path: root/slirp
Age | Commit message | Author
2014-09-23 | slirp: udp: fix NULL pointer dereference because of uninitialized socket | Petr Matousek
When guest sends udp packet with source port and source addr 0, uninitialized socket is picked up when looking for matching and already created udp sockets, and later passed to sosendto() where NULL pointer dereference is hit during so->slirp->vnetwork_mask.s_addr access. Fix this by checking that the socket is not just a socket stub. This is CVE-2014-3640. Signed-off-by: Petr Matousek <pmatouse@redhat.com> Reported-by: Xavier Mehrenberger <xavier.mehrenberger@airbus.com> Reported-by: Stephane Duverger <stephane.duverger@eads.net> Reviewed-by: Jan Kiszka <jan.kiszka@siemens.com> Reviewed-by: Michael S. Tsirkin <mst@redhat.com> Reviewed-by: Michael Tokarev <mjt@tls.msk.ru> Message-id: 20140918063537.GX9321@dhcp-25-225.brq.redhat.com Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2014-08-24 | slirp/misc: Use the GLib memory allocation APIs | zhanghailiang
Here we don't check the return value of malloc() which may fail. Use the g_new() instead, which will abort the program when there is not enough memory. Also, use g_strdup instead of strdup and remove the unnecessary strdup function. Signed-off-by: zhanghailiang <zhang.zhanghailiang@huawei.com> Reviewed-by: Alex Bennée <alex.bennee@linaro.org> Reviewed-by: Benoît Canet <benoit.canet@nodalink.com> Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
2014-06-24 | Increase maximum number of session of the internal TFTP server. | Bernhard Übelacker
Grub fails to boot from internal TFTP server when loading more than 3 initrd files. Grub first opens a session to the TFTP server for every initrd file and retrieves only the file size for all. Then it wants to download the content using the old sessions which are already expired. Increasing the maximum number of session of the internal TFTP server avoids this issue. The error message reads as follows:

    error: timeout reading `/boot/ISO.ROOT/BOOTMGR'. Press any key to continue...

Signed-off-by: Bernhard Übelacker <bernhardu@vr-web.de> Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
2014-06-10 | slirp: Remove unused zero_ethaddr[] variable | Peter Maydell
The zero_ethaddr[] array is never used; delete it. Signed-off-by: Peter Maydell <peter.maydell@linaro.org> Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
2014-06-09 | slirp/arp: do not special-case bogus IP addresses | Samuel Thibault
Do not special-case addresses with zero host part, as we do not necessarily know how big it is, and the guest can fake them anyway. Silently avoid having 0.0.0.0 as a destination, however. Signed-off-by: Samuel Thibault <samuel.thibault@ens-lyon.org> [Edgar: Minor change to subject] Reviewed-by: Edgar E. Iglesias <edgar.iglesias@xilinx.com> Signed-off-by: Edgar E. Iglesias <edgar.iglesias@xilinx.com>
2014-04-25 | slirp: Remove default_mon usage | Cole Robinson
These errors don't seem user initiated, so forcibly printing to the monitor doesn't seem right. Just use error_report. Drop lprint since it's now unused. Cc: Jan Kiszka <jan.kiszka@siemens.com> Signed-off-by: Cole Robinson <crobinso@redhat.com> Reviewed-by: Paolo Bonzini <pbonzini@redhat.com> Signed-off-by: Luiz Capitulino <lcapitulino@redhat.com>
2014-03-25 | Fixed various typos | Deepak Kathayat
Signed-off-by: Deepak Kathayat <deepak.mk17@gmail.com> Reviewed-by: Andreas Färber <afaerber@suse.de> Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
2013-10-26 | misc: Spelling and grammar fixes in comments | Stefan Weil
* it's -> its
* grammar fix in ui/vnc-enc-zywrle.h

Signed-off-by: Stefan Weil <sw@weilnetz.de> Reviewed-by: Don Koch <dkoch@verizon.com> Reviewed-by: Peter Maydell <peter.maydell@linaro.org> Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
2013-10-02 | slirp: call socket_set_fast_reuse instead of setting SO_REUSEADDR | Sebastian Ottlik
SO_REUSEADDR should be avoided on Windows but is desired on other operating systems. So instead of setting it we call socket_set_fast_reuse that will result in the appropriate behaviour on all operating systems. Signed-off-by: Sebastian Ottlik <ottlik@fzi.de> Reviewed-by: Eric Blake <eblake@redhat.com> Signed-off-by: Stefan Weil <sw@weilnetz.de>
2013-09-17 | slirp: clean up slirp_update_timeout | Jan Kiszka
No need to write out the timeout early, keep it local until we are done. Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
2013-09-17 | slirp: set mainloop timeout with more precise value | Liu Ping Fan
If slirp needs to emulate tcp timeout, then the timeout value for mainloop should be more precise, which is determined by slirp's fasttimo or slowtimo. Achieve this by swapping the logic sequence of slirp_pollfds_fill and slirp_update_timeout. Signed-off-by: Liu Ping Fan <pingfank@linux.vnet.ibm.com> Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
2013-09-17 | slirp: define timeout as macro | Liu Ping Fan
Signed-off-by: Liu Ping Fan <pingfank@linux.vnet.ibm.com> Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
2013-09-17 | slirp: make timeout local | Liu Ping Fan
Each slirp has its own time to calculate timeout. Signed-off-by: Liu Ping Fan <pingfank@linux.vnet.ibm.com> Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
2013-09-01 | slirp/arp_table.c: Avoid shifting into sign bit of signed integers | Peter Maydell
"0xf << 28" shifts right into the sign bit, since 0xf is a signed integer. Use the 'U' suffix to force an unsigned shift to avoid this undefined behaviour and a clang sanitizer warning. Signed-off-by: Peter Maydell <peter.maydell@linaro.org> Reviewed-by: Eric Blake <eblake@redhat.com> Acked-by: Jan Kiszka <jan.kiszka@siemens.com> Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
2013-09-01 | slirp: Port redirection option behaves differently on Linux and Windows | Taimoor Mirza
Port redirection code uses SO_REUSEADDR socket option before binding to host port. Behavior of SO_REUSEADDR is different on Windows and Linux. Relaunching QEMU with same host and guest port redirection values on Linux throws error but on Windows it does not throw any error. Problem is discussed in http://lists.gnu.org/archive/html/qemu-devel/2013-04/msg03089.html Signed-off-by: Taimoor Mirza <tmirza@codesourcery.com> Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
2013-08-22 | aio / timers: Switch entire codebase to the new timer API | Alex Bligh
This is an autogenerated patch using scripts/switch-timer-api. Switch the entire code base to using the new timer API. Note this patch may introduce some line length issues. Signed-off-by: Alex Bligh <alex@alex.org.uk> Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
2013-08-22 | aio / timers: Untangle include files | Alex Bligh
include/qemu/timer.h has no need to include main-loop.h and doing so causes an issue for the next patch. Unfortunately various files assume including timers.h will pull in main-loop.h. Untangle this mess. Signed-off-by: Alex Bligh <alex@alex.org.uk> Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
2013-07-19 | slirp: remove mbuf(m_hdr,m_dat) indirection | Michael Tokarev
2013-06-19 | make user networking hostfwd work with restrict=y | Gertjan Halkes
This patch allows the hostfwd option to override the restrict=y setting in the user network stack, as explicitly stated in the documentation on the restrict option:

    restrict=on|off
    If this option is enabled, the guest will be isolated, i.e. it will not be able to contact the host and no guest IP packets will be routed over the host to the outside. This option does not affect any explicitly set forwarding rules.

Qemu bug tracker: https://bugs.launchpad.net/qemu/+bug/829455
Signed-off-by: Gertjan Halkes <qemu@ghalkes.nl> Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
2013-06-01 | slirp: cleanup leftovers from misc.h | Michael Tokarev
There are quite a few leftover declarations in slirp/misc.h. Remove them. Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
2013-05-18 | remove some double-includes | Michael Tokarev
Some source files #include the same header more than once for no good reason. Remove second #includes in such cases. Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
2013-04-15 | sysemu: avoid proliferation of include/ subdirectories | Paolo Bonzini
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2013-04-02 | oslib-posix: rename socket_set_nonblock() to qemu_set_nonblock() | Stefan Hajnoczi
The fcntl(fd, F_SETFL, O_NONBLOCK) flag is not specific to sockets. Rename to qemu_set_nonblock() just like qemu_set_cloexec(). Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com> Reviewed-by: Eric Blake <eblake@redhat.com> Signed-off-by: Luiz Capitulino <lcapitulino@redhat.com>
2013-03-22 | MinGW: Replace setsockopt by qemu_setsocketopt | Stefan Weil
Instead of adding missing type casts which are needed by MinGW for the 4th argument, the patch uses qemu_setsockopt which was invented for this purpose. Signed-off-by: Stefan Weil <sw@weilnetz.de> Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
2013-03-04 | move socket_set_nodelay to osdep.c | MORITA Kazutaka
Signed-off-by: MORITA Kazutaka <morita.kazutaka@lab.ntt.co.jp> Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
2013-03-04 | slirp/tcp_subr.c: fix coding style in tcp_connect | MORITA Kazutaka
Fix coding style in tcp_connect before the next patch. Signed-off-by: MORITA Kazutaka <morita.kazutaka@lab.ntt.co.jp> Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
2013-02-26 | slirp: Properly initialize pollfds_idx of new sockets | Jan Kiszka
Otherwise we may start processing sockets in slirp_pollfds_poll that were created past slirp_pollfds_fill. Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com> Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
2013-02-21 | slirp: switch to GPollFD | Stefan Hajnoczi
Slirp uses rfds/wfds/xfds more extensively than other QEMU components. The rarely-used out-of-band TCP data feature is used. That means we need the full table of select(2) to g_poll(3) events:

    rfds -> G_IO_IN | G_IO_HUP | G_IO_ERR
    wfds -> G_IO_OUT | G_IO_ERR
    xfds -> G_IO_PRI

I came up with this table by looking at Linux fs/select.c which maps select(2) to poll(2) internally.

Another detail to watch out for are the global variables that reference rfds/wfds/xfds during slirp_select_poll(). sofcantrcvmore() and sofcantsendmore() use these globals to clear fd_set bits. When sofcantrcvmore() is called, the wfds bit is cleared so that the write handler will no longer be run for this iteration of the event loop.

This actually seems buggy to me since TCP connections can be half-closed and we'd still want to handle data in half-duplex fashion. I think the real intention is to avoid running the read/write handler when the socket has been fully closed. This is indicated with the SS_NOFDREF state bit so we now check for it before invoking the TCP write handler. Note that UDP/ICMP code paths don't care because they are connectionless.

Note that slirp/ has a lot of tabs and sometimes mixed tabs with spaces. I followed the style of the surrounding code.

Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com> Reviewed-by: Laszlo Ersek <lersek@redhat.com> Message-id: 1361356113-11049-6-git-send-email-stefanha@redhat.com Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
2013-02-21 | slirp: slirp/slirp.c coding style cleanup | Stefan Hajnoczi
The slirp glue code uses tabs in some places. Since the next patch will modify the file, convert tabs to spaces and fix checkpatch.pl issues. Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com> Reviewed-by: Laszlo Ersek <lersek@redhat.com> Message-id: 1361356113-11049-5-git-send-email-stefanha@redhat.com Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
2013-01-30 | g_strdup(NULL) returns NULL; simplify | Markus Armbruster
Signed-off-by: Markus Armbruster <armbru@redhat.com> Reviewed-by: Eric Blake <eblake@redhat.com> Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
2013-01-12 | slirp: remove unused field tt | Blue Swirl
Signed-off-by: Blue Swirl <blauwirbel@gmail.com>
2012-12-19 | softmmu: move remaining include files to include/ subdirectories | Paolo Bonzini
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2012-12-19 | misc: move include files to include/qemu/ | Paolo Bonzini
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2012-12-19 | monitor: move include files to include/monitor/ | Paolo Bonzini
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2012-12-19 | janitor: add guards to headers | Paolo Bonzini
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2012-12-07 | Fix comments (adress -> address, layed -> laid, wierd -> weird) | Stefan Weil
Remove also a duplicated 'the'. Signed-off-by: Stefan Weil <sw@weilnetz.de> Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
2012-11-15 | slirp: Add domain-search option to slirp's DHCP server | Klaus Stengel
This patch will allow the user to include the domain-search option in replies from the built-in DHCP server. The domain suffixes can be specified by adding dnssearch= entries to the "-net user" parameter. [Jan: tiny style adjustments] Signed-off-by: Klaus Stengel <Klaus.Stengel@asamnet.de> Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
2012-11-15 | slirp: Don't crash on packets from 0.0.0.0/8. | Nickolai Zeldovich
LWIP can generate packets with a source of 0.0.0.0, which triggers an assertion failure in arp_table_add(). Instead of crashing, simply return to avoid adding an invalid ARP table entry. Signed-off-by: Nickolai Zeldovich <nickolai@csail.mit.edu> Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
2012-11-10 | slirp: remove unused function u_sleep | Blue Swirl
Signed-off-by: Blue Swirl <blauwirbel@gmail.com>
2012-10-05 | cleanup useless return sentence | Amos Kong
This patch cleans up return sentences in the end of void functions. Reported-by: Paolo Bonzini <pbonzini@redhat.com> Signed-off-by: Amos Kong <akong@redhat.com> Signed-off-by: Stefan Hajnoczi <stefanha@gmail.com>
2012-10-05 | slirp: Fix spelling in comment (enought -> enough, insure -> ensure) | Stefan Weil
Signed-off-by: Stefan Weil <sw@weilnetz.de> Signed-off-by: Stefan Hajnoczi <stefanha@gmail.com>
2012-09-14 | slirp: Implement TFTP Blocksize option | Hervé Poussineau
This option is described in RFC 1783. As this is only an optional field, we may ignore it in some situations and handle it in some others. However, MS Windows 2003 PXE boot client requests a block size of the MTU (most of the times 1472 bytes), and doesn't work if the option is not acknowledged (with whatever value). According to the RFC 1783, we cannot acknowledge the option with a bigger value than the requested one. As current implementation is using 512 bytes by block, accept the option with a value of 512 if the option was specified, and don't acknowledge it if it is not present or less than 512 bytes. Signed-off-by: Hervé Poussineau <hpoussin@reactos.org> Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
2012-09-13 | slirp: Remove unused return value of tftp_send_next_block | Jan Kiszka
No caller actually makes use of this value, so let's simplify the code. Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
2012-09-13 | slirp: Handle more than 65535 blocks in TFTP transfers | Hervé Poussineau
RFC 1350 does not mention block count roll-over. However, a lot of TFTP servers implement it to be able to transmit big files, so do it also. Current block size is 512 bytes, so TFTP files were limited to 32 MB. Signed-off-by: Hervé Poussineau <hpoussin@reactos.org> Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
2012-09-13 | slirp: improve TFTP performance | Hervé Poussineau
When transferring a file, keep it open during the whole transfer, instead of opening/closing it for each block. Signed-off-by: Hervé Poussineau <hpoussin@reactos.org> Reviewed-by: Aurelien Jarno <aurelien@aurel32.net> Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
2012-09-13 | slirp: Fix error reported by static code analysis | Stefan Weil
Report from smatch:

    slirp/tcp_subr.c:127 tcp_respond(17) error: we previously assumed 'tp' could be null (see line 124)

Return if 'tp' is NULL.
Signed-off-by: Stefan Weil <sw@weilnetz.de> Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
2012-09-13 | slirp: Remove wrong type casts in debug statements | Stefan Weil
The type casts of pointers to long are not allowed when sizeof(pointer) != sizeof(long). Signed-off-by: Stefan Weil <sw@weilnetz.de> Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
2012-08-06 | slirp: fix build on mingw32 | Anthony Liguori
in_addr_t isn't available on mingw32. Just use an unsigned long instead. I considered typedef'ing in_addr_t on mingw32 but this would potentially be brittle if mingw32 did introduce the type. Cc: Jan Kiszka <jan.kiszka@siemens.com> Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
2012-08-03 | slirp: Handle whole 127.0.0.0/8 network as local addresses. | Anders Waldenborg
Changes so translation of remote address to the host's ip address in the virtual network happens for all addresses in the 127.0.0.0/8 network, not just 127.0.0.1. This fixes so that hostfwd bound to addresses such as 127.0.0.2 works. Signed-off-by: Anders Waldenborg <anders@0x63.nu> Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
2012-08-01 | net: determine if packets can be sent before net queue deliver packets | Zhi Yong Wu
Reviewed-by: Paolo Bonzini <pbonzini@redhat.com> Signed-off-by: Zhi Yong Wu <wuzhy@linux.vnet.ibm.com> Signed-off-by: Stefan Hajnoczi <stefanha@linux.vnet.ibm.com> Reviewed-by: Laszlo Ersek <lersek@redhat.com>