udp: check upd_input buffer size

Fixes: CVE-2021-3594 Fixes: https://gitlab.freedesktop.org/slirp/libslirp/-/issues/47 Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
author: Marc-André Lureau <marcandre.lureau@redhat.com> 2021-06-04 16:40:23 +0400
committer: Marc-André Lureau <marcandre.lureau@redhat.com> 2021-06-14 11:45:40 +0400
commit: 74572be49247c8c5feae7c6e0b50c4f569ca9824 (patch)
tree: 1aa7d4e7d8844a01ac7585cdeb8d7ce9c94471bb
parent: 990163cf3ac86b7875559f49602c4d76f46f6f30 (diff)
download: slirp-74572be49247c8c5feae7c6e0b50c4f569ca9824.zip
slirp-74572be49247c8c5feae7c6e0b50c4f569ca9824.tar.gz
slirp-74572be49247c8c5feae7c6e0b50c4f569ca9824.tar.bz2
1 files changed, 4 insertions, 1 deletions
diff --git a/src/udp.c b/src/udp.c
index 767ca85..06b7b7d 100644
--- a/src/udp.c
+++ b/src/udp.c
@@ -96,7 +96,10 @@ void udp_input(register struct mbuf *m, int iphlen)
     /*
      * Get IP and UDP header together in first mbuf.
      */
-    ip = mtod(m, struct ip *);
+    ip = mtod_check(m, iphlen + sizeof(struct udphdr));
+    if (ip == NULL) {
+        goto bad;
+    }
     uh = (struct udphdr *)((char *)ip + iphlen);
 
     /*
author	Marc-André Lureau <marcandre.lureau@redhat.com>	2021-06-04 16:40:23 +0400
committer	Marc-André Lureau <marcandre.lureau@redhat.com>	2021-06-14 11:45:40 +0400
commit	74572be49247c8c5feae7c6e0b50c4f569ca9824 (patch)
tree	1aa7d4e7d8844a01ac7585cdeb8d7ce9c94471bb
parent	990163cf3ac86b7875559f49602c4d76f46f6f30 (diff)
download	slirp-74572be49247c8c5feae7c6e0b50c4f569ca9824.zip slirp-74572be49247c8c5feae7c6e0b50c4f569ca9824.tar.gz slirp-74572be49247c8c5feae7c6e0b50c4f569ca9824.tar.bz2