summaryrefslogtreecommitdiffstats
path: root/meta/recipes-devtools/qemu/qemu/slirp-CVE-2014-3640.patch
diff options
context:
space:
mode:
Diffstat (limited to 'meta/recipes-devtools/qemu/qemu/slirp-CVE-2014-3640.patch')
-rw-r--r--meta/recipes-devtools/qemu/qemu/slirp-CVE-2014-3640.patch48
1 files changed, 0 insertions, 48 deletions
diff --git a/meta/recipes-devtools/qemu/qemu/slirp-CVE-2014-3640.patch b/meta/recipes-devtools/qemu/qemu/slirp-CVE-2014-3640.patch
deleted file mode 100644
index a7ecf31c01..0000000000
--- a/meta/recipes-devtools/qemu/qemu/slirp-CVE-2014-3640.patch
+++ /dev/null
@@ -1,48 +0,0 @@
1From 9a72433843d912a45046959b1953861211d1838d Mon Sep 17 00:00:00 2001
2From: Petr Matousek <pmatouse@redhat.com>
3Date: Thu, 18 Sep 2014 08:35:37 +0200
4Subject: [PATCH] slirp: udp: fix NULL pointer dereference because of
5 uninitialized socket
6
7When guest sends udp packet with source port and source addr 0,
8uninitialized socket is picked up when looking for matching and already
9created udp sockets, and later passed to sosendto() where NULL pointer
10dereference is hit during so->slirp->vnetwork_mask.s_addr access.
11
12Fix this by checking that the socket is not just a socket stub.
13
14This is CVE-2014-3640.
15
16Upstream-Status: Backport
17
18Signed-off-by: Petr Matousek <pmatouse@redhat.com>
19Reported-by: Xavier Mehrenberger <xavier.mehrenberger@airbus.com>
20Reported-by: Stephane Duverger <stephane.duverger@eads.net>
21Reviewed-by: Jan Kiszka <jan.kiszka@siemens.com>
22Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
23Reviewed-by: Michael Tokarev <mjt@tls.msk.ru>
24Message-id: 20140918063537.GX9321@dhcp-25-225.brq.redhat.com
25Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
26(cherry picked from commit 01f7cecf0037997cb0e58ec0d56bf9b5a6f7cb2a)
27Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
28Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
29---
30 slirp/udp.c | 2 +-
31 1 file changed, 1 insertion(+), 1 deletion(-)
32
33diff --git a/slirp/udp.c b/slirp/udp.c
34index 8cc6cb6..f77e00f 100644
35--- a/slirp/udp.c
36+++ b/slirp/udp.c
37@@ -152,7 +152,7 @@ udp_input(register struct mbuf *m, int iphlen)
38 * Locate pcb for datagram.
39 */
40 so = slirp->udp_last_so;
41- if (so->so_lport != uh->uh_sport ||
42+ if (so == &slirp->udb || so->so_lport != uh->uh_sport ||
43 so->so_laddr.s_addr != ip->ip_src.s_addr) {
44 struct socket *tmp;
45
46--
471.9.1
48
generated by cgit v1.2.3-54-g00ecf (git 2.39.0) at 2024-04-27 03:40:12 +0000