- Jan 14, 2020
-
-
tftp restricts relative or directory path access on Linux systems. Apply same restrictions on Windows systems too. It helps to avoid directory traversal issue.
Fixes: https://bugs.launchpad.net/qemu/+bug/1812451
Reported-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
Reviewed-by: Samuel Thibault <samuel.thibault@ens-lyon.org>
Message-Id: <20200113121431.156708-1-ppandit@redhat.com>
-
- Jan 12, 2020
-
-
While emulating services in tcp_emu(), it uses 'mbuf' size 'm->m_size' to write commands via snprintf(3). Use M_FREEROOM(m) size to avoid possible OOB access.
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
Signed-off-by: Samuel Thibault <samuel.thibault@ens-lyon.org>
Message-Id: <20200109094228.79764-3-ppandit@redhat.com>
-
While emulating IRC DCC commands, tcp_emu() uses 'mbuf' size 'm->m_size' to write DCC commands via snprintf(3). This may lead to OOB write access, because 'bptr' points somewhere in the middle of 'mbuf' buffer, not at the start. Use M_FREEROOM(m) size to avoid OOB access.
Reported-by: Vishnu Dev TJ <vishnudevtj@gmail.com>
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
Reviewed-by: Samuel Thibault <samuel.thibault@ens-lyon.org>
Message-Id: <20200109094228.79764-2-ppandit@redhat.com>
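Added example, not code from libslirp or from these commits: a toy buffer showing why the snprintf(3) bound has to be the room left behind the write position rather than the whole buffer size, as the two tcp_emu() messages above describe. The struct layout, the helper names and the command format are assumptions of this sketch; toy_freeroom() only plays the role that M_FREEROOM(m) has on the page.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Simplified stand-in for an mbuf; the layout is an assumption of this sketch. */
struct toy_mbuf {
    char dat[64];    /* data area */
    char guard[16];  /* constructed canary standing in for adjacent memory */
    size_t size;     /* size of dat, the role m->m_size plays */
    size_t len;      /* bytes already occupied by the packet */
};

static void toy_init(struct toy_mbuf *m, size_t used)
{
    memset(m->dat, 'A', sizeof m->dat);
    memset(m->guard, 'G', sizeof m->guard);
    m->size = sizeof m->dat;
    m->len = used;
}

/* Room left behind the occupied bytes, the role M_FREEROOM(m) plays. */
static size_t toy_freeroom(const struct toy_mbuf *m) { return m->size - m->len; }

/* 1 if a write of up to 'bound' bytes at the write position can pass the end of dat. */
static int bound_passes_end(const struct toy_mbuf *m, size_t bound)
{
    return m->len + bound > m->size;
}

/* Append a command (constructed format), bounded by free room; -1 if it does not fit. */
static int append_cmd(struct toy_mbuf *m, const char *nick, unsigned port)
{
    char *bptr = m->dat + m->len;   /* in the middle of the buffer, not at its start */
    size_t room = toy_freeroom(m);
    int n = snprintf(bptr, room, "DCC CHAT %s %u\n", nick, port);
    if (n < 0 || (size_t)n >= room)
        return -1;                  /* truncated: do not account for the bytes */
    m->len += (size_t)n;
    return n;
}

int main(void)
{
    struct toy_mbuf m;
    toy_init(&m, 40);
    printf("%d %d\n", bound_passes_end(&m, m.size), bound_passes_end(&m, toy_freeroom(&m)));
    printf("%d\n", append_cmd(&m, "bob", 6667));
    return 0;
}
```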
-
- Jan 08, 2020
-
-
Samuel Thibault authored
tcp_emu: Fix oob access
See merge request !27
-
Samuel Thibault authored
The main loop only checks for one available byte, while we sometimes need two bytes.
-
- Jan 04, 2020
-
-
Marc-André Lureau authored
Add slirp_add_unix()
See merge request !26
-
Renzo Davoli authored
Add a new function to forward to a unix socket.
Signed-off-by: Renzo Davoli <renzo@cs.unibo.it>
[ Marc-André - a bunch of cleanups ]
Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
-
Renzo Davoli authored
Signed-off-by: Renzo Davoli <renzo@cs.unibo.it>
[ Marc-André Lureau - squash & fixup indentation ]
Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
-
- Jan 03, 2020
-
-
Marc-André Lureau authored
Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
-
- Dec 30, 2019
-
-
'ncsi_calculate_checksum' computes an optional checksum value for the ncsi response packet by reading the data as series of 2 byte words. But it receives the data length in number of bytes. Fix the for loop to run for half the iterations to compute checksum for valid data bytes and avoid OOB access.
Reported-by: Xingwei Lin <linyi.lxw@antfin.com>
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
Message-Id: <20191230063934.65562-1-ppandit@redhat.com>
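Added example, not code from libslirp or from this commit: the byte-count versus word-count mismatch described in the message above, with the over-read kept inside one constructed array so its effect on the checksum can be observed. The function names, the big-endian summing and the final negation are assumptions of this sketch; only the loop bound is taken from the page.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Add up 'nwords' big-endian 16-bit words and negate the sum. The exact
 * arithmetic is an assumption of this sketch; the loop bound is the point. */
static uint32_t sum_words(const uint8_t *data, size_t nwords)
{
    uint32_t sum = 0;
    for (size_t i = 0; i < nwords; i++)
        sum += ((uint32_t)data[2 * i] << 8) | data[2 * i + 1];
    return ~sum + 1;
}

/* Loop bound taken straight from the byte count: reads 2 * len bytes. */
static uint32_t checksum_len_as_words(const uint8_t *d, size_t len) { return sum_words(d, len); }

/* Byte count converted to a word count first: reads len bytes
 * (an odd trailing byte is not summed in this sketch). */
static uint32_t checksum_len_halved(const uint8_t *d, size_t len) { return sum_words(d, len / 2); }

/* Constructed input: 'len' response bytes followed by 'len' bytes of unrelated
 * memory filled with 'fill', so the over-read stays inside this one array. */
static void make_region(uint8_t *region, size_t len, uint8_t fill)
{
    for (size_t i = 0; i < len; i++)
        region[i] = (uint8_t)(i + 1);
    memset(region + len, fill, len);
}

/* 1 if the checksum changes when only the bytes after the response change. */
static int depends_on_adjacent(uint32_t (*fn)(const uint8_t *, size_t), size_t len)
{
    uint8_t a[64], b[64];
    if (len > 32)
        return -1;              /* would not fit the constructed arrays */
    make_region(a, len, 0x00);
    make_region(b, len, 0x5a);
    return fn(a, len) != fn(b, len);
}

int main(void)
{
    printf("%d %d\n", depends_on_adjacent(checksum_len_as_words, 8),
           depends_on_adjacent(checksum_len_halved, 8));
    return 0;
}
```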
-
git-publish [1] is a convenient tool to send patches and has been popular among QEMU developers. Recently it has been made available in Fedora/Debian official repo.
[1]: https://github.com/stefanha/git-publish
Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Message-Id: <20190822144427.24085-1-philmd@redhat.com>
-
- Dec 04, 2019
-
-
Marc-André Lureau authored
Release v4.1.0
See merge request !21
-
- Dec 03, 2019
-
-
Marc-André Lureau authored
Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
-
Marc-André Lureau authored
libtool versions must be translated to maj.min.rev, where maj = current - age. Also fix lt_current usage, quoting Samuel Thibault:
  soversion is not the same as lt_current. soversion must be lt_current - lt_age, so that the soname stays the same when binary compatibility is preserved (here, 0), and gets bumped on compatibility break. Yes, on compatibility break the bump will be big. That's because non-soname OSes the compatibility support is different. The details are hairy, yes :)
Instead, rely on meson doing the right thing with soversion by default.
Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
-
Marc-André Lureau authored
Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
-
- Dec 01, 2019
-
-
Marc-André Lureau authored
Mem cleanups
See merge request !20
-
PanNengyuan authored
qemu crashes with a segfault (NULL pointer access in tcp_sockclosed), tp = tcp_close(tp) will free tp and set tp to NULL, then tcp_output(tp) accesses the null pointer (tp). This fixes:
  384         break;
  385     }
  CID 68914397: (NULL_RETURNS)
  386. dereference: Dereferencing a pointer that might be "NULL" "tp" when calling "tcp_output".
  386     tcp_output(tp);
  387 }
Reported-by: Euler Robot <euler.robot@huawei.com>
Signed-off-by: PanNengyuan <pannengyuan@huawei.com>
Message-Id: <1574644852-24440-1-git-send-email-pannengyuan@huawei.com>
Fixes: 804f441a
Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
-
- Nov 22, 2019
-
-
Samuel Thibault authored
Make host receive broadcast packets
Closes #9
See merge request !15
-
Marc-André Lureau authored
Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
-
Marc-André Lureau authored
Silence:
  src/vmstate.c:324:17: warning: Value stored to 'ret' is never read
Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
-
Marc-André Lureau authored
This has also the side-effect of silencing a false-positive in scan-build.
Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
-
Marc-André Lureau authored
realloc/g_realloc() allocates memory if given ptr is NULL. Note: This changes a bit the code, since now sb_cc is always reset to 0, even if old and new value are the same. This seems more coherent, but may have weird side-effects if code relies on it. Reviewing usage of sbreserve() reveals that it is used before the socket buffer receives any data, at tcp_input() socket creation time, and during tcp_mss() which is earlier in TCP socket state.
Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
-
Marc-André Lureau authored
Negative values wouldn't make sense in those functions and could lead to weird results.
Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
-
- Nov 21, 2019
-
-
Samuel Thibault authored
arp: Allow 0.0.0.0 destination address
Closes #9
See merge request !16
-
Marc-André Lureau authored
sbreserve() will always succeed or abort().
Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
-
Marc-André Lureau authored
Now that tcp_newtcpcb() always returns != NULL.
Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
-
Marc-André Lureau authored
glib mem functions are already used in various places. Let's not mix the two, and instead abort on OOM conditions.
Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
-
Marc-André Lureau authored
Let's see if it happens, and drop it eventually some day.
Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
-
Marc-André Lureau authored
We shouldn't be reading undefined data, check that the data to read remains within sb_cc limit.
Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
-
Marc-André Lureau authored
The only sbcopy() caller is tcp_output(). There, len is constrained to be 0 <= len <= sb_cc. Let's add some assert to avoid potential undefined behaviour (the function didn't return the actual number of bytes copied).
Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
-
Jindrich Novy authored
Signed-off-by: Jindrich Novy <jnovy@redhat.com>
[ Marc-André - modified to use a temporary variable ]
Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
-
Marc-André Lureau authored
socket: avoid getpeername after shutdown(SHUT_WR)
Closes #12
See merge request !19
-
Giuseppe Scrivano authored
avoid using getpeername(2) if the socket was already closed for writing, as it will report the socket as disconnected. Using getsockopt instead ensures there is no error returned.
Closes: slirp/libslirp#12
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
-
- Nov 07, 2019
-
-
Samuel Thibault authored
misc: fix compilation warnings
See merge request slirp/libslirp!18
-
Marc-André Lureau authored
Introduced in previous commit:
  ../src/misc.c: In function ‘fork_exec’:
  ../src/misc.c:184:9: warning: assignment to ‘GError *’ {aka ‘struct _GError *’} from ‘gboolean’ {aka ‘int’} makes pointer from integer without a cast [-Wint-conversion]
    184 | err = g_shell_parse_argv(ex, &argc, &argv, &err);
        | ^
  ../src/misc.c:173:14: warning: unused variable ‘ret’ [-Wunused-variable]
    173 | gboolean ret;
        | ^~~
Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
-
- Nov 03, 2019
-
-
g_shell_parse_argv does only tokenization, and no replacement, so it is safe to use it here. This question arose when modifying QEMU because the new version 4 of Samba disables version 1 of the SMB protocols; to run old Win clients I am developing a patch that gets the value of the environment variable SMBDOPTIONS and appends it to the smbd command line; it allows the user to specify additional samba daemon parameters before starting qemu. Example:
  export SMBDOPTIONS="--option='server min protocol=CORE' -d 4"
Signed-off-by: Jordi Pujol Palomer <jordipujolp@gmail.com>
-
- Oct 13, 2019
-
-
Samuel Thibault authored
That can show up with DHCP packets.
Fixes #9
Signed-off-by: Samuel Thibault <samuel.thibault@ens-lyon.org>
-
Samuel Thibault authored
This is needed for using an external DHCP server
Fixes #9
-
- Oct 07, 2019
-
-
Marc-André Lureau authored
meson: make it subproject friendly
See merge request slirp/libslirp!14
-
- Oct 06, 2019
-
-
Marc-André Lureau authored
Using library() allows to build either static or shared library. Declare a dependency, so parent projects can link with it easily:
  slirp_proj = subproject('slirp')
  slirp = slirp_proj.get_variable('libslirp_dep')
Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
-