slirp: use correct size while emulating IRC commands (ce131029) · Commits · slirp / libslirp · GitLab

Due to an influx of spam, we have had to impose restrictions on new accounts. Please see this wiki page for instructions on how to get full permissions. Sorry for the inconvenience.

Commit ce131029 authored Jan 09, 2020 by Prasad J Pandit Committed by Samuel Thibault Jan 12, 2020

slirp: use correct size while emulating IRC commands



While emulating IRC DCC commands, tcp_emu() uses 'mbuf' size
'm->m_size' to write DCC commands via snprintf(3). This may
lead to OOB write access, because 'bptr' points somewhere in
the middle of 'mbuf' buffer, not at the start. Use M_FREEROOM(m)
size to avoid OOB access.

Reported-by: Vishnu Dev TJ <vishnudevtj@gmail.com>
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
Reviewed-by: Samuel Thibault <samuel.thibault@ens-lyon.org>
Message-Id: <20200109094228.79764-2-ppandit@redhat.com>

parent 3fc6296b

Hide whitespace changes

Inline Side-by-side

Marc-André Lureau 🎺 @elmarco
mentioned in commit 68ccb802
· Jan 27, 2020

mentioned in commit 68ccb802

mentioned in commit 68ccb8021a838066f0951d4b2817eb6b6f10a843

Toggle commit list

Please register or to comment