From a9ef3cc7115c9cdd9e0bf3eed9ed36c6b2f28c08 Mon Sep 17 00:00:00 2001 From: Toshaan Bharvani Date: Thu, 2 Jun 2022 17:23:12 +0200 Subject: [PATCH] initial package creation Signed-off-by: Toshaan Bharvani --- SOURCES/0001-Add-mtod_check.patch | 54 ++++ ...1-Fix-DHCP-broken-in-libslirp-v4.6.0.patch | 30 +++ .../0001-New-utility-slirp_ether_ntoa.patch | 186 +++++++++++++ ...place-inet_ntoa-with-safer-inet_ntop.patch | 173 ++++++++++++ ...or-specific-area-to-input-packet-mem.patch | 161 +++++++++++ ...-bootp-check-bootp_input-buffer-size.patch | 36 +++ ...04-upd6-check-udp6_input-buffer-size.patch | 36 +++ ...05-tftp-check-tftp_input-buffer-size.patch | 37 +++ ...06-tftp-introduce-a-header-structure.patch | 249 ++++++++++++++++++ ...0007-udp-check-upd_input-buffer-size.patch | 36 +++ SPECS/libslirp.spec | 124 +++++++++ 11 files changed, 1122 insertions(+) create mode 100644 SOURCES/0001-Add-mtod_check.patch create mode 100644 SOURCES/0001-Fix-DHCP-broken-in-libslirp-v4.6.0.patch create mode 100644 SOURCES/0001-New-utility-slirp_ether_ntoa.patch create mode 100644 SOURCES/0002-Replace-inet_ntoa-with-safer-inet_ntop.patch create mode 100644 SOURCES/0002-bootp-limit-vendor-specific-area-to-input-packet-mem.patch create mode 100644 SOURCES/0003-bootp-check-bootp_input-buffer-size.patch create mode 100644 SOURCES/0004-upd6-check-udp6_input-buffer-size.patch create mode 100644 SOURCES/0005-tftp-check-tftp_input-buffer-size.patch create mode 100644 SOURCES/0006-tftp-introduce-a-header-structure.patch create mode 100644 SOURCES/0007-udp-check-upd_input-buffer-size.patch create mode 100644 SPECS/libslirp.spec diff --git a/SOURCES/0001-Add-mtod_check.patch b/SOURCES/0001-Add-mtod_check.patch new file mode 100644 index 0000000..fbdead1 --- /dev/null +++ b/SOURCES/0001-Add-mtod_check.patch @@ -0,0 +1,54 @@ +From 87f5d0c70bdb46d467d32e3c3a8d7a472c97e148 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Marc-Andr=C3=A9=20Lureau?= +Date: Fri, 4 Jun 2021 15:58:25 +0400 +Subject: [PATCH 1/7] Add mtod_check() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Recent security issues demonstrate the lack of safety care when casting +a mbuf to a particular structure type. At least, it should check that +the buffer is large enough. The following patches will make use of this +function. + +Signed-off-by: Marc-André Lureau +(cherry picked from commit 93e645e72a056ec0b2c16e0299fc5c6b94e4ca17) +--- + src/mbuf.c | 11 +++++++++++ + src/mbuf.h | 1 + + 2 files changed, 12 insertions(+) + +diff --git a/src/mbuf.c b/src/mbuf.c +index 54ec721..cb2e971 100644 +--- a/src/mbuf.c ++++ b/src/mbuf.c +@@ -222,3 +222,14 @@ struct mbuf *dtom(Slirp *slirp, void *dat) + + return (struct mbuf *)0; + } ++ ++void *mtod_check(struct mbuf *m, size_t len) ++{ ++ if (m->m_len >= len) { ++ return m->m_data; ++ } ++ ++ DEBUG_ERROR("mtod failed"); ++ ++ return NULL; ++} +diff --git a/src/mbuf.h b/src/mbuf.h +index 546e785..2015e32 100644 +--- a/src/mbuf.h ++++ b/src/mbuf.h +@@ -118,6 +118,7 @@ void m_inc(struct mbuf *, int); + void m_adj(struct mbuf *, int); + int m_copy(struct mbuf *, struct mbuf *, int, int); + struct mbuf *dtom(Slirp *, void *); ++void *mtod_check(struct mbuf *, size_t len); + + static inline void ifs_init(struct mbuf *ifm) + { +-- +2.29.0 + diff --git a/SOURCES/0001-Fix-DHCP-broken-in-libslirp-v4.6.0.patch b/SOURCES/0001-Fix-DHCP-broken-in-libslirp-v4.6.0.patch new file mode 100644 index 0000000..bd4e685 --- /dev/null +++ b/SOURCES/0001-Fix-DHCP-broken-in-libslirp-v4.6.0.patch @@ -0,0 +1,30 @@ +From c9f314f6e315a5518432761fea864196a290f799 Mon Sep 17 00:00:00 2001 +From: Akihiro Suda +Date: Thu, 17 Jun 2021 18:01:32 +0900 +Subject: [PATCH] Fix "DHCP broken in libslirp v4.6.0" + +Fix issue 48 + +Signed-off-by: Akihiro Suda +--- + src/bootp.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/src/bootp.c b/src/bootp.c +index cafa1eb..0a35873 100644 +--- a/src/bootp.c ++++ b/src/bootp.c +@@ -359,7 +359,9 @@ static void bootp_reply(Slirp *slirp, + + daddr.sin_addr.s_addr = 0xffffffffu; + +- m->m_len = sizeof(struct bootp_t) - sizeof(struct ip) - sizeof(struct udphdr); ++ assert ((q - rbp->bp_vend + 1) <= DHCP_OPT_LEN); ++ ++ m->m_len = sizeof(struct bootp_t) + (q - rbp->bp_vend + 1) - sizeof(struct ip) - sizeof(struct udphdr); + udp_output(NULL, m, &saddr, &daddr, IPTOS_LOWDELAY); + } + +-- +2.29.0 + diff --git a/SOURCES/0001-New-utility-slirp_ether_ntoa.patch b/SOURCES/0001-New-utility-slirp_ether_ntoa.patch new file mode 100644 index 0000000..823785b --- /dev/null +++ b/SOURCES/0001-New-utility-slirp_ether_ntoa.patch @@ -0,0 +1,186 @@ +From c6fcedf4f53e070dfcb7a6910624705cdcc0a027 Mon Sep 17 00:00:00 2001 +From: Doug Evans +Date: Tue, 23 Feb 2021 15:23:19 -0800 +Subject: [PATCH 1/2] New utility slirp_ether_ntoa + +... and call it everywhere a macaddr is pretty-printed. + +Signed-off-by: Doug Evans +(cherry picked from commit ac00ba460e101bbce0a167b4f0517378a0fbe6b8) +--- + src/arp_table.c | 12 +++++++----- + src/ndp_table.c | 18 ++++++++++-------- + src/slirp.c | 11 +++++------ + src/util.c | 11 +++++++++++ + src/util.h | 8 ++++++++ + 5 files changed, 41 insertions(+), 19 deletions(-) + +diff --git a/src/arp_table.c b/src/arp_table.c +index 959e5b9ec0af..ba8c8a4eee88 100644 +--- a/src/arp_table.c ++++ b/src/arp_table.c +@@ -34,11 +34,12 @@ void arp_table_add(Slirp *slirp, uint32_t ip_addr, + ~slirp->vnetwork_mask.s_addr | slirp->vnetwork_addr.s_addr; + ArpTable *arptbl = &slirp->arp_table; + int i; ++ char ethaddr_str[ETH_ADDRSTRLEN]; + + DEBUG_CALL("arp_table_add"); + DEBUG_ARG("ip = %s", inet_ntoa((struct in_addr){ .s_addr = ip_addr })); +- DEBUG_ARG("hw addr = %02x:%02x:%02x:%02x:%02x:%02x", ethaddr[0], ethaddr[1], +- ethaddr[2], ethaddr[3], ethaddr[4], ethaddr[5]); ++ DEBUG_ARG("hw addr = %s", slirp_ether_ntoa(ethaddr, ethaddr_str, ++ sizeof(ethaddr_str))); + + if (ip_addr == 0 || ip_addr == 0xffffffff || ip_addr == broadcast_addr) { + /* Do not register broadcast addresses */ +@@ -67,6 +68,7 @@ bool arp_table_search(Slirp *slirp, uint32_t ip_addr, + ~slirp->vnetwork_mask.s_addr | slirp->vnetwork_addr.s_addr; + ArpTable *arptbl = &slirp->arp_table; + int i; ++ char ethaddr_str[ETH_ADDRSTRLEN]; + + DEBUG_CALL("arp_table_search"); + DEBUG_ARG("ip = %s", inet_ntoa((struct in_addr){ .s_addr = ip_addr })); +@@ -81,9 +83,9 @@ bool arp_table_search(Slirp *slirp, uint32_t ip_addr, + for (i = 0; i < ARP_TABLE_SIZE; i++) { + if (arptbl->table[i].ar_sip == ip_addr) { + memcpy(out_ethaddr, arptbl->table[i].ar_sha, ETH_ALEN); +- DEBUG_ARG("found hw addr = %02x:%02x:%02x:%02x:%02x:%02x", +- out_ethaddr[0], out_ethaddr[1], out_ethaddr[2], +- out_ethaddr[3], out_ethaddr[4], out_ethaddr[5]); ++ DEBUG_ARG("found hw addr = %s", ++ slirp_ether_ntoa(out_ethaddr, ethaddr_str, ++ sizeof(ethaddr_str))); + return 1; + } + } +diff --git a/src/ndp_table.c b/src/ndp_table.c +index 110d6ea0e43f..61ae8e0468fc 100644 +--- a/src/ndp_table.c ++++ b/src/ndp_table.c +@@ -12,13 +12,14 @@ void ndp_table_add(Slirp *slirp, struct in6_addr ip_addr, + char addrstr[INET6_ADDRSTRLEN]; + NdpTable *ndp_table = &slirp->ndp_table; + int i; ++ char ethaddr_str[ETH_ADDRSTRLEN]; + + inet_ntop(AF_INET6, &(ip_addr), addrstr, INET6_ADDRSTRLEN); + + DEBUG_CALL("ndp_table_add"); + DEBUG_ARG("ip = %s", addrstr); +- DEBUG_ARG("hw addr = %02x:%02x:%02x:%02x:%02x:%02x", ethaddr[0], ethaddr[1], +- ethaddr[2], ethaddr[3], ethaddr[4], ethaddr[5]); ++ DEBUG_ARG("hw addr = %s", slirp_ether_ntoa(ethaddr, ethaddr_str, ++ sizeof(ethaddr_str))); + + if (IN6_IS_ADDR_MULTICAST(&ip_addr) || in6_zero(&ip_addr)) { + /* Do not register multicast or unspecified addresses */ +@@ -50,6 +51,7 @@ bool ndp_table_search(Slirp *slirp, struct in6_addr ip_addr, + char addrstr[INET6_ADDRSTRLEN]; + NdpTable *ndp_table = &slirp->ndp_table; + int i; ++ char ethaddr_str[ETH_ADDRSTRLEN]; + + inet_ntop(AF_INET6, &(ip_addr), addrstr, INET6_ADDRSTRLEN); + +@@ -66,18 +68,18 @@ bool ndp_table_search(Slirp *slirp, struct in6_addr ip_addr, + out_ethaddr[3] = ip_addr.s6_addr[13]; + out_ethaddr[4] = ip_addr.s6_addr[14]; + out_ethaddr[5] = ip_addr.s6_addr[15]; +- DEBUG_ARG("multicast addr = %02x:%02x:%02x:%02x:%02x:%02x", +- out_ethaddr[0], out_ethaddr[1], out_ethaddr[2], +- out_ethaddr[3], out_ethaddr[4], out_ethaddr[5]); ++ DEBUG_ARG("multicast addr = %s", ++ slirp_ether_ntoa(out_ethaddr, ethaddr_str, ++ sizeof(ethaddr_str))); + return 1; + } + + for (i = 0; i < NDP_TABLE_SIZE; i++) { + if (in6_equal(&ndp_table->table[i].ip_addr, &ip_addr)) { + memcpy(out_ethaddr, ndp_table->table[i].eth_addr, ETH_ALEN); +- DEBUG_ARG("found hw addr = %02x:%02x:%02x:%02x:%02x:%02x", +- out_ethaddr[0], out_ethaddr[1], out_ethaddr[2], +- out_ethaddr[3], out_ethaddr[4], out_ethaddr[5]); ++ DEBUG_ARG("found hw addr = %s", ++ slirp_ether_ntoa(out_ethaddr, ethaddr_str, ++ sizeof(ethaddr_str))); + return 1; + } + } +diff --git a/src/slirp.c b/src/slirp.c +index abb6f9a966d8..1f2513a9e1a4 100644 +--- a/src/slirp.c ++++ b/src/slirp.c +@@ -1054,6 +1054,7 @@ int if_encap(Slirp *slirp, struct mbuf *ifm) + uint8_t ethaddr[ETH_ALEN]; + const struct ip *iph = (const struct ip *)ifm->m_data; + int ret; ++ char ethaddr_str[ETH_ADDRSTRLEN]; + + if (ifm->m_len + ETH_HLEN > sizeof(buf)) { + return 1; +@@ -1079,12 +1080,10 @@ int if_encap(Slirp *slirp, struct mbuf *ifm) + } + + memcpy(eh->h_dest, ethaddr, ETH_ALEN); +- DEBUG_ARG("src = %02x:%02x:%02x:%02x:%02x:%02x", eh->h_source[0], +- eh->h_source[1], eh->h_source[2], eh->h_source[3], +- eh->h_source[4], eh->h_source[5]); +- DEBUG_ARG("dst = %02x:%02x:%02x:%02x:%02x:%02x", eh->h_dest[0], +- eh->h_dest[1], eh->h_dest[2], eh->h_dest[3], eh->h_dest[4], +- eh->h_dest[5]); ++ DEBUG_ARG("src = %s", slirp_ether_ntoa(eh->h_source, ethaddr_str, ++ sizeof(ethaddr_str))); ++ DEBUG_ARG("dst = %s", slirp_ether_ntoa(eh->h_dest, ethaddr_str, ++ sizeof(ethaddr_str))); + memcpy(buf + sizeof(struct ethhdr), ifm->m_data, ifm->m_len); + slirp_send_packet_all(slirp, buf, ifm->m_len + ETH_HLEN); + return 1; +diff --git a/src/util.c b/src/util.c +index 2d8fb9642e76..67ef66786f54 100644 +--- a/src/util.c ++++ b/src/util.c +@@ -427,3 +427,14 @@ int slirp_fmt0(char *str, size_t size, const char *format, ...) + + return rv; + } ++ ++const char *slirp_ether_ntoa(const uint8_t *addr, char *out_str, ++ size_t out_str_size) ++{ ++ assert(out_str_size >= ETH_ADDRSTRLEN); ++ ++ slirp_fmt0(out_str, out_str_size, "%02x:%02x:%02x:%02x:%02x:%02x", ++ addr[0], addr[1], addr[2], addr[3], addr[4], addr[5]); ++ ++ return out_str; ++} +diff --git a/src/util.h b/src/util.h +index d67b3d0de9aa..8134db961779 100644 +--- a/src/util.h ++++ b/src/util.h +@@ -84,6 +84,7 @@ struct iovec { + #define SCALE_MS 1000000 + + #define ETH_ALEN 6 ++#define ETH_ADDRSTRLEN 18 /* "xx:xx:xx:xx:xx:xx", with trailing NUL */ + #define ETH_HLEN 14 + #define ETH_P_IP (0x0800) /* Internet Protocol packet */ + #define ETH_P_ARP (0x0806) /* Address Resolution packet */ +@@ -186,4 +187,11 @@ void slirp_pstrcpy(char *buf, int buf_size, const char *str); + int slirp_fmt(char *str, size_t size, const char *format, ...) G_GNUC_PRINTF(3, 4); + int slirp_fmt0(char *str, size_t size, const char *format, ...) G_GNUC_PRINTF(3, 4); + ++/* ++ * Pretty print a MAC address into out_str. ++ * As a convenience returns out_str. ++ */ ++const char *slirp_ether_ntoa(const uint8_t *addr, char *out_str, ++ size_t out_str_len); ++ + #endif +-- +2.34.1.428.gdcc0cd074f0c + diff --git a/SOURCES/0002-Replace-inet_ntoa-with-safer-inet_ntop.patch b/SOURCES/0002-Replace-inet_ntoa-with-safer-inet_ntop.patch new file mode 100644 index 0000000..908b144 --- /dev/null +++ b/SOURCES/0002-Replace-inet_ntoa-with-safer-inet_ntop.patch @@ -0,0 +1,173 @@ +From 849c972aa16a85c860f67d7e7f1fbe58e45187d2 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Marc-Andr=C3=A9=20Lureau?= +Date: Wed, 9 Feb 2022 22:15:08 +0400 +Subject: [PATCH 2/2] Replace inet_ntoa() with safer inet_ntop() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +inet_ntoa() returns a static pointer which is subject to safety issues. +Use the recommended alternative. + +Signed-off-by: Marc-André Lureau +--- + src/arp_table.c | 8 ++++++-- + src/ip_icmp.c | 10 ++++++---- + src/misc.c | 22 +++++++++++++--------- + src/socket.c | 5 +++-- + src/udp.c | 5 +++-- + 5 files changed, 31 insertions(+), 19 deletions(-) + +diff --git a/src/arp_table.c b/src/arp_table.c +index ba8c8a4eee88..3cf2ecc238bc 100644 +--- a/src/arp_table.c ++++ b/src/arp_table.c +@@ -35,9 +35,11 @@ void arp_table_add(Slirp *slirp, uint32_t ip_addr, + ArpTable *arptbl = &slirp->arp_table; + int i; + char ethaddr_str[ETH_ADDRSTRLEN]; ++ char addr[INET_ADDRSTRLEN]; + + DEBUG_CALL("arp_table_add"); +- DEBUG_ARG("ip = %s", inet_ntoa((struct in_addr){ .s_addr = ip_addr })); ++ DEBUG_ARG("ip = %s", inet_ntop(AF_INET, &(struct in_addr){ .s_addr = ip_addr }, ++ addr, sizeof(addr))); + DEBUG_ARG("hw addr = %s", slirp_ether_ntoa(ethaddr, ethaddr_str, + sizeof(ethaddr_str))); + +@@ -69,9 +71,11 @@ bool arp_table_search(Slirp *slirp, uint32_t ip_addr, + ArpTable *arptbl = &slirp->arp_table; + int i; + char ethaddr_str[ETH_ADDRSTRLEN]; ++ char addr[INET_ADDRSTRLEN]; + + DEBUG_CALL("arp_table_search"); +- DEBUG_ARG("ip = %s", inet_ntoa((struct in_addr){ .s_addr = ip_addr })); ++ DEBUG_ARG("ip = %s", inet_ntop(AF_INET, &(struct in_addr){ .s_addr = ip_addr }, ++ addr, sizeof(addr))); + + /* If broadcast address */ + if (ip_addr == 0 || ip_addr == 0xffffffff || ip_addr == broadcast_addr) { +diff --git a/src/ip_icmp.c b/src/ip_icmp.c +index f4d686b0222d..26e44a3fd49c 100644 +--- a/src/ip_icmp.c ++++ b/src/ip_icmp.c +@@ -291,10 +291,12 @@ void icmp_forward_error(struct mbuf *msrc, uint8_t type, uint8_t code, int minsi + goto end_error; + ip = mtod(msrc, struct ip *); + if (slirp_debug & DBG_MISC) { +- char bufa[20], bufb[20]; +- slirp_pstrcpy(bufa, sizeof(bufa), inet_ntoa(ip->ip_src)); +- slirp_pstrcpy(bufb, sizeof(bufb), inet_ntoa(ip->ip_dst)); +- DEBUG_MISC(" %.16s to %.16s", bufa, bufb); ++ char addr_src[INET_ADDRSTRLEN]; ++ char addr_dst[INET_ADDRSTRLEN]; ++ ++ inet_ntop(AF_INET, &ip->ip_src, addr_src, sizeof(addr_src)); ++ inet_ntop(AF_INET, &ip->ip_dst, addr_dst, sizeof(addr_dst)); ++ DEBUG_MISC(" %.16s to %.16s", addr_src, addr_dst); + } + if (ip->ip_off & IP_OFFMASK) + goto end_error; /* Only reply to fragment 0 */ +diff --git a/src/misc.c b/src/misc.c +index e6bc0a207d0b..1306f68eb539 100644 +--- a/src/misc.c ++++ b/src/misc.c +@@ -293,6 +293,7 @@ char *slirp_connection_info(Slirp *slirp) + uint16_t dst_port; + struct socket *so; + const char *state; ++ char addr[INET_ADDRSTRLEN]; + char buf[20]; + + g_string_append_printf(str, +@@ -322,10 +323,11 @@ char *slirp_connection_info(Slirp *slirp) + } + slirp_fmt0(buf, sizeof(buf), " TCP[%s]", state); + g_string_append_printf(str, "%-19s %3d %15s %5d ", buf, so->s, +- src.sin_addr.s_addr ? inet_ntoa(src.sin_addr) : +- "*", ++ src.sin_addr.s_addr ? ++ inet_ntop(AF_INET, &src.sin_addr, addr, sizeof(addr)) : "*", + ntohs(src.sin_port)); +- g_string_append_printf(str, "%15s %5d %5d %5d\n", inet_ntoa(dst_addr), ++ g_string_append_printf(str, "%15s %5d %5d %5d\n", ++ inet_ntop(AF_INET, &dst_addr, addr, sizeof(addr)), + ntohs(dst_port), so->so_rcv.sb_cc, + so->so_snd.sb_cc); + } +@@ -346,10 +348,11 @@ char *slirp_connection_info(Slirp *slirp) + dst_port = so->so_fport; + } + g_string_append_printf(str, "%-19s %3d %15s %5d ", buf, so->s, +- src.sin_addr.s_addr ? inet_ntoa(src.sin_addr) : +- "*", ++ src.sin_addr.s_addr ? ++ inet_ntop(AF_INET, &src.sin_addr, addr, sizeof(addr)) : "*", + ntohs(src.sin_port)); +- g_string_append_printf(str, "%15s %5d %5d %5d\n", inet_ntoa(dst_addr), ++ g_string_append_printf(str, "%15s %5d %5d %5d\n", ++ inet_ntop(AF_INET, &dst_addr, addr, sizeof(addr)), + ntohs(dst_port), so->so_rcv.sb_cc, + so->so_snd.sb_cc); + } +@@ -360,9 +363,10 @@ char *slirp_connection_info(Slirp *slirp) + src.sin_addr = so->so_laddr; + dst_addr = so->so_faddr; + g_string_append_printf(str, "%-19s %3d %15s - ", buf, so->s, +- src.sin_addr.s_addr ? inet_ntoa(src.sin_addr) : +- "*"); +- g_string_append_printf(str, "%15s - %5d %5d\n", inet_ntoa(dst_addr), ++ src.sin_addr.s_addr ? ++ inet_ntop(AF_INET, &src.sin_addr, addr, sizeof(addr)) : "*"); ++ g_string_append_printf(str, "%15s - %5d %5d\n", ++ inet_ntop(AF_INET, &dst_addr, addr, sizeof(addr)), + so->so_rcv.sb_cc, so->so_snd.sb_cc); + } + +diff --git a/src/socket.c b/src/socket.c +index c0b02ad131f3..6607e319ad6c 100644 +--- a/src/socket.c ++++ b/src/socket.c +@@ -743,13 +743,14 @@ struct socket *tcp_listen(Slirp *slirp, uint32_t haddr, unsigned hport, + struct sockaddr_in addr; + struct socket *so; + int s, opt = 1; ++ char inet_addr[INET_ADDRSTRLEN]; + socklen_t addrlen = sizeof(addr); + memset(&addr, 0, addrlen); + + DEBUG_CALL("tcp_listen"); +- DEBUG_ARG("haddr = %s", inet_ntoa((struct in_addr){ .s_addr = haddr })); ++ DEBUG_ARG("haddr = %s", inet_ntop(AF_INET, &(struct in_addr){ .s_addr = haddr }, inet_addr, sizeof(inet_addr))); + DEBUG_ARG("hport = %d", ntohs(hport)); +- DEBUG_ARG("laddr = %s", inet_ntoa((struct in_addr){ .s_addr = laddr })); ++ DEBUG_ARG("laddr = %s", inet_ntop(AF_INET, &(struct in_addr){ .s_addr = laddr }, inet_addr, sizeof(inet_addr))); + DEBUG_ARG("lport = %d", ntohs(lport)); + DEBUG_ARG("flags = %x", flags); + +diff --git a/src/udp.c b/src/udp.c +index e4578aa94ed5..0547cd6fc5c3 100644 +--- a/src/udp.c ++++ b/src/udp.c +@@ -248,14 +248,15 @@ bad: + int udp_output(struct socket *so, struct mbuf *m, struct sockaddr_in *saddr, + struct sockaddr_in *daddr, int iptos) + { ++ char addr[INET_ADDRSTRLEN]; + register struct udpiphdr *ui; + int error = 0; + + DEBUG_CALL("udp_output"); + DEBUG_ARG("so = %p", so); + DEBUG_ARG("m = %p", m); +- DEBUG_ARG("saddr = %s", inet_ntoa(saddr->sin_addr)); +- DEBUG_ARG("daddr = %s", inet_ntoa(daddr->sin_addr)); ++ DEBUG_ARG("saddr = %s", inet_ntop(AF_INET, &saddr->sin_addr, addr, sizeof(addr))); ++ DEBUG_ARG("daddr = %s", inet_ntop(AF_INET, &daddr->sin_addr, addr, sizeof(addr))); + + /* + * Adjust for header +-- +2.34.1.428.gdcc0cd074f0c + diff --git a/SOURCES/0002-bootp-limit-vendor-specific-area-to-input-packet-mem.patch b/SOURCES/0002-bootp-limit-vendor-specific-area-to-input-packet-mem.patch new file mode 100644 index 0000000..88e5ba0 --- /dev/null +++ b/SOURCES/0002-bootp-limit-vendor-specific-area-to-input-packet-mem.patch @@ -0,0 +1,161 @@ +From f0d4faae8258385338bc1ec252250454346b7ef7 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Marc-Andr=C3=A9=20Lureau?= +Date: Fri, 4 Jun 2021 19:25:28 +0400 +Subject: [PATCH 2/7] bootp: limit vendor-specific area to input packet memory + buffer +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +sizeof(bootp_t) currently holds DHCP_OPT_LEN. Remove this optional field +from the structure, to help with the following patch checking for +minimal header size. Modify the bootp_reply() function to take the +buffer boundaries and avoiding potential buffer overflow. + +Related to CVE-2021-3592. + +https://gitlab.freedesktop.org/slirp/libslirp/-/issues/44 + +Signed-off-by: Marc-André Lureau +(cherry picked from commit f13cad45b25d92760bb0ad67bec0300a4d7d5275) +--- + src/bootp.c | 26 +++++++++++++++----------- + src/bootp.h | 2 +- + src/mbuf.c | 5 +++++ + src/mbuf.h | 1 + + 4 files changed, 22 insertions(+), 12 deletions(-) + +diff --git a/src/bootp.c b/src/bootp.c +index 46e9681..e0db8d1 100644 +--- a/src/bootp.c ++++ b/src/bootp.c +@@ -92,21 +92,22 @@ found: + return bc; + } + +-static void dhcp_decode(const struct bootp_t *bp, int *pmsg_type, ++static void dhcp_decode(const struct bootp_t *bp, ++ const uint8_t *bp_end, ++ int *pmsg_type, + struct in_addr *preq_addr) + { +- const uint8_t *p, *p_end; ++ const uint8_t *p; + int len, tag; + + *pmsg_type = 0; + preq_addr->s_addr = htonl(0L); + + p = bp->bp_vend; +- p_end = p + DHCP_OPT_LEN; + if (memcmp(p, rfc1533_cookie, 4) != 0) + return; + p += 4; +- while (p < p_end) { ++ while (p < bp_end) { + tag = p[0]; + if (tag == RFC1533_PAD) { + p++; +@@ -114,10 +115,10 @@ static void dhcp_decode(const struct bootp_t *bp, int *pmsg_type, + break; + } else { + p++; +- if (p >= p_end) ++ if (p >= bp_end) + break; + len = *p++; +- if (p + len > p_end) { ++ if (p + len > bp_end) { + break; + } + DPRINTF("dhcp: tag=%d len=%d\n", tag, len); +@@ -144,7 +145,9 @@ static void dhcp_decode(const struct bootp_t *bp, int *pmsg_type, + } + } + +-static void bootp_reply(Slirp *slirp, const struct bootp_t *bp) ++static void bootp_reply(Slirp *slirp, ++ const struct bootp_t *bp, ++ const uint8_t *bp_end) + { + BOOTPClient *bc = NULL; + struct mbuf *m; +@@ -157,7 +160,7 @@ static void bootp_reply(Slirp *slirp, const struct bootp_t *bp) + uint8_t client_ethaddr[ETH_ALEN]; + + /* extract exact DHCP msg type */ +- dhcp_decode(bp, &dhcp_msg_type, &preq_addr); ++ dhcp_decode(bp, bp_end, &dhcp_msg_type, &preq_addr); + DPRINTF("bootp packet op=%d msgtype=%d", bp->bp_op, dhcp_msg_type); + if (preq_addr.s_addr != htonl(0L)) + DPRINTF(" req_addr=%08" PRIx32 "\n", ntohl(preq_addr.s_addr)); +@@ -179,9 +182,10 @@ static void bootp_reply(Slirp *slirp, const struct bootp_t *bp) + return; + } + m->m_data += IF_MAXLINKHDR; ++ m_inc(m, sizeof(struct bootp_t) + DHCP_OPT_LEN); + rbp = (struct bootp_t *)m->m_data; + m->m_data += sizeof(struct udpiphdr); +- memset(rbp, 0, sizeof(struct bootp_t)); ++ memset(rbp, 0, sizeof(struct bootp_t) + DHCP_OPT_LEN); + + if (dhcp_msg_type == DHCPDISCOVER) { + if (preq_addr.s_addr != htonl(0L)) { +@@ -235,7 +239,7 @@ static void bootp_reply(Slirp *slirp, const struct bootp_t *bp) + rbp->bp_siaddr = saddr.sin_addr; /* Server IP address */ + + q = rbp->bp_vend; +- end = (uint8_t *)&rbp[1]; ++ end = rbp->bp_vend + DHCP_OPT_LEN; + memcpy(q, rfc1533_cookie, 4); + q += 4; + +@@ -364,6 +368,6 @@ void bootp_input(struct mbuf *m) + struct bootp_t *bp = mtod(m, struct bootp_t *); + + if (bp->bp_op == BOOTP_REQUEST) { +- bootp_reply(m->slirp, bp); ++ bootp_reply(m->slirp, bp, m_end(m)); + } + } +diff --git a/src/bootp.h b/src/bootp.h +index a57fa51..31ce5fd 100644 +--- a/src/bootp.h ++++ b/src/bootp.h +@@ -114,7 +114,7 @@ struct bootp_t { + uint8_t bp_hwaddr[16]; + uint8_t bp_sname[64]; + char bp_file[128]; +- uint8_t bp_vend[DHCP_OPT_LEN]; ++ uint8_t bp_vend[]; + }; + + typedef struct { +diff --git a/src/mbuf.c b/src/mbuf.c +index cb2e971..0c1a530 100644 +--- a/src/mbuf.c ++++ b/src/mbuf.c +@@ -233,3 +233,8 @@ void *mtod_check(struct mbuf *m, size_t len) + + return NULL; + } ++ ++void *m_end(struct mbuf *m) ++{ ++ return m->m_data + m->m_len; ++} +diff --git a/src/mbuf.h b/src/mbuf.h +index 2015e32..a9752a3 100644 +--- a/src/mbuf.h ++++ b/src/mbuf.h +@@ -119,6 +119,7 @@ void m_adj(struct mbuf *, int); + int m_copy(struct mbuf *, struct mbuf *, int, int); + struct mbuf *dtom(Slirp *, void *); + void *mtod_check(struct mbuf *, size_t len); ++void *m_end(struct mbuf *); + + static inline void ifs_init(struct mbuf *ifm) + { +-- +2.29.0 + diff --git a/SOURCES/0003-bootp-check-bootp_input-buffer-size.patch b/SOURCES/0003-bootp-check-bootp_input-buffer-size.patch new file mode 100644 index 0000000..c97cb12 --- /dev/null +++ b/SOURCES/0003-bootp-check-bootp_input-buffer-size.patch @@ -0,0 +1,36 @@ +From 0f017f39a390d8fa4ae817f45fbf71a0c8332860 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Marc-Andr=C3=A9=20Lureau?= +Date: Fri, 4 Jun 2021 16:15:14 +0400 +Subject: [PATCH 3/7] bootp: check bootp_input buffer size +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Fixes: CVE-2021-3592 +Fixes: https://gitlab.freedesktop.org/slirp/libslirp/-/issues/44 + +Signed-off-by: Marc-André Lureau +(cherry picked from commit 2eca0838eee1da96204545e22cdaed860d9d7c6c) +--- + src/bootp.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/src/bootp.c b/src/bootp.c +index e0db8d1..cafa1eb 100644 +--- a/src/bootp.c ++++ b/src/bootp.c +@@ -365,9 +365,9 @@ static void bootp_reply(Slirp *slirp, + + void bootp_input(struct mbuf *m) + { +- struct bootp_t *bp = mtod(m, struct bootp_t *); ++ struct bootp_t *bp = mtod_check(m, sizeof(struct bootp_t)); + +- if (bp->bp_op == BOOTP_REQUEST) { ++ if (bp && bp->bp_op == BOOTP_REQUEST) { + bootp_reply(m->slirp, bp, m_end(m)); + } + } +-- +2.29.0 + diff --git a/SOURCES/0004-upd6-check-udp6_input-buffer-size.patch b/SOURCES/0004-upd6-check-udp6_input-buffer-size.patch new file mode 100644 index 0000000..a832f6b --- /dev/null +++ b/SOURCES/0004-upd6-check-udp6_input-buffer-size.patch @@ -0,0 +1,36 @@ +From 30feadb676a0792036a0f64309235c5767e2ee76 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Marc-Andr=C3=A9=20Lureau?= +Date: Fri, 4 Jun 2021 16:32:55 +0400 +Subject: [PATCH 4/7] upd6: check udp6_input buffer size +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Fixes: CVE-2021-3593 +Fixes: https://gitlab.freedesktop.org/slirp/libslirp/-/issues/45 + +Signed-off-by: Marc-André Lureau +(cherry picked from commit de71c15de66ba9350bf62c45b05f8fbff166517b) +--- + src/udp6.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/src/udp6.c b/src/udp6.c +index fdd8089..236b962 100644 +--- a/src/udp6.c ++++ b/src/udp6.c +@@ -29,7 +29,10 @@ void udp6_input(struct mbuf *m) + ip = mtod(m, struct ip6 *); + m->m_len -= iphlen; + m->m_data += iphlen; +- uh = mtod(m, struct udphdr *); ++ uh = mtod_check(m, sizeof(struct udphdr)); ++ if (uh == NULL) { ++ goto bad; ++ } + m->m_len += iphlen; + m->m_data -= iphlen; + +-- +2.29.0 + diff --git a/SOURCES/0005-tftp-check-tftp_input-buffer-size.patch b/SOURCES/0005-tftp-check-tftp_input-buffer-size.patch new file mode 100644 index 0000000..1d879cc --- /dev/null +++ b/SOURCES/0005-tftp-check-tftp_input-buffer-size.patch @@ -0,0 +1,37 @@ +From 31aaf902aa6ba31ab8f41543b2d4da8c01f3b861 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Marc-Andr=C3=A9=20Lureau?= +Date: Fri, 4 Jun 2021 16:34:30 +0400 +Subject: [PATCH 5/7] tftp: check tftp_input buffer size +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Fixes: CVE-2021-3595 +Fixes: https://gitlab.freedesktop.org/slirp/libslirp/-/issues/46 + +Signed-off-by: Marc-André Lureau +(cherry picked from commit 3f17948137155f025f7809fdc38576d5d2451c3d) +--- + src/tftp.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/src/tftp.c b/src/tftp.c +index c6950ee..e06911d 100644 +--- a/src/tftp.c ++++ b/src/tftp.c +@@ -446,7 +446,11 @@ static void tftp_handle_error(Slirp *slirp, struct sockaddr_storage *srcsas, + + void tftp_input(struct sockaddr_storage *srcsas, struct mbuf *m) + { +- struct tftp_t *tp = (struct tftp_t *)m->m_data; ++ struct tftp_t *tp = mtod_check(m, offsetof(struct tftp_t, x.tp_buf)); ++ ++ if (tp == NULL) { ++ return; ++ } + + switch (ntohs(tp->tp_op)) { + case TFTP_RRQ: +-- +2.29.0 + diff --git a/SOURCES/0006-tftp-introduce-a-header-structure.patch b/SOURCES/0006-tftp-introduce-a-header-structure.patch new file mode 100644 index 0000000..f163137 --- /dev/null +++ b/SOURCES/0006-tftp-introduce-a-header-structure.patch @@ -0,0 +1,249 @@ +From c8665ebbdadb72f7c2cb74b9704f68704c13653b Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Marc-Andr=C3=A9=20Lureau?= +Date: Fri, 4 Jun 2021 20:01:20 +0400 +Subject: [PATCH 6/7] tftp: introduce a header structure +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Instead of using a composed structure and potentially reading past the +incoming buffer, use a different structure for the header. + +Signed-off-by: Marc-André Lureau +(cherry picked from commit 990163cf3ac86b7875559f49602c4d76f46f6f30) +--- + src/tftp.c | 60 ++++++++++++++++++++++++++++-------------------------- + src/tftp.h | 6 +++++- + 2 files changed, 36 insertions(+), 30 deletions(-) + +diff --git a/src/tftp.c b/src/tftp.c +index e06911d..a19c889 100644 +--- a/src/tftp.c ++++ b/src/tftp.c +@@ -50,7 +50,7 @@ static void tftp_session_terminate(struct tftp_session *spt) + } + + static int tftp_session_allocate(Slirp *slirp, struct sockaddr_storage *srcsas, +- struct tftp_t *tp) ++ struct tftphdr *hdr) + { + struct tftp_session *spt; + int k; +@@ -75,7 +75,7 @@ found: + memcpy(&spt->client_addr, srcsas, sockaddr_size(srcsas)); + spt->fd = -1; + spt->block_size = 512; +- spt->client_port = tp->udp.uh_sport; ++ spt->client_port = hdr->udp.uh_sport; + spt->slirp = slirp; + + tftp_session_update(spt); +@@ -84,7 +84,7 @@ found: + } + + static int tftp_session_find(Slirp *slirp, struct sockaddr_storage *srcsas, +- struct tftp_t *tp) ++ struct tftphdr *hdr) + { + struct tftp_session *spt; + int k; +@@ -94,7 +94,7 @@ static int tftp_session_find(Slirp *slirp, struct sockaddr_storage *srcsas, + + if (tftp_session_in_use(spt)) { + if (sockaddr_equal(&spt->client_addr, srcsas)) { +- if (spt->client_port == tp->udp.uh_sport) { ++ if (spt->client_port == hdr->udp.uh_sport) { + return k; + } + } +@@ -148,13 +148,13 @@ static struct tftp_t *tftp_prep_mbuf_data(struct tftp_session *spt, + } + + static void tftp_udp_output(struct tftp_session *spt, struct mbuf *m, +- struct tftp_t *recv_tp) ++ struct tftphdr *hdr) + { + if (spt->client_addr.ss_family == AF_INET6) { + struct sockaddr_in6 sa6, da6; + + sa6.sin6_addr = spt->slirp->vhost_addr6; +- sa6.sin6_port = recv_tp->udp.uh_dport; ++ sa6.sin6_port = hdr->udp.uh_dport; + da6.sin6_addr = ((struct sockaddr_in6 *)&spt->client_addr)->sin6_addr; + da6.sin6_port = spt->client_port; + +@@ -163,7 +163,7 @@ static void tftp_udp_output(struct tftp_session *spt, struct mbuf *m, + struct sockaddr_in sa4, da4; + + sa4.sin_addr = spt->slirp->vhost_addr; +- sa4.sin_port = recv_tp->udp.uh_dport; ++ sa4.sin_port = hdr->udp.uh_dport; + da4.sin_addr = ((struct sockaddr_in *)&spt->client_addr)->sin_addr; + da4.sin_port = spt->client_port; + +@@ -185,14 +185,14 @@ static int tftp_send_oack(struct tftp_session *spt, const char *keys[], + + tp = tftp_prep_mbuf_data(spt, m); + +- tp->tp_op = htons(TFTP_OACK); ++ tp->hdr.tp_op = htons(TFTP_OACK); + for (i = 0; i < nb; i++) { + n += slirp_fmt0(tp->x.tp_buf + n, sizeof(tp->x.tp_buf) - n, "%s", keys[i]); + n += slirp_fmt0(tp->x.tp_buf + n, sizeof(tp->x.tp_buf) - n, "%u", values[i]); + } + +- m->m_len = G_SIZEOF_MEMBER(struct tftp_t, tp_op) + n; +- tftp_udp_output(spt, m, recv_tp); ++ m->m_len = G_SIZEOF_MEMBER(struct tftp_t, hdr.tp_op) + n; ++ tftp_udp_output(spt, m, &recv_tp->hdr); + + return 0; + } +@@ -213,21 +213,21 @@ static void tftp_send_error(struct tftp_session *spt, uint16_t errorcode, + + tp = tftp_prep_mbuf_data(spt, m); + +- tp->tp_op = htons(TFTP_ERROR); ++ tp->hdr.tp_op = htons(TFTP_ERROR); + tp->x.tp_error.tp_error_code = htons(errorcode); + slirp_pstrcpy((char *)tp->x.tp_error.tp_msg, sizeof(tp->x.tp_error.tp_msg), + msg); + + m->m_len = sizeof(struct tftp_t) - (TFTP_BLOCKSIZE_MAX + 2) + 3 + + strlen(msg) - sizeof(struct udphdr); +- tftp_udp_output(spt, m, recv_tp); ++ tftp_udp_output(spt, m, &recv_tp->hdr); + + out: + tftp_session_terminate(spt); + } + + static void tftp_send_next_block(struct tftp_session *spt, +- struct tftp_t *recv_tp) ++ struct tftphdr *hdr) + { + struct mbuf *m; + struct tftp_t *tp; +@@ -241,7 +241,7 @@ static void tftp_send_next_block(struct tftp_session *spt, + + tp = tftp_prep_mbuf_data(spt, m); + +- tp->tp_op = htons(TFTP_DATA); ++ tp->hdr.tp_op = htons(TFTP_DATA); + tp->x.tp_data.tp_block_nr = htons((spt->block_nr + 1) & 0xffff); + + nobytes = tftp_read_data(spt, spt->block_nr, tp->x.tp_data.tp_buf, +@@ -259,7 +259,7 @@ static void tftp_send_next_block(struct tftp_session *spt, + + m->m_len = sizeof(struct tftp_t) - (TFTP_BLOCKSIZE_MAX - nobytes) - + sizeof(struct udphdr); +- tftp_udp_output(spt, m, recv_tp); ++ tftp_udp_output(spt, m, hdr); + + if (nobytes == spt->block_size) { + tftp_session_update(spt); +@@ -282,12 +282,12 @@ static void tftp_handle_rrq(Slirp *slirp, struct sockaddr_storage *srcsas, + int nb_options = 0; + + /* check if a session already exists and if so terminate it */ +- s = tftp_session_find(slirp, srcsas, tp); ++ s = tftp_session_find(slirp, srcsas, &tp->hdr); + if (s >= 0) { + tftp_session_terminate(&slirp->tftp_sessions[s]); + } + +- s = tftp_session_allocate(slirp, srcsas, tp); ++ s = tftp_session_allocate(slirp, srcsas, &tp->hdr); + + if (s < 0) { + return; +@@ -413,29 +413,29 @@ static void tftp_handle_rrq(Slirp *slirp, struct sockaddr_storage *srcsas, + } + + spt->block_nr = 0; +- tftp_send_next_block(spt, tp); ++ tftp_send_next_block(spt, &tp->hdr); + } + + static void tftp_handle_ack(Slirp *slirp, struct sockaddr_storage *srcsas, +- struct tftp_t *tp, int pktlen) ++ struct tftphdr *hdr) + { + int s; + +- s = tftp_session_find(slirp, srcsas, tp); ++ s = tftp_session_find(slirp, srcsas, hdr); + + if (s < 0) { + return; + } + +- tftp_send_next_block(&slirp->tftp_sessions[s], tp); ++ tftp_send_next_block(&slirp->tftp_sessions[s], hdr); + } + + static void tftp_handle_error(Slirp *slirp, struct sockaddr_storage *srcsas, +- struct tftp_t *tp, int pktlen) ++ struct tftphdr *hdr) + { + int s; + +- s = tftp_session_find(slirp, srcsas, tp); ++ s = tftp_session_find(slirp, srcsas, hdr); + + if (s < 0) { + return; +@@ -446,23 +446,25 @@ static void tftp_handle_error(Slirp *slirp, struct sockaddr_storage *srcsas, + + void tftp_input(struct sockaddr_storage *srcsas, struct mbuf *m) + { +- struct tftp_t *tp = mtod_check(m, offsetof(struct tftp_t, x.tp_buf)); ++ struct tftphdr *hdr = mtod_check(m, sizeof(struct tftphdr)); + +- if (tp == NULL) { ++ if (hdr == NULL) { + return; + } + +- switch (ntohs(tp->tp_op)) { ++ switch (ntohs(hdr->tp_op)) { + case TFTP_RRQ: +- tftp_handle_rrq(m->slirp, srcsas, tp, m->m_len); ++ tftp_handle_rrq(m->slirp, srcsas, ++ mtod(m, struct tftp_t *), ++ m->m_len); + break; + + case TFTP_ACK: +- tftp_handle_ack(m->slirp, srcsas, tp, m->m_len); ++ tftp_handle_ack(m->slirp, srcsas, hdr); + break; + + case TFTP_ERROR: +- tftp_handle_error(m->slirp, srcsas, tp, m->m_len); ++ tftp_handle_error(m->slirp, srcsas, hdr); + break; + } + } +diff --git a/src/tftp.h b/src/tftp.h +index 6d75478..cafab03 100644 +--- a/src/tftp.h ++++ b/src/tftp.h +@@ -20,9 +20,13 @@ + #define TFTP_FILENAME_MAX 512 + #define TFTP_BLOCKSIZE_MAX 1428 + +-struct tftp_t { ++struct tftphdr { + struct udphdr udp; + uint16_t tp_op; ++} SLIRP_PACKED; ++ ++struct tftp_t { ++ struct tftphdr hdr; + union { + struct { + uint16_t tp_block_nr; +-- +2.29.0 + diff --git a/SOURCES/0007-udp-check-upd_input-buffer-size.patch b/SOURCES/0007-udp-check-upd_input-buffer-size.patch new file mode 100644 index 0000000..7fc155d --- /dev/null +++ b/SOURCES/0007-udp-check-upd_input-buffer-size.patch @@ -0,0 +1,36 @@ +From ca41f7eaa58d3f63a3df58d812b3cec32343ab6a Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Marc-Andr=C3=A9=20Lureau?= +Date: Fri, 4 Jun 2021 16:40:23 +0400 +Subject: [PATCH 7/7] udp: check upd_input buffer size +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Fixes: CVE-2021-3594 +Fixes: https://gitlab.freedesktop.org/slirp/libslirp/-/issues/47 + +Signed-off-by: Marc-André Lureau +(cherry picked from commit 74572be49247c8c5feae7c6e0b50c4f569ca9824) +--- + src/udp.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/src/udp.c b/src/udp.c +index 050cee4..e4578aa 100644 +--- a/src/udp.c ++++ b/src/udp.c +@@ -94,7 +94,10 @@ void udp_input(register struct mbuf *m, int iphlen) + /* + * Get IP and UDP header together in first mbuf. + */ +- ip = mtod(m, struct ip *); ++ ip = mtod_check(m, iphlen + sizeof(struct udphdr)); ++ if (ip == NULL) { ++ goto bad; ++ } + uh = (struct udphdr *)((char *)ip + iphlen); + + /* +-- +2.29.0 + diff --git a/SPECS/libslirp.spec b/SPECS/libslirp.spec new file mode 100644 index 0000000..e5e5776 --- /dev/null +++ b/SPECS/libslirp.spec @@ -0,0 +1,124 @@ +Name: libslirp +Version: 4.4.0 +Release: 7%{?dist} +Summary: A general purpose TCP-IP emulator + +# check the SPDX tags in source files for details +License: BSD and MIT +URL: https://gitlab.freedesktop.org/slirp/%{name} +Source0: %{url}/-/archive/v%{version}/%{name}-%{version}.tar.xz +Patch0001: 0001-Add-mtod_check.patch +Patch0002: 0002-bootp-limit-vendor-specific-area-to-input-packet-mem.patch +Patch0003: 0003-bootp-check-bootp_input-buffer-size.patch +Patch0004: 0004-upd6-check-udp6_input-buffer-size.patch +Patch0005: 0005-tftp-check-tftp_input-buffer-size.patch +Patch0006: 0006-tftp-introduce-a-header-structure.patch +Patch0007: 0007-udp-check-upd_input-buffer-size.patch +Patch0008: 0001-Fix-DHCP-broken-in-libslirp-v4.6.0.patch +Patch0009: 0001-New-utility-slirp_ether_ntoa.patch +Patch00010: 0002-Replace-inet_ntoa-with-safer-inet_ntop.patch + + +BuildRequires: git-core +BuildRequires: meson +BuildRequires: gcc +BuildRequires: glib2-devel + +%description +A general purpose TCP-IP emulator used by virtual machine hypervisors +to provide virtual networking services. + + +%package devel +Summary: Development files for %{name} +Requires: %{name}%{?_isa} = %{version}-%{release} + +%description devel +The %{name}-devel package contains libraries and header files for +developing applications that use %{name}. + + +%prep +%autosetup -S git_am + +%build +%meson +%meson_build + + +%install +%meson_install + + +%files +%license COPYRIGHT +%doc README.md CHANGELOG.md +%{_libdir}/%{name}.so.0* + +%files devel +%dir %{_includedir}/slirp/ +%{_includedir}/slirp/* +%{_libdir}/%{name}.so +%{_libdir}/pkgconfig/slirp.pc + + +%changelog +* Fri Feb 11 2022 Jindrich Novy - 4.4.0-7 +- fix also socket.c, thanks to Marc-André Lureau +- Related: #2000051 + +* Fri Feb 11 2022 Jindrich Novy - 4.4.0-6 +- add patches fixing gating tests from Marc-André Lureau +- Related: #2000051 + +* Wed Feb 09 2022 Jindrich Novy - 4.4.0-5 +- add gating.yaml +- Related: #2000051 + +* Mon Aug 09 2021 Mohan Boddu - 4.4.0-4 +- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags + Related: rhbz#1991688 + +* Fri Jun 18 2021 Marc-André Lureau - 4.4.0-3 +- Fix CVE-2021-3592 CVE-2021-3593 CVE-2021-3594 CVE-2021-3595 out-of-bounds access + Resolves: rhbz#1970826 rhbz#1970839 rhbz#1970857 rhbz#1970847 + +* Fri Apr 16 2021 Mohan Boddu - 4.4.0-2 +- Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937 + +* Wed Dec 2 18:19:30 +04 2020 Marc-André Lureau - 4.4.0-1 +- new version + +* Fri Nov 27 20:10:28 +04 2020 Marc-André Lureau - 4.3.1-3 +- Fix CVE-2020-29129 CVE-2020-29130 out-of-bounds access while processing ARP/NCSI packets + rhbz#1902232 + +* Tue Jul 28 2020 Fedora Release Engineering - 4.3.1-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild + +* Wed Jul 08 2020 Marc-André Lureau - 4.3.1-1 +- New v4.3.1 release + +* Thu Apr 23 2020 Marc-André Lureau - 4.3.0-1 +- New v4.3.0 release + +* Mon Apr 20 2020 Marc-André Lureau - 4.2.0-2 +- CVE-2020-1983 fix + +* Tue Mar 17 2020 Marc-André Lureau - 4.2.0-1 +- New v4.2.0 release + +* Wed Jan 29 2020 Fedora Release Engineering - 4.1.0-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild + +* Tue Dec 03 2019 Marc-André Lureau - 4.1.0-1 +- New v4.1.0 release + +* Fri Aug 2 2019 Marc-André Lureau - 4.0.0-3 +- Fix CVE-2019-14378, rhbz#1735654 + +* Thu Jul 25 2019 Fedora Release Engineering - 4.0.0-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild + +* Wed May 22 2019 Marc-André Lureau - 4.0.0-1 +- Initial package, rhbz#1712980