Fix heap overflow in ip_reass on big packet input

When the first fragment does not fit in the preallocated buffer, q will
already be pointing to the ext buffer, so we mustn't try to update it.

Signed-off-by: Samuel Thibault <[email protected]>

Author: sthibaul

src/ip_input.c

@@ -326,6 +326,8 @@ static struct ip *ip_reass(Slirp *slirp, struct ip *ip, struct ipq *fp)
     q = fp->frag_link.next;
     m = dtom(slirp, q);
 
+    int was_ext = m->m_flags & M_EXT;
+
     q = (struct ipasfrag *)q->ipf_next;
     while (q != (struct ipasfrag *)&fp->frag_link) {
         struct mbuf *t = dtom(slirp, q);
@@ -348,7 +350,7 @@ static struct ip *ip_reass(Slirp *slirp, struct ip *ip, struct ipq *fp)
      * the old buffer (in the mbuf), so we must point ip
      * into the new buffer.
      */
-    if (m->m_flags & M_EXT) {
+    if (!was_ext && m->m_flags & M_EXT) {
         int delta = (char *)q - m->m_dat;
         q = (struct ipasfrag *)(m->m_ext + delta);
     }