slirp: check sscanf result when emulating ident

When emulating ident in tcp_emu, if the strchr checks passed but the sscanf check failed, two uninitialized variables would be copied and sent in the reply, so move this code inside the if(sscanf()) clause. Signed-off-by: William Bowling <will@wbowling.info> Cc: qemu-stable@nongnu.org Cc: secalert@redhat.com Message-Id: <1551476756-25749-1-git-send-email-will@wbowling.info> Signed-off-by: Samuel Thibault <samuel.thibault@ens-lyon.org> Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
author: William Bowling <will@wbowling.info> 2019-03-01 21:45:56 +0000
committer: Samuel Thibault <samuel.thibault@ens-lyon.org> 2019-03-06 23:36:22 +0100
commit: d3222975c7d6cda9e25809dea05241188457b113 (patch)
tree: 279e19d3623a1f5456ae5267bbebf62b40bbaebd /slirp
parent: 6c419a1e06c21c4568d5a12a9c5cafcdb00f6aa8 (diff)
1 files changed, 5 insertions, 5 deletions
diff --git a/slirp/tcp_subr.c b/slirp/tcp_subr.c
index 262a42d6c8..ef9d99c154 100644
--- a/slirp/tcp_subr.c
+++ b/slirp/tcp_subr.c
@@ -664,12 +664,12 @@ tcp_emu(struct socket *so, struct mbuf *m)
 							break;
 						}
 					}
+					so_rcv->sb_cc = snprintf(so_rcv->sb_data,
+								 so_rcv->sb_datalen,
+								 "%d,%d\r\n", n1, n2);
+					so_rcv->sb_rptr = so_rcv->sb_data;
+					so_rcv->sb_wptr = so_rcv->sb_data + so_rcv->sb_cc;
 				}
-                                so_rcv->sb_cc = snprintf(so_rcv->sb_data,
-                                                         so_rcv->sb_datalen,
-                                                         "%d,%d\r\n", n1, n2);
-				so_rcv->sb_rptr = so_rcv->sb_data;
-				so_rcv->sb_wptr = so_rcv->sb_data + so_rcv->sb_cc;
 			}
 			m_free(m);
 			return 0;
author	William Bowling <will@wbowling.info>	2019-03-01 21:45:56 +0000
committer	Samuel Thibault <samuel.thibault@ens-lyon.org>	2019-03-06 23:36:22 +0100
commit	d3222975c7d6cda9e25809dea05241188457b113 (patch)
tree	279e19d3623a1f5456ae5267bbebf62b40bbaebd /slirp
parent	6c419a1e06c21c4568d5a12a9c5cafcdb00f6aa8 (diff)