15 2018 +0800 Date: Thu Mar 21 15:47:26 2019 -0500: Git: 70b8acfa0d496ccc796ab183581c98fd8574163e When user provides a long domainname or hostname that doesn't fit in the DHCP packet, we mustn't overflow the response packet buffer. Instead, report errors, following the g_warning() in the slirp->vdnssearch branch. Also check the strlen against 256 when initializing slirp, which limit is also from the protocol where one byte represents the string length. This gives an early error before the warning which is harder to notice or diagnose. Reported-by: Thomas Huth <thuth@redhat.com> Reviewed-by: Thomas Huth <thuth@redhat.com> Cc: qemu-stable@nongnu.org Signed-off-by: Fam Zheng <famz@redhat.com> Tested-by: Gerd Hoffmann <kraxel@redhat.com> Signed-off-by: Samuel Thibault <samuel.thibault@ens-lyon.org> (cherry picked from commit 6e157a0339793bb081705f52318fc77afd10addf) Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com> Index: xen-4.7.6-testing/tools/qemu-xen-traditional-dir-remote/net.c =================================================================== --- xen-4.7.6-testing.orig/tools/qemu-xen-traditional-dir-remote/net.c +++ xen-4.7.6-testing/tools/qemu-xen-traditional-dir-remote/net.c @@ -1709,7 +1709,11 @@ int net_client_init(const char *device, if (!strcmp(device, "user")) { if (get_param_value(buf, sizeof(buf), "hostname", p)) { pstrcpy(slirp_hostname, sizeof(slirp_hostname), buf); - } + if (slirp_hostname && strlen(slirp_hostname) > 255) { + fprintf(stderr, "'vhostname' parameter cannot exceed 255 bytes\n"); + return -1; + } + } if (get_param_value(buf, sizeof(buf), "restrict", p)) { slirp_restrict = (buf[0] == 'y') ? 1 : 0; } Index: xen-4.7.6-testing/tools/qemu-xen-traditional-dir-remote/slirp/bootp.c =================================================================== --- xen-4.7.6-testing.orig/tools/qemu-xen-traditional-dir-remote/slirp/bootp.c +++ xen-4.7.6-testing/tools/qemu-xen-traditional-dir-remote/slirp/bootp.c @@ -136,6 +136,7 @@ static void bootp_reply(struct bootp_t * struct in_addr dns_addr; int dhcp_msg_type, val; uint8_t *q; + uint8_t *end; /* extract exact DHCP msg type */ dhcp_decode(bp->bp_vend, DHCP_OPT_LEN, &dhcp_msg_type); @@ -197,6 +198,7 @@ static void bootp_reply(struct bootp_t * daddr.sin_addr.s_addr = 0xffffffffu; q = rbp->bp_vend; + end = (uint8_t *)&rbp[1]; memcpy(q, rfc1533_cookie, 4); q += 4; @@ -245,12 +247,17 @@ static void bootp_reply(struct bootp_t * if (*slirp_hostname) { val = strlen(slirp_hostname); - *q++ = RFC1533_HOSTNAME; - *q++ = val; - memcpy(q, slirp_hostname, val); - q += val; + if (q + val + 2 >= end) { + dprintf("DHCP packet size exceeded, omitting host name option."); + } else { + *q++ = RFC1533_HOSTNAME; + *q++ = val; + memcpy(q, slirp_hostname, val); + q += val; + } } } + assert(q < end); *q++ = RFC1533_END; m->m_len = sizeof(struct bootp_t) -
Locations
Projects
Search
Status Monitor
Help
OpenBuildService.org
Documentation
API Documentation
Code of Conduct
Contact
Support
@OBShq
Terms
openSUSE Build Service is sponsored by
The Open Build Service is an
openSUSE project
.
Sign Up
Log In
Places
Places
All Projects
Status Monitor