diff options
Diffstat (limited to 'meta/recipes-devtools/qemu/qemu/CVE-2020-7039-1.patch')
-rw-r--r-- | meta/recipes-devtools/qemu/qemu/CVE-2020-7039-1.patch | 44 |
1 files changed, 0 insertions, 44 deletions
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2020-7039-1.patch b/meta/recipes-devtools/qemu/qemu/CVE-2020-7039-1.patch deleted file mode 100644 index df6bca6db6..0000000000 --- a/meta/recipes-devtools/qemu/qemu/CVE-2020-7039-1.patch +++ /dev/null @@ -1,44 +0,0 @@ -From b2663d527a1992ba98c0266458b21ada3b9d0d2e Mon Sep 17 00:00:00 2001 -From: Changqing Li <changqing.li@windriver.com> -Date: Thu, 27 Feb 2020 12:07:35 +0800 -Subject: [PATCH] tcp_emu: Fix oob access - -The main loop only checks for one available byte, while we sometimes -need two bytes. - -CVE: CVE-2020-7039 -Upstream-Status: Backport -[https://gitlab.freedesktop.org/slirp/libslirp/commit/2655fffed7a9e765bcb4701dd876e9dab975f289] - -Signed-off-by: Changqing Li <changqing.li@windriver.com> ---- - slirp/src/tcp_subr.c | 6 ++++++ - 1 file changed, 6 insertions(+) - -diff --git a/slirp/src/tcp_subr.c b/slirp/src/tcp_subr.c -index d6dd133..4bea2d4 100644 ---- a/slirp/src/tcp_subr.c -+++ b/slirp/src/tcp_subr.c -@@ -886,6 +886,8 @@ int tcp_emu(struct socket *so, struct mbuf *m) - break; - - case 5: -+ if (bptr == m->m_data + m->m_len - 1) -+ return 1; /* We need two bytes */ - /* - * The difference between versions 1.0 and - * 2.0 is here. For future versions of -@@ -901,6 +903,10 @@ int tcp_emu(struct socket *so, struct mbuf *m) - /* This is the field containing the port - * number that RA-player is listening to. - */ -+ -+ if (bptr == m->m_data + m->m_len - 1) -+ return 1; /* We need two bytes */ -+ - lport = (((uint8_t *)bptr)[0] << 8) + ((uint8_t *)bptr)[1]; - if (lport < 6970) - lport += 256; /* don't know why */ --- -2.7.4 - |