summaryrefslogtreecommitdiff
path: root/slirp
AgeCommit message (Collapse)AuthorFilesLines
2014-09-23slirp: udp: fix NULL pointer dereference because of uninitialized socketPetr Matousek1-1/+1
When guest sends udp packet with source port and source addr 0, uninitialized socket is picked up when looking for matching and already created udp sockets, and later passed to sosendto() where NULL pointer dereference is hit during so->slirp->vnetwork_mask.s_addr access. Fix this by checking that the socket is not just a socket stub. This is CVE-2014-3640. Signed-off-by: Petr Matousek <pmatouse@redhat.com> Reported-by: Xavier Mehrenberger <xavier.mehrenberger@airbus.com> Reported-by: Stephane Duverger <stephane.duverger@eads.net> Reviewed-by: Jan Kiszka <jan.kiszka@siemens.com> Reviewed-by: Michael S. Tsirkin <mst@redhat.com> Reviewed-by: Michael Tokarev <mjt@tls.msk.ru> Message-id: 20140918063537.GX9321@dhcp-25-225.brq.redhat.com Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2014-08-24slirp/misc: Use the GLib memory allocation APIszhanghailiang3-24/+3
Here we don't check the return value of malloc() which may fail. Use the g_new() instead, which will abort the program when there is not enough memory. Also, use g_strdup instead of strdup and remove the unnecessary strdup function. Signed-off-by: zhanghailiang <zhang.zhanghailiang@huawei.com> Reviewed-by: Alex Bennée <alex.bennee@linaro.org> Reviewed-by: Benoît Canet <benoit.canet@nodalink.com> Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
2014-06-24Increase maximum number of session of the internal TFTP server.Bernhard Übelacker1-1/+1
Grub fails to boot from internal TFTP server when loading more than 3 initrd files. Grub first opens a session to the TFTP server for every initrd file and retrieves only the file size for all. Then it wants to download the content using the old sessions which are already expired. Increasing the maximum number of session of the internal TFTP server avoids this issue. The error message reads as following: error: timeout reading `/boot/ISO.ROOT/BOOTMGR'. Press any key to continue... Signed-off-by: Bernhard Übelacker <bernhardu@vr-web.de> Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
2014-06-10slirp: Remove unused zero_ethaddr[] variablePeter Maydell1-2/+0
The zero_ethaddr[] array is never used; delete it. Signed-off-by: Peter Maydell <peter.maydell@linaro.org> Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
2014-06-09slirp/arp: do not special-case bogus IP addressesSamuel Thibault2-9/+6
Do not special-case addresses with zero host part, as we do not necessarily know how big it is, and the guest can fake them anyway. Silently avoid having 0.0.0.0 as a destination, however. Signed-off-by: Samuel Thibault <samuel.thibault@ens-lyon.org> [Edgar: Minor change to subject] Reviewed-by: Edgar E. Iglesias <edgar.iglesias@xilinx.com> Signed-off-by: Edgar E. Iglesias <edgar.iglesias@xilinx.com>
2014-04-25slirp: Remove default_mon usageCole Robinson3-17/+6
These errors don't seem user initiated, so forcibly printing to the monitor doesn't seem right. Just use error_report. Drop lprint since it's now unused. Cc: Jan Kiszka <jan.kiszka@siemens.com> Signed-off-by: Cole Robinson <crobinso@redhat.com> Reviewed-by: Paolo Bonzini <pbonzini@redhat.com> Signed-off-by: Luiz Capitulino <lcapitulino@redhat.com>
2014-03-25Fixed various typosDeepak Kathayat1-1/+1
Signed-off-by: Deepak Kathayat <deepak.mk17@gmail.com> Reviewed-by: Andreas Färber <afaerber@suse.de> Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
2013-10-26misc: Spelling and grammar fixes in commentsStefan Weil1-1/+1
* it's -> its * grammar fix in ui/vnc-enc-zywrle.h Signed-off-by: Stefan Weil <sw@weilnetz.de> Reviewed-by: Don Koch <dkoch@verizon.com> Reviewed-by: Peter Maydell <peter.maydell@linaro.org> Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
2013-10-02slirp: call socket_set_fast_reuse instead of setting SO_REUSEADDRSebastian Ottlik4-11/+6
SO_REUSEADDR should be avoided on Windows but is desired on other operating systems. So instead of setting it we call socket_set_fast_reuse that will result in the appropriate behaviour on all operating systems. Signed-off-by: Sebastian Ottlik <ottlik@fzi.de> Reviewed-by: Eric Blake <eblake@redhat.com> Signed-off-by: Stefan Weil <sw@weilnetz.de>
2013-09-17slirp: clean up slirp_update_timeoutJan Kiszka1-2/+2
No need to write out the timeout early, keep it local until we are done. Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
2013-09-17slirp: set mainloop timeout with more precise valueLiu Ping Fan2-6/+25
If slirp needs to emulate tcp timeout, then the timeout value for mainloop should be more precise, which is determined by slirp's fasttimo or slowtimo. Achieve this by swap the logic sequence of slirp_pollfds_fill and slirp_update_timeout. Signed-off-by: Liu Ping Fan <pingfank@linux.vnet.ibm.com> Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
2013-09-17slirp: define timeout as macroLiu Ping Fan1-5/+12
Signed-off-by: Liu Ping Fan <pingfank@linux.vnet.ibm.com> Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
2013-09-17slirp: make timeout localLiu Ping Fan2-12/+13
Each slirp has its own time to caculate timeout. Signed-off-by: Liu Ping Fan <pingfank@linux.vnet.ibm.com> Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
2013-09-01slirp/arp_table.c: Avoid shifting into sign bit of signed integersPeter Maydell1-2/+2
"0xf << 28" shifts right into the sign bit, since 0xf is a signed integer. Use the 'U' suffix to force an unsigned shift to avoid this undefined behaviour and a clang sanitizer warning. Signed-off-by: Peter Maydell <peter.maydell@linaro.org> Reviewed-by: Eric Blake <eblake@redhat.com> Acked-by: Jan Kiszka <jan.kiszka@siemens.com> Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
2013-09-01slirp: Port redirection option behave differently on Linux and WindowsTaimoor Mirza1-0/+2
port redirection code uses SO_REUSEADDR socket option before binding to host port. Behavior of SO_REUSEADDR is different on Windows and Linux. Relaunching QEMU with same host and guest port redirection values on Linux throws error but on Windows it does not throw any error. Problem is discussed in http://lists.gnu.org/archive/html/qemu-devel/2013-04/msg03089.html Signed-off-by: Taimoor Mirza <tmirza@codesourcery.com> Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
2013-08-22aio / timers: Switch entire codebase to the new timer APIAlex Bligh2-3/+3
This is an autogenerated patch using scripts/switch-timer-api. Switch the entire code base to using the new timer API. Note this patch may introduce some line length issues. Signed-off-by: Alex Bligh <alex@alex.org.uk> Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
2013-08-22aio / timers: Untangle include filesAlex Bligh1-0/+1
include/qemu/timer.h has no need to include main-loop.h and doing so causes an issue for the next patch. Unfortunately various files assume including timers.h will pull in main-loop.h. Untangle this mess. Signed-off-by: Alex Bligh <alex@alex.org.uk> Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
2013-07-19slirp: remove mbuf(m_hdr,m_dat) indirectionMichael Tokarev2-39/+24
2013-06-19make user networking hostfwd work with restrict=yGertjan Halkes1-10/+16
This patch allows the hostfwd option to override the restrict=y setting in the user network stack, as explicitly stated in the documentation on the restrict option: restrict=on|off If this option is enabled, the guest will be isolated, i.e. it will not be able to contact the host and no guest IP packets will be routed over the host to the outside. This option does not affect any explicitly set forwarding rules. Qemu bug tracker: https://bugs.launchpad.net/qemu/+bug/829455 Signed-off-by: Gertjan Halkes <qemu@ghalkes.nl> Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
2013-06-01slirp: cleanup leftovers from misc.hMichael Tokarev1-14/+0
There are quite a few leftover declarations in slirp/misc.h. Remove them. Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
2013-05-18remove some double-includesMichael Tokarev1-2/+0
Some source files #include the same header more than once for no good reason. Remove second #includes in such cases. Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
2013-04-15sysemu: avoid proliferation of include/ subdirectoriesPaolo Bonzini1-1/+1
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2013-04-02oslib-posix: rename socket_set_nonblock() to qemu_set_nonblock()Stefan Hajnoczi2-3/+3
The fcntl(fd, F_SETFL, O_NONBLOCK) flag is not specific to sockets. Rename to qemu_set_nonblock() just like qemu_set_cloexec(). Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com> Reviewed-by: Eric Blake <eblake@redhat.com> Signed-off-by: Luiz Capitulino <lcapitulino@redhat.com>
2013-03-22MinGW: Replace setsockopt by qemu_setsocketoptStefan Weil4-9/+9
Instead of adding missing type casts which are needed by MinGW for the 4th argument, the patch uses qemu_setsockopt which was invented for this purpose. Signed-off-by: Stefan Weil <sw@weilnetz.de> Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
2013-03-04move socket_set_nodelay to osdep.cMORITA Kazutaka1-2/+1
Signed-off-by: MORITA Kazutaka <morita.kazutaka@lab.ntt.co.jp> Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
2013-03-04slirp/tcp_subr.c: fix coding style in tcp_connectMORITA Kazutaka1-68/+72
Fix coding style in tcp_connect before the next patch. Signed-off-by: MORITA Kazutaka <morita.kazutaka@lab.ntt.co.jp> Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
2013-02-26slirp: Properly initialize pollfds_idx of new socketsJan Kiszka1-0/+1
Otherwise we may start processing sockets in slirp_pollfds_poll that were created past slirp_pollfds_fill. Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com> Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
2013-02-21slirp: switch to GPollFDStefan Hajnoczi5-68/+83
Slirp uses rfds/wfds/xfds more extensively than other QEMU components. The rarely-used out-of-band TCP data feature is used. That means we need the full table of select(2) to g_poll(3) events: rfds -> G_IO_IN | G_IO_HUP | G_IO_ERR wfds -> G_IO_OUT | G_IO_ERR xfds -> G_IO_PRI I came up with this table by looking at Linux fs/select.c which maps select(2) to poll(2) internally. Another detail to watch out for are the global variables that reference rfds/wfds/xfds during slirp_select_poll(). sofcantrcvmore() and sofcantsendmore() use these globals to clear fd_set bits. When sofcantrcvmore() is called, the wfds bit is cleared so that the write handler will no longer be run for this iteration of the event loop. This actually seems buggy to me since TCP connections can be half-closed and we'd still want to handle data in half-duplex fashion. I think the real intention is to avoid running the read/write handler when the socket has been fully closed. This is indicated with the SS_NOFDREF state bit so we now check for it before invoking the TCP write handler. Note that UDP/ICMP code paths don't care because they are connectionless. Note that slirp/ has a lot of tabs and sometimes mixed tabs with spaces. I followed the style of the surrounding code. Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com> Reviewed-by: Laszlo Ersek <lersek@redhat.com> Message-id: 1361356113-11049-6-git-send-email-stefanha@redhat.com Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
2013-02-21slirp: slirp/slirp.c coding style cleanupStefan Hajnoczi1-297/+311
The slirp glue code uses tabs in some places. Since the next patch will modify the file, convert tabs to spaces and fix checkpatch.pl issues. Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com> Reviewed-by: Laszlo Ersek <lersek@redhat.com> Message-id: 1361356113-11049-5-git-send-email-stefanha@redhat.com Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
2013-01-30g_strdup(NULL) returns NULL; simplifyMarkus Armbruster1-6/+2
Signed-off-by: Markus Armbruster <armbru@redhat.com> Reviewed-by: Eric Blake <eblake@redhat.com> Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
2013-01-12slirp: remove unused field ttBlue Swirl1-1/+0
Signed-off-by: Blue Swirl <blauwirbel@gmail.com>
2012-12-19softmmu: move remaining include files to include/ subdirectoriesPaolo Bonzini1-1/+1
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2012-12-19misc: move include files to include/qemu/Paolo Bonzini5-6/+6
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2012-12-19monitor: move include files to include/monitor/Paolo Bonzini1-2/+2
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2012-12-19janitor: add guards to headersPaolo Bonzini3-0/+12
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2012-12-07Fix comments (adress -> address, layed -> laid, wierd -> weird)Stefan Weil1-1/+1
Remove also a duplicated 'the'. Signed-off-by: Stefan Weil <sw@weilnetz.de> Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
2012-11-15slirp: Add domain-search option to slirp's DHCP serverKlaus Stengel6-3/+341
This patch will allow the user to include the domain-search option in replies from the built-in DHCP server. The domain suffixes can be specified by adding dnssearch= entries to the "-net user" parameter. [Jan: tiny style adjustments] Signed-off-by: Klaus Stengel <Klaus.Stengel@asamnet.de> Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
2012-11-15slirp: Don't crash on packets from 0.0.0.0/8.Nickolai Zeldovich1-1/+3
LWIP can generate packets with a source of 0.0.0.0, which triggers an assertion failure in arp_table_add(). Instead of crashing, simply return to avoid adding an invalid ARP table entry. Signed-off-by: Nickolai Zeldovich <nickolai@csail.mit.edu> Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
2012-11-10slirp: remove unused function u_sleepBlue Swirl2-15/+0
Signed-off-by: Blue Swirl <blauwirbel@gmail.com>
2012-10-05cleanup useless return sentenceAmos Kong3-4/+0
This patch cleans up return sentences in the end of void functions. Reported-by: Paolo Bonzini <pbonzini@redhat.com> Signed-off-by: Amos Kong <akong@redhat.com> Signed-off-by: Stefan Hajnoczi <stefanha@gmail.com>
2012-10-05slirp: Fix spelling in comment (enought -> enough, insure -> ensure)Stefan Weil1-2/+2
Signed-off-by: Stefan Weil <sw@weilnetz.de> Signed-off-by: Stefan Hajnoczi <stefanha@gmail.com>
2012-09-14slirp: Implement TFTP Blocksize optionHervé Poussineau1-9/+33
This option is described in RFC 1783. As this is only an optional field, we may ignore it in some situations and handle it in some others. However, MS Windows 2003 PXE boot client requests a block size of the MTU (most of the times 1472 bytes), and doesn't work if the option is not acknowledged (with whatever value). According to the RFC 1783, we cannot acknowledge the option with a bigger value than the requested one. As current implementation is using 512 bytes by block, accept the option with a value of 512 if the option was specified, and don't acknowledge it if it is not present or less than 512 bytes. Signed-off-by: Hervé Poussineau <hpoussin@reactos.org> Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
2012-09-13slirp: Remove unused return value of tftp_send_next_blockJan Kiszka1-9/+5
No caller actually makes use of this value, so let's simplify the code. Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
2012-09-13slirp: Handle more than 65535 blocks in TFTP transfersHervé Poussineau2-14/+11
RFC 1350 does not mention block count roll-over. However, a lot of TFTP servers implement it to be able to transmit big files, so do it also. Current block size is 512 bytes, so TFTP files were limited to 32 MB. Signed-off-by: Hervé Poussineau <hpoussin@reactos.org> Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
2012-09-13slirp: improve TFTP performanceHervé Poussineau2-14/+19
When transferring a file, keep it open during the whole transfer, instead of opening/closing it for each block. Signed-off-by: Hervé Poussineau <hpoussin@reactos.org> Reviewed-by: Aurelien Jarno <aurelien@aurel32.net> Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
2012-09-13slirp: Fix error reported by static code analysisStefan Weil1-1/+1
Report from smatch: slirp/tcp_subr.c:127 tcp_respond(17) error: we previously assumed 'tp' could be null (see line 124) Return if 'tp' is NULL. Signed-off-by: Stefan Weil <sw@weilnetz.de> Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
2012-09-13slirp: Remove wrong type casts ins debug statementsStefan Weil1-3/+3
The type casts of pointers to long are not allowed when sizeof(pointer) != sizeof(long). Signed-off-by: Stefan Weil <sw@weilnetz.de> Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
2012-08-06slirp: fix build on mingw32Anthony Liguori2-2/+2
in_addr_t isn't available on mingw32. Just use an unsigned long instead. I considered typedef'ing in_addr_t on mingw32 but this would potentially be brittle if mingw32 did introduce the type. Cc: Jan Kiszka <jan.kiszka@siemens.com> Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
2012-08-03slirp: Handle whole 127.0.0.0/8 network as local addresses.Anders Waldenborg3-2/+9
Changes so translation of remote address to the host's ip address in the virtual network happens for all addresses in the 127.0.0.0/8 network, not just 127.0.0.1. This fixes so that hostfwd bound to addresses such as 127.0.0.2 works. Signed-off-by: Anders Waldenborg <anders@0x63.nu> Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
2012-08-01net: determine if packets can be sent before net queue deliver packetsZhi Yong Wu2-6/+0
Reviewed-by: Paolo Bonzini <pbonzini@redhat.com> Signed-off-by: Zhi Yong Wu <wuzhy@linux.vnet.ibm.com> Signed-off-by: Stefan Hajnoczi <stefanha@linux.vnet.ibm.com> Reviewed-by: Laszlo Ersek <lersek@redhat.com>