OpenE2K
/
qemu-e2k
13
4
Fork 0
Code Issues 4 Pull Requests Projects 2 Releases Activity
qemu-e2k/slirp
History
Petr Matousek 01f7cecf00 slirp: udp: fix NULL pointer dereference because of uninitialized socket 
When guest sends udp packet with source port and source addr 0,
uninitialized socket is picked up when looking for matching and already
created udp sockets, and later passed to sosendto() where NULL pointer
dereference is hit during so->slirp->vnetwork_mask.s_addr access.

Fix this by checking that the socket is not just a socket stub.

This is CVE-2014-3640.

Signed-off-by: Petr Matousek <pmatouse@redhat.com>
Reported-by: Xavier Mehrenberger <xavier.mehrenberger@airbus.com>
Reported-by: Stephane Duverger <stephane.duverger@eads.net>
Reviewed-by: Jan Kiszka <jan.kiszka@siemens.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Reviewed-by: Michael Tokarev <mjt@tls.msk.ru>
Message-id: 20140918063537.GX9321@dhcp-25-225.brq.redhat.com
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 		2014-09-23 19:15:05 +01:00
..
COPYRIGHT
Makefile.objs slirp: Add domain-search option to slirp's DHCP server 2012-11-15 10:27:14 +01:00
arp_table.c slirp/arp: do not special-case bogus IP addresses 2014-06-09 01:49:28 +02:00
bootp.c slirp: Add domain-search option to slirp's DHCP server 2012-11-15 10:27:14 +01:00
bootp.h janitor: add guards to headers 2012-12-19 08:31:31 +01:00
cksum.c slirp: Fix compiler warning for w64 2012-03-13 16:15:19 +01:00
debug.h
dnssearch.c slirp: Add domain-search option to slirp's DHCP server 2012-11-15 10:27:14 +01:00
if.c misc: Spelling and grammar fixes in comments 2013-10-26 13:06:45 +04:00
if.h slirp: Clean up ifs_init 2012-02-27 14:54:49 +01:00
ip.h slirp: Avoid statements without effect on Big Endian host 2012-05-28 22:31:07 +02:00
ip_icmp.c Fix comments (adress -> address, layed -> laid, wierd -> weird) 2012-12-07 12:34:11 +01:00
ip_icmp.h slirp: Fix spelling in comment (enought -> enough, insure -> ensure) 2012-10-05 14:24:37 +02:00
ip_input.c misc: move include files to include/qemu/ 2012-12-19 08:32:39 +01:00
ip_output.c slirp: Replace m_freem with m_free 2011-07-23 10:19:49 -05:00
libslirp.h slirp: set mainloop timeout with more precise value 2013-09-17 12:26:05 +02:00
main.h slirp: switch to GPollFD 2013-02-21 16:17:31 -06:00
mbuf.c slirp: Cleanup resources on instance removal 2012-03-13 14:05:49 +01:00
mbuf.h slirp: remove mbuf(m_hdr,m_dat) indirection 2013-07-19 12:52:03 +04:00
misc.c slirp/misc: Use the GLib memory allocation APIs 2014-08-24 13:16:32 +04:00
misc.h slirp/misc: Use the GLib memory allocation APIs 2014-08-24 13:16:32 +04:00
sbuf.c misc: move include files to include/qemu/ 2012-12-19 08:32:39 +01:00
sbuf.h
slirp.c slirp: Remove unused zero_ethaddr[] variable 2014-06-10 19:39:34 +04:00
slirp.h slirp: Remove default_mon usage 2014-04-25 09:19:58 -04:00
slirp_config.h slirp/misc: Use the GLib memory allocation APIs 2014-08-24 13:16:32 +04:00
socket.c slirp: call socket_set_fast_reuse instead of setting SO_REUSEADDR 2013-10-02 19:20:31 +02:00
socket.h slirp: switch to GPollFD 2013-02-21 16:17:31 -06:00
tcp.h slirp: Untangle TCPOLEN_* from TCPOPT_* 2012-05-28 13:45:33 +02:00
tcp_input.c make user networking hostfwd work with restrict=y 2013-06-19 12:44:38 +02:00
tcp_output.c slirp: Avoid redefining MAX_TCPOPTLEN 2012-05-28 22:44:27 +02:00
tcp_subr.c slirp: call socket_set_fast_reuse instead of setting SO_REUSEADDR 2013-10-02 19:20:31 +02:00
tcp_timer.c
tcp_timer.h
tcp_var.h
tcpip.h
tftp.c Fixed various typos 2014-03-25 14:09:50 +01:00
tftp.h Increase maximum number of session of the internal TFTP server. 2014-06-24 20:01:24 +04:00
udp.c slirp: udp: fix NULL pointer dereference because of uninitialized socket 2014-09-23 19:15:05 +01:00
udp.h slirp: Cleanup resources on instance removal 2012-03-13 14:05:49 +01:00