File CVE-2019-6778-qemut-A-heap-buffer-overflow-in-t... of Package xen

Overview Repositories Revisions Requests Users Attributes Meta

File CVE-2019-6778-qemut-A-heap-buffer-overflow-in-tcp_emu-found-in-slirp.patch of Package xen (Revision d52ab9fb5315180828e9e6153fd9632d)

Currently displaying revision d52ab9fb5315180828e9e6153fd9632d , Show latest

References: bsc#1123157 CVE-2019-6778

While emulating identification protocol, tcp_emu() does not check
available space in the 'sc_rcv->sb_data' buffer. It could lead to
heap buffer overflow issue. Add check to avoid it.

Reported-by: Kira <address@hidden>
Signed-off-by: Prasad J Pandit <address@hidden>
Signed-off-by: Samuel Thibault <address@hidden>
---
 slirp/tcp_subr.c | 5 +++++
 1 file changed, 5 insertions(+)

Index: xen-4.9.3-testing/tools/qemu-xen-traditional-dir-remote/slirp/tcp_subr.c
===================================================================
--- xen-4.9.3-testing.orig/tools/qemu-xen-traditional-dir-remote/slirp/tcp_subr.c
+++ xen-4.9.3-testing/tools/qemu-xen-traditional-dir-remote/slirp/tcp_subr.c
@@ -648,6 +648,11 @@ tcp_emu(so, m)
 			socklen_t addrlen = sizeof(struct sockaddr_in);
 			struct sbuf *so_rcv = &so->so_rcv;
 
+			if (m->m_len > so_rcv->sb_datalen
+					- (so_rcv->sb_wptr - so_rcv->sb_data)) {
+			    return 1;
+			}
+
 			memcpy(so_rcv->sb_wptr, m->m_data, m->m_len);
 			so_rcv->sb_wptr += m->m_len;
 			so_rcv->sb_rptr += m->m_len;

Places

File CVE-2019-6778-qemut-A-heap-buffer-overflow-in-tcp_emu-found-in-slirp.patch of Package xen (Revision d52ab9fb5315180828e9e6153fd9632d)

Places