authorMarc-André Lureau <marcandre.lureau@gmail.com>2020-11-27 16:47:13 +0000
committerMarc-André Lureau <marcandre.lureau@gmail.com>2020-11-27 16:47:13 +0000
commit8f43a99191afb47ca3f3c6972f6306209f367ece (patch)
treebb7e5b1557ef32b34840dbc11c0d83ff8313aa25
parentce94eba2042d52a0ba3d9e252ebce86715e94275 (diff)
parent69b0d71870eca29f04d59da277a42d6515c3edd6 (diff)
Merge branch 'stable-4.2' into 'stable-4.2'stable-4.2
stable-4.2: Fix CVE-2020-29129, CVE-2020-29130 See merge request slirp/libslirp!58
-rw-r--r--src/ncsi.c4
-rw-r--r--src/slirp.c4
2 files changed, 8 insertions, 0 deletions
diff --git a/src/ncsi.c b/src/ncsi.c
index 3c1dfef..75dcc08 100644
--- a/src/ncsi.c
+++ b/src/ncsi.c
@@ -148,6 +148,10 @@ void ncsi_input(Slirp *slirp, const uint8_t *pkt, int pkt_len)
uint32_t checksum;
uint32_t *pchecksum;
+ if (pkt_len < ETH_HLEN + sizeof(struct ncsi_pkt_hdr)) {
+ return; /* packet too short */
+ }
+
memset(ncsi_reply, 0, sizeof(ncsi_reply));
memset(reh->h_dest, 0xff, ETH_ALEN);
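Review bot: The added guard compares the signed `pkt_len` with a `size_t` expression, so a negative `pkt_len` is converted to a large unsigned value and passes the check instead of being rejected. Whether any caller can hand in a negative length is not visible here, but the guard can state it explicitly: `if (pkt_len < 0 || (size_t)pkt_len < ETH_HLEN + sizeof(struct ncsi_pkt_hdr)) {`. The same mixed-sign comparison appears in the arp_input hunk in src/slirp.c with `sizeof(struct slirp_arphdr)`, and the same change applies there. The check covers only the fixed NC-SI header, so any code later in ncsi_input that reads payload beyond that header would need its own bound; the function body starts and ends outside the hunk.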
diff --git a/src/slirp.c b/src/slirp.c
index dba7c98..9be58e2 100644
--- a/src/slirp.c
+++ b/src/slirp.c
@@ -756,6 +756,10 @@ static void arp_input(Slirp *slirp, const uint8_t *pkt, int pkt_len)
return;
}
+ if (pkt_len < ETH_HLEN + sizeof(struct slirp_arphdr)) {
+ return; /* packet too short */
+ }
+
ar_op = ntohs(ah->ar_op);
switch (ar_op) {
case ARPOP_REQUEST: