Commits · 3f17948137155f025f7809fdc38576d5d2451c3d · slirp / libslirp

14 Jun, 2021 5 commits

tftp: check tftp_input buffer size · 3f179481

Marc-André Lureau authored Jun 04, 2021

Fixes: CVE-2021-3595
Fixes: https://gitlab.freedesktop.org/slirp/libslirp/-/issues/46

Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>

3f179481

upd6: check udp6_input buffer size · de71c15d

Marc-André Lureau authored Jun 04, 2021

Fixes: CVE-2021-3593
Fixes: https://gitlab.freedesktop.org/slirp/libslirp/-/issues/45

Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>

de71c15d

bootp: check bootp_input buffer size · 2eca0838

Marc-André Lureau authored Jun 04, 2021

Fixes: CVE-2021-3592
Fixes: https://gitlab.freedesktop.org/slirp/libslirp/-/issues/44

Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>

2eca0838

bootp: limit vendor-specific area to input packet memory buffer · f13cad45

Marc-André Lureau authored Jun 04, 2021

sizeof(bootp_t) currently holds DHCP_OPT_LEN. Remove this optional field
from the structure, to help with the following patch checking for
minimal header size. Modify the bootp_reply() function to take the
buffer boundaries and avoiding potential buffer overflow.

Related to CVE-2021-3592.

https://gitlab.freedesktop.org/slirp/libslirp/-/issues/44

Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>

f13cad45

Add mtod_check() · 93e645e7

Marc-André Lureau authored Jun 04, 2021



Recent security issues demonstrate the lack of safety care when casting
a mbuf to a particular structure type. At least, it should check that
the buffer is large enough. The following patches will make use of this
function.
Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>

93e645e7

06 Jun, 2021 8 commits

poll_fd: add missing fd registration for UDP and ICMP · 5758d835
Samuel Thibault authored Jun 07, 2021
```
Signed-off-by: Samuel Thibault <samuel.thibault@ens-lyon.org>
```
5758d835
icmp: Document the use of UDP echo service · 3704690e
Samuel Thibault authored Jun 07, 2021
```
Signed-off-by: Samuel Thibault <samuel.thibault@ens-lyon.org>
```
3704690e
mbuf: Avoid warning · 8c621ee8
Samuel Thibault authored Jun 06, 2021
```
Signed-off-by: Samuel Thibault <samuel.thibault@ens-lyon.org>
```
8c621ee8
timer_mod: explicit that expire_time is in ms, not ns · f40fe880
Samuel Thibault authored Jun 06, 2021
```
Signed-off-by: Samuel Thibault <samuel.thibault@ens-lyon.org>
```
f40fe880
Merge branch 'valgrind' into 'master' · 9c1ea76f
Samuel Thibault authored Jun 06, 2021
```
mbuf: Add debugging helpers for allocation

See merge request !90
```
9c1ea76f

mbuf: Add debugging helpers for allocation · 5853f708

Samuel Thibault authored Jun 06, 2021



This adds a few helpers for debugging mbuf allocations when running in
debugging mode (lsan, valgrind, etc.)

- We do not want to cache allocations, so always set M_DOFREE to prevent
  us from putting any mbuf in it.
- We want to update the mbuf allocation owner on function call for more
  precise leak reporting.

Based on Jeremy Marchand's fuzzing work.
Signed-off-by: jeremy marchand <jeremy.marchand@etu.u-bordeaux.fr>
Signed-off-by: Samuel Thibault <samuel.thibault@ens-lyon.org>

5853f708

Check that we have the expected room before m_data · fedf9f18
Samuel Thibault authored Jun 06, 2021
```
Signed-off-by: Samuel Thibault <samuel.thibault@ens-lyon.org>
```
fedf9f18

Merge branch 'ncsi_pack' into 'master' · 5695ba4d

Samuel Thibault authored Jun 06, 2021

ncsi: make ncsi_calculate_checksum work with unaligned data

Closes #43

See merge request !89

5695ba4d

03 Jun, 2021 2 commits
- ncsi: Mark ncsi headers with SLIRP_PACKED · 4bbfdff0
  Samuel Thibault authored Jun 03, 2021
```
Fixes #43
```
  4bbfdff0
- ncsi: make ncsi_calculate_checksum work with unaligned data · a4a65093
  Samuel Thibault authored Jun 03, 2021
```
Signed-off-by: Samuel Thibault <samuel.thibault@ens-lyon.org>
```
  a4a65093
25 May, 2021 2 commits
- Merge branch 'fixes' into 'master' · dfe1229f
  Samuel Thibault authored May 25, 2021
```
Fix typos in comments

See merge request !88
```
  dfe1229f
- src/ip: Fix typos in comments · a54479fc
  Thomas Huth authored May 25, 2021
```
Found with the "codespell" utility.
Signed-off-by: Thomas Huth <thuth@redhat.com>
```
  a54479fc
19 May, 2021 2 commits
- changelog: post-release · 5500c69e
  Marc-André Lureau authored May 19, 2021
```
Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
```
  5500c69e
- Merge branch '4.5.0' into 'master' · 35284272
  Marc-André Lureau authored May 19, 2021
```
Release v4.5.0

Closes #40

See merge request !87
```
  35284272
18 May, 2021 1 commit
- Release v4.5.0 · a62890e7
  Marc-André Lureau authored May 18, 2021
```
Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
```
  a62890e7
09 May, 2021 2 commits
- SlirpCb: explicit that it is fine for a guest to drop frames · c221087f
  Samuel Thibault authored May 09, 2021
  
  c221087f
- Merge branch 'master' into 'master' · f23fd3f0
  Samuel Thibault authored May 09, 2021
```
ndp_table: For unspecified address, return broadcast ethernet address

See merge request !86
```
  f23fd3f0
08 May, 2021 1 commit

ndp_table: For unspecified address, return broadcast ethernet address · 1d6a89cc

Samuel Thibault authored May 09, 2021

We cannot let the guest crash libslirp by making it answer a tftp
request such as shown in
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=33873
https://gitlab.com/qemu-project/qemu/-/issues/111

unspecified addresses may also be used for non-configured devices, so it
makes sense to use the broadcast ethernet address in that case, just
like we do with IPv4.

1d6a89cc

07 May, 2021 2 commits

Merge branch 'philmd' into 'master' · 61b287a1
Marc-André Lureau authored May 07, 2021
```
Remove alloca() call in get_dns_addr_resolv_conf()

See merge request !84
```
61b287a1

Remove alloca() call in get_dns_addr_resolv_conf() · 6690d556

philmd authored May 07, 2021



The ALLOCA(3) man-page mentions its "use is discouraged".

For now get_dns_addr_resolv_conf() is called with pointer to
a in_addr/in6_addr structure, and its size. Declare a union
of these structures on the stack, able to hold both of them.
This allows us to remove the alloca() call, keeping the buffer
on the stack.

Add an assertion in the unlikely case another inet address
is handled by this function.
Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Message-Id: <20210507133212.1952121-1-philmd@redhat.com>

6690d556

12 Apr, 2021 2 commits

Merge branch 'lazy-ipv6-resolution' into 'master' · 4e6444e8
Samuel Thibault authored Apr 12, 2021
```
Perform lazy guest address resolution for IPv6

See merge request !81
```
4e6444e8

Perform lazy guest address resolution for IPv6 · f8bc26ad

Doug Evans authored Apr 07, 2021



Previously QEMU rejected IPv6 host-forward attempts that had an
unspecified guest address. This is because for IPv6 the guest's
IP address isn't necessarily known ahead of time: Libslirp only
provides a "stateless" DHCPv6 server, which if the macaddr is
random then the IPv6 address is random too.

This patch changes this to do the address resolution lazily, in the
hopes that the guest's IPv6 address is known at the time the user
wants to connect to the guest. The request can still fail if the
guest doesn't have an IPv6 address yet (e.g., it's still early in
the boot). Such requests are immediately rejected.
Signed-off-by: Doug Evans <dje@google.com>

f8bc26ad

07 Apr, 2021 1 commit
- Merge branch 'listen_v6only' into 'master' · fcf2568d
  Samuel Thibault authored Apr 07, 2021
```
Listen v6only

See merge request !77
```
  fcf2568d
06 Apr, 2021 3 commits
- Merge branch 'newtcpcb-no-fail' into 'master' · 4b30c086
  Samuel Thibault authored Apr 06, 2021
```
tcpx_listen: tcp_newtcpcb doesn't fail

See merge request !79
```
  4b30c086
- Merge branch 'listen-errno' into 'master' · 209288ae
  Samuel Thibault authored Apr 06, 2021
```
slirp_add_host*fwd: Ensure all error paths set errno

See merge request !80
```
  209288ae
- slirp_add_host*fwd: Ensure all error paths set errno · cc53bd21
  Doug Evans authored Mar 29, 2021
```
Debugging bind/listen failures without errno can get painful.
Signed-off-by: Doug Evans <dje@google.com>
```
  cc53bd21
29 Mar, 2021 2 commits
- tcpx_listen: tcp_newtcpcb doesn't fail · 0d90aa7c
  Doug Evans authored Mar 29, 2021
```
Signed-off-by: Doug Evans <dje@google.com>
```
  0d90aa7c
- Remove slirp_add/remove_ipv6_hostfwd · 9aaa17b5
  Samuel Thibault authored Mar 29, 2021
```
They are superseded by slirp_add/remove_hostxfwd
Signed-off-by: Samuel Thibault <samuel.thibault@ens-lyon.org>
```
  9aaa17b5
17 Mar, 2021 4 commits

Merge branch 'verbose-if-start' into 'master' · 487f4bf4
Samuel Thibault authored Mar 17, 2021
```
Move DEBUG_CALL("if_start") to DEBUG_VERBOSE_CALL

See merge request !78
```
487f4bf4
Merge branch 'hostxfwd' into 'master' · 43930496
Samuel Thibault authored Mar 17, 2021
```
Add ipv4/ipv6-agnostic host forwarding functions

See merge request !75
```
43930496

hostfwd: Add SLIRP_HOSTFWD_V6ONLY flag · d9c09e57

Samuel Thibault authored Mar 05, 2021



That allows to request binding on v6 addresses only.
Signed-off-by: Samuel Thibault <samuel.thibault@ens-lyon.org>

d9c09e57

Move DEBUG_CALL("if_start") to DEBUG_VERBOSE_CALL · 0c07defb

Doug Evans authored Mar 17, 2021



This debugging printf reduces the overall S/N ratio of debug output
in the normal case, so separate it out.
Signed-off-by: Doug Evans <dje@google.com>

0c07defb

05 Mar, 2021 2 commits
- Add ipv4/ipv6-agnostic host forwarding functions · 666235c0
  Samuel Thibault authored Mar 01, 2021
```
Signed-off-by: Samuel Thibault <samuel.thibault@ens-lyon.org>
```
  666235c0
- udpx/tcpx_listen: Use struct sockaddr * types · 84579d03
  Samuel Thibault authored Mar 05, 2021
```
This actually makes most of the code simpler.
```
  84579d03
04 Mar, 2021 1 commit
- Merge branch 'neighbor-info' into 'master' · 8dc8d72a
  Samuel Thibault authored Mar 04, 2021
```
Neighbor info

See merge request !71
```
  8dc8d72a