Commit 9bd6c591 authored by Marc-André Lureau

Fix use-after-free in ip_reass() (CVE-2020-1983)

The q pointer is updated when the mbuf data is moved from m_dat to
m_ext.

m_ext buffer may also be realloc()'ed and moved during m_cat():
q should also be updated in this case.
Reported-by: Aviv Sasson <asasson@paloaltonetworks.com>
Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Reviewed-by: Samuel Thibault <samuel.thibault@ens-lyon.org>
parent b2dd0915
......@@ -327,8 +327,7 @@ insert:
*/
q = fp->frag_link.next;
m = dtom(slirp, q);
int was_ext = m->m_flags & M_EXT;
int delta = (char *)q - (m->m_flags & M_EXT ? m->m_ext : m->m_dat);
q = (struct ipasfrag *)q->ipf_next;
while (q != (struct ipasfrag *)&fp->frag_link) {
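Review bot: the offset `delta` is now taken before the `m_cat()` loop from whichever buffer currently backs the mbuf, `(m->m_flags & M_EXT ? m->m_ext : m->m_dat)`, which is the right place, since the loop is where `m_ext` can be realloc()'ed and `q` turned into a dangling pointer; a one-line comment above `int delta = ...` stating that the offset must be captured before concatenation would record why the `was_ext` snapshot was dropped. The expression relies on `&` binding tighter than `?:`, which is correct in C, but writing `((m->m_flags & M_EXT) ? m->m_ext : m->m_dat)` would spare the next reader the precedence check.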
......@@ -351,8 +350,7 @@ insert:
* then an m_ext buffer was alloced. But fp->ipq_next points to the old
* buffer (in the mbuf), so we must point ip into the new buffer.
*/
if (!was_ext && m->m_flags & M_EXT) {
int delta = (char *)q - m->m_dat;
if (m->m_flags & M_EXT) {
q = (struct ipasfrag *)(m->m_ext + delta);
}
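Review bot: the comment directly above this block still describes only the case where "an m_ext buffer was alloced" during pull-up, but the condition `if (m->m_flags & M_EXT)` now also covers an mbuf that already had an external buffer which `m_cat()` realloc()'ed and moved; the commit message explains this second case, so the code comment should say it too, otherwise a future reader may reintroduce a `was_ext`-style shortcut. When the data stayed in `m_dat`, `q` is left untouched and `delta` goes unused, which is fine because `m_dat` does not move.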