aboutsummaryrefslogtreecommitdiff
path: root/slirp
diff options
context:
space:
mode:
authorFam Zheng <famz@redhat.com>2018-09-14 15:26:15 +0800
committerSamuel Thibault <samuel.thibault@ens-lyon.org>2018-10-21 21:22:17 +0200
commit6e157a0339793bb081705f52318fc77afd10addf (patch)
treeb28916158baccc6919994ab7cda862a04854e6f3 /slirp
parentb312532fd03413d0e6ae6767ec793a3e30f487b8 (diff)
downloadqemu-6e157a0339793bb081705f52318fc77afd10addf.zip
qemu-6e157a0339793bb081705f52318fc77afd10addf.tar.gz
qemu-6e157a0339793bb081705f52318fc77afd10addf.tar.bz2
slirp: Add sanity check for str option length
When user provides a long domainname or hostname that doesn't fit in the DHCP packet, we mustn't overflow the response packet buffer. Instead, report errors, following the g_warning() in the slirp->vdnssearch branch. Also check the strlen against 256 when initializing slirp, which limit is also from the protocol where one byte represents the string length. This gives an early error before the warning which is harder to notice or diagnose. Reported-by: Thomas Huth <thuth@redhat.com> Reviewed-by: Thomas Huth <thuth@redhat.com> Cc: qemu-stable@nongnu.org Signed-off-by: Fam Zheng <famz@redhat.com> Tested-by: Gerd Hoffmann <kraxel@redhat.com> Signed-off-by: Samuel Thibault <samuel.thibault@ens-lyon.org>
Diffstat (limited to 'slirp')
-rw-r--r--slirp/bootp.c32
1 files changed, 22 insertions, 10 deletions
diff --git a/slirp/bootp.c b/slirp/bootp.c
index 9e7b53b..1e8185f 100644
--- a/slirp/bootp.c
+++ b/slirp/bootp.c
@@ -159,6 +159,7 @@ static void bootp_reply(Slirp *slirp, const struct bootp_t *bp)
struct in_addr preq_addr;
int dhcp_msg_type, val;
uint8_t *q;
+ uint8_t *end;
uint8_t client_ethaddr[ETH_ALEN];
/* extract exact DHCP msg type */
@@ -240,6 +241,7 @@ static void bootp_reply(Slirp *slirp, const struct bootp_t *bp)
rbp->bp_siaddr = saddr.sin_addr; /* Server IP address */
q = rbp->bp_vend;
+ end = (uint8_t *)&rbp[1];
memcpy(q, rfc1533_cookie, 4);
q += 4;
@@ -292,24 +294,33 @@ static void bootp_reply(Slirp *slirp, const struct bootp_t *bp)
if (*slirp->client_hostname) {
val = strlen(slirp->client_hostname);
- *q++ = RFC1533_HOSTNAME;
- *q++ = val;
- memcpy(q, slirp->client_hostname, val);
- q += val;
+ if (q + val + 2 >= end) {
+ g_warning("DHCP packet size exceeded, "
+ "omitting host name option.");
+ } else {
+ *q++ = RFC1533_HOSTNAME;
+ *q++ = val;
+ memcpy(q, slirp->client_hostname, val);
+ q += val;
+ }
}
if (slirp->vdomainname) {
val = strlen(slirp->vdomainname);
- *q++ = RFC1533_DOMAINNAME;
- *q++ = val;
- memcpy(q, slirp->vdomainname, val);
- q += val;
+ if (q + val + 2 >= end) {
+ g_warning("DHCP packet size exceeded, "
+ "omitting domain name option.");
+ } else {
+ *q++ = RFC1533_DOMAINNAME;
+ *q++ = val;
+ memcpy(q, slirp->vdomainname, val);
+ q += val;
+ }
}
if (slirp->vdnssearch) {
- size_t spaceleft = sizeof(rbp->bp_vend) - (q - rbp->bp_vend);
val = slirp->vdnssearch_len;
- if (val + 1 > spaceleft) {
+ if (q + val >= end) {
g_warning("DHCP packet size exceeded, "
"omitting domain-search option.");
} else {
@@ -331,6 +342,7 @@ static void bootp_reply(Slirp *slirp, const struct bootp_t *bp)
memcpy(q, nak_msg, sizeof(nak_msg) - 1);
q += sizeof(nak_msg) - 1;
}
+ assert(q < end);
*q = RFC1533_END;
daddr.sin_addr.s_addr = 0xffffffffu;