Merge branch 'cve-2020-1983' into 'master'

Cve 2020 1983 Closes #20 See merge request !38

Merge branch 'cve-2020-1983' into 'master'
Cve 2020 1983 Closes #20 See merge request !38
9ac0371b · Marc-André Lureau · b2dd0915 · 1abf18b2 · 9ac0371b · 9ac0371b
Commit 9ac0371b authored Apr 20, 2020 by Marc-André Lureau 🎺
Hide whitespace changes
Inline Side-by-side

Showing with 13 additions and 6 deletions

CHANGELOG.md CHANGELOG.md +11 -2

src/ip_input.c src/ip_input.c +2 -4

No files found.
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -9,12 +9,21 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0

 ### Added

+ - `SLIRP_VERSION_STRING` macro, with the git sha suffix when building from git
+ - `SlirpConfig.disable_dns`, to disable DNS redirection #16
+
 ### Changed

+ - `slirp_version_string()` now has the git sha suffix when building form git
+ - Limit DNS redirection to port 53 #16
+
 ### Deprecated

 ### Fixed

+ - Fix build regression with mingw & NetBSD
+ - Fix use-afte-free in `ip_reass()` (CVE-2020-1983)
+
 ## [4.2.0] - 2020-03-17

 ### Added
@@ -22,12 +31,12 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 - New API function `slirp_add_unix`: add a forward rule to a Unix socket.
 - New API function `slirp_remove_guestfwd`: remove a forward rule previously
   added by `slirp_add_exec`, `slirp_add_unix` or `slirp_add_guestfwd`
- - New SlirpConfig.outbound_addr{,6} fields to bind output socket to a
+ - New `SlirpConfig.outbound_addr{,6}` fields to bind output socket to a
   specific address

 ### Changed

- - socket: do not fallback on host loopback if get_dns_addr() failed
+ - socket: do not fallback on host loopback if `get_dns_addr()` failed
   or the address is in slirp network

 ### Fixed

--- a/src/ip_input.c
+++ b/src/ip_input.c
@@ -327,8 +327,7 @@ insert:
     */
    q = fp->frag_link.next;
    m = dtom(slirp, q);
-
-    int was_ext = m->m_flags & M_EXT;
+    int delta = (char *)q - (m->m_flags & M_EXT ? m->m_ext : m->m_dat);

    q = (struct ipasfrag *)q->ipf_next;
    while (q != (struct ipasfrag *)&fp->frag_link) {
@@ -351,8 +350,7 @@ insert:
     * then an m_ext buffer was alloced. But fp->ipq_next points to the old
     * buffer (in the mbuf), so we must point ip into the new buffer.
     */
-    if (!was_ext && m->m_flags & M_EXT) {
-        int delta = (char *)q - m->m_dat;
+    if (m->m_flags & M_EXT) {
        q = (struct ipasfrag *)(m->m_ext + delta);
    }