Sign Up
Log In
Log In
or
Sign Up
Places
All Projects
Status Monitor
Collapse sidebar
openSUSE:Step:FrontRunner
qemu-testsuite.19805
0160-slrip-ip_reass-Fix-use-after-free.patch
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File 0160-slrip-ip_reass-Fix-use-after-free.patch of Package qemu-testsuite.19805
From: Michael Roth <mdroth@linux.vnet.ibm.com> Date: Tue, 24 Sep 2019 12:18:07 -0500 Subject: slrip: ip_reass: Fix use after free Using ip_deq after m_free might read pointers from an allocation reuse. This would be difficult to exploit, but that is still related with CVE-2019-14378 which generates fragmented IP packets that would trigger this issue and at least produce a DoS. Signed-off-by: Samuel Thibault <samuel.thibault@ens-lyon.org> (from libslirp.git commit c59279437eda91841b9d26079c70b8a540d41204) Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com> [BR: BSC#1149811 CVE-2019-15890] Signed-off-by: Bruce Rogers <brogers@suse.com> --- slirp/ip_input.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/slirp/ip_input.c b/slirp/ip_input.c index 644b550d4e65f39112a6daf01bb9..6f6794b8b96c21b6dac2cd0ce79f 100644 --- a/slirp/ip_input.c +++ b/slirp/ip_input.c @@ -300,6 +300,7 @@ ip_reass(Slirp *slirp, struct ip *ip, struct ipq *fp) */ while (q != (struct ipasfrag*)&fp->frag_link && ip->ip_off + ip->ip_len > q->ipf_off) { + struct ipasfrag *prev; i = (ip->ip_off + ip->ip_len) - q->ipf_off; if (i < q->ipf_len) { q->ipf_len -= i; @@ -307,9 +308,10 @@ ip_reass(Slirp *slirp, struct ip *ip, struct ipq *fp) m_adj(dtom(slirp, q), i); break; } + prev = q; q = q->ipf_next; - m_free(dtom(slirp, q->ipf_prev)); - ip_deq(q->ipf_prev); + ip_deq(prev); + m_free(dtom(slirp, prev)); } insert:
Locations
Projects
Search
Status Monitor
Help
OpenBuildService.org
Documentation
API Documentation
Code of Conduct
Contact
Support
@OBShq
Terms
openSUSE Build Service is sponsored by
The Open Build Service is an
openSUSE project
.
Sign Up
Log In
Places
Places
All Projects
Status Monitor