summaryrefslogtreecommitdiff
path: root/app-emulation/qemu/files/qemu-2.9.0-CVE-2017-11434.patch
diff options
context:
space:
mode:
Diffstat (limited to 'app-emulation/qemu/files/qemu-2.9.0-CVE-2017-11434.patch')
-rw-r--r--app-emulation/qemu/files/qemu-2.9.0-CVE-2017-11434.patch29
1 files changed, 29 insertions, 0 deletions
diff --git a/app-emulation/qemu/files/qemu-2.9.0-CVE-2017-11434.patch b/app-emulation/qemu/files/qemu-2.9.0-CVE-2017-11434.patch
new file mode 100644
index 000000000000..5d32067c7a05
--- /dev/null
+++ b/app-emulation/qemu/files/qemu-2.9.0-CVE-2017-11434.patch
@@ -0,0 +1,29 @@
+[Qemu-devel] [PATCH] slirp: check len against dhcp options array end
+From: Prasad J Pandit <address@hidden>
+
+While parsing dhcp options string in 'dhcp_decode', if an options'
+length 'len' appeared towards the end of 'bp_vend' array, ensuing
+read could lead to an OOB memory access issue. Add check to avoid it.
+
+Reported-by: Reno Robert <address@hidden>
+Signed-off-by: Prasad J Pandit <address@hidden>
+---
+ slirp/bootp.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/slirp/bootp.c b/slirp/bootp.c
+index 5a4646c..5dd1a41 100644
+--- a/slirp/bootp.c
++++ b/slirp/bootp.c
+@@ -123,6 +123,9 @@ static void dhcp_decode(const struct bootp_t *bp, int *pmsg_type,
+ if (p >= p_end)
+ break;
+ len = *p++;
++ if (p + len > p_end) {
++ break;
++ }
+ DPRINTF("dhcp: tag=%d len=%d\n", tag, len);
+
+ switch(tag) {
+--
+2.9.4
generated by cgit v1.2.3 (git 2.25.1) at 2024-07-09 00:41:26 +0000