diff options
author | Michael Roth <mdroth@linux.vnet.ibm.com> | 2019-09-24 12:18:07 -0500 |
---|---|---|
committer | Michael Roth <mdroth@linux.vnet.ibm.com> | 2019-10-01 17:00:56 -0500 |
commit | 9efdbc0224a0edb05e109ad8e1f127b5ac004191 (patch) | |
tree | 59bb752a81ef735516ad8e71b2b5a4edb4e20481 | |
parent | 28c1dde9aa2a22724f81134035959d1a33a57690 (diff) |
slrip: ip_reass: Fix use after free
Using ip_deq after m_free might read pointers from an allocation reuse.
This would be difficult to exploit, but that is still related with
CVE-2019-14378 which generates fragmented IP packets that would trigger this
issue and at least produce a DoS.
Signed-off-by: Samuel Thibault <samuel.thibault@ens-lyon.org>
(from libslirp.git commit c59279437eda91841b9d26079c70b8a540d41204)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
-rw-r--r-- | slirp/ip_input.c | 6 |
1 files changed, 4 insertions, 2 deletions
diff --git a/slirp/ip_input.c b/slirp/ip_input.c index 6e291eabf0..01b3f9d4e0 100644 --- a/slirp/ip_input.c +++ b/slirp/ip_input.c @@ -300,6 +300,7 @@ ip_reass(Slirp *slirp, struct ip *ip, struct ipq *fp) */ while (q != (struct ipasfrag*)&fp->frag_link && ip->ip_off + ip->ip_len > q->ipf_off) { + struct ipasfrag *prev; i = (ip->ip_off + ip->ip_len) - q->ipf_off; if (i < q->ipf_len) { q->ipf_len -= i; @@ -307,9 +308,10 @@ ip_reass(Slirp *slirp, struct ip *ip, struct ipq *fp) m_adj(dtom(slirp, q), i); break; } + prev = q; q = q->ipf_next; - m_free(dtom(slirp, q->ipf_prev)); - ip_deq(q->ipf_prev); + ip_deq(prev); + m_free(dtom(slirp, prev)); } insert: |