Overview

File CVE-2021-3592-qemut-slirp-bootp-2.patch of Package xen.26348

From 2eca0838eee1da96204545e22cdaed860d9d7c6c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Marc-Andr=C3=A9=20Lureau?= <marcandre.lureau@redhat.com>
Date: Fri, 4 Jun 2021 16:15:14 +0400
Subject: [PATCH] bootp: check bootp_input buffer size
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Fixes: CVE-2021-3592
Fixes: https://gitlab.freedesktop.org/slirp/libslirp/-/issues/44

Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
---
 src/bootp.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

Index: xen-4.7.6-testing/tools/qemu-xen-traditional-dir-remote/slirp/bootp.c
===================================================================
--- xen-4.7.6-testing.orig/tools/qemu-xen-traditional-dir-remote/slirp/bootp.c
+++ xen-4.7.6-testing/tools/qemu-xen-traditional-dir-remote/slirp/bootp.c
@@ -269,9 +269,9 @@ static void bootp_reply(struct bootp_t *
 
 void bootp_input(struct mbuf *m)
 {
-    struct bootp_t *bp = mtod(m, struct bootp_t *);
+    struct bootp_t *bp = mtod_check(m, sizeof(struct bootp_t));
 
-    if (bp->bp_op == BOOTP_REQUEST) {
+    if (bp && bp->bp_op == BOOTP_REQUEST) {
         bootp_reply(bp, m_end(m));
     }
 }
openSUSE Build Service is sponsored by
Places