On Wed, Sep 17, 2014 at 01:41:30PM +0200, Petr Matousek wrote: > When guest sends udp packet with source port and source addr 0, > uninitialized socket is picked up when looking for matching and already > created udp sockets, and later passed to sosendto() where NULL pointer > dereference is hit during so->slirp->vnetwork_mask.s_addr access. > > Fix this by checking that the socket is in initialized state. > > This is CVE-2014-3640. > > Signed-off-by: Petr Matousek <[email protected]> > Reported-by: Xavier Mehrenberger <[email protected]> > Reported-by: Stephane Duverger <[email protected]> > Reviewed-by: Michael S. Tsirkin <[email protected]>
Security bug so Cc: [email protected] > --- > slirp/udp.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/slirp/udp.c b/slirp/udp.c > index 8cc6cb6..4affcc6 100644 > --- a/slirp/udp.c > +++ b/slirp/udp.c > @@ -152,7 +152,7 @@ udp_input(register struct mbuf *m, int iphlen) > * Locate pcb for datagram. > */ > so = slirp->udp_last_so; > - if (so->so_lport != uh->uh_sport || > + if (!so->so_state || so->so_lport != uh->uh_sport || > so->so_laddr.s_addr != ip->ip_src.s_addr) { > struct socket *tmp; > > -- > 1.9.3
