slirp · 307119e7d948bcdb5918fd762153deda471e695b · Anton / libtcg

slirp: udp: fix NULL pointer dereference because of uninitialized socket

Petr Matousek authored 10 years ago

When guest sends udp packet with source port and source addr 0,
uninitialized socket is picked up when looking for matching and already
created udp sockets, and later passed to sosendto() where NULL pointer
dereference is hit during so->slirp->vnetwork_mask.s_addr access.

Fix this by checking that the socket is not just a socket stub.

This is CVE-2014-3640.

Signed-off-by: Petr Matousek <pmatouse@redhat.com>
Reported-by: Xavier Mehrenberger <xavier.mehrenberger@airbus.com>
Reported-by: Stephane Duverger <stephane.duverger@eads.net>
Reviewed-by: Jan Kiszka <jan.kiszka@siemens.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Reviewed-by: Michael Tokarev <mjt@tls.msk.ru>
Message-id: 20140918063537.GX9321@dhcp-25-225.brq.redhat.com
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>

01f7cecf

History

01f7cecf 10 years ago

History

Name	Last commit	Last update
..
COPYRIGHT
Makefile.objs
arp_table.c
bootp.c
bootp.h
cksum.c
debug.h
dnssearch.c
if.c
if.h
ip.h
ip_icmp.c
ip_icmp.h
ip_input.c
ip_output.c
libslirp.h
main.h
mbuf.c
mbuf.h
misc.c
misc.h
sbuf.c
sbuf.h
slirp.c
slirp.h
slirp_config.h
socket.c
socket.h
tcp.h
tcp_input.c
tcp_output.c
tcp_subr.c
tcp_timer.c
tcp_timer.h
tcp_var.h
tcpip.h
tftp.c
tftp.h
udp.c
udp.h