File CVE-2021-3595-qemut-slirp-tcp.patch of Package xen

From 3f17948137155f025f7809fdc38576d5d2451c3d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Marc-Andr=C3=A9=20Lureau?= <marcandre.lureau@redhat.com>
Date: Fri, 4 Jun 2021 16:34:30 +0400
Subject: [PATCH] tftp: check tftp_input buffer size
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Fixes: CVE-2021-3595
Fixes: https://gitlab.freedesktop.org/slirp/libslirp/-/issues/46

Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
---
 src/tftp.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

Index: xen-4.9.4-testing/tools/qemu-xen-traditional-dir-remote/slirp/tftp.c
===================================================================
--- xen-4.9.4-testing.orig/tools/qemu-xen-traditional-dir-remote/slirp/tftp.c
+++ xen-4.9.4-testing/tools/qemu-xen-traditional-dir-remote/slirp/tftp.c
@@ -415,7 +415,11 @@ static void tftp_handle_ack(struct tftp_
 
 void tftp_input(struct mbuf *m)
 {
-  struct tftp_t *tp = (struct tftp_t *)m->m_data;
+  struct tftp_t *tp = mtod_check(m, offsetof(struct tftp_t, x.tp_buf));
+
+  if (tp == NULL) {
+    return;
+  }
 
   switch(ntohs(tp->tp_op)) {
   case TFTP_RRQ:
Places

File CVE-2021-3595-qemut-slirp-tcp.patch of Package xen

Places
