Overview

File CVE-2014-3640-qemut-slirp-NULL-pointer-deref-in-sosendto.patch of Package xen.openSUSE_Leap_42.3_Update

Subject: slirp: udp: fix NULL pointer dereference because of uninitialized socket
From: Petr Matousek pmatouse@redhat.com Thu Sep 18 08:35:37 2014 +0200
Date: Tue Sep 23 19:15:05 2014 +0100:
Git: 01f7cecf0037997cb0e58ec0d56bf9b5a6f7cb2a

When guest sends udp packet with source port and source addr 0,
uninitialized socket is picked up when looking for matching and already
created udp sockets, and later passed to sosendto() where NULL pointer
dereference is hit during so->slirp->vnetwork_mask.s_addr access.

Fix this by checking that the socket is not just a socket stub.

This is CVE-2014-3640.

Signed-off-by: Petr Matousek <pmatouse@redhat.com>
Reported-by: Xavier Mehrenberger <xavier.mehrenberger@airbus.com>
Reported-by: Stephane Duverger <stephane.duverger@eads.net>
Reviewed-by: Jan Kiszka <jan.kiszka@siemens.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Reviewed-by: Michael Tokarev <mjt@tls.msk.ru>
Message-id: 20140918063537.GX9321@dhcp-25-225.brq.redhat.com
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>

Index: xen-4.6.1-testing/tools/qemu-xen-traditional-dir-remote/slirp/udp.c
===================================================================
--- xen-4.6.1-testing.orig/tools/qemu-xen-traditional-dir-remote/slirp/udp.c
+++ xen-4.6.1-testing/tools/qemu-xen-traditional-dir-remote/slirp/udp.c
@@ -168,7 +168,7 @@ udp_input(m, iphlen)
 	 * Locate pcb for datagram.
 	 */
 	so = udp_last_so;
-	if (so->so_lport != uh->uh_sport ||
+	if (so == &slirp->udb || so->so_lport != uh->uh_sport ||
 	    so->so_laddr.s_addr != ip->ip_src.s_addr) {
 		struct socket *tmp;
openSUSE Build Service is sponsored by
Places