| Age | Commit message (Collapse) | Author | Files | Lines |
|---|
|
Make it OOB-safe, warn on truncation, always \0-end, abort on error.
Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Reviewed-by: Samuel Thibault <samuel.thibault@ens-lyon.org>
Message-Id: <20200127092414.169796-5-marcandre.lureau@redhat.com>
|
|
Those are safe and should never fail. Nevertheless, use
slirp_snfillf0() for more safety.
Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Reviewed-by: Samuel Thibault <samuel.thibault@ens-lyon.org>
Message-Id: <20200127092414.169796-4-marcandre.lureau@redhat.com>
|
|
Warn if result is truncated, return bytes actually written (excluding \0).
Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Reviewed-by: Samuel Thibault <samuel.thibault@ens-lyon.org>
Message-Id: <20200127092414.169796-3-marcandre.lureau@redhat.com>
|
|
Various calls to snprintf() in libslirp assume that snprintf() returns
"only" the number of bytes written (excluding terminating NUL).
https://pubs.opengroup.org/onlinepubs/9699919799/functions/snprintf.html#tag_16_159_04
"Upon successful completion, the snprintf() function shall return the
number of bytes that would be written to s had n been sufficiently
large excluding the terminating null byte."
Introduce slirp_fmt() that handles several pathological cases the
way libslirp usually expect:
- treat error as fatal (instead of silently returning -1)
- fmt0() will always \0 end
- return the number of bytes actually written (instead of what would
have been written, which would usually result in OOB later), including
the ending \0 for fmt0()
- warn if truncation happened (instead of ignoring)
Other less common cases can still be handled with strcpy/snprintf() etc.
Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Reviewed-by: Samuel Thibault <samuel.thibault@ens-lyon.org>
Message-Id: <20200127092414.169796-2-marcandre.lureau@redhat.com>
|
|
Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Reviewed-by: Samuel Thibault <samuel.thibault@ens-lyon.org>
|
|
The current computation is a bit convoluted, and doesn't reflect >0.
What is actually computed is sizeof():
struct tftp_t {
struct udphdr udp;
uint16_t tp_op;
union {
...
char tp_buf[TFTP_BLOCKSIZE_MAX + 2];
} x;
}
- sizeof(struct udphdr) == udp field
- (TFTP_BLOCKSIZE_MAX + 2) == tp_buf field
+ n
What remains is: G_SIZEOF_MEMBER(struct tftp_t, tp_op) + n.
Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Reviewed-by: Samuel Thibault <samuel.thibault@ens-lyon.org>
|
|
Minor code simplification.
Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
|
|
Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Reviewed-by: Samuel Thibault <samuel.thibault@ens-lyon.org>
|
|
If the given bootp_filename is too long, it is silently truncated in
bootp.c snprintf().
Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Reviewed-by: Samuel Thibault <samuel.thibault@ens-lyon.org>
|
|
I am (overly?) optimistic this macro will be added to glib:
https://gitlab.gnome.org/GNOME/glib/merge_requests/1333
Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Reviewed-by: Samuel Thibault <samuel.thibault@ens-lyon.org>
|
|
tftp restricts relative or directory path access on Linux systems.
Apply same restrictions on Windows systems too. It helps to avoid
directory traversal issue.
Fixes: https://bugs.launchpad.net/qemu/+bug/1812451
Reported-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
Reviewed-by: Samuel Thibault <samuel.thibault@ens-lyon.org>
Message-Id: <20200113121431.156708-1-ppandit@redhat.com>
|
|
While emulating services in tcp_emu(), it uses 'mbuf' size
'm->m_size' to write commands via snprintf(3). Use M_FREEROOM(m)
size to avoid possible OOB access.
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
Signed-off-by: Samuel Thibault <samuel.thibault@ens-lyon.org>
Message-Id: <20200109094228.79764-3-ppandit@redhat.com>
|
|
While emulating IRC DCC commands, tcp_emu() uses 'mbuf' size
'm->m_size' to write DCC commands via snprintf(3). This may
lead to OOB write access, because 'bptr' points somewhere in
the middle of 'mbuf' buffer, not at the start. Use M_FREEROOM(m)
size to avoid OOB access.
Reported-by: Vishnu Dev TJ <vishnudevtj@gmail.com>
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
Reviewed-by: Samuel Thibault <samuel.thibault@ens-lyon.org>
Message-Id: <20200109094228.79764-2-ppandit@redhat.com>
|
|
The main loop only checks for one available byte, while we sometimes
need two bytes.
|
|
Add a new function to forward to a unix socket.
Signed-off-by: Renzo Davoli <renzo@cs.unibo.it>
[ Marc-André - a bunch of cleanups ]
Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
|
|
Signed-off-by: Renzo Davoli <renzo@cs.unibo.it>
[ Marc-André Lureau - squash & fixup indentation ]
Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
|
|
'ncsi_calculate_checksum' computes an optional checksum value for
the ncsi response packet by reading the data as series of 2 byte
words. But it receives the data length in number of bytes. Fix the for
loop to run for half the iterations to compute checksum for valid
data bytes and avoid OOB access.
Reported-by: Xingwei Lin <linyi.lxw@antfin.com>
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
Message-Id: <20191230063934.65562-1-ppandit@redhat.com>
|
|
Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
|
|
Mem cleanups
See merge request slirp/libslirp!20
|
|
qemu crashes with a segfault (NULL pointer access in tcp_sockclosed),
tp = tcp_close(tp) will free tp and set tp to NULL, then tcp_output(tp)
access the null pointer(tp).
This fixes:
384 break;
385 }
CID 68914397: (NULL_RETURNS)
386. dereference: Dereferencing a pointer that might be "NULL"
"tp" when calling "tcp_output".
386 tcp_output(tp);
387}
Reported-by: Euler Robot <euler.robot@huawei.com>
Signed-off-by: PanNengyuan <pannengyuan@huawei.com>
Message-Id: <1574644852-24440-1-git-send-email-pannengyuan@huawei.com>
Fixes: 804f441a9d6998a57040bf36685a17a6436b2ea8
Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
|
|
Make host receive broadcast packets
Closes #9
See merge request slirp/libslirp!15
|
|
Silence:
src/vmstate.c:324:17: warning: Value stored to 'ret' is never read
Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
|
|
This has also the side-effect of silencing a false-positive in
scan-build.
Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
|
|
realloc/g_realloc() allocates memory if given ptr is NULL.
Note:
This changes a bit the code, since now sb_cc is always reset to 0,
even if old and new value are the same. This seems more coherent, but
may have weird side-effects if code relies on it.
Reviewing usage of sbreserve() reveals that it is used before the
socket buffer receives any data, at tcp_input() socket creation time,
and during tcp_mss() which is earlier in TCP socket state.
Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
|
|
Negative values wouldn't make sense in those functions and could lead
to weird results.
Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
|
|
arp: Allow 0.0.0.0 destination address
Closes #9
See merge request slirp/libslirp!16
|
|
sbreserve() will always succeed or abort().
Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
|
|
Now that tcp_newtcpcb() always returns != NULL.
Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
|
|
glib mem functions are already used in various places. Let's not mix
the two, and instead abort on OOM conditions.
Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
|
|
Let see if it happens, and drop it eventually some day.
Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
|
|
We shouldn't be reading undefined data, check that the data to read
remains within sb_cc limit.
Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
|
|
The only sbcopy() caller is tcp_output(). There, len is constrained to
be 0 <= len <= sb_cc. Let's add some assert to avoid potential
undefined behaviour (the function didn't return the actual number of
bytes copied).
Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
|
|
Signed-off-by: Jindrich Novy <jnovy@redhat.com>
[ Marc-André - modified to use a temporary variable ]
Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
|
|
avoid using getpeername(2) if the socket was already closed for
writing, as it will report the socket as disconnected.
Using getsockopt instead ensures there is no error returned.
Closes: https://gitlab.freedesktop.org/slirp/libslirp/issues/12
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
|
|
Introduced in previous commit:
../src/misc.c: In function ‘fork_exec’:
../src/misc.c:184:9: warning: assignment to ‘GError *’ {aka ‘struct _GError *’} from ‘gboolean’ {aka ‘int’} makes pointer from integer without a cast [-Wint-conversion]
184 | err = g_shell_parse_argv(ex, &argc, &argv, &err);
| ^
../src/misc.c:173:14: warning: unused variable ‘ret’ [-Wunused-variable]
173 | gboolean ret;
| ^~~
Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
|
|
g_shell_parse_argv does only tokenization, and no replacement, so it is
safe to use it here.
This quesion arised when modifying QEMU because the new version 4 of
Samba disables version 1 of the SMB protocols, to run old Win clients I
am developing a patch that gets the value of the environment variable
SMBDOPTIONS and appends it to the smbd command line; it allows the user to
specify additional samba daemon parameters before starting qemu. Example:
export SMBDOPTIONS="--option='server min protocol=CORE' -d 4"
Signed-off-by: Jordi Pujol Palomer <jordipujolp@gmail.com>
|
|
That can show up with DHCP packets.
Fixes #9
Signed-off-by: Samuel Thibault <samuel.thibault@ens-lyon.org>
|
|
This is needed for using an external DHCP server
Fixes #9
|
|
Using ip_deq after m_free might read pointers from an allocation reuse.
This would be difficult to exploit, but that is still related with
CVE-2019-14378 which generates fragmented IP packets that would trigger this
issue and at least produce a DoS.
Signed-off-by: Samuel Thibault <samuel.thibault@ens-lyon.org>
|
|
fix a typo in a comment
See merge request slirp/libslirp!11
|
|
Signed-off-by: Samuel Thibault <samuel.thibault@ens-lyon.org>
|
|
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
|
|
tcp_emu() is known to have caused several CVEs, and not useful today in most cases.
https://nvd.nist.gov/vuln/detail/CVE-2019-6778
https://nvd.nist.gov/vuln/detail/CVE-2019-9824
The feature can be still enabled by setting SlirpConfig.enable_emu to
true.
Closes https://gitlab.freedesktop.org/slirp/libslirp/issues/11
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
|
|
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
|
|
ip_reass: explain why we should not always update the q pointer
Closes #10
See merge request slirp/libslirp!9
|
|
Closes #10
Signed-off-by: Samuel Thibault <samuel.thibault@ens-lyon.org>
|
|
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
|
|
From https://github.com/rootless-containers/slirp4netns/blob/4889f5299f407d7d7566c76a3b8b5f71c99b6db5/qemu_patches/0003-slirp-add-disable_host_loopback-prohibit-connections.patch
Original commits:
* https://github.com/rootless-containers/slirp4netns/commit/6325473781bb344c225f54e2d28800fb0619d7ee
* https://github.com/rootless-containers/slirp4netns/commit/13b24026867d4c30d5d1465ac82e3bb890bf4caa
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
|
|
From https://github.com/rootless-containers/slirp4netns/blob/4889f5299f407d7d7566c76a3b8b5f71c99b6db5/qemu_patches/0002-slirp-allow-custom-MTU.patch
Original commits:
* https://github.com/rootless-containers/slirp4netns/commit/ea630a7e945cf538184ff1b1b4bd7b8ddc01993e
* https://github.com/rootless-containers/slirp4netns/commit/1508a66c93c223555f08651592dde3d2d708b166
* https://github.com/rootless-containers/slirp4netns/commit/19f3f41df4066d6103e6f882500e24db7ea7d9e1
* https://github.com/rootless-containers/slirp4netns/commit/a11abedafcc627ef0657999e63b211b0f26d4c02
* https://github.com/rootless-containers/slirp4netns/commit/2adbd7c449944d3b837164c86eedd3dcabbba1a6
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
|
|
From https://github.com/rootless-containers/slirp4netns/blob/4889f5299f407d7d7566c76a3b8b5f71c99b6db5/qemu_patches/0001-slirp-add-slirp_initx-SlirpConfig-SlirpCb-void.patch
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
|
