File 0180-tcp_emu-Fix-oob-access.patch of Package qemu-testsuite.20395
From: Samuel Thibault <samuel.thibault@ens-lyon.org> Date: Wed, 8 Jan 2020 00:58:48 +0100 Subject: tcp_emu: Fix oob access Git-commit: 2655fffed7a9e765bcb4701dd876e9dab975f289 References: bsc#1161066, CVE2020-7039, bsc#1161066, CVS-2020-7039 The main loop only checks for one available byte, while we sometimes need two bytes. Signed-off-by: Bruce Rogers <brogers@suse.com> --- slirp/tcp_subr.c | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/slirp/tcp_subr.c b/slirp/tcp_subr.c index 10cf18d650092c291c29ea589756..1ff6d0929269fb0178a27c8d62aa 100644 --- a/slirp/tcp_subr.c +++ b/slirp/tcp_subr.c @@ -892,6 +892,9 @@ tcp_emu(struct socket *so, struct mbuf *m) break; case 5: + if (bptr == m->m_data + m->m_len - 1) + return 1; /* We need two bytes */ + /* * The difference between versions 1.0 and * 2.0 is here. For future versions of @@ -907,6 +910,10 @@ tcp_emu(struct socket *so, struct mbuf *m) /* This is the field containing the port * number that RA-player is listening to. */ + + if (bptr == m->m_data + m->m_len - 1) + return 1; /* We need two bytes */ + lport = (((u_char*)bptr)[0] << 8) + ((u_char *)bptr)[1]; if (lport < 6970)
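Review bot: In the first hunk (@@ -892, case 5), the guard `if (bptr == m->m_data + m->m_len - 1)` only fires when bptr sits exactly on the last byte, so it is correct only as long as bptr can never already be past that position when case 5 is entered. A relational test such as `bptr >= m->m_data + m->m_len - 1` would express "fewer than two bytes remain" without depending on that invariant. The guard also sits above the "difference between versions 1.0 and 2.0" comment, away from the read it protects, which is not in the visible context; moving it directly in front of that read, as the second hunk does, would make the pairing obvious.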
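Review bot: In the second hunk (@@ -907), the same pointer expression is copied a second time in front of the `lport = (((u_char*)bptr)[0] << 8) + ((u_char *)bptr)[1];` read, with the required width encoded only as the `- 1` constant. A small helper or macro that takes the number of bytes needed and compares it against the bytes remaining in the mbuf would remove the duplication and keep a later read of a different width from reusing the wrong constant. The comment "We need two bytes" also does not say what `return 1` means for the truncated packet (forwarded unchanged or dropped); a short note on that would help the next reader.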