Commit 9efdbc02 authored by Michael Roth's avatar Michael Roth
Browse files

slrip: ip_reass: Fix use after free 



Using ip_deq after m_free might read pointers from an allocation reuse.

This would be difficult to exploit, but that is still related with
CVE-2019-14378 which generates fragmented IP packets that would trigger this
issue and at least produce a DoS.

Signed-off-by: default avatarSamuel Thibault <samuel.thibault@ens-lyon.org>
(from libslirp.git commit c59279437eda91841b9d26079c70b8a540d41204)
Signed-off-by: default avatarMichael Roth <mdroth@linux.vnet.ibm.com>
parent 28c1dde9

slirp/ip_input.c

+4 −2
Original line number Diff line number Diff line
@@ -300,6 +300,7 @@ ip_reass(Slirp *slirp, struct ip *ip, struct ipq *fp) 
	 */

	while (q != (struct ipasfrag*)&fp->frag_link &&

            ip->ip_off + ip->ip_len > q->ipf_off) {

		struct ipasfrag *prev;

		i = (ip->ip_off + ip->ip_len) - q->ipf_off;

		if (i < q->ipf_len) {

			q->ipf_len -= i;
@@ -307,9 +308,10 @@ ip_reass(Slirp *slirp, struct ip *ip, struct ipq *fp) 
			m_adj(dtom(slirp, q), i);

			break;

		}

		prev = q;

		q = q->ipf_next;

		m_free(dtom(slirp, q->ipf_prev));

		ip_deq(q->ipf_prev);

		ip_deq(prev);

		m_free(dtom(slirp, prev));

	}



insert: