Fix heap overflow in ip_reass on big packet input

When the first fragment does not fit in the preallocated buffer, q will already be pointing to the ext buffer, so we mustn't try to update it. Fixes CVE-2019-14378 Signed-off-by: Samuel Thibault <[email protected]> Signed-off-by: Samuel Ortiz <[email protected]>
intel · Aug 27, 2019 · 7e323b6 · 7e323b6
1 parent 3d0dc89
commit 7e323b6
Showing 1 changed file with 3 additions and 1 deletion.
diff --git a/slirp/src/ip_input.c b/slirp/src/ip_input.c
@@ -331,6 +331,8 @@ ip_reass(Slirp *slirp, struct ip *ip, struct ipq *fp)
     q = fp->frag_link.next;
 	m = dtom(slirp, q);
 
+        int was_ext = m->m_flags & M_EXT;
+
 	q = (struct ipasfrag *) q->ipf_next;
 	while (q != (struct ipasfrag*)&fp->frag_link) {
 	  struct mbuf *t = dtom(slirp, q);
@@ -353,7 +355,7 @@ ip_reass(Slirp *slirp, struct ip *ip, struct ipq *fp)
 	 * the old buffer (in the mbuf), so we must point ip
 	 * into the new buffer.
 	 */
-	if (m->m_flags & M_EXT) {
+        if (!was_ext && m->m_flags & M_EXT) {
 	  int delta = (char *)q - m->m_dat;
 	  q = (struct ipasfrag *)(m->m_ext + delta);
 	}