[Slirp] [Git][slirp/libslirp][stable-4.2] 2 commits: slirp: check pkt_len before reading protocol header

Marc-André Lureau gitlab at gitlab.freedesktop.org
Fri Nov 27 16:47:17 UTC 2020



Marc-André Lureau pushed to branch stable-4.2 at slirp / libslirp


Commits:
69b0d718 by Prasad J Pandit at 2020-11-27T20:42:31+04:00
slirp: check pkt_len before reading protocol header

While processing ARP/NCSI packets in 'arp_input' or 'ncsi_input'
routines, ensure that pkt_len is large enough to accommodate the
respective protocol headers, lest it should do an OOB access.
Add check to avoid it.

CVE-2020-29129 CVE-2020-29130
  QEMU: slirp: out-of-bounds access while processing ARP/NCSI packets
 -> https://www.openwall.com/lists/oss-security/2020/11/27/1

Reported-by: Qiuhao Li <Qiuhao.Li at outlook.com>
Signed-off-by: Prasad J Pandit <pjp at fedoraproject.org>
Message-Id: <20201126135706.273950-1-ppandit at redhat.com>
Reviewed-by: Marc-André Lureau <marcandre.lureau at redhat.com>

- - - - -
8f43a991 by Marc-André Lureau at 2020-11-27T16:47:13+00:00
Merge branch 'stable-4.2' into 'stable-4.2'

stable-4.2: Fix CVE-2020-29129, CVE-2020-29130

See merge request slirp/libslirp!58
- - - - -


2 changed files:

- src/ncsi.c
- src/slirp.c


Changes:

=====================================
src/ncsi.c
=====================================
@@ -148,6 +148,10 @@ void ncsi_input(Slirp *slirp, const uint8_t *pkt, int pkt_len)
     uint32_t checksum;
     uint32_t *pchecksum;
 
+    if (pkt_len < ETH_HLEN + sizeof(struct ncsi_pkt_hdr)) {
+        return; /* packet too short */
+    }
+
     memset(ncsi_reply, 0, sizeof(ncsi_reply));
 
     memset(reh->h_dest, 0xff, ETH_ALEN);
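Review bot: The comparison added at the top of ncsi_input mixes a signed and an unsigned operand: `pkt_len` is declared `int` in the signature, while `ETH_HLEN + sizeof(struct ncsi_pkt_hdr)` has type `size_t`. `pkt_len` is therefore converted to unsigned before the compare, and a negative value would be treated as very large and pass the check. If callers can never pass a negative length, a short comment saying so would help. Otherwise reject `pkt_len < 0` explicitly or cast the right-hand side to `int`. The check also covers only the fixed `struct ncsi_pkt_hdr`, so any later read of a type-specific payload or trailing checksum needs its own length validation.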


=====================================
src/slirp.c
=====================================
@@ -756,6 +756,10 @@ static void arp_input(Slirp *slirp, const uint8_t *pkt, int pkt_len)
         return;
     }
 
+    if (pkt_len < ETH_HLEN + sizeof(struct slirp_arphdr)) {
+        return; /* packet too short */
+    }
+
     ar_op = ntohs(ah->ar_op);
     switch (ar_op) {
     case ARPOP_REQUEST:
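Review bot: The length check in arp_input is placed below an existing early return (the `return; }` context lines just above it), so it only guards the `ntohs(ah->ar_op)` read and the code after it. If the condition for that earlier return reads any field of the packet, the check should move above it, ideally to the first statement of the function. As in ncsi_input, `pkt_len` is `int` and the right-hand side is `size_t`, so a negative length would not be rejected by this comparison. Since the same test now appears in two input routines, a small shared helper taking the required header size would keep the two in step.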



View it on GitLab: https://gitlab.freedesktop.org/slirp/libslirp/-/compare/ce94eba2042d52a0ba3d9e252ebce86715e94275...8f43a99191afb47ca3f3c6972f6306209f367ece
