aboutsummaryrefslogtreecommitdiff
path: root/slirp
AgeCommit message (Collapse)Author
2017-06-06migration: remove register_savevm()Laurent Vivier
We can replace the four remaining calls of register_savevm() by calls to register_savevm_live(). So we can remove the function and as we don't allocate anymore the ops pointer with g_new0() we don't have to free it then. Signed-off-by: Laurent Vivier <lvivier@redhat.com> Reviewed-by: Juan Quintela <quintela@redhat.com> Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
2017-06-02char: move CharBackend handling in char-fe unitMarc-André Lureau
Move all the frontend struct and methods to a seperate unit. This avoids accidentally mixing backend and frontend calls, and helps with readabilty. Make qemu_chr_replay() a macro shared by both char and char-fe. Export qemu_chr_write(), and use a macro for qemu_chr_write_all() (nb: yes, CharBackend is for char frontend :) Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com> Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
2017-06-02chardev: move headers to include/chardevMarc-André Lureau
So they are all in one place. The following patch will move serial & parallel declarations to the respective headers. Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com> Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
2017-05-27Fix total IP header length in forwarded TCP packetsSjors Gielen
When forwarding TCP packets, the internal tcpiphdr struct length was wrongly used inside the IP header. This commit changes the behaviour to what is used by tcp_output.c, using the correct full IP header + payload length. Signed-off-by: Sjors Gielen <sjors@sjorsgielen.nl> Signed-off-by: Samuel Thibault <samuel.thibault@ens-lyon.org>
2017-05-27slirp: fix leakMarc-André Lureau
Spotted by ASAN: /x86_64/hmp/pc-0.12: ================================================================= ==22538==ERROR: LeakSanitizer: detected memory leaks Direct leak of 224 byte(s) in 1 object(s) allocated from: #0 0x7f0f63cdee60 in malloc (/lib64/libasan.so.3+0xc6e60) #1 0x556f11ff32d7 in tcp_newtcpcb /home/elmarco/src/qemu/slirp/tcp_subr.c:250 #2 0x556f11fdb1d1 in tcp_listen /home/elmarco/src/qemu/slirp/socket.c:688 #3 0x556f11fca9d5 in slirp_add_hostfwd /home/elmarco/src/qemu/slirp/slirp.c:1052 #4 0x556f11f8db41 in slirp_hostfwd /home/elmarco/src/qemu/net/slirp.c:506 #5 0x556f11f8dd83 in hmp_hostfwd_add /home/elmarco/src/qemu/net/slirp.c:535 There might be a better way to fix this, but calling slirp tcp_close() doesn't work. Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com> Signed-off-by: Samuel Thibault <samuel.thibault@ens-lyon.org>
2017-05-27slirp: Fix wrong mss bug.Tao Wu
This bug was introduced by https://github.com/qemu/qemu/commit/98c6305 Signed-off-by: Tao Wu <lepton@google.com> Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org> Signed-off-bu: Samuel Thibault <samuel.thibault@ens-lyon.org>
2017-04-29slirp: VMStatify remaining except for loopDr. David Alan Gilbert
This converts the remaining components, except for the top level loop, to VMState. Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com> Reviewed-by: Juan Quintela <quintela@redhat.com> Signed-off-by: Samuel Thibault <samuel.thibault@ens-lyon.org>
2017-04-29slirp: VMStatify socket levelDr. David Alan Gilbert
Working up the stack, this replaces the slirp_socket_load/save with VMState definitions. A place holder for IPv6 support is added as a comment; it needs testing once the rest of the IPv6 code is there. Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com> Signed-off-by: Samuel Thibault <samuel.thibault@ens-lyon.org>
2017-04-29slirp: Common lhost/fhost unionDr. David Alan Gilbert
The socket structure has a pair of unions for lhost and fhost addresses; the unions are identical so split them out into a separate union declaration. Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com> Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org> Reviewed-by: Juan Quintela <quintela@redhat.com> Signed-off-by: Samuel Thibault <samuel.thibault@ens-lyon.org>
2017-04-29slirp: VMStatify sbufDr. David Alan Gilbert
Convert the sbuf structure to a VMStateDescription. Note this uses the VMSTATE_WITH_TMP mechanism to calculate and reload the offsets based on the pointers. Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com> Reviewed-by: David Gibson <david@gibson.dropbear.id.au> Reviewed-by: Juan Quintela <quintela@redhat.com> Signed-off-by: Samuel Thibault <samuel.thibault@ens-lyon.org>
2017-04-29slirp: VMState conversion; tcpcbDr. David Alan Gilbert
Convert the migration of the struct tcpcb to use a VMStateDescription, the rest of it will come later. Mostly mechanical, except for conversion of some 'char' to uint8_t to ensure portability. Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com> Reviewed-by: Samuel Thibault <samuel.thibault@ens-lyon.org> Reviewed-by: Juan Quintela <quintela@redhat.com> Signed-off-by: Samuel Thibault <samuel.thibault@ens-lyon.org>
2017-04-29slirp: fix pinging the virtual ipv4 DNS serverSamuel Thibault
so that people do not think it is not working at least basically. Signed-off-by: Samuel Thibault <samuel.thibault@ens-lyon.org>
2017-04-29slirp: tftp, copy sockaddr_sizeMarc-André Lureau
ASAN detects an "unknown-crash" when running pxe-test: /ppc64/pxe/spapr-vlan: ================================================================= ==7143==ERROR: AddressSanitizer: unknown-crash on address 0x7f6dcd298d30 at pc 0x55e22218830d bp 0x7f6dcd2989e0 sp 0x7f6dcd2989d0 READ of size 128 at 0x7f6dcd298d30 thread T2 #0 0x55e22218830c in tftp_session_allocate /home/elmarco/src/qq/slirp/tftp.c:73 #1 0x55e22218a1f8 in tftp_handle_rrq /home/elmarco/src/qq/slirp/tftp.c:289 #2 0x55e22218b54c in tftp_input /home/elmarco/src/qq/slirp/tftp.c:446 #3 0x55e2221833fe in udp6_input /home/elmarco/src/qq/slirp/udp6.c:82 #4 0x55e222137b17 in ip6_input /home/elmarco/src/qq/slirp/ip6_input.c:67 Address 0x7f6dcd298d30 is located in stack of thread T2 at offset 96 in frame #0 0x55e222182420 in udp6_input /home/elmarco/src/qq/slirp/udp6.c:13 This frame has 3 object(s): [32, 48) '<unknown>' [96, 124) 'lhost' <== Memory access at offset 96 partially overflows this variable [160, 200) 'save_ip' <== Memory access at offset 96 partially underflows this variable The sockaddr_storage pointer is the sockaddr_in6 lhost on the stack. Copy only the source addr size. Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com> Reviewed-by: Thomas Huth <thuth@redhat.com> Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org> Signed-off-by: Samuel Thibault <samuel.thibault@ens-lyon.org>
2017-04-25slirp: add a fake NC-SI backendCédric Le Goater
NC-SI (Network Controller Sideband Interface) enables a BMC to manage a set of NICs on a system. This model takes the simplest approach and reverses the NC-SI packets to pretend a NIC is present and exercise the Linux driver. The NCSI header file <ncsi-pkt.h> comes from mainline Linux and was untabified. Signed-off-by: Cédric Le Goater <clg@kaod.org> Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org> Acked-by: Samuel Thibault <samuel.thibault@ens-lyon.org> Signed-off-by: Jason Wang <jasowang@redhat.com>
2017-03-29slirp: Send RDNSS in RA only if host has an IPv6 DNS serverSamuel Thibault
Previously we would always send an RDNSS option in the RA, making the guest try to resolve DNS through IPv6, even if the host does not actually have and IPv6 DNS server available. This makes the RDNSS option enabled only when an IPv6 DNS server is available. Signed-off-by: Samuel Thibault <samuel.thibault@ens-lyon.org> Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
2017-03-29slirp: Make RA build more flexibleSamuel Thibault
Do not hardcode the RA size at all, use a pl_size variable which accounts the accumulated size, and fill rip->ip_pl at the end. This will allow to make some blocks optional. Signed-off-by: Samuel Thibault <samuel.thibault@ens-lyon.org> Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
2017-03-29slirp: fix compilation errors with DEBUG setLaurent Vivier
slirp/slirp.c: In function 'get_dns_addr_resolv_conf': slirp/slirp.c:202:29: error: initialization discards 'const' qualifier from pointer target type [-Werror=discarded-qualifiers] char *res = inet_ntop(af, tmp_addr, s, sizeof(s)); ^~~~~~~~~ slirp/slirp.c:204:25: error: assignment discards 'const' qualifier from pointer target type [-Werror=discarded-qualifiers] res = "(string conversion error)"; Signed-off-by: Laurent Vivier <laurent@vivier.eu> Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org> Signed-off-by: Samuel Thibault <samuel.thibault@ens-lyon.org>
2017-02-26slirp: tcp_listen(): Don't try to close() an fd we never openedPeter Maydell
Coverity points out (CID 1005725) that an error-exit path in tcp_listen() will try to close(s) even if the reason it got there was that the qemu_socket() failed and s was never opened. Not only that, this isn't even the right function to use, because we need closesocket() to do the right thing on Windows. Change to using the right function and only calling it if needed. Signed-off-by: Peter Maydell <peter.maydell@linaro.org> Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org> Signed-off-by: Samuel Thibault <samuel.thibault@ens-lyon.org>
2017-02-26slirp: Convert mbufs to use g_malloc() and g_free()Peter Maydell
The mbuf code currently doesn't check the result of doing a malloc() or realloc() of its data (spotted by Coverity, CID 1238946). Since the m_inc() API assumes that extending an mbuf must succeed, just convert to g_malloc() and g_free(). Signed-off-by: Peter Maydell <peter.maydell@linaro.org> Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org> Signed-off-by: Samuel Thibault <samuel.thibault@ens-lyon.org>
2017-02-26slirp: Check qemu_socket() return value in udp_listen()Peter Maydell
Check the return value from qemu_socket() rather than trying to pass it to bind() as an fd argument even if it's negative. This wouldn't have caused any negative consequences, because it won't be a valid fd number and the bind call will fail; but Coverity complains (CID 1005723). Signed-off-by: Peter Maydell <peter.maydell@linaro.org> Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org> Signed-off-by: Samuel Thibault <samuel.thibault@ens-lyon.org>
2016-12-21slirp: support dynamic block size for TFTP transfersHervé Poussineau
The blocksize option is defined in RFC 1783 and RFC 2348. We now support block sizes between 1 and 1428 bytes, instead of 512 only. Signed-off-by: Hervé Poussineau <hpoussin@reactos.org> Signed-off-by: Samuel Thibault <samuel.thibault@ens-lyon.org>
2016-12-20slirp, disas: Replace min/max with MIN/MAX macrosYuval Shaia
Signed-off-by: Yuval Shaia <yuval.shaia@oracle.com> Reviewed-by: Markus Armbruster <armbru@redhat.com> Reviewed-by: Laurent Vivier <lvivier@redhat.com> Signed-off-by: Samuel Thibault <samuel.thibault@ens-lyon.org>
2016-11-14slirp: Fix access to freed memorySamuel Thibault
if_start() goes through the slirp->if_fastq and slirp->if_batchq list of pending messages, and accesses ifm->ifq_so->so_nqueued of its elements if ifm->ifq_so != NULL. When freeing a socket, we thus need to make sure that any pending message for this socket does not refer to the socket any more. Signed-off-by: Samuel Thibault <samuel.thibault@ens-lyon.org> Tested-by: Brian Candler <b.candler@pobox.com> Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
2016-09-13hw: replace most use of qemu_chr_fe_write with qemu_chr_fe_write_allDaniel P. Berrange
The qemu_chr_fe_write method will return -1 on EAGAIN if the chardev backend write would block. Almost no callers of the qemu_chr_fe_write() method check the return value, instead blindly assuming data was successfully sent. In most cases this will lead to silent data loss on interactive consoles, but in some cases (eg RNG EGD) it'll just cause corruption of the protocol being spoken. We unfortunately can't fix the virtio-console code, due to a bug in the Linux guest drivers, which would cause the entire Linux kernel to hang if we delay processing of the incoming data in any way. Fixing this requires first fixing the guest driver to not hold spinlocks while writing to the hvc device backend. Fixes bug: https://bugs.launchpad.net/qemu/+bug/1586756 Signed-off-by: Daniel P. Berrange <berrange@redhat.com> Message-Id: <1473170165-540-4-git-send-email-berrange@redhat.com> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2016-08-16slirp: Rename "struct arphdr" to "struct slirp_arphdr"Thomas Huth
struct arphdr is already used by the system headers on OpenBSD and thus QEMU does not compile here anymore. Fix it by renaming our struct to slirp_arphdr instead. Reported-by: Brad Smith Reviewed-by: Samuel Thibault <samuel.thibault@ens-lyon.org> Signed-off-by: Thomas Huth <thuth@redhat.com> Message-id: 1471249494-17392-1-git-send-email-thuth@redhat.com Buglink: https://bugs.launchpad.net/qemu/+bug/1613133 Signed-off-by: Thomas Huth <thuth@redhat.com> Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2016-08-08error: Strip trailing '\n' from error string arguments (again)Markus Armbruster
Commit 9af9e0f, 6daf194d, be62a2eb and 312fd5f got rid of a bunch, but they keep coming back. checkpatch.pl tries to flag them since commit 5d596c2, but it's not very good at it. Offenders tracked down with Coccinelle script scripts/coccinelle/err-bad-newline.cocci, an updated version of the script from commit 312fd5f. Signed-off-by: Markus Armbruster <armbru@redhat.com> Message-Id: <1470224274-31522-2-git-send-email-armbru@redhat.com> Reviewed-by: Eric Blake <eblake@redhat.com>
2016-07-12Clean up decorations and whitespace around header guardsMarkus Armbruster
Cleaned up with scripts/clean-header-guards.pl. Signed-off-by: Markus Armbruster <armbru@redhat.com> Reviewed-by: Richard Henderson <rth@twiddle.net>
2016-07-12Clean up ill-advised or unusual header guardsMarkus Armbruster
Cleaned up with scripts/clean-header-guards.pl. Signed-off-by: Markus Armbruster <armbru@redhat.com> Reviewed-by: Richard Henderson <rth@twiddle.net>
2016-07-12Clean up header guards that don't match their file nameMarkus Armbruster
Header guard symbols should match their file name to make guard collisions less likely. Offenders found with scripts/clean-header-guards.pl -vn. Cleaned up with scripts/clean-header-guards.pl, followed by some renaming of new guard symbols picked by the script to better ones. Signed-off-by: Markus Armbruster <armbru@redhat.com> Reviewed-by: Richard Henderson <rth@twiddle.net>
2016-07-12Use #include "..." for our own headers, <...> for othersMarkus Armbruster
Tracked down with an ugly, brittle and probably buggy Perl script. Also move includes converted to <...> up so they get included before ours where that's obviously okay. Signed-off-by: Markus Armbruster <armbru@redhat.com> Reviewed-by: Eric Blake <eblake@redhat.com> Tested-by: Eric Blake <eblake@redhat.com> Reviewed-by: Richard Henderson <rth@twiddle.net>
2016-07-03slirp: Add support for stateless DHCPv6Thomas Huth
Provide basic support for stateless DHCPv6 (see RFC 3736) so that guests can also automatically boot via IPv6 with SLIRP (for IPv6 network booting, see RFC 5970 for details). Tested with: qemu-system-ppc64 -nographic -vga none -boot n -net nic \ -net user,ipv6=yes,ipv4=no,tftp=/path/to/tftp,bootfile=ppc64.img Signed-off-by: Thomas Huth <thuth@redhat.com> Signed-off-by: Samuel Thibault <samuel.thibault@ens-lyon.org>
2016-07-03slirp: Remove superfluous memset() calls from the TFTP codeThomas Huth
Commit fad7fb9ccd8013ea03 ("Add IPv6 support to the TFTP code") refactored some common code for preparing the mbuf into a new function called tftp_prep_mbuf_data(). One part of this common code is to do a "memset(m->m_data, 0, m->m_size);" for the related buffer first. However, at two spots, the memset() was not removed from the calling function, so it currently done twice in these code paths. Thus let's delete these superfluous memsets in the calling functions now. Signed-off-by: Thomas Huth <thuth@redhat.com> Signed-off-by: Samuel Thibault <samuel.thibault@ens-lyon.org>
2016-07-03slirp: Add RDNSS advertisementSamuel Thibault
This adds the RDNSS option to IPv6 router advertisements, so that the guest can autoconfigure the DNS server address. Signed-off-by: Samuel Thibault <samuel.thibault@ens-lyon.org> Reviewed-by: Thomas Huth <thuth@redhat.com> --- Changes since last submission: - Disable on windows, until we have support for it
2016-07-03slirp: Support link-local DNS addressesSamuel Thibault
They look like fe80::%eth0 Signed-off-by: Samuel Thibault <samuel.thibault@ens-lyon.org> Reviewed-by: Thomas Huth <thuth@redhat.com> --- Changes since last submission: - fix windows build
2016-07-03slirp: Add dns6 resolutionSamuel Thibault
This makes get_dns_addr address family-agnostic, thus allowing to add the IPv6 case. Signed-off-by: Samuel Thibault <samuel.thibault@ens-lyon.org> Reviewed-by: Thomas Huth <thuth@redhat.com>
2016-07-03slirp: Split get_dns_addrSamuel Thibault
Separate get_dns_addr into get_dns_addr_cached and get_dns_addr_resolv_conf to make conversion to IPv6 easier. Signed-off-by: Samuel Thibault <samuel.thibault@ens-lyon.org> Reviewed-by: Thomas Huth <thuth@redhat.com>
2016-06-07slirp: Use DIV_ROUND_UPLaurent Vivier
Replace (((n) + (d) - 1) /(d)) by DIV_ROUND_UP(n,d). This patch is the result of coccinelle script scripts/coccinelle/round.cocci CC: Samuel Thibault <samuel.thibault@ens-lyon.org> Signed-off-by: Laurent Vivier <lvivier@redhat.com> Acked-by: Samuel Thibault <samuel.thibault@ens-lyon.org> Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
2016-06-07all: Remove unnecessary glib.h includesPeter Maydell
Remove glib.h includes, as it is provided by osdep.h. This commit was created with scripts/clean-includes. Signed-off-by: Peter Maydell <peter.maydell@linaro.org> Reviewed-by: Eric Blake <eblake@redhat.com> Tested-by: Eric Blake <eblake@redhat.com> Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
2016-05-19qemu-common: stop including qemu/host-utils.h from qemu-common.hPaolo Bonzini
Move it to the actual users. There are some inclusions of qemu/host-utils.h in headers, but they are all necessary. Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2016-05-18Fix some typos found by codespellStefan Weil
Signed-off-by: Stefan Weil <sw@weilnetz.de> Reviewed-by: Peter Maydell <peter.maydell@linaro.org> Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
2016-05-16slirp: Clean up osdep.h related header inclusionsThomas Huth
qemu/osdep.h is included in some headers twice - one time should be sufficient. Also remove the inclusion of time.h since that is already done by osdep.h, too (this makes scripts/clean-includes happy again). Signed-off-by: Thomas Huth <thuth@redhat.com> Reviewed-by: Peter Maydell <peter.maydell@linaro.org> Signed-off-by: Samuel Thibault <samuel.thibault@ens-lyon.org>
2016-05-16slirp: Remove some unused code from slirp.hThomas Huth
These hunks are apparently not used anymore, so let's delete them. Signed-off-by: Thomas Huth <thuth@redhat.com> Reviewed-by: Peter Maydell <peter.maydell@linaro.org> Signed-off-by: Samuel Thibault <samuel.thibault@ens-lyon.org>
2016-05-16slirp: Remove obsolete backward-compatibility cruftThomas Huth
The slirp code does not use index() and gethostid() anymore, so these parts can be removed without problems. memmove() and strerror() should be available on each of the supported platforms nowadays, too, so these wrappers are also not needed anymore. And we certainly also do not support Ultrix anymore, so no need to keep the code for this platform anymore. Signed-off-by: Thomas Huth <thuth@redhat.com> Reviewed-by: Peter Maydell <peter.maydell@linaro.org> Signed-off-by: Samuel Thibault <samuel.thibault@ens-lyon.org>
2016-05-16slirp: Clean up slirp_config.hThomas Huth
There are a lot of unused #defines / #undefs in slirp_config.h, which are apparently left-overs from the very early slirp code. Since there is no more code that uses them, let's simply remove them from our version of slirp. Signed-off-by: Thomas Huth <thuth@redhat.com> Reviewed-by: Peter Maydell <peter.maydell@linaro.org> Signed-off-by: Samuel Thibault <samuel.thibault@ens-lyon.org>
2016-04-28slirp: fix guest network access with darwin hostSamuel Thibault
On Darwin, connect, sendto and friends want the exact size of the sockaddr, not more (and in particular, not sizeof(struct sockaddr_storaget)) This commit adds the sockaddr_size helper to be used when passing a sockaddr size to such function, and makes use of it int sendto and connect calls. Signed-off-by: Samuel Thibault <samuel.thibault@ens-lyon.org> Reviewed-by: John Arbuckle <programmingkidx@gmail.com> Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2016-04-15wxx: Fix broken TCP networking (regression)Stefan Weil
It is broken since commit c619644067f98098dcdbc951e2dda79e97560afa. Reported-by: Michael Fritscher <michael@fritscher.net> Tested-by: Michael Fritscher <michael@fritscher.net> Reviewed-by: Peter Maydell <peter.maydell@linaro.org> Reviewed-by: Daniel P. Berrange <berrange@redhat.com> Signed-off-by: Stefan Weil <sw@weilnetz.de>
2016-04-07slirp: handle deferred ECONNREFUSED on non-blocking TCP socketsSteven Luo
slirp currently only handles ECONNREFUSED in the case where connect() returns immediately with that error; since we use non-blocking sockets, most of the time we won't receive the error until we later try to read from the socket. Ensure that we deliver the appropriate RST to the guest in this case. Signed-off-by: Steven Luo <steven+qemu@steven676.net> Reviewed-by: Edgar E. Iglesias <edgar.iglesias@xilinx.com> Signed-off-by: Samuel Thibault <samuel.thibault@ens-lyon.org>
2016-04-07slirp: Propagate host TCP RST to the guest.Edgar E. Iglesias
When the host aborts (RST) its side of a TCP connection we need to propagate that RST to the guest. The current code can leave such guest connections dangling forever. Spotted by Jason Wessel. Signed-off-by: Edgar E. Iglesias <edgar.iglesias@xilinx.com> [steven@steven676.net: coding style adjustments] Signed-off-by: Steven Luo <steven+qemu@steven676.net> Signed-off-by: Samuel Thibault <samuel.thibault@ens-lyon.org>
2016-04-07slirp: avoid use-after-free in slirp_pollfds_poll() if soread() returns an errorSteven Luo
Samuel Thibault pointed out that it's possible that slirp_pollfds_poll() will try to use a socket even after soread() returns an error, resulting in an use-after-free if the socket was removed while handling the error. Avoid this by refusing to continue to work with the socket in this case. Signed-off-by: Steven Luo <steven+qemu@steven676.net> Signed-off-by: Samuel Thibault <samuel.thibault@ens-lyon.org>
2016-04-07slirp: don't crash when tcp_sockclosed() is called with a NULL tpSteven Luo
Signed-off-by: Steven Luo <steven+qemu@steven676.net> Reviewed-by: Edgar E. Iglesias <edgar.iglesias@xilinx.com> Signed-off-by: Samuel Thibault <samuel.thibault@ens-lyon.org>