5a2a43fcb1
fix submodule slirp cve-2021-3592 cve-2021-3593 and cve-2021-3595 Signed-off-by: imxcc <xingchaochao@huawei.com> Signed-off-by: bobychen <boby.chen@huawei.com>
37 lines
1.0 KiB
Diff
37 lines
1.0 KiB
Diff
From 054a233306e781ae3cf66b386b67b68e8ac33c37 Mon Sep 17 00:00:00 2001
|
|
From: =?UTF-8?q?Marc-Andr=C3=A9=20Lureau?= <marcandre.lureau@redhat.com>
|
|
Date: Fri, 4 Jun 2021 16:32:55 +0400
|
|
Subject: [PATCH 4/6] upd6: check udp6_input buffer size
|
|
MIME-Version: 1.0
|
|
Content-Type: text/plain; charset=UTF-8
|
|
Content-Transfer-Encoding: 8bit
|
|
|
|
Fixes: CVE-2021-3593
|
|
Fixes: https://gitlab.freedesktop.org/slirp/libslirp/-/issues/45
|
|
|
|
Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
|
|
Signed-off-by: imxcc <xingchaochao@huawei.com>
|
|
---
|
|
slirp/src/udp6.c | 5 ++++-
|
|
1 file changed, 4 insertions(+), 1 deletion(-)
|
|
|
|
diff --git a/slirp/src/udp6.c b/slirp/src/udp6.c
|
|
index 6f9486bb..8c490e4d 100644
|
|
--- a/slirp/src/udp6.c
|
|
+++ b/slirp/src/udp6.c
|
|
@@ -28,7 +28,10 @@ void udp6_input(struct mbuf *m)
|
|
ip = mtod(m, struct ip6 *);
|
|
m->m_len -= iphlen;
|
|
m->m_data += iphlen;
|
|
- uh = mtod(m, struct udphdr *);
|
|
+ uh = mtod_check(m, sizeof(struct udphdr));
|
|
+ if (uh == NULL) {
|
|
+ goto bad;
|
|
+ }
|
|
m->m_len += iphlen;
|
|
m->m_data -= iphlen;
|
|
|
|
--
|
|
2.27.0
|
|
|