Commit 126c04ac authored by Samuel Thibault

Fix heap overflow in ip_reass on big packet input

When the first fragment does not fit in the preallocated buffer, q will
already be pointing to the ext buffer, so we mustn't try to update it.
Signed-off-by: Samuel Thibault <>
parent 113a219a
......@@ -326,6 +326,8 @@ insert:
q = fp->;
m = dtom(slirp, q);
int was_ext = m->m_flags & M_EXT;
q = (struct ipasfrag *)q->ipf_next;
while (q != (struct ipasfrag *)&fp->frag_link) {
struct mbuf *t = dtom(slirp, q);
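Review bot: the was_ext declaration comes after the assignments to q and m and has no comment saying that it records the M_EXT state of m before the while loop that follows. A one-line comment stating that the flag is sampled here because the later relocation check depends on whether m was already using the ext buffer would let the !was_ext test in the next hunk be read on its own. Since the value is only ever used as a truth value, declaring it as bool was_ext = (m->m_flags & M_EXT) != 0; would state the intent more clearly than an int holding the masked bits.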
......@@ -348,7 +350,7 @@ insert:
* the old buffer (in the mbuf), so we must point ip
* into the new buffer.
if (m->m_flags & M_EXT) {
if (!was_ext && m->m_flags & M_EXT) {
int delta = (char *)q - m->m_dat;
q = (struct ipasfrag *)(m->m_ext + delta);
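Review bot: the delta computation inside the guarded block, (char *)q - m->m_dat, still assumes that q points into m->m_dat, and the only thing enforcing that is the new !was_ext term in the condition. The commit message describes the case where q already points into the ext buffer, so an explicit check or assertion that q lies within m->m_dat before delta is used to index m->m_ext would protect this block if another path ever reaches it with q elsewhere. Separately, the new condition relies on & binding tighter than &&; writing it as if (!was_ext && (m->m_flags & M_EXT)) makes the grouping explicit and avoids compiler warnings about mixed operators.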