e74c0f316d
CVE-2017-7539: qemu-nbd crashes due to undefined I/O coroutine CVE-2017-11434: slirp: out-of-bounds read while parsing dhcp options CVE-2017-11334: exec: oob access during dma operation CVE-2017-10806: usb-redirect: stack buffer overflow in debug logging CVE-2017-10664: qemu-nbd: server breaks with SIGPIPE upon client abort CVE-2017-9524: nbd: segmentation fault due to client non-negotiation CVE-2017-9503: scsi: null pointer dereference while processing megasas command
36 lines
1.1 KiB
Diff
36 lines
1.1 KiB
Diff
From f3b5bdea7ea51404bbf88bea6fc8887586a423b2 Mon Sep 17 00:00:00 2001
|
|
From: Prasad J Pandit <pjp@fedoraproject.org>
|
|
Date: Mon, 17 Jul 2017 17:33:26 +0530
|
|
Subject: [PATCH 23/23] slirp: check len against dhcp options array end
|
|
|
|
While parsing dhcp options string in 'dhcp_decode', if an options'
|
|
length 'len' appeared towards the end of 'bp_vend' array, ensuing
|
|
read could lead to an OOB memory access issue. Add check to avoid it.
|
|
|
|
This is CVE-2017-11434.
|
|
|
|
Reported-by: Reno Robert <renorobert@gmail.com>
|
|
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
|
|
Signed-off-by: Samuel Thibault <samuel.thibault@ens-lyon.org>
|
|
---
|
|
slirp/bootp.c | 3 +++
|
|
1 file changed, 3 insertions(+)
|
|
|
|
diff --git a/slirp/bootp.c b/slirp/bootp.c
|
|
index 5a4646c182..5dd1a415b5 100644
|
|
--- a/slirp/bootp.c
|
|
+++ b/slirp/bootp.c
|
|
@@ -123,6 +123,9 @@ static void dhcp_decode(const struct bootp_t *bp, int *pmsg_type,
|
|
if (p >= p_end)
|
|
break;
|
|
len = *p++;
|
|
+ if (p + len > p_end) {
|
|
+ break;
|
|
+ }
|
|
DPRINTF("dhcp: tag=%d len=%d\n", tag, len);
|
|
|
|
switch(tag) {
|
|
--
|
|
2.11.0
|
|
|