From patchwork Thu Sep 18 06:35:37 2014
X-Patchwork-Submitter: Petr Matousek
X-Patchwork-Id: 390647
Date: Thu, 18 Sep 2014 08:35:37 +0200
From: Petr Matousek
To: qemu-devel@nongnu.org
Cc: Jan Kiszka, qemu-stable@nongnu.org, "Michael S. Tsirkin"
Message-ID: <20140918063537.GX9321@dhcp-25-225.brq.redhat.com>
Subject: [Qemu-devel] [PATCH v2] slirp: udp: fix NULL pointer dereference because of uninitialized socket

When guest sends udp packet with source port and source addr 0,
uninitialized socket is picked up when looking for matching and already
created udp sockets, and later passed to sosendto() where NULL pointer
dereference is hit during so->slirp->vnetwork_mask.s_addr access.

Fix this by checking that the socket is not just a socket stub.

This is CVE-2014-3640.

Signed-off-by: Petr Matousek
Reported-by: Xavier Mehrenberger
Reported-by: Stephane Duverger
Reviewed-by: Jan Kiszka
Reviewed-by: Michael S. Tsirkin
Reviewed-by: Michael Tokarev
---
v1 -> v2
* change the check so that it's consistent with the rest of the code

 slirp/udp.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/slirp/udp.c b/slirp/udp.c index 8cc6cb6..f77e00f 100644 --- a/slirp/udp.c +++ b/slirp/udp.c @@ -152,7 +152,7 @@ udp_input(register struct mbuf *m, int iphlen) * Locate pcb for datagram. */ so = slirp->udp_last_so; - if (so->so_lport != uh->uh_sport || + if (so == &slirp->udb || so->so_lport != uh->uh_sport || so->so_laddr.s_addr != ip->ip_src.s_addr) { struct socket *tmp;
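Review bot: the new `so == &slirp->udb` guard has to stay the leftmost operand of the `||`, as it is in this hunk, because the zero-filled `so_lport` and `so_laddr` of the list head are exactly what match a datagram with source port and address 0; only the short-circuit keeps the stub from being handed on to sosendto(). A one-line comment above the `if` stating that `udb` is the list head and never a usable socket would help, since `udp_last_so` otherwise reads as a plain cache of the previous match. The slow-path lookup that begins at `struct socket *tmp;` is cut off here; it should be confirmed that it walks only real entries and never assigns the head to `so`, otherwise the same stub could still be selected on that path.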
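The following is an added example, not QEMU or slirp code, that models the lookup the commit message describes: a socket list whose head `udb` is itself a zero-filled `struct socket` embedded in the stack state, and a `udp_last_so` cache that starts out pointing at that head. The field names `udb`, `udp_last_so`, `so_lport` and `so_laddr` follow the patch; the list layout and the helpers `udp_add_socket`, `lookup_udp_socket` and `socket_is_usable` are assumptions made for this demo. The `guard` parameter switches between the pre-patch comparison and the patched one, so the three `demo_*` functions show why the stub is returned before the fix, why it is not afterwards, and that the cache still serves real sockets.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example modelling the slirp UDP socket lookup; not QEMU code.
 * Names udb, udp_last_so, so_lport, so_laddr follow the patch; the list
 * layout and all helper functions are assumptions for the demo. */
struct slirp;

struct socket {
    struct socket *so_next;
    struct slirp *slirp;        /* back-pointer sosendto() needs; NULL in the head stub */
    uint16_t so_lport;
    uint32_t so_laddr;
};

struct slirp {
    struct socket udb;          /* list head embedded in the stack state: a stub, not a socket */
    struct socket *udp_last_so; /* cache of the last matched socket */
};

/* Zero-fill the stack state: the head stub therefore has port 0 / addr 0,
 * and the cache initially points at that stub. */
void slirp_init(struct slirp *s)
{
    memset(s, 0, sizeof *s);
    s->udb.so_next = &s->udb;   /* empty circular list */
    s->udp_last_so = &s->udb;
}

/* Link a real socket for (lport, laddr) at the front of the list. */
void udp_add_socket(struct slirp *s, struct socket *so, uint16_t lport, uint32_t laddr)
{
    so->slirp = s;
    so->so_lport = lport;
    so->so_laddr = laddr;
    so->so_next = s->udb.so_next;
    s->udb.so_next = so;
}

/* Mirror of the lookup in udp_input(): try the cached socket, else walk the list.
 * guard == 0 models the pre-patch condition, guard != 0 the patched one.
 * Returns NULL when no existing socket matches (the caller would create one). */
struct socket *lookup_udp_socket(struct slirp *s, uint16_t sport, uint32_t saddr, int guard)
{
    struct socket *so = s->udp_last_so;

    if ((guard && so == &s->udb) ||
        so->so_lport != sport || so->so_laddr != saddr) {
        struct socket *tmp;
        so = NULL;
        for (tmp = s->udb.so_next; tmp != &s->udb; tmp = tmp->so_next) {
            if (tmp->so_lport == sport && tmp->so_laddr == saddr) {
                so = tmp;
                break;
            }
        }
        if (so)
            s->udp_last_so = so;
    }
    return so;
}

/* What sosendto() relies on: a non-NULL socket with a stack back-pointer. */
int socket_is_usable(const struct socket *so)
{
    return so != NULL && so->slirp != NULL;
}

/* Fresh stack, first datagram from port 0 / address 0: the pre-patch check
 * matches the zero-filled head stub and returns it, although it is unusable. */
int demo_prepatch_returns_stub(void)
{
    struct slirp s;
    struct socket *so;
    slirp_init(&s);
    so = lookup_udp_socket(&s, 0, 0, 0);
    return so == &s.udb && !socket_is_usable(so);
}

/* Same datagram with the patched check: the guard forces the slow path,
 * nothing matches, and the caller gets NULL instead of the stub. */
int demo_patched_returns_null(void)
{
    struct slirp s;
    slirp_init(&s);
    return lookup_udp_socket(&s, 0, 0, 1) == NULL;
}

/* The cache still works for real sockets after the patch, and the stub is
 * never returned even once the cache has been populated. */
int demo_patched_cache_hit(void)
{
    struct slirp s;
    struct socket so;
    slirp_init(&s);
    udp_add_socket(&s, &so, 5353, 0x0a000002u);   /* constructed sample port/address */
    if (lookup_udp_socket(&s, 5353, 0x0a000002u, 1) != &so) return 0;
    if (s.udp_last_so != &so) return 0;                               /* cache updated */
    if (lookup_udp_socket(&s, 5353, 0x0a000002u, 1) != &so) return 0; /* cache hit */
    return lookup_udp_socket(&s, 0, 0, 1) == NULL;
}

int main(void)
{
    printf("pre-patch returns stub: %d\n", demo_prepatch_returns_stub());
    printf("patched returns NULL:   %d\n", demo_patched_returns_null());
    printf("patched cache hit:      %d\n", demo_patched_cache_hit());
    return 0;
}
```

The point the model makes visible is that the comparison against the cached socket is only safe if the cache can never hold the sentinel, or if the sentinel is excluded explicitly; since the cache is seeded with the head and the head's zeroed fields are valid UDP values, the explicit exclusion is the correct fix.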