Diffstat (limited to 'app-emulation/qemu/files/qemu-5.0.0-ipv6-slirp-CVE-2020-10756.patch')
-rw-r--r-- | app-emulation/qemu/files/qemu-5.0.0-ipv6-slirp-CVE-2020-10756.patch | 35 |
1 files changed, 35 insertions, 0 deletions
diff --git a/app-emulation/qemu/files/qemu-5.0.0-ipv6-slirp-CVE-2020-10756.patch b/app-emulation/qemu/files/qemu-5.0.0-ipv6-slirp-CVE-2020-10756.patch
new file mode 100644
index 000000000000..d1d3c49a58f6
--- /dev/null
+++ b/app-emulation/qemu/files/qemu-5.0.0-ipv6-slirp-CVE-2020-10756.patch
@@ -0,0 +1,35 @@
+https://gitlab.freedesktop.org/slirp/libslirp/-/commit/c7ede54cbd2e2b25385325600958ba0124e31cc0
+https://bugzilla.redhat.com/show_bug.cgi?id=1835986
+https://bugs.gentoo.org/731992
+
+From c7ede54cbd2e2b25385325600958ba0124e31cc0 Mon Sep 17 00:00:00 2001
+From: Ralf Haferkamp <rhafer@suse.com>
+Date: Fri, 3 Jul 2020 14:51:16 +0200
+Subject: [PATCH] Drop bogus IPv6 messages
+
+Drop IPv6 message shorter than what's mentioned in the payload
+length header (+ the size of the IPv6 header). They're invalid an could
+lead to data leakage in icmp6_send_echoreply().
+---
+ src/ip6_input.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+--- a/slirp/src/ip6_input.c
++++ b/slirp/src/ip6_input.c
+@@ -49,6 +49,13 @@ void ip6_input(struct mbuf *m)
+ goto bad;
+ }
+
++ // Check if the message size is big enough to hold what's
++ // set in the payload length header. If not this is an invalid
++ // packet
++ if (m->m_len < ntohs(ip6->ip_pl) + sizeof(struct ip6)) {
++ goto bad;
++ }
++
+ /* check ip_ttl for a correct ICMP reply */
+ if (ip6->ip_hl == 0) {
+ icmp6_send_error(m, ICMP6_TIMXCEED, ICMP6_TIMXCEED_INTRANS);
+--
+GitLab
+ |
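Review bot: The new length guard in ip6_input() compares `m->m_len` with `ntohs(ip6->ip_pl) + sizeof(struct ip6)`, a `size_t` expression, so the comparison is evaluated unsigned; if `m_len` is a signed field (its declaration is not visible here), the guard depends on an earlier check outside this hunk having already rejected negative or sub-header lengths. The comment above it says what is checked but not why it matters, so I would fold in the reason given in the commit message, e.g. `/* ip_pl is taken from the packet; icmp6_send_echoreply() trusts it, so a shorter mbuf could leak data */`. The body of ip6_input starts and ends outside the hunk. Separately, the embedded paths are `a/slirp/src/ip6_input.c`, so this presumably patches only the bundled slirp copy; a build linked against a system libslirp would need the same fix applied there.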