slirp: Fix heap overflow in ip_reass on big packet input

When the first fragment does not fit in the preallocated buffer, q will
already be pointing to the ext buffer, so we mustn't try to update it.

Signed-off-by: Samuel Thibault <samuel.thibault@ens-lyon.org>
(from libslirp.git commit 126c04acbabd7ad32c2b018fe10dfac2a3bc1210)
(from libslirp.git commit e0be80430c390bce181ea04dfcdd6ea3dfa97de1)
*squash in e0be80 (clarifying comments)
Fixes: CVE-2019-14378
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>

diff --git a/slirp/src/ip_input.c b/slirp/src/ip_input.c
index a714fecd58c60e61762e884fc386c3882ed544b1..68a99de5b5dafbcc0998ffc8ecf3421da0dd5a49 100644 (file)
--- a/slirp/src/ip_input.c
+++ b/slirp/src/ip_input.c
@@ -331,6 +331,8 @@ insert:
     q = fp->frag_link.next;
        m = dtom(slirp, q);
 
+       int was_ext = m->m_flags & M_EXT;
+
        q = (struct ipasfrag *) q->ipf_next;
        while (q != (struct ipasfrag*)&fp->frag_link) {
          struct mbuf *t = dtom(slirp, q);
@@ -347,13 +349,12 @@ insert:
        q = fp->frag_link.next;
 
        /*
-        * If the fragments concatenated to an mbuf that's
-        * bigger than the total size of the fragment, then and
-        * m_ext buffer was alloced. But fp->ipq_next points to
-        * the old buffer (in the mbuf), so we must point ip
-        * into the new buffer.
+        * If the fragments concatenated to an mbuf that's bigger than the total
+        * size of the fragment and the mbuf was not already using an m_ext buffer,
+        * then an m_ext buffer was alloced. But fp->ipq_next points to the old
+        * buffer (in the mbuf), so we must point ip into the new buffer.
         */
-       if (m->m_flags & M_EXT) {
+       if (!was_ext && m->m_flags & M_EXT) {
          int delta = (char *)q - m->m_dat;
          q = (struct ipasfrag *)(m->m_ext + delta);
        }