aboutsummaryrefslogtreecommitdiff
path: root/slirp
diff options
context:
space:
mode:
authorPrasad J Pandit <pjp@fedoraproject.org>2017-07-17 17:33:26 +0530
committerSamuel Thibault <samuel.thibault@ens-lyon.org>2017-08-03 00:26:44 +0200
commit413d463f43fbc4dd3a601e80a5724aa384a265a0 (patch)
tree46d91274360ae4adcf4dd21ea30fd39e00ce7cf5 /slirp
parent5c843af22604edecda10d4bb89d4eede9e1bd3d0 (diff)
downloadqemu-413d463f43fbc4dd3a601e80a5724aa384a265a0.zip
qemu-413d463f43fbc4dd3a601e80a5724aa384a265a0.tar.gz
qemu-413d463f43fbc4dd3a601e80a5724aa384a265a0.tar.bz2
slirp: check len against dhcp options array end
While parsing dhcp options string in 'dhcp_decode', if an options' length 'len' appeared towards the end of 'bp_vend' array, ensuing read could lead to an OOB memory access issue. Add check to avoid it. This is CVE-2017-11434. Reported-by: Reno Robert <renorobert@gmail.com> Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org> Signed-off-by: Samuel Thibault <samuel.thibault@ens-lyon.org>
Diffstat (limited to 'slirp')
-rw-r--r--slirp/bootp.c3
1 files changed, 3 insertions, 0 deletions
diff --git a/slirp/bootp.c b/slirp/bootp.c
index 5a4646c..5dd1a41 100644
--- a/slirp/bootp.c
+++ b/slirp/bootp.c
@@ -123,6 +123,9 @@ static void dhcp_decode(const struct bootp_t *bp, int *pmsg_type,
if (p >= p_end)
break;
len = *p++;
+ if (p + len > p_end) {
+ break;
+ }
DPRINTF("dhcp: tag=%d len=%d\n", tag, len);
switch(tag) {