On Thu, Sep 18, 2014 at 08:35:37AM +0200, Petr Matousek wrote:
> When guest sends udp packet with source port and source addr 0,
> uninitialized socket is picked up when looking for matching and already
> created udp sockets, and later passed to sosendto() where NULL pointer
> dereference is hit during so->slirp->vnetwork_mask.s_addr access.
>
> Fix this by checking that the socket is not just a socket stub.
>
> This is CVE-2014-3640.
>
> Signed-off-by: Petr Matousek <pmato...@redhat.com>
> Reported-by: Xavier Mehrenberger <xavier.mehrenber...@airbus.com>
> Reported-by: Stephane Duverger <stephane.duver...@eads.net>
Reviewed-by: Michael S. Tsirkin <m...@redhat.com>
> ---
> v1 -> v2
> * change the check so that it's consistent with the rest of the code
>
> slirp/udp.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/slirp/udp.c b/slirp/udp.c
> index 8cc6cb6..f77e00f 100644
> --- a/slirp/udp.c
> +++ b/slirp/udp.c
> @@ -152,7 +152,7 @@ udp_input(register struct mbuf *m, int iphlen)
> * Locate pcb for datagram.
> */
> so = slirp->udp_last_so;
> - if (so->so_lport != uh->uh_sport ||
> + if (so == &slirp->udb || so->so_lport != uh->uh_sport ||
> so->so_laddr.s_addr != ip->ip_src.s_addr) {
> struct socket *tmp;
>
> --
> 1.9.3
