[Slirp] [Git][slirp/libslirp][master] 2 commits: slirp: check pkt_len before reading protocol header

Samuel Thibault gitlab at gitlab.freedesktop.org
Fri Nov 27 15:58:20 UTC 2020



Samuel Thibault pushed to branch master at slirp / libslirp


Commits:
2e1dcbc0 by Prasad J Pandit at 2020-11-27T19:35:04+04:00
slirp: check pkt_len before reading protocol header

While processing ARP/NCSI packets in 'arp_input' or 'ncsi_input'
routines, ensure that pkt_len is large enough to accommodate the
respective protocol headers, lest it should do an OOB access.
Add check to avoid it.

CVE-2020-29129 CVE-2020-29130
  QEMU: slirp: out-of-bounds access while processing ARP/NCSI packets
 -> https://www.openwall.com/lists/oss-security/2020/11/27/1

Reported-by: Qiuhao Li <Qiuhao.Li at outlook.com>
Signed-off-by: Prasad J Pandit <pjp at fedoraproject.org>
Message-Id: <20201126135706.273950-1-ppandit at redhat.com>
Reviewed-by: Marc-André Lureau <marcandre.lureau at redhat.com>

- - - - -
65a22886 by Samuel Thibault at 2020-11-27T15:58:18+00:00
Merge branch 'CVE-2020-29129' into 'master'

slirp: check pkt_len before reading protocol header

See merge request slirp/libslirp!57
- - - - -


2 changed files:

- src/ncsi.c
- src/slirp.c


Changes:

=====================================
src/ncsi.c
=====================================
@@ -148,6 +148,10 @@ void ncsi_input(Slirp *slirp, const uint8_t *pkt, int pkt_len)
     uint32_t checksum;
     uint32_t *pchecksum;
 
+    if (pkt_len < ETH_HLEN + sizeof(struct ncsi_pkt_hdr)) {
+        return; /* packet too short */
+    }
+
     memset(ncsi_reply, 0, sizeof(ncsi_reply));
 
     memset(reh->h_dest, 0xff, ETH_ALEN);
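Review bot: The comparison in the added `if (pkt_len < ETH_HLEN + sizeof(struct ncsi_pkt_hdr))` mixes the signed `int pkt_len` from the function signature with a `size_t` operand. `pkt_len` is therefore converted to unsigned before the test, and a negative length would compare as a very large value and pass the check. If callers can ever hand in a negative or error-valued length, reject it explicitly first, for example `if (pkt_len < 0 || (size_t)pkt_len < ETH_HLEN + sizeof(struct ncsi_pkt_hdr))`, or change the parameter to `size_t`. The comment `/* packet too short */` could also say which header the minimum covers, since this guards only the fixed NC-SI header and not any command-specific payload read later.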


=====================================
src/slirp.c
=====================================
@@ -860,6 +860,10 @@ static void arp_input(Slirp *slirp, const uint8_t *pkt, int pkt_len)
         return;
     }
 
+    if (pkt_len < ETH_HLEN + sizeof(struct slirp_arphdr)) {
+        return; /* packet too short */
+    }
+
     ar_op = ntohs(ah->ar_op);
     switch (ar_op) {
     case ARPOP_REQUEST:
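Review bot: The length check in `arp_input` is placed below an existing early-return block (the `return; }` context lines at the top of the hunk) rather than at the start of the function. Please confirm that nothing in that earlier condition, or anywhere else above this point, dereferences `ah`. If it does, the test has to move ahead of it, since the first read the hunk shows is `ar_op = ntohs(ah->ar_op);` directly after the check. Placing the check immediately after the declarations, as the `ncsi_input` hunk appears to do, would make the ordering obvious to later readers and keep the two fixes consistent.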



View it on GitLab: https://gitlab.freedesktop.org/slirp/libslirp/-/compare/55e83caf7d7a49256ff38c849360d5b34aa8b546...65a228860cea416477aa5887f1e3601f607baf00


