Commits on Source (95)
-
Marc-André Lureau authored
Release v4.7.0 See merge request !119
c9dbaae6 -
Samuel Thibault authored
Fixes #58
84232aeb -
Samuel Thibault authored
Include <sys/socket.h> and <arpa/inet.h> for AF_INET6 and inet_pton Closes #58 See merge request !120
a7387792 -
Paolo Bonzini authored
These functions do not have a prototype and are not meant to be public. Declare them as static. Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
84b276c5 -
Paolo Bonzini authored
Enable extra warnings based on what QEMU uses. Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
9d59bb77 -
Samuel Thibault authored
win32: declare some local functions as static See merge request !121
11d70507 -
Ivan Holmes authored
929f968f -
Samuel Thibault authored
Add support for Haiku to meson.build See merge request !123
a4434c81 -
Peter Delevoryas authored
The manufacturer's ID is used in NC-SI commands such as "Get Version ID" [1]. It is also essential to providing a path towards adding OEM (non-standardized) NC-SI commands. This field should be derived from the IANA Private Enterprise Numbers list [2], per the NC-SI specification. It may be useful for things besides NC-SI, but NC-SI responses for BMCs in QEMU are the main use case I have in mind. Note: I did not add this attribute to slirp_init, since it is deprecated. [1] https://www.dmtf.org/sites/default/files/standards/documents/DSP0222_1.0.0.pdf [2] https://www.iana.org/assignments/enterprise-numbers/enterprise-numbers Signed-off-by: Peter Delevoryas <pdel@fb.com>
b397a330 -
Peter Delevoryas authored
This will let us use Slirp fields to generate more interesting NC-SI responses. Signed-off-by: Peter Delevoryas <pdel@fb.com>
5025b871 -
Peter Delevoryas authored
Get Version ID is one of the first commands used in NC-SI, because BMCs use a lot of OEM NC-SI extensions, and you need to query the device's manufacturer through Get Version ID before you can decide which OEM NC-SI extensions to use. The response format is documented in the NC-SI spec[1]. We're just setting the NC-SI version supported to 1.0.0 (BCD-encoded[2]) and returning the manufacturer's ID in network byte order. [1] https://www.dmtf.org/sites/default/files/standards/documents/DSP0222_1.0.0.pdf [2] https://en.wikipedia.org/wiki/Binary-coded_decimal Signed-off-by: Peter Delevoryas <pdel@fb.com>
a3efc04d -
Samuel Thibault authored
ncsi: Add basic Get Version ID response See merge request !122
3ee97215 -
Windows Vista is not supported by its vendor anymore. Additionally, glib uses 0x0601 as setting for _WIN32_WINNT since version 2.53.6 already, so unless libslirp is used with a very old version of glib, we are depending on Windows 7 anyway. Signed-off-by: Thomas Huth <thuth@redhat.com> Reviewed-by: Samuel Thibault <samuel.thibault@ens-lyon.org> Message-Id: <20220516090410.39727-1-thuth@redhat.com>
2facdf28 -
Peter Delevoryas authored
This change passes the command header as an additional read-only parameter to each response handler so that they can make more response handling decisions based on the command header fields. This is especially useful for handling OEM NC-SI commands, or any protocol that's encapsulated in an NC-SI header. Signed-off-by: Peter Delevoryas <pdel@fb.com>
da3afd3c -
Peter Delevoryas authored
In the Linux NC-SI driver[1], each response's length is validated with a statically declared payload length, _unless_ it's an OEM command or some more complicated NC-SI packet that you can't determine the length of just from the "type" field, in which case it just uses the length provided by the response's header. To support OEM response handlers without requiring too many modifications we can make the default payload length use the value specified in the handler table, and then allow OEM handlers to override the length by modifying the "length" in the response header within the handler implementation. [1] https://github.com/torvalds/linux/blob/ec7f49619d8ee13e108740c82f942cd401b989e9/net/ncsi/ncsi-rsp.c#L1215-L1220 Signed-off-by: Peter Delevoryas <pdel@fb.com>
ec7f20e8 -
Peter Delevoryas authored
Signed-off-by: Peter Delevoryas <pdel@fb.com>
0f8dcfa2 -
Peter Delevoryas authored
This commit just sets up the OEM command handler to respond with "unsupported" for now, as verified in the test. Signed-off-by: Peter Delevoryas <pdel@fb.com>
70f26099 -
Peter Delevoryas authored
If a network card supports NC-SI, then it redirects all traffic with the out-of-band (OOB) management controller's (MC) ethernet address to the out-of-band management controller, usually over some sideband RMII interface, not like the PCIe connection to the main host. It's also pretty common for the network card to provision the out-of-band management controller's ethernet address. At startup, the OOB MC asks the network card what its MAC address is through OEM NC-SI commands. This protocol is so common that it's going to be standardized soon in NC-SI 1.2.0 [1] as "Get MC MAC Address". Note: At some point, the network card may provision *multiple* OOB ethernet addresses, but right now everything just uses one. [1] https://www.dmtf.org/sites/default/files/standards/documents/DSP0222_1.2.0WIP80.pdf Signed-off-by: Peter Delevoryas <pdel@fb.com>
177ff459 -
Peter Delevoryas authored
Attempted to mirror the upstream Linux driver[1] as closely as reasonably possible. [1] https://github.com/torvalds/linux/blob/42226c989789d8da4af1de0c31070c96726d990c/net/ncsi/ncsi-rsp.c#L614-L638 Signed-off-by: Peter Delevoryas <pdel@fb.com>
ca73d965 -
Samuel Thibault authored
ncsi: Add Mellanox Get MAC Address handler See merge request !125
ff0694bb -
Samuel Thibault authored
We can just write the macro on one line.
a066eb6c -
Samuel Thibault authored
and just revert to meson.project_version()
ab9fb33c -
Samuel Thibault authored
b1aec45b -
Samuel Thibault authored
It doesn't have it.
468dabb5 -
Samuel Thibault authored
Since msvc provides the support through push/pop pragmas.
2059a5f6 -
Samuel Thibault authored
It uses a saner strictly "from low to high bit" rule.
1d71fdaf -
Samuel Thibault authored
996e8cbb -
Samuel Thibault authored
5ca84a7c -
Samuel Thibault authored
a2bd2836 -
Samuel Thibault authored
8ea3ab15 -
Samuel Thibault authored
6fcc368a -
Samuel Thibault authored
e6a7465c -
Samuel Thibault authored
The toolchain usually used there would typically completely fail to run it.
b56fbdee -
Samuel Thibault authored
a70bd550 -
Samuel Thibault authored
To be able to use typeof. Fixes #60
d4422354 -
Marc-André Lureau authored
msvc fixes Closes #60 See merge request !124
dddb2be9 -
Marc-André Lureau authored
Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
e7362700 -
Marc-André Lureau authored
177da3d7 -
Samuel Thibault authored
msvc: enable vmstate code on !gnuc See merge request !126
baf33604 -
Samuel Thibault authored
Fixes #63
6489ebbc -
Samuel Thibault authored
Fixes #62
cc20d9ac -
Marc-André Lureau authored
Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
88b10e6b -
Marc-André Lureau authored
Commit e7362700 ("msvc: enable vmstate code on !gnuc") forgot to remove HAVE_VMSTATE condition... Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
60967ef1 -
Samuel Thibault authored
Fix vmstate regression See merge request !127
7132fef2 -
Bastian Blank authored
The IPv6 support in libslirp fails to work with any NDP proxy. The code used to interpret the NA packets uses the wrong address to insert into its neighbor table, the address of the source of the packet, aka the proxy itself. However, the NA packet has the real target address readily available. Just use it directly instead. Signed-off-by: Bastian Blank <waldi@debian.org>
1feabfef -
Samuel Thibault authored
Use target address from Neighbor Advertisement See merge request !129
c7c151fe -
Samuel Thibault authored
rather than rejecting only when all of them are bogus. Reported-by: Michael T <michael.gr220@gmail.com> Signed-off-by: Samuel Thibault <samuel.thibault@ens-lyon.org>
0f080379 -
Samuel Thibault authored
38638382 -
Fixes #64
37bcba8e -
3610e4d2 -
Samuel Thibault authored
slirp: use localhost as dns when /etc/resolv.conf empty Closes #25 See merge request !130
0dd7f050 -
bbe0e841 -
Samuel Thibault authored
Detach UDP socket if errno is ENOTCONN (Socket is not connected) Closes #65 See merge request !132
15c52d69 -
Samuel Thibault authored
It is defined by BaseTsd.h as LONG_PTR, which is 32-bit on win32 and 64-bit on win64. It seems that mingw rather uses int for the 32-bit case, but better stick to the MS definition, and int/LONG_PTR will be ABI-compatible on 32-bit. Fixes #68
22616071 -
Samuel Thibault authored
While Windows does not care about case, mingw does, and has all its headers in lower case.
fc5eaaf6 -
Sometimes ipq were cast to ipasfrag, and the original and cast pointer were used simultaneously in ip_reass(). GCC 12.1.0 assumes these pointers are not aliases, and therefore incorrectly assumes the pointed-to data will not be modified when it is actually modified through another pointer. To fix this problem, introduce a new type "ipas", which is a universal type denoting an entry in the assembly queue and contains a union for specialization as queue head (frequently referred to as "q" or "ipq" in the source code) or IP fragment ("f" or "ipf"). This bug was found by Alexander Bulekov when fuzzing QEMU: https://patchew.org/QEMU/20230129053316.1071513-1-alxndr@bu.edu/ The fixed test case is: fuzz/crash_449dd4ad72212627fe3245c875f79a7033cc5382 Signed-off-by: Akihiko Odaki <akihiko.odaki@daynix.com> Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
26be815b -
In macOS, as already commented in this source file as well, packets from SOCK_DGRAM + IPPROTO_ICMP sockets include the IP header, while Linux does not prepend the header. Due to the discrepancy, in macOS we need to handle received ICMP packets as if they are IP packets so that their IPv4 header gets stripped. As pointed out in review comments, it appears CONFIG_BSD is no longer propagated from QEMU. This patch fixes the issue by detecting BSD (including macOS) ourselves.
6fc8d283 -
Samuel Thibault authored
icmp: Handle ICMP packets as IPPROTO_IP on BSD See merge request !133
2533bf21 -
Samuel Thibault authored
44e7877a -
Samuel Thibault authored
Fixes #72
129077f9 -
Samuel Thibault authored
Fixes #70
8399d506 -
It's not being used. Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
fd0e7c8e -
The macro just makes things more difficult to debug, inline it. Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
d0158bf4 -
Samuel Thibault authored
When several packets are queued for emission for the same socket session, we need to clean them all. Spotted thanks to ASAN & fuzzing. Signed-off-by: Samuel Thibault <samuel.thibault@ens-lyon.org>
d3963e92 -
Making the code unnecessarily complicated. Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
c195d025 -
Samuel Thibault authored
As Coverity reports, we are not supposed to do anything with a freed pointer, not even assigning it to m. So break the loop before doing so.
41b92e27 -
Samuel Thibault authored
For reassembly, tcpiphdr2qlink needs an additional struct qlink before the tcpiphdr.
b39edde0 -
Samuel Thibault authored
In case of socket error, we are not consuming the packet. So duplicate it after socket operations, once we are sure that we will consume the packet.
0ad461c2 -
Samuel Thibault authored
Spotted thanks to ASAN & fuzzing.
bdba265d -
You can run the tests over the corpus with a "regular" build, then
$ fuzzing/fuzz-input ../fuzzing/IN/*
Or building with fuzzing enabled, and running:
$ CFLAGS="-fsanitize=fuzzer" CC=clang CXX=clang++ meson -Db_lundef=false
$ fuzzing/fuzz-input ../fuzzing/IN
I have an initial corpus which was generated by running fuzz-input for a few hours starting with qemu.pkt, which is the first packet sent by qemu. Sadly, it only covers 25%... I tried to increase the coverage manually, see for example tftp-get-blah.pkt, but that's not so simple, as multiple packets may be required to set up a session etc. Nevertheless, the fuzzing already found a few issues, so it might be worth adding it in this current form. fuzzing/oss-fuzz.sh is used by oss-fuzz, for Google fuzzing. (See the documentation if you want to reproduce the build locally.) Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
b5f4b774 -
The slirp_fuzz_ip_header harness should be working and is a basic example of a custom mutator focusing on part of the input. The slirp_fuzz_udp harness needs a bit of work to calculate the checksum properly. The code can be built using `meson build` followed by `ninja -C build`; the current meson.build file is not suitable for general usage. To run the fuzzing code just run `build/fuzzing/fuzz-ip-header fuzzing/IN -detect_leaks=0`; crashes will be written to the current folder and new inputs will go directly into the `IN` folder. The main point to focus on to improve the fuzzing should be generating a better corpus.
0e9b0ad4 -
- by adding trace examples
- by separating fuzzing different headers / data
- by adding an echo TCP server forward
- also factorizing code along the way
Also-by: JC <luffy33820@gmail.com> Also-by: Alisee Lafontaine <alisee.lafontaine@u-bordeaux.fr>
884d39ee -
We don't know in advance what the trace will have received as sequence number, so when fuzzing TCP, just align on what the trace says.
f045cdc9 -
Samuel Thibault authored
It's no use sending to the slirp stack the trace packets which are supposed to be generated by the stack. Also no use fuzzing them, then.
6f28e96e -
Samuel Thibault authored
ea785a27 -
Samuel Thibault authored
Spotted thanks to ASAN & fuzzing.
c29ec30a -
Samuel Thibault authored
To avoid leak reports.
4de210bc -
Samuel Thibault authored
ceb6fb6d -
Samuel Thibault authored
382bff02 ("Fix possible infinite loops and use-after-free") rewrote the loop to make it clearer that we go through items, but was always detaching the first element, which happens to be right, but is less clear than detaching the element being processed. Fixes #32 Reported-by: Peter Maydell
c76d880a -
Samuel Thibault authored
Fixes #34
9dee7f19 -
Samuel Thibault authored
f619f9f4 -
Samuel Thibault authored
af234819 -
Samuel Thibault authored
95f4a84d -
Samuel Thibault authored
dcdfd78b -
Samuel Thibault authored
ef3ee739 -
Samuel Thibault authored
Since we increase m->m_len by header_size, we mustn't add header_size again when copying. n->m_len also needs to have header_size subtracted, since we advance n->m_data by header_size. This only had an effect for IPv6 traffic with debug builds.
afed1c10 -
Samuel Thibault authored
0b3155e1 -
Samuel Thibault authored
ab0db890 -
Samuel Thibault authored
3a9992eb -
Samuel Thibault authored
7f792810 -
Samuel Thibault authored
9d171be3 -
Samuel Thibault authored
42694bf9 -
Samuel Thibault authored
bc0ccfd1 -
Samuel Thibault authored
Fixes #76
629a69ce -
Samuel Thibault authored
Signed-off-by: Samuel Thibault <samuel.thibault@ens-lyon.org>
Files added by this merge request (git mode 100644 is a regular file, mode 120000 a symlink):
fuzzing/IN_arp/arp.pcap (new file, 100644)
fuzzing/IN_dhcp/dhcp.pkt (new file, 100644)
fuzzing/IN_dhcp/dhcp_capture.pcap (new file, 100644)
fuzzing/IN_icmp/icmp_capture.pcap (new file, 100644)
fuzzing/IN_icmp/ping_10-0-2-2.pcap (new file, 100644)
fuzzing/IN_icmp6/icmp_capture.pcap (new file, 100644)
fuzzing/IN_icmp6/ndp.pcap (new symlink, 120000)
fuzzing/IN_icmp6/ping_10-0-2-2.pcap (new file, 100644)
fuzzing/IN_ip-header/dhcp.pkt (new symlink, 120000)
fuzzing/IN_ip-header/dhcp_capture.pcap (new symlink, 120000)
fuzzing/IN_ip-header/icmp_capture.pcap (new symlink, 120000)
fuzzing/IN_ip-header/nc-10.0.2.2-8080.pcap (new symlink, 120000)
fuzzing/IN_ip-header/nc-ident.pcap (new symlink, 120000)
fuzzing/IN_ip-header/ping_10-0-2-2.pcap (new symlink, 120000)
fuzzing/IN_ip-header/tcp_qemucapt.pcap (new symlink, 120000)
fuzzing/IN_ip-header/tftp-get-blah.pkt (new symlink, 120000)
fuzzing/IN_ip-header/tftp_capture.pcap (new symlink, 120000)