qemu/0061-slirp-check-sscanf-result-when-emul.patch

From: William Bowling <will@wbowling.info>
Date: Fri, 1 Mar 2019 21:45:56 +0000
Subject: slirp: check sscanf result when emulating ident
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

When emulating ident in tcp_emu, if the strchr checks passed but the
sscanf check failed, two uninitialized variables would be copied and
sent in the reply, so move this code inside the if(sscanf()) clause.

Signed-off-by: William Bowling <will@wbowling.info>
Cc: qemu-stable@nongnu.org
Cc: secalert@redhat.com
Message-Id: <1551476756-25749-1-git-send-email-will@wbowling.info>
Signed-off-by: Samuel Thibault <samuel.thibault@ens-lyon.org>
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
(cherry picked from commit d3222975c7d6cda9e25809dea05241188457b113)
[BR: BSC#1129622 CVE-2019-9824 To pass our checkpatch check, I changed
the patch to use spaces, not tabs, as in the initially proposed]
Signed-off-by: Bruce Rogers <brogers@suse.com>
---
 slirp/tcp_subr.c | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/slirp/tcp_subr.c b/slirp/tcp_subr.c
index 7a23ce738c..a6fd8626a8 100644
--- a/slirp/tcp_subr.c
+++ b/slirp/tcp_subr.c
@@ -661,12 +661,12 @@ tcp_emu(struct socket *so, struct mbuf *m)
 							break;
 						}
 					}
+                                        so_rcv->sb_cc = snprintf(so_rcv->sb_data,
+                                                                 so_rcv->sb_datalen,
+                                                                 "%d,%d\r\n", n1, n2);
+                                        so_rcv->sb_rptr = so_rcv->sb_data;
+                                        so_rcv->sb_wptr = so_rcv->sb_data + so_rcv->sb_cc;
 				}
-                                so_rcv->sb_cc = snprintf(so_rcv->sb_data,
-                                                         so_rcv->sb_datalen,
-                                                         "%d,%d\r\n", n1, n2);
-				so_rcv->sb_rptr = so_rcv->sb_data;
-				so_rcv->sb_wptr = so_rcv->sb_data + so_rcv->sb_cc;
 			}
 			m_free(m);
 			return 0;