[Slirp] [PATCH 1/2] Do not reassemble fragments pointing outside of the original payload
P J P
ppandit at redhat.com
Thu Aug 29 11:13:56 UTC 2019
+-- On Mon, 26 Aug 2019, Samuel Thibault wrote --+
| Philippe Mathieu-Daudé, on Fri 23 Aug 2019 17:15:32 +0200, wrote:
| > > Did you make your test with commit 126c04acbabd ("Fix heap overflow in
| > > ip_reass on big packet input") applied?
| >
| > Yes, unfortunately it doesn't fix the issue.
|
| Ok.
|
| Could you try the attached patch? There was a use-after-free. Without
| it, I can indeed crash qemu with the given exploit. With it I don't
| seem to be able to crash it (trying in a loop for several minutes).
Considering that the earlier fix was released/pulled into upstream QEMU v4.1.0, we
need to treat this one as a separate issue.
commit c59279437eda91841b9d26079c70b8a540d41204
Author: Samuel Thibault <samuel.thibault at ens-lyon.org>
Date: Mon Aug 26 00:55:03 2019 +0200
ip_reass: Fix use after free
Using ip_deq after m_free might read pointers from an allocation reuse.
I'll follow up on that.
Thank you.
--
Prasad J Pandit / Red Hat Product Security Team
47AF CE69 3A90 54AA 9045 1053 DD13 3D32 FE5B 041F
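The ordering problem named in the commit message above (ip_deq called after m_free), shown as an added example that is not code from this thread or from libslirp: a toy circular fragment list with an ip_enq/ip_deq style unlink, and a toy allocator that, like real ones, stores its free-list links inside the freed block. Every name here (node, list_remove, pool_free, demo_remove) is this example's own, and the four-fragment queue is constructed input. Because the pool is a static array, the wrong ordering corrupts the list deterministically instead of crashing, which makes the effect checkable.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Stand-in for the intrusive circular list that ip_enq/ip_deq maintain.
 * Field and function names are this example's own, not libslirp's. */
struct node {
    struct node *next;
    struct node *prev;
    int id;             /* fragment number; -1 once the block is freed */
};

static void list_init(struct node *head) { head->next = head->prev = head; }

static void list_insert_before(struct node *pos, struct node *n) {
    n->next = pos;
    n->prev = pos->prev;
    pos->prev->next = n;
    pos->prev = n;
}

/* The dequeue: like ip_deq it trusts n->prev / n->next and writes through both. */
static void list_remove(struct node *n) {
    n->prev->next = n->next;
    n->next->prev = n->prev;
}

/* Toy allocator standing in for m_free. Freed blocks are threaded onto a
 * free list through the SAME two link words, the way real allocators keep
 * fd/bk style metadata inside a freed chunk. */
#define POOL_SIZE 8
static struct node pool[POOL_SIZE];
static struct node free_head;              /* sentinel of the free list */

static void pool_reset(void) {
    list_init(&free_head);
    for (int i = 0; i < POOL_SIZE; i++) {
        pool[i].id = -1;
        list_insert_before(&free_head, &pool[i]);
    }
}

static struct node *pool_alloc(int id) {
    if (free_head.next == &free_head)
        return NULL;                       /* pool exhausted */
    struct node *n = free_head.next;
    list_remove(n);
    n->next = n->prev = NULL;
    n->id = id;
    return n;
}

static void pool_free(struct node *n) {
    n->id = -1;
    list_insert_before(&free_head, n);     /* clobbers n->next and n->prev */
}

/* Walk the live queue with a step bound so a corrupted list cannot spin.
 * Returns the element count, or -1 if a freed block is reachable or the
 * walk never gets back to the head. */
static int queue_check(const struct node *head) {
    int len = 0;
    for (const struct node *n = head->next; n != head; n = n->next) {
        if (n->id == -1 || ++len > POOL_SIZE)
            return -1;
    }
    return len;
}

/* The ordering the commit message describes: free first, then dequeue.
 * list_remove() reads link words pool_free() has already overwritten, so
 * the unlink lands on the free list and the queue keeps the dead block. */
static void free_then_remove_WRONG(struct node *n) {
    pool_free(n);
    list_remove(n);
}

/* The fixed ordering: unlink while the links are still valid, then free. */
static void remove_then_free_OK(struct node *n) {
    list_remove(n);
    pool_free(n);
}

/* Build a four-fragment queue (constructed input), drop fragment 3 either
 * way, and report queue_check() on what is left. */
static int demo_remove(bool fixed_order) {
    struct node head;
    struct node *victim = NULL;

    pool_reset();
    list_init(&head);
    for (int id = 1; id <= 4; id++) {
        struct node *n = pool_alloc(id);
        list_insert_before(&head, n);
        if (id == 3)
            victim = n;
    }
    if (fixed_order)
        remove_then_free_OK(victim);
    else
        free_then_remove_WRONG(victim);
    return queue_check(&head);
}

int main(void) {
    printf("free then deq: queue_check = %d\n", demo_remove(false));
    printf("deq then free: queue_check = %d\n", demo_remove(true));
    return 0;
}
```

With the fixed ordering the queue still holds fragments 1, 2 and 4; with the wrong ordering the walk from the head reaches a freed block whose links now point into the allocator's free list, which is exactly the "pointers from an allocation reuse" the commit message warns about. On a real heap the same read is undefined behaviour and is what turns into a crash or worse.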