File 0218-libslirp-Add-mtod_check.patch of Package qemu-linux-user.28156
From: Jose R Ziviani <jose.ziviani@suse.com>
Date: Tue, 6 Jul 2021 16:54:19 -0600
Subject: libslirp: Add mtod_check()
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Git-commit: 93e645e72a056ec0b2c16e0299fc5c6b94e4ca17
References: bsc#1187364, CVE-2021-3592
bsc#1187367, CVE-2021-3594
Recent security issues demonstrate the lack of safety care when casting
a mbuf to a particular structure type. At least, it should check that
the buffer is large enough. The following patches will make use of this
function.
Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Signed-off-by: Jose R Ziviani <jose.ziviani@suse.com>
---
slirp/mbuf.c | 11 +++++++++++
slirp/mbuf.h | 1 +
2 files changed, 12 insertions(+)
diff --git a/slirp/mbuf.c b/slirp/mbuf.c
index aa1f28afb180c1877dde8be64a98..0f1eb015de568029b420de650bfb 100644
--- a/slirp/mbuf.c
+++ b/slirp/mbuf.c
@@ -236,3 +236,14 @@ dtom(Slirp *slirp, void *dat)
return (struct mbuf *)0;
}
+
+void *mtod_check(struct mbuf *m, size_t len)
+{
+ if (m->m_len >= len) {
+ return m->m_data;
+ }
+
+ DEBUG_ERROR("mtod failed");
+
+ return NULL;
+}
diff --git a/slirp/mbuf.h b/slirp/mbuf.h
index bfdf8c4577a9ccbe574f45482da8..bd76059e5a6d8a073a09faab0352 100644
--- a/slirp/mbuf.h
+++ b/slirp/mbuf.h
@@ -118,6 +118,7 @@ void m_inc(struct mbuf *, int);
void m_adj(struct mbuf *, int);
int m_copy(struct mbuf *, struct mbuf *, int, int);
struct mbuf * dtom(Slirp *, void *);
+void *mtod_check(struct mbuf *, size_t len);
static inline void ifs_init(struct mbuf *ifm)
{