Picked from libslirp upstream: tcp_emu: Fix oob access (2655fffed7); slirp: use correct size while emulating IRC commands (ce131029d6); slirp: use correct size while emulating commands (82ebe9c370). Signed-off-by: Ying Fang <fangying1@huawei.com>
From 0f7224535cdfec549cd43a5ae4ccde936f50ee95 Mon Sep 17 00:00:00 2001
From: Samuel Thibault <samuel.thibault@ens-lyon.org>
Date: Wed, 11 Mar 2020 17:33:46 +0800
Subject: [PATCH] tcp_emu: Fix oob access
The main loop only checks for one available byte, while we sometimes
need two bytes.
---
slirp/src/tcp_subr.c | 6 ++++++
1 file changed, 6 insertions(+)
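diff --git a/slirp/src/tcp_subr.c b/slirp/src/tcp_subr.c
index fde9207b..4608942f 100644
--- a/slirp/src/tcp_subr.c
+++ b/slirp/src/tcp_subr.c
@@ -895,6 +895,9 @@ tcp_emu(struct socket *so, struct mbuf *m)
 break;
 
 case 5:
+if (bptr == m->m_data + m->m_len - 1)
+return 1; /* We need two bytes */
+
 /*
 * The difference between versions 1.0 and
 * 2.0 is here. For future versions of
@@ -910,6 +913,9 @@ tcp_emu(struct socket *so, struct mbuf *m)
 /* This is the field containing the port
 * number that RA-player is listening to.
 */
+if (bptr == m->m_data + m->m_len - 1)
+return 1; /* We need two bytes */
+
 lport = (((uint8_t*)bptr)[0] << 8)
 + ((uint8_t *)bptr)[1];
 if (lport < 6970)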
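Review bot: Both added guards (after `case 5:` in the first hunk and before the `lport` read in the second) test only for `bptr` being exactly the last byte, so they are correct only if the enclosing loop never advances `bptr` past `m->m_data + m->m_len - 1`; a remaining-length test does not depend on that, e.g. `if (m->m_data + m->m_len - bptr < 2) return 1; /* We need two bytes */`. Whether the loop maintains that invariant cannot be seen here, since tcp_emu's loop header and the rest of its body lie outside both hunks. The comment would also be more useful if it said what `return 1` does with the partially parsed command — presumably the segment is passed on unmodified and emulation continues on a later segment rather than the data being dropped — so a reader can tell the early exit is not a silent loss; confirm against the function's return convention.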
--
2.21.1 (Apple Git-122.3)