Control: tag -1 + confirmed

23.09.2014 10:54, Henri Salo wrote:
> When guest sends udp packet with source port and source addr 0,
> uninitialized socket is picked up when looking for matching and already
> created udp sockets, and later passed to sosendto() where NULL pointer
> dereference is hit during so->slirp->vnetwork_mask.s_addr access.
>
> Fix this by checking that the socket is not just a socket stub.
>
> Please see this discussion for more information:
> http://lists.nongnu.org/archive/html/qemu-devel/2014-09/msg03543.html
Yes, that's a security fix indeed, but it is, again, of a rather low impact. At max it will lead to the qemu process crashing (so a DoS), but the thing is that slirp (aka user-mode networking) in qemu should never be used for anything serious because it is very slow and has many limitations; it is a poor man's band-aid to get networking running quickly without setting up tap devices and bridges... I'll fix this for the next upload anyway.

Thanks,

/mjt
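A constructed C model of the lookup path Henri describes, added here as an illustration and not QEMU's slirp code: a socket ring whose head is a zeroed stub, plus a "last socket" cache that starts out pointing at that stub, so a datagram from address 0 and port 0 matches the stub unless the lookup refuses it. The names `udp_lookup`, `ring_add`, `classify` and `run` are assumptions of the model.

```c
#include <stddef.h>
#include <stdint.h>

/* Constructed model (not QEMU's code) of a slirp-style UDP socket ring:
 * the head "udb" is a zeroed stub with no slirp back-pointer. */
struct slirp_ctx { uint32_t vnetwork_mask; };
struct socket {
    struct socket *so_next;
    uint32_t so_laddr;        /* guest source address of the flow */
    uint16_t so_lport;        /* guest source port of the flow */
    struct slirp_ctx *slirp;  /* NULL on the stub head */
};
struct ring { struct socket udb; struct socket *udp_last_so; struct slirp_ctx ctx; };

static void ring_init(struct ring *r) {
    r->udb = (struct socket){ .so_next = &r->udb };
    r->udp_last_so = &r->udb;        /* nothing cached yet: points at the stub */
    r->ctx.vnetwork_mask = 0xffffff00u;
}

/* Insert a real, fully initialised socket after the head. */
static void ring_add(struct ring *r, struct socket *so, uint32_t laddr, uint16_t lport) {
    *so = (struct socket){ .so_next = r->udb.so_next, .so_laddr = laddr,
                           .so_lport = lport, .slirp = &r->ctx };
    r->udb.so_next = so;
}

/* Fast path through the cache, else a ring walk. With check_stub == 0 a
 * datagram from 0.0.0.0:0 matches the zeroed stub via the cache; with
 * check_stub == 1 the stub is never accepted as a match. */
static struct socket *udp_lookup(struct ring *r, uint32_t saddr, uint16_t sport, int check_stub) {
    struct socket *so = r->udp_last_so;
    if ((check_stub && so == &r->udb) || so->so_lport != sport || so->so_laddr != saddr) {
        for (so = r->udb.so_next; so != &r->udb; so = so->so_next)
            if (so->so_lport == sport && so->so_laddr == saddr) break;
        if (so == &r->udb) return NULL;   /* no matching socket */
        r->udp_last_so = so;
    }
    return so;
}

/* Stands in for sosendto(): 1 = usable socket, 0 = no match (dropped),
 * -1 = the stub was handed back (its NULL slirp pointer is what the
 * original code went on to dereference). */
static int classify(struct socket *so) {
    if (so == NULL) return 0;
    if (so->slirp == NULL) return -1;
    return 1;
}

/* Drive one datagram (saddr:sport) through the chosen variant. */
static int run(int check_stub, uint32_t saddr, uint16_t sport) {
    struct ring r; struct socket real;
    ring_init(&r);
    ring_add(&r, &real, 0x0a000205u, 5353);   /* 10.0.2.5:5353, constructed */
    return classify(udp_lookup(&r, saddr, sport, check_stub));
}
```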