Commit 28c1dde9 authored by Michael Roth's avatar Michael Roth

slirp: Fix heap overflow in ip_reass on big packet input



When the first fragment does not fit in the preallocated buffer, q will
already be pointing to the ext buffer, so we mustn't try to update it.

Signed-off-by: default avatarSamuel Thibault <samuel.thibault@ens-lyon.org>
(from libslirp.git commit 126c04acbabd7ad32c2b018fe10dfac2a3bc1210)
(from libslirp.git commit e0be80430c390bce181ea04dfcdd6ea3dfa97de1)
*squash in e0be80 (clarifying comments)
Signed-off-by: default avatarMichael Roth <mdroth@linux.vnet.ibm.com>
parent ab630a06
+7 −6
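--- a/slirp/ip_input.c
+++ b/slirp/ip_input.c
@@ -334,6 +334,8 @@ insert:
     q = fp->frag_link.next;
 	m = dtom(slirp, q);
 
+	int was_ext = m->m_flags & M_EXT;
+
 	q = (struct ipasfrag *) q->ipf_next;
 	while (q != (struct ipasfrag*)&fp->frag_link) {
 	  struct mbuf *t = dtom(slirp, q);
@@ -350,13 +352,12 @@ insert:
 	q = fp->frag_link.next;
 
 	/*
-	 * If the fragments concatenated to an mbuf that's
-	 * bigger than the total size of the fragment, then and
-	 * m_ext buffer was alloced. But fp->ipq_next points to
-	 * the old buffer (in the mbuf), so we must point ip
-	 * into the new buffer.
+	 * If the fragments concatenated to an mbuf that's bigger than the total
+	 * size of the fragment and the mbuf was not already using an m_ext buffer,
+	 * then an m_ext buffer was alloced. But fp->ipq_next points to the old
+	 * buffer (in the mbuf), so we must point ip into the new buffer.
 	 */
-	if (m->m_flags & M_EXT) {
+	if (!was_ext && m->m_flags & M_EXT) {
 	  int delta = (char *)q - m->m_dat;
 	  q = (struct ipasfrag *)(m->m_ext + delta);
 	}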
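Review bot: The new condition `if (!was_ext && m->m_flags & M_EXT)` skips re-pointing q whenever the first mbuf already had an m_ext buffer, which is only safe if the concatenation loop between the two hunks (m_cat, not visible here) never relocates an existing ext buffer; if it can grow that buffer by reallocating it, q — re-read from fp->frag_link.next, which still points into the old buffer — would be stale and the fragment walk that follows would touch freed memory. Whether m_cat can move an existing m_ext buffer is not visible in this change, so either confirm it cannot or record the assumption next to the check, e.g. `/* assumes m_cat never relocates an existing m_ext buffer, so q stays valid */`. Separately, `&` binds tighter than `&&` so the expression is correct as written, but `if (!was_ext && (m->m_flags & M_EXT))` reads unambiguously and avoids -Wparentheses noise. ip_reass begins and ends outside both hunks.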