author | Marc-André Lureau <marcandre.lureau@gmail.com> | 2020-04-20 20:28:52 +0000 |
---|---|---|
committer | Marc-André Lureau <marcandre.lureau@gmail.com> | 2020-04-20 20:28:52 +0000 |
commit | 9ac0371bb8c0a40f5d9f82a1c25129660e81df04 (patch) | |
tree | cc9f0207eb51ca38107a7c20be0bd08b2c3ac067 | |
parent | b2dd09156a1ff5adb20c8ad73055284c6be786ff (diff) | |
parent | 1abf18b2b5edb462797629ed47ad4515a195686e (diff) | |
Merge branch 'cve-2020-1983' into 'master'
Cve 2020 1983
Closes #20
See merge request slirp/libslirp!38
-rw-r--r-- | CHANGELOG.md | 13 | ||||
-rw-r--r-- | src/ip_input.c | 6 |
2 files changed, 13 insertions, 6 deletions
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 67b0a74..d4c935b 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -9,12 +9,21 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 ### Added
+ - `SLIRP_VERSION_STRING` macro, with the git sha suffix when building from git
+ - `SlirpConfig.disable_dns`, to disable DNS redirection #16
+
 ### Changed
+ - `slirp_version_string()` now has the git sha suffix when building form git
+ - Limit DNS redirection to port 53 #16
+
 ### Deprecated
 ### Fixed
+ - Fix build regression with mingw & NetBSD
+ - Fix use-afte-free in `ip_reass()` (CVE-2020-1983)
+
 ## [4.2.0] - 2020-03-17
 ### Added
@@ -22,12 +31,12 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 - New API function `slirp_add_unix`: add a forward rule to a Unix socket.
 - New API function `slirp_remove_guestfwd`: remove a forward rule previously added by `slirp_add_exec`, `slirp_add_unix` or `slirp_add_guestfwd`
- - New SlirpConfig.outbound_addr{,6} fields to bind output socket to a
+ - New `SlirpConfig.outbound_addr{,6}` fields to bind output socket to a
 specific address
 ### Changed
- - socket: do not fallback on host loopback if get_dns_addr() failed
+ - socket: do not fallback on host loopback if `get_dns_addr()` failed
 or the address is in slirp network
 ### Fixed
diff --git a/src/ip_input.c b/src/ip_input.c
index aa514ae..89a01d4 100644
--- a/src/ip_input.c
+++ b/src/ip_input.c
@@ -327,8 +327,7 @@ insert:
 */
 q = fp->frag_link.next;
 m = dtom(slirp, q);
-
- int was_ext = m->m_flags & M_EXT;
+ int delta = (char *)q - (m->m_flags & M_EXT ? m->m_ext : m->m_dat);
 q = (struct ipasfrag *)q->ipf_next;
 while (q != (struct ipasfrag *)&fp->frag_link) {
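Review bot: `delta` in the added line after `m = dtom(slirp, q);` is declared `int` but holds a pointer difference, so `ptrdiff_t delta = (char *)q - (m->m_flags & M_EXT ? m->m_ext : m->m_dat);` would match the expression's type and avoid an implicit narrowing. The line also has no comment saying why the offset is captured at this point; something like `/* offset of q inside m's current data buffer, saved before the loop below can move that buffer */` would tell the next reader that the ordering is what makes the later rebase safe. The loop body lies outside the hunk, so that it can reallocate the buffer is inferred from the comment and rebase in the following hunk.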
@@ -351,8 +350,7 @@ insert:
 * then an m_ext buffer was alloced. But fp->ipq_next points to the old
 * buffer (in the mbuf), so we must point ip into the new buffer.
 */
- if (!was_ext && m->m_flags & M_EXT) {
- int delta = (char *)q - m->m_dat;
+ if (m->m_flags & M_EXT) {
 q = (struct ipasfrag *)(m->m_ext + delta);
 }
|
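Review bot: The comment above the changed `if` is now stale: its visible part still describes only data moving from the in-mbuf buffer to a newly allocated m_ext ("points to the old buffer (in the mbuf)"), while the new condition `if (m->m_flags & M_EXT)` also rebases `q` when the mbuf was already external before the loop. That second case is presumably the one behind the use-after-free named in the changelog, so the comment should cover it, for example `* The data may now sit in a new or reallocated m_ext buffer while q still points into the old one, so rebase q by the offset saved before the loop.` The comment begins above the hunk, so its opening lines are not visible here. The rebase is only correct if `q` at this point refers to the same fragment `delta` was measured from; the lines between the two hunks are not shown, so that is worth confirming.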