File CVE-2019-14378-qemut-heap-buffer-overflow-during-packet-reassembly-in-slirp.patch of Package xen.23721

References: bsc#1143797, CVE-2019-14378

Index: xen-4.7.6-testing/tools/qemu-xen-traditional-dir-remote/slirp/ip_input.c
===================================================================
--- xen-4.7.6-testing.orig/tools/qemu-xen-traditional-dir-remote/slirp/ip_input.c
+++ xen-4.7.6-testing/tools/qemu-xen-traditional-dir-remote/slirp/ip_input.c
@@ -369,6 +369,8 @@ insert:
     q = fp->frag_link.next;
 	m = dtom(q);
 
+	int was_ext = m->m_flags & M_EXT;
+
 	q = (struct ipasfrag *) q->ipf_next;
 	while (q != (struct ipasfrag*)&fp->frag_link) {
 	  struct mbuf *t = dtom(q);
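Review bot: The new `was_ext` local at the top of this hunk has no comment, so a reader cannot tell why the flag must be sampled here rather than tested later. I would add `/* Record whether m already had an external buffer before the fragments are concatenated; the pointer fix-up further down depends on it. */` above the declaration. The declaration also follows two statements; if the rest of this file keeps declarations at the top of the block, declaring `int was_ext;` there and assigning it after `m = dtom(q);` would match. The enclosing function starts and ends outside the hunk.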
@@ -391,7 +393,7 @@ insert:
 	 * the old buffer (in the mbuf), so we must point ip
 	 * into the new buffer.
 	 */
-	if (m->m_flags & M_EXT) {
+	if (!was_ext && m->m_flags & M_EXT) {
 	  int delta = (char *)q - m->m_dat;
 	  q = (struct ipasfrag *)(m->m_ext + delta);
 	}
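Review bot: With the new `!was_ext` condition, q is left unchanged whenever m already carried an external buffer, and nothing visible here shows that this buffer keeps its address while fragments are appended. If the concatenation path can reallocate an existing `m_ext` (not visible in this hunk, so worth checking), q would still refer to the old allocation; recording q's offset from the active buffer before the loop and re-deriving q from `m->m_ext` afterwards would cover both cases. Separately, `if (!was_ext && (m->m_flags & M_EXT)) {` makes the intended precedence explicit, and the comment above the test should say that the fix-up applies only when the external buffer was newly allocated. The function body continues outside the hunk.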