[Qemu-devel] [PATCH] slirp: check len against dhcp options array end

P J P posted 1 patch 6 years, 9 months ago
git fetch https://github.com/patchew-project/qemu tags/patchew/20170717120326.27967-1-ppandit@redhat.com
Test FreeBSD passed
Test checkpatch passed
Test docker passed
Test s390x passed
[Qemu-devel] [PATCH] slirp: check len against dhcp options array end
Posted by P J P 6 years, 9 months ago
From: Prasad J Pandit <pjp@fedoraproject.org>

While parsing the dhcp options string in 'dhcp_decode', if an option's
length 'len' appeared towards the end of the 'bp_vend' array, the ensuing
read could lead to an OOB memory access issue. Add a check to avoid it.

Reported-by: Reno Robert <renorobert@gmail.com>
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
---
 slirp/bootp.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/slirp/bootp.c b/slirp/bootp.c
index 5a4646c..5dd1a41 100644
--- a/slirp/bootp.c
+++ b/slirp/bootp.c
@@ -123,6 +123,9 @@ static void dhcp_decode(const struct bootp_t *bp, int *pmsg_type,
             if (p >= p_end)
                 break;
             len = *p++;
+            if (p + len > p_end) {
+                break;
+            }
             DPRINTF("dhcp: tag=%d len=%d\n", tag, len);
 
             switch(tag) {
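Review bot: `p + len > p_end` forms a pointer that can lie up to 255 bytes past the end of bp_vend before it is compared (len is a byte taken from the packet), which C does not permit even though it behaves on a flat address space; the same test written on lengths, `if (len > p_end - p) { break; }`, is identical in effect (len == p_end - p still passes, so an option ending exactly at the end of the vendor area is accepted) without ever forming the out-of-range pointer. A one-line comment saying that a truncated trailing option stops the walk instead of being parsed partially would also help the next reader.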
-- 
2.9.4


Re: [Qemu-devel] [PATCH] slirp: check len against dhcp options array end
Posted by Samuel Thibault 6 years, 9 months ago
P J P, on Mon. 17 Jul. 2017 17:33:26 +0530, wrote:
> From: Prasad J Pandit <pjp@fedoraproject.org>
> 
> While parsing the dhcp options string in 'dhcp_decode', if an option's
> length 'len' appeared towards the end of the 'bp_vend' array, the ensuing
> read could lead to an OOB memory access issue. Add a check to avoid it.
> 
> Reported-by: Reno Robert <renorobert@gmail.com>
> Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>

Oops, sure, applied to my tree, thanks!

Samuel

Re: [Qemu-devel] [PATCH] slirp: check len against dhcp options array end
Posted by Reno Robert 6 years, 9 months ago
+            if (p + len > p_end) {

Shouldn't this be (p + len >= p_end) ?

On Mon, Jul 17, 2017 at 8:18 PM, Samuel Thibault
<samuel.thibault@gnu.org> wrote:
> P J P, on Mon. 17 Jul. 2017 17:33:26 +0530, wrote:
>> From: Prasad J Pandit <pjp@fedoraproject.org>
>>
>> While parsing the dhcp options string in 'dhcp_decode', if an option's
>> length 'len' appeared towards the end of the 'bp_vend' array, the ensuing
>> read could lead to an OOB memory access issue. Add a check to avoid it.
>>
>> Reported-by: Reno Robert <renorobert@gmail.com>
>> Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
>
> Oops, sure, applied to my tree, thanks!
>
> Samuel



-- 
Regards,
Reno Robert
http://v0ids3curity.blogspot.in/

Re: [Qemu-devel] [PATCH] slirp: check len against dhcp options array end
Posted by Samuel Thibault 6 years, 9 months ago
Reno Robert, on Mon. 17 Jul. 2017 23:10:02 +0530, wrote:
> +            if (p + len > p_end) {
> 
> Shouldn't this be (p + len >= p_end) ?

No: if p_end-p is 1, len being 1 is fine.
 
Samuel
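The failure described in the commit message and the boundary case settled in the `>` versus `>=` exchange above, as an added example that is not slirp's code: a stand-alone C walk over a bp_vend-style option area, with the patch's check either applied or left out. The names `option_fits`, `dhcp_decode_options`, `struct dhcp_info` and the three sample vendor areas are constructed for this example, and the buffer length is a parameter rather than slirp's fixed DHCP_OPT_LEN. In the unfixed mode the code never actually reads past the buffer; it reports PARSE_WOULD_OOB at the access the original code would have made. The check is written as a length comparison so that no out-of-range pointer is formed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* RFC 1533 option tags handled by the walk below. */
#define RFC1533_PAD            0
#define RFC1533_REQADDR       50
#define RFC1533_DHCPMSGTYPE   53
#define RFC1533_END          255

static const uint8_t rfc1533_cookie[4] = { 99, 130, 83, 99 };

enum parse_status { PARSE_OK, PARSE_TRUNCATED, PARSE_WOULD_OOB, PARSE_NO_COOKIE };

struct dhcp_info {                 /* constructed for this example */
    int msg_type;                  /* -1 if no message-type option was seen */
    uint32_t req_addr;             /* requested IPv4 address as a host-order integer, 0 if absent */
    enum parse_status status;
};

/* The patch's check as length-versus-remaining: no pointer past one-past-the-end
 * is ever formed, and len == p_end - p is accepted (option ends exactly at the end). */
static int option_fits(const uint8_t *p, const uint8_t *p_end, unsigned len)
{
    return len <= (size_t)(p_end - p);
}

/* Walk the options in a bp_vend-style buffer of vend_len bytes.
 * hardened != 0 applies the patch's check before the switch; hardened == 0 keeps the
 * unfixed control flow but stops with PARSE_WOULD_OOB where the original would read past p_end. */
static struct dhcp_info dhcp_decode_options(const uint8_t *vend, size_t vend_len, int hardened)
{
    struct dhcp_info info = { -1, 0, PARSE_OK };
    const uint8_t *p = vend;
    const uint8_t *p_end = vend + vend_len;

    if (vend_len < sizeof rfc1533_cookie || memcmp(p, rfc1533_cookie, sizeof rfc1533_cookie) != 0) {
        info.status = PARSE_NO_COOKIE;
        return info;
    }
    p += sizeof rfc1533_cookie;

    while (p < p_end) {
        uint8_t tag = *p;
        unsigned len;

        if (tag == RFC1533_PAD) { p++; continue; }
        if (tag == RFC1533_END) break;

        p++;
        if (p >= p_end)                    /* no room for the length byte */
            break;
        len = *p++;                        /* p now points at the option body */

        if (hardened && !option_fits(p, p_end, len)) {
            info.status = PARSE_TRUNCATED; /* body would run past bp_vend: stop the walk */
            break;
        }

        switch (tag) {
        case RFC1533_DHCPMSGTYPE:
            if (len >= 1) {
                if (!option_fits(p, p_end, 1)) { info.status = PARSE_WOULD_OOB; return info; }
                info.msg_type = p[0];
            }
            break;
        case RFC1533_REQADDR:
            if (len >= 4) {
                if (!option_fits(p, p_end, 4)) { info.status = PARSE_WOULD_OOB; return info; }
                info.req_addr = ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16)
                              | ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
            }
            break;
        default:
            break;                         /* unknown tags are skipped by length */
        }
        /* The original does p += len and lets the loop condition end the walk;
         * clamping keeps the unfixed mode free of out-of-range pointers here. */
        p = option_fits(p, p_end, len) ? p + len : p_end;
    }
    return info;
}

/* Constructed sample vendor areas (not captured traffic). */
static const uint8_t good_vend[] = {
    99, 130, 83, 99,            /* cookie */
    53, 1, 3,                   /* DHCPMSGTYPE = 3 (DHCPREQUEST) */
    50, 4, 10, 0, 2, 15,        /* REQADDR = 10.0.2.15 */
    255, 0, 0                   /* END, padding */
};
/* Length byte claims one body byte, but the buffer ends right after it. */
static const uint8_t truncated_vend[] = { 99, 130, 83, 99, 0, 0, 53, 1 };
/* Last option body ends exactly at p_end (p_end - p == 1, len == 1): must be accepted. */
static const uint8_t exact_vend[] = { 99, 130, 83, 99, 50, 4, 10, 0, 2, 15, 53, 1, 3 };

int main(void)
{
    struct dhcp_info a = dhcp_decode_options(truncated_vend, sizeof truncated_vend, 0);
    struct dhcp_info b = dhcp_decode_options(truncated_vend, sizeof truncated_vend, 1);
    struct dhcp_info c = dhcp_decode_options(exact_vend, sizeof exact_vend, 1);
    printf("truncated, unfixed:  status=%d (2 = would read past bp_vend)\n", a.status);
    printf("truncated, hardened: status=%d msg_type=%d\n", b.status, b.msg_type);
    printf("exact fit, hardened: status=%d msg_type=%d\n", c.status, c.msg_type);
    return 0;
}
```

`truncated_vend` is the case the patch closes: the message-type read at `p[0]` would land one byte past the buffer without the check. `exact_vend` is Samuel's `p_end - p == 1, len == 1` case, which `>` accepts and `>=` would wrongly reject.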

Re: [Qemu-devel] [PATCH] slirp: check len against dhcp options array end
Posted by Michael Tokarev 6 years, 8 months ago
17.07.2017 17:48, Samuel Thibault wrote:
> P J P, on Mon. 17 Jul. 2017 17:33:26 +0530, wrote:
>> From: Prasad J Pandit <pjp@fedoraproject.org>
>>
>> While parsing the dhcp options string in 'dhcp_decode', if an option's
>> length 'len' appeared towards the end of the 'bp_vend' array, the ensuing
>> read could lead to an OOB memory access issue. Add a check to avoid it.
>>
>> Reported-by: Reno Robert <renorobert@gmail.com>
>> Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
> 
> Oops, sure, applied to my tree, thanks!

Can we have it in 2.10 please?

This is CVE-2017-11434, which can be mentioned in the commit message.

Thanks,

/mjt