qemu/slirp at 70d8d9a0c9bc599d8ae99dd65ff8535adb2acdfc - qemu

History

Prasad J Pandit 413d463f43 slirp: check len against dhcp options array end

While parsing dhcp options string in 'dhcp_decode', if an options'
length 'len' appeared towards the end of 'bp_vend' array, ensuing
read could lead to an OOB memory access issue. Add check to avoid it.

This is CVE-2017-11434.

Reported-by: Reno Robert <renorobert@gmail.com>
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
Signed-off-by: Samuel Thibault <samuel.thibault@ens-lyon.org>

2017-08-03 00:26:44 +02:00

arp_table.c

…

bootp.c

slirp: check len against dhcp options array end

2017-08-03 00:26:44 +02:00

bootp.h

…

cksum.c

…

debug.h

…

dhcpv6.c

…

dhcpv6.h

…

dnssearch.c

…

if.c

…

if.h

…

ip6_icmp.c

slirp: Send RDNSS in RA only if host has an IPv6 DNS server

2017-03-29 00:51:25 +02:00

ip6_icmp.h

…

ip6_input.c

…

ip6_output.c

…

ip6.h

slirp: use DIV_ROUND_UP

2017-07-15 14:28:25 +02:00

ip_icmp.c

slirp: fix pinging the virtual ipv4 DNS server

2017-04-29 18:29:58 +02:00

ip_icmp.h

…

ip_input.c

…

ip_output.c

…

ip.h

…

libslirp.h

…

main.h

…

Makefile.objs

slirp: add a fake NC-SI backend

2017-04-25 19:17:25 +08:00

mbuf.c

slirp: Convert mbufs to use g_malloc() and g_free()

2017-02-26 15:39:05 +01:00

mbuf.h

…

misc.c

slirp: fork_exec(): Don't close() a negative number in fork_exec()

2017-07-15 14:28:25 +02:00

misc.h

…

ncsi-pkt.h

slirp: add a fake NC-SI backend

2017-04-25 19:17:25 +08:00

ncsi.c

slirp: add a fake NC-SI backend

2017-04-25 19:17:25 +08:00

ndp_table.c

…

sbuf.c

slirp: Handle error returns from sosendoob()

2017-07-15 14:28:25 +02:00

sbuf.h

slirp: VMStatify sbuf

2017-04-29 18:44:16 +02:00

slirp_config.h

…

slirp.c

migration: Split registration functions from vmstate.h

2017-06-13 11:00:44 +02:00

slirp.h

slirp: add a fake NC-SI backend

2017-04-25 19:17:25 +08:00

socket.c

slirp: Handle error returns from sosendoob()

2017-07-15 14:28:25 +02:00

socket.h

slirp: VMStatify socket level

2017-04-29 18:44:16 +02:00

tcp_input.c

slirp: Fix wrong mss bug.

2017-05-27 23:34:47 +02:00

tcp_output.c

…

tcp_subr.c

Fix total IP header length in forwarded TCP packets

2017-05-27 23:35:00 +02:00

tcp_timer.c

…

tcp_timer.h

…

tcp_var.h

slirp: VMState conversion; tcpcb

2017-04-29 18:44:16 +02:00

tcp.h

…

tcpip.h

…

tftp.c

slirp: tftp, copy sockaddr_size

2017-04-29 18:29:58 +02:00

tftp.h

slirp: support dynamic block size for TFTP transfers

2016-12-21 00:02:15 +01:00

udp6.c

…

udp.c

slirp: Check qemu_socket() return value in udp_listen()

2017-02-26 15:38:38 +01:00

udp.h

…