path: root/slirp
Age | Commit message | Author
2018-08-07 | slirp: Correct size check in m_inc() | Peter Maydell
The data in an mbuf buffer is not necessarily at the start of the allocated buffer. (For instance m_adj() allows data to be trimmed from the start by just advancing the pointer and reducing the length.) This means that the allocated buffer size (m->m_size) and the amount of space from the m_data pointer to the end of the buffer (M_ROOM(m)) are not necessarily the same.
Commit 864036e251f54c9 tried to change the m_inc() function from taking the new allocated-buffer-size to taking the new room-size, but forgot to change the initial "do we already have enough space" check. This meant that if we were trying to extend a buffer which had a leading gap between the buffer start and the data, we might incorrectly decide it didn't need to be extended, and then overrun the end of the buffer, causing memory corruption and an eventual crash.
Change the "already big enough?" condition from checking the argument against m->m_size to checking against M_ROOM(). This only makes a difference for the callsite in m_cat(); the other three callsites all start with a freshly allocated mbuf from m_get(), which will have m->m_size == M_ROOM(m).
Fixes: 864036e251f54c9
Fixes: https://bugs.launchpad.net/qemu/+bug/1785670
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Samuel Thibault <samuel.thibault@ens-lyon.org>
Message-id: 20180807114501.12370-1-peter.maydell@linaro.org
Tested-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
2018-06-08 | slirp: reformat m_inc routine | Prasad J Pandit
Coding style changes to the m_inc routine and minor refactoring.
Reported-by: ZDI Disclosures <zdi-disclosures@trendmicro.com>
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
Signed-off-by: Samuel Thibault <samuel.thibault@ens-lyon.org>
2018-06-08 | slirp: correct size computation while concatenating mbuf | Prasad J Pandit
While reassembling incoming fragmented datagrams, 'm_cat' routine extends the 'mbuf' buffer, if it has insufficient room. It computes a wrong buffer size, which leads to overwriting adjacent heap buffer area. Correct this size computation in m_cat.
Reported-by: ZDI Disclosures <zdi-disclosures@trendmicro.com>
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
Signed-off-by: Samuel Thibault <samuel.thibault@ens-lyon.org>
2018-06-01 | slirp: Fix spurious error report when sending directly | Samuel Thibault
Move check to where it actually is useful, and reduce scope of 'len' variable along the way.
Signed-off-by: Samuel Thibault <samuel.thibault@ens-lyon.org>
Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
2018-05-31 | slirp/ncsi: add checksum support | Cédric Le Goater
The checksum field of a NC-SI packet contains a value that may be included in each command and response. The verification is optional but the Linux driver does so when a non-zero value is provided. Let's extend the model to compute the checksum value and exercise a little more the Linux driver.
See section "8.2.2.3 - 2's Complement Checksum Compensation" in the Network Controller Sideband Interface (NC-SI) Specification for more details.
Signed-off-by: Cédric Le Goater <clg@kaod.org>
Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Tested-by: Joel Stanley <joel@jms.id.au>
Signed-off-by: Samuel Thibault <samuel.thibault@ens-lyon.org>
2018-05-31 | slirp/ncsi: add a "Get Parameters" response | Cédric Le Goater
Command 0x17 'Get Parameters' is used to get configuration parameter values currently in effect on the controller and it is mandatory in the NC-SI specification. Provide a minimum response to exercise the kernel.
Signed-off-by: Cédric Le Goater <clg@kaod.org>
Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Tested-by: Joel Stanley <joel@jms.id.au>
Signed-off-by: Samuel Thibault <samuel.thibault@ens-lyon.org>
2018-05-31 | slirp/ncsi: fix "Get Version ID" payload length | Cédric Le Goater
Signed-off-by: Cédric Le Goater <clg@kaod.org>
Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Tested-by: Joel Stanley <joel@jms.id.au>
Signed-off-by: Samuel Thibault <samuel.thibault@ens-lyon.org>
2018-05-31 | slirp: Send window updates to guest after window was closed | James Clarke
If the receive window presented to the guest closes, slirp should send a window update once the window reopens sufficiently, rather than forcing the guest to send a window probe, which can take several seconds.
Signed-off-by: James Clarke <jrtc27@jrtc27.com>
Signed-off-by: Samuel Thibault <samuel.thibault@ens-lyon.org>
2018-05-31 | slirp/debug: Print IP addresses in human readable form | Alexey Kardashevskiy
Signed-off-by: Alexey Kardashevskiy <aik@ozlabs.ru>
Signed-off-by: Samuel Thibault <samuel.thibault@ens-lyon.org>
2018-05-31 | slirp: disable Nagle in ingoing connections | Samuel Thibault
This follows 3929766fb3e4 ('slirp: disable Nagle in outgoing connections'): for the same reasons, ingoing connections should have the Nagle algorithm disabled.
Signed-off-by: Samuel Thibault <samuel.thibault@ens-lyon.org>
Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
2018-05-31 | slirp: disable Nagle in outgoing connections | Andreas Gustafsson
When setting up an outgoing user mode networking TCP connection, disable the Nagle algorithm in the host-side connection. Either the guest is already doing Nagle, in which case there is no point in doing it twice, or it has chosen to disable it, in which case we should respect that choice.
This change speeds up GDB remote debugging over TCP over user mode networking (with GDB running on the guest) by multiple orders of magnitude, and has been part of the local patches applied by pkgsrc since 2012 with no reported ill effects.
Signed-off-by: Andreas Gustafsson <gson@gson.org>
Reviewed-by: Kamil Rytarowski <n54@gmx.com>
Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Signed-off-by: Samuel Thibault <samuel.thibault@ens-lyon.org>
2018-05-31 | slirp: Add domainname option to slirp's DHCP server | Benjamin Drung
This patch will allow the user to include the domainname option in replies from the built-in DHCP server.
Signed-off-by: Benjamin Drung <benjamin.drung@profitbricks.com>
Signed-off-by: Samuel Thibault <samuel.thibault@ens-lyon.org>
2018-05-20 | slirp/debug: Print IP addresses in human readable form | Alexey Kardashevskiy
Signed-off-by: Alexey Kardashevskiy <aik@ozlabs.ru>
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
2018-01-14 | slirp: add in6_dhcp_multicast() | Philippe Mathieu-Daudé
Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Signed-off-by: Samuel Thibault <samuel.thibault@ens-lyon.org>
2018-01-14 | slirp: removed unused code | Philippe Mathieu-Daudé
Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Reviewed-by: Thomas Huth <thuth@redhat.com>
Signed-off-by: Samuel Thibault <samuel.thibault@ens-lyon.org>
2018-01-14 | slirp: remove unnecessary struct declaration | Philippe Mathieu-Daudé
Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Signed-off-by: Samuel Thibault <samuel.thibault@ens-lyon.org>
2018-01-14 | slirp: remove unused header | Philippe Mathieu-Daudé
Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Tested-by: Thomas Huth <thuth@redhat.com>
Signed-off-by: Samuel Thibault <samuel.thibault@ens-lyon.org>
2018-01-14 | slirp: avoid IN6_IS_ADDR_UNSPECIFIED(), rather use in6_zero() | Philippe Mathieu-Daudé
Host: Mac OS 10.12.5
Compiler: Apple LLVM version 8.1.0 (clang-802.0.42)
    slirp/ip6_icmp.c:80:38: warning: taking address of packed member 'ip_src' of class or structure 'ip6' may result in an unaligned pointer value [-Waddress-of-packed-member]
    IN6_IS_ADDR_UNSPECIFIED(&ip->ip_src)) {
    ^~~~~~~~~~
    /usr/include/netinet6/in6.h:238:42: note: expanded from macro 'IN6_IS_ADDR_UNSPECIFIED'
    ((*(const __uint32_t *)(const void *)(&(a)->s6_addr[0]) == 0) && \
    ^
Reported-by: John Arbuckle <programmingkidx@gmail.com>
Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Signed-off-by: Samuel Thibault <samuel.thibault@ens-lyon.org>
2017-11-09 | slirp: don't zero the whole ti_i when m == NULL | Tao Wu
98c63057d2144fb81681580cd84c13c93794c96e ('slirp: Factorizing tcpiphdr structure with an union') introduced a memset call to clear possibly-undefined fields in ti. This however overwrites src/dst/pr which are used below. So let us clear only the unused fields.
This should fix some rare cases (some RST cases, keep alive probes) where packets would be sent to 0.0.0.0.
Signed-off-by: Tao Wu <lepton@google.com>
Signed-off-by: Samuel Thibault <samuel.thibault@ens-lyon.org>
2017-09-27 | migration: pre_save return int | Dr. David Alan Gilbert
Modify the pre_save method on VMStateDescription to return an int rather than void so that it potentially can fail.
Changed zillions of devices to make them return 0; the only case I've made it return non-0 is hw/intc/s390_flic_kvm.c that already had an error_report/return case.
Note: If you add an error exit in your pre_save you must emit an error_report to say why.
Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
Message-Id: <20170925112917.21340-2-dgilbert@redhat.com>
Reviewed-by: Peter Xu <peterx@redhat.com>
Reviewed-by: Cornelia Huck <cohuck@redhat.com>
Reviewed-by: Juan Quintela <quintela@redhat.com>
Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
2017-09-24 | slirp: Add a special case for the NULL socket | Kevin Cernekee
NULL sockets are used for NDP, BOOTP, and other critical operations. If the topmost mbuf in a NULL session is blocked pending resolution, it may cause problems if it blocks other packets with a NULL socket. So do not add mbufs with a NULL socket field to the same session.
Signed-off-by: Kevin Cernekee <cernekee@chromium.org>
Signed-off-by: Samuel Thibault <samuel.thibault@ens-lyon.org>
2017-09-24 | slirp: Fix intermittent send queue hangs on a socket | Kevin Cernekee
if_output() originally sent one mbuf per call and used the slirp->next_m variable to keep track of where it left off. But nowadays it tries to send all of the mbufs from the fastq, and one mbuf from each session on the batchq. The next_m variable is both redundant and harmful: there is a case[0] involving delayed packets in which next_m ends up pointing to &slirp->if_batchq when an active session still exists, and this blocks all traffic for that session until qemu is restarted.
The test case was created to reproduce a problem that was seen on long-running Chromium OS VM tests[1] which rapidly create and destroy ssh connections through hostfwd.
[0] https://pastebin.com/NNy6LreF
[1] https://bugs.chromium.org/p/chromium/issues/detail?id=766323
Signed-off-by: Kevin Cernekee <cernekee@chromium.org>
Signed-off-by: Samuel Thibault <samuel.thibault@ens-lyon.org>
2017-08-30 | slirp: fix clearing ifq_so from pending packets | Samuel Thibault
The if_fastq and if_batchq contain not only packets, but queues of packets for the same socket. When sofree frees a socket, it thus has to clear ifq_so from all the packets from the queues, not only the first.
Signed-off-by: Samuel Thibault <samuel.thibault@ens-lyon.org>
Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Cc: qemu-stable@nongnu.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2017-08-03 | slirp: check len against dhcp options array end | Prasad J Pandit
While parsing dhcp options string in 'dhcp_decode', if an option's length 'len' appeared towards the end of 'bp_vend' array, ensuing read could lead to an OOB memory access issue. Add check to avoid it.
This is CVE-2017-11434.
Reported-by: Reno Robert <renorobert@gmail.com>
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
Signed-off-by: Samuel Thibault <samuel.thibault@ens-lyon.org>
2017-07-15 | slirp: Handle error returns from sosendoob() | Peter Maydell
sosendoob() can return a failure code, but all its callers ignore it. This is OK in sbappend(), as the comment there states -- we will try again later in sowrite(). Add a (void) cast to tell Coverity so.
In sowrite() we do need to check the return value -- we should handle a write failure in sosendoob() the same way we handle a write failure for the normal data.
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
Signed-off-by: Samuel Thibault <samuel.thibault@ens-lyon.org>
2017-07-15 | slirp: Handle error returns from slirp_send() in sosendoob() | Peter Maydell
The code in sosendoob() assumes that slirp_send() always succeeds, but it might return an OS error code (for instance if the other end has disconnected). Catch these and return the caller either -1 on error or the number of urgent bytes actually written. (None of the callers check this return value currently, though.)
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
Signed-off-by: Samuel Thibault <samuel.thibault@ens-lyon.org>
2017-07-15 | slirp: fork_exec(): Don't close() a negative number in fork_exec() | Peter Maydell
In a fork_exec() error path we try to closesocket(s) when s might be a negative number because the thing that failed was the qemu_socket() call. Add a guard so we don't do this.
(Spotted by Coverity: CID 1005727 issue 1 of 2.)
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
Signed-off-by: Samuel Thibault <samuel.thibault@ens-lyon.org>
2017-07-15 | slirp: use DIV_ROUND_UP | Marc-André Lureau
I used the clang-tidy qemu-round check to generate the fix: https://github.com/elmarco/clang-tools-extra
Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Signed-off-by: Samuel Thibault <samuel.thibault@ens-lyon.org>
2017-06-13 | migration: Split registration functions from vmstate.h | Juan Quintela
They are independent, and nowadays almost every device registers things with qdev->vmsd.
Signed-off-by: Juan Quintela <quintela@redhat.com>
Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Reviewed-by: Peter Xu <peterx@redhat.com>
2017-06-06 | migration: remove register_savevm() | Laurent Vivier
We can replace the four remaining calls of register_savevm() by calls to register_savevm_live(). So we can remove the function and as we don't allocate anymore the ops pointer with g_new0() we don't have to free it then.
Signed-off-by: Laurent Vivier <lvivier@redhat.com>
Reviewed-by: Juan Quintela <quintela@redhat.com>
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
2017-06-02 | char: move CharBackend handling in char-fe unit | Marc-André Lureau
Move all the frontend struct and methods to a separate unit. This avoids accidentally mixing backend and frontend calls, and helps with readability.
Make qemu_chr_replay() a macro shared by both char and char-fe.
Export qemu_chr_write(), and use a macro for qemu_chr_write_all()
(nb: yes, CharBackend is for char frontend :)
Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
2017-06-02 | chardev: move headers to include/chardev | Marc-André Lureau
So they are all in one place. The following patch will move serial & parallel declarations to the respective headers.
Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
2017-05-27 | Fix total IP header length in forwarded TCP packets | Sjors Gielen
When forwarding TCP packets, the internal tcpiphdr struct length was wrongly used inside the IP header. This commit changes the behaviour to what is used by tcp_output.c, using the correct full IP header + payload length.
Signed-off-by: Sjors Gielen <sjors@sjorsgielen.nl>
Signed-off-by: Samuel Thibault <samuel.thibault@ens-lyon.org>
2017-05-27 | slirp: fix leak | Marc-André Lureau
Spotted by ASAN:
    /x86_64/hmp/pc-0.12:
    =================================================================
    ==22538==ERROR: LeakSanitizer: detected memory leaks
    Direct leak of 224 byte(s) in 1 object(s) allocated from:
    #0 0x7f0f63cdee60 in malloc (/lib64/libasan.so.3+0xc6e60)
    #1 0x556f11ff32d7 in tcp_newtcpcb /home/elmarco/src/qemu/slirp/tcp_subr.c:250
    #2 0x556f11fdb1d1 in tcp_listen /home/elmarco/src/qemu/slirp/socket.c:688
    #3 0x556f11fca9d5 in slirp_add_hostfwd /home/elmarco/src/qemu/slirp/slirp.c:1052
    #4 0x556f11f8db41 in slirp_hostfwd /home/elmarco/src/qemu/net/slirp.c:506
    #5 0x556f11f8dd83 in hmp_hostfwd_add /home/elmarco/src/qemu/net/slirp.c:535
There might be a better way to fix this, but calling slirp tcp_close() doesn't work.
Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Signed-off-by: Samuel Thibault <samuel.thibault@ens-lyon.org>
2017-05-27 | slirp: Fix wrong mss bug. | Tao Wu
This bug was introduced by https://github.com/qemu/qemu/commit/98c6305
Signed-off-by: Tao Wu <lepton@google.com>
Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Signed-off-by: Samuel Thibault <samuel.thibault@ens-lyon.org>
2017-04-29 | slirp: VMStatify remaining except for loop | Dr. David Alan Gilbert
This converts the remaining components, except for the top level loop, to VMState.
Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
Reviewed-by: Juan Quintela <quintela@redhat.com>
Signed-off-by: Samuel Thibault <samuel.thibault@ens-lyon.org>
2017-04-29 | slirp: VMStatify socket level | Dr. David Alan Gilbert
Working up the stack, this replaces the slirp_socket_load/save with VMState definitions. A place holder for IPv6 support is added as a comment; it needs testing once the rest of the IPv6 code is there.
Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
Signed-off-by: Samuel Thibault <samuel.thibault@ens-lyon.org>
2017-04-29 | slirp: Common lhost/fhost union | Dr. David Alan Gilbert
The socket structure has a pair of unions for lhost and fhost addresses; the unions are identical so split them out into a separate union declaration.
Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Reviewed-by: Juan Quintela <quintela@redhat.com>
Signed-off-by: Samuel Thibault <samuel.thibault@ens-lyon.org>
2017-04-29 | slirp: VMStatify sbuf | Dr. David Alan Gilbert
Convert the sbuf structure to a VMStateDescription. Note this uses the VMSTATE_WITH_TMP mechanism to calculate and reload the offsets based on the pointers.
Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
Reviewed-by: David Gibson <david@gibson.dropbear.id.au>
Reviewed-by: Juan Quintela <quintela@redhat.com>
Signed-off-by: Samuel Thibault <samuel.thibault@ens-lyon.org>
2017-04-29 | slirp: VMState conversion; tcpcb | Dr. David Alan Gilbert
Convert the migration of the struct tcpcb to use a VMStateDescription, the rest of it will come later. Mostly mechanical, except for conversion of some 'char' to uint8_t to ensure portability.
Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
Reviewed-by: Samuel Thibault <samuel.thibault@ens-lyon.org>
Reviewed-by: Juan Quintela <quintela@redhat.com>
Signed-off-by: Samuel Thibault <samuel.thibault@ens-lyon.org>
2017-04-29 | slirp: fix pinging the virtual ipv4 DNS server | Samuel Thibault
so that people do not think it is not working at least basically.
Signed-off-by: Samuel Thibault <samuel.thibault@ens-lyon.org>
2017-04-29 | slirp: tftp, copy sockaddr_size | Marc-André Lureau
ASAN detects an "unknown-crash" when running pxe-test:
    /ppc64/pxe/spapr-vlan:
    =================================================================
    ==7143==ERROR: AddressSanitizer: unknown-crash on address 0x7f6dcd298d30 at pc 0x55e22218830d bp 0x7f6dcd2989e0 sp 0x7f6dcd2989d0
    READ of size 128 at 0x7f6dcd298d30 thread T2
    #0 0x55e22218830c in tftp_session_allocate /home/elmarco/src/qq/slirp/tftp.c:73
    #1 0x55e22218a1f8 in tftp_handle_rrq /home/elmarco/src/qq/slirp/tftp.c:289
    #2 0x55e22218b54c in tftp_input /home/elmarco/src/qq/slirp/tftp.c:446
    #3 0x55e2221833fe in udp6_input /home/elmarco/src/qq/slirp/udp6.c:82
    #4 0x55e222137b17 in ip6_input /home/elmarco/src/qq/slirp/ip6_input.c:67
    Address 0x7f6dcd298d30 is located in stack of thread T2 at offset 96 in frame
    #0 0x55e222182420 in udp6_input /home/elmarco/src/qq/slirp/udp6.c:13
    This frame has 3 object(s):
    [32, 48) '<unknown>'
    [96, 124) 'lhost' <== Memory access at offset 96 partially overflows this variable
    [160, 200) 'save_ip' <== Memory access at offset 96 partially underflows this variable
The sockaddr_storage pointer is the sockaddr_in6 lhost on the stack. Copy only the source addr size.
Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Reviewed-by: Thomas Huth <thuth@redhat.com>
Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Signed-off-by: Samuel Thibault <samuel.thibault@ens-lyon.org>
2017-04-25 | slirp: add a fake NC-SI backend | Cédric Le Goater
NC-SI (Network Controller Sideband Interface) enables a BMC to manage a set of NICs on a system. This model takes the simplest approach and reverses the NC-SI packets to pretend a NIC is present and exercise the Linux driver.
The NCSI header file <ncsi-pkt.h> comes from mainline Linux and was untabified.
Signed-off-by: Cédric Le Goater <clg@kaod.org>
Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Acked-by: Samuel Thibault <samuel.thibault@ens-lyon.org>
Signed-off-by: Jason Wang <jasowang@redhat.com>
2017-03-29 | slirp: Send RDNSS in RA only if host has an IPv6 DNS server | Samuel Thibault
Previously we would always send an RDNSS option in the RA, making the guest try to resolve DNS through IPv6, even if the host does not actually have an IPv6 DNS server available. This makes the RDNSS option enabled only when an IPv6 DNS server is available.
Signed-off-by: Samuel Thibault <samuel.thibault@ens-lyon.org>
Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
2017-03-29 | slirp: Make RA build more flexible | Samuel Thibault
Do not hardcode the RA size at all, use a pl_size variable which accounts the accumulated size, and fill rip->ip_pl at the end. This will allow to make some blocks optional.
Signed-off-by: Samuel Thibault <samuel.thibault@ens-lyon.org>
Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
2017-03-29 | slirp: fix compilation errors with DEBUG set | Laurent Vivier
    slirp/slirp.c: In function 'get_dns_addr_resolv_conf':
    slirp/slirp.c:202:29: error: initialization discards 'const' qualifier from pointer target type [-Werror=discarded-qualifiers]
    char *res = inet_ntop(af, tmp_addr, s, sizeof(s));
    ^~~~~~~~~
    slirp/slirp.c:204:25: error: assignment discards 'const' qualifier from pointer target type [-Werror=discarded-qualifiers]
    res = "(string conversion error)";
Signed-off-by: Laurent Vivier <laurent@vivier.eu>
Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Signed-off-by: Samuel Thibault <samuel.thibault@ens-lyon.org>
2017-02-26 | slirp: tcp_listen(): Don't try to close() an fd we never opened | Peter Maydell
Coverity points out (CID 1005725) that an error-exit path in tcp_listen() will try to close(s) even if the reason it got there was that the qemu_socket() failed and s was never opened. Not only that, this isn't even the right function to use, because we need closesocket() to do the right thing on Windows.
Change to using the right function and only calling it if needed.
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Signed-off-by: Samuel Thibault <samuel.thibault@ens-lyon.org>
2017-02-26 | slirp: Convert mbufs to use g_malloc() and g_free() | Peter Maydell
The mbuf code currently doesn't check the result of doing a malloc() or realloc() of its data (spotted by Coverity, CID 1238946). Since the m_inc() API assumes that extending an mbuf must succeed, just convert to g_malloc() and g_free().
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Signed-off-by: Samuel Thibault <samuel.thibault@ens-lyon.org>
2017-02-26 | slirp: Check qemu_socket() return value in udp_listen() | Peter Maydell
Check the return value from qemu_socket() rather than trying to pass it to bind() as an fd argument even if it's negative. This wouldn't have caused any negative consequences, because it won't be a valid fd number and the bind call will fail; but Coverity complains (CID 1005723).
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Signed-off-by: Samuel Thibault <samuel.thibault@ens-lyon.org>
2016-12-21 | slirp: support dynamic block size for TFTP transfers | Hervé Poussineau
The blocksize option is defined in RFC 1783 and RFC 2348. We now support block sizes between 1 and 1428 bytes, instead of 512 only.
Signed-off-by: Hervé Poussineau <hpoussin@reactos.org>
Signed-off-by: Samuel Thibault <samuel.thibault@ens-lyon.org>