On 23 September 2014 09:50, Michael Tokarev <m...@tls.msk.ru> wrote:
> 18.09.2014 10:35, Petr Matousek wrote:
>> When guest sends udp packet with source port and source addr 0,
>> uninitialized socket is picked up when looking for matching and already
>> created udp sockets, and later passed to sosendto() where NULL pointer
>> dereference is hit during so->slirp->vnetwork_mask.s_addr access.
>>
>> Fix this by checking that the socket is not just a socket stub.
>>
>> This is CVE-2014-3640.
>>
>> Signed-off-by: Petr Matousek <pmato...@redhat.com>
>> Reported-by: Xavier Mehrenberger <xavier.mehrenber...@airbus.com>
>> Reported-by: Stephane Duverger <stephane.duver...@eads.net>
>
> Reviewed-by: Michael Tokarev <m...@tls.msk.ru>

Applied to master, thanks.

-- PMM
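
The lookup flaw described in the quoted commit message, as an added example that is not part of the original thread and is not QEMU's code: a simplified model in which a cached-socket comparison can match the zero-filled list head, next to a lookup that rejects the stub. All struct, field and function names are hypothetical, and the one-entry cache is an assumption of the model.

```c
#include <stddef.h>
#include <stdint.h>

/* Simplified model; every name here is hypothetical, not QEMU's. */
struct sock {
    struct sock *next;   /* circular list linked through a stub head */
    void        *owner;  /* back-pointer to instance state; NULL in the stub */
    uint32_t     laddr;  /* guest source address */
    uint16_t     lport;  /* guest source port */
};

struct table {
    struct sock  head;   /* zero-filled list head (the "socket stub") */
    struct sock *last;   /* one-entry lookup cache */
};

static void table_init(struct table *t)
{
    t->head = (struct sock){ .next = &t->head };
    t->last = &t->head;  /* the cache starts out pointing at the stub */
}

/* Walk the real entries; the stub only terminates the walk. */
static struct sock *scan(struct table *t, uint32_t addr, uint16_t port)
{
    for (struct sock *so = t->head.next; so != &t->head; so = so->next)
        if (so->laddr == addr && so->lport == port)
            return t->last = so;
    return NULL;         /* caller would create a new socket here */
}

/* Before: the cached entry is compared by address and port only, so a
 * packet from 0.0.0.0:0 matches the stub and the stub is returned. */
static struct sock *lookup_unchecked(struct table *t, uint32_t addr, uint16_t port)
{
    struct sock *so = t->last;
    if (so->laddr == addr && so->lport == port)
        return so;       /* may be &t->head, whose owner is NULL */
    return scan(t, addr, port);
}

/* After: the stub is never accepted as a match, cached or not. */
static struct sock *lookup_checked(struct table *t, uint32_t addr, uint16_t port)
{
    struct sock *so = t->last;
    if (so != &t->head && so->laddr == addr && so->lport == port)
        return so;
    return scan(t, addr, port);
}
```
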