slirp: fix CVE 2007-5729

The emulated network cards in QEMU allows local users to execute arbitrary code by writing Ethernet frames with a size larger than the slirp's default MTU, which triggers a heap-based buffer overflow in the slirp library. Signed-off-by: Aurelien Jarno <aurelien@aurel32.net> git-svn-id: svn://svn.savannah.nongnu.org/qemu/trunk@5920 c046a42c-6fe2-441c-8c8c-71466251a162
author: aurel32 <aurel32@c046a42c-6fe2-441c-8c8c-71466251a162> 2008-12-07 18:15:23 +0000
committer: aurel32 <aurel32@c046a42c-6fe2-441c-8c8c-71466251a162> 2008-12-07 18:15:23 +0000
commit: 70d0b0571226dc772a6e9454fc33803a5942ee01 (patch)
tree: 1581368764d44d56922b384787971b36f1dd1494 /slirp
parent: 5391a403b61f041db9fe7c630e3a2518914bb5b1 (diff)
download: qemu-70d0b0571226dc772a6e9454fc33803a5942ee01.tar.gz
qemu-70d0b0571226dc772a6e9454fc33803a5942ee01.tar.bz2
qemu-70d0b0571226dc772a6e9454fc33803a5942ee01.zip
1 files changed, 3 insertions, 0 deletions
diff --git a/slirp/slirp.c b/slirp/slirp.c
index de4b4806f4..17b40e249a 100644
--- a/slirp/slirp.c
+++ b/slirp/slirp.c
@@ -654,6 +654,9 @@ void slirp_input(const uint8_t *pkt, int pkt_len)
         if (!m)
             return;
         /* Note: we add to align the IP header */
+        if (M_FREEROOM(m) < pkt_len + 2) {
+            m_inc(m, pkt_len + 2);
+        }
         m->m_len = pkt_len + 2;
         memcpy(m->m_data + 2, pkt, pkt_len);
author	aurel32 <aurel32@c046a42c-6fe2-441c-8c8c-71466251a162>	2008-12-07 18:15:23 +0000
committer	aurel32 <aurel32@c046a42c-6fe2-441c-8c8c-71466251a162>	2008-12-07 18:15:23 +0000
commit	70d0b0571226dc772a6e9454fc33803a5942ee01 (patch)
tree	1581368764d44d56922b384787971b36f1dd1494 /slirp
parent	5391a403b61f041db9fe7c630e3a2518914bb5b1 (diff)
download	qemu-70d0b0571226dc772a6e9454fc33803a5942ee01.tar.gz qemu-70d0b0571226dc772a6e9454fc33803a5942ee01.tar.bz2 qemu-70d0b0571226dc772a6e9454fc33803a5942ee01.zip