[Bug 1858415] Re: in tcp_emu function has OOB bug

r1ng0hacking Wed, 10 Jun 2020 05:39:03 -0700

** Information type changed from Private Security to Public

-- 
You received this bug notification because you are a member of qemu-
devel-ml, which is subscribed to QEMU.
https://bugs.launchpad.net/bugs/1858415


Title:
  in tcp_emu function has OOB bug

Status in QEMU:
  Fix Released

Bug description:
  qemu version: 4.1.0

  ```c
  int tcp_emu(struct socket *so, struct mbuf *m){
  ............
  case EMU_REALAUDIO:
  ............
      while (bptr < m->m_data + m->m_len) {
          case 6:
  ............
              lport = (((uint8_t *)bptr)[0] << 8) + ((uint8_t *)bptr)[1];
  ............               
              *(uint8_t *)bptr++ = (p >> 8) & 0xff;
              *(uint8_t *)bptr = p & 0xff;
  ............
      }
  ............
  ............
  }
  ```

  bptr)[1] and  bptr++ ,may make bptr ==  m->m_data + m->m_len,and cause
  OOB（out of bounds.）

To manage notifications about this bug go to:
https://bugs.launchpad.net/qemu/+bug/1858415/+subscriptions

[Bug 1858415] Re: in tcp_emu function has OOB bug

Reply via email to