[Slirp] [PATCH] libslirp: fix NULL pointer dereference in tcp_sockclosed
Marc-André Lureau
marcandre.lureau at gmail.com
Sun Dec 1 08:16:29 UTC 2019
Hi
On Sun, Dec 1, 2019 at 12:09 PM <pannengyuan at huawei.com> wrote:
>
> From: PanNengyuan <pannengyuan at huawei.com>
>
> qemu crashes with a segfault (NULL pointer access in tcp_sockclosed),
> tp = tcp_close(tp) will free tp and set tp to NULL, then tcp_output(tp)
> access the null pointer(tp).
>
> This fixes:
> 384 break;
> 385 }
> CID 68914397: (NULL_RETURNS)
> 386. dereference: Dereferencing a pointer that might be "NULL" "tp" when calling "tcp_output".
> 386 tcp_output(tp);
> 387 }
>
> Reported-by: Euler Robot <euler.robot at huawei.com>
> Signed-off-by: PanNengyuan <pannengyuan at huawei.com>
Thanks
Applied, this is a regression from:
commit 804f441a9d6998a57040bf36685a17a6436b2ea8
Author: Steven Luo <steven+qemu at steven676.net>
Date: Wed Apr 6 22:04:21 2016 -0700
slirp: don't crash when tcp_sockclosed() is called with a NULL tp
Signed-off-by: Steven Luo <steven+qemu at steven676.net>
Reviewed-by: Edgar E. Iglesias <edgar.iglesias at xilinx.com>
Signed-off-by: Samuel Thibault <samuel.thibault at ens-lyon.org>
> ---
> src/tcp_subr.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/src/tcp_subr.c b/src/tcp_subr.c
> index 2e32cb6..662f768 100644
> --- a/src/tcp_subr.c
> +++ b/src/tcp_subr.c
> @@ -378,7 +378,7 @@ void tcp_sockclosed(struct tcpcb *tp)
> case TCPS_SYN_SENT:
> tp->t_state = TCPS_CLOSED;
> tp = tcp_close(tp);
> - break;
> + return;
>
> case TCPS_SYN_RECEIVED:
> case TCPS_ESTABLISHED:
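Review bot: with `break` replaced by `return` in the TCPS_SYN_SENT arm, the assignment in `tp = tcp_close(tp);` on the line above becomes dead, since the NULL that tcp_close() returns is never read before the function exits; `tcp_close(tp); return;` would state the intent more directly, ideally with a one-line comment that tcp_close() frees tp and that control therefore must not fall through to the `tcp_output(tp);` call after the switch (line 386 in the Coverity report quoted above). The change itself is correct for that arm: returning is the only way to keep the freed, now-NULL tp away from tcp_output().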
> --
> 2.7.2.windows.1
--
Marc-André Lureau