git.ipfire.org Git - thirdparty/qemu.git/commit
slirp: ip_reass: Fix use after free
author Michael Roth <mdroth@linux.vnet.ibm.com>
Tue, 24 Sep 2019 21:04:04 +0000 (16:04 -0500)
committer Michael Roth <mdroth@linux.vnet.ibm.com>
Wed, 2 Oct 2019 00:14:07 +0000 (19:14 -0500)
commit b27192be13da3fb59f51185d9a1f944b3474b2fc
tree 75c7bec0a04f889ca41a47eb201a0507e6e869e7
parent c2e03e2aa42d0f4f41deb08c2655503835840afa
slirp: ip_reass: Fix use after free

Using ip_deq after m_free might read pointers from an allocation reuse.

This would be difficult to exploit, but that is still related to
CVE-2019-14378 which generates fragmented IP packets that would trigger this
issue and at least produce a DoS.

Signed-off-by: Samuel Thibault <samuel.thibault@ens-lyon.org>
(from libslirp.git commit c59279437eda91841b9d26079c70b8a540d41204)
Fixes: CVE-2019-15890
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
slirp/src/ip_input.c
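
The ordering problem the commit message describes, modelled as an added example; this is not code from QEMU or libslirp. `struct frag`, `frag_free`, `frag_deq`, the poison node and the three-entry queue are hypothetical stand-ins, and unlinking before freeing is this example's assumption about a safe order.

```c
#include <stdbool.h>

/* Hypothetical fragment-queue node; a model, not libslirp's structures. */
struct frag { struct frag *next, *prev; bool live; };
static struct frag head, poison, pool[3];

/* Stand-in for freeing: a reused allocation overwrites the old links,
 * modelled here by pointing them at a poison node. */
static void frag_free(struct frag *f) {
    f->next = f->prev = &poison;
    f->live = false;
}

/* Unlink f from the circular queue using f's own link pointers. */
static void frag_deq(struct frag *f) {
    f->prev->next = f->next;
    f->next->prev = f->prev;
}

/* Rebuild the queue head <-> pool[0] <-> pool[1] <-> pool[2] <-> head. */
static void build(void) {
    struct frag *prev = &head;
    poison = (struct frag){ &poison, &poison, false };
    head.live = true;
    for (int i = 0; i < 3; i++) {
        pool[i] = (struct frag){ &head, prev, true }; /* next fixed on next pass */
        prev->next = &pool[i];
        prev = &pool[i];
    }
    head.prev = prev;
}

/* True if walking the queue reaches a node that was already freed. */
static bool queue_reaches_freed(void) {
    struct frag *n = head.next;
    for (int steps = 0; n != &head && steps < 8; steps++, n = n->next)
        if (!n->live) return true;
    return false;
}

/* Drop pool[1] in the chosen order; report whether the queue is damaged. */
bool drop_middle(bool deq_before_free) {
    build();
    if (deq_before_free) { frag_deq(&pool[1]); frag_free(&pool[1]); }
    else                 { frag_free(&pool[1]); frag_deq(&pool[1]); }
    return queue_reaches_freed();
}

int main(void) { return (drop_middle(false) && !drop_middle(true)) ? 0 : 1; }
```

With free-then-dequeue, the unlink follows the overwritten pointers, so the neighbours are never updated and the queue still leads to the freed node.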