slirp: check pkt_len before reading protocol header

Marc-André Lureau requested to merge elmarco/libslirp:CVE-2020-29129 into master

While processing ARP/NCSI packets in 'arp_input' or 'ncsi_input' routines, ensure that pkt_len is large enough to accommodate the respective protocol headers, lest it should do an OOB access. Add check to avoid it.

CVE-2020-29129 CVE-2020-29130 QEMU: slirp: out-of-bounds access while processing ARP/NCSI packets -> https://www.openwall.com/lists/oss-security/2020/11/27/1

Reported-by: Qiuhao Li <Qiuhao.Li@outlook.com>
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
Message-Id: <20201126135706.273950-1-ppandit@redhat.com>
Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
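
The length check described in the commit message above, as an added example in C that is not libslirp's code: no ARP field is read until pkt_len covers the Ethernet header plus a full ARP header. The names ex_arp_opcode and EX_*, and the sample frame, are constructed for illustration; the 28-byte header size assumes ARP for IPv4 over Ethernet.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define EX_ETH_HLEN   14      /* dst MAC (6) + src MAC (6) + EtherType (2) */
#define EX_ARP_HLEN   28      /* ARP for IPv4 over Ethernet (assumption)   */
#define EX_ETHERTYPE_ARP 0x0806

enum { EX_ERR_SHORT = -1, EX_ERR_NOT_ARP = -2 };

/*
 * Hypothetical handler: returns the ARP opcode (1 = request, 2 = reply),
 * EX_ERR_SHORT if the frame cannot hold the headers it is about to read,
 * or EX_ERR_NOT_ARP if the EtherType is not ARP.
 */
int ex_arp_opcode(const uint8_t *pkt, size_t pkt_len)
{
    /* Step 1: the Ethernet header must be present before reading EtherType. */
    if (pkt_len < EX_ETH_HLEN)
        return EX_ERR_SHORT;

    uint16_t ethertype = (uint16_t)((pkt[12] << 8) | pkt[13]);
    if (ethertype != EX_ETHERTYPE_ARP)
        return EX_ERR_NOT_ARP;

    /* Step 2: the protocol header must fit too. Without this check a
     * 14..41 byte frame would be read past its end (out-of-bounds read). */
    if (pkt_len < EX_ETH_HLEN + EX_ARP_HLEN)
        return EX_ERR_SHORT;

    const uint8_t *arp = pkt + EX_ETH_HLEN;
    return (arp[6] << 8) | arp[7];      /* opcode sits at ARP offset 6..7 */
}

int main(void)
{
    /* Constructed sample: zeroed 42-byte frame, EtherType ARP, opcode 1. */
    uint8_t frame[EX_ETH_HLEN + EX_ARP_HLEN] = {0};
    frame[12] = 0x08; frame[13] = 0x06;
    frame[21] = 0x01;

    printf("full frame      -> %d\n", ex_arp_opcode(frame, sizeof frame));
    printf("truncated (20B) -> %d\n", ex_arp_opcode(frame, 20));
    return 0;
}
```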
