File CVE-2019-14378-qemuu-heap-buffer-overflow-during-packet-reassembly-in-slirp.patch of Package xen.14030
References: bsc#1143797, CVE-2019-14378
Index: xen-4.5.5-testing/tools/qemu-xen-dir-remote/slirp/ip_input.c
===================================================================
--- xen-4.5.5-testing.orig/tools/qemu-xen-dir-remote/slirp/ip_input.c
+++ xen-4.5.5-testing/tools/qemu-xen-dir-remote/slirp/ip_input.c
@@ -330,6 +330,8 @@ insert:
q = fp->frag_link.next;
m = dtom(slirp, q);
+ int was_ext = m->m_flags & M_EXT;
+
q = (struct ipasfrag *) q->ipf_next;
while (q != (struct ipasfrag*)&fp->frag_link) {
struct mbuf *t = dtom(slirp, q);
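Review bot: The new `int was_ext = m->m_flags & M_EXT;` line carries no comment explaining why the flag has to be snapshotted before the concatenation loop, and the reason is not recoverable from this hunk alone: the later re-pointing of `q` is only valid when `q` was derived from `m_dat`, i.e. when the head mbuf was still inline when the loop started. Suggest putting `/* Snapshot before the loop: m_cat() may move the head mbuf's payload into m_ext, and q is only relative to m_dat if it was not external already. */` above it. If `<stdbool.h>` is in scope for this file, `bool was_ext = (m->m_flags & M_EXT) != 0;` also states the intent better than an int holding the raw flag bit. The enclosing ip_reass function starts and ends outside this hunk.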
@@ -352,7 +354,7 @@ insert:
* the old buffer (in the mbuf), so we must point ip
* into the new buffer.
*/
- if (m->m_flags & M_EXT) {
+ if (!was_ext && m->m_flags & M_EXT) {
int delta = (char *)q - m->m_dat;
q = (struct ipasfrag *)(m->m_ext + delta);
}
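Review bot: The corrected test `if (!was_ext && m->m_flags & M_EXT)` only repairs `q` for the inline-to-external transition; when the head mbuf was already `M_EXT` before the loop, nothing is recomputed, so if the concatenation done in the loop can grow and therefore move an existing external buffer, whatever `q` holds here was still computed against the pre-loop allocation. Whether the concatenation helper can reallocate `m_ext` is not visible in this hunk and should be confirmed against m_cat()/m_inc(); if it can, the robust shape is to re-derive the fragment pointer from the new buffer unconditionally rather than patching it only in the `!was_ext` case. Separately, the mixed `&&`/`&` is correct by precedence but is easier to audit as `if (!was_ext && (m->m_flags & M_EXT)) {`. The enclosing function continues beyond both ends of this hunk.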