yeahuh / rpms / qemu-kvm

Forked from rpms/qemu-kvm 2 years ago
SOURCES/kvm-slirp-check-sscanf-result-when-emulating-ident.patch

From 49fbfce352a678b538113598cba05c48281174a4 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= <philmd@redhat.com>
Date: Wed, 24 Jul 2019 15:53:34 +0100
Subject: [PATCH 09/14] slirp: check sscanf result when emulating ident
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

RH-Author: Philippe Mathieu-Daudé <philmd@redhat.com>
Message-id: <20190724155337.25303-2-philmd@redhat.com>
Patchwork-id: 89675
O-Subject: [RHEL-8.1.0 qemu-kvm PATCH v2 1/4] slirp: check sscanf result when emulating ident
Bugzilla: 1727642
RH-Acked-by: Stefan Hajnoczi <stefanha@redhat.com>
RH-Acked-by: Marc-André Lureau <marcandre.lureau@redhat.com>
RH-Acked-by: Thomas Huth <thuth@redhat.com>

From: William Bowling <will@wbowling.info>

When emulating ident in tcp_emu, if the strchr checks passed but the
sscanf check failed, two uninitialized variables would be copied and
sent in the reply, so move this code inside the if(sscanf()) clause.

Signed-off-by: William Bowling <will@wbowling.info>
Cc: qemu-stable@nongnu.org
Cc: secalert@redhat.com
Message-Id: <1551476756-25749-1-git-send-email-will@wbowling.info>
Signed-off-by: Samuel Thibault <samuel.thibault@ens-lyon.org>
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
(cherry picked from commit d3222975c7d6cda9e25809dea05241188457b113)
Fixes: CVE-2019-9824
Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Signed-off-by: Danilo C. L. de Paula <ddepaula@redhat.com>
---
 slirp/tcp_subr.c | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/slirp/tcp_subr.c b/slirp/tcp_subr.c
index 1c7eb28..af1b3eb 100644
--- a/slirp/tcp_subr.c
+++ b/slirp/tcp_subr.c
@@ -665,12 +665,12 @@ tcp_emu(struct socket *so, struct mbuf *m)
 							break;
 						}
 					}
+					so_rcv->sb_cc = snprintf(so_rcv->sb_data,
+								 so_rcv->sb_datalen,
+								 "%d,%d\r\n", n1, n2);
+					so_rcv->sb_rptr = so_rcv->sb_data;
+					so_rcv->sb_wptr = so_rcv->sb_data + so_rcv->sb_cc;
 				}
-                                so_rcv->sb_cc = snprintf(so_rcv->sb_data,
-                                                         so_rcv->sb_datalen,
-                                                         "%d,%d\r\n", n1, n2);
-				so_rcv->sb_rptr = so_rcv->sb_data;
-				so_rcv->sb_wptr = so_rcv->sb_data + so_rcv->sb_cc;
 			}
 			m_free(m);
 			return 0;
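Review bot: with the reply construction now inside the sscanf guard, a request that passes the strchr checks but fails sscanf falls straight through to `m_free(m); return 0;` with so_rcv untouched, so the querying side gets no response line at all. That is the right fix for the uninitialized n1/n2 leak, but the silent drop is a behaviour change that deserves a comment at the closing brace of the if (or a sentence in the commit message) so the next reader does not take it for an oversight. Separately, `so_rcv->sb_cc = snprintf(...)` stores the length snprintf wanted to write, not the length it wrote; for "%d,%d\r\n" the output is under 32 bytes, so it cannot overrun sb_datalen in practice, but a clamp such as `if (so_rcv->sb_cc >= so_rcv->sb_datalen)` or at least a comment stating the bound would make `sb_wptr = sb_data + sb_cc` visibly safe. The re-indentation of the moved lines from spaces to tabs matches the surrounding code and is welcome.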
-- 
1.8.3.1
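The commit message above describes a control-flow bug rather than a parsing bug: the sanity check and the reply construction sat in different scopes, so a request that passed the first but failed the second was answered with whatever n1 and n2 happened to hold. The stand-alone C program below is an added example, not slirp or QEMU code, that reduces the two shapes of that code path to a pair of functions. The strchr-style sanity check, the "%d,%d" request format, the 64-byte reply buffer and the helper names are assumptions made for the example; the real tcp_emu() request format and buffer are not shown on this page. Because reading genuinely uninitialized variables is undefined behaviour, the pre-fix function seeds n1/n2 with a marker value standing in for leftover stack contents, so the leak shows up deterministically in the reply.

```c
/*
 * Added example (not slirp/QEMU code): the control-flow bug fixed by the
 * patch above, reduced to two stand-alone functions.
 *
 * The "%d,%d" request format and the strchr sanity check are assumptions
 * for this example; they are not the exact checks used in tcp_emu().
 */
#include <stdio.h>
#include <string.h>

/* Stand-in for whatever the stack happened to hold. The real bug read
 * genuinely uninitialized ints, which would be undefined behaviour here. */
#define STACK_GARBAGE 2147475117   /* 0x7fffdead */

/* Assumed sanity check, modelled on (not copied from) the strchr checks
 * the commit message mentions: the request needs a separator and a line
 * terminator. Returns 1 if it passes. */
static int looks_like_ident_request(const char *req)
{
    return strchr(req, ',') != NULL && strchr(req, '\n') != NULL;
}

/* Pre-fix shape: the reply is built after, not inside, the sscanf guard.
 * Returns reply bytes snprintf wanted to write, or -1 if the sanity
 * check failed. */
int ident_reply_unchecked(const char *req, char *out, size_t outlen)
{
    int n1 = STACK_GARBAGE, n2 = STACK_GARBAGE;   /* "uninitialized" */

    if (!looks_like_ident_request(req))
        return -1;
    if (sscanf(req, "%d,%d", &n1, &n2) == 2) {
        /* real code: look up the connection and rewrite n1/n2 here */
    }
    /* BUG: reached even when sscanf matched fewer than two fields, so
     * whatever n1/n2 held is formatted into the reply. */
    return snprintf(out, outlen, "%d,%d\r\n", n1, n2);
}

/* Post-fix shape: no reply unless both fields were parsed. Returns reply
 * bytes written, 0 for "no reply", or -1 on sanity-check failure or
 * truncation. */
int ident_reply_checked(const char *req, char *out, size_t outlen)
{
    int n1, n2, n;

    if (!looks_like_ident_request(req))
        return -1;
    if (sscanf(req, "%d,%d", &n1, &n2) != 2)
        return 0;      /* drop the request; n1/n2 never leave the stack */
    n = snprintf(out, outlen, "%d,%d\r\n", n1, n2);
    /* snprintf returns the length it wanted, not the length it wrote. A
     * caller that uses the return value as a byte count (as tcp_emu does
     * for sb_cc) must never see a value >= outlen. */
    if (n < 0 || (size_t)n >= outlen)
        return -1;
    return n;
}

/* Returns 1 if a reply contains the garbage marker, i.e. the leak fired. */
int reply_leaks_garbage(const char *reply)
{
    char marker[16];
    snprintf(marker, sizeof marker, "%d", STACK_GARBAGE);
    return strstr(reply, marker) != NULL;
}

int main(void)
{
    /* Constructed requests: one malformed after the comma, one valid. */
    const char *bad = "abc,def\r\n";
    const char *good = "6667,1234\r\n";
    char reply[64];
    int n;

    n = ident_reply_unchecked(bad, reply, sizeof reply);
    printf("unchecked, bad  -> %d bytes, leaks=%d\n",
           n, n > 0 && reply_leaks_garbage(reply));
    n = ident_reply_checked(bad, reply, sizeof reply);
    printf("checked,   bad  -> %d bytes (no reply)\n", n);
    n = ident_reply_checked(good, reply, sizeof reply);
    printf("checked,   good -> %d bytes: %s", n, reply);
    return 0;
}
```

The unchecked function answers the malformed request with the marker in both fields, exactly the shape of the leak the patch closes; the checked function returns 0 for that request and only formats a reply once both fields parsed, and additionally refuses to hand back a snprintf length that would not fit the buffer.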