Overview

File CVE-2021-3594-qemut-slirp-udp.patch of Package xen.23721

From 74572be49247c8c5feae7c6e0b50c4f569ca9824 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Marc-Andr=C3=A9=20Lureau?= <marcandre.lureau@redhat.com>
Date: Fri, 4 Jun 2021 16:40:23 +0400
Subject: [PATCH] udp: check upd_input buffer size
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Fixes: CVE-2021-3594
Fixes: https://gitlab.freedesktop.org/slirp/libslirp/-/issues/47

Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
---
 src/udp.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

Index: xen-4.7.6-testing/tools/qemu-xen-traditional-dir-remote/slirp/udp.c
===================================================================
--- xen-4.7.6-testing.orig/tools/qemu-xen-traditional-dir-remote/slirp/udp.c
+++ xen-4.7.6-testing/tools/qemu-xen-traditional-dir-remote/slirp/udp.c
@@ -103,7 +103,10 @@ udp_input(m, iphlen)
 	/*
 	 * Get IP and UDP header together in first mbuf.
 	 */
-	ip = mtod(m, struct ip *);
+	ip = mtod_check(m, iphlen + sizeof(struct udphdr));
+	if (ip == NULL) {
+		goto bad;
+	}
 	uh = (struct udphdr *)((caddr_t)ip + iphlen);
 
 	/*
openSUSE Build Service is sponsored by
Places