aboutsummaryrefslogtreecommitdiff
path: root/udp.c
diff options
context:
space:
mode:
authorPetr Matousek <pmatouse@redhat.com>2014-09-18 08:35:37 +0200
committerPeter Maydell <peter.maydell@linaro.org>2014-09-23 19:15:05 +0100
commit11cdeaccef94afa51ff50f6e5909e05f9146a126 (patch)
treeeeba3a831d77a9823891ce16fbb1a48a304b5797 /udp.c
parent2439a79b0dfcad1e066d2d1cd21873dc8b24696b (diff)
downloadslirp-11cdeaccef94afa51ff50f6e5909e05f9146a126.zip
slirp-11cdeaccef94afa51ff50f6e5909e05f9146a126.tar.gz
slirp-11cdeaccef94afa51ff50f6e5909e05f9146a126.tar.bz2
When guest sends udp packet with source port and source addr 0, uninitialized socket is picked up when looking for matching and already created udp sockets, and later passed to sosendto() where NULL pointer dereference is hit during so->slirp->vnetwork_mask.s_addr access. Fix this by checking that the socket is not just a socket stub. This is CVE-2014-3640. Signed-off-by: Petr Matousek <pmatouse@redhat.com> Reported-by: Xavier Mehrenberger <xavier.mehrenberger@airbus.com> Reported-by: Stephane Duverger <stephane.duverger@eads.net> Reviewed-by: Jan Kiszka <jan.kiszka@siemens.com> Reviewed-by: Michael S. Tsirkin <mst@redhat.com> Reviewed-by: Michael Tokarev <mjt@tls.msk.ru> Message-id: 20140918063537.GX9321@dhcp-25-225.brq.redhat.com Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Diffstat (limited to 'udp.c')
-rw-r--r--udp.c2
1 files changed, 1 insertions, 1 deletions
diff --git a/udp.c b/udp.c
index 9bc264f..5121099 100644
--- a/udp.c
+++ b/udp.c
@@ -150,7 +150,7 @@ void udp_input(register struct mbuf *m, int iphlen)
* Locate pcb for datagram.
*/
so = slirp->udp_last_so;
- if (so->so_lport != uh->uh_sport ||
+ if (so == &slirp->udb || so->so_lport != uh->uh_sport ||
so->so_laddr.s_addr != ip->ip_src.s_addr) {
struct socket *tmp;