commit de71c15de66ba9350bf62c45b05f8fbff166517b
author Marc-André Lureau <marcandre.lureau@redhat.com> Fri Jun 04 16:32:55 2021 +0400
committer Marc-André Lureau <marcandre.lureau@redhat.com> Mon Jun 14 11:42:26 2021 +0400
tree df95b41743781871875cf27dda3ff4c2f3bb8cad
parent 2eca0838eee1da96204545e22cdaed860d9d7c6c

upd6: check udp6_input buffer size

Fixes: CVE-2021-3593
Fixes: https://gitlab.freedesktop.org/slirp/libslirp/-/issues/45

Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>

src/udp6.c

diff --git a/src/udp6.c b/src/udp6.c
index 18ce998..efeac5c 100644
--- a/src/udp6.c
+++ b/src/udp6.c
@@ -31,7 +31,10 @@
     ip = mtod(m, struct ip6 *);
     m->m_len -= iphlen;
     m->m_data += iphlen;
-    uh = mtod(m, struct udphdr *);
+    uh = mtod_check(m, sizeof(struct udphdr));
+    if (uh == NULL) {
+        goto bad;
+    }
     m->m_len += iphlen;
     m->m_data -= iphlen;