import libslirp-4.4.0-1.module+el8.6.0+14672+b2f82327
This commit is contained in:
commit
200e31bdfd
1
.gitignore
vendored
Normal file
1
.gitignore
vendored
Normal file
@ -0,0 +1 @@
|
||||
SOURCES/libslirp-4.4.0.tar.xz
|
1
.libslirp.metadata
Normal file
1
.libslirp.metadata
Normal file
@ -0,0 +1 @@
|
||||
5ef4ed055299eab0703d4c49da552fdb61357f13 SOURCES/libslirp-4.4.0.tar.xz
|
54
SOURCES/0001-Add-mtod_check.patch
Normal file
54
SOURCES/0001-Add-mtod_check.patch
Normal file
@ -0,0 +1,54 @@
|
||||
From 87f5d0c70bdb46d467d32e3c3a8d7a472c97e148 Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Marc-Andr=C3=A9=20Lureau?= <marcandre.lureau@redhat.com>
|
||||
Date: Fri, 4 Jun 2021 15:58:25 +0400
|
||||
Subject: [PATCH 1/7] Add mtod_check()
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
Recent security issues demonstrate the lack of safety care when casting
|
||||
a mbuf to a particular structure type. At least, it should check that
|
||||
the buffer is large enough. The following patches will make use of this
|
||||
function.
|
||||
|
||||
Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
|
||||
(cherry picked from commit 93e645e72a056ec0b2c16e0299fc5c6b94e4ca17)
|
||||
---
|
||||
src/mbuf.c | 11 +++++++++++
|
||||
src/mbuf.h | 1 +
|
||||
2 files changed, 12 insertions(+)
|
||||
|
||||
diff --git a/src/mbuf.c b/src/mbuf.c
|
||||
index 54ec721..cb2e971 100644
|
||||
--- a/src/mbuf.c
|
||||
+++ b/src/mbuf.c
|
||||
@@ -222,3 +222,14 @@ struct mbuf *dtom(Slirp *slirp, void *dat)
|
||||
|
||||
return (struct mbuf *)0;
|
||||
}
|
||||
+
|
||||
+void *mtod_check(struct mbuf *m, size_t len)
|
||||
+{
|
||||
+ if (m->m_len >= len) {
|
||||
+ return m->m_data;
|
||||
+ }
|
||||
+
|
||||
+ DEBUG_ERROR("mtod failed");
|
||||
+
|
||||
+ return NULL;
|
||||
+}
|
||||
diff --git a/src/mbuf.h b/src/mbuf.h
|
||||
index 546e785..2015e32 100644
|
||||
--- a/src/mbuf.h
|
||||
+++ b/src/mbuf.h
|
||||
@@ -118,6 +118,7 @@ void m_inc(struct mbuf *, int);
|
||||
void m_adj(struct mbuf *, int);
|
||||
int m_copy(struct mbuf *, struct mbuf *, int, int);
|
||||
struct mbuf *dtom(Slirp *, void *);
|
||||
+void *mtod_check(struct mbuf *, size_t len);
|
||||
|
||||
static inline void ifs_init(struct mbuf *ifm)
|
||||
{
|
||||
--
|
||||
2.29.0
|
||||
|
30
SOURCES/0001-Fix-DHCP-broken-in-libslirp-v4.6.0.patch
Normal file
30
SOURCES/0001-Fix-DHCP-broken-in-libslirp-v4.6.0.patch
Normal file
@ -0,0 +1,30 @@
|
||||
From c9f314f6e315a5518432761fea864196a290f799 Mon Sep 17 00:00:00 2001
|
||||
From: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
|
||||
Date: Thu, 17 Jun 2021 18:01:32 +0900
|
||||
Subject: [PATCH] Fix "DHCP broken in libslirp v4.6.0"
|
||||
|
||||
Fix issue 48
|
||||
|
||||
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
|
||||
---
|
||||
src/bootp.c | 4 +++-
|
||||
1 file changed, 3 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/src/bootp.c b/src/bootp.c
|
||||
index cafa1eb..0a35873 100644
|
||||
--- a/src/bootp.c
|
||||
+++ b/src/bootp.c
|
||||
@@ -359,7 +359,9 @@ static void bootp_reply(Slirp *slirp,
|
||||
|
||||
daddr.sin_addr.s_addr = 0xffffffffu;
|
||||
|
||||
- m->m_len = sizeof(struct bootp_t) - sizeof(struct ip) - sizeof(struct udphdr);
|
||||
+ assert ((q - rbp->bp_vend + 1) <= DHCP_OPT_LEN);
|
||||
+
|
||||
+ m->m_len = sizeof(struct bootp_t) + (q - rbp->bp_vend + 1) - sizeof(struct ip) - sizeof(struct udphdr);
|
||||
udp_output(NULL, m, &saddr, &daddr, IPTOS_LOWDELAY);
|
||||
}
|
||||
|
||||
--
|
||||
2.29.0
|
||||
|
@ -0,0 +1,161 @@
|
||||
From f0d4faae8258385338bc1ec252250454346b7ef7 Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Marc-Andr=C3=A9=20Lureau?= <marcandre.lureau@redhat.com>
|
||||
Date: Fri, 4 Jun 2021 19:25:28 +0400
|
||||
Subject: [PATCH 2/7] bootp: limit vendor-specific area to input packet memory
|
||||
buffer
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
sizeof(bootp_t) currently holds DHCP_OPT_LEN. Remove this optional field
|
||||
from the structure, to help with the following patch checking for
|
||||
minimal header size. Modify the bootp_reply() function to take the
|
||||
buffer boundaries and avoiding potential buffer overflow.
|
||||
|
||||
Related to CVE-2021-3592.
|
||||
|
||||
https://gitlab.freedesktop.org/slirp/libslirp/-/issues/44
|
||||
|
||||
Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
|
||||
(cherry picked from commit f13cad45b25d92760bb0ad67bec0300a4d7d5275)
|
||||
---
|
||||
src/bootp.c | 26 +++++++++++++++-----------
|
||||
src/bootp.h | 2 +-
|
||||
src/mbuf.c | 5 +++++
|
||||
src/mbuf.h | 1 +
|
||||
4 files changed, 22 insertions(+), 12 deletions(-)
|
||||
|
||||
diff --git a/src/bootp.c b/src/bootp.c
|
||||
index 46e9681..e0db8d1 100644
|
||||
--- a/src/bootp.c
|
||||
+++ b/src/bootp.c
|
||||
@@ -92,21 +92,22 @@ found:
|
||||
return bc;
|
||||
}
|
||||
|
||||
-static void dhcp_decode(const struct bootp_t *bp, int *pmsg_type,
|
||||
+static void dhcp_decode(const struct bootp_t *bp,
|
||||
+ const uint8_t *bp_end,
|
||||
+ int *pmsg_type,
|
||||
struct in_addr *preq_addr)
|
||||
{
|
||||
- const uint8_t *p, *p_end;
|
||||
+ const uint8_t *p;
|
||||
int len, tag;
|
||||
|
||||
*pmsg_type = 0;
|
||||
preq_addr->s_addr = htonl(0L);
|
||||
|
||||
p = bp->bp_vend;
|
||||
- p_end = p + DHCP_OPT_LEN;
|
||||
if (memcmp(p, rfc1533_cookie, 4) != 0)
|
||||
return;
|
||||
p += 4;
|
||||
- while (p < p_end) {
|
||||
+ while (p < bp_end) {
|
||||
tag = p[0];
|
||||
if (tag == RFC1533_PAD) {
|
||||
p++;
|
||||
@@ -114,10 +115,10 @@ static void dhcp_decode(const struct bootp_t *bp, int *pmsg_type,
|
||||
break;
|
||||
} else {
|
||||
p++;
|
||||
- if (p >= p_end)
|
||||
+ if (p >= bp_end)
|
||||
break;
|
||||
len = *p++;
|
||||
- if (p + len > p_end) {
|
||||
+ if (p + len > bp_end) {
|
||||
break;
|
||||
}
|
||||
DPRINTF("dhcp: tag=%d len=%d\n", tag, len);
|
||||
@@ -144,7 +145,9 @@ static void dhcp_decode(const struct bootp_t *bp, int *pmsg_type,
|
||||
}
|
||||
}
|
||||
|
||||
-static void bootp_reply(Slirp *slirp, const struct bootp_t *bp)
|
||||
+static void bootp_reply(Slirp *slirp,
|
||||
+ const struct bootp_t *bp,
|
||||
+ const uint8_t *bp_end)
|
||||
{
|
||||
BOOTPClient *bc = NULL;
|
||||
struct mbuf *m;
|
||||
@@ -157,7 +160,7 @@ static void bootp_reply(Slirp *slirp, const struct bootp_t *bp)
|
||||
uint8_t client_ethaddr[ETH_ALEN];
|
||||
|
||||
/* extract exact DHCP msg type */
|
||||
- dhcp_decode(bp, &dhcp_msg_type, &preq_addr);
|
||||
+ dhcp_decode(bp, bp_end, &dhcp_msg_type, &preq_addr);
|
||||
DPRINTF("bootp packet op=%d msgtype=%d", bp->bp_op, dhcp_msg_type);
|
||||
if (preq_addr.s_addr != htonl(0L))
|
||||
DPRINTF(" req_addr=%08" PRIx32 "\n", ntohl(preq_addr.s_addr));
|
||||
@@ -179,9 +182,10 @@ static void bootp_reply(Slirp *slirp, const struct bootp_t *bp)
|
||||
return;
|
||||
}
|
||||
m->m_data += IF_MAXLINKHDR;
|
||||
+ m_inc(m, sizeof(struct bootp_t) + DHCP_OPT_LEN);
|
||||
rbp = (struct bootp_t *)m->m_data;
|
||||
m->m_data += sizeof(struct udpiphdr);
|
||||
- memset(rbp, 0, sizeof(struct bootp_t));
|
||||
+ memset(rbp, 0, sizeof(struct bootp_t) + DHCP_OPT_LEN);
|
||||
|
||||
if (dhcp_msg_type == DHCPDISCOVER) {
|
||||
if (preq_addr.s_addr != htonl(0L)) {
|
||||
@@ -235,7 +239,7 @@ static void bootp_reply(Slirp *slirp, const struct bootp_t *bp)
|
||||
rbp->bp_siaddr = saddr.sin_addr; /* Server IP address */
|
||||
|
||||
q = rbp->bp_vend;
|
||||
- end = (uint8_t *)&rbp[1];
|
||||
+ end = rbp->bp_vend + DHCP_OPT_LEN;
|
||||
memcpy(q, rfc1533_cookie, 4);
|
||||
q += 4;
|
||||
|
||||
@@ -364,6 +368,6 @@ void bootp_input(struct mbuf *m)
|
||||
struct bootp_t *bp = mtod(m, struct bootp_t *);
|
||||
|
||||
if (bp->bp_op == BOOTP_REQUEST) {
|
||||
- bootp_reply(m->slirp, bp);
|
||||
+ bootp_reply(m->slirp, bp, m_end(m));
|
||||
}
|
||||
}
|
||||
diff --git a/src/bootp.h b/src/bootp.h
|
||||
index a57fa51..31ce5fd 100644
|
||||
--- a/src/bootp.h
|
||||
+++ b/src/bootp.h
|
||||
@@ -114,7 +114,7 @@ struct bootp_t {
|
||||
uint8_t bp_hwaddr[16];
|
||||
uint8_t bp_sname[64];
|
||||
char bp_file[128];
|
||||
- uint8_t bp_vend[DHCP_OPT_LEN];
|
||||
+ uint8_t bp_vend[];
|
||||
};
|
||||
|
||||
typedef struct {
|
||||
diff --git a/src/mbuf.c b/src/mbuf.c
|
||||
index cb2e971..0c1a530 100644
|
||||
--- a/src/mbuf.c
|
||||
+++ b/src/mbuf.c
|
||||
@@ -233,3 +233,8 @@ void *mtod_check(struct mbuf *m, size_t len)
|
||||
|
||||
return NULL;
|
||||
}
|
||||
+
|
||||
+void *m_end(struct mbuf *m)
|
||||
+{
|
||||
+ return m->m_data + m->m_len;
|
||||
+}
|
||||
diff --git a/src/mbuf.h b/src/mbuf.h
|
||||
index 2015e32..a9752a3 100644
|
||||
--- a/src/mbuf.h
|
||||
+++ b/src/mbuf.h
|
||||
@@ -119,6 +119,7 @@ void m_adj(struct mbuf *, int);
|
||||
int m_copy(struct mbuf *, struct mbuf *, int, int);
|
||||
struct mbuf *dtom(Slirp *, void *);
|
||||
void *mtod_check(struct mbuf *, size_t len);
|
||||
+void *m_end(struct mbuf *);
|
||||
|
||||
static inline void ifs_init(struct mbuf *ifm)
|
||||
{
|
||||
--
|
||||
2.29.0
|
||||
|
36
SOURCES/0003-bootp-check-bootp_input-buffer-size.patch
Normal file
36
SOURCES/0003-bootp-check-bootp_input-buffer-size.patch
Normal file
@ -0,0 +1,36 @@
|
||||
From 0f017f39a390d8fa4ae817f45fbf71a0c8332860 Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Marc-Andr=C3=A9=20Lureau?= <marcandre.lureau@redhat.com>
|
||||
Date: Fri, 4 Jun 2021 16:15:14 +0400
|
||||
Subject: [PATCH 3/7] bootp: check bootp_input buffer size
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
Fixes: CVE-2021-3592
|
||||
Fixes: https://gitlab.freedesktop.org/slirp/libslirp/-/issues/44
|
||||
|
||||
Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
|
||||
(cherry picked from commit 2eca0838eee1da96204545e22cdaed860d9d7c6c)
|
||||
---
|
||||
src/bootp.c | 4 ++--
|
||||
1 file changed, 2 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/src/bootp.c b/src/bootp.c
|
||||
index e0db8d1..cafa1eb 100644
|
||||
--- a/src/bootp.c
|
||||
+++ b/src/bootp.c
|
||||
@@ -365,9 +365,9 @@ static void bootp_reply(Slirp *slirp,
|
||||
|
||||
void bootp_input(struct mbuf *m)
|
||||
{
|
||||
- struct bootp_t *bp = mtod(m, struct bootp_t *);
|
||||
+ struct bootp_t *bp = mtod_check(m, sizeof(struct bootp_t));
|
||||
|
||||
- if (bp->bp_op == BOOTP_REQUEST) {
|
||||
+ if (bp && bp->bp_op == BOOTP_REQUEST) {
|
||||
bootp_reply(m->slirp, bp, m_end(m));
|
||||
}
|
||||
}
|
||||
--
|
||||
2.29.0
|
||||
|
36
SOURCES/0004-upd6-check-udp6_input-buffer-size.patch
Normal file
36
SOURCES/0004-upd6-check-udp6_input-buffer-size.patch
Normal file
@ -0,0 +1,36 @@
|
||||
From 30feadb676a0792036a0f64309235c5767e2ee76 Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Marc-Andr=C3=A9=20Lureau?= <marcandre.lureau@redhat.com>
|
||||
Date: Fri, 4 Jun 2021 16:32:55 +0400
|
||||
Subject: [PATCH 4/7] upd6: check udp6_input buffer size
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
Fixes: CVE-2021-3593
|
||||
Fixes: https://gitlab.freedesktop.org/slirp/libslirp/-/issues/45
|
||||
|
||||
Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
|
||||
(cherry picked from commit de71c15de66ba9350bf62c45b05f8fbff166517b)
|
||||
---
|
||||
src/udp6.c | 5 ++++-
|
||||
1 file changed, 4 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/src/udp6.c b/src/udp6.c
|
||||
index fdd8089..236b962 100644
|
||||
--- a/src/udp6.c
|
||||
+++ b/src/udp6.c
|
||||
@@ -29,7 +29,10 @@ void udp6_input(struct mbuf *m)
|
||||
ip = mtod(m, struct ip6 *);
|
||||
m->m_len -= iphlen;
|
||||
m->m_data += iphlen;
|
||||
- uh = mtod(m, struct udphdr *);
|
||||
+ uh = mtod_check(m, sizeof(struct udphdr));
|
||||
+ if (uh == NULL) {
|
||||
+ goto bad;
|
||||
+ }
|
||||
m->m_len += iphlen;
|
||||
m->m_data -= iphlen;
|
||||
|
||||
--
|
||||
2.29.0
|
||||
|
37
SOURCES/0005-tftp-check-tftp_input-buffer-size.patch
Normal file
37
SOURCES/0005-tftp-check-tftp_input-buffer-size.patch
Normal file
@ -0,0 +1,37 @@
|
||||
From 31aaf902aa6ba31ab8f41543b2d4da8c01f3b861 Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Marc-Andr=C3=A9=20Lureau?= <marcandre.lureau@redhat.com>
|
||||
Date: Fri, 4 Jun 2021 16:34:30 +0400
|
||||
Subject: [PATCH 5/7] tftp: check tftp_input buffer size
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
Fixes: CVE-2021-3595
|
||||
Fixes: https://gitlab.freedesktop.org/slirp/libslirp/-/issues/46
|
||||
|
||||
Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
|
||||
(cherry picked from commit 3f17948137155f025f7809fdc38576d5d2451c3d)
|
||||
---
|
||||
src/tftp.c | 6 +++++-
|
||||
1 file changed, 5 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/src/tftp.c b/src/tftp.c
|
||||
index c6950ee..e06911d 100644
|
||||
--- a/src/tftp.c
|
||||
+++ b/src/tftp.c
|
||||
@@ -446,7 +446,11 @@ static void tftp_handle_error(Slirp *slirp, struct sockaddr_storage *srcsas,
|
||||
|
||||
void tftp_input(struct sockaddr_storage *srcsas, struct mbuf *m)
|
||||
{
|
||||
- struct tftp_t *tp = (struct tftp_t *)m->m_data;
|
||||
+ struct tftp_t *tp = mtod_check(m, offsetof(struct tftp_t, x.tp_buf));
|
||||
+
|
||||
+ if (tp == NULL) {
|
||||
+ return;
|
||||
+ }
|
||||
|
||||
switch (ntohs(tp->tp_op)) {
|
||||
case TFTP_RRQ:
|
||||
--
|
||||
2.29.0
|
||||
|
249
SOURCES/0006-tftp-introduce-a-header-structure.patch
Normal file
249
SOURCES/0006-tftp-introduce-a-header-structure.patch
Normal file
@ -0,0 +1,249 @@
|
||||
From c8665ebbdadb72f7c2cb74b9704f68704c13653b Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Marc-Andr=C3=A9=20Lureau?= <marcandre.lureau@redhat.com>
|
||||
Date: Fri, 4 Jun 2021 20:01:20 +0400
|
||||
Subject: [PATCH 6/7] tftp: introduce a header structure
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
Instead of using a composed structure and potentially reading past the
|
||||
incoming buffer, use a different structure for the header.
|
||||
|
||||
Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
|
||||
(cherry picked from commit 990163cf3ac86b7875559f49602c4d76f46f6f30)
|
||||
---
|
||||
src/tftp.c | 60 ++++++++++++++++++++++++++++--------------------------
|
||||
src/tftp.h | 6 +++++-
|
||||
2 files changed, 36 insertions(+), 30 deletions(-)
|
||||
|
||||
diff --git a/src/tftp.c b/src/tftp.c
|
||||
index e06911d..a19c889 100644
|
||||
--- a/src/tftp.c
|
||||
+++ b/src/tftp.c
|
||||
@@ -50,7 +50,7 @@ static void tftp_session_terminate(struct tftp_session *spt)
|
||||
}
|
||||
|
||||
static int tftp_session_allocate(Slirp *slirp, struct sockaddr_storage *srcsas,
|
||||
- struct tftp_t *tp)
|
||||
+ struct tftphdr *hdr)
|
||||
{
|
||||
struct tftp_session *spt;
|
||||
int k;
|
||||
@@ -75,7 +75,7 @@ found:
|
||||
memcpy(&spt->client_addr, srcsas, sockaddr_size(srcsas));
|
||||
spt->fd = -1;
|
||||
spt->block_size = 512;
|
||||
- spt->client_port = tp->udp.uh_sport;
|
||||
+ spt->client_port = hdr->udp.uh_sport;
|
||||
spt->slirp = slirp;
|
||||
|
||||
tftp_session_update(spt);
|
||||
@@ -84,7 +84,7 @@ found:
|
||||
}
|
||||
|
||||
static int tftp_session_find(Slirp *slirp, struct sockaddr_storage *srcsas,
|
||||
- struct tftp_t *tp)
|
||||
+ struct tftphdr *hdr)
|
||||
{
|
||||
struct tftp_session *spt;
|
||||
int k;
|
||||
@@ -94,7 +94,7 @@ static int tftp_session_find(Slirp *slirp, struct sockaddr_storage *srcsas,
|
||||
|
||||
if (tftp_session_in_use(spt)) {
|
||||
if (sockaddr_equal(&spt->client_addr, srcsas)) {
|
||||
- if (spt->client_port == tp->udp.uh_sport) {
|
||||
+ if (spt->client_port == hdr->udp.uh_sport) {
|
||||
return k;
|
||||
}
|
||||
}
|
||||
@@ -148,13 +148,13 @@ static struct tftp_t *tftp_prep_mbuf_data(struct tftp_session *spt,
|
||||
}
|
||||
|
||||
static void tftp_udp_output(struct tftp_session *spt, struct mbuf *m,
|
||||
- struct tftp_t *recv_tp)
|
||||
+ struct tftphdr *hdr)
|
||||
{
|
||||
if (spt->client_addr.ss_family == AF_INET6) {
|
||||
struct sockaddr_in6 sa6, da6;
|
||||
|
||||
sa6.sin6_addr = spt->slirp->vhost_addr6;
|
||||
- sa6.sin6_port = recv_tp->udp.uh_dport;
|
||||
+ sa6.sin6_port = hdr->udp.uh_dport;
|
||||
da6.sin6_addr = ((struct sockaddr_in6 *)&spt->client_addr)->sin6_addr;
|
||||
da6.sin6_port = spt->client_port;
|
||||
|
||||
@@ -163,7 +163,7 @@ static void tftp_udp_output(struct tftp_session *spt, struct mbuf *m,
|
||||
struct sockaddr_in sa4, da4;
|
||||
|
||||
sa4.sin_addr = spt->slirp->vhost_addr;
|
||||
- sa4.sin_port = recv_tp->udp.uh_dport;
|
||||
+ sa4.sin_port = hdr->udp.uh_dport;
|
||||
da4.sin_addr = ((struct sockaddr_in *)&spt->client_addr)->sin_addr;
|
||||
da4.sin_port = spt->client_port;
|
||||
|
||||
@@ -185,14 +185,14 @@ static int tftp_send_oack(struct tftp_session *spt, const char *keys[],
|
||||
|
||||
tp = tftp_prep_mbuf_data(spt, m);
|
||||
|
||||
- tp->tp_op = htons(TFTP_OACK);
|
||||
+ tp->hdr.tp_op = htons(TFTP_OACK);
|
||||
for (i = 0; i < nb; i++) {
|
||||
n += slirp_fmt0(tp->x.tp_buf + n, sizeof(tp->x.tp_buf) - n, "%s", keys[i]);
|
||||
n += slirp_fmt0(tp->x.tp_buf + n, sizeof(tp->x.tp_buf) - n, "%u", values[i]);
|
||||
}
|
||||
|
||||
- m->m_len = G_SIZEOF_MEMBER(struct tftp_t, tp_op) + n;
|
||||
- tftp_udp_output(spt, m, recv_tp);
|
||||
+ m->m_len = G_SIZEOF_MEMBER(struct tftp_t, hdr.tp_op) + n;
|
||||
+ tftp_udp_output(spt, m, &recv_tp->hdr);
|
||||
|
||||
return 0;
|
||||
}
|
||||
@@ -213,21 +213,21 @@ static void tftp_send_error(struct tftp_session *spt, uint16_t errorcode,
|
||||
|
||||
tp = tftp_prep_mbuf_data(spt, m);
|
||||
|
||||
- tp->tp_op = htons(TFTP_ERROR);
|
||||
+ tp->hdr.tp_op = htons(TFTP_ERROR);
|
||||
tp->x.tp_error.tp_error_code = htons(errorcode);
|
||||
slirp_pstrcpy((char *)tp->x.tp_error.tp_msg, sizeof(tp->x.tp_error.tp_msg),
|
||||
msg);
|
||||
|
||||
m->m_len = sizeof(struct tftp_t) - (TFTP_BLOCKSIZE_MAX + 2) + 3 +
|
||||
strlen(msg) - sizeof(struct udphdr);
|
||||
- tftp_udp_output(spt, m, recv_tp);
|
||||
+ tftp_udp_output(spt, m, &recv_tp->hdr);
|
||||
|
||||
out:
|
||||
tftp_session_terminate(spt);
|
||||
}
|
||||
|
||||
static void tftp_send_next_block(struct tftp_session *spt,
|
||||
- struct tftp_t *recv_tp)
|
||||
+ struct tftphdr *hdr)
|
||||
{
|
||||
struct mbuf *m;
|
||||
struct tftp_t *tp;
|
||||
@@ -241,7 +241,7 @@ static void tftp_send_next_block(struct tftp_session *spt,
|
||||
|
||||
tp = tftp_prep_mbuf_data(spt, m);
|
||||
|
||||
- tp->tp_op = htons(TFTP_DATA);
|
||||
+ tp->hdr.tp_op = htons(TFTP_DATA);
|
||||
tp->x.tp_data.tp_block_nr = htons((spt->block_nr + 1) & 0xffff);
|
||||
|
||||
nobytes = tftp_read_data(spt, spt->block_nr, tp->x.tp_data.tp_buf,
|
||||
@@ -259,7 +259,7 @@ static void tftp_send_next_block(struct tftp_session *spt,
|
||||
|
||||
m->m_len = sizeof(struct tftp_t) - (TFTP_BLOCKSIZE_MAX - nobytes) -
|
||||
sizeof(struct udphdr);
|
||||
- tftp_udp_output(spt, m, recv_tp);
|
||||
+ tftp_udp_output(spt, m, hdr);
|
||||
|
||||
if (nobytes == spt->block_size) {
|
||||
tftp_session_update(spt);
|
||||
@@ -282,12 +282,12 @@ static void tftp_handle_rrq(Slirp *slirp, struct sockaddr_storage *srcsas,
|
||||
int nb_options = 0;
|
||||
|
||||
/* check if a session already exists and if so terminate it */
|
||||
- s = tftp_session_find(slirp, srcsas, tp);
|
||||
+ s = tftp_session_find(slirp, srcsas, &tp->hdr);
|
||||
if (s >= 0) {
|
||||
tftp_session_terminate(&slirp->tftp_sessions[s]);
|
||||
}
|
||||
|
||||
- s = tftp_session_allocate(slirp, srcsas, tp);
|
||||
+ s = tftp_session_allocate(slirp, srcsas, &tp->hdr);
|
||||
|
||||
if (s < 0) {
|
||||
return;
|
||||
@@ -413,29 +413,29 @@ static void tftp_handle_rrq(Slirp *slirp, struct sockaddr_storage *srcsas,
|
||||
}
|
||||
|
||||
spt->block_nr = 0;
|
||||
- tftp_send_next_block(spt, tp);
|
||||
+ tftp_send_next_block(spt, &tp->hdr);
|
||||
}
|
||||
|
||||
static void tftp_handle_ack(Slirp *slirp, struct sockaddr_storage *srcsas,
|
||||
- struct tftp_t *tp, int pktlen)
|
||||
+ struct tftphdr *hdr)
|
||||
{
|
||||
int s;
|
||||
|
||||
- s = tftp_session_find(slirp, srcsas, tp);
|
||||
+ s = tftp_session_find(slirp, srcsas, hdr);
|
||||
|
||||
if (s < 0) {
|
||||
return;
|
||||
}
|
||||
|
||||
- tftp_send_next_block(&slirp->tftp_sessions[s], tp);
|
||||
+ tftp_send_next_block(&slirp->tftp_sessions[s], hdr);
|
||||
}
|
||||
|
||||
static void tftp_handle_error(Slirp *slirp, struct sockaddr_storage *srcsas,
|
||||
- struct tftp_t *tp, int pktlen)
|
||||
+ struct tftphdr *hdr)
|
||||
{
|
||||
int s;
|
||||
|
||||
- s = tftp_session_find(slirp, srcsas, tp);
|
||||
+ s = tftp_session_find(slirp, srcsas, hdr);
|
||||
|
||||
if (s < 0) {
|
||||
return;
|
||||
@@ -446,23 +446,25 @@ static void tftp_handle_error(Slirp *slirp, struct sockaddr_storage *srcsas,
|
||||
|
||||
void tftp_input(struct sockaddr_storage *srcsas, struct mbuf *m)
|
||||
{
|
||||
- struct tftp_t *tp = mtod_check(m, offsetof(struct tftp_t, x.tp_buf));
|
||||
+ struct tftphdr *hdr = mtod_check(m, sizeof(struct tftphdr));
|
||||
|
||||
- if (tp == NULL) {
|
||||
+ if (hdr == NULL) {
|
||||
return;
|
||||
}
|
||||
|
||||
- switch (ntohs(tp->tp_op)) {
|
||||
+ switch (ntohs(hdr->tp_op)) {
|
||||
case TFTP_RRQ:
|
||||
- tftp_handle_rrq(m->slirp, srcsas, tp, m->m_len);
|
||||
+ tftp_handle_rrq(m->slirp, srcsas,
|
||||
+ mtod(m, struct tftp_t *),
|
||||
+ m->m_len);
|
||||
break;
|
||||
|
||||
case TFTP_ACK:
|
||||
- tftp_handle_ack(m->slirp, srcsas, tp, m->m_len);
|
||||
+ tftp_handle_ack(m->slirp, srcsas, hdr);
|
||||
break;
|
||||
|
||||
case TFTP_ERROR:
|
||||
- tftp_handle_error(m->slirp, srcsas, tp, m->m_len);
|
||||
+ tftp_handle_error(m->slirp, srcsas, hdr);
|
||||
break;
|
||||
}
|
||||
}
|
||||
diff --git a/src/tftp.h b/src/tftp.h
|
||||
index 6d75478..cafab03 100644
|
||||
--- a/src/tftp.h
|
||||
+++ b/src/tftp.h
|
||||
@@ -20,9 +20,13 @@
|
||||
#define TFTP_FILENAME_MAX 512
|
||||
#define TFTP_BLOCKSIZE_MAX 1428
|
||||
|
||||
-struct tftp_t {
|
||||
+struct tftphdr {
|
||||
struct udphdr udp;
|
||||
uint16_t tp_op;
|
||||
+} SLIRP_PACKED;
|
||||
+
|
||||
+struct tftp_t {
|
||||
+ struct tftphdr hdr;
|
||||
union {
|
||||
struct {
|
||||
uint16_t tp_block_nr;
|
||||
--
|
||||
2.29.0
|
||||
|
36
SOURCES/0007-udp-check-upd_input-buffer-size.patch
Normal file
36
SOURCES/0007-udp-check-upd_input-buffer-size.patch
Normal file
@ -0,0 +1,36 @@
|
||||
From ca41f7eaa58d3f63a3df58d812b3cec32343ab6a Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Marc-Andr=C3=A9=20Lureau?= <marcandre.lureau@redhat.com>
|
||||
Date: Fri, 4 Jun 2021 16:40:23 +0400
|
||||
Subject: [PATCH 7/7] udp: check upd_input buffer size
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
Fixes: CVE-2021-3594
|
||||
Fixes: https://gitlab.freedesktop.org/slirp/libslirp/-/issues/47
|
||||
|
||||
Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
|
||||
(cherry picked from commit 74572be49247c8c5feae7c6e0b50c4f569ca9824)
|
||||
---
|
||||
src/udp.c | 5 ++++-
|
||||
1 file changed, 4 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/src/udp.c b/src/udp.c
|
||||
index 050cee4..e4578aa 100644
|
||||
--- a/src/udp.c
|
||||
+++ b/src/udp.c
|
||||
@@ -94,7 +94,10 @@ void udp_input(register struct mbuf *m, int iphlen)
|
||||
/*
|
||||
* Get IP and UDP header together in first mbuf.
|
||||
*/
|
||||
- ip = mtod(m, struct ip *);
|
||||
+ ip = mtod_check(m, iphlen + sizeof(struct udphdr));
|
||||
+ if (ip == NULL) {
|
||||
+ goto bad;
|
||||
+ }
|
||||
uh = (struct udphdr *)((char *)ip + iphlen);
|
||||
|
||||
/*
|
||||
--
|
||||
2.29.0
|
||||
|
111
SPECS/libslirp.spec
Normal file
111
SPECS/libslirp.spec
Normal file
@ -0,0 +1,111 @@
|
||||
Name: libslirp
|
||||
Version: 4.4.0
|
||||
Release: 1%{?dist}
|
||||
Summary: A general purpose TCP-IP emulator
|
||||
|
||||
# check the SPDX tags in source files for details
|
||||
License: BSD and MIT
|
||||
URL: https://gitlab.freedesktop.org/slirp/%{name}
|
||||
Source0: %{url}/-/archive/v%{version}/%{name}-%{version}.tar.xz
|
||||
Patch0001: 0001-Add-mtod_check.patch
|
||||
Patch0002: 0002-bootp-limit-vendor-specific-area-to-input-packet-mem.patch
|
||||
Patch0003: 0003-bootp-check-bootp_input-buffer-size.patch
|
||||
Patch0004: 0004-upd6-check-udp6_input-buffer-size.patch
|
||||
Patch0005: 0005-tftp-check-tftp_input-buffer-size.patch
|
||||
Patch0006: 0006-tftp-introduce-a-header-structure.patch
|
||||
Patch0007: 0007-udp-check-upd_input-buffer-size.patch
|
||||
Patch0008: 0001-Fix-DHCP-broken-in-libslirp-v4.6.0.patch
|
||||
|
||||
|
||||
BuildRequires: git-core
|
||||
BuildRequires: meson
|
||||
BuildRequires: gcc
|
||||
BuildRequires: glib2-devel
|
||||
|
||||
%description
|
||||
A general purpose TCP-IP emulator used by virtual machine hypervisors
|
||||
to provide virtual networking services.
|
||||
|
||||
|
||||
%package devel
|
||||
Summary: Development files for %{name}
|
||||
Requires: %{name}%{?_isa} = %{version}-%{release}
|
||||
|
||||
%description devel
|
||||
The %{name}-devel package contains libraries and header files for
|
||||
developing applications that use %{name}.
|
||||
|
||||
|
||||
%prep
|
||||
%autosetup -S git_am
|
||||
|
||||
%build
|
||||
%meson
|
||||
%meson_build
|
||||
|
||||
|
||||
%install
|
||||
%meson_install
|
||||
|
||||
|
||||
%files
|
||||
%license COPYRIGHT
|
||||
%doc README.md CHANGELOG.md
|
||||
%{_libdir}/%{name}.so.0*
|
||||
|
||||
%files devel
|
||||
%dir %{_includedir}/slirp/
|
||||
%{_includedir}/slirp/*
|
||||
%{_libdir}/%{name}.so
|
||||
%{_libdir}/pkgconfig/slirp.pc
|
||||
|
||||
|
||||
%changelog
|
||||
* Mon Jun 28 2021 Jindrich Novy <jnovy@redhat.com> - 4.4.0-1
|
||||
- Fix CVE-2021-3592 CVE-2021-3593 CVE-2021-3594 CVE-2021-3595 out-of-bounds access
|
||||
- Related: #1934415
|
||||
|
||||
* Thu Jul 30 2020 Jindrich Novy <jnovy@redhat.com> - 4.3.1-1
|
||||
- update to https://gitlab.freedesktop.org/slirp/libslirp/-/releases/v4.3.1
|
||||
- Related: #1821193
|
||||
|
||||
* Wed Jul 08 2020 Jindrich Novy <jnovy@redhat.com> - 4.3.0-5
|
||||
- replace patch for CVE-2020-10756 with dedicated upstream one
|
||||
- Related: #1821193
|
||||
|
||||
* Fri Jul 03 2020 Jindrich Novy <jnovy@redhat.com> - 4.3.0-4
|
||||
- fix "CVE-2020-10756 QEMU: slirp: networking out-of-bounds read information disclosure vulnerability"
|
||||
- Related: #1821193
|
||||
|
||||
* Thu May 28 2020 Jindrich Novy <jnovy@redhat.com> - 4.3.0-3
|
||||
- fix static analysis issues merged upstream
|
||||
(https://gitlab.freedesktop.org/slirp/libslirp/-/merge_requests/41)
|
||||
- Related: #1821193
|
||||
|
||||
* Mon May 11 2020 Jindrich Novy <jnovy@redhat.com> - 4.3.0-2
|
||||
- initial libslirp build for container-tools 8.3.0 module
|
||||
- Resolves: #1821193
|
||||
|
||||
* Thu Apr 23 2020 Marc-André Lureau <marcandre.lureau@redhat.com> - 4.3.0-1
|
||||
- New v4.3.0 release
|
||||
|
||||
* Mon Apr 20 2020 Marc-André Lureau <marcandre.lureau@redhat.com> - 4.2.0-2
|
||||
- CVE-2020-1983 fix
|
||||
|
||||
* Tue Mar 17 2020 Marc-André Lureau <marcandre.lureau@redhat.com> - 4.2.0-1
|
||||
- New v4.2.0 release
|
||||
|
||||
* Wed Jan 29 2020 Fedora Release Engineering <releng@fedoraproject.org> - 4.1.0-2
|
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
|
||||
|
||||
* Tue Dec 03 2019 Marc-André Lureau <marcandre.lureau@redhat.com> - 4.1.0-1
|
||||
- New v4.1.0 release
|
||||
|
||||
* Fri Aug 2 2019 Marc-André Lureau <marcandre.lureau@redhat.com> - 4.0.0-3
|
||||
- Fix CVE-2019-14378, rhbz#1735654
|
||||
|
||||
* Thu Jul 25 2019 Fedora Release Engineering <releng@fedoraproject.org> - 4.0.0-2
|
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
|
||||
|
||||
* Wed May 22 2019 Marc-André Lureau <marcandre.lureau@redhat.com> - 4.0.0-1
|
||||
- Initial package, rhbz#1712980
|
Loading…
Reference in New Issue
Block a user