Attachment 287621 Details for Bug 360381 – Specific patch for CVE-2007-5730 issue

[patch] Specific patch for CVE-2007-5730 issue

CVE-2007-5730.patch (text/plain), 1.40 KB, created by Mark J. Cox on 2007-12-13 16:51:41 UTC

(hide)

Description:

Filename:

MIME Type:

Creator: Mark J. Cox

Created: 2007-12-13 16:51:41 UTC

Size: 1.40 KB

patch

obsolete

>diff -rpu qemu-0.9.0.orig/vl.c qemu-0.9.0/vl.c
>--- qemu-0.9.0.orig/vl.c	2007-02-05 23:01:54.000000000 +0000
>+++ qemu-0.9.0/vl.c	2007-02-20 21:53:41.000000000 +0000
>@@ -3329,8 +3329,8 @@ typedef struct NetSocketState {
>     VLANClientState *vc;
>     int fd;
>     int state; /* 0 = getting length, 1 = getting data */
>-    int index;
>-    int packet_len;
>+    unsigned int index;
>+    unsigned int packet_len;
>     uint8_t buf[4096];
>     struct sockaddr_in dgram_dst; /* contains inet host and port destination iff connectionless (SOCK_DGRAM) */
> } NetSocketState;
>@@ -3361,7 +3361,8 @@ static void net_socket_receive_dgram(voi
> static void net_socket_send(void *opaque)
> {
>     NetSocketState *s = opaque;
>-    int l, size, err;
>+    int size, err;
>+    unsigned l;
>     uint8_t buf1[4096];
>     const uint8_t *buf;
> 
>@@ -3400,7 +3401,15 @@ static void net_socket_send(void *opaque
>             l = s->packet_len - s->index;
>             if (l > size)
>                 l = size;
>-            memcpy(s->buf + s->index, buf, l);
>+            if (s->index + l <= sizeof(s->buf)) {
>+                memcpy(s->buf + s->index, buf, l);
>+            } else {
>+                fprintf(stderr, "serious error: oversized packet received,"
>+                    "connection terminated.\n");
>+                s->state = 0;
>+                goto eoc;
>+            }
>+
>             s->index += l;
>             buf += l;
>             size -= l;

Actions: View | Diff

Attachments on bug 360381: 287621 | 291284