authorMarc-André Lureau <marcandre.lureau@redhat.com>2019-05-03 13:32:04 +0200
committerMarc-André Lureau <marcandre.lureau@redhat.com>2019-05-03 13:32:12 +0200
commit306fef58b54d793ba4b259728c21322765bda917 (patch)
treedad34cd90fb5636973a3b371353f0eb203acd6d7 /src/tcp_subr.c
parent59a1b1f165458c2acb7ff0525b543945f7416225 (diff)
slirp: ensure there is enough space in mbuf to null-terminate
Prevents buffer overflows. Related to: https://bugzilla.redhat.com/show_bug.cgi?id=1664205 Cc: Prasad J Pandit <pjp@fedoraproject.org> Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Diffstat (limited to 'src/tcp_subr.c')
-rw-r--r--src/tcp_subr.c3
1 files changed, 3 insertions, 0 deletions
diff --git a/src/tcp_subr.c b/src/tcp_subr.c
index 7ab3ab2..aa10bc8 100644
--- a/src/tcp_subr.c
+++ b/src/tcp_subr.c
@@ -639,6 +639,7 @@ int tcp_emu(struct socket *so, struct mbuf *m)
memcpy(so_rcv->sb_wptr, m->m_data, m->m_len);
so_rcv->sb_wptr += m->m_len;
so_rcv->sb_rptr += m->m_len;
+ m_inc(m, m->m_len + 1);
m->m_data[m->m_len] = 0; /* NULL terminate */
if (strchr(m->m_data, '\r') || strchr(m->m_data, '\n')) {
if (sscanf(so_rcv->sb_data, "%u%*[ ,]%u", &n1, &n2) == 2) {
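Review bot: The terminator added here lands in the mbuf (`m->m_data[m->m_len] = 0`), but the `sscanf` two lines later parses `so_rcv->sb_data`, a different buffer that the visible lines never NUL-terminate. Unless code outside this hunk guarantees a NUL at or after `sb_wptr`, the scan can read past the bytes just copied. One option is `*so_rcv->sb_wptr = 0;` after the pointer is advanced, provided the space check that guards the `memcpy` (not shown here) reserves one extra byte for it. tcp_emu's body starts and ends outside the hunk, so both the existing bound and any existing termination need to be confirmed there.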
@@ -671,6 +672,7 @@ int tcp_emu(struct socket *so, struct mbuf *m)
}
case EMU_FTP: /* ftp */
+ m_inc(m, m->m_len + 1);
*(m->m_data + m->m_len) = 0; /* NUL terminate for strstr */
if ((bptr = (char *)strstr(m->m_data, "ORT")) != NULL) {
/*
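Review bot: The grow-then-terminate pair added before `strstr` here is repeated in the EMU_IDENT hunk above and the DCC hunk below, written two different ways (`m->m_data[m->m_len] = 0` and `*(m->m_data + m->m_len) = 0`) and with no comment saying why `m_inc` is needed. A comment such as `/* m_len may fill the mbuf exactly; make room for the terminator */`, or a small static helper doing both steps, would keep the three sites from drifting. The fix relies on `m_inc` guaranteeing `m->m_len + 1` writable bytes counted from `m->m_data` rather than from the start of the buffer; its definition is not in this diff, so that is worth confirming. If `m_inc` can relocate the data, any pointer into `m->m_data` taken before the call is stale afterwards; in the visible lines `bptr` is assigned after it, and later edits to tcp_emu (whose body extends outside these hunks) should keep that order.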
@@ -771,6 +773,7 @@ int tcp_emu(struct socket *so, struct mbuf *m)
/*
* Need to emulate DCC CHAT, DCC SEND and DCC MOVE
*/
+ m_inc(m, m->m_len + 1);
*(m->m_data + m->m_len) = 0; /* NULL terminate the string for strstr */
if ((bptr = (char *)strstr(m->m_data, "DCC")) == NULL)
return 1;