diff options
author | aurel32 <aurel32@c046a42c-6fe2-441c-8c8c-71466251a162> | 2008-12-07 18:15:23 +0000 |
---|---|---|
committer | aurel32 <aurel32@c046a42c-6fe2-441c-8c8c-71466251a162> | 2008-12-07 18:15:23 +0000 |
commit | e8e880a72e63d0587f03aa670be3de683b881ca8 (patch) | |
tree | 1581368764d44d56922b384787971b36f1dd1494 | |
parent | a810a2de170565529464072edf2102443aaa9fab (diff) |
slirp: fix CVE 2007-5729
The emulated network cards in QEMU allows local users to execute arbitrary
code by writing Ethernet frames with a size larger than the slirp's default
MTU, which triggers a heap-based buffer overflow in the slirp library.
Signed-off-by: Aurelien Jarno <aurelien@aurel32.net>
git-svn-id: svn://svn.savannah.nongnu.org/qemu/trunk@5920 c046a42c-6fe2-441c-8c8c-71466251a162
-rw-r--r-- | slirp/slirp.c | 3 |
1 files changed, 3 insertions, 0 deletions
diff --git a/slirp/slirp.c b/slirp/slirp.c index de4b4806f4..17b40e249a 100644 --- a/slirp/slirp.c +++ b/slirp/slirp.c @@ -654,6 +654,9 @@ void slirp_input(const uint8_t *pkt, int pkt_len) if (!m) return; /* Note: we add to align the IP header */ + if (M_FREEROOM(m) < pkt_len + 2) { + m_inc(m, pkt_len + 2); + } m->m_len = pkt_len + 2; memcpy(m->m_data + 2, pkt, pkt_len); |