Google Git
Sign in
qemu / libslirp / refs/tags/v2.10.0-rc2
tag7c49661736224f2b542142ae901939c743f07ade
taggerPeter Maydell <peter.maydell@linaro.org>Tue Aug 08 19:07:46 2017 +0100
object27731580d379716f2a0b4ea7d27486dd9c29198a 
v2.10.0-rc2 release
commit27731580d379716f2a0b4ea7d27486dd9c29198a[log] [tgz]
authorPrasad J Pandit <pjp@fedoraproject.org>Mon Jul 17 17:33:26 2017 +0530
committerSamuel Thibault <samuel.thibault@ens-lyon.org>Thu Aug 03 00:26:44 2017 +0200
tree54d4b78d60bf75b605b10a07dd108bac4514264e
parentdb0dd60b8c8de91ef3f6d66a2d0c2b62ab94c400 [diff]
slirp: check len against dhcp options array end

While parsing dhcp options string in 'dhcp_decode', if an options'
length 'len' appeared towards the end of 'bp_vend' array, ensuing
read could lead to an OOB memory access issue. Add check to avoid it.

This is CVE-2017-11434.

Reported-by: Reno Robert <renorobert@gmail.com>
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
Signed-off-by: Samuel Thibault <samuel.thibault@ens-lyon.org>
1 file changed
tree: 54d4b78d60bf75b605b10a07dd108bac4514264e
  1. arp_table.c
  2. bootp.c
  3. bootp.h
  4. cksum.c
  5. COPYRIGHT
  6. debug.h
  7. dhcpv6.c
  8. dhcpv6.h
  9. dnssearch.c
  10. if.c
  11. if.h
  12. ip.h
  13. ip6.h
  14. ip6_icmp.c
  15. ip6_icmp.h
  16. ip6_input.c
  17. ip6_output.c
  18. ip_icmp.c
  19. ip_icmp.h
  20. ip_input.c
  21. ip_output.c
  22. libslirp.h
  23. main.h
  24. Makefile.objs
  25. mbuf.c
  26. mbuf.h
  27. misc.c
  28. misc.h
  29. ncsi-pkt.h
  30. ncsi.c
  31. ndp_table.c
  32. sbuf.c
  33. sbuf.h
  34. slirp.c
  35. slirp.h
  36. slirp_config.h
  37. socket.c
  38. socket.h
  39. tcp.h
  40. tcp_input.c
  41. tcp_output.c
  42. tcp_subr.c
  43. tcp_timer.c
  44. tcp_timer.h
  45. tcp_var.h
  46. tcpip.h
  47. tftp.c
  48. tftp.h
  49. udp.c
  50. udp.h
  51. udp6.c