01f7cecf00
When guest sends udp packet with source port and source addr 0, uninitialized socket is picked up when looking for matching and already created udp sockets, and later passed to sosendto() where NULL pointer dereference is hit during so->slirp->vnetwork_mask.s_addr access. Fix this by checking that the socket is not just a socket stub. This is CVE-2014-3640. Signed-off-by: Petr Matousek <pmatouse@redhat.com> Reported-by: Xavier Mehrenberger <xavier.mehrenberger@airbus.com> Reported-by: Stephane Duverger <stephane.duverger@eads.net> Reviewed-by: Jan Kiszka <jan.kiszka@siemens.com> Reviewed-by: Michael S. Tsirkin <mst@redhat.com> Reviewed-by: Michael Tokarev <mjt@tls.msk.ru> Message-id: 20140918063537.GX9321@dhcp-25-225.brq.redhat.com Signed-off-by: Peter Maydell <peter.maydell@linaro.org> |
||
---|---|---|
.. | ||
COPYRIGHT | ||
Makefile.objs | ||
arp_table.c | ||
bootp.c | ||
bootp.h | ||
cksum.c | ||
debug.h | ||
dnssearch.c | ||
if.c | ||
if.h | ||
ip.h | ||
ip_icmp.c | ||
ip_icmp.h | ||
ip_input.c | ||
ip_output.c | ||
libslirp.h | ||
main.h | ||
mbuf.c | ||
mbuf.h | ||
misc.c | ||
misc.h | ||
sbuf.c | ||
sbuf.h | ||
slirp.c | ||
slirp.h | ||
slirp_config.h | ||
socket.c | ||
socket.h | ||
tcp.h | ||
tcp_input.c | ||
tcp_output.c | ||
tcp_subr.c | ||
tcp_timer.c | ||
tcp_timer.h | ||
tcp_var.h | ||
tcpip.h | ||
tftp.c | ||
tftp.h | ||
udp.c | ||
udp.h |