On 2014-09-17 13:41, Petr Matousek wrote:
> When guest sends udp packet with source port and source addr 0,
> uninitialized socket is picked up when looking for matching and already
> created udp sockets, and later passed to sosendto() where NULL pointer
> dereference is hit during so->slirp->vnetwork_mask.s_addr access.
>
> Fix this by checking that the socket is in initialized state.
>
> This is CVE-2014-3640.
>
> Signed-off-by: Petr Matousek <pmato...@redhat.com>
> Reported-by: Xavier Mehrenberger <xavier.mehrenber...@airbus.com>
> Reported-by: Stephane Duverger <stephane.duver...@eads.net>
> Reviewed-by: Michael S. Tsirkin <m...@redhat.com>
> ---
> slirp/udp.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/slirp/udp.c b/slirp/udp.c
> index 8cc6cb6..4affcc6 100644
> --- a/slirp/udp.c
> +++ b/slirp/udp.c
> @@ -152,7 +152,7 @@ udp_input(register struct mbuf *m, int iphlen)
> * Locate pcb for datagram.
> */
> so = slirp->udp_last_so;
> - if (so->so_lport != uh->uh_sport ||
> + if (!so->so_state || so->so_lport != uh->uh_sport ||
I think it would be clearer to test so against &slirp->udb. That's done
later on in this code as well to differentiate between valid sockets and
this stub.
Jan
> so->so_laddr.s_addr != ip->ip_src.s_addr) {
> struct socket *tmp;
>
>
--
Siemens AG, Corporate Technology, CT RTC ITP SES-DE
Corporate Competence Center Embedded Linux
