File 0062-Fix-heap-overflow-in-ip_reass-on-bi.patch of Package qemu.12238

From: Samuel Thibault <samuel.thibault@ens-lyon.org>
Date: Tue, 6 Aug 2019 18:16:07 -0400
Subject: Fix heap overflow in ip_reass on big packet input

When the first fragment does not fit in the preallocated buffer, q will
already be pointing to the ext buffer, so we mustn't try to update it.

Signed-off-by: Samuel Thibault <samuel.thibault@ens-lyon.org>
(cherry picked from commit 126c04acbabd7ad32c2b018fe10dfac2a3bc1210)
[LY: CVE-2019-14378 BSC#1143794]
Signed-off-by: Liang Yan <lyan@suse.com>
---
 slirp/ip_input.c | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/slirp/ip_input.c b/slirp/ip_input.c
index 348e1dca5a..8cb19b91a9 100644
--- a/slirp/ip_input.c
+++ b/slirp/ip_input.c
@@ -334,6 +334,8 @@ insert:
     q = fp->frag_link.next;
 	m = dtom(slirp, q);
 
+    int was_ext = m->m_flags & M_EXT;
+
 	q = (struct ipasfrag *) q->ipf_next;
 	while (q != (struct ipasfrag*)&fp->frag_link) {
 	  struct mbuf *t = dtom(slirp, q);
@@ -356,9 +358,9 @@ insert:
 	 * the old buffer (in the mbuf), so we must point ip
 	 * into the new buffer.
 	 */
-	if (m->m_flags & M_EXT) {
-	  int delta = (char *)q - m->m_dat;
-	  q = (struct ipasfrag *)(m->m_ext + delta);
+    if (!was_ext && m->m_flags & M_EXT) {
+        int delta = (char *)q - m->m_dat;
+        q = (struct ipasfrag *)(m->m_ext + delta);
 	}
 
     ip = fragtoip(q);