Age | Commit message (Collapse) | Author | Files | Lines |
|
it fixes a tightloop when a packet with len==0 is received.
Closes: https://github.com/rootless-containers/slirp4netns/issues/227
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
|
|
Signed-off-by: Stefan Weil <sw@weilnetz.de>
|
|
|
|
sizeof() returns a size_t so the tcpiphdr / ip+tcphdr difference will be
a size_t and always be >= 0, while this intended to detect the
difference getting < 0.
This is actually a no-op with the current code because it currently has
tcpiphdr bigger than ip+tcphdr.
Spotted by Coverity: CID 212435.
Spotted by Coverity: CID 212440.
Signed-off-by: Samuel Thibault <samuel.thibault@ens-lyon.org>
|
|
ip_stripoptions is moving data long in the same buffer; that's undefined
with memcpy, use memmove.
Buglink: https://bugs.launchpad.net/qemu/+bug/1878043
Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
|
|
snprintf() always nul-terminate.
The return value is the number of business bytes that would be produced
if the buffer was large enough.
If it returns N for a N size buffer, it means truncation occurred (and
we lost one business byte).
Related to: #22
Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
|
|
The size for Header has to be accounted for as well.
|
|
Drop IPv6 message shorter than what's mentioned in the payload
length header (+ the size of the IPv6 header). They're invalid an could
lead to data leakage in icmp6_send_echoreply().
|
|
The code is unreachable, so no need to break.
This silence static analyzer warnings.
Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Reviewed-by: Samuel Thibault <samuel.thibault@ens-lyon.org>
|
|
Fix the following GCC warnings:
src/ncsi.c: In function ‘ncsi_input’:
src/ncsi.c:139:31: error: cast discards ‘const’ qualifier from pointer target type [-Werror=cast-qual]
139 | struct ncsi_pkt_hdr *nh = (struct ncsi_pkt_hdr *)(pkt + ETH_HLEN);
| ^
src/dnssearch.c: In function ‘translate_dnssearch’:
src/dnssearch.c:242:33: error: cast discards ‘const’ qualifier from pointer target type [-Werror=cast-qual]
242 | num_domains = g_strv_length((GStrv)names);
| ^
src/slirp.c: In function ‘arp_input’:
src/slirp.c:747:31: error: cast discards ‘const’ qualifier from pointer target type [-Werror=cast-qual]
747 | struct slirp_arphdr *ah = (struct slirp_arphdr *)(pkt + ETH_HLEN);
| ^
src/dnssearch.c: In function ‘translate_dnssearch’:
src/dnssearch.c:242:33: error: cast discards ‘const’ qualifier from pointer target type [-Werror=cast-qual]
242 | num_domains = g_strv_length((const GStrv)names);
| ^
src/slirp.c: In function ‘arp_input’:
src/slirp.c:764:48: error: passing argument 3 of ‘arp_table_add’ discards ‘const’ qualifier from pointer target type [-Werror=discarded-qualifiers]
764 | arp_table_add(slirp, ah->ar_sip, ah->ar_sha);
| ~~^~~~~~~~
In file included from src/slirp.c:25:
src/slirp.h:101:60: note: expected ‘uint8_t *’ {aka ‘unsigned char *’} but argument is of type ‘const unsigned char *’
101 | void arp_table_add(Slirp *slirp, uint32_t ip_addr, uint8_t ethaddr[ETH_ALEN]);
| ~~~~~~~~^~~~~~~~~~~~~~~~~
src/slirp.c:783:48: error: passing argument 3 of ‘arp_table_add’ discards ‘const’ qualifier from pointer target type [-Werror=discarded-qualifiers]
783 | arp_table_add(slirp, ah->ar_sip, ah->ar_sha);
| ~~^~~~~~~~
In file included from src/slirp.c:25:
src/slirp.h:101:60: note: expected ‘uint8_t *’ {aka ‘unsigned char *’} but argument is of type ‘const unsigned char *’
101 | void arp_table_add(Slirp *slirp, uint32_t ip_addr, uint8_t ethaddr[ETH_ALEN]);
| ~~~~~~~~^~~~~~~~~~~~~~~~~
src/slirp.c:804:44: error: passing argument 3 of ‘arp_table_add’ discards ‘const’ qualifier from pointer target type [-Werror=discarded-qualifiers]
804 | arp_table_add(slirp, ah->ar_sip, ah->ar_sha);
| ~~^~~~~~~~
In file included from src/slirp.c:25:
src/slirp.h:101:60: note: expected ‘uint8_t *’ {aka ‘unsigned char *’} but argument is of type ‘const unsigned char *’
101 | void arp_table_add(Slirp *slirp, uint32_t ip_addr, uint8_t ethaddr[ETH_ALEN]);
| ~~~~~~~~^~~~~~~~~~~~~~~~~
Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Reviewed-by: Samuel Thibault <samuel.thibault@ens-lyon.org>
|
|
A packed struct needs different gcc attributes for compilations
with MinGW compilers because glib-2.0 adds compiler flag
-mms-bitfields which modifies the packing algorithm.
Attribute gcc_struct reverses the negative effects of -mms-bitfields.
We already have the SLIRP_PACKED definition for that, use it.
Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Reviewed-by: Samuel Thibault <samuel.thibault@ens-lyon.org>
|
|
Error: CHECKED_RETURN (CWE-252): [#def26]
libslirp-4.3.0/src/tftp.c:121: check_return: Calling "lseek(spt->fd, block_nr * spt->block_size, 0)" without checking return value. This library function may fail and return an error code.
119|
120| if (len) {
121|-> lseek(spt->fd, block_nr * spt->block_size, SEEK_SET);
122|
123| bytes_read = read(spt->fd, buf, len);
Signed-off-by: Jindrich Novy <jnovy@redhat.com>
Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
|
|
Error: UNINIT (CWE-457): [#def30]
libslirp-4.3.0/src/udp.c:325: var_decl: Declaring variable "addr" without initializer.
libslirp-4.3.0/src/udp.c:342: uninit_use_in_call: Using uninitialized value "addr". Field "addr.sin_zero" is uninitialized when calling "bind".
Signed-off-by: Jindrich Novy <jnovy@redhat.com>
Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
|
|
Error: STRING_OVERFLOW (CWE-120): [#def2]
libslirp-4.3.0/src/ip_icmp.c:277: fixed_size_dest: You might overrun the 20-character fixed-size string "bufa" by copying the return value of "inet_ntoa" without checking the length.
275| if (slirp_debug & DBG_MISC) {
276| char bufa[20], bufb[20];
277|-> strcpy(bufa, inet_ntoa(ip->ip_src));
278| strcpy(bufb, inet_ntoa(ip->ip_dst));
279| DEBUG_MISC(" %.16s to %.16s", bufa, bufb);
Error: STRING_OVERFLOW (CWE-120): [#def3]
libslirp-4.3.0/src/ip_icmp.c:278: fixed_size_dest: You might overrun the 20-character fixed-size string "bufb" by copying the return value of "inet_ntoa" without checking the length.
276| char bufa[20], bufb[20];
277| strcpy(bufa, inet_ntoa(ip->ip_src));
278|-> strcpy(bufb, inet_ntoa(ip->ip_dst));
279| DEBUG_MISC(" %.16s to %.16s", bufa, bufb);
280| }
Signed-off-by: Jindrich Novy <jnovy@redhat.com>
Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
|
|
Error: USE_AFTER_FREE (CWE-416): [#def1]
libslirp-4.3.0/src/ip_icmp.c:79: freed_arg: "icmp_detach" frees "slirp->icmp.so_next".
libslirp-4.3.0/src/ip_icmp.c:79: deref_arg: Calling "icmp_detach" dereferences freed pointer "slirp->icmp.so_next".
77| {
78| while (slirp->icmp.so_next != &slirp->icmp) {
79|-> icmp_detach(slirp->icmp.so_next);
80| }
81| }
Error: USE_AFTER_FREE (CWE-416): [#def27]
libslirp-4.3.0/src/udp.c:56: freed_arg: "udp_detach" frees "slirp->udb.so_next".
libslirp-4.3.0/src/udp.c:56: deref_arg: Calling "udp_detach" dereferences freed pointer "slirp->udb.so_next".
54| {
55| while (slirp->udb.so_next != &slirp->udb) {
56|-> udp_detach(slirp->udb.so_next);
57| }
58| }
Signed-off-by: Jindrich Novy <jnovy@redhat.com>
Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
|
|
The q pointer is updated when the mbuf data is moved from m_dat to
m_ext.
m_ext buffer may also be realloc()'ed and moved during m_cat():
q should also be updated in this case.
Reported-by: Aviv Sasson <asasson@paloaltonetworks.com>
Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Reviewed-by: Samuel Thibault <samuel.thibault@ens-lyon.org>
|
|
Follow-up to 1021b0dc38d39f1dc95a296fe3e05a24a087cdc6
(https://gitlab.freedesktop.org/slirp/libslirp/-/merge_requests/31)
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
|
|
Fixes #16
Signed-off-by: 5eraph <5eraph@protonmail.com>
|
|
Fixes #16
Signed-off-by: 5eraph <5eraph@protonmail.com>
|
|
Fixes: 09d410adbff5422b7ba7596bce0ca71f9f807ea9 ("allow custom MTU")
Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
|
|
Teach slirp_version_string() to return vcs version
See merge request slirp/libslirp!34
|
|
Meson build will use a vcs-generate version, while Makefile will
always use -git version, since it is only intended for submodule
usage. Eventually can be improved if needed.
Fixes:
https://gitlab.freedesktop.org/slirp/libslirp/issues/17
Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
|
|
Oops, it turns out the variable is there for portability reasons.
This reverts commit d65f3030a82743bf506b0611a6a1a0358ea5d52b.
Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
|
|
Currently, any address within the subnetwork will fallback on
loopback. It seems it has always been like that, but it seems wrong,
and I don't see a good reason to keep it this way. Fortunately, lack
of ARP reply made this unusable in practice, so we shouldn't break
much existing users.
Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
|
|
Somewhat related to #16, but not as restrictive.
(imho, it should be possible to access any port on the given DNS IP,
not just 53)
Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
|
|
The value is only set on success.
Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
|
|
Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
|
|
Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
|
|
Fixes #14
Signed-off-by: 5eraph <bcervenka@protonmail.com>
|
|
misc: slirp_fmt*() improvements
See merge request slirp/libslirp!28
|
|
The refactoring done in commit d181d14b "slirp: use a dedicated field
for chardev pointer" forgot to change one place in slirp_state_load
where 'ex_exec' was used to store the chardev ptr. This broke loading
of saved state.
Later commit 4f38cfb5 "slirp: remove unused EMU_RSH" removed this line
all together, as it now looked like it didn't do anything.
This commit ensures that guestfwd is properly setup on the socket when
loading state.
Signed-off-by: Anders Waldenborg <anders@0x63.nu>
|
|
Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Suggested-by: Daniel P. Berrangé <berrange@redhat.com>
|
|
The GLib impl guarantees GNU compatible format strings, which fixes
the horror of Windows platform format strings.
Suggested-by: Daniel P. Berrangé <berrange@redhat.com>
Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
|
|
Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
|
|
Various calls to snprintf() assume that snprintf() returns "only" the
number of bytes written (excluding terminating NUL).
https://pubs.opengroup.org/onlinepubs/9699919799/functions/snprintf.html#tag_16_159_04
"Upon successful completion, the snprintf() function shall return the
number of bytes that would be written to s had n been sufficiently
large excluding the terminating null byte."
Before patch ce131029, if there isn't enough room in "m_data" for the
"DCC ..." message, we overflow "m_data".
After the patch, if there isn't enough room for the same, we don't
overflow "m_data", but we set "m_len" out-of-bounds. The next time an
access is bounded by "m_len", we'll have a buffer overflow then.
Use slirp_fmt*() to fix potential OOB memory access.
Reported-by: Laszlo Ersek <lersek@redhat.com>
Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Reviewed-by: Samuel Thibault <samuel.thibault@ens-lyon.org>
Message-Id: <20200127092414.169796-7-marcandre.lureau@redhat.com>
|
|
Make it safer to OOB (sb_cc must not go out of sb_data), warn on
truncation, abort on error.
Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Reviewed-by: Samuel Thibault <samuel.thibault@ens-lyon.org>
Message-Id: <20200127092414.169796-6-marcandre.lureau@redhat.com>
|
|
Make it OOB-safe, warn on truncation, always \0-end, abort on error.
Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Reviewed-by: Samuel Thibault <samuel.thibault@ens-lyon.org>
Message-Id: <20200127092414.169796-5-marcandre.lureau@redhat.com>
|
|
Those are safe and should never fail. Nevertheless, use
slirp_snfillf0() for more safety.
Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Reviewed-by: Samuel Thibault <samuel.thibault@ens-lyon.org>
Message-Id: <20200127092414.169796-4-marcandre.lureau@redhat.com>
|
|
Warn if result is truncated, return bytes actually written (excluding \0).
Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Reviewed-by: Samuel Thibault <samuel.thibault@ens-lyon.org>
Message-Id: <20200127092414.169796-3-marcandre.lureau@redhat.com>
|
|
Various calls to snprintf() in libslirp assume that snprintf() returns
"only" the number of bytes written (excluding terminating NUL).
https://pubs.opengroup.org/onlinepubs/9699919799/functions/snprintf.html#tag_16_159_04
"Upon successful completion, the snprintf() function shall return the
number of bytes that would be written to s had n been sufficiently
large excluding the terminating null byte."
Introduce slirp_fmt() that handles several pathological cases the
way libslirp usually expect:
- treat error as fatal (instead of silently returning -1)
- fmt0() will always \0 end
- return the number of bytes actually written (instead of what would
have been written, which would usually result in OOB later), including
the ending \0 for fmt0()
- warn if truncation happened (instead of ignoring)
Other less common cases can still be handled with strcpy/snprintf() etc.
Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Reviewed-by: Samuel Thibault <samuel.thibault@ens-lyon.org>
Message-Id: <20200127092414.169796-2-marcandre.lureau@redhat.com>
|
|
Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Reviewed-by: Samuel Thibault <samuel.thibault@ens-lyon.org>
|
|
The current computation is a bit convoluted, and doesn't reflect >0.
What is actually computed is sizeof():
struct tftp_t {
struct udphdr udp;
uint16_t tp_op;
union {
...
char tp_buf[TFTP_BLOCKSIZE_MAX + 2];
} x;
}
- sizeof(struct udphdr) == udp field
- (TFTP_BLOCKSIZE_MAX + 2) == tp_buf field
+ n
What remains is: G_SIZEOF_MEMBER(struct tftp_t, tp_op) + n.
Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Reviewed-by: Samuel Thibault <samuel.thibault@ens-lyon.org>
|
|
Minor code simplification.
Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
|
|
Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Reviewed-by: Samuel Thibault <samuel.thibault@ens-lyon.org>
|
|
If the given bootp_filename is too long, it is silently truncated in
bootp.c snprintf().
Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Reviewed-by: Samuel Thibault <samuel.thibault@ens-lyon.org>
|
|
I am (overly?) optimistic this macro will be added to glib:
https://gitlab.gnome.org/GNOME/glib/merge_requests/1333
Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Reviewed-by: Samuel Thibault <samuel.thibault@ens-lyon.org>
|
|
tftp restricts relative or directory path access on Linux systems.
Apply same restrictions on Windows systems too. It helps to avoid
directory traversal issue.
Fixes: https://bugs.launchpad.net/qemu/+bug/1812451
Reported-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
Reviewed-by: Samuel Thibault <samuel.thibault@ens-lyon.org>
Message-Id: <20200113121431.156708-1-ppandit@redhat.com>
|
|
While emulating services in tcp_emu(), it uses 'mbuf' size
'm->m_size' to write commands via snprintf(3). Use M_FREEROOM(m)
size to avoid possible OOB access.
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
Signed-off-by: Samuel Thibault <samuel.thibault@ens-lyon.org>
Message-Id: <20200109094228.79764-3-ppandit@redhat.com>
|
|
While emulating IRC DCC commands, tcp_emu() uses 'mbuf' size
'm->m_size' to write DCC commands via snprintf(3). This may
lead to OOB write access, because 'bptr' points somewhere in
the middle of 'mbuf' buffer, not at the start. Use M_FREEROOM(m)
size to avoid OOB access.
Reported-by: Vishnu Dev TJ <vishnudevtj@gmail.com>
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
Reviewed-by: Samuel Thibault <samuel.thibault@ens-lyon.org>
Message-Id: <20200109094228.79764-2-ppandit@redhat.com>
|
|
The main loop only checks for one available byte, while we sometimes
need two bytes.
|