slirp: Fix heap overflow in ip_reass on big packet input

When the first fragment does not fit in the preallocated buffer, q will already be pointing to the ext buffer, so we mustn't try to update it. Signed-off-by: Samuel Thibault <samuel.thibault@ens-lyon.org> (from libslirp.git commit 126c04acbabd7ad32c2b018fe10dfac2a3bc1210) (from libslirp.git commit e0be80430c390bce181ea04dfcdd6ea3dfa97de1) *squash in e0be80 (clarifying comments) Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
qemu · Oct 1, 2019 · 28c1dde · 28c1dde
1 parent ab630a0
commit 28c1dde
Showing 1 changed file with 7 additions and 6 deletions.
diff --git a/slirp/ip_input.c b/slirp/ip_input.c
@@ -334,6 +334,8 @@ ip_reass(Slirp *slirp, struct ip *ip, struct ipq *fp)
     q = fp->frag_link.next;
 	m = dtom(slirp, q);
 
+	int was_ext = m->m_flags & M_EXT;
+
 	q = (struct ipasfrag *) q->ipf_next;
 	while (q != (struct ipasfrag*)&fp->frag_link) {
 	  struct mbuf *t = dtom(slirp, q);
@@ -350,13 +352,12 @@ ip_reass(Slirp *slirp, struct ip *ip, struct ipq *fp)
 	q = fp->frag_link.next;
 
 	/*
-	 * If the fragments concatenated to an mbuf that's
-	 * bigger than the total size of the fragment, then and
-	 * m_ext buffer was alloced. But fp->ipq_next points to
-	 * the old buffer (in the mbuf), so we must point ip
-	 * into the new buffer.
+	 * If the fragments concatenated to an mbuf that's bigger than the total
+	 * size of the fragment and the mbuf was not already using an m_ext buffer,
+	 * then an m_ext buffer was alloced. But fp->ipq_next points to the old
+	 * buffer (in the mbuf), so we must point ip into the new buffer.
 	 */
-	if (m->m_flags & M_EXT) {
+	if (!was_ext && m->m_flags & M_EXT) {
 	  int delta = (char *)q - m->m_dat;
 	  q = (struct ipasfrag *)(m->m_ext + delta);
 	}