File 0125-Fix-use-afte-free-in-ip_reass-CVE-2.patch of Package qemu.20748

From: =?UTF-8?q?Marc-Andr=C3=A9=20Lureau?= <marcandre.lureau@redhat.com>
Date: Sat, 4 Apr 2020 22:42:13 +0200
Subject: Fix use-afte-free in ip_reass() (CVE-2020-1983)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Git-commit: 2faae0f778f818fadc873308f983289df697eb93
References: bsc#1170940, CVE-2020-1983

The q pointer is updated when the mbuf data is moved from m_dat to
m_ext.

m_ext buffer may also be realloc()'ed and moved during m_cat():
q should also be updated in this case.

Reported-by: Aviv Sasson <asasson@paloaltonetworks.com>
Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Reviewed-by: Samuel Thibault <samuel.thibault@ens-lyon.org>
(cherry picked from commit 9bd6c5913271eabcb7768a58197ed3301fe19f2d)
Signed-off-by: Bruce Rogers <brogers@suse.com>
---
 slirp/ip_input.c | 6 ++----
 1 file changed, 2 insertions(+), 4 deletions(-)

diff --git a/slirp/ip_input.c b/slirp/ip_input.c
index 01b3f9d4e0eeea95aed6eddcbc73..a29ad3bf317c68d7db53793ead1d 100644
--- a/slirp/ip_input.c
+++ b/slirp/ip_input.c
@@ -335,8 +335,7 @@ insert:
 	 */
     q = fp->frag_link.next;
 	m = dtom(slirp, q);
-
-	int was_ext = m->m_flags & M_EXT;
+        int delta = (char *)q - (m->m_flags & M_EXT ? m->m_ext : m->m_dat);
 
 	q = (struct ipasfrag *) q->ipf_next;
 	while (q != (struct ipasfrag*)&fp->frag_link) {
@@ -359,8 +358,7 @@ insert:
 	 * then an m_ext buffer was alloced. But fp->ipq_next points to the old
 	 * buffer (in the mbuf), so we must point ip into the new buffer.
 	 */
-	if (!was_ext && m->m_flags & M_EXT) {
-	  int delta = (char *)q - m->m_dat;
+          if (m->m_flags & M_EXT) {
 	  q = (struct ipasfrag *)(m->m_ext + delta);
 	}