Changeset 50211 in vbox for trunk

Timestamp:

Jan 24, 2014 3:51:01 AM (11 years ago)

Author:

vboxsync

Message:

lwip: Partially apply missed commit from git master
commit 381a7b110a4a611e9956b2c644bc330bacb87073
Date: Fri Jan 10 21:47:42 2014 +0100

Apply IPv4 part only. IPv6 was fixed properly in r91477 as part of
IPv6 reassembly rewrite. Force README.vbox commit so that it has this
in its history.

Location:

trunk/src/VBox/Devices/Network/lwip-new

Files:

• CHANGELOG (modified) (1 diff)
• src/core/ipv4/ip_frag.c (modified) (4 diffs)

trunk/src/VBox/Devices/Network/lwip-new/CHANGELOG

@@ -109 +109 @@
   * timers.c: patch #8244 make timeouts usable reliably from outside of the
     timeout routine
+
+  2014-01-10: Simon Goldschmidt
+  * ip_frag.c, ip6_frag.c: fixed bug #41041 Potential use-after-free in IPv6 reassembly
 
   2014-01-10: Simon Goldschmidt

trunk/src/VBox/Devices/Network/lwip-new/src/core/ipv4/ip_frag.c

@@ -482 +482 @@
   u16_t offset, len;
   u8_t clen;
-  struct ip_reassdata *ipr_prev = NULL;
 
   IPFRAG_STATS_INC(ip_frag.recv);
@@ -528 +527 @@
       break;
     }
-    ipr_prev = ipr;
   }
 
@@ -566 +564 @@
   /* @todo: trim pbufs if fragments are overlapping */
   if (ip_reass_chain_frag_into_datagram_and_validate(ipr, p)) {
+    struct ip_reassdata *ipr_prev;
     /* the totally last fragment (flag more fragments = 0) was received at least
      * once AND all fragments are received */
@@ -595 +594 @@
       r = iprh->next_pbuf;
     }
+
+    /* find the previous entry in the linked list */
+    for (ipr_prev = reassdatagrams; ipr_prev != NULL; ipr = ipr->next) {
+      if (ipr_prev->next == ipr) {
+        break;
+      }
+    }
+
     /* release the sources allocate for the fragment queue entry */
     ip_reass_dequeue_datagram(ipr, ipr_prev);