Description: CVE-2020-7039 fix
 .
 tcp_emu: Fix oob access
 https://gitlab.freedesktop.org/slirp/libslirp/commit/2655fffed7a9e765bcb4701dd876e9dab975f289
 The main loop only checks for one available byte, while we sometimes need two bytes.
 .
 slirp: use correct size while emulating IRC commands 
 https://gitlab.freedesktop.org/slirp/libslirp/commit/ce131029d6d4a405cb7d3ac6716d03e58fb4a5d9
 While emulating IRC DCC commands, tcp_emu() uses 'mbuf' size
 'm->m_size' to write DCC commands via snprintf(3). This may
 lead to OOB write access, because 'bptr' points somewhere in
 the middle of 'mbuf' buffer, not at the start. Use M_FREEROOM(m)
 size to avoid OOB access.
 Reported-by: default avatarVishnu Dev TJ <vishnudevtj@gmail.com>
 Signed-off-by: default avatarPrasad J Pandit <pjp@fedoraproject.org>
 Reviewed-by: Samuel Thibault's avatarSamuel Thibault <samuel.thibault@ens-lyon.org>
 Message-Id: <20200109094228.79764-2-ppandit@redhat.com>
 .
 slirp: use correct size while emulating commands 
 https://gitlab.freedesktop.org/slirp/libslirp/commit/82ebe9c370a0e2970fb5695aa19aa5214a6a1c80
 While emulating services in tcp_emu(), it uses 'mbuf' size
 'm->m_size' to write commands via snprintf(3). Use M_FREEROOM(m)
 size to avoid possible OOB access.
 Signed-off-by: default avatarPrasad J Pandit <pjp@fedoraproject.org>
 Signed-off-by: Samuel Thibault's avatarSamuel Thibault <samuel.thibault@ens-lyon.org>
 Message-Id: <20200109094228.79764-3-ppandit@redhat.com>
 .
Author: Roberto Lumbreras <rover@debian.org>

Index: slirp-1.0.17/src/tcp_subr.c
===================================================================
--- slirp-1.0.17.orig/src/tcp_subr.c	2020-01-24 12:02:44.164951544 +0100
+++ slirp-1.0.17/src/tcp_subr.c	2020-01-24 20:04:00.773372684 +0100
@@ -1015,8 +1015,7 @@
 			n4 =  (laddr & 0xff);
 
 			m->m_len = bptr - m->m_data; /* Adjust length */
-            /* SECURITY TODO: Length Check */
-			m->m_len += sprintf(bptr,"ORT %d,%d,%d,%d,%d,%d\r\n%s",
+			m->m_len += snprintf(bptr, M_FREEROOM(m), "ORT %d,%d,%d,%d,%d,%d\r\n%s",
 					    n1, n2, n3, n4, n5, n6, x==7?buff:"");
 			return 1;
 		} else if ((bptr = (char *)strstr(m->m_data, "27 Entering")) != NULL) {
@@ -1047,8 +1046,8 @@
 			n4 =  (laddr & 0xff);
 
 			m->m_len = bptr - m->m_data; /* Adjust length */
-			/* SECURITY TODO: length check */
-			m->m_len += sprintf(bptr,"27 Entering Passive Mode (%d,%d,%d,%d,%d,%d)\r\n%s",
+			m->m_len += snprintf(bptr, M_FREEROOM(m),
+					    "27 Entering Passive Mode (%d,%d,%d,%d,%d,%d)\r\n%s",
 					    n1, n2, n3, n4, n5, n6, x==7?buff:"");
 
 			return 1;
@@ -1072,7 +1071,7 @@
 		}
 		if (m->m_data[m->m_len-1] == '\0' && lport != 0 &&
 		    (so = solisten(0, so->so_laddr.s_addr, htons(lport), SS_FACCEPTONCE)) != NULL)
-			m->m_len = sprintf(m->m_data, "%d", ntohs(so->so_fport))+1;
+			m->m_len = snprintf(m->m_data, M_ROOM(m), "%d", ntohs(so->so_fport)) + 1;
 		return 1;
 
 	 case EMU_IRC:
@@ -1089,8 +1088,7 @@
 				return 1;
 
 			m->m_len = bptr - m->m_data; /* Adjust length */
-			/* SECURITY TODO: length check */
-			m->m_len += sprintf(bptr, "DCC CHAT chat %lu %u%c\n",
+			m->m_len += snprintf(bptr, M_FREEROOM(m), "DCC CHAT chat %lu %u%c\n",
 			     (unsigned long)ntohl(so->so_faddr.s_addr),
 			     ntohs(so->so_fport), 1);
 		} else if (sscanf(bptr, "DCC SEND %256s %u %u %u", buff, &laddr, &lport, &n1) == 4) {
@@ -1098,7 +1096,7 @@
 				return 1;
 
 			m->m_len = bptr - m->m_data; /* Adjust length */
-			m->m_len += sprintf(bptr, "DCC SEND %s %lu %u %u%c\n",
+			m->m_len += snprintf(bptr, M_FREEROOM(m), "DCC SEND %s %lu %u %u%c\n",
 			      buff, (unsigned long)ntohl(so->so_faddr.s_addr),
 			      ntohs(so->so_fport), n1, 1);
 		} else if (sscanf(bptr, "DCC MOVE %256s %u %u %u", buff, &laddr, &lport, &n1) == 4) {
@@ -1106,8 +1104,7 @@
 				return 1;
 
 			m->m_len = bptr - m->m_data; /* Adjust length */
-			/* SECURITY TODO: length check */
-			m->m_len += sprintf(bptr, "DCC MOVE %s %lu %u %u%c\n",
+			m->m_len += snprintf(bptr, M_FREEROOM(m), "DCC MOVE %s %lu %u %u%c\n",
 			      buff, (unsigned long)ntohl(so->so_faddr.s_addr),
 			      ntohs(so->so_fport), n1, 1);
 		}
@@ -1193,6 +1190,9 @@
 				break;
 				
 			 case 5: 
+				if (bptr == m->m_data + m->m_len - 1)
+				   return 1; /* We need two bytes */
+
 				/*
 				 * The difference between versions 1.0 and
 				 * 2.0 is here. For future versions of
@@ -1208,6 +1208,10 @@
 				/* This is the field containing the port
 				 * number that RA-player is listening to.
 				 */
+
+				if (bptr == m->m_data + m->m_len - 1)
+				   return 1; /* We need two bytes */
+
 				lport = (((u_char*)bptr)[0] << 8) 
 				+ ((u_char *)bptr)[1];
 				if (lport < 6970)