Fix CVE-2018-11806: https://lists.gnu.org/archive/html/qemu-devel/2018-06/msg01012.html https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11806 Patch copied from upstream source repository: https://git.qemu.org/?p=qemu.git;a=commitdiff;h=864036e251f54c99d31df124aad7f34f01f5344c From 864036e251f54c99d31df124aad7f34f01f5344c Mon Sep 17 00:00:00 2001 From: Prasad J Pandit Date: Tue, 5 Jun 2018 23:38:35 +0530 Subject: [PATCH] slirp: correct size computation while concatenating mbuf While reassembling incoming fragmented datagrams, 'm_cat' routine extends the 'mbuf' buffer, if it has insufficient room. It computes a wrong buffer size, which leads to overwriting adjacent heap buffer area. Correct this size computation in m_cat. Reported-by: ZDI Disclosures Signed-off-by: Prasad J Pandit Signed-off-by: Samuel Thibault --- slirp/mbuf.c | 11 +++++------ slirp/mbuf.h | 8 +++----- 2 files changed, 8 insertions(+), 11 deletions(-) diff --git a/slirp/mbuf.c b/slirp/mbuf.c index 5ff24559fd..18cbf759a7 100644 --- a/slirp/mbuf.c +++ b/slirp/mbuf.c @@ -138,7 +138,7 @@ m_cat(struct mbuf *m, struct mbuf *n) * If there's no room, realloc */ if (M_FREEROOM(m) < n->m_len) - m_inc(m,m->m_size+MINCSIZE); + m_inc(m, m->m_len + n->m_len); memcpy(m->m_data+m->m_len, n->m_data, n->m_len); m->m_len += n->m_len; @@ -147,7 +147,7 @@ m_cat(struct mbuf *m, struct mbuf *n) } -/* make m size bytes large */ +/* make m 'size' bytes large from m_data */ void m_inc(struct mbuf *m, int size) { @@ -158,12 +158,12 @@ m_inc(struct mbuf *m, int size) if (m->m_flags & M_EXT) { datasize = m->m_data - m->m_ext; - m->m_ext = g_realloc(m->m_ext, size); + m->m_ext = g_realloc(m->m_ext, size + datasize); m->m_data = m->m_ext + datasize; } else { char *dat; datasize = m->m_data - m->m_dat; - dat = g_malloc(size); + dat = g_malloc(size + datasize); memcpy(dat, m->m_dat, m->m_size); m->m_ext = dat; @@ -171,8 +171,7 @@ m_inc(struct mbuf *m, int size) m->m_flags |= M_EXT; } - m->m_size = size; - + m->m_size = size + datasize; } diff --git a/slirp/mbuf.h b/slirp/mbuf.h index 893601ff9d..33b84485d6 100644 --- a/slirp/mbuf.h +++ b/slirp/mbuf.h @@ -33,8 +33,6 @@ #ifndef MBUF_H #define MBUF_H -#define MINCSIZE 4096 /* Amount to increase mbuf if too small */ - /* * Macros for type conversion * mtod(m,t) - convert mbuf pointer to data pointer of correct type @@ -72,11 +70,11 @@ struct mbuf { struct mbuf *m_prevpkt; /* Flags aren't used in the output queue */ int m_flags; /* Misc flags */ - int m_size; /* Size of data */ + int m_size; /* Size of mbuf, from m_dat or m_ext */ struct socket *m_so; - caddr_t m_data; /* Location of data */ - int m_len; /* Amount of data in this mbuf */ + caddr_t m_data; /* Current location of data */ + int m_len; /* Amount of data in this mbuf, from m_data */ Slirp *slirp; bool resolution_requested; -- 2.17.1