File CVE-2021-3592-qemut-slirp-bootp-1.patch of Package xen

Overview Repositories Revisions Requests Users Attributes Meta

File CVE-2021-3592-qemut-slirp-bootp-1.patch of Package xen

From f13cad45b25d92760bb0ad67bec0300a4d7d5275 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Marc-Andr=C3=A9=20Lureau?= <marcandre.lureau@redhat.com>
Date: Fri, 4 Jun 2021 19:25:28 +0400
Subject: [PATCH] bootp: limit vendor-specific area to input packet memory
 buffer
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

sizeof(bootp_t) currently holds DHCP_OPT_LEN. Remove this optional field
from the structure, to help with the following patch checking for
minimal header size. Modify the bootp_reply() function to take the
buffer boundaries and avoiding potential buffer overflow.

Related to CVE-2021-3592.

https://gitlab.freedesktop.org/slirp/libslirp/-/issues/44

Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
---
 src/bootp.c | 26 +++++++++++++++-----------
 src/bootp.h |  2 +-
 src/mbuf.c  |  5 +++++
 src/mbuf.h  |  1 +
 4 files changed, 22 insertions(+), 12 deletions(-)

Index: xen-4.9.4-testing/tools/qemu-xen-traditional-dir-remote/slirp/bootp.c
===================================================================
--- xen-4.9.4-testing.orig/tools/qemu-xen-traditional-dir-remote/slirp/bootp.c
+++ xen-4.9.4-testing/tools/qemu-xen-traditional-dir-remote/slirp/bootp.c
@@ -83,22 +83,23 @@ static BOOTPClient *find_addr(struct in_
     return bc;
 }
 
-static void dhcp_decode(const uint8_t *buf, int size,
+static void dhcp_decode(const uint8_t *buf,
+                        const uint8_t *bp_end,
+                        int size,
                         int *pmsg_type)
 {
-    const uint8_t *p, *p_end;
+    const uint8_t *p;
     int len, tag;
 
     *pmsg_type = 0;
 
     p = buf;
-    p_end = buf + size;
     if (size < 5)
         return;
     if (memcmp(p, rfc1533_cookie, 4) != 0)
         return;
     p += 4;
-    while (p < p_end) {
+    while (p < bp_end) {
         tag = p[0];
         if (tag == RFC1533_PAD) {
             p++;
@@ -106,10 +107,10 @@ static void dhcp_decode(const uint8_t *b
             break;
         } else {
             p++;
-            if (p >= p_end)
+            if (p >= bp_end)
                 break;
             len = *p++;
-            if (p + len > p_end) {
+            if (p + len > bp_end) {
                 break;
             }
             dprintf("dhcp: tag=0x%02x len=%d\n", tag, len);
@@ -127,7 +128,7 @@ static void dhcp_decode(const uint8_t *b
     }
 }
 
-static void bootp_reply(struct bootp_t *bp)
+static void bootp_reply(struct bootp_t *bp, const uint8_t *bp_end)
 {
     BOOTPClient *bc;
     struct mbuf *m;
@@ -139,7 +140,7 @@ static void bootp_reply(struct bootp_t *
     uint8_t *end;
 
     /* extract exact DHCP msg type */
-    dhcp_decode(bp->bp_vend, DHCP_OPT_LEN, &dhcp_msg_type);
+    dhcp_decode(bp->bp_vend, bp_end, DHCP_OPT_LEN, &dhcp_msg_type);
     dprintf("bootp packet op=%d msgtype=%d\n", bp->bp_op, dhcp_msg_type);
 
     if (dhcp_msg_type == 0)
@@ -154,9 +155,10 @@ static void bootp_reply(struct bootp_t *
     if ((m = m_get()) == NULL)
         return;
     m->m_data += IF_MAXLINKHDR;
+    m_inc(m, sizeof(struct bootp_t) + DHCP_OPT_LEN);
     rbp = (struct bootp_t *)m->m_data;
     m->m_data += sizeof(struct udpiphdr);
-    memset(rbp, 0, sizeof(struct bootp_t));
+    memset(rbp, 0, sizeof(struct bootp_t) + DHCP_OPT_LEN);
 
     if (dhcp_msg_type == DHCPDISCOVER) {
     new_addr:
@@ -198,7 +200,7 @@ static void bootp_reply(struct bootp_t *
     daddr.sin_addr.s_addr = 0xffffffffu;
 
     q = rbp->bp_vend;
-    end = (uint8_t *)&rbp[1];
+    end = rbp->bp_vend + DHCP_OPT_LEN;
     memcpy(q, rfc1533_cookie, 4);
     q += 4;
 
@@ -270,6 +272,6 @@ void bootp_input(struct mbuf *m)
     struct bootp_t *bp = mtod(m, struct bootp_t *);
 
     if (bp->bp_op == BOOTP_REQUEST) {
-        bootp_reply(bp);
+        bootp_reply(bp, m_end(m));
     }
 }
Index: xen-4.9.4-testing/tools/qemu-xen-traditional-dir-remote/slirp/bootp.h
===================================================================
--- xen-4.9.4-testing.orig/tools/qemu-xen-traditional-dir-remote/slirp/bootp.h
+++ xen-4.9.4-testing/tools/qemu-xen-traditional-dir-remote/slirp/bootp.h
@@ -107,7 +107,7 @@ struct bootp_t {
     uint8_t bp_hwaddr[16];
     uint8_t bp_sname[64];
     uint8_t bp_file[128];
-    uint8_t bp_vend[DHCP_OPT_LEN];
+    uint8_t bp_vend[];
 };
 
 void bootp_input(struct mbuf *m);
Index: xen-4.9.4-testing/tools/qemu-xen-traditional-dir-remote/slirp/mbuf.c
===================================================================
--- xen-4.9.4-testing.orig/tools/qemu-xen-traditional-dir-remote/slirp/mbuf.c
+++ xen-4.9.4-testing/tools/qemu-xen-traditional-dir-remote/slirp/mbuf.c
@@ -246,3 +246,8 @@ void *mtod_check(struct mbuf *m, size_t
 
     return NULL;
 }
+
+void *m_end(struct mbuf *m)
+{
+    return m->m_data + m->m_len;
+}
Index: xen-4.9.4-testing/tools/qemu-xen-traditional-dir-remote/slirp/mbuf.h
===================================================================
--- xen-4.9.4-testing.orig/tools/qemu-xen-traditional-dir-remote/slirp/mbuf.h
+++ xen-4.9.4-testing/tools/qemu-xen-traditional-dir-remote/slirp/mbuf.h
@@ -139,5 +139,6 @@ void m_adj _P((struct mbuf *, int));
 int m_copy _P((struct mbuf *, struct mbuf *, int, int));
 struct mbuf * dtom _P((void *));
 void *mtod_check(struct mbuf *, size_t len);
+void *m_end(struct mbuf *);
 
 #endif

Places

File CVE-2021-3592-qemut-slirp-bootp-1.patch of Package xen

Places