path: root/results/classifier/user-mode-bugs/1858415
The tcp_emu function has an OOB bug

qemu version: 4.1.0

```c
int tcp_emu(struct socket *so, struct mbuf *m){
............
case EMU_REALAUDIO:
............
    while (bptr < m->m_data + m->m_len) {
        case 6:
............
            lport = (((uint8_t *)bptr)[0] << 8) + ((uint8_t *)bptr)[1];
............
            *(uint8_t *)bptr++ = (p >> 8) & 0xff;
            *(uint8_t *)bptr = p & 0xff;
............
    }
............
............
}
```

bptr)[1] and bptr++ may make bptr == m->m_data + m->m_len and cause an OOB (out-of-bounds) access.
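As an added example (not the reporter's code and not QEMU's), the bounds check the loop above is missing: a hypothetical helper that mirrors the two-byte port read and write-back, but refuses when fewer than two bytes remain before m->m_data + m->m_len. The buffer contents are constructed for the demo.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical helper (not QEMU/libslirp code) modelled on the EMU_REALAUDIO
 * access pattern in the excerpt: read the 16-bit big-endian port at bptr and
 * write a replacement port back in place.  Both bytes must lie inside
 * [data, data + len) before either is touched. */
static int realaudio_fix_port(uint8_t *data, size_t len, size_t off,
                              uint16_t new_port, uint16_t *old_port)
{
    /* The excerpt only guarantees bptr < data + len, so bptr[1] and the
     * bptr++ that follows may land exactly on data + len.  Require two bytes. */
    if (off >= len || len - off < 2) {
        return -1; /* refuse instead of reading or writing past the buffer */
    }
    uint8_t *bptr = data + off;
    *old_port = (uint16_t)((bptr[0] << 8) | bptr[1]);
    bptr[0] = (uint8_t)((new_port >> 8) & 0xff);
    bptr[1] = (uint8_t)(new_port & 0xff);
    return 0;
}

/* Constructed 4-byte payload: port 8080 (0x1f90) followed by two filler bytes. */
static int demo_in_bounds(void)
{
    uint8_t buf[4] = { 0x1f, 0x90, 0xaa, 0xbb };
    uint16_t old = 0;
    if (realaudio_fix_port(buf, sizeof buf, 0, 10000, &old) != 0) return 0;
    /* 10000 == 0x2710 must now be stored big-endian at offset 0 */
    return old == 8080 && buf[0] == 0x27 && buf[1] == 0x10 && buf[2] == 0xaa;
}

/* Only one byte remains at offset 3: the excerpt's check (bptr < end) would
 * pass, whereas the hardened helper refuses and leaves the buffer untouched. */
static int demo_one_byte_left(void)
{
    uint8_t buf[4] = { 0x1f, 0x90, 0xaa, 0xbb };
    uint16_t old = 0;
    int rc = realaudio_fix_port(buf, sizeof buf, 3, 10000, &old);
    return rc == -1 && buf[3] == 0xbb;
}

int main(void)
{
    printf("in-bounds rewrite ok: %d\n", demo_in_bounds());
    printf("one byte left refused: %d\n", demo_one_byte_left());
    return 0;
}
```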