qemu/tcp_emu-Fix-oob-access.patch

From 0f7224535cdfec549cd43a5ae4ccde936f50ee95 Mon Sep 17 00:00:00 2001
From: Samuel Thibault <samuel.thibault@ens-lyon.org>
Date: Wed, 11 Mar 2020 17:33:46 +0800
Subject: [PATCH] tcp_emu: Fix oob access

The main loop only checks for one available byte, while we sometimes
need two bytes.
---
 slirp/src/tcp_subr.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/slirp/src/tcp_subr.c b/slirp/src/tcp_subr.c
index fde9207b..4608942f 100644
--- a/slirp/src/tcp_subr.c
+++ b/slirp/src/tcp_subr.c
@@ -895,6 +895,9 @@ tcp_emu(struct socket *so, struct mbuf *m)
 				break;
 
 			 case 5:
+				if (bptr == m->m_data + m->m_len - 1)
+					return 1; /* We need two bytes */
+
 				/*
 				 * The difference between versions 1.0 and
 				 * 2.0 is here. For future versions of
@@ -910,6 +913,9 @@ tcp_emu(struct socket *so, struct mbuf *m)
 				/* This is the field containing the port
 				 * number that RA-player is listening to.
 				 */
+				if (bptr == m->m_data + m->m_len - 1)
+					return 1; /* We need two bytes */
+
 				lport = (((uint8_t*)bptr)[0] << 8)
 				+ ((uint8_t *)bptr)[1];
 				if (lport < 6970)
-- 
2.21.1 (Apple Git-122.3)
slirp: Fix libslirp CVE-2020-7039 Picked from libslirp upstream: tcp_emu: Fix oob access https://gitlab.freedesktop.org/slirp/libslirp/commit/2655fffed7a9e765bcb4701dd876e9dab975f289 slirp: use correct size while emulating IRC commands https://gitlab.freedesktop.org/slirp/libslirp/commit/ce131029d6d4a405cb7d3ac6716d03e58fb4a5d9 slirp: use correct size while emulating commands https://gitlab.freedesktop.org/slirp/libslirp/commit/82ebe9c370a0e2970fb5695aa19aa5214a6a1c80 Signed-off-by: Ying Fang <fangying1@huawei.com> 2020-03-11 19:12:43 +08:00			`From 0f7224535cdfec549cd43a5ae4ccde936f50ee95 Mon Sep 17 00:00:00 2001`
			`From: Samuel Thibault <samuel.thibault@ens-lyon.org>`
			`Date: Wed, 11 Mar 2020 17:33:46 +0800`
			`Subject: [PATCH] tcp_emu: Fix oob access`

			`The main loop only checks for one available byte, while we sometimes`
			`need two bytes.`
			`---`
			`slirp/src/tcp_subr.c \| 6 ++++++`
			`1 file changed, 6 insertions(+)`

			`diff --git a/slirp/src/tcp_subr.c b/slirp/src/tcp_subr.c`
			`index fde9207b..4608942f 100644`
			`--- a/slirp/src/tcp_subr.c`
			`+++ b/slirp/src/tcp_subr.c`
			`@@ -895,6 +895,9 @@ tcp_emu(struct socket so, struct mbuf m)`
			`break;`

			`case 5:`
			`+ if (bptr == m->m_data + m->m_len - 1)`
			`+ return 1; /* We need two bytes */`
			`+`
			`/*`
			`* The difference between versions 1.0 and`
			`* 2.0 is here. For future versions of`
			`@@ -910,6 +913,9 @@ tcp_emu(struct socket so, struct mbuf m)`
			`/* This is the field containing the port`
			`* number that RA-player is listening to.`
			`*/`
			`+ if (bptr == m->m_data + m->m_len - 1)`
			`+ return 1; /* We need two bytes */`
			`+`
			`lport = (((uint8_t*)bptr)[0] << 8)`
			`+ ((uint8_t *)bptr)[1];`
			`if (lport < 6970)`
			`--`
			`2.21.1 (Apple Git-122.3)`