Commit 01f7cecf authored by Petr Matousek, committed by Peter Maydell

slirp: udp: fix NULL pointer dereference because of uninitialized socket


When the guest sends a UDP packet with source port and source addr 0,
an uninitialized socket is picked up when looking for matching and already
created UDP sockets, and later passed to sosendto(), where a NULL pointer
dereference is hit during the so->slirp->vnetwork_mask.s_addr access.

Fix this by checking that the socket is not just a socket stub.

This is CVE-2014-3640.

Signed-off-by: Petr Matousek <pmatouse@redhat.com>
Reported-by: Xavier Mehrenberger <xavier.mehrenberger@airbus.com>
Reported-by: Stephane Duverger <stephane.duverger@eads.net>
Reviewed-by: Jan Kiszka <jan.kiszka@siemens.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Reviewed-by: Michael Tokarev <mjt@tls.msk.ru>
Message-id: 20140918063537.GX9321@dhcp-25-225.brq.redhat.com
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
parent 769188d3
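
The lookup problem the commit message describes, as an added example that is not QEMU's code and not part of the original commit: a simplified model in which a zero-filled list-head stub matches a packet with source address and port 0, beside a lookup that rejects the stub first. All struct and function names (`stack`, `sock`, `table`, `lookup_unchecked`, `lookup_checked`) are hypothetical, and the one-entry cache that starts out pointing at the stub is an assumption of the model.

```c
#include <stdint.h>
#include <stdio.h>
/* Simplified model with hypothetical names; these are not QEMU's types. */
struct stack { uint32_t vnetwork_mask; };
struct sock {
    struct sock *next;
    struct stack *owner;  /* NULL in the stub, which is only a list head */
    uint32_t laddr;       /* source address the socket was created for */
    uint16_t lport;       /* source port the socket was created for */
};
struct table {
    struct sock head;     /* zero-filled stub, never a real socket */
    struct sock *last;    /* one-entry lookup cache, starts at the stub */
};
void table_init(struct table *t) {
    t->head = (struct sock){0};
    t->head.next = t->last = &t->head;
}
void table_add(struct table *t, struct sock *so) {
    so->next = t->head.next;
    t->head.next = so;
}
static struct sock *scan(struct table *t, uint32_t addr, uint16_t port) {
    for (struct sock *so = t->head.next; so != &t->head; so = so->next)
        if (so->lport == port && so->laddr == addr)
            return t->last = so;
    return NULL;
}

/* Before: the cached entry is compared without asking whether it is the stub. */
struct sock *lookup_unchecked(struct table *t, uint32_t addr, uint16_t port) {
    struct sock *so = t->last;
    return (so->lport == port && so->laddr == addr) ? so : scan(t, addr, port);
}

/* After: the stub is rejected before its zeroed fields are compared. */
struct sock *lookup_checked(struct table *t, uint32_t addr, uint16_t port) {
    struct sock *so = t->last;
    return (so != &t->head && so->lport == port && so->laddr == addr)
               ? so : scan(t, addr, port);
}

int main(void) {
    struct table t;
    table_init(&t);
    printf("unchecked returns stub: %d, checked returns NULL: %d\n",
           lookup_unchecked(&t, 0, 0) == &t.head, lookup_checked(&t, 0, 0) == NULL);
    return 0;
}
```

In the model, a caller that received the stub from `lookup_unchecked` and read `owner->vnetwork_mask` would dereference NULL; with `lookup_checked` the caller sees no match and takes its normal socket-creation path.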