| commit | 864036e251f54c99d31df124aad7f34f01f5344c | |
| author | Prasad J Pandit <pjp@fedoraproject.org> | |
| Tue, 5 Jun 2018 18:08:35 +0000 (5 23:38 +0530) | ||
| committer | Samuel Thibault <samuel.thibault@ens-lyon.org> | |
| Fri, 8 Jun 2018 06:08:30 +0000 (8 09:08 +0300) | ||
| tree | ca78196ce84b59fe837722729d93bc043d1192b0 | treesnapshot (tar.gz zip) |
| parent | 3835c310bd13662d5fb3f50f3dd62605dfd40cf9 | commitdiff |
slirp: correct size computation while concatenating mbuf
While reassembling incoming fragmented datagrams, 'm_cat' routine
extends the 'mbuf' buffer, if it has insufficient room. It computes
a wrong buffer size, which leads to overwriting adjacent heap buffer
area. Correct this size computation in m_cat.
Reported-by: ZDI Disclosures <zdi-disclosures@trendmicro.com>
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
Signed-off-by: Samuel Thibault <samuel.thibault@ens-lyon.org>
While reassembling incoming fragmented datagrams, 'm_cat' routine
extends the 'mbuf' buffer, if it has insufficient room. It computes
a wrong buffer size, which leads to overwriting adjacent heap buffer
area. Correct this size computation in m_cat.
Reported-by: ZDI Disclosures <zdi-disclosures@trendmicro.com>
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
Signed-off-by: Samuel Thibault <samuel.thibault@ens-lyon.org>
| slirp/mbuf.c | diffblobblamehistory | |
| slirp/mbuf.h | diffblobblamehistory |