| Age | Commit message (Collapse) | Author | Files | Lines |
|---|
|
While emulating services in tcp_emu(), it uses 'mbuf' size
'm->m_size' to write commands via snprintf(3). Use M_FREEROOM(m)
size to avoid possible OOB access.
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
Signed-off-by: Samuel Thibault <samuel.thibault@ens-lyon.org>
Message-Id: <20200109094228.79764-3-ppandit@redhat.com>
|
|
While emulating IRC DCC commands, tcp_emu() uses 'mbuf' size
'm->m_size' to write DCC commands via snprintf(3). This may
lead to OOB write access, because 'bptr' points somewhere in
the middle of 'mbuf' buffer, not at the start. Use M_FREEROOM(m)
size to avoid OOB access.
Reported-by: Vishnu Dev TJ <vishnudevtj@gmail.com>
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
Reviewed-by: Samuel Thibault <samuel.thibault@ens-lyon.org>
Message-Id: <20200109094228.79764-2-ppandit@redhat.com>
|
|
tcp_emu: Fix oob access
See merge request slirp/libslirp!27
|
|
The main loop only checks for one available byte, while we sometimes
need two bytes.
|
|
Add slirp_add_unix()
See merge request slirp/libslirp!26
|
|
Add a new function to forward to a unix socket.
Signed-off-by: Renzo Davoli <renzo@cs.unibo.it>
[ Marc-André - a bunch of cleanups ]
Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
|
|
Signed-off-by: Renzo Davoli <renzo@cs.unibo.it>
[ Marc-André Lureau - squash & fixup indentation ]
Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
|
|
Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
|
|
'ncsi_calculate_checksum' computes an optional checksum value for
the ncsi response packet by reading the data as series of 2 byte
words. But it receives the data length in number of bytes. Fix the for
loop to run for half the iterations to compute checksum for valid
data bytes and avoid OOB access.
Reported-by: Xingwei Lin <linyi.lxw@antfin.com>
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
Message-Id: <20191230063934.65562-1-ppandit@redhat.com>
|
|
git-publish [1] is a convenient tool to send patches and has been
popular among QEMU developers. Recently it has been made available in
Fedora/Debian official repo.
[1]: https://github.com/stefanha/git-publish
Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Message-Id: <20190822144427.24085-1-philmd@redhat.com>
|
|
Release v4.1.0
See merge request slirp/libslirp!21
|
|
Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
|
|
libtool versions must be translated to maj.min.rev, where maj =
current - age.
Also fix lt_current usage, quoting Samuel Thibault:
soversion is not the same as lt_current. soversion must be lt_current
- lt_age, so that the soname stays the same when binary compatibility
is preserved (here, 0), and gets bumped on compatibility break. Yes,
on compatibility break the bump will be big. That's because non-soname
OSes the compatibility support is different. The details are hairy,
yes :)
Instead, rely on meson doing the right thing with soversion by
default.
Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
|
|
Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
|
|
Mem cleanups
See merge request slirp/libslirp!20
|
|
qemu crashes with a segfault (NULL pointer access in tcp_sockclosed),
tp = tcp_close(tp) will free tp and set tp to NULL, then tcp_output(tp)
access the null pointer(tp).
This fixes:
384 break;
385 }
CID 68914397: (NULL_RETURNS)
386. dereference: Dereferencing a pointer that might be "NULL"
"tp" when calling "tcp_output".
386 tcp_output(tp);
387}
Reported-by: Euler Robot <euler.robot@huawei.com>
Signed-off-by: PanNengyuan <pannengyuan@huawei.com>
Message-Id: <1574644852-24440-1-git-send-email-pannengyuan@huawei.com>
Fixes: 804f441a9d6998a57040bf36685a17a6436b2ea8
Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
|
|
Make host receive broadcast packets
Closes #9
See merge request slirp/libslirp!15
|
|
Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
|
|
Silence:
src/vmstate.c:324:17: warning: Value stored to 'ret' is never read
Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
|
|
This has also the side-effect of silencing a false-positive in
scan-build.
Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
|
|
realloc/g_realloc() allocates memory if given ptr is NULL.
Note:
This changes a bit the code, since now sb_cc is always reset to 0,
even if old and new value are the same. This seems more coherent, but
may have weird side-effects if code relies on it.
Reviewing usage of sbreserve() reveals that it is used before the
socket buffer receives any data, at tcp_input() socket creation time,
and during tcp_mss() which is earlier in TCP socket state.
Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
|
|
Negative values wouldn't make sense in those functions and could lead
to weird results.
Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
|
|
arp: Allow 0.0.0.0 destination address
Closes #9
See merge request slirp/libslirp!16
|
|
sbreserve() will always succeed or abort().
Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
|
|
Now that tcp_newtcpcb() always returns != NULL.
Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
|
|
glib mem functions are already used in various places. Let's not mix
the two, and instead abort on OOM conditions.
Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
|
|
Let see if it happens, and drop it eventually some day.
Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
|
|
We shouldn't be reading undefined data, check that the data to read
remains within sb_cc limit.
Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
|
|
The only sbcopy() caller is tcp_output(). There, len is constrained to
be 0 <= len <= sb_cc. Let's add some assert to avoid potential
undefined behaviour (the function didn't return the actual number of
bytes copied).
Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
|
|
Signed-off-by: Jindrich Novy <jnovy@redhat.com>
[ Marc-André - modified to use a temporary variable ]
Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
|
|
socket: avoid getpeername after shutdown(SHUT_WR)
Closes #12
See merge request slirp/libslirp!19
|
|
avoid using getpeername(2) if the socket was already closed for
writing, as it will report the socket as disconnected.
Using getsockopt instead ensures there is no error returned.
Closes: https://gitlab.freedesktop.org/slirp/libslirp/issues/12
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
|
|
misc: fix compilation warnings
See merge request slirp/libslirp!18
|
|
Introduced in previous commit:
../src/misc.c: In function ‘fork_exec’:
../src/misc.c:184:9: warning: assignment to ‘GError *’ {aka ‘struct _GError *’} from ‘gboolean’ {aka ‘int’} makes pointer from integer without a cast [-Wint-conversion]
184 | err = g_shell_parse_argv(ex, &argc, &argv, &err);
| ^
../src/misc.c:173:14: warning: unused variable ‘ret’ [-Wunused-variable]
173 | gboolean ret;
| ^~~
Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
|
|
g_shell_parse_argv does only tokenization, and no replacement, so it is
safe to use it here.
This quesion arised when modifying QEMU because the new version 4 of
Samba disables version 1 of the SMB protocols, to run old Win clients I
am developing a patch that gets the value of the environment variable
SMBDOPTIONS and appends it to the smbd command line; it allows the user to
specify additional samba daemon parameters before starting qemu. Example:
export SMBDOPTIONS="--option='server min protocol=CORE' -d 4"
Signed-off-by: Jordi Pujol Palomer <jordipujolp@gmail.com>
|
|
That can show up with DHCP packets.
Fixes #9
Signed-off-by: Samuel Thibault <samuel.thibault@ens-lyon.org>
|
|
This is needed for using an external DHCP server
Fixes #9
|
|
meson: make it subproject friendly
See merge request slirp/libslirp!14
|
|
Using library() allows to build either static or shared library.
Declare a dependency, so parent projects can link with it easily:
slirp_proj = subproject('slirp')
slirp = slirp_proj.get_variable('libslirp_dep')
Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
|
|
ip_reass: Fix use after free
See merge request slirp/libslirp!12
|
|
Using ip_deq after m_free might read pointers from an allocation reuse.
This would be difficult to exploit, but that is still related with
CVE-2019-14378 which generates fragmented IP packets that would trigger this
issue and at least produce a DoS.
Signed-off-by: Samuel Thibault <samuel.thibault@ens-lyon.org>
|
|
fix a typo in a comment
See merge request slirp/libslirp!11
|
|
Signed-off-by: Samuel Thibault <samuel.thibault@ens-lyon.org>
|
|
emu: disable by default
Closes #11
See merge request slirp/libslirp!10
|
|
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
|
|
tcp_emu() is known to have caused several CVEs, and not useful today in most cases.
https://nvd.nist.gov/vuln/detail/CVE-2019-6778
https://nvd.nist.gov/vuln/detail/CVE-2019-9824
The feature can be still enabled by setting SlirpConfig.enable_emu to
true.
Closes https://gitlab.freedesktop.org/slirp/libslirp/issues/11
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
|
|
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
|
|
ip_reass: explain why we should not always update the q pointer
Closes #10
See merge request slirp/libslirp!9
|
|
Closes #10
Signed-off-by: Samuel Thibault <samuel.thibault@ens-lyon.org>
|
|
|
