Sign Up
Log In
Log In
or
Sign Up
Places
All Projects
Status Monitor
Collapse sidebar
SUSE:SLE-15-SP1:GA
qemu.20749
0247-libslirp-slirp-Add-sanity-check-for.patch
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File 0247-libslirp-slirp-Add-sanity-check-for.patch of Package qemu.20749
From: Jose R Ziviani <jose.ziviani@suse.com> Date: Tue, 6 Jul 2021 19:51:56 -0600 Subject: libslirp: slirp: Add sanity check for str option length Git commit: 6fd057f7960bc7b3a69f3c53de5c9d0d5d34a79c References: bsc#1187364, CVE-2021-3592 When user provides a long domainname or hostname that doesn't fit in the DHCP packet, we mustn't overflow the response packet buffer. Instead, report errors, following the g_warning() in the slirp->vdnssearch branch. Also check the strlen against 256 when initializing slirp, which limit is also from the protocol where one byte represents the string length. This gives an early error before the warning which is harder to notice or diagnose. Reported-by: Thomas Huth <thuth@redhat.com> Reviewed-by: Thomas Huth <thuth@redhat.com> Cc: qemu-stable@nongnu.org Signed-off-by: Fam Zheng <famz@redhat.com> Tested-by: Gerd Hoffmann <kraxel@redhat.com> Signed-off-by: Samuel Thibault <samuel.thibault@ens-lyon.org> Signed-off-by: Jose R Ziviani <jose.ziviani@suse.com> --- slirp/bootp.c | 19 +++++++++++++------ 1 file changed, 13 insertions(+), 6 deletions(-) diff --git a/slirp/bootp.c b/slirp/bootp.c index 5dd1a415b59c5abb78808c4e0d96..567e332e758f0d69aefcdc1c97a5 100644 --- a/slirp/bootp.c +++ b/slirp/bootp.c @@ -159,6 +159,7 @@ static void bootp_reply(Slirp *slirp, const struct bootp_t *bp) struct in_addr preq_addr; int dhcp_msg_type, val; uint8_t *q; + uint8_t *end; uint8_t client_ethaddr[ETH_ALEN]; /* extract exact DHCP msg type */ @@ -240,6 +241,7 @@ static void bootp_reply(Slirp *slirp, const struct bootp_t *bp) rbp->bp_siaddr = saddr.sin_addr; /* Server IP address */ q = rbp->bp_vend; + end = (uint8_t *)&rbp[1]; memcpy(q, rfc1533_cookie, 4); q += 4; @@ -292,16 +294,20 @@ static void bootp_reply(Slirp *slirp, const struct bootp_t *bp) if (*slirp->client_hostname) { val = strlen(slirp->client_hostname); - *q++ = RFC1533_HOSTNAME; - *q++ = val; - memcpy(q, slirp->client_hostname, val); - q += val; + if (q + val + 2 >= end) { + g_warning("DHCP packet size exceeded, " + "omitting host name option."); + } else { + *q++ = RFC1533_HOSTNAME; + *q++ = val; + memcpy(q, slirp->client_hostname, val); + q += val; + } } if (slirp->vdnssearch) { - size_t spaceleft = sizeof(rbp->bp_vend) - (q - rbp->bp_vend); val = slirp->vdnssearch_len; - if (val + 1 > spaceleft) { + if (q + val >= end) { g_warning("DHCP packet size exceeded, " "omitting domain-search option."); } else { @@ -323,6 +329,7 @@ static void bootp_reply(Slirp *slirp, const struct bootp_t *bp) memcpy(q, nak_msg, sizeof(nak_msg) - 1); q += sizeof(nak_msg) - 1; } + assert(q < end); *q = RFC1533_END; daddr.sin_addr.s_addr = 0xffffffffu;
Locations
Projects
Search
Status Monitor
Help
OpenBuildService.org
Documentation
API Documentation
Code of Conduct
Contact
Support
@OBShq
Terms
openSUSE Build Service is sponsored by
The Open Build Service is an
openSUSE project
.
Sign Up
Log In
Places
Places
All Projects
Status Monitor