Another memory management bug in the slirp code causes qemu to crash while attempting to reassemble a fragmented IP packet. While iterating through a list of buffers, if m_cat() moves the current buffer, the pointer to the next buffer is read from an invalid location.
The attached patch simply reads the next buffer pointer before calling m_cat(). Incidentally, this is also the fix adopted in the BSD networking stack, from which slirp was originally derived. --Ed
diff -BurN qemu-snapshot-2006-03-27_23.orig/slirp/ip_input.c qemu-snapshot-2006-03-27_23/slirp/ip_input.c --- qemu-snapshot-2006-03-27_23.orig/slirp/ip_input.c 2004-04-22 00:10:47.000000000 +0000 +++ qemu-snapshot-2006-03-27_23/slirp/ip_input.c 2006-04-06 06:02:52.000000000 +0000 @@ -344,8 +344,8 @@ while (q != (struct ipasfrag *)fp) { struct mbuf *t; t = dtom(q); - m_cat(m, t); q = (struct ipasfrag *) q->ipf_next; + m_cat(m, t); } /*
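Review bot: the reordering is correct because q points into the buffer t that m_cat(m, t) consumes, so q->ipf_next has to be loaded before the call, but nothing in the hunk records that the order is load-bearing, and a later cleanup could swap the two statements back. Suggest a one-line comment above `q = (struct ipasfrag *) q->ipf_next;` such as `/* read the link before m_cat() releases t */`. Since this hunk touches only the reassembly loop at line 344, it is also worth checking that any other walk over the fragment queue in this file that pairs dtom() with m_cat() reads its next pointer first in the same way.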
_______________________________________________
Qemu-devel mailing list
Qemu-devel@nongnu.org
http://lists.nongnu.org/mailman/listinfo/qemu-devel
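As an added example, not part of the original post and not slirp's or qemu's code, the following small C model shows why the order of the two statements in the patch matters. The fragment link (`ipf_next`) lives inside the buffer it describes, `dtom()` recovers the buffer from the link, and `m_cat()` appends one buffer to another and releases the appended one; that last point is my reading of "moves the current buffer" and is an assumption about the real routine. The names `m_get_with`, `ip_reass_concat` and `reassemble_payloads` and the sample payloads are constructed for this example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Toy fragment link, embedded at the start of its buffer (circular list). */
struct ipasfrag {
    struct ipasfrag *ipf_next;
    struct ipasfrag *ipf_prev;
};

/* Toy mbuf: the link is the first member, so dtom() is a plain cast. */
struct mbuf {
    struct ipasfrag hdr;
    size_t m_len;     /* bytes of payload in m_data */
    size_t m_size;    /* bytes allocated for m_data */
    char *m_data;
};

/* dtom(): recover the buffer that holds a given fragment link. */
static struct mbuf *dtom(struct ipasfrag *q) { return (struct mbuf *)q; }

/* Allocate a buffer holding a copy of a constructed payload (NUL kept). */
static struct mbuf *m_get_with(const char *payload) {
    struct mbuf *m = calloc(1, sizeof *m);
    m->m_len = strlen(payload);
    m->m_size = m->m_len + 1;
    m->m_data = malloc(m->m_size);
    memcpy(m->m_data, payload, m->m_len + 1);
    return m;
}

/* Append n's payload to m, growing m if needed, then release n.
   Assumption for this model: after the call, n and the link inside it
   are gone, so nothing may dereference a pointer into n. */
static void m_cat(struct mbuf *m, struct mbuf *n) {
    if (m->m_size - m->m_len < n->m_len + 1) {
        m->m_size = (m->m_len + n->m_len + 1) * 2;
        m->m_data = realloc(m->m_data, m->m_size);
    }
    memcpy(m->m_data + m->m_len, n->m_data, n->m_len);
    m->m_len += n->m_len;
    m->m_data[m->m_len] = '\0';
    free(n->m_data);
    free(n);
}

/* Concatenate every fragment queued after the sentinel fp into the first
   fragment's buffer and return it (NULL if the queue is empty). Mirrors the
   patched loop: the next link is read BEFORE m_cat() consumes the buffer. */
static struct mbuf *ip_reass_concat(struct ipasfrag *fp) {
    struct ipasfrag *q = fp->ipf_next;
    if (q == fp)
        return NULL;
    struct mbuf *m = dtom(q);
    q = q->ipf_next;
    while (q != fp) {
        struct mbuf *t = dtom(q);
        /* Pre-patch order was: m_cat(m, t); q = q->ipf_next;
           which loads ipf_next from a buffer m_cat() has already released. */
        q = q->ipf_next;
        m_cat(m, t);
    }
    fp->ipf_next = fp->ipf_prev = fp;   /* queue is now empty */
    return m;
}

/* Build a circular queue from constructed payloads, reassemble it and
   return a malloc'd string with the joined payload (caller frees). */
static char *reassemble_payloads(const char *const *parts, size_t n) {
    struct ipasfrag fp = { &fp, &fp };   /* sentinel head, as in the BSD queue */
    for (size_t i = 0; i < n; i++) {
        struct mbuf *m = m_get_with(parts[i]);
        m->hdr.ipf_next = &fp;           /* insert at tail */
        m->hdr.ipf_prev = fp.ipf_prev;
        fp.ipf_prev->ipf_next = &m->hdr;
        fp.ipf_prev = &m->hdr;
    }
    struct mbuf *m = ip_reass_concat(&fp);
    if (m == NULL)
        return calloc(1, 1);             /* empty queue -> empty string */
    char *out = m->m_data;
    free(m);
    return out;
}

int main(void) {
    const char *const parts[] = { "abc", "defg", "hi", "jklmnop" };   /* constructed */
    char *joined = reassemble_payloads(parts, 4);
    printf("%s\n", joined);
    free(joined);
    return 0;
}
```

Running the toy under AddressSanitizer with the two statements in the commented-out pre-patch order reports a heap-use-after-free on the `q->ipf_next` load, which is the same class of defect the patch removes; with the patched order the walk completes and all buffers are released exactly once.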