bootp: limit vendor-specific area to input packet memory buffer

sizeof(bootp_t) currently holds DHCP_OPT_LEN. Remove this optional field from the structure, to help with the following patch checking for minimal header size. Modify the bootp_reply() function to take the buffer boundaries and avoiding potential buffer overflow. Related to CVE-2021-3592. https://gitlab.freedesktop.org/slirp/libslirp/-/issues/44 Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
author: Marc-André Lureau <marcandre.lureau@redhat.com> 2021-06-04 19:25:28 +0400
committer: Marc-André Lureau <marcandre.lureau@redhat.com> 2021-06-14 11:37:22 +0400
commit: f13cad45b25d92760bb0ad67bec0300a4d7d5275 (patch)
tree: 3d780ae36d9617410a6342ddaa82193173bfc29e /src/mbuf.c
parent: 93e645e72a056ec0b2c16e0299fc5c6b94e4ca17 (diff)
download: slirp-f13cad45b25d92760bb0ad67bec0300a4d7d5275.zip
slirp-f13cad45b25d92760bb0ad67bec0300a4d7d5275.tar.gz
slirp-f13cad45b25d92760bb0ad67bec0300a4d7d5275.tar.bz2
1 files changed, 5 insertions, 0 deletions
diff --git a/src/mbuf.c b/src/mbuf.c
index b4152c3..36864a4 100644
--- a/src/mbuf.c
+++ b/src/mbuf.c
@@ -274,3 +274,8 @@ void *mtod_check(struct mbuf *m, size_t len)
 
     return NULL;
 }
+
+void *m_end(struct mbuf *m)
+{
+    return m->m_data + m->m_len;
+}
author	Marc-André Lureau <marcandre.lureau@redhat.com>	2021-06-04 19:25:28 +0400
committer	Marc-André Lureau <marcandre.lureau@redhat.com>	2021-06-14 11:37:22 +0400
commit	f13cad45b25d92760bb0ad67bec0300a4d7d5275 (patch)
tree	3d780ae36d9617410a6342ddaa82193173bfc29e /src/mbuf.c
parent	93e645e72a056ec0b2c16e0299fc5c6b94e4ca17 (diff)
download	slirp-f13cad45b25d92760bb0ad67bec0300a4d7d5275.zip slirp-f13cad45b25d92760bb0ad67bec0300a4d7d5275.tar.gz slirp-f13cad45b25d92760bb0ad67bec0300a4d7d5275.tar.bz2