ipreass in ipinput.c in libslirp 4.0.0 has a heap-based buffer overflow via a large packet because it mishandles a case involving the first fragment.
{ "vanir_signatures": [ { "digest": { "line_hashes": [ "317361430190225003347536229565579127684", "32876557084403352590041593915771637096", "329287438392875335896608726947175177095", "86677765742023927759653894039043670774", "313169288687725037738192364702706909465", "156244072918945693710603918551038402869", "276087485554849238538926261260840071705" ], "threshold": 0.9 }, "deprecated": false, "signature_version": "v1", "target": { "file": "src/ip_input.c" }, "id": "CVE-2019-14378-303b7146", "source": "https://gitlab.freedesktop.org/slirp/libslirp@126c04acbabd7ad32c2b018fe10dfac2a3bc1210", "signature_type": "Line" }, { "digest": { "length": 2835.0, "function_hash": "228952944605302490550765160498435836668" }, "deprecated": false, "signature_version": "v1", "target": { "function": "ip_reass", "file": "src/ip_input.c" }, "id": "CVE-2019-14378-4d99f843", "source": "https://gitlab.freedesktop.org/slirp/libslirp@126c04acbabd7ad32c2b018fe10dfac2a3bc1210", "signature_type": "Function" } ] }