qemu-e2k/slirp
Prasad J Pandit 413d463f43 slirp: check len against dhcp options array end
While parsing dhcp options string in 'dhcp_decode', if an options'
length 'len' appeared towards the end of 'bp_vend' array, ensuing
read could lead to an OOB memory access issue. Add check to avoid it.

This is CVE-2017-11434.

Reported-by: Reno Robert <renorobert@gmail.com>
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
Signed-off-by: Samuel Thibault <samuel.thibault@ens-lyon.org>
2017-08-03 00:26:44 +02:00
..
arp_table.c
bootp.c slirp: check len against dhcp options array end 2017-08-03 00:26:44 +02:00
bootp.h
cksum.c
COPYRIGHT
debug.h
dhcpv6.c
dhcpv6.h
dnssearch.c
if.c
if.h
ip6_icmp.c slirp: Send RDNSS in RA only if host has an IPv6 DNS server 2017-03-29 00:51:25 +02:00
ip6_icmp.h
ip6_input.c
ip6_output.c
ip6.h slirp: use DIV_ROUND_UP 2017-07-15 14:28:25 +02:00
ip_icmp.c slirp: fix pinging the virtual ipv4 DNS server 2017-04-29 18:29:58 +02:00
ip_icmp.h
ip_input.c
ip_output.c
ip.h
libslirp.h
main.h
Makefile.objs slirp: add a fake NC-SI backend 2017-04-25 19:17:25 +08:00
mbuf.c slirp: Convert mbufs to use g_malloc() and g_free() 2017-02-26 15:39:05 +01:00
mbuf.h
misc.c slirp: fork_exec(): Don't close() a negative number in fork_exec() 2017-07-15 14:28:25 +02:00
misc.h
ncsi-pkt.h slirp: add a fake NC-SI backend 2017-04-25 19:17:25 +08:00
ncsi.c slirp: add a fake NC-SI backend 2017-04-25 19:17:25 +08:00
ndp_table.c
sbuf.c slirp: Handle error returns from sosendoob() 2017-07-15 14:28:25 +02:00
sbuf.h slirp: VMStatify sbuf 2017-04-29 18:44:16 +02:00
slirp_config.h
slirp.c migration: Split registration functions from vmstate.h 2017-06-13 11:00:44 +02:00
slirp.h slirp: add a fake NC-SI backend 2017-04-25 19:17:25 +08:00
socket.c slirp: Handle error returns from sosendoob() 2017-07-15 14:28:25 +02:00
socket.h slirp: VMStatify socket level 2017-04-29 18:44:16 +02:00
tcp_input.c slirp: Fix wrong mss bug. 2017-05-27 23:34:47 +02:00
tcp_output.c
tcp_subr.c Fix total IP header length in forwarded TCP packets 2017-05-27 23:35:00 +02:00
tcp_timer.c
tcp_timer.h
tcp_var.h slirp: VMState conversion; tcpcb 2017-04-29 18:44:16 +02:00
tcp.h
tcpip.h
tftp.c slirp: tftp, copy sockaddr_size 2017-04-29 18:29:58 +02:00
tftp.h slirp: support dynamic block size for TFTP transfers 2016-12-21 00:02:15 +01:00
udp6.c
udp.c slirp: Check qemu_socket() return value in udp_listen() 2017-02-26 15:38:38 +01:00
udp.h