qemu/slirp
Petr Matousek 01f7cecf00 slirp: udp: fix NULL pointer dereference because of uninitialized socket
When guest sends udp packet with source port and source addr 0,
uninitialized socket is picked up when looking for matching and already
created udp sockets, and later passed to sosendto() where NULL pointer
dereference is hit during so->slirp->vnetwork_mask.s_addr access.

Fix this by checking that the socket is not just a socket stub.

This is CVE-2014-3640.

Signed-off-by: Petr Matousek <pmatouse@redhat.com>
Reported-by: Xavier Mehrenberger <xavier.mehrenberger@airbus.com>
Reported-by: Stephane Duverger <stephane.duverger@eads.net>
Reviewed-by: Jan Kiszka <jan.kiszka@siemens.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Reviewed-by: Michael Tokarev <mjt@tls.msk.ru>
Message-id: 20140918063537.GX9321@dhcp-25-225.brq.redhat.com
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2014-09-23 19:15:05 +01:00
..
arp_table.c slirp/arp: do not special-case bogus IP addresses 2014-06-09 01:49:28 +02:00
bootp.c slirp: Add domain-search option to slirp's DHCP server 2012-11-15 10:27:14 +01:00
bootp.h janitor: add guards to headers 2012-12-19 08:31:31 +01:00
cksum.c slirp: Fix compiler warning for w64 2012-03-13 16:15:19 +01:00
COPYRIGHT Remove the advertising clause from the slirp license 2009-01-26 19:37:41 +00:00
debug.h slirp: Cleanup and basic reanimation of debug code 2009-06-29 08:52:46 -05:00
dnssearch.c slirp: Add domain-search option to slirp's DHCP server 2012-11-15 10:27:14 +01:00
if.c misc: Spelling and grammar fixes in comments 2013-10-26 13:06:45 +04:00
if.h slirp: Clean up ifs_init 2012-02-27 14:54:49 +01:00
ip.h slirp: Avoid statements without effect on Big Endian host 2012-05-28 22:31:07 +02:00
ip_icmp.c Fix comments (adress -> address, layed -> laid, wierd -> weird) 2012-12-07 12:34:11 +01:00
ip_icmp.h slirp: Fix spelling in comment (enought -> enough, insure -> ensure) 2012-10-05 14:24:37 +02:00
ip_input.c misc: move include files to include/qemu/ 2012-12-19 08:32:39 +01:00
ip_output.c slirp: Replace m_freem with m_free 2011-07-23 10:19:49 -05:00
libslirp.h slirp: set mainloop timeout with more precise value 2013-09-17 12:26:05 +02:00
main.h slirp: switch to GPollFD 2013-02-21 16:17:31 -06:00
Makefile.objs slirp: Add domain-search option to slirp's DHCP server 2012-11-15 10:27:14 +01:00
mbuf.c slirp: Cleanup resources on instance removal 2012-03-13 14:05:49 +01:00
mbuf.h slirp: remove mbuf(m_hdr,m_dat) indirection 2013-07-19 12:52:03 +04:00
misc.c slirp/misc: Use the GLib memory allocation APIs 2014-08-24 13:16:32 +04:00
misc.h slirp/misc: Use the GLib memory allocation APIs 2014-08-24 13:16:32 +04:00
sbuf.c misc: move include files to include/qemu/ 2012-12-19 08:32:39 +01:00
sbuf.h Fix breakage by obsolete _P() for good 2009-07-01 19:11:17 +00:00
slirp.c slirp: Remove unused zero_ethaddr[] variable 2014-06-10 19:39:34 +04:00
slirp.h slirp: Remove default_mon usage 2014-04-25 09:19:58 -04:00
slirp_config.h slirp/misc: Use the GLib memory allocation APIs 2014-08-24 13:16:32 +04:00
socket.c slirp: call socket_set_fast_reuse instead of setting SO_REUSEADDR 2013-10-02 19:20:31 +02:00
socket.h slirp: switch to GPollFD 2013-02-21 16:17:31 -06:00
tcp.h slirp: Untangle TCPOLEN_* from TCPOPT_* 2012-05-28 13:45:33 +02:00
tcp_input.c make user networking hostfwd work with restrict=y 2013-06-19 12:44:38 +02:00
tcp_output.c slirp: Avoid redefining MAX_TCPOPTLEN 2012-05-28 22:44:27 +02:00
tcp_subr.c slirp: call socket_set_fast_reuse instead of setting SO_REUSEADDR 2013-10-02 19:20:31 +02:00
tcp_timer.c More NULL pointer fixes 2009-08-01 10:13:20 +00:00
tcp_timer.h Fix breakage by obsolete _P() for good 2009-07-01 19:11:17 +00:00
tcp_var.h slirp: Replace u_int8_t, u_int16_t, u_int32_t, u_int64_t by standard int types 2010-07-25 16:59:41 +02:00
tcpip.h Remove the advertising clause from the slirp license 2009-01-26 19:37:41 +00:00
tftp.c Fixed various typos 2014-03-25 14:09:50 +01:00
tftp.h Increase maximum number of session of the internal TFTP server. 2014-06-24 20:01:24 +04:00
udp.c slirp: udp: fix NULL pointer dereference because of uninitialized socket 2014-09-23 19:15:05 +01:00
udp.h slirp: Cleanup resources on instance removal 2012-03-13 14:05:49 +01:00