File libslirp-CVE-2021-3592.patch of Package libslirp.23007

Overview Repositories Revisions Requests Users Attributes Meta

File libslirp-CVE-2021-3592.patch of Package libslirp.23007

Index: libslirp-4.3.1/src/mbuf.c
===================================================================
--- libslirp-4.3.1.orig/src/mbuf.c	2020-07-08 13:48:02.000000000 +0200
+++ libslirp-4.3.1/src/mbuf.c	2022-02-23 09:41:22.785542791 +0100
@@ -222,3 +222,19 @@ struct mbuf *dtom(Slirp *slirp, void *da
 
     return (struct mbuf *)0;
 }
+
+void *mtod_check(struct mbuf *m, size_t len)
+{
+    if (m->m_len >= len) {
+        return m->m_data;
+    }
+
+    DEBUG_ERROR("mtod failed");
+
+    return NULL;
+}
+
+void *m_end(struct mbuf *m)
+{
+    return m->m_data + m->m_len;
+}
Index: libslirp-4.3.1/src/mbuf.h
===================================================================
--- libslirp-4.3.1.orig/src/mbuf.h	2020-07-08 13:48:02.000000000 +0200
+++ libslirp-4.3.1/src/mbuf.h	2022-02-23 09:41:22.785542791 +0100
@@ -118,6 +118,8 @@ void m_inc(struct mbuf *, int);
 void m_adj(struct mbuf *, int);
 int m_copy(struct mbuf *, struct mbuf *, int, int);
 struct mbuf *dtom(Slirp *, void *);
+void *mtod_check(struct mbuf *, size_t len);
+void *m_end(struct mbuf *);
 
 static inline void ifs_init(struct mbuf *ifm)
 {
Index: libslirp-4.3.1/src/bootp.c
===================================================================
--- libslirp-4.3.1.orig/src/bootp.c	2020-07-08 13:48:02.000000000 +0200
+++ libslirp-4.3.1/src/bootp.c	2022-02-23 09:41:22.785542791 +0100
@@ -92,21 +92,22 @@ found:
     return bc;
 }
 
-static void dhcp_decode(const struct bootp_t *bp, int *pmsg_type,
+static void dhcp_decode(const struct bootp_t *bp,
+                        const uint8_t *bp_end,
+                        int *pmsg_type,
                         struct in_addr *preq_addr)
 {
-    const uint8_t *p, *p_end;
+    const uint8_t *p;
     int len, tag;
 
     *pmsg_type = 0;
     preq_addr->s_addr = htonl(0L);
 
     p = bp->bp_vend;
-    p_end = p + DHCP_OPT_LEN;
     if (memcmp(p, rfc1533_cookie, 4) != 0)
         return;
     p += 4;
-    while (p < p_end) {
+    while (p < bp_end) {
         tag = p[0];
         if (tag == RFC1533_PAD) {
             p++;
@@ -114,10 +115,10 @@ static void dhcp_decode(const struct boo
             break;
         } else {
             p++;
-            if (p >= p_end)
+            if (p >= bp_end)
                 break;
             len = *p++;
-            if (p + len > p_end) {
+            if (p + len > bp_end) {
                 break;
             }
             DPRINTF("dhcp: tag=%d len=%d\n", tag, len);
@@ -144,7 +145,9 @@ static void dhcp_decode(const struct boo
     }
 }
 
-static void bootp_reply(Slirp *slirp, const struct bootp_t *bp)
+static void bootp_reply(Slirp *slirp,
+                        const struct bootp_t *bp,
+                        const uint8_t *bp_end)
 {
     BOOTPClient *bc = NULL;
     struct mbuf *m;
@@ -157,7 +160,7 @@ static void bootp_reply(Slirp *slirp, co
     uint8_t client_ethaddr[ETH_ALEN];
 
     /* extract exact DHCP msg type */
-    dhcp_decode(bp, &dhcp_msg_type, &preq_addr);
+    dhcp_decode(bp, bp_end, &dhcp_msg_type, &preq_addr);
     DPRINTF("bootp packet op=%d msgtype=%d", bp->bp_op, dhcp_msg_type);
     if (preq_addr.s_addr != htonl(0L))
         DPRINTF(" req_addr=%08" PRIx32 "\n", ntohl(preq_addr.s_addr));
@@ -179,9 +182,10 @@ static void bootp_reply(Slirp *slirp, co
         return;
     }
     m->m_data += IF_MAXLINKHDR;
+    m_inc(m, sizeof(struct bootp_t) + DHCP_OPT_LEN);
     rbp = (struct bootp_t *)m->m_data;
     m->m_data += sizeof(struct udpiphdr);
-    memset(rbp, 0, sizeof(struct bootp_t));
+    memset(rbp, 0, sizeof(struct bootp_t) + DHCP_OPT_LEN);
 
     if (dhcp_msg_type == DHCPDISCOVER) {
         if (preq_addr.s_addr != htonl(0L)) {
@@ -235,7 +239,7 @@ static void bootp_reply(Slirp *slirp, co
     rbp->bp_siaddr = saddr.sin_addr; /* Server IP address */
 
     q = rbp->bp_vend;
-    end = (uint8_t *)&rbp[1];
+    end = rbp->bp_vend + DHCP_OPT_LEN;
     memcpy(q, rfc1533_cookie, 4);
     q += 4;
 
@@ -361,9 +365,9 @@ static void bootp_reply(Slirp *slirp, co
 
 void bootp_input(struct mbuf *m)
 {
-    struct bootp_t *bp = mtod(m, struct bootp_t *);
+    struct bootp_t *bp = mtod_check(m, sizeof(struct bootp_t));
 
-    if (bp->bp_op == BOOTP_REQUEST) {
-        bootp_reply(m->slirp, bp);
+    if (bp && bp->bp_op == BOOTP_REQUEST) {
+        bootp_reply(m->slirp, bp, m_end(m));
     }
 }
Index: libslirp-4.3.1/src/bootp.h
===================================================================
--- libslirp-4.3.1.orig/src/bootp.h	2020-07-08 13:48:02.000000000 +0200
+++ libslirp-4.3.1/src/bootp.h	2022-02-23 09:41:22.785542791 +0100
@@ -114,7 +114,7 @@ struct bootp_t {
     uint8_t bp_hwaddr[16];
     uint8_t bp_sname[64];
     char bp_file[128];
-    uint8_t bp_vend[DHCP_OPT_LEN];
+    uint8_t bp_vend[];
 };
 
 typedef struct {

Places

File libslirp-CVE-2021-3592.patch of Package libslirp.23007

Places