diff options
Diffstat (limited to 'app-emulation/qemu/files/qemu-2.9.0-CVE-2017-11434.patch')
-rw-r--r-- | app-emulation/qemu/files/qemu-2.9.0-CVE-2017-11434.patch | 29 |
1 files changed, 29 insertions, 0 deletions
diff --git a/app-emulation/qemu/files/qemu-2.9.0-CVE-2017-11434.patch b/app-emulation/qemu/files/qemu-2.9.0-CVE-2017-11434.patch new file mode 100644 index 000000000000..5d32067c7a05 --- /dev/null +++ b/app-emulation/qemu/files/qemu-2.9.0-CVE-2017-11434.patch @@ -0,0 +1,29 @@ +[Qemu-devel] [PATCH] slirp: check len against dhcp options array end +From: Prasad J Pandit <address@hidden> + +While parsing dhcp options string in 'dhcp_decode', if an options' +length 'len' appeared towards the end of 'bp_vend' array, ensuing +read could lead to an OOB memory access issue. Add check to avoid it. + +Reported-by: Reno Robert <address@hidden> +Signed-off-by: Prasad J Pandit <address@hidden> +--- + slirp/bootp.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/slirp/bootp.c b/slirp/bootp.c +index 5a4646c..5dd1a41 100644 +--- a/slirp/bootp.c ++++ b/slirp/bootp.c +@@ -123,6 +123,9 @@ static void dhcp_decode(const struct bootp_t *bp, int *pmsg_type, + if (p >= p_end) + break; + len = *p++; ++ if (p + len > p_end) { ++ break; ++ } + DPRINTF("dhcp: tag=%d len=%d\n", tag, len); + + switch(tag) { +-- +2.9.4 |