Compare commits

...

No commits in common. "c8-stream-3.0" and "c8-stream-rhel8" have entirely different histories.

11 changed files with 657 additions and 4 deletions

2
.gitignore vendored
View File

@ -1 +1 @@
SOURCES/libslirp-4.3.1.tar.xz
SOURCES/libslirp-4.4.0.tar.xz

View File

@ -1 +1 @@
f69c50c264a465bde6fe0cd6b577e2f1c0b20ece SOURCES/libslirp-4.3.1.tar.xz
5ef4ed055299eab0703d4c49da552fdb61357f13 SOURCES/libslirp-4.4.0.tar.xz

View File

@ -0,0 +1,54 @@
From 87f5d0c70bdb46d467d32e3c3a8d7a472c97e148 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Marc-Andr=C3=A9=20Lureau?= <marcandre.lureau@redhat.com>
Date: Fri, 4 Jun 2021 15:58:25 +0400
Subject: [PATCH 1/7] Add mtod_check()
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Recent security issues demonstrate the lack of safety care when casting
a mbuf to a particular structure type. At least, it should check that
the buffer is large enough. The following patches will make use of this
function.
Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
(cherry picked from commit 93e645e72a056ec0b2c16e0299fc5c6b94e4ca17)
---
src/mbuf.c | 11 +++++++++++
src/mbuf.h | 1 +
2 files changed, 12 insertions(+)
diff --git a/src/mbuf.c b/src/mbuf.c
index 54ec721..cb2e971 100644
--- a/src/mbuf.c
+++ b/src/mbuf.c
@@ -222,3 +222,14 @@ struct mbuf *dtom(Slirp *slirp, void *dat)
return (struct mbuf *)0;
}
+
+void *mtod_check(struct mbuf *m, size_t len)
+{
+ if (m->m_len >= len) {
+ return m->m_data;
+ }
+
+ DEBUG_ERROR("mtod failed");
+
+ return NULL;
+}
diff --git a/src/mbuf.h b/src/mbuf.h
index 546e785..2015e32 100644
--- a/src/mbuf.h
+++ b/src/mbuf.h
@@ -118,6 +118,7 @@ void m_inc(struct mbuf *, int);
void m_adj(struct mbuf *, int);
int m_copy(struct mbuf *, struct mbuf *, int, int);
struct mbuf *dtom(Slirp *, void *);
+void *mtod_check(struct mbuf *, size_t len);
static inline void ifs_init(struct mbuf *ifm)
{
--
2.29.0

View File

@ -0,0 +1,30 @@
From c9f314f6e315a5518432761fea864196a290f799 Mon Sep 17 00:00:00 2001
From: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
Date: Thu, 17 Jun 2021 18:01:32 +0900
Subject: [PATCH] Fix "DHCP broken in libslirp v4.6.0"
Fix issue 48
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
---
src/bootp.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/src/bootp.c b/src/bootp.c
index cafa1eb..0a35873 100644
--- a/src/bootp.c
+++ b/src/bootp.c
@@ -359,7 +359,9 @@ static void bootp_reply(Slirp *slirp,
daddr.sin_addr.s_addr = 0xffffffffu;
- m->m_len = sizeof(struct bootp_t) - sizeof(struct ip) - sizeof(struct udphdr);
+ assert ((q - rbp->bp_vend + 1) <= DHCP_OPT_LEN);
+
+ m->m_len = sizeof(struct bootp_t) + (q - rbp->bp_vend + 1) - sizeof(struct ip) - sizeof(struct udphdr);
udp_output(NULL, m, &saddr, &daddr, IPTOS_LOWDELAY);
}
--
2.29.0

View File

@ -0,0 +1,161 @@
From f0d4faae8258385338bc1ec252250454346b7ef7 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Marc-Andr=C3=A9=20Lureau?= <marcandre.lureau@redhat.com>
Date: Fri, 4 Jun 2021 19:25:28 +0400
Subject: [PATCH 2/7] bootp: limit vendor-specific area to input packet memory
buffer
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
sizeof(bootp_t) currently holds DHCP_OPT_LEN. Remove this optional field
from the structure, to help with the following patch checking for
minimal header size. Modify the bootp_reply() function to take the
buffer boundaries and avoiding potential buffer overflow.
Related to CVE-2021-3592.
https://gitlab.freedesktop.org/slirp/libslirp/-/issues/44
Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
(cherry picked from commit f13cad45b25d92760bb0ad67bec0300a4d7d5275)
---
src/bootp.c | 26 +++++++++++++++-----------
src/bootp.h | 2 +-
src/mbuf.c | 5 +++++
src/mbuf.h | 1 +
4 files changed, 22 insertions(+), 12 deletions(-)
diff --git a/src/bootp.c b/src/bootp.c
index 46e9681..e0db8d1 100644
--- a/src/bootp.c
+++ b/src/bootp.c
@@ -92,21 +92,22 @@ found:
return bc;
}
-static void dhcp_decode(const struct bootp_t *bp, int *pmsg_type,
+static void dhcp_decode(const struct bootp_t *bp,
+ const uint8_t *bp_end,
+ int *pmsg_type,
struct in_addr *preq_addr)
{
- const uint8_t *p, *p_end;
+ const uint8_t *p;
int len, tag;
*pmsg_type = 0;
preq_addr->s_addr = htonl(0L);
p = bp->bp_vend;
- p_end = p + DHCP_OPT_LEN;
if (memcmp(p, rfc1533_cookie, 4) != 0)
return;
p += 4;
- while (p < p_end) {
+ while (p < bp_end) {
tag = p[0];
if (tag == RFC1533_PAD) {
p++;
@@ -114,10 +115,10 @@ static void dhcp_decode(const struct bootp_t *bp, int *pmsg_type,
break;
} else {
p++;
- if (p >= p_end)
+ if (p >= bp_end)
break;
len = *p++;
- if (p + len > p_end) {
+ if (p + len > bp_end) {
break;
}
DPRINTF("dhcp: tag=%d len=%d\n", tag, len);
@@ -144,7 +145,9 @@ static void dhcp_decode(const struct bootp_t *bp, int *pmsg_type,
}
}
-static void bootp_reply(Slirp *slirp, const struct bootp_t *bp)
+static void bootp_reply(Slirp *slirp,
+ const struct bootp_t *bp,
+ const uint8_t *bp_end)
{
BOOTPClient *bc = NULL;
struct mbuf *m;
@@ -157,7 +160,7 @@ static void bootp_reply(Slirp *slirp, const struct bootp_t *bp)
uint8_t client_ethaddr[ETH_ALEN];
/* extract exact DHCP msg type */
- dhcp_decode(bp, &dhcp_msg_type, &preq_addr);
+ dhcp_decode(bp, bp_end, &dhcp_msg_type, &preq_addr);
DPRINTF("bootp packet op=%d msgtype=%d", bp->bp_op, dhcp_msg_type);
if (preq_addr.s_addr != htonl(0L))
DPRINTF(" req_addr=%08" PRIx32 "\n", ntohl(preq_addr.s_addr));
@@ -179,9 +182,10 @@ static void bootp_reply(Slirp *slirp, const struct bootp_t *bp)
return;
}
m->m_data += IF_MAXLINKHDR;
+ m_inc(m, sizeof(struct bootp_t) + DHCP_OPT_LEN);
rbp = (struct bootp_t *)m->m_data;
m->m_data += sizeof(struct udpiphdr);
- memset(rbp, 0, sizeof(struct bootp_t));
+ memset(rbp, 0, sizeof(struct bootp_t) + DHCP_OPT_LEN);
if (dhcp_msg_type == DHCPDISCOVER) {
if (preq_addr.s_addr != htonl(0L)) {
@@ -235,7 +239,7 @@ static void bootp_reply(Slirp *slirp, const struct bootp_t *bp)
rbp->bp_siaddr = saddr.sin_addr; /* Server IP address */
q = rbp->bp_vend;
- end = (uint8_t *)&rbp[1];
+ end = rbp->bp_vend + DHCP_OPT_LEN;
memcpy(q, rfc1533_cookie, 4);
q += 4;
@@ -364,6 +368,6 @@ void bootp_input(struct mbuf *m)
struct bootp_t *bp = mtod(m, struct bootp_t *);
if (bp->bp_op == BOOTP_REQUEST) {
- bootp_reply(m->slirp, bp);
+ bootp_reply(m->slirp, bp, m_end(m));
}
}
diff --git a/src/bootp.h b/src/bootp.h
index a57fa51..31ce5fd 100644
--- a/src/bootp.h
+++ b/src/bootp.h
@@ -114,7 +114,7 @@ struct bootp_t {
uint8_t bp_hwaddr[16];
uint8_t bp_sname[64];
char bp_file[128];
- uint8_t bp_vend[DHCP_OPT_LEN];
+ uint8_t bp_vend[];
};
typedef struct {
diff --git a/src/mbuf.c b/src/mbuf.c
index cb2e971..0c1a530 100644
--- a/src/mbuf.c
+++ b/src/mbuf.c
@@ -233,3 +233,8 @@ void *mtod_check(struct mbuf *m, size_t len)
return NULL;
}
+
+void *m_end(struct mbuf *m)
+{
+ return m->m_data + m->m_len;
+}
diff --git a/src/mbuf.h b/src/mbuf.h
index 2015e32..a9752a3 100644
--- a/src/mbuf.h
+++ b/src/mbuf.h
@@ -119,6 +119,7 @@ void m_adj(struct mbuf *, int);
int m_copy(struct mbuf *, struct mbuf *, int, int);
struct mbuf *dtom(Slirp *, void *);
void *mtod_check(struct mbuf *, size_t len);
+void *m_end(struct mbuf *);
static inline void ifs_init(struct mbuf *ifm)
{
--
2.29.0

View File

@ -0,0 +1,36 @@
From 0f017f39a390d8fa4ae817f45fbf71a0c8332860 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Marc-Andr=C3=A9=20Lureau?= <marcandre.lureau@redhat.com>
Date: Fri, 4 Jun 2021 16:15:14 +0400
Subject: [PATCH 3/7] bootp: check bootp_input buffer size
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Fixes: CVE-2021-3592
Fixes: https://gitlab.freedesktop.org/slirp/libslirp/-/issues/44
Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
(cherry picked from commit 2eca0838eee1da96204545e22cdaed860d9d7c6c)
---
src/bootp.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/bootp.c b/src/bootp.c
index e0db8d1..cafa1eb 100644
--- a/src/bootp.c
+++ b/src/bootp.c
@@ -365,9 +365,9 @@ static void bootp_reply(Slirp *slirp,
void bootp_input(struct mbuf *m)
{
- struct bootp_t *bp = mtod(m, struct bootp_t *);
+ struct bootp_t *bp = mtod_check(m, sizeof(struct bootp_t));
- if (bp->bp_op == BOOTP_REQUEST) {
+ if (bp && bp->bp_op == BOOTP_REQUEST) {
bootp_reply(m->slirp, bp, m_end(m));
}
}
--
2.29.0

View File

@ -0,0 +1,36 @@
From 30feadb676a0792036a0f64309235c5767e2ee76 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Marc-Andr=C3=A9=20Lureau?= <marcandre.lureau@redhat.com>
Date: Fri, 4 Jun 2021 16:32:55 +0400
Subject: [PATCH 4/7] upd6: check udp6_input buffer size
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Fixes: CVE-2021-3593
Fixes: https://gitlab.freedesktop.org/slirp/libslirp/-/issues/45
Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
(cherry picked from commit de71c15de66ba9350bf62c45b05f8fbff166517b)
---
src/udp6.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/src/udp6.c b/src/udp6.c
index fdd8089..236b962 100644
--- a/src/udp6.c
+++ b/src/udp6.c
@@ -29,7 +29,10 @@ void udp6_input(struct mbuf *m)
ip = mtod(m, struct ip6 *);
m->m_len -= iphlen;
m->m_data += iphlen;
- uh = mtod(m, struct udphdr *);
+ uh = mtod_check(m, sizeof(struct udphdr));
+ if (uh == NULL) {
+ goto bad;
+ }
m->m_len += iphlen;
m->m_data -= iphlen;
--
2.29.0

View File

@ -0,0 +1,37 @@
From 31aaf902aa6ba31ab8f41543b2d4da8c01f3b861 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Marc-Andr=C3=A9=20Lureau?= <marcandre.lureau@redhat.com>
Date: Fri, 4 Jun 2021 16:34:30 +0400
Subject: [PATCH 5/7] tftp: check tftp_input buffer size
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Fixes: CVE-2021-3595
Fixes: https://gitlab.freedesktop.org/slirp/libslirp/-/issues/46
Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
(cherry picked from commit 3f17948137155f025f7809fdc38576d5d2451c3d)
---
src/tftp.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/src/tftp.c b/src/tftp.c
index c6950ee..e06911d 100644
--- a/src/tftp.c
+++ b/src/tftp.c
@@ -446,7 +446,11 @@ static void tftp_handle_error(Slirp *slirp, struct sockaddr_storage *srcsas,
void tftp_input(struct sockaddr_storage *srcsas, struct mbuf *m)
{
- struct tftp_t *tp = (struct tftp_t *)m->m_data;
+ struct tftp_t *tp = mtod_check(m, offsetof(struct tftp_t, x.tp_buf));
+
+ if (tp == NULL) {
+ return;
+ }
switch (ntohs(tp->tp_op)) {
case TFTP_RRQ:
--
2.29.0

View File

@ -0,0 +1,249 @@
From c8665ebbdadb72f7c2cb74b9704f68704c13653b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Marc-Andr=C3=A9=20Lureau?= <marcandre.lureau@redhat.com>
Date: Fri, 4 Jun 2021 20:01:20 +0400
Subject: [PATCH 6/7] tftp: introduce a header structure
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Instead of using a composed structure and potentially reading past the
incoming buffer, use a different structure for the header.
Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
(cherry picked from commit 990163cf3ac86b7875559f49602c4d76f46f6f30)
---
src/tftp.c | 60 ++++++++++++++++++++++++++++--------------------------
src/tftp.h | 6 +++++-
2 files changed, 36 insertions(+), 30 deletions(-)
diff --git a/src/tftp.c b/src/tftp.c
index e06911d..a19c889 100644
--- a/src/tftp.c
+++ b/src/tftp.c
@@ -50,7 +50,7 @@ static void tftp_session_terminate(struct tftp_session *spt)
}
static int tftp_session_allocate(Slirp *slirp, struct sockaddr_storage *srcsas,
- struct tftp_t *tp)
+ struct tftphdr *hdr)
{
struct tftp_session *spt;
int k;
@@ -75,7 +75,7 @@ found:
memcpy(&spt->client_addr, srcsas, sockaddr_size(srcsas));
spt->fd = -1;
spt->block_size = 512;
- spt->client_port = tp->udp.uh_sport;
+ spt->client_port = hdr->udp.uh_sport;
spt->slirp = slirp;
tftp_session_update(spt);
@@ -84,7 +84,7 @@ found:
}
static int tftp_session_find(Slirp *slirp, struct sockaddr_storage *srcsas,
- struct tftp_t *tp)
+ struct tftphdr *hdr)
{
struct tftp_session *spt;
int k;
@@ -94,7 +94,7 @@ static int tftp_session_find(Slirp *slirp, struct sockaddr_storage *srcsas,
if (tftp_session_in_use(spt)) {
if (sockaddr_equal(&spt->client_addr, srcsas)) {
- if (spt->client_port == tp->udp.uh_sport) {
+ if (spt->client_port == hdr->udp.uh_sport) {
return k;
}
}
@@ -148,13 +148,13 @@ static struct tftp_t *tftp_prep_mbuf_data(struct tftp_session *spt,
}
static void tftp_udp_output(struct tftp_session *spt, struct mbuf *m,
- struct tftp_t *recv_tp)
+ struct tftphdr *hdr)
{
if (spt->client_addr.ss_family == AF_INET6) {
struct sockaddr_in6 sa6, da6;
sa6.sin6_addr = spt->slirp->vhost_addr6;
- sa6.sin6_port = recv_tp->udp.uh_dport;
+ sa6.sin6_port = hdr->udp.uh_dport;
da6.sin6_addr = ((struct sockaddr_in6 *)&spt->client_addr)->sin6_addr;
da6.sin6_port = spt->client_port;
@@ -163,7 +163,7 @@ static void tftp_udp_output(struct tftp_session *spt, struct mbuf *m,
struct sockaddr_in sa4, da4;
sa4.sin_addr = spt->slirp->vhost_addr;
- sa4.sin_port = recv_tp->udp.uh_dport;
+ sa4.sin_port = hdr->udp.uh_dport;
da4.sin_addr = ((struct sockaddr_in *)&spt->client_addr)->sin_addr;
da4.sin_port = spt->client_port;
@@ -185,14 +185,14 @@ static int tftp_send_oack(struct tftp_session *spt, const char *keys[],
tp = tftp_prep_mbuf_data(spt, m);
- tp->tp_op = htons(TFTP_OACK);
+ tp->hdr.tp_op = htons(TFTP_OACK);
for (i = 0; i < nb; i++) {
n += slirp_fmt0(tp->x.tp_buf + n, sizeof(tp->x.tp_buf) - n, "%s", keys[i]);
n += slirp_fmt0(tp->x.tp_buf + n, sizeof(tp->x.tp_buf) - n, "%u", values[i]);
}
- m->m_len = G_SIZEOF_MEMBER(struct tftp_t, tp_op) + n;
- tftp_udp_output(spt, m, recv_tp);
+ m->m_len = G_SIZEOF_MEMBER(struct tftp_t, hdr.tp_op) + n;
+ tftp_udp_output(spt, m, &recv_tp->hdr);
return 0;
}
@@ -213,21 +213,21 @@ static void tftp_send_error(struct tftp_session *spt, uint16_t errorcode,
tp = tftp_prep_mbuf_data(spt, m);
- tp->tp_op = htons(TFTP_ERROR);
+ tp->hdr.tp_op = htons(TFTP_ERROR);
tp->x.tp_error.tp_error_code = htons(errorcode);
slirp_pstrcpy((char *)tp->x.tp_error.tp_msg, sizeof(tp->x.tp_error.tp_msg),
msg);
m->m_len = sizeof(struct tftp_t) - (TFTP_BLOCKSIZE_MAX + 2) + 3 +
strlen(msg) - sizeof(struct udphdr);
- tftp_udp_output(spt, m, recv_tp);
+ tftp_udp_output(spt, m, &recv_tp->hdr);
out:
tftp_session_terminate(spt);
}
static void tftp_send_next_block(struct tftp_session *spt,
- struct tftp_t *recv_tp)
+ struct tftphdr *hdr)
{
struct mbuf *m;
struct tftp_t *tp;
@@ -241,7 +241,7 @@ static void tftp_send_next_block(struct tftp_session *spt,
tp = tftp_prep_mbuf_data(spt, m);
- tp->tp_op = htons(TFTP_DATA);
+ tp->hdr.tp_op = htons(TFTP_DATA);
tp->x.tp_data.tp_block_nr = htons((spt->block_nr + 1) & 0xffff);
nobytes = tftp_read_data(spt, spt->block_nr, tp->x.tp_data.tp_buf,
@@ -259,7 +259,7 @@ static void tftp_send_next_block(struct tftp_session *spt,
m->m_len = sizeof(struct tftp_t) - (TFTP_BLOCKSIZE_MAX - nobytes) -
sizeof(struct udphdr);
- tftp_udp_output(spt, m, recv_tp);
+ tftp_udp_output(spt, m, hdr);
if (nobytes == spt->block_size) {
tftp_session_update(spt);
@@ -282,12 +282,12 @@ static void tftp_handle_rrq(Slirp *slirp, struct sockaddr_storage *srcsas,
int nb_options = 0;
/* check if a session already exists and if so terminate it */
- s = tftp_session_find(slirp, srcsas, tp);
+ s = tftp_session_find(slirp, srcsas, &tp->hdr);
if (s >= 0) {
tftp_session_terminate(&slirp->tftp_sessions[s]);
}
- s = tftp_session_allocate(slirp, srcsas, tp);
+ s = tftp_session_allocate(slirp, srcsas, &tp->hdr);
if (s < 0) {
return;
@@ -413,29 +413,29 @@ static void tftp_handle_rrq(Slirp *slirp, struct sockaddr_storage *srcsas,
}
spt->block_nr = 0;
- tftp_send_next_block(spt, tp);
+ tftp_send_next_block(spt, &tp->hdr);
}
static void tftp_handle_ack(Slirp *slirp, struct sockaddr_storage *srcsas,
- struct tftp_t *tp, int pktlen)
+ struct tftphdr *hdr)
{
int s;
- s = tftp_session_find(slirp, srcsas, tp);
+ s = tftp_session_find(slirp, srcsas, hdr);
if (s < 0) {
return;
}
- tftp_send_next_block(&slirp->tftp_sessions[s], tp);
+ tftp_send_next_block(&slirp->tftp_sessions[s], hdr);
}
static void tftp_handle_error(Slirp *slirp, struct sockaddr_storage *srcsas,
- struct tftp_t *tp, int pktlen)
+ struct tftphdr *hdr)
{
int s;
- s = tftp_session_find(slirp, srcsas, tp);
+ s = tftp_session_find(slirp, srcsas, hdr);
if (s < 0) {
return;
@@ -446,23 +446,25 @@ static void tftp_handle_error(Slirp *slirp, struct sockaddr_storage *srcsas,
void tftp_input(struct sockaddr_storage *srcsas, struct mbuf *m)
{
- struct tftp_t *tp = mtod_check(m, offsetof(struct tftp_t, x.tp_buf));
+ struct tftphdr *hdr = mtod_check(m, sizeof(struct tftphdr));
- if (tp == NULL) {
+ if (hdr == NULL) {
return;
}
- switch (ntohs(tp->tp_op)) {
+ switch (ntohs(hdr->tp_op)) {
case TFTP_RRQ:
- tftp_handle_rrq(m->slirp, srcsas, tp, m->m_len);
+ tftp_handle_rrq(m->slirp, srcsas,
+ mtod(m, struct tftp_t *),
+ m->m_len);
break;
case TFTP_ACK:
- tftp_handle_ack(m->slirp, srcsas, tp, m->m_len);
+ tftp_handle_ack(m->slirp, srcsas, hdr);
break;
case TFTP_ERROR:
- tftp_handle_error(m->slirp, srcsas, tp, m->m_len);
+ tftp_handle_error(m->slirp, srcsas, hdr);
break;
}
}
diff --git a/src/tftp.h b/src/tftp.h
index 6d75478..cafab03 100644
--- a/src/tftp.h
+++ b/src/tftp.h
@@ -20,9 +20,13 @@
#define TFTP_FILENAME_MAX 512
#define TFTP_BLOCKSIZE_MAX 1428
-struct tftp_t {
+struct tftphdr {
struct udphdr udp;
uint16_t tp_op;
+} SLIRP_PACKED;
+
+struct tftp_t {
+ struct tftphdr hdr;
union {
struct {
uint16_t tp_block_nr;
--
2.29.0

View File

@ -0,0 +1,36 @@
From ca41f7eaa58d3f63a3df58d812b3cec32343ab6a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Marc-Andr=C3=A9=20Lureau?= <marcandre.lureau@redhat.com>
Date: Fri, 4 Jun 2021 16:40:23 +0400
Subject: [PATCH 7/7] udp: check upd_input buffer size
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Fixes: CVE-2021-3594
Fixes: https://gitlab.freedesktop.org/slirp/libslirp/-/issues/47
Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
(cherry picked from commit 74572be49247c8c5feae7c6e0b50c4f569ca9824)
---
src/udp.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/src/udp.c b/src/udp.c
index 050cee4..e4578aa 100644
--- a/src/udp.c
+++ b/src/udp.c
@@ -94,7 +94,10 @@ void udp_input(register struct mbuf *m, int iphlen)
/*
* Get IP and UDP header together in first mbuf.
*/
- ip = mtod(m, struct ip *);
+ ip = mtod_check(m, iphlen + sizeof(struct udphdr));
+ if (ip == NULL) {
+ goto bad;
+ }
uh = (struct udphdr *)((char *)ip + iphlen);
/*
--
2.29.0

View File

@ -1,12 +1,22 @@
Name: libslirp
Version: 4.3.1
Version: 4.4.0
Release: 1%{?dist}
Summary: A general purpose TCP-IP emulator
# check the SPDX tags in source files for details
License: BSD and MIT
URL: https://gitlab.freedesktop.org/slirp/%{name}
Source0: https://elmarco.fedorapeople.org/libslirp-%{version}.tar.xz
Source0: %{url}/-/archive/v%{version}/%{name}-%{version}.tar.xz
Patch0001: 0001-Add-mtod_check.patch
Patch0002: 0002-bootp-limit-vendor-specific-area-to-input-packet-mem.patch
Patch0003: 0003-bootp-check-bootp_input-buffer-size.patch
Patch0004: 0004-upd6-check-udp6_input-buffer-size.patch
Patch0005: 0005-tftp-check-tftp_input-buffer-size.patch
Patch0006: 0006-tftp-introduce-a-header-structure.patch
Patch0007: 0007-udp-check-upd_input-buffer-size.patch
Patch0008: 0001-Fix-DHCP-broken-in-libslirp-v4.6.0.patch
BuildRequires: git-core
BuildRequires: meson
BuildRequires: gcc
@ -51,6 +61,10 @@ developing applications that use %{name}.
%changelog
* Mon Jun 28 2021 Jindrich Novy <jnovy@redhat.com> - 4.4.0-1
- Fix CVE-2021-3592 CVE-2021-3593 CVE-2021-3594 CVE-2021-3595 out-of-bounds access
- Related: #1934415
* Thu Jul 30 2020 Jindrich Novy <jnovy@redhat.com> - 4.3.1-1
- update to https://gitlab.freedesktop.org/slirp/libslirp/-/releases/v4.3.1
- Related: #1821193