SUSE:SLE-15-SP7:GA
File 0113-tcp_emu-Fix-oob-access.patch of Package qemu.28156
From: Samuel Thibault <samuel.thibault@ens-lyon.org> Date: Wed, 8 Jan 2020 00:58:48 +0100 Subject: tcp_emu: Fix oob access Git-commit: 2655fffed7a9e765bcb4701dd876e9dab975f289 References: bsc#1161066, CVE-2020-7039, bsc#1163018, CVE-2020-8608 The main loop only checks for one available byte, while we sometimes need two bytes. Signed-off-by: Bruce Rogers <brogers@suse.com> --- slirp/tcp_subr.c | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/slirp/tcp_subr.c b/slirp/tcp_subr.c index fedf3f08c87f35765ed4fc6f6476..624ec008ba7943cbf6eacf7b23d2 100644 --- a/slirp/tcp_subr.c +++ b/slirp/tcp_subr.c @@ -888,6 +888,9 @@ tcp_emu(struct socket *so, struct mbuf *m) break; case 5: + if (bptr == m->m_data + m->m_len - 1) + return 1; /* We need two bytes */ + /* * The difference between versions 1.0 and * 2.0 is here. For future versions of @@ -903,6 +906,10 @@ tcp_emu(struct socket *so, struct mbuf *m) /* This is the field containing the port * number that RA-player is listening to. */ + + if (bptr == m->m_data + m->m_len - 1) + return 1; /* We need two bytes */ + lport = (((u_char*)bptr)[0] << 8) + ((u_char *)bptr)[1]; if (lport < 6970)
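Review bot: In the first hunk (`case 5:`), the new guard `if (bptr == m->m_data + m->m_len - 1)` matches exactly one position, so it is only sufficient while the main loop's invariant from the commit message (at least one byte available) holds on entry to this case. Comparing the remaining length instead, for example `if (m->m_data + m->m_len - bptr < 2)`, states the two-byte requirement directly and does not depend on that invariant. The comment `/* We need two bytes */` explains the condition but not the outcome; a few words on what `return 1` does with a short packet would help the next reader.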
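Review bot: In the second hunk (`@@ -903,6 +906,10 @@`), the guard placed before `lport = (((u_char*)bptr)[0] << 8) + ((u_char *)bptr)[1];` is a verbatim copy of the one added under `case 5:`; a small helper or macro for "fewer than two bytes left in the mbuf" would keep both sites consistent if the condition is ever tightened. The added blank line after the "This is the field containing the port number" comment also separates that comment from the `lport` read it describes, so the comment now appears to document the bounds check; placing the check above the comment, or dropping the blank line, would keep it attached to the right statement.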