upd6: check udp6_input buffer size

Fixes: CVE-2021-3593 Fixes: https://gitlab.freedesktop.org/slirp/libslirp/-/issues/45 Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
author: Marc-André Lureau <marcandre.lureau@redhat.com> 2021-06-04 16:32:55 +0400
committer: Marc-André Lureau <marcandre.lureau@redhat.com> 2021-06-14 11:42:26 +0400
commit: de71c15de66ba9350bf62c45b05f8fbff166517b (patch)
tree: df95b41743781871875cf27dda3ff4c2f3bb8cad
parent: 2eca0838eee1da96204545e22cdaed860d9d7c6c (diff)
download: slirp-de71c15de66ba9350bf62c45b05f8fbff166517b.zip
slirp-de71c15de66ba9350bf62c45b05f8fbff166517b.tar.gz
slirp-de71c15de66ba9350bf62c45b05f8fbff166517b.tar.bz2
1 files changed, 4 insertions, 1 deletions
diff --git a/src/udp6.c b/src/udp6.c
index 18ce998..efeac5c 100644
--- a/src/udp6.c
+++ b/src/udp6.c
@@ -31,7 +31,10 @@ void udp6_input(struct mbuf *m)
     ip = mtod(m, struct ip6 *);
     m->m_len -= iphlen;
     m->m_data += iphlen;
-    uh = mtod(m, struct udphdr *);
+    uh = mtod_check(m, sizeof(struct udphdr));
+    if (uh == NULL) {
+        goto bad;
+    }
     m->m_len += iphlen;
     m->m_data -= iphlen;
author	Marc-André Lureau <marcandre.lureau@redhat.com>	2021-06-04 16:32:55 +0400
committer	Marc-André Lureau <marcandre.lureau@redhat.com>	2021-06-14 11:42:26 +0400
commit	de71c15de66ba9350bf62c45b05f8fbff166517b (patch)
tree	df95b41743781871875cf27dda3ff4c2f3bb8cad
parent	2eca0838eee1da96204545e22cdaed860d9d7c6c (diff)
download	slirp-de71c15de66ba9350bf62c45b05f8fbff166517b.zip slirp-de71c15de66ba9350bf62c45b05f8fbff166517b.tar.gz slirp-de71c15de66ba9350bf62c45b05f8fbff166517b.tar.bz2