aboutsummaryrefslogtreecommitdiff
path: root/slirp/mbuf.c
AgeCommit message (Collapse)AuthorFilesLines
2020-06-22slirp: update to fix CVE-2020-1983Marc-André Lureau1-0/+0
This is an update on the stable-4.2 branch of libslirp.git: git shortlog 55ab21c9a3..2faae0f778f81 Marc-André Lureau (1): Fix use-afte-free in ip_reass() (CVE-2020-1983) CVE-2020-1983 is actually a follow up fix for commit 126c04acbabd7ad32c2b018fe10dfac2a3bc1210 ("Fix heap overflow in ip_reass on big packet input") which was was included in qemu v4.1 (commit e1a4a24d262ba5ac74ea1795adb3ab1cd574c7fb "slirp: update with CVE-2019-14378 fix"). Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com> Message-id: 20200421170227.843555-1-marcandre.lureau@redhat.com Signed-off-by: Peter Maydell <peter.maydell@linaro.org> (cherry picked from commit 7769c23774d1278f60b9e40d2c0b98784de6425f) Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
2019-08-02slirp: update with CVE-2019-14378 fixMarc-André Lureau1-0/+0
Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
2019-05-09Update upstream slirpSamuel Thibault1-0/+0
Adds gitignore, README file, and fixes ident protocol parsing. Signed-off-by: Samuel Thibault <samuel.thibault@ens-lyon.org>
2019-05-04Update slirp submoduleSamuel Thibault1-0/+0
To fix Windows on ARM.
2019-05-03build-sys: move slirp as git submodule projectMarc-André Lureau1-0/+0
The slirp project is now hosted on freedesktop at: https://gitlab.freedesktop.org/slirp. The libslirp source was extracted from qemu/slirp filtered through clang-format (available in project tree). The qemu slirp directory can be swapped by a git submodule. Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com> Message-Id: <20190424110041.8175-3-marcandre.lureau@redhat.com> Signed-off-by: Samuel Thibault <samuel.thibault@ens-lyon.org>
2019-03-07slirp: move sources to src/ subdirectoryMarc-André Lureau1-237/+0
Prepare for making slirp/ a standalone project. Remove some useless includes while at it. Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com> Message-Id: <20190212162524.31504-5-marcandre.lureau@redhat.com> Signed-off-by: Samuel Thibault <samuel.thibault@ens-lyon.org>
2019-02-07slirp: replace remaining qemu headers dependencyMarc-André Lureau1-1/+0
Except for the migration code which is gated by WITH_QEMU, only include our own headers, so libslirp can be built standalone. Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com> Signed-off-by: Samuel Thibault <samuel.thibault@ens-lyon.org>
2019-01-14slirp: improve a bit the debug macrosMarc-André Lureau1-1/+1
Let them accept multiple arguments. Simplify the inner argument handling of DEBUG_ARGS/DEBUG_MISC_DEBUG_ERROR. Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com> Signed-off-by: Samuel Thibault <samuel.thibault@ens-lyon.org>
2018-10-07slirp: document mbuf pointers and sizesPeter Maydell1-7/+7
and fix confusing datasize name into gapsize in m_inc. Signed-off-by: Peter Maydell <peter.maydell@linaro.org> Signed-off-by: Samuel Thibault <samuel.thibault@ens-lyon.org>
2018-08-07slirp: Correct size check in m_inc()Peter Maydell1-1/+1
The data in an mbuf buffer is not necessarily at the start of the allocated buffer. (For instance m_adj() allows data to be trimmed from the start by just advancing the pointer and reducing the length.) This means that the allocated buffer size (m->m_size) and the amount of space from the m_data pointer to the end of the buffer (M_ROOM(m)) are not necessarily the same. Commit 864036e251f54c9 tried to change the m_inc() function from taking the new allocated-buffer-size to taking the new room-size, but forgot to change the initial "do we already have enough space" check. This meant that if we were trying to extend a buffer which had a leading gap between the buffer start and the data, we might incorrectly decide it didn't need to be extended, and then overrun the end of the buffer, causing memory corruption and an eventual crash. Change the "already big enough?" condition from checking the argument against m->m_size to checking against M_ROOM(). This only makes a difference for the callsite in m_cat(); the other three callsites all start with a freshly allocated mbuf from m_get(), which will have m->m_size == M_ROOM(m). Fixes: 864036e251f54c9 Fixes: https://bugs.launchpad.net/qemu/+bug/1785670 Signed-off-by: Peter Maydell <peter.maydell@linaro.org> Reviewed-by: Samuel Thibault <samuel.thibault@ens-lyon.org> Message-id: 20180807114501.12370-1-peter.maydell@linaro.org Tested-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
2018-06-08slirp: reformat m_inc routinePrasad J Pandit1-18/+16
Coding style changes to the m_inc routine and minor refactoring. Reported-by: ZDI Disclosures <zdi-disclosures@trendmicro.com> Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org> Signed-off-by: Samuel Thibault <samuel.thibault@ens-lyon.org>
2018-06-08slirp: correct size computation while concatenating mbufPrasad J Pandit1-6/+5
While reassembling incoming fragmented datagrams, 'm_cat' routine extends the 'mbuf' buffer, if it has insufficient room. It computes a wrong buffer size, which leads to overwriting adjacent heap buffer area. Correct this size computation in m_cat. Reported-by: ZDI Disclosures <zdi-disclosures@trendmicro.com> Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org> Signed-off-by: Samuel Thibault <samuel.thibault@ens-lyon.org>
2017-02-26slirp: Convert mbufs to use g_malloc() and g_free()Peter Maydell1-16/+14
The mbuf code currently doesn't check the result of doing a malloc() or realloc() of its data (spotted by Coverity, CID 1238946). Since the m_inc() API assumes that extending an mbuf must succeed, just convert to g_malloc() and g_free(). Signed-off-by: Peter Maydell <peter.maydell@linaro.org> Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org> Signed-off-by: Samuel Thibault <samuel.thibault@ens-lyon.org>
2016-07-12Use #include "..." for our own headers, <...> for othersMarkus Armbruster1-1/+1
Tracked down with an ugly, brittle and probably buggy Perl script. Also move includes converted to <...> up so they get included before ours where that's obviously okay. Signed-off-by: Markus Armbruster <armbru@redhat.com> Reviewed-by: Eric Blake <eblake@redhat.com> Tested-by: Eric Blake <eblake@redhat.com> Reviewed-by: Richard Henderson <rth@twiddle.net>
2016-03-23Avoid embedding struct mbuf in other structuresSamuel Thibault1-9/+10
struct mbuf uses a C99 open char array to allow inlining data. Inlining this in another structure is however a GNU extension. The inlines used so far in struct Slirp were actually only needed as head of struct mbuf lists. This replaces these inline with mere struct quehead, and use casts as appropriate. Signed-off-by: Samuel Thibault <samuel.thibault@ens-lyon.org> Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
2016-03-15slirp: Factorizing tcpiphdr structure with an unionGuillaume Subiron1-2/+2
This patch factorizes the tcpiphdr structure to put the IPv4 fields in an union, for addition of version 6 in further patch. Using some macros, retrocompatibility of the existing code is assured. This patch also fixes the SLIRP_MSIZE and margin computation in various functions, and makes them compatible with the new tcpiphdr structure, whose size will be bigger than sizeof(struct tcphdr) + sizeof(struct ip) Signed-off-by: Guillaume Subiron <maethor@subiron.org> Signed-off-by: Samuel Thibault <samuel.thibault@ens-lyon.org> Reviewed-by: Thomas Huth <thuth@redhat.com>
2016-02-04slirp: Clean up includesPeter Maydell1-0/+1
Clean up includes so that osdep.h is included first and headers which it implies are not included manually. This commit was created with scripts/clean-includes. Signed-off-by: Peter Maydell <peter.maydell@linaro.org> Message-id: 1454089805-5470-10-git-send-email-peter.maydell@linaro.org
2016-02-04slirp: Generalizing and neutralizing ARP codeGuillaume Subiron1-1/+1
Basically, this patch replaces "arp" by "resolution" every time "arp" means "mac resolution" and not specifically ARP. This prepares for IPv6 support. Signed-off-by: Guillaume Subiron <maethor@subiron.org> Signed-off-by: Samuel Thibault <samuel.thibault@ens-lyon.org> Reviewed-by: Thomas Huth <thuth@redhat.com> Signed-off-by: Jason Wang <jasowang@redhat.com>
2015-11-12slirp: Fix type casts and format strings in debug codeStefan Weil1-3/+3
Casting pointers to long won't work on 64 bit Windows. It is not needed with the right format strings. Signed-off-by: Stefan Weil <sw@weilnetz.de> Signed-off-by: Jason Wang <jasowang@redhat.com>
2012-03-13slirp: Cleanup resources on instance removalJan Kiszka1-0/+21
Close & free sockets when shutting down a slirp instance, also release all buffers. CC: Michael S. Tsirkin <mst@redhat.com> Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
2011-08-03Delayed IP packetsFabien Chouteau1-0/+2
In the current implementation, if Slirp tries to send an IP packet to a client with an unknown hardware address, the packet is simply dropped and an ARP request is sent (if_encap in slirp/slirp.c). With this patch, Slirp will send the ARP request, re-queue the packet and try to send it later. The packet is dropped after one second if the ARP reply is not received. Signed-off-by: Fabien Chouteau <chouteau@adacore.com> Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
2011-02-14Fix build from previous commitAnthony Liguori1-1/+1
I unfortunately got on an unnamed branch and pushed the wrong bits Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
2011-02-14PATCH] slirp: fix buffer overrunBruce Rogers1-2/+2
Since the addition of the slirp member to struct mbuf, the value of SLIRP_MSIZE and the initialization of m_size have not been correct, resulting in overrunning the end of the malloc'd buffer in some cases. Signed-off-by: Bruce Rogers <brogers@novell.com> Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
2009-11-21slirp: fix use-after-freeMark McLoughlin1-1/+1
460fec67ee introduced a use-after free in slirp. Cc: Jan Kiszka <jan.kiszka@siemens.com> Signed-off-by: Mark McLoughlin <markmc@redhat.com> Signed-off-by: Aurelien Jarno <aurelien@aurel32.net>
2009-06-29slirp: Factor out internal state structureJan Kiszka1-15/+15
The essence of this patch is to stuff (almost) all global variables of the slirp stack into the structure Slirp. In this step, we still keep the structure as global variable, directly accessible by the whole stack. Changes to the external interface of slirp will be applied in the following patches. Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com> Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
2009-06-29slirp: Drop statistic codeJan Kiszka1-4/+1
As agreed on the mailing list, there is no interest in keeping the usually disabled slirp statistics in the tree. So this patch removes them. Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com> Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
2009-06-29slirp: Drop dead codeJan Kiszka1-6/+0
After all its years inside the qemu tree, there is no point in keeping the dead code paths of slirp. This patch is a first round of removing usually commented out code parts. More cleanups need to follow (and maybe finally a proper reindention). Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com> Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
2009-03-07Sparse fixes: NULL use, header order, ANSI prototypes, staticblueswir11-19/+10
Fix Sparse warnings: * use NULL instead of plain 0 * rearrange header include order to avoid redefining types accidentally * ANSIfy SLIRP * avoid "restrict" keyword * add static git-svn-id: svn://svn.savannah.nongnu.org/qemu/trunk@6736 c046a42c-6fe2-441c-8c8c-71466251a162
2008-12-13Remove unnecessary trailing newlinesblueswir11-1/+0
git-svn-id: svn://svn.savannah.nongnu.org/qemu/trunk@6000 c046a42c-6fe2-441c-8c8c-71466251a162
2008-10-01Remove unused variablesblueswir11-2/+0
git-svn-id: svn://svn.savannah.nongnu.org/qemu/trunk@5374 c046a42c-6fe2-441c-8c8c-71466251a162
2008-08-30Fix some warnings that would be generated by gcc -Wredundant-declsblueswir11-3/+3
git-svn-id: svn://svn.savannah.nongnu.org/qemu/trunk@5115 c046a42c-6fe2-441c-8c8c-71466251a162
2007-10-26 Use const and static as needed, disable unused codeblueswir11-17/+10
git-svn-id: svn://svn.savannah.nongnu.org/qemu/trunk@3452 c046a42c-6fe2-441c-8c8c-71466251a162
2007-09-17find -type f | xargs sed -i 's/[\t ]*$//g' # Yes, again. Note the star in ↵ths1-2/+2
the regex. git-svn-id: svn://svn.savannah.nongnu.org/qemu/trunk@3177 c046a42c-6fe2-441c-8c8c-71466251a162
2007-09-16find -type f | xargs sed -i 's/[\t ]$//g' # on most filesths1-16/+16
git-svn-id: svn://svn.savannah.nongnu.org/qemu/trunk@3173 c046a42c-6fe2-441c-8c8c-71466251a162
2006-05-01fixed realloc logic (Ed Swierk)bellard1-3/+4
git-svn-id: svn://svn.savannah.nongnu.org/qemu/trunk@1879 c046a42c-6fe2-441c-8c8c-71466251a162
2004-04-22initial user mode network supportbellard1-0/+245
git-svn-id: svn://svn.savannah.nongnu.org/qemu/trunk@733 c046a42c-6fe2-441c-8c8c-71466251a162