Age | Commit message (Collapse) | Author | Files | Lines |
|
stable-4.2: Fix CVE-2020-29129, CVE-2020-29130
See merge request slirp/libslirp!58
|
|
While processing ARP/NCSI packets in 'arp_input' or 'ncsi_input'
routines, ensure that pkt_len is large enough to accommodate the
respective protocol headers, lest it should do an OOB access.
Add check to avoid it.
CVE-2020-29129 CVE-2020-29130
QEMU: slirp: out-of-bounds access while processing ARP/NCSI packets
-> https://www.openwall.com/lists/oss-security/2020/11/27/1
Reported-by: Qiuhao Li <Qiuhao.Li@outlook.com>
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
Message-Id: <20201126135706.273950-1-ppandit@redhat.com>
Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
|
|
Stable 4.2 backports
See merge request slirp/libslirp!50
|
|
ip_stripoptions is moving data long in the same buffer; that's undefined
with memcpy, use memmove.
Buglink: https://bugs.launchpad.net/qemu/+bug/1878043
Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
|
|
snprintf() always nul-terminate.
The return value is the number of business bytes that would be produced
if the buffer was large enough.
If it returns N for a N size buffer, it means truncation occurred (and
we lost one business byte).
Related to: #22
Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
|
|
The size for Header has to be accounted for as well.
Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
|
|
Drop IPv6 message shorter than what's mentioned in the payload
length header (+ the size of the IPv6 header). They're invalid an could
lead to data leakage in icmp6_send_echoreply().
Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
|
|
The code is unreachable, so no need to break.
This silence static analyzer warnings.
Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Reviewed-by: Samuel Thibault <samuel.thibault@ens-lyon.org>
Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
|
|
Fix the following GCC warnings:
src/ncsi.c: In function ‘ncsi_input’:
src/ncsi.c:139:31: error: cast discards ‘const’ qualifier from pointer target type [-Werror=cast-qual]
139 | struct ncsi_pkt_hdr *nh = (struct ncsi_pkt_hdr *)(pkt + ETH_HLEN);
| ^
src/dnssearch.c: In function ‘translate_dnssearch’:
src/dnssearch.c:242:33: error: cast discards ‘const’ qualifier from pointer target type [-Werror=cast-qual]
242 | num_domains = g_strv_length((GStrv)names);
| ^
src/slirp.c: In function ‘arp_input’:
src/slirp.c:747:31: error: cast discards ‘const’ qualifier from pointer target type [-Werror=cast-qual]
747 | struct slirp_arphdr *ah = (struct slirp_arphdr *)(pkt + ETH_HLEN);
| ^
src/dnssearch.c: In function ‘translate_dnssearch’:
src/dnssearch.c:242:33: error: cast discards ‘const’ qualifier from pointer target type [-Werror=cast-qual]
242 | num_domains = g_strv_length((const GStrv)names);
| ^
src/slirp.c: In function ‘arp_input’:
src/slirp.c:764:48: error: passing argument 3 of ‘arp_table_add’ discards ‘const’ qualifier from pointer target type [-Werror=discarded-qualifiers]
764 | arp_table_add(slirp, ah->ar_sip, ah->ar_sha);
| ~~^~~~~~~~
In file included from src/slirp.c:25:
src/slirp.h:101:60: note: expected ‘uint8_t *’ {aka ‘unsigned char *’} but argument is of type ‘const unsigned char *’
101 | void arp_table_add(Slirp *slirp, uint32_t ip_addr, uint8_t ethaddr[ETH_ALEN]);
| ~~~~~~~~^~~~~~~~~~~~~~~~~
src/slirp.c:783:48: error: passing argument 3 of ‘arp_table_add’ discards ‘const’ qualifier from pointer target type [-Werror=discarded-qualifiers]
783 | arp_table_add(slirp, ah->ar_sip, ah->ar_sha);
| ~~^~~~~~~~
In file included from src/slirp.c:25:
src/slirp.h:101:60: note: expected ‘uint8_t *’ {aka ‘unsigned char *’} but argument is of type ‘const unsigned char *’
101 | void arp_table_add(Slirp *slirp, uint32_t ip_addr, uint8_t ethaddr[ETH_ALEN]);
| ~~~~~~~~^~~~~~~~~~~~~~~~~
src/slirp.c:804:44: error: passing argument 3 of ‘arp_table_add’ discards ‘const’ qualifier from pointer target type [-Werror=discarded-qualifiers]
804 | arp_table_add(slirp, ah->ar_sip, ah->ar_sha);
| ~~^~~~~~~~
In file included from src/slirp.c:25:
src/slirp.h:101:60: note: expected ‘uint8_t *’ {aka ‘unsigned char *’} but argument is of type ‘const unsigned char *’
101 | void arp_table_add(Slirp *slirp, uint32_t ip_addr, uint8_t ethaddr[ETH_ALEN]);
| ~~~~~~~~^~~~~~~~~~~~~~~~~
Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Reviewed-by: Samuel Thibault <samuel.thibault@ens-lyon.org>
Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
|
|
A packed struct needs different gcc attributes for compilations
with MinGW compilers because glib-2.0 adds compiler flag
-mms-bitfields which modifies the packing algorithm.
Attribute gcc_struct reverses the negative effects of -mms-bitfields.
We already have the SLIRP_PACKED definition for that, use it.
Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Reviewed-by: Samuel Thibault <samuel.thibault@ens-lyon.org>
Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
|
|
Error: CHECKED_RETURN (CWE-252): [#def26]
libslirp-4.3.0/src/tftp.c:121: check_return: Calling "lseek(spt->fd, block_nr * spt->block_size, 0)" without checking return value. This library function may fail and return an error code.
119|
120| if (len) {
121|-> lseek(spt->fd, block_nr * spt->block_size, SEEK_SET);
122|
123| bytes_read = read(spt->fd, buf, len);
Signed-off-by: Jindrich Novy <jnovy@redhat.com>
Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
|
|
Error: UNINIT (CWE-457): [#def30]
libslirp-4.3.0/src/udp.c:325: var_decl: Declaring variable "addr" without initializer.
libslirp-4.3.0/src/udp.c:342: uninit_use_in_call: Using uninitialized value "addr". Field "addr.sin_zero" is uninitialized when calling "bind".
Signed-off-by: Jindrich Novy <jnovy@redhat.com>
Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
|
|
Error: STRING_OVERFLOW (CWE-120): [#def2]
libslirp-4.3.0/src/ip_icmp.c:277: fixed_size_dest: You might overrun the 20-character fixed-size string "bufa" by copying the return value of "inet_ntoa" without checking the length.
275| if (slirp_debug & DBG_MISC) {
276| char bufa[20], bufb[20];
277|-> strcpy(bufa, inet_ntoa(ip->ip_src));
278| strcpy(bufb, inet_ntoa(ip->ip_dst));
279| DEBUG_MISC(" %.16s to %.16s", bufa, bufb);
Error: STRING_OVERFLOW (CWE-120): [#def3]
libslirp-4.3.0/src/ip_icmp.c:278: fixed_size_dest: You might overrun the 20-character fixed-size string "bufb" by copying the return value of "inet_ntoa" without checking the length.
276| char bufa[20], bufb[20];
277| strcpy(bufa, inet_ntoa(ip->ip_src));
278|-> strcpy(bufb, inet_ntoa(ip->ip_dst));
279| DEBUG_MISC(" %.16s to %.16s", bufa, bufb);
280| }
Signed-off-by: Jindrich Novy <jnovy@redhat.com>
Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
|
|
Error: USE_AFTER_FREE (CWE-416): [#def1]
libslirp-4.3.0/src/ip_icmp.c:79: freed_arg: "icmp_detach" frees "slirp->icmp.so_next".
libslirp-4.3.0/src/ip_icmp.c:79: deref_arg: Calling "icmp_detach" dereferences freed pointer "slirp->icmp.so_next".
77| {
78| while (slirp->icmp.so_next != &slirp->icmp) {
79|-> icmp_detach(slirp->icmp.so_next);
80| }
81| }
Error: USE_AFTER_FREE (CWE-416): [#def27]
libslirp-4.3.0/src/udp.c:56: freed_arg: "udp_detach" frees "slirp->udb.so_next".
libslirp-4.3.0/src/udp.c:56: deref_arg: Calling "udp_detach" dereferences freed pointer "slirp->udb.so_next".
54| {
55| while (slirp->udb.so_next != &slirp->udb) {
56|-> udp_detach(slirp->udb.so_next);
57| }
58| }
Signed-off-by: Jindrich Novy <jnovy@redhat.com>
Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
|
|
The q pointer is updated when the mbuf data is moved from m_dat to
m_ext.
m_ext buffer may also be realloc()'ed and moved during m_cat():
q should also be updated in this case.
Reported-by: Aviv Sasson <asasson@paloaltonetworks.com>
Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Reviewed-by: Samuel Thibault <samuel.thibault@ens-lyon.org>
(cherry picked from commit 9bd6c5913271eabcb7768a58197ed3301fe19f2d)
|
|
Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
|
|
build-sys: fix NetBSD build regression
See merge request slirp/libslirp!36
|
|
Fixes: 09d410adbff5422b7ba7596bce0ca71f9f807ea9 ("allow custom MTU")
Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
|
|
We didn't specify any version so far, but the git generated version
requires 0.49:
WARNING: Project specifies a minimum meson_version '>= 0.48' but uses features which were added in newer versions:
* 0.49.0: {'Calling "add_dist_script" with multiple arguments'}
Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
|
|
Teach slirp_version_string() to return vcs version
See merge request slirp/libslirp!34
|
|
Fix mingw scope-id warning
See merge request slirp/libslirp!35
|
|
Meson build will use a vcs-generate version, while Makefile will
always use -git version, since it is only intended for submodule
usage. Eventually can be improved if needed.
Fixes:
https://gitlab.freedesktop.org/slirp/libslirp/issues/17
Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
|
|
Oops, it turns out the variable is there for portability reasons.
This reverts commit d65f3030a82743bf506b0611a6a1a0358ea5d52b.
Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
|
|
Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
|
|
|
|
Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
|
|
Release v4.2.0
Closes #15
See merge request slirp/libslirp!33
|
|
Translate fixes
See merge request slirp/libslirp!32
|
|
Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
|
|
Currently, any address within the subnetwork will fallback on
loopback. It seems it has always been like that, but it seems wrong,
and I don't see a good reason to keep it this way. Fortunately, lack
of ARP reply made this unusable in practice, so we shouldn't break
much existing users.
Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
|
|
Somewhat related to #16, but not as restrictive.
(imho, it should be possible to access any port on the given DNS IP,
not just 53)
Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
|
|
The value is only set on success.
Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
|
|
Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
|
|
Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
|
|
use specific outbound IP address
See merge request slirp/libslirp!30
Reviewed-by: Samuel Thibault <samuel.thibault@ens-lyon.org>
|
|
Fixes #14
Signed-off-by: 5eraph <bcervenka@protonmail.com>
|
|
misc: slirp_fmt*() improvements
See merge request slirp/libslirp!28
|
|
Fix loading of guestfwd state
Unsure how testing usually is done for changes in this project.
I have built qemu with this change and it fixes the bug in my setup (testbed where a system is booted a snapshot is created, and then that snapshot is restored many times to run different tests. Outbound syslog uses a guestfwd to a qemu chardev)
See merge request slirp/libslirp!29
|
|
The refactoring done in commit d181d14b "slirp: use a dedicated field
for chardev pointer" forgot to change one place in slirp_state_load
where 'ex_exec' was used to store the chardev ptr. This broke loading
of saved state.
Later commit 4f38cfb5 "slirp: remove unused EMU_RSH" removed this line
all together, as it now looked like it didn't do anything.
This commit ensures that guestfwd is properly setup on the socket when
loading state.
Signed-off-by: Anders Waldenborg <anders@0x63.nu>
|
|
Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Suggested-by: Daniel P. Berrangé <berrange@redhat.com>
|
|
The GLib impl guarantees GNU compatible format strings, which fixes
the horror of Windows platform format strings.
Suggested-by: Daniel P. Berrangé <berrange@redhat.com>
Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
|
|
Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
|
|
Various calls to snprintf() assume that snprintf() returns "only" the
number of bytes written (excluding terminating NUL).
https://pubs.opengroup.org/onlinepubs/9699919799/functions/snprintf.html#tag_16_159_04
"Upon successful completion, the snprintf() function shall return the
number of bytes that would be written to s had n been sufficiently
large excluding the terminating null byte."
Before patch ce131029, if there isn't enough room in "m_data" for the
"DCC ..." message, we overflow "m_data".
After the patch, if there isn't enough room for the same, we don't
overflow "m_data", but we set "m_len" out-of-bounds. The next time an
access is bounded by "m_len", we'll have a buffer overflow then.
Use slirp_fmt*() to fix potential OOB memory access.
Reported-by: Laszlo Ersek <lersek@redhat.com>
Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Reviewed-by: Samuel Thibault <samuel.thibault@ens-lyon.org>
Message-Id: <20200127092414.169796-7-marcandre.lureau@redhat.com>
|
|
Make it safer to OOB (sb_cc must not go out of sb_data), warn on
truncation, abort on error.
Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Reviewed-by: Samuel Thibault <samuel.thibault@ens-lyon.org>
Message-Id: <20200127092414.169796-6-marcandre.lureau@redhat.com>
|
|
Make it OOB-safe, warn on truncation, always \0-end, abort on error.
Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Reviewed-by: Samuel Thibault <samuel.thibault@ens-lyon.org>
Message-Id: <20200127092414.169796-5-marcandre.lureau@redhat.com>
|
|
Those are safe and should never fail. Nevertheless, use
slirp_snfillf0() for more safety.
Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Reviewed-by: Samuel Thibault <samuel.thibault@ens-lyon.org>
Message-Id: <20200127092414.169796-4-marcandre.lureau@redhat.com>
|
|
Warn if result is truncated, return bytes actually written (excluding \0).
Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Reviewed-by: Samuel Thibault <samuel.thibault@ens-lyon.org>
Message-Id: <20200127092414.169796-3-marcandre.lureau@redhat.com>
|
|
Various calls to snprintf() in libslirp assume that snprintf() returns
"only" the number of bytes written (excluding terminating NUL).
https://pubs.opengroup.org/onlinepubs/9699919799/functions/snprintf.html#tag_16_159_04
"Upon successful completion, the snprintf() function shall return the
number of bytes that would be written to s had n been sufficiently
large excluding the terminating null byte."
Introduce slirp_fmt() that handles several pathological cases the
way libslirp usually expect:
- treat error as fatal (instead of silently returning -1)
- fmt0() will always \0 end
- return the number of bytes actually written (instead of what would
have been written, which would usually result in OOB later), including
the ending \0 for fmt0()
- warn if truncation happened (instead of ignoring)
Other less common cases can still be handled with strcpy/snprintf() etc.
Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Reviewed-by: Samuel Thibault <samuel.thibault@ens-lyon.org>
Message-Id: <20200127092414.169796-2-marcandre.lureau@redhat.com>
|
|
Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Reviewed-by: Samuel Thibault <samuel.thibault@ens-lyon.org>
|
|
The current computation is a bit convoluted, and doesn't reflect >0.
What is actually computed is sizeof():
struct tftp_t {
struct udphdr udp;
uint16_t tp_op;
union {
...
char tp_buf[TFTP_BLOCKSIZE_MAX + 2];
} x;
}
- sizeof(struct udphdr) == udp field
- (TFTP_BLOCKSIZE_MAX + 2) == tp_buf field
+ n
What remains is: G_SIZEOF_MEMBER(struct tftp_t, tp_op) + n.
Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Reviewed-by: Samuel Thibault <samuel.thibault@ens-lyon.org>
|