diff options
author | Samuel Thibault <samuel.thibault@ens-lyon.org> | 2020-11-27 15:58:18 +0000 |
---|---|---|
committer | Samuel Thibault <samuel.thibault@ens-lyon.org> | 2020-11-27 15:58:18 +0000 |
commit | 65a228860cea416477aa5887f1e3601f607baf00 (patch) | |
tree | 842e3df9481b802bf46e8ac722abb31fb7b351b6 | |
parent | 55e83caf7d7a49256ff38c849360d5b34aa8b546 (diff) | |
parent | 2e1dcbc0c2af64fcb17009eaf2ceedd81be2b27f (diff) | |
download | slirp-65a228860cea416477aa5887f1e3601f607baf00.zip slirp-65a228860cea416477aa5887f1e3601f607baf00.tar.gz slirp-65a228860cea416477aa5887f1e3601f607baf00.tar.bz2 |
Merge branch 'CVE-2020-29129' into 'master'
slirp: check pkt_len before reading protocol header
See merge request slirp/libslirp!57
-rw-r--r-- | src/ncsi.c | 4 | ||||
-rw-r--r-- | src/slirp.c | 4 |
2 files changed, 8 insertions, 0 deletions
@@ -148,6 +148,10 @@ void ncsi_input(Slirp *slirp, const uint8_t *pkt, int pkt_len) uint32_t checksum; uint32_t *pchecksum; + if (pkt_len < ETH_HLEN + sizeof(struct ncsi_pkt_hdr)) { + return; /* packet too short */ + } + memset(ncsi_reply, 0, sizeof(ncsi_reply)); memset(reh->h_dest, 0xff, ETH_ALEN); diff --git a/src/slirp.c b/src/slirp.c index 9bead0c..abb6f9a 100644 --- a/src/slirp.c +++ b/src/slirp.c @@ -860,6 +860,10 @@ static void arp_input(Slirp *slirp, const uint8_t *pkt, int pkt_len) return; } + if (pkt_len < ETH_HLEN + sizeof(struct slirp_arphdr)) { + return; /* packet too short */ + } + ar_op = ntohs(ah->ar_op); switch (ar_op) { case ARPOP_REQUEST: |