Commit 9a72433

pmatouse and mdroth authored and committed
slirp: udp: fix NULL pointer dereference because of uninitialized socket
When guest sends udp packet with source port and source addr 0, uninitialized socket is picked up when looking for matching and already created udp sockets, and later passed to sosendto() where NULL pointer dereference is hit during so->slirp->vnetwork_mask.s_addr access. Fix this by checking that the socket is not just a socket stub. This is CVE-2014-3640. Signed-off-by: Petr Matousek <[email protected]> Reported-by: Xavier Mehrenberger <[email protected]> Reported-by: Stephane Duverger <[email protected]> Reviewed-by: Jan Kiszka <[email protected]> Reviewed-by: Michael S. Tsirkin <[email protected]> Reviewed-by: Michael Tokarev <[email protected]> Message-id: [email protected] Signed-off-by: Peter Maydell <[email protected]> (cherry picked from commit 01f7cec) Signed-off-by: Michael Roth <[email protected]>
1 parent 00dd2b2 commit 9a72433

File tree

1 file changed

+1
-1
lines changed

slirp/udp.c

Lines changed: 1 addition & 1 deletion
@@ -152,7 +152,7 @@ udp_input(register struct mbuf *m, int iphlen)
152152
* Locate pcb for datagram.
153153
*/
154154
so = slirp->udp_last_so;
155-
if (so->so_lport != uh->uh_sport ||
155+
if (so == &slirp->udb || so->so_lport != uh->uh_sport ||
156156
so->so_laddr.s_addr != ip->ip_src.s_addr) {
157157
struct socket *tmp;
158158

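Review bot: The new `so == &slirp->udb` test on line 155 has no comment explaining why the list head needs excluding here, and a reader of udp_input() will not know that slirp->udb is a zero-filled sentinel whose so_lport and so_laddr both compare equal to a 0/0 source; consider a one-line comment above the condition such as "udp_last_so starts out pointing at the list head stub, which is not a socket". The ordering is right: the sentinel check short-circuits before the port and address comparisons, so the stub is rejected regardless of what the guest put in the header. Since udp_last_so is a cache that is only refreshed on a successful match, it would also be worth confirming that the not-found path below (not shown in this hunk) never reassigns udp_last_so back to &slirp->udb, otherwise the same check would be needed again at the cache update.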