OOB bug in tcp_emu function
Bug #1858415 reported by r1ng0hacking
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| QEMU | Fix Released | Undecided | Samuel Thibault | |
Bug Description
qemu version: 4.1.0
```c
int tcp_emu(struct socket *so, struct mbuf *m)
{
    ............
    case EMU_REALAUDIO:
        ............
        while (bptr < m->m_data + m->m_len) {
            case 6:
                ............
                lport = (((uint8_t *)bptr)[0] << 8) + ((uint8_t *)bptr)[1];
                ............
                ............
        }
        ............
        ............
}
```
`((uint8_t *)bptr)[1]` and `bptr++` may make `bptr == m->m_data + m->m_len` and cause OOB (out of bounds).
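The defect the report describes is a length check that guards the opcode byte but not the two-byte port field read behind it. The following is an added example, not the reporter's code and not slirp's or libslirp's: it models only the loop shape shown above (a `while (bptr < end)` bound, an opcode consumed by `bptr++`, and opcode 6 followed by a big-endian 16-bit port) over a constructed byte sequence, and it counts would-be out-of-bounds reads instead of performing them. The names `walk_opcodes`, `walk_result`, `sample_result` and the assumption that the port field is skipped after decoding are this example's own, not slirp's.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Outcome of one walk over the opcode stream (hypothetical type, not slirp's). */
struct walk_result {
    int oob_reads;      /* bytes the original check would have read at or past m_len */
    int ports_parsed;   /* number of opcode-6 port fields decoded */
    uint16_t last_port; /* last decoded port, 0 for bytes that were out of bounds */
    bool rejected;      /* hardened check refused a truncated port field */
};

/* Model of the EMU_REALAUDIO loop from the report. `bptr` is kept as an offset so
 * the example never forms a pointer beyond the buffer. `hardened` selects a check
 * that requires both port bytes to be inside the buffer before they are read.
 * Opcodes other than 6 are treated as no-ops to keep the model small. */
static struct walk_result walk_opcodes(const uint8_t *m_data, size_t m_len, bool hardened)
{
    struct walk_result r = {0, 0, 0, false};
    size_t bptr = 0;

    while (bptr < m_len) {              /* same bound as the report's loop */
        uint8_t op = m_data[bptr++];    /* consume the opcode, as switch (*bptr++) does */
        if (op != 6)
            continue;

        /* Corrected check: after consuming the opcode, bptr <= m_len, so the
         * subtraction cannot underflow; fewer than 2 remaining bytes means the
         * port field is truncated and the packet must not be parsed further. */
        if (hardened && m_len - bptr < 2) {
            r.rejected = true;
            return r;
        }

        /* Original behaviour: the loop condition only guaranteed that the opcode
         * byte was in bounds, so bptr[0] and bptr[1] may lie at or past m_len.
         * Count those accesses instead of touching memory outside the buffer. */
        uint16_t port = 0;
        for (size_t i = 0; i < 2; i++) {
            uint8_t b = 0;
            if (bptr + i >= m_len)
                r.oob_reads++;
            else
                b = m_data[bptr + i];
            port = (uint16_t)((port << 8) | b);
        }
        bptr += 2;                      /* assumption: skip the decoded port field */
        r.ports_parsed++;
        r.last_port = port;
    }
    return r;
}

/* Constructed sample: an unknown opcode, one complete port field (6970), then an
 * opcode 6 whose port field is cut off by the end of the buffer. */
static const uint8_t sample_stream[] = {0x01, 0x06, 0x1b, 0x3a, 0x06, 0x1b};

struct walk_result sample_result(bool hardened)
{
    return walk_opcodes(sample_stream, sizeof sample_stream, hardened);
}

int main(void)
{
    struct walk_result weak = sample_result(false);
    struct walk_result safe = sample_result(true);
    printf("original check: ports=%d oob_reads=%d last_port=%u\n",
           weak.ports_parsed, weak.oob_reads, weak.last_port);
    printf("hardened check: ports=%d oob_reads=%d rejected=%s\n",
           safe.ports_parsed, safe.oob_reads, safe.rejected ? "yes" : "no");
    return 0;
}
```

With the original bound the second opcode 6 sits at the last-but-one byte, so the loop admits it and the port read reaches one byte past the end; with the hardened bound the same input is rejected before any read, and the first, complete port field is still decoded normally. A sanitizer build (for example `-fsanitize=address`) of the real parser would report the same one-byte overrun that the counter here records.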
CVE References
- information type: Private Security → Private
- information type: Private → Private Security
- information type: Private Security → Public
Thanks for your bug report. For future security critical bugs, please follow the steps described on https://wiki.qemu.org/SecurityProcess instead.

For this one, I've forwarded the information to the libslirp project, since the "slirp" code has been moved to a separate project which is no longer part of the QEMU project. They've included a fix here:

https://gitlab.freedesktop.org/slirp/libslirp/commit/2655fffed7a9e765bcb4701dd876e9dab975f289