Commit 9ac0371b authored by Marc-André Lureau

Merge branch 'cve-2020-1983' into 'master'

Cve 2020 1983

Closes #20

See merge request !38
parents b2dd0915 1abf18b2
Pipeline #134780 passed with stage in 2 minutes and 10 seconds
......@@ -9,12 +9,21 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
### Added
- `SLIRP_VERSION_STRING` macro, with the git sha suffix when building from git
- `SlirpConfig.disable_dns`, to disable DNS redirection #16
### Changed
- `slirp_version_string()` now has the git sha suffix when building form git
- Limit DNS redirection to port 53 #16
### Deprecated
### Fixed
- Fix build regression with mingw & NetBSD
- Fix use-afte-free in `ip_reass()` (CVE-2020-1983)
## [4.2.0] - 2020-03-17
### Added
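Review bot: the Fixed entry for `ip_reass()` misspells the bug class as "use-afte-free"; it should read "use-after-free" so that a search of the changelog for the CVE or the bug class finds it. The Changed entry for `slirp_version_string()` has a similar slip, "building form git", which should be "building from git" to match the wording of the `SLIRP_VERSION_STRING` entry under Added.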
......@@ -22,12 +31,12 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
- New API function `slirp_add_unix`: add a forward rule to a Unix socket.
- New API function `slirp_remove_guestfwd`: remove a forward rule previously
added by `slirp_add_exec`, `slirp_add_unix` or `slirp_add_guestfwd`
- New SlirpConfig.outbound_addr{,6} fields to bind output socket to a
- New `SlirpConfig.outbound_addr{,6}` fields to bind output socket to a
specific address
### Changed
- socket: do not fallback on host loopback if get_dns_addr() failed
- socket: do not fallback on host loopback if `get_dns_addr()` failed
or the address is in slirp network
### Fixed
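Review bot: in the `socket:` entry under Changed, "fallback" is used as a verb; since the line is already being rewritten to put `get_dns_addr()` in backticks, it could read "do not fall back on host loopback if `get_dns_addr()` failed". The backtick changes themselves are consistent with how `slirp_add_unix` and `slirp_remove_guestfwd` are written in the same section.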
......
......@@ -327,8 +327,7 @@ insert:
*/
q = fp->frag_link.next;
m = dtom(slirp, q);
int was_ext = m->m_flags & M_EXT;
int delta = (char *)q - (m->m_flags & M_EXT ? m->m_ext : m->m_dat);
q = (struct ipasfrag *)q->ipf_next;
while (q != (struct ipasfrag *)&fp->frag_link) {
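Review bot: the `delta` declaration stores a pointer difference in an `int` and carries no comment saying why the offset has to be captured here, before the `while` loop runs. Consider `ptrdiff_t delta` and a one-line comment stating that `q` may stop pointing into the mbuf's buffer once the loop has run, so its offset from `m_ext` or `m_dat` is recorded first. A check that `q` actually lies inside the buffer selected by the `M_EXT` test would also make the later `m->m_ext + delta` easier to reason about.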
......@@ -351,8 +350,7 @@ insert:
* then an m_ext buffer was alloced. But fp->ipq_next points to the old
* buffer (in the mbuf), so we must point ip into the new buffer.
*/
if (!was_ext && m->m_flags & M_EXT) {
int delta = (char *)q - m->m_dat;
if (m->m_flags & M_EXT) {
q = (struct ipasfrag *)(m->m_ext + delta);
}
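Review bot: the block comment above the `if (m->m_flags & M_EXT)` test still describes only the case where "an m_ext buffer was alloced" and the pointer refers to "the old buffer (in the mbuf)", but the condition now also covers an mbuf that already had `M_EXT` set before the loop. Update the comment to say that `q` is recomputed from `m->m_ext + delta` whenever the data lives in an external buffer, whether that buffer is newly allocated or was already there, so the next reader does not restore the `was_ext` test.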
......