diff options
| author | Akihiko Odaki <akihiko.odaki@daynix.com> | 2023-01-30 14:56:02 +0900 |
|---|---|---|
| committer | Samuel Thibault <samuel.thibault@ens-lyon.org> | 2023-05-16 20:04:45 +0200 |
| commit | 26be815b86e8d49add8c9a8b320239b9594ff03d (patch) | |
| tree | 90e345cb3c73cf326a125b7bed746bf85fb57d96 /src/util.c | |
| parent | fc5eaaf6f68d5cff76468c63984c33c4fb51506d (diff) | |
| download | slirp-26be815b86e8d49add8c9a8b320239b9594ff03d.zip slirp-26be815b86e8d49add8c9a8b320239b9594ff03d.tar.gz slirp-26be815b86e8d49add8c9a8b320239b9594ff03d.tar.bz2 | |
ip: Enforce strict aliasing
Sometimes ipq were casted to ipasfrag, and the original and casted
pointer were used simultaneously in ip_reass(). GCC 12.1.0 assumes
these pointers are not aliases, and therefore incorrectly the pointed
data will not be modified when it is actually modified with another
pointer.
To fix this problem, introduce a new type "ipas", which is a universal
type denoting an entry in the assembly queue and contains union for
specialization as queue head (frequently referred as "q" or "ipq" in
the source code) or IP fragment ("f" or "ipf").
This bug was found by Alexander Bulekov when fuzzing QEMU:
https://patchew.org/QEMU/20230129053316.1071513-1-alxndr@bu.edu/
The fixed test case is:
fuzz/crash_449dd4ad72212627fe3245c875f79a7033cc5382
Signed-off-by: Akihiko Odaki <akihiko.odaki@daynix.com>
Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Diffstat (limited to 'src/util.c')
0 files changed, 0 insertions, 0 deletions