File 0112-tcp_emu-Fix-oob-access.patch of Package qemu.14390

From: Samuel Thibault <samuel.thibault@ens-lyon.org>
Date: Wed, 8 Jan 2020 00:58:48 +0100
Subject: tcp_emu: Fix oob access

Git-commit: 2655fffed7a9e765bcb4701dd876e9dab975f289
References: bsc#1161066, CVE2020-7039, bsc#1161066, CVS-2020-7039

The main loop only checks for one available byte, while we sometimes
need two bytes.

Signed-off-by: Bruce Rogers <brogers@suse.com>
---
 slirp/tcp_subr.c | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/slirp/tcp_subr.c b/slirp/tcp_subr.c
index fedf3f08c8..624ec008ba 100644
--- a/slirp/tcp_subr.c
+++ b/slirp/tcp_subr.c
@@ -888,6 +888,9 @@ tcp_emu(struct socket *so, struct mbuf *m)
 				break;
 
 			 case 5:
+				if (bptr == m->m_data + m->m_len - 1)
+					return 1; /* We need two bytes */
+
 				/*
 				 * The difference between versions 1.0 and
 				 * 2.0 is here. For future versions of
@@ -903,6 +906,10 @@ tcp_emu(struct socket *so, struct mbuf *m)
 				/* This is the field containing the port
 				 * number that RA-player is listening to.
 				 */
+
+				if (bptr == m->m_data + m->m_len - 1)
+					return 1; /* We need two bytes */
+
 				lport = (((u_char*)bptr)[0] << 8)
 				+ ((u_char *)bptr)[1];
 				if (lport < 6970)