instruction: 0.523
syscall: 0.244
runtime: 0.233
The tcp_emu function has an out-of-bounds (OOB) bug.
qemu version: 4.1.0
```c
int tcp_emu(struct socket *so, struct mbuf *m)
{
    ............
    case EMU_REALAUDIO:
        ............
        /* The loop guard only checks that bptr itself is inside the mbuf. */
        while (bptr < m->m_data + m->m_len) {
            ............
            case 6:
                ............
                /* Two-byte read: when bptr == m->m_data + m->m_len - 1,
                 * bptr[1] is m->m_data[m->m_len], one past the end. */
                lport = (((uint8_t *)bptr)[0] << 8) + ((uint8_t *)bptr)[1];
                ............
                /* Two-byte write: after bptr++, *bptr can likewise be
                 * one past the end of the buffer. */
                *(uint8_t *)bptr++ = (p >> 8) & 0xff;
                *(uint8_t *)bptr = p & 0xff;
                ............
        }
        ............
    ............
}
```
Because the loop only checks `bptr < m->m_data + m->m_len`, the read of `bptr[1]` and the write through `bptr` after `bptr++` may both access `bptr == m->m_data + m->m_len`, i.e. one byte past the end of the buffer, causing an OOB (out-of-bounds) read and write.
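Added example, not QEMU's code or the reporter's: a constructed model of the case-6 port-field handling that places the excerpt's one-byte guard beside a guard requiring both bytes of the 16-bit field to fit inside the mbuf. The `struct mbuf` stand-in, `port_field_fits_weak`, `port_field_fits` and `rewrite_port` are assumptions made for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Minimal stand-in for the slirp mbuf fields the excerpt uses
 * (constructed for this example, not QEMU's struct). */
struct mbuf { uint8_t *m_data; int m_len; };

/* The excerpt's guard: only the first byte must be inside the buffer.
 * It accepts bptr == m_data + m_len - 1, where bptr[1] and the write
 * after bptr++ both touch m_data[m_len]. */
static int port_field_fits_weak(const struct mbuf *m, const uint8_t *bptr) {
    return bptr < m->m_data + m->m_len;
}

/* Hardened guard: the port field is two bytes wide, so both must fit. */
static int port_field_fits(const struct mbuf *m, const uint8_t *bptr) {
    const uint8_t *end = m->m_data + m->m_len;
    return bptr < end && (size_t)(end - bptr) >= 2;
}

/* Hardened version of the case-6 body: read the old big-endian port and
 * write the new one, but only when both bytes are in bounds.
 * Returns the old port, or -1 if the field would run past the buffer. */
static int rewrite_port(struct mbuf *m, uint8_t *bptr, uint16_t p) {
    if (!port_field_fits(m, bptr)) return -1;
    int lport = (bptr[0] << 8) + bptr[1];
    *bptr++ = (p >> 8) & 0xff;
    *bptr = p & 0xff;
    return lport;
}

int main(void) {
    uint8_t buf[4] = { 0x00, 0x00, 0x1f, 0x90 };   /* constructed payload */
    struct mbuf m = { buf, (int)sizeof buf };
    /* Field at offset 2: both bytes fit, old port is 0x1f90 = 8080. */
    printf("offset 2: old port %d\n", rewrite_port(&m, buf + 2, 1234));
    /* Field at offset 3: passes the excerpt's guard, rejected by ours. */
    printf("offset 3: weak guard %d, strict result %d\n",
           port_field_fits_weak(&m, buf + 3), rewrite_port(&m, buf + 3, 1234));
    return 0;
}
```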