@@ -73,6 +73,7 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \
file://CVE-2021-3592_1.patch \
file://CVE-2021-3592_2.patch \
file://CVE-2021-3592_3.patch \
+ file://CVE-2021-3593.patch \
"
UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar"
new file mode 100644
@@ -0,0 +1,40 @@
+From fe99634066e1074aaf55e83b576385877d7e4bcc Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Marc-Andr=C3=A9=20Lureau?= <marcandre.lureau@redhat.com>
+Date: Fri, 4 Jun 2021 16:32:55 +0400
+Subject: [PATCH 04/12] upd6: check udp6_input buffer size
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Fixes: CVE-2021-3593
+Fixes: https://gitlab.freedesktop.org/slirp/libslirp/-/issues/45
+
+Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
+
+Upstream-Status: Backport [de71c15de66ba9350bf62c45b05f8fbff166517b]
+CVE: CVE-2021-3593
+
+Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
+---
+ slirp/src/udp6.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/slirp/src/udp6.c b/slirp/src/udp6.c
+index 6f9486bbc..8c490e4d1 100644
+--- a/slirp/src/udp6.c
++++ b/slirp/src/udp6.c
+@@ -28,7 +28,10 @@ void udp6_input(struct mbuf *m)
+ ip = mtod(m, struct ip6 *);
+ m->m_len -= iphlen;
+ m->m_data += iphlen;
+- uh = mtod(m, struct udphdr *);
++ uh = mtod_check(m, sizeof(struct udphdr));
++ if (uh == NULL) {
++ goto bad;
++ }
+ m->m_len += iphlen;
+ m->m_data -= iphlen;
+
+--
+2.31.1
+
Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com> --- meta/recipes-devtools/qemu/qemu.inc | 1 + .../qemu/qemu/CVE-2021-3593.patch | 40 +++++++++++++++++++ 2 files changed, 41 insertions(+) create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2021-3593.patch