path: root/src
Age | Commit message | Author | Files | Lines
2021-02-18 | m_cleanup: fix memory leaks [memory_leaks] | jeremy marchand | 1 | -0/+12
m_cleanup didn't clean up the if_batchq and if_fastq queues, resulting in a memory leak (reported by ASAN while fuzzing).
2021-02-18 | ip6_output: fix memory leak on fast-send [ndp-leak] | Samuel Thibault | 1 | -0/+3
When emitting NDP Neighbour Solicitations, ip6_output immediately calls if_encap without going through any queue. if_encap however does not free the mbuf, so ip6_output has to do it. This was leaking one mbuf per NDP NS sent by slirp. Hopefully the guest was not using more than NDP_TABLE_SIZE (16) IPv6 addresses, in which case it was limited to a bounded number, but more addresses would result in leaks.
2021-02-16 | Reject host forwarding to ipv6 "addr-any" | Doug Evans | 1 | -0/+8
Libslirp currently only provides a stateless DHCPv6 server, and thus can't do the "addr-any -> guest IP address" translation that is done for ipv4. Until a stateful DHCPv6 server is available, reject addr-any. Signed-off-by: Doug Evans <dje@google.com>
2021-02-11 | tcpx_listen: Pass sizeof(addr) to memset | Doug Evans | 1 | -2/+2
Signed-off-by: Doug Evans <dje@google.com>
2021-02-11 | Complete timeout documentation | Samuel Thibault | 1 | -1/+1
2021-02-11 | Document the slirp API | Samuel Thibault | 1 | -9/+55
2021-02-03 | Merge branch 'ipv6-host-fwd-9-patch' into 'master' | Samuel Thibault | 7 | -44/+191
Add ipv6 host forward support See merge request slirp/libslirp!62
2021-02-03 | Add ipv6 host forward support | Doug Evans | 7 | -44/+191
Two exported functions are added which are the ipv6 versions of their ipv4 counterparts: slirp_add_ipv6_hostfwd, slirp_remove_ipv6_hostfwd. Signed-off-by: Doug Evans <dje@google.com>
2021-01-29 | tcp_subr: simplify code | Samuel Thibault | 1 | -1/+1
This is actually similar to the fix in 9f78e94912f9 ("Fix a typo that can cause slow socket response on Windows."), except that here there is no semantic change since s = so->s above. Signed-off-by: Samuel Thibault <samuel.thibault@ens-lyon.org>
2021-01-29 | [PATCH] Fix a typo that can cause slow socket response on Windows. | Hafiz Abid Qadeer | 1 | -1/+1
We observed slow responses on a host forwarded port on Windows. Investigation revealed that qemu_fd_register was being called with fd=-1 and this caused g_poll in qemu_poll_ns timing out. I tracked this behavior to the following commit: 748f8f4 slirp: replace qemu_set_nonblock() @@ -482,7 +483,8 @@ void tcp_connect(struct socket *inso) tcp_close(sototcpcb(so)); /* This will sofree() as well */ return; } - qemu_set_nonblock(s); + slirp_set_nonblock(s); + so->slirp->cb->register_poll_fd(so->s); It seems that calling register_poll_fd with so->s instead of s may be a typo. Changing it back to s solves this issue. The commit 748f8f4 made a similar change in tcp_fconnect but I have not touched it. Signed-off-by: Hafiz Abid Qadeer <abidh@codesourcery.com>
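Review bot: in the quoted hunk, register_poll_fd is given so->s while the descriptor that was just set non-blocking is s; the message reports fd=-1 reaching qemu_fd_register, which is consistent with so->s not yet being assigned at that point, so the call should take s, as this commit does. The same commit's change in tcp_fconnect, which the message leaves untouched, deserves the same question (is the field already assigned when the callback runs, or is the local the right argument?) rather than being deferred to a later fix.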
2021-01-24 | Fix unused variables | Marc-André Lureau | 1 | -2/+0
../../subprojects/libslirp/src/slirp.c:131:17: error: unused variable 'old_stat' [-Werror,-Wunused-variable]
    struct stat old_stat;
                ^
../../subprojects/libslirp/src/slirp.c:143:10: error: unused variable 'buff' [-Werror,-Wunused-variable]
    char buff[512];
         ^
2 errors generated.
Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
2021-01-20 | fork_exec_child_setup: improve signal handling | Nathaniel Wesley Filardo | 1 | -0/+8
Blocked signal state is inherited across exec(), so let's zero that out rather than inherit whatever it was when we spawned the child. POSIX has some strange rules about SIG_IGN'd SIGCHLD across exec, so let's not do that, just for consistency.
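The reset this commit describes, written out as an added example (this is not libslirp's fork_exec_child_setup; child_reset_signals, signal_is_blocked, signal_is_ignored and simulate_inherited_state are names chosen for this example). It clears the inherited mask with sigprocmask(SIG_SETMASK) and puts SIGCHLD and SIGPIPE back to SIG_DFL, because SIG_IGN, unlike a caught handler, survives exec(). simulate_inherited_state stands in for the parent's state so the before/after can be observed in a single process:

```c
#define _POSIX_C_SOURCE 200809L
#include <signal.h>
#include <stdio.h>
#include <string.h>

/* Reset inherited signal state in a forked child before exec().
 * Returns 0 on success, -1 on failure. (Assumed name; not libslirp's.) */
int child_reset_signals(void)
{
    sigset_t none;
    struct sigaction dfl;

    /* The blocked-signal mask is inherited across exec(): clear it. */
    if (sigemptyset(&none) < 0 || sigprocmask(SIG_SETMASK, &none, NULL) < 0)
        return -1;

    /* exec() resets caught handlers to SIG_DFL, but SIG_IGN survives it and
     * an ignored SIGCHLD has special semantics for the new program.
     * Put SIGCHLD (and SIGPIPE, commonly ignored by daemons) back to SIG_DFL. */
    memset(&dfl, 0, sizeof(dfl));
    dfl.sa_handler = SIG_DFL;
    if (sigemptyset(&dfl.sa_mask) < 0 ||
        sigaction(SIGCHLD, &dfl, NULL) < 0 ||
        sigaction(SIGPIPE, &dfl, NULL) < 0)
        return -1;
    return 0;
}

/* 1 if sig is blocked in the current mask, 0 if not, -1 on error. */
int signal_is_blocked(int sig)
{
    sigset_t cur;
    if (sigprocmask(SIG_BLOCK, NULL, &cur) < 0)
        return -1;
    return sigismember(&cur, sig);
}

/* 1 if sig is set to SIG_IGN, 0 otherwise, -1 on error. */
int signal_is_ignored(int sig)
{
    struct sigaction sa;
    if (sigaction(sig, NULL, &sa) < 0)
        return -1;
    return sa.sa_handler == SIG_IGN;
}

/* Constructed "parent" state: SIGUSR1 blocked, SIGCHLD ignored. This is
 * what a naive fork()+exec() child would inherit. Returns 0 on success. */
int simulate_inherited_state(void)
{
    sigset_t s;
    struct sigaction ign;

    if (sigemptyset(&s) < 0 || sigaddset(&s, SIGUSR1) < 0 ||
        sigprocmask(SIG_BLOCK, &s, NULL) < 0)
        return -1;
    memset(&ign, 0, sizeof(ign));
    ign.sa_handler = SIG_IGN;
    sigemptyset(&ign.sa_mask);
    return sigaction(SIGCHLD, &ign, NULL);
}

int main(void)
{
    simulate_inherited_state();
    printf("before reset: SIGUSR1 blocked=%d, SIGCHLD ignored=%d\n",
           signal_is_blocked(SIGUSR1), signal_is_ignored(SIGCHLD));
    child_reset_signals();
    printf("after reset:  SIGUSR1 blocked=%d, SIGCHLD ignored=%d\n",
           signal_is_blocked(SIGUSR1), signal_is_ignored(SIGCHLD));
    return 0;
}
```

In a real child, call child_reset_signals() between fork() and exec(), after any setup that must run with signals still blocked. Both sigprocmask and sigaction are async-signal-safe, so this is permitted in the child of a multithreaded parent.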
2020-12-04 | Remove some needless (void)casts | Marc-André Lureau | 7 | -18/+18
Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
2020-12-01 | Merge branch 'consume-empty-packet' into 'master' | Samuel Thibault | 1 | -3/+0
socket: consume empty packets See merge request slirp/libslirp!55
2020-12-01 | socket: consume empty packets | Giuseppe Scrivano | 1 | -3/+0
It fixes a tight loop when a packet with len==0 is received.
Closes: https://github.com/rootless-containers/slirp4netns/issues/227
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
2020-11-27 | Merge branch 'errors' into 'master' | Samuel Thibault | 6 | -6/+96
Enable forwarding ICMP errors See merge request slirp/libslirp!49
2020-11-27 | Merge branch 'ttl' into 'master' | Samuel Thibault | 3 | -0/+45
udp, udp6, icmp: handle TTL value See merge request slirp/libslirp!48
2020-11-27 | slirp: check pkt_len before reading protocol header | Prasad J Pandit | 2 | -0/+8
While processing ARP/NCSI packets in 'arp_input' or 'ncsi_input' routines, ensure that pkt_len is large enough to accommodate the respective protocol headers, lest it should do an OOB access. Add check to avoid it. CVE-2020-29129 CVE-2020-29130 QEMU: slirp: out-of-bounds access while processing ARP/NCSI packets -> https://www.openwall.com/lists/oss-security/2020/11/27/1 Reported-by: Qiuhao Li <Qiuhao.Li@outlook.com> Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org> Message-Id: <20201126135706.273950-1-ppandit@redhat.com> Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
2020-10-12 | Add DNS resolving for iOS | osy | 1 | -2/+99
iOS does not support reading /etc/resolv.conf, so we have to use libresolv. Also modified the build script to support building on Darwin systems.
2020-08-27 | Add G_GNUC_PRINTF to local function slirp_vsnprintf | Stefan Weil | 1 | -0/+1
Signed-off-by: Stefan Weil <sw@weilnetz.de>
2020-08-19 | sosendoob: better document what urgc is used for | Samuel Thibault | 1 | -3/+4
2020-08-18 | TCPIPHDR_DELTA: Fix potential negative value | Samuel Thibault | 1 | -2/+2
sizeof() returns a size_t so the tcpiphdr / ip+tcphdr difference will be a size_t and always be >= 0, while this intended to detect the difference getting < 0. This is actually a no-op with the current code because it currently has tcpiphdr bigger than ip+tcphdr. Spotted by Coverity: CID 212435. Spotted by Coverity: CID 212440. Signed-off-by: Samuel Thibault <samuel.thibault@ens-lyon.org>
2020-07-19 | udp, udp6, icmp, icmp6: Enable forwarding errors on Linux | Samuel Thibault | 2 | -1/+76
Not all icmp errors are reported as errno errors. Linux however lets us get them through a message error queue. Signed-off-by: Samuel Thibault <samuel.thibault@ens-lyon.org>
2020-07-19 | icmp, icmp6: Add icmp_forward_error and icmp6_forward_error | Samuel Thibault | 4 | -5/+20
They work like icmp_send_error and icmp6_send_error but allow specifying the source IP address.
Signed-off-by: Samuel Thibault <samuel.thibault@ens-lyon.org>
2020-07-19 | udp, udp6, icmp: handle TTL value | Samuel Thibault | 3 | -0/+45
For traceroute and such, we need to handle the TTL value like a router. Signed-off-by: Samuel Thibault <samuel.thibault@ens-lyon.org>
2020-07-17 | ip_stripoptions use memmove | Dr. David Alan Gilbert | 1 | -1/+1
ip_stripoptions is moving data along in the same buffer; that's undefined with memcpy, use memmove.
Buglink: https://bugs.launchpad.net/qemu/+bug/1878043
Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
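An added example (not the project's ip_stripoptions) of the move this commit is about: the payload is slid down over the IPv4 options that precede it, so source and destination overlap and memmove() is the only correct call. The name ipv4_strip_options and the sample packet bytes are this example's own constructions:

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IPV4_MIN_HLEN 20

/* Strip IPv4 options in place by sliding the payload down over them.
 * pkt points to the IPv4 header, len is the total number of bytes present.
 * Returns the new length, or 0 if the header is malformed/truncated.
 * (Assumed name; an added example, not libslirp's ip_stripoptions.) */
size_t ipv4_strip_options(uint8_t *pkt, size_t len)
{
    if (len < IPV4_MIN_HLEN || (pkt[0] >> 4) != 4)
        return 0;
    size_t hlen = (size_t)(pkt[0] & 0x0f) * 4;
    if (hlen < IPV4_MIN_HLEN || hlen > len)
        return 0;                        /* bogus IHL or truncated header */
    size_t optlen = hlen - IPV4_MIN_HLEN;
    if (optlen == 0)
        return len;                      /* nothing to strip */

    /* Source [hlen, len) and destination [20, len-optlen) overlap as soon as
     * the payload is longer than the options, so memcpy() is undefined
     * behaviour here and memmove() is required. */
    memmove(pkt + IPV4_MIN_HLEN, pkt + hlen, len - hlen);

    pkt[0] = (uint8_t)(0x40 | (IPV4_MIN_HLEN / 4));        /* IHL = 5 */
    uint16_t tot = (uint16_t)(((pkt[2] << 8) | pkt[3]) - optlen);
    pkt[2] = (uint8_t)(tot >> 8);
    pkt[3] = (uint8_t)(tot & 0xff);
    /* The header checksum is now stale; the caller must recompute it. */
    return len - optlen;
}

/* Constructed sample: IHL=6 (one 4-byte option block: NOP,NOP,NOP,EOL),
 * total length 32, UDP, 192.0.2.1 -> 192.0.2.2, 8-byte payload "ABCDEFGH". */
static const uint8_t sample_pkt[32] = {
    0x46, 0x00, 0x00, 0x20, 0x00, 0x01, 0x00, 0x00,
    0x40, 0x11, 0x00, 0x00, 0xc0, 0x00, 0x02, 0x01,
    0xc0, 0x00, 0x02, 0x02,
    0x01, 0x01, 0x01, 0x00,
    'A', 'B', 'C', 'D', 'E', 'F', 'G', 'H',
};

/* Copies the sample into out (>= 32 bytes) and strips it; returns new len. */
size_t strip_sample(uint8_t *out, size_t outsz)
{
    if (outsz < sizeof(sample_pkt))
        return 0;
    memcpy(out, sample_pkt, sizeof(sample_pkt));
    return ipv4_strip_options(out, sizeof(sample_pkt));
}

int main(void)
{
    uint8_t buf[64];
    size_t n = strip_sample(buf, sizeof(buf));
    printf("new length %zu, first byte 0x%02x, payload %.8s\n", n, buf[0], buf + 20);
    return 0;
}
```

Replacing the memmove with memcpy here will often appear to work on a given compiler and input, which is exactly why the bug survives review: build with -fsanitize=address (or run under valgrind) to have the overlap reported deterministically.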
2020-07-08 | util: do not silently truncate | Marc-André Lureau | 1 | -1/+1
snprintf() always nul-terminates. The return value is the number of business bytes that would be produced if the buffer was large enough. If it returns N for an N-size buffer, it means truncation occurred (and we lost one business byte).
Related to: #22
Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
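The truncation test, as an added example (not libslirp's util code; join_path and join_path_offbyone are this example's names): the strict form rejects n >= size, while the off-by-one form accepts n == size and silently loses the last byte, which is the case the commit describes.

```c
#include <stdio.h>
#include <string.h>

/* Build "<dir>/<name>" into dst. Returns 0 on success, -1 on truncation
 * or encoding error; dst is always NUL-terminated when dstsz > 0.
 * (Assumed name; an added example, not libslirp's code.) */
int join_path(char *dst, size_t dstsz, const char *dir, const char *name)
{
    int n = snprintf(dst, dstsz, "%s/%s", dir, name);
    /* snprintf() reports the length the full string would have had.
     * n == dstsz means the terminating NUL displaced the last real byte,
     * so the correct truncation test is >=, not > (or ==). */
    if (n < 0 || (size_t)n >= dstsz)
        return -1;
    return 0;
}

/* The off-by-one variant, kept for contrast: it accepts a result whose
 * last byte was silently dropped. */
int join_path_offbyone(char *dst, size_t dstsz, const char *dir, const char *name)
{
    int n = snprintf(dst, dstsz, "%s/%s", dir, name);
    if (n < 0 || (size_t)n > dstsz)
        return -1;
    return 0;
}

int main(void)
{
    char buf[8];   /* "/tmp/abc" needs 8 chars plus NUL: 9 bytes */
    printf("strict: %d -> \"%s\"\n", join_path(buf, sizeof(buf), "/tmp", "abc"), buf);
    printf("lax:    %d -> \"%s\"\n", join_path_offbyone(buf, sizeof(buf), "/tmp", "abc"), buf);
    return 0;
}
```

The same >= test applies to vsnprintf(), and to any wrapper that forwards its return value; a wrapper that returns the buffer size on truncation hides the condition from every caller above it.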
2020-07-03 | Fix MTU check | Ralf Haferkamp | 1 | -1/+1
The size of the header has to be accounted for as well.
2020-07-03 | Drop bogus IPv6 messages | Ralf Haferkamp | 1 | -0/+7
Drop IPv6 messages shorter than what's mentioned in the payload length header (+ the size of the IPv6 header). They're invalid and could lead to data leakage in icmp6_send_echoreply().
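An added example (not the project's input path) of the bounds discipline behind this commit and the "check pkt_len before reading protocol header" commit above: every length is checked before the field it guards is read, and the IPv6 payload length is checked against what is actually present in the buffer. ip6_check, the verdict enum and the sample frame are this example's own constructions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define ETH_HLEN        14
#define IP6_HLEN        40
#define ETHERTYPE_IPV6  0x86dd

enum ip6_verdict {
    IP6_OK = 0,
    IP6_SHORT_ETH,      /* not even a full Ethernet header */
    IP6_NOT_IPV6,       /* EtherType is something else */
    IP6_SHORT_HDR,      /* Ethernet header present, IPv6 header cut off */
    IP6_BAD_VERSION,    /* version nibble is not 6 */
    IP6_SHORT_PAYLOAD   /* payload length field claims more than we have */
};

/* Validate an Ethernet frame carrying IPv6 before any header field is
 * dereferenced. On IP6_OK, *payload_off/*payload_len describe the payload.
 * (Assumed names; an added example, not libslirp's ip6_input.) */
enum ip6_verdict ip6_check(const uint8_t *pkt, size_t pkt_len,
                           size_t *payload_off, size_t *payload_len)
{
    if (pkt_len < ETH_HLEN)
        return IP6_SHORT_ETH;
    uint16_t ethertype = (uint16_t)((pkt[12] << 8) | pkt[13]);
    if (ethertype != ETHERTYPE_IPV6)
        return IP6_NOT_IPV6;
    if (pkt_len < ETH_HLEN + IP6_HLEN)
        return IP6_SHORT_HDR;

    const uint8_t *ip6 = pkt + ETH_HLEN;
    if ((ip6[0] >> 4) != 6)
        return IP6_BAD_VERSION;
    size_t plen = (size_t)((ip6[4] << 8) | ip6[5]);
    /* Everything the header claims must actually be in the buffer; a handler
     * such as an echo reply that copies plen bytes would otherwise read past
     * the end of the packet and leak whatever follows it. */
    if (pkt_len < ETH_HLEN + IP6_HLEN + plen)
        return IP6_SHORT_PAYLOAD;

    *payload_off = ETH_HLEN + IP6_HLEN;
    *payload_len = plen;
    return IP6_OK;
}

/* Constructed 62-byte frame: Ethernet, IPv6 fe80::1 -> fe80::2 with
 * payload length 8 and next header 58 (ICMPv6), then 8 bytes of an
 * ICMPv6 echo request (checksum left zero; irrelevant to this check). */
static const uint8_t sample_frame[62] = {
    /* Ethernet: dst, src, type 0x86dd */
    0x33, 0x33, 0x00, 0x00, 0x00, 0x01,  0x52, 0x54, 0x00, 0x12, 0x34, 0x56,  0x86, 0xdd,
    /* IPv6: ver/tc/flow, payload len 8, nh 58, hlim 64 */
    0x60, 0x00, 0x00, 0x00,  0x00, 0x08,  0x3a, 0x40,
    /* src fe80::1 */
    0xfe, 0x80, 0, 0, 0, 0, 0, 0,  0, 0, 0, 0, 0, 0, 0, 0x01,
    /* dst fe80::2 */
    0xfe, 0x80, 0, 0, 0, 0, 0, 0,  0, 0, 0, 0, 0, 0, 0, 0x02,
    /* ICMPv6 echo request: type 128, code 0, cksum 0, id 1, seq 1 */
    0x80, 0x00, 0x00, 0x00,  0x00, 0x01, 0x00, 0x01,
};

/* Run the check over the first `len` bytes of the sample, as if the frame
 * had been truncated on the wire. */
enum ip6_verdict check_sample(size_t len, size_t *off, size_t *plen)
{
    if (len > sizeof(sample_frame))
        len = sizeof(sample_frame);
    return ip6_check(sample_frame, len, off, plen);
}

int main(void)
{
    size_t off = 0, plen = 0;
    static const size_t lens[] = { 62, 61, 53, 13 };
    for (size_t i = 0; i < sizeof(lens) / sizeof(lens[0]); i++)
        printf("len %2zu -> verdict %d\n", lens[i], check_sample(lens[i], &off, &plen));
    return 0;
}
```

The order of the checks is the point: the EtherType is read only after the Ethernet header is known to be complete, the version and payload length only after the fixed IPv6 header is, and nothing downstream is handed plen until the buffer is known to hold it.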
2020-06-01 | Remove unnecessary break | Philippe Mathieu-Daudé | 3 | -5/+0
The code is unreachable, so no need to break. This silences static analyzer warnings.
Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Reviewed-by: Samuel Thibault <samuel.thibault@ens-lyon.org>
2020-06-01 | Fix constness warnings | Philippe Mathieu-Daudé | 5 | -5/+9
Fix the following GCC warnings:

src/ncsi.c: In function ‘ncsi_input’:
src/ncsi.c:139:31: error: cast discards ‘const’ qualifier from pointer target type [-Werror=cast-qual]
  139 |     struct ncsi_pkt_hdr *nh = (struct ncsi_pkt_hdr *)(pkt + ETH_HLEN);
      |                               ^
src/dnssearch.c: In function ‘translate_dnssearch’:
src/dnssearch.c:242:33: error: cast discards ‘const’ qualifier from pointer target type [-Werror=cast-qual]
  242 |     num_domains = g_strv_length((GStrv)names);
      |                                 ^
src/slirp.c: In function ‘arp_input’:
src/slirp.c:747:31: error: cast discards ‘const’ qualifier from pointer target type [-Werror=cast-qual]
  747 |     struct slirp_arphdr *ah = (struct slirp_arphdr *)(pkt + ETH_HLEN);
      |                               ^
src/dnssearch.c: In function ‘translate_dnssearch’:
src/dnssearch.c:242:33: error: cast discards ‘const’ qualifier from pointer target type [-Werror=cast-qual]
  242 |     num_domains = g_strv_length((const GStrv)names);
      |                                 ^
src/slirp.c: In function ‘arp_input’:
src/slirp.c:764:48: error: passing argument 3 of ‘arp_table_add’ discards ‘const’ qualifier from pointer target type [-Werror=discarded-qualifiers]
  764 |         arp_table_add(slirp, ah->ar_sip, ah->ar_sha);
      |                                          ~~^~~~~~~~
In file included from src/slirp.c:25:
src/slirp.h:101:60: note: expected ‘uint8_t *’ {aka ‘unsigned char *’} but argument is of type ‘const unsigned char *’
  101 | void arp_table_add(Slirp *slirp, uint32_t ip_addr, uint8_t ethaddr[ETH_ALEN]);
      |                                                    ~~~~~~~~^~~~~~~~~~~~~~~~~
src/slirp.c:783:48: error: passing argument 3 of ‘arp_table_add’ discards ‘const’ qualifier from pointer target type [-Werror=discarded-qualifiers]
  783 |         arp_table_add(slirp, ah->ar_sip, ah->ar_sha);
      |                                          ~~^~~~~~~~
In file included from src/slirp.c:25:
src/slirp.h:101:60: note: expected ‘uint8_t *’ {aka ‘unsigned char *’} but argument is of type ‘const unsigned char *’
  101 | void arp_table_add(Slirp *slirp, uint32_t ip_addr, uint8_t ethaddr[ETH_ALEN]);
      |                                                    ~~~~~~~~^~~~~~~~~~~~~~~~~
src/slirp.c:804:44: error: passing argument 3 of ‘arp_table_add’ discards ‘const’ qualifier from pointer target type [-Werror=discarded-qualifiers]
  804 |     arp_table_add(slirp, ah->ar_sip, ah->ar_sha);
      |                                      ~~^~~~~~~~
In file included from src/slirp.c:25:
src/slirp.h:101:60: note: expected ‘uint8_t *’ {aka ‘unsigned char *’} but argument is of type ‘const unsigned char *’
  101 | void arp_table_add(Slirp *slirp, uint32_t ip_addr, uint8_t ethaddr[ETH_ALEN]);
      |                                                    ~~~~~~~~^~~~~~~~~~~~~~~~~

Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Reviewed-by: Samuel Thibault <samuel.thibault@ens-lyon.org>
2020-06-01 | Fix win32 builds by using the SLIRP_PACKED definition | Philippe Mathieu-Daudé | 1 | -1/+3
A packed struct needs different gcc attributes for compilations with MinGW compilers because glib-2.0 adds compiler flag -mms-bitfields which modifies the packing algorithm. Attribute gcc_struct reverses the negative effects of -mms-bitfields. We already have the SLIRP_PACKED definition for that, use it. Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com> Reviewed-by: Samuel Thibault <samuel.thibault@ens-lyon.org>
2020-05-27 | Check lseek() for failure | Jindrich Novy | 1 | -1/+3
Error: CHECKED_RETURN (CWE-252): [#def26]
libslirp-4.3.0/src/tftp.c:121: check_return: Calling "lseek(spt->fd, block_nr * spt->block_size, 0)" without checking return value. This library function may fail and return an error code.
  119|
  120|     if (len) {
  121|->       lseek(spt->fd, block_nr * spt->block_size, SEEK_SET);
  122|
  123|         bytes_read = read(spt->fd, buf, len);
Signed-off-by: Jindrich Novy <jnovy@redhat.com>
Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
2020-05-27 | Be sure to initialize sockaddr structure | Jindrich Novy | 1 | -0/+1
Error: UNINIT (CWE-457): [#def30]
libslirp-4.3.0/src/udp.c:325: var_decl: Declaring variable "addr" without initializer.
libslirp-4.3.0/src/udp.c:342: uninit_use_in_call: Using uninitialized value "addr". Field "addr.sin_zero" is uninitialized when calling "bind".
Signed-off-by: Jindrich Novy <jnovy@redhat.com>
Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
2020-05-27 | Use secure string copy to avoid overflow | Jindrich Novy | 1 | -2/+2
Error: STRING_OVERFLOW (CWE-120): [#def2]
libslirp-4.3.0/src/ip_icmp.c:277: fixed_size_dest: You might overrun the 20-character fixed-size string "bufa" by copying the return value of "inet_ntoa" without checking the length.
  275|         if (slirp_debug & DBG_MISC) {
  276|             char bufa[20], bufb[20];
  277|->           strcpy(bufa, inet_ntoa(ip->ip_src));
  278|             strcpy(bufb, inet_ntoa(ip->ip_dst));
  279|             DEBUG_MISC(" %.16s to %.16s", bufa, bufb);
Error: STRING_OVERFLOW (CWE-120): [#def3]
libslirp-4.3.0/src/ip_icmp.c:278: fixed_size_dest: You might overrun the 20-character fixed-size string "bufb" by copying the return value of "inet_ntoa" without checking the length.
  276|             char bufa[20], bufb[20];
  277|             strcpy(bufa, inet_ntoa(ip->ip_src));
  278|->           strcpy(bufb, inet_ntoa(ip->ip_dst));
  279|             DEBUG_MISC(" %.16s to %.16s", bufa, bufb);
  280|         }
Signed-off-by: Jindrich Novy <jnovy@redhat.com>
Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
2020-05-27 | Fix possible infinite loops and use-after-free | Jindrich Novy | 2 | -3/+9
Error: USE_AFTER_FREE (CWE-416): [#def1]
libslirp-4.3.0/src/ip_icmp.c:79: freed_arg: "icmp_detach" frees "slirp->icmp.so_next".
libslirp-4.3.0/src/ip_icmp.c:79: deref_arg: Calling "icmp_detach" dereferences freed pointer "slirp->icmp.so_next".
   77| {
   78|     while (slirp->icmp.so_next != &slirp->icmp) {
   79|->       icmp_detach(slirp->icmp.so_next);
   80|     }
   81| }
Error: USE_AFTER_FREE (CWE-416): [#def27]
libslirp-4.3.0/src/udp.c:56: freed_arg: "udp_detach" frees "slirp->udb.so_next".
libslirp-4.3.0/src/udp.c:56: deref_arg: Calling "udp_detach" dereferences freed pointer "slirp->udb.so_next".
   54| {
   55|     while (slirp->udb.so_next != &slirp->udb) {
   56|->       udp_detach(slirp->udb.so_next);
   57|     }
   58| }
Signed-off-by: Jindrich Novy <jnovy@redhat.com>
Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
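An added example (not libslirp's icmp_cleanup or udp_cleanup; struct sock and the sock_* names are this example's own) of the cleanup-loop shape that addresses what the Coverity report above flags: the loop reads each node's successor before that node is freed, so it never dereferences freed memory, and its iteration count is bounded by the nodes present when it started.

```c
#include <stdio.h>
#include <stdlib.h>

/* Minimal stand-in for a socket on a circular, sentinel-headed list.
 * (Assumed type; an added example, not libslirp's struct socket.) */
struct sock {
    struct sock *so_next;
    struct sock *so_prev;
    int id;
};

/* An empty list is a sentinel pointing at itself. */
void sock_list_init(struct sock *head)
{
    head->so_next = head;
    head->so_prev = head;
}

/* Insert a new node right after the sentinel. Returns NULL on OOM. */
struct sock *sock_attach(struct sock *head, int id)
{
    struct sock *so = calloc(1, sizeof(*so));
    if (so == NULL)
        return NULL;
    so->id = id;
    so->so_next = head->so_next;
    so->so_prev = head;
    head->so_next->so_prev = so;
    head->so_next = so;
    return so;
}

/* Unlink and free so. After this returns, so is dangling and must not be
 * read, including its so_next field. */
void sock_detach(struct sock *so)
{
    so->so_prev->so_next = so->so_next;
    so->so_next->so_prev = so->so_prev;
    free(so);
}

/* Tear down every node. The successor is captured before the detach that
 * frees the current node, so the loop never touches freed memory and walks
 * a bounded sequence of pointers. Returns the number of nodes freed. */
int sock_list_cleanup(struct sock *head)
{
    struct sock *so, *so_next;
    int n = 0;

    for (so = head->so_next; so != head; so = so_next) {
        so_next = so->so_next;      /* read before so is freed */
        sock_detach(so);
        n++;
    }
    return n;
}

int sock_list_len(const struct sock *head)
{
    int n = 0;
    for (const struct sock *so = head->so_next; so != head; so = so->so_next)
        n++;
    return n;
}

/* Demo: three nodes in, three nodes freed, list back to empty. */
int demo_cleanup(void)
{
    struct sock head;
    sock_list_init(&head);
    for (int i = 1; i <= 3; i++)
        if (sock_attach(&head, i) == NULL)
            return -1;
    int before = sock_list_len(&head);
    int freed = sock_list_cleanup(&head);
    int after = sock_list_len(&head);
    return (before == 3 && freed == 3 && after == 0 && head.so_next == &head) ? 0 : -1;
}

int main(void)
{
    printf("demo_cleanup() = %d\n", demo_cleanup());
    return 0;
}
```

Building with -fsanitize=address and running demo_cleanup is the quickest way to confirm that no freed node is ever read; the same build is what turns a latent use-after-free in a loop like the reported one into an immediate crash instead of silent corruption.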
2020-04-06 | Fix use-after-free in ip_reass() (CVE-2020-1983) | Marc-André Lureau | 1 | -4/+2
The q pointer is updated when the mbuf data is moved from m_dat to m_ext. m_ext buffer may also be realloc()'ed and moved during m_cat(): q should also be updated in this case. Reported-by: Aviv Sasson <asasson@paloaltonetworks.com> Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com> Reviewed-by: Samuel Thibault <samuel.thibault@ens-lyon.org>
2020-03-25 | libslirp.h: fix SlirpConfig v3 documentation | Akihiro Suda | 1 | -0/+3
Follow-up to 1021b0dc38d39f1dc95a296fe3e05a24a087cdc6 (https://gitlab.freedesktop.org/slirp/libslirp/-/merge_requests/31) Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
2020-03-24 | limit vnameserver_addr to port 53 | 5eraph | 1 | -2/+2
Fixes #16 Signed-off-by: 5eraph <5eraph@protonmail.com>
2020-03-23 | disable_dns option | 5eraph | 4 | -3/+12
Fixes #16 Signed-off-by: 5eraph <5eraph@protonmail.com>
2020-03-20 | build-sys: fix NetBSD build regression | Marc-André Lureau | 1 | -0/+5
Fixes: 09d410adbff5422b7ba7596bce0ca71f9f807ea9 ("allow custom MTU") Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
2020-03-17 | Merge branch 'vcs-version' into 'master' | Marc-André Lureau | 2 | -4/+2
Teach slirp_version_string() to return vcs version See merge request slirp/libslirp!34
2020-03-17 | Teach slirp_version_string() to return vcs version | Marc-André Lureau | 2 | -4/+2
Meson build will use a vcs-generated version, while Makefile will always use -git version, since it is only intended for submodule usage. It can eventually be improved if needed.
Fixes: https://gitlab.freedesktop.org/slirp/libslirp/issues/17
Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
2020-03-17 | Revert "socket: remove need for extra scope_id variable" | Marc-André Lureau | 1 | -1/+6
Oops, it turns out the variable is there for portability reasons. This reverts commit d65f3030a82743bf506b0611a6a1a0358ea5d52b. Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
2020-03-16 | socket: do not fallback on loopback addr for addresses in our mask/prefix | Marc-André Lureau | 1 | -16/+12
Currently, any address within the subnetwork will fallback on loopback. It seems it has always been like that, but it seems wrong, and I don't see a good reason to keep it this way. Fortunately, lack of ARP reply made this unusable in practice, so we shouldn't break many existing users.
Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
2020-03-16 | socket: do not fallback on host loopback if get_dns_addr() failed | Marc-André Lureau | 1 | -6/+2
Somewhat related to #16, but not as restrictive. (imho, it should be possible to access any port on the given DNS IP, not just 53) Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
2020-03-16 | socket: remove need for extra scope_id variable | Marc-André Lureau | 1 | -3/+1
The value is only set on success. Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
2020-03-16 | socket: factor out sotranslate ipv4/ipv6 handling | Marc-André Lureau | 1 | -42/+54
Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
2020-03-16 | socket: remove extra label and variable | Marc-André Lureau | 1 | -9/+6
Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
2020-03-02 | Use specific outbound IP address | 5eraph | 8 | -1/+58
Fixes #14 Signed-off-by: 5eraph <bcervenka@protonmail.com>