Commit 9bd6c591 authored by Marc-André Lureau

Fix use-after-free in ip_reass() (CVE-2020-1983)

The q pointer is updated when the mbuf data is moved from m_dat to
m_ext.

m_ext buffer may also be realloc()'ed and moved during m_cat():
q should also be updated in this case.

Reported-by: Aviv Sasson <asasson@paloaltonetworks.com>
Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Reviewed-by: Samuel Thibault <samuel.thibault@ens-lyon.org>
parent b2dd0915
...@@ -327,8 +327,7 @@ insert: ...@@ -327,8 +327,7 @@ insert:
*/ */
q = fp->frag_link.next; q = fp->frag_link.next;
m = dtom(slirp, q); m = dtom(slirp, q);
int delta = (char *)q - (m->m_flags & M_EXT ? m->m_ext : m->m_dat);
int was_ext = m->m_flags & M_EXT;
q = (struct ipasfrag *)q->ipf_next; q = (struct ipasfrag *)q->ipf_next;
while (q != (struct ipasfrag *)&fp->frag_link) { while (q != (struct ipasfrag *)&fp->frag_link) {
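Review bot: the correctness of this hunk rests on `int delta = (char *)q - (m->m_flags & M_EXT ? m->m_ext : m->m_dat);` being evaluated before the `while` loop that concatenates the fragments, because m_cat() may realloc() and move `m_ext`, after which the old base address is dangling; please add a one-line comment above the new `int delta` line saying it must stay ahead of any m_cat() on `m`, since a later refactor that moves it back down (where the removed `int delta = (char *)q - m->m_dat;` used to be) would silently reintroduce the use-after-free. The ternary also makes the removed `was_ext` flag unnecessary, which is a good simplification: the offset is now taken relative to whichever buffer `q` currently lives in, so the rebase later in the function works for both the m_dat-to-m_ext move and an m_ext realloc(). Minor style point: `delta` is a pointer difference stored in an `int`; `ptrdiff_t` would express the intent more precisely.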
...@@ -351,8 +350,7 @@ insert: ...@@ -351,8 +350,7 @@ insert:
* then an m_ext buffer was alloced. But fp->ipq_next points to the old * then an m_ext buffer was alloced. But fp->ipq_next points to the old
* buffer (in the mbuf), so we must point ip into the new buffer. * buffer (in the mbuf), so we must point ip into the new buffer.
*/ */
if (!was_ext && m->m_flags & M_EXT) { if (m->m_flags & M_EXT) {
int delta = (char *)q - m->m_dat;
q = (struct ipasfrag *)(m->m_ext + delta); q = (struct ipasfrag *)(m->m_ext + delta);
} }
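Review bot: the comment immediately above this hunk (`then an m_ext buffer was alloced. But fp->ipq_next points to the old buffer (in the mbuf)`) still describes only the m_dat-to-m_ext transition, but with the condition relaxed from `if (!was_ext && m->m_flags & M_EXT)` to `if (m->m_flags & M_EXT)` the rebase now also covers the case where an existing m_ext buffer was realloc()'ed and moved by m_cat(); please extend the comment to say so, otherwise a reader will wonder why the `was_ext` guard was dropped. The new condition itself is right: when M_EXT was already set before the loop, `delta` was computed against the old `m_ext` base, so `m->m_ext + delta` lands at the same fragment inside the possibly relocated buffer, and when the mbuf still uses `m_dat` no rebase is needed because that storage is inline in the mbuf and did not move.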