Google Git
Sign in
fuchsia / third_party / qemu / 9efdbc0224a0edb05e109ad8e1f127b5ac004191
commit9efdbc0224a0edb05e109ad8e1f127b5ac004191[log] [tgz]
authorMichael Roth <mdroth@linux.vnet.ibm.com>Tue Sep 24 12:18:07 2019 -0500
committerMichael Roth <mdroth@linux.vnet.ibm.com>Tue Oct 01 17:00:56 2019 -0500
tree59bb752a81ef735516ad8e71b2b5a4edb4e20481
parent28c1dde9aa2a22724f81134035959d1a33a57690 [diff]
slrip: ip_reass: Fix use after free

Using ip_deq after m_free might read pointers from an allocation reuse.

This would be difficult to exploit, but that is still related with
CVE-2019-14378 which generates fragmented IP packets that would trigger this
issue and at least produce a DoS.

Signed-off-by: Samuel Thibault <samuel.thibault@ens-lyon.org>
(from libslirp.git commit c59279437eda91841b9d26079c70b8a540d41204)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
1 file changed
tree: 59bb752a81ef735516ad8e71b2b5a4edb4e20481
  1. accel/
  2. audio/
  3. backends/
  4. block/
  5. bsd-user/
  6. chardev/
  7. contrib/
  8. crypto/
  9. default-configs/
  10. disas/
  11. docs/
  12. fpu/
  13. fsdev/
  14. gdb-xml/
  15. hw/
  16. include/
  17. io/
  18. libdecnumber/
  19. linux-headers/
  20. linux-user/
  21. migration/
  22. nbd/
  23. net/
  24. pc-bios/
  25. po/
  26. qapi/
  27. qga/
  28. qobject/
  29. qom/
  30. replay/
  31. roms/
  32. scripts/
  33. scsi/
  34. slirp/
  35. stubs/
  36. target/
  37. tcg/
  38. tests/
  39. trace/
  40. ui/
  41. util/
  42. capstone
  43. dtc
  44. .dir-locals.el
  45. .editorconfig
  46. .exrc
  47. .gdbinit
  48. .gitignore
  49. .gitmodules
  50. .gitpublish
  51. .mailmap
  52. .shippable.yml
  53. .travis.yml
  54. arch_init.c
  55. balloon.c
  56. block.c
  57. blockdev-nbd.c
  58. blockdev.c
  59. blockjob.c
  60. bootdevice.c
  61. bt-host.c
  62. bt-vhci.c
  63. Changelog
  64. CODING_STYLE
  65. configure
  66. COPYING
  67. COPYING.LIB
  68. cpus-common.c
  69. cpus.c
  70. device-hotplug.c
  71. device_tree.c
  72. disas.c
  73. dma-helpers.c
  74. dump.c
  75. exec.c
  76. gdbstub.c
  77. HACKING
  78. hmp-commands-info.hx
  79. hmp-commands.hx
  80. hmp.c
  81. hmp.h
  82. ioport.c
  83. iothread.c
  84. job-qmp.c
  85. job.c
  86. LICENSE
  87. MAINTAINERS
  88. Makefile
  89. Makefile.objs
  90. Makefile.target
  91. memory.c
  92. memory_ldst.inc.c
  93. memory_mapping.c
  94. module-common.c
  95. monitor.c
  96. numa.c
  97. os-posix.c
  98. os-win32.c
  99. qdev-monitor.c
  100. qdict-test-data.txt
  101. qemu-bridge-helper.c
  102. qemu-deprecated.texi
  103. qemu-doc.texi
  104. qemu-edid.c
  105. qemu-ga.texi
  106. qemu-img-cmds.hx
  107. qemu-img.c
  108. qemu-img.texi
  109. qemu-io-cmds.c
  110. qemu-io.c
  111. qemu-keymap.c
  112. qemu-nbd.c
  113. qemu-nbd.texi
  114. qemu-option-trace.texi
  115. qemu-options-wrapper.h
  116. qemu-options.h
  117. qemu-options.hx
  118. qemu-seccomp.c
  119. qemu-tech.texi
  120. qemu.nsi
  121. qemu.sasl
  122. qmp.c
  123. qtest.c
  124. README
  125. replication.c
  126. replication.h
  127. rules.mak
  128. thunk.c
  129. tpm.c
  130. trace-events
  131. VERSION
  132. version.rc
  133. vl.c
  134. win_dump.c
  135. win_dump.h