slirp: correct size computation while concatenating mbuf

While reassembling incoming fragmented datagrams, 'm_cat' routine
extends the 'mbuf' buffer, if it has insufficient room. It computes
a wrong buffer size, which leads to overwriting adjacent heap buffer
area. Correct this size computation in m_cat.

Reported-by: ZDI Disclosures <zdi-disclosures@trendmicro.com>
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
Signed-off-by: Samuel Thibault <samuel.thibault@ens-lyon.org>
This commit is contained in:
Prasad J Pandit 2018-06-05 23:38:35 +05:30 committed by Samuel Thibault
parent 3835c310bd
commit 864036e251
2 changed files with 8 additions and 11 deletions

View File

@ -138,7 +138,7 @@ m_cat(struct mbuf *m, struct mbuf *n)
* If there's no room, realloc * If there's no room, realloc
*/ */
if (M_FREEROOM(m) < n->m_len) if (M_FREEROOM(m) < n->m_len)
m_inc(m,m->m_size+MINCSIZE); m_inc(m, m->m_len + n->m_len);
memcpy(m->m_data+m->m_len, n->m_data, n->m_len); memcpy(m->m_data+m->m_len, n->m_data, n->m_len);
m->m_len += n->m_len; m->m_len += n->m_len;
@ -147,7 +147,7 @@ m_cat(struct mbuf *m, struct mbuf *n)
} }
/* make m size bytes large */ /* make m 'size' bytes large from m_data */
void void
m_inc(struct mbuf *m, int size) m_inc(struct mbuf *m, int size)
{ {
@ -158,12 +158,12 @@ m_inc(struct mbuf *m, int size)
if (m->m_flags & M_EXT) { if (m->m_flags & M_EXT) {
datasize = m->m_data - m->m_ext; datasize = m->m_data - m->m_ext;
m->m_ext = g_realloc(m->m_ext, size); m->m_ext = g_realloc(m->m_ext, size + datasize);
m->m_data = m->m_ext + datasize; m->m_data = m->m_ext + datasize;
} else { } else {
char *dat; char *dat;
datasize = m->m_data - m->m_dat; datasize = m->m_data - m->m_dat;
dat = g_malloc(size); dat = g_malloc(size + datasize);
memcpy(dat, m->m_dat, m->m_size); memcpy(dat, m->m_dat, m->m_size);
m->m_ext = dat; m->m_ext = dat;
@ -171,8 +171,7 @@ m_inc(struct mbuf *m, int size)
m->m_flags |= M_EXT; m->m_flags |= M_EXT;
} }
m->m_size = size; m->m_size = size + datasize;
} }

View File

@ -33,8 +33,6 @@
#ifndef MBUF_H #ifndef MBUF_H
#define MBUF_H #define MBUF_H
#define MINCSIZE 4096 /* Amount to increase mbuf if too small */
/* /*
* Macros for type conversion * Macros for type conversion
* mtod(m,t) - convert mbuf pointer to data pointer of correct type * mtod(m,t) - convert mbuf pointer to data pointer of correct type
@ -72,11 +70,11 @@ struct mbuf {
struct mbuf *m_prevpkt; /* Flags aren't used in the output queue */ struct mbuf *m_prevpkt; /* Flags aren't used in the output queue */
int m_flags; /* Misc flags */ int m_flags; /* Misc flags */
int m_size; /* Size of data */ int m_size; /* Size of mbuf, from m_dat or m_ext */
struct socket *m_so; struct socket *m_so;
caddr_t m_data; /* Location of data */ caddr_t m_data; /* Current location of data */
int m_len; /* Amount of data in this mbuf */ int m_len; /* Amount of data in this mbuf, from m_data */
Slirp *slirp; Slirp *slirp;
bool resolution_requested; bool resolution_requested;