45 lines
1.4 KiB
Diff
45 lines
1.4 KiB
Diff
From 477c7aea5f2f9090c016c0a9813dc5901bd1b66a Mon Sep 17 00:00:00 2001
|
|
From: =?UTF-8?q?Marc-Andr=C3=A9=20Lureau?= <marcandre.lureau@redhat.com>
|
|
Date: Fri, 24 Apr 2020 11:36:41 +0800
|
|
Subject: [PATCH] Fix use-afte-free in ip_reass() (CVE-2020-1983)
|
|
MIME-Version: 1.0
|
|
Content-Type: text/plain; charset=UTF-8
|
|
Content-Transfer-Encoding: 8bit
|
|
|
|
The q pointer is updated when the mbuf data is moved from m_dat to
|
|
m_ext.
|
|
|
|
m_ext buffer may also be realloc()'ed and moved during m_cat():
|
|
q should also be updated in this case.
|
|
|
|
Reported-by: Aviv Sasson <asasson@paloaltonetworks.com>
|
|
Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
|
|
Reviewed-by: Samuel Thibault <samuel.thibault@ens-lyon.org>
|
|
|
|
diff --git a/slirp/src/ip_input.c b/slirp/src/ip_input.c
|
|
index 89ae04e0..7fdde631 100644
|
|
--- a/slirp/src/ip_input.c
|
|
+++ b/slirp/src/ip_input.c
|
|
@@ -333,7 +333,7 @@ insert:
|
|
q = fp->frag_link.next;
|
|
m = dtom(slirp, q);
|
|
|
|
- int was_ext = m->m_flags & M_EXT;
|
|
+ int delta = (char *)q - (m->m_flags & M_EXT ? m->m_ext : m->m_dat);
|
|
|
|
q = (struct ipasfrag *) q->ipf_next;
|
|
while (q != (struct ipasfrag*)&fp->frag_link) {
|
|
@@ -356,8 +356,7 @@ insert:
|
|
* then an m_ext buffer was alloced. But fp->ipq_next points to the old
|
|
* buffer (in the mbuf), so we must point ip into the new buffer.
|
|
*/
|
|
- if (!was_ext && m->m_flags & M_EXT) {
|
|
- int delta = (char *)q - m->m_dat;
|
|
+ if (m->m_flags & M_EXT) {
|
|
q = (struct ipasfrag *)(m->m_ext + delta);
|
|
}
|
|
|
|
--
|
|
2.23.0
|
|
|