qemu-e2k/slirp
Petr Matousek 01f7cecf00 slirp: udp: fix NULL pointer dereference because of uninitialized socket
When guest sends udp packet with source port and source addr 0,
uninitialized socket is picked up when looking for matching and already
created udp sockets, and later passed to sosendto() where NULL pointer
dereference is hit during so->slirp->vnetwork_mask.s_addr access.

Fix this by checking that the socket is not just a socket stub.

This is CVE-2014-3640.

Signed-off-by: Petr Matousek <pmatouse@redhat.com>
Reported-by: Xavier Mehrenberger <xavier.mehrenberger@airbus.com>
Reported-by: Stephane Duverger <stephane.duverger@eads.net>
Reviewed-by: Jan Kiszka <jan.kiszka@siemens.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Reviewed-by: Michael Tokarev <mjt@tls.msk.ru>
Message-id: 20140918063537.GX9321@dhcp-25-225.brq.redhat.com
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2014-09-23 19:15:05 +01:00
..
COPYRIGHT
Makefile.objs
arp_table.c slirp/arp: do not special-case bogus IP addresses 2014-06-09 01:49:28 +02:00
bootp.c
bootp.h
cksum.c
debug.h
dnssearch.c
if.c misc: Spelling and grammar fixes in comments 2013-10-26 13:06:45 +04:00
if.h
ip.h
ip_icmp.c
ip_icmp.h
ip_input.c
ip_output.c
libslirp.h slirp: set mainloop timeout with more precise value 2013-09-17 12:26:05 +02:00
main.h
mbuf.c
mbuf.h
misc.c slirp/misc: Use the GLib memory allocation APIs 2014-08-24 13:16:32 +04:00
misc.h slirp/misc: Use the GLib memory allocation APIs 2014-08-24 13:16:32 +04:00
sbuf.c
sbuf.h
slirp.c slirp: Remove unused zero_ethaddr[] variable 2014-06-10 19:39:34 +04:00
slirp.h slirp: Remove default_mon usage 2014-04-25 09:19:58 -04:00
slirp_config.h slirp/misc: Use the GLib memory allocation APIs 2014-08-24 13:16:32 +04:00
socket.c slirp: call socket_set_fast_reuse instead of setting SO_REUSEADDR 2013-10-02 19:20:31 +02:00
socket.h
tcp.h
tcp_input.c
tcp_output.c
tcp_subr.c slirp: call socket_set_fast_reuse instead of setting SO_REUSEADDR 2013-10-02 19:20:31 +02:00
tcp_timer.c
tcp_timer.h
tcp_var.h
tcpip.h
tftp.c Fixed various typos 2014-03-25 14:09:50 +01:00
tftp.h Increase maximum number of session of the internal TFTP server. 2014-06-24 20:01:24 +04:00
udp.c slirp: udp: fix NULL pointer dereference because of uninitialized socket 2014-09-23 19:15:05 +01:00
udp.h