upd6: check udp6_input buffer size

Fixes: CVE-2021-3593 Fixes: https://gitlab.freedesktop.org/slirp/libslirp/-/issues/45 Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>

upd6: check udp6_input buffer size
de71c15d · Marc-André Lureau · 2eca0838 · de71c15d
Commit de71c15d authored 3 years ago by Marc-André Lureau
--- a/src/udp6.c
+++ b/src/udp6.c
@@ -31,7 +31,10 @@ void udp6_input(struct mbuf *m)
    ip = mtod(m, struct ip6 *);
    m->m_len -= iphlen;
    m->m_data += iphlen;
-    uh = mtod(m, struct udphdr *);
+    uh = mtod_check(m, sizeof(struct udphdr));
+    if (uh == NULL) {
+        goto bad;
+    }
    m->m_len += iphlen;
    m->m_data -= iphlen;