.gitignore

@@ -1 +1 @@
-SOURCES/libslirp-4.3.1.tar.xz
+SOURCES/libslirp-4.4.0.tar.xz

.libslirp.metadata

@@ -1 +1 @@
-f69c50c264a465bde6fe0cd6b577e2f1c0b20ece SOURCES/libslirp-4.3.1.tar.xz
+5ef4ed055299eab0703d4c49da552fdb61357f13 SOURCES/libslirp-4.4.0.tar.xz

SOURCES/0001-Add-mtod_check.patch

@@ -0,0 +1,54 @@
+From 87f5d0c70bdb46d467d32e3c3a8d7a472c97e148 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Marc-Andr=C3=A9=20Lureau?= <marcandre.lureau@redhat.com>
+Date: Fri, 4 Jun 2021 15:58:25 +0400
+Subject: [PATCH 1/7] Add mtod_check()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Recent security issues demonstrate the lack of safety care when casting
+a mbuf to a particular structure type. At least, it should check that
+the buffer is large enough. The following patches will make use of this
+function.
+
+Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
+(cherry picked from commit 93e645e72a056ec0b2c16e0299fc5c6b94e4ca17)
+---
+ src/mbuf.c | 11 +++++++++++
+ src/mbuf.h |  1 +
+ 2 files changed, 12 insertions(+)
+
+diff --git a/src/mbuf.c b/src/mbuf.c
+index 54ec721..cb2e971 100644
+--- a/src/mbuf.c
++++ b/src/mbuf.c
+@@ -222,3 +222,14 @@ struct mbuf *dtom(Slirp *slirp, void *dat)
+ 
+     return (struct mbuf *)0;
+ }
++
++void *mtod_check(struct mbuf *m, size_t len)
++{
++    if (m->m_len >= len) {
++        return m->m_data;
++    }
++
++    DEBUG_ERROR("mtod failed");
++
++    return NULL;
++}
+diff --git a/src/mbuf.h b/src/mbuf.h
+index 546e785..2015e32 100644
+--- a/src/mbuf.h
++++ b/src/mbuf.h
+@@ -118,6 +118,7 @@ void m_inc(struct mbuf *, int);
+ void m_adj(struct mbuf *, int);
+ int m_copy(struct mbuf *, struct mbuf *, int, int);
+ struct mbuf *dtom(Slirp *, void *);
++void *mtod_check(struct mbuf *, size_t len);
+ 
+ static inline void ifs_init(struct mbuf *ifm)
+ {
+-- 
+2.29.0
+

SOURCES/0001-Fix-DHCP-broken-in-libslirp-v4.6.0.patch

@@ -0,0 +1,30 @@
+From c9f314f6e315a5518432761fea864196a290f799 Mon Sep 17 00:00:00 2001
+From: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
+Date: Thu, 17 Jun 2021 18:01:32 +0900
+Subject: [PATCH] Fix "DHCP broken in libslirp v4.6.0"
+
+Fix issue 48
+
+Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
+---
+ src/bootp.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/src/bootp.c b/src/bootp.c
+index cafa1eb..0a35873 100644
+--- a/src/bootp.c
++++ b/src/bootp.c
+@@ -359,7 +359,9 @@ static void bootp_reply(Slirp *slirp,
+ 
+     daddr.sin_addr.s_addr = 0xffffffffu;
+ 
+-    m->m_len = sizeof(struct bootp_t) - sizeof(struct ip) - sizeof(struct udphdr);
++    assert ((q - rbp->bp_vend + 1) <= DHCP_OPT_LEN);
++
++    m->m_len = sizeof(struct bootp_t) + (q - rbp->bp_vend + 1) - sizeof(struct ip) - sizeof(struct udphdr);
+     udp_output(NULL, m, &saddr, &daddr, IPTOS_LOWDELAY);
+ }
+ 
+-- 
+2.29.0
+

SOURCES/0001-New-utility-slirp_ether_ntoa.patch

@@ -0,0 +1,186 @@
+From c6fcedf4f53e070dfcb7a6910624705cdcc0a027 Mon Sep 17 00:00:00 2001
+From: Doug Evans <dje@google.com>
+Date: Tue, 23 Feb 2021 15:23:19 -0800
+Subject: [PATCH 1/2] New utility slirp_ether_ntoa
+
+... and call it everywhere a macaddr is pretty-printed.
+
+Signed-off-by: Doug Evans <dje@google.com>
+(cherry picked from commit ac00ba460e101bbce0a167b4f0517378a0fbe6b8)
+---
+ src/arp_table.c | 12 +++++++-----
+ src/ndp_table.c | 18 ++++++++++--------
+ src/slirp.c     | 11 +++++------
+ src/util.c      | 11 +++++++++++
+ src/util.h      |  8 ++++++++
+ 5 files changed, 41 insertions(+), 19 deletions(-)
+
+diff --git a/src/arp_table.c b/src/arp_table.c
+index 959e5b9ec0af..ba8c8a4eee88 100644
+--- a/src/arp_table.c
++++ b/src/arp_table.c
+@@ -34,11 +34,12 @@ void arp_table_add(Slirp *slirp, uint32_t ip_addr,
+         ~slirp->vnetwork_mask.s_addr | slirp->vnetwork_addr.s_addr;
+     ArpTable *arptbl = &slirp->arp_table;
+     int i;
++    char ethaddr_str[ETH_ADDRSTRLEN];
+ 
+     DEBUG_CALL("arp_table_add");
+     DEBUG_ARG("ip = %s", inet_ntoa((struct in_addr){ .s_addr = ip_addr }));
+-    DEBUG_ARG("hw addr = %02x:%02x:%02x:%02x:%02x:%02x", ethaddr[0], ethaddr[1],
+-              ethaddr[2], ethaddr[3], ethaddr[4], ethaddr[5]);
++    DEBUG_ARG("hw addr = %s", slirp_ether_ntoa(ethaddr, ethaddr_str,
++                                               sizeof(ethaddr_str)));
+ 
+     if (ip_addr == 0 || ip_addr == 0xffffffff || ip_addr == broadcast_addr) {
+         /* Do not register broadcast addresses */
+@@ -67,6 +68,7 @@ bool arp_table_search(Slirp *slirp, uint32_t ip_addr,
+         ~slirp->vnetwork_mask.s_addr | slirp->vnetwork_addr.s_addr;
+     ArpTable *arptbl = &slirp->arp_table;
+     int i;
++    char ethaddr_str[ETH_ADDRSTRLEN];
+ 
+     DEBUG_CALL("arp_table_search");
+     DEBUG_ARG("ip = %s", inet_ntoa((struct in_addr){ .s_addr = ip_addr }));
+@@ -81,9 +83,9 @@ bool arp_table_search(Slirp *slirp, uint32_t ip_addr,
+     for (i = 0; i < ARP_TABLE_SIZE; i++) {
+         if (arptbl->table[i].ar_sip == ip_addr) {
+             memcpy(out_ethaddr, arptbl->table[i].ar_sha, ETH_ALEN);
+-            DEBUG_ARG("found hw addr = %02x:%02x:%02x:%02x:%02x:%02x",
+-                      out_ethaddr[0], out_ethaddr[1], out_ethaddr[2],
+-                      out_ethaddr[3], out_ethaddr[4], out_ethaddr[5]);
++            DEBUG_ARG("found hw addr = %s",
++                      slirp_ether_ntoa(out_ethaddr, ethaddr_str,
++                                       sizeof(ethaddr_str)));
+             return 1;
+         }
+     }
+diff --git a/src/ndp_table.c b/src/ndp_table.c
+index 110d6ea0e43f..61ae8e0468fc 100644
+--- a/src/ndp_table.c
++++ b/src/ndp_table.c
+@@ -12,13 +12,14 @@ void ndp_table_add(Slirp *slirp, struct in6_addr ip_addr,
+     char addrstr[INET6_ADDRSTRLEN];
+     NdpTable *ndp_table = &slirp->ndp_table;
+     int i;
++    char ethaddr_str[ETH_ADDRSTRLEN];
+ 
+     inet_ntop(AF_INET6, &(ip_addr), addrstr, INET6_ADDRSTRLEN);
+ 
+     DEBUG_CALL("ndp_table_add");
+     DEBUG_ARG("ip = %s", addrstr);
+-    DEBUG_ARG("hw addr = %02x:%02x:%02x:%02x:%02x:%02x", ethaddr[0], ethaddr[1],
+-              ethaddr[2], ethaddr[3], ethaddr[4], ethaddr[5]);
++    DEBUG_ARG("hw addr = %s", slirp_ether_ntoa(ethaddr, ethaddr_str,
++                                               sizeof(ethaddr_str)));
+ 
+     if (IN6_IS_ADDR_MULTICAST(&ip_addr) || in6_zero(&ip_addr)) {
+         /* Do not register multicast or unspecified addresses */
+@@ -50,6 +51,7 @@ bool ndp_table_search(Slirp *slirp, struct in6_addr ip_addr,
+     char addrstr[INET6_ADDRSTRLEN];
+     NdpTable *ndp_table = &slirp->ndp_table;
+     int i;
++    char ethaddr_str[ETH_ADDRSTRLEN];
+ 
+     inet_ntop(AF_INET6, &(ip_addr), addrstr, INET6_ADDRSTRLEN);
+ 
+@@ -66,18 +68,18 @@ bool ndp_table_search(Slirp *slirp, struct in6_addr ip_addr,
+         out_ethaddr[3] = ip_addr.s6_addr[13];
+         out_ethaddr[4] = ip_addr.s6_addr[14];
+         out_ethaddr[5] = ip_addr.s6_addr[15];
+-        DEBUG_ARG("multicast addr = %02x:%02x:%02x:%02x:%02x:%02x",
+-                  out_ethaddr[0], out_ethaddr[1], out_ethaddr[2],
+-                  out_ethaddr[3], out_ethaddr[4], out_ethaddr[5]);
++        DEBUG_ARG("multicast addr = %s",
++                  slirp_ether_ntoa(out_ethaddr, ethaddr_str,
++                                   sizeof(ethaddr_str)));
+         return 1;
+     }
+ 
+     for (i = 0; i < NDP_TABLE_SIZE; i++) {
+         if (in6_equal(&ndp_table->table[i].ip_addr, &ip_addr)) {
+             memcpy(out_ethaddr, ndp_table->table[i].eth_addr, ETH_ALEN);
+-            DEBUG_ARG("found hw addr = %02x:%02x:%02x:%02x:%02x:%02x",
+-                      out_ethaddr[0], out_ethaddr[1], out_ethaddr[2],
+-                      out_ethaddr[3], out_ethaddr[4], out_ethaddr[5]);
++            DEBUG_ARG("found hw addr = %s",
++                      slirp_ether_ntoa(out_ethaddr, ethaddr_str,
++                                       sizeof(ethaddr_str)));
+             return 1;
+         }
+     }
+diff --git a/src/slirp.c b/src/slirp.c
+index abb6f9a966d8..1f2513a9e1a4 100644
+--- a/src/slirp.c
++++ b/src/slirp.c
+@@ -1054,6 +1054,7 @@ int if_encap(Slirp *slirp, struct mbuf *ifm)
+     uint8_t ethaddr[ETH_ALEN];
+     const struct ip *iph = (const struct ip *)ifm->m_data;
+     int ret;
++    char ethaddr_str[ETH_ADDRSTRLEN];
+ 
+     if (ifm->m_len + ETH_HLEN > sizeof(buf)) {
+         return 1;
+@@ -1079,12 +1080,10 @@ int if_encap(Slirp *slirp, struct mbuf *ifm)
+     }
+ 
+     memcpy(eh->h_dest, ethaddr, ETH_ALEN);
+-    DEBUG_ARG("src = %02x:%02x:%02x:%02x:%02x:%02x", eh->h_source[0],
+-              eh->h_source[1], eh->h_source[2], eh->h_source[3],
+-              eh->h_source[4], eh->h_source[5]);
+-    DEBUG_ARG("dst = %02x:%02x:%02x:%02x:%02x:%02x", eh->h_dest[0],
+-              eh->h_dest[1], eh->h_dest[2], eh->h_dest[3], eh->h_dest[4],
+-              eh->h_dest[5]);
++    DEBUG_ARG("src = %s", slirp_ether_ntoa(eh->h_source, ethaddr_str,
++                                           sizeof(ethaddr_str)));
++    DEBUG_ARG("dst = %s", slirp_ether_ntoa(eh->h_dest, ethaddr_str,
++                                           sizeof(ethaddr_str)));
+     memcpy(buf + sizeof(struct ethhdr), ifm->m_data, ifm->m_len);
+     slirp_send_packet_all(slirp, buf, ifm->m_len + ETH_HLEN);
+     return 1;
+diff --git a/src/util.c b/src/util.c
+index 2d8fb9642e76..67ef66786f54 100644
+--- a/src/util.c
++++ b/src/util.c
+@@ -427,3 +427,14 @@ int slirp_fmt0(char *str, size_t size, const char *format, ...)
+ 
+     return rv;
+ }
++
++const char *slirp_ether_ntoa(const uint8_t *addr, char *out_str,
++                             size_t out_str_size)
++{
++    assert(out_str_size >= ETH_ADDRSTRLEN);
++
++    slirp_fmt0(out_str, out_str_size, "%02x:%02x:%02x:%02x:%02x:%02x",
++               addr[0], addr[1], addr[2], addr[3], addr[4], addr[5]);
++
++    return out_str;
++}
+diff --git a/src/util.h b/src/util.h
+index d67b3d0de9aa..8134db961779 100644
+--- a/src/util.h
++++ b/src/util.h
+@@ -84,6 +84,7 @@ struct iovec {
+ #define SCALE_MS 1000000
+ 
+ #define ETH_ALEN 6
++#define ETH_ADDRSTRLEN 18 /* "xx:xx:xx:xx:xx:xx", with trailing NUL */
+ #define ETH_HLEN 14
+ #define ETH_P_IP (0x0800) /* Internet Protocol packet  */
+ #define ETH_P_ARP (0x0806) /* Address Resolution packet */
+@@ -186,4 +187,11 @@ void slirp_pstrcpy(char *buf, int buf_size, const char *str);
+ int slirp_fmt(char *str, size_t size, const char *format, ...) G_GNUC_PRINTF(3, 4);
+ int slirp_fmt0(char *str, size_t size, const char *format, ...) G_GNUC_PRINTF(3, 4);
+ 
++/*
++ * Pretty print a MAC address into out_str.
++ * As a convenience returns out_str.
++ */
++const char *slirp_ether_ntoa(const uint8_t *addr, char *out_str,
++                             size_t out_str_len);
++
+ #endif
+-- 
+2.34.1.428.gdcc0cd074f0c
+

SOURCES/0002-Replace-inet_ntoa-with-safer-inet_ntop.patch

@@ -0,0 +1,173 @@
+From 849c972aa16a85c860f67d7e7f1fbe58e45187d2 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Marc-Andr=C3=A9=20Lureau?= <marcandre.lureau@redhat.com>
+Date: Wed, 9 Feb 2022 22:15:08 +0400
+Subject: [PATCH 2/2] Replace inet_ntoa() with safer inet_ntop()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+inet_ntoa() returns a static pointer which is subject to safety issues.
+Use the recommended alternative.
+
+Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
+---
+ src/arp_table.c |  8 ++++++--
+ src/ip_icmp.c   | 10 ++++++----
+ src/misc.c      | 22 +++++++++++++---------
+ src/socket.c    |  5 +++--
+ src/udp.c       |  5 +++--
+ 5 files changed, 31 insertions(+), 19 deletions(-)
+
+diff --git a/src/arp_table.c b/src/arp_table.c
+index ba8c8a4eee88..3cf2ecc238bc 100644
+--- a/src/arp_table.c
++++ b/src/arp_table.c
+@@ -35,9 +35,11 @@ void arp_table_add(Slirp *slirp, uint32_t ip_addr,
+     ArpTable *arptbl = &slirp->arp_table;
+     int i;
+     char ethaddr_str[ETH_ADDRSTRLEN];
++    char addr[INET_ADDRSTRLEN];
+ 
+     DEBUG_CALL("arp_table_add");
+-    DEBUG_ARG("ip = %s", inet_ntoa((struct in_addr){ .s_addr = ip_addr }));
++    DEBUG_ARG("ip = %s", inet_ntop(AF_INET, &(struct in_addr){ .s_addr = ip_addr },
++                                   addr, sizeof(addr)));
+     DEBUG_ARG("hw addr = %s", slirp_ether_ntoa(ethaddr, ethaddr_str,
+                                                sizeof(ethaddr_str)));
+ 
+@@ -69,9 +71,11 @@ bool arp_table_search(Slirp *slirp, uint32_t ip_addr,
+     ArpTable *arptbl = &slirp->arp_table;
+     int i;
+     char ethaddr_str[ETH_ADDRSTRLEN];
++    char addr[INET_ADDRSTRLEN];
+ 
+     DEBUG_CALL("arp_table_search");
+-    DEBUG_ARG("ip = %s", inet_ntoa((struct in_addr){ .s_addr = ip_addr }));
++    DEBUG_ARG("ip = %s", inet_ntop(AF_INET, &(struct in_addr){ .s_addr = ip_addr },
++                                   addr, sizeof(addr)));
+ 
+     /* If broadcast address */
+     if (ip_addr == 0 || ip_addr == 0xffffffff || ip_addr == broadcast_addr) {
+diff --git a/src/ip_icmp.c b/src/ip_icmp.c
+index f4d686b0222d..26e44a3fd49c 100644
+--- a/src/ip_icmp.c
++++ b/src/ip_icmp.c
+@@ -291,10 +291,12 @@ void icmp_forward_error(struct mbuf *msrc, uint8_t type, uint8_t code, int minsi
+         goto end_error;
+     ip = mtod(msrc, struct ip *);
+     if (slirp_debug & DBG_MISC) {
+-        char bufa[20], bufb[20];
+-        slirp_pstrcpy(bufa, sizeof(bufa), inet_ntoa(ip->ip_src));
+-        slirp_pstrcpy(bufb, sizeof(bufb), inet_ntoa(ip->ip_dst));
+-        DEBUG_MISC(" %.16s to %.16s", bufa, bufb);
++        char addr_src[INET_ADDRSTRLEN];
++        char addr_dst[INET_ADDRSTRLEN];
++
++        inet_ntop(AF_INET, &ip->ip_src, addr_src, sizeof(addr_src));
++        inet_ntop(AF_INET, &ip->ip_dst, addr_dst, sizeof(addr_dst));
++        DEBUG_MISC(" %.16s to %.16s", addr_src, addr_dst);
+     }
+     if (ip->ip_off & IP_OFFMASK)
+         goto end_error; /* Only reply to fragment 0 */
+diff --git a/src/misc.c b/src/misc.c
+index e6bc0a207d0b..1306f68eb539 100644
+--- a/src/misc.c
++++ b/src/misc.c
+@@ -293,6 +293,7 @@ char *slirp_connection_info(Slirp *slirp)
+     uint16_t dst_port;
+     struct socket *so;
+     const char *state;
++    char addr[INET_ADDRSTRLEN];
+     char buf[20];
+ 
+     g_string_append_printf(str,
+@@ -322,10 +323,11 @@ char *slirp_connection_info(Slirp *slirp)
+         }
+         slirp_fmt0(buf, sizeof(buf), "  TCP[%s]", state);
+         g_string_append_printf(str, "%-19s %3d %15s %5d ", buf, so->s,
+-                               src.sin_addr.s_addr ? inet_ntoa(src.sin_addr) :
+-                                                     "*",
++                               src.sin_addr.s_addr ?
++                               inet_ntop(AF_INET, &src.sin_addr, addr, sizeof(addr)) : "*",
+                                ntohs(src.sin_port));
+-        g_string_append_printf(str, "%15s %5d %5d %5d\n", inet_ntoa(dst_addr),
++        g_string_append_printf(str, "%15s %5d %5d %5d\n",
++                               inet_ntop(AF_INET, &dst_addr, addr, sizeof(addr)),
+                                ntohs(dst_port), so->so_rcv.sb_cc,
+                                so->so_snd.sb_cc);
+     }
+@@ -346,10 +348,11 @@ char *slirp_connection_info(Slirp *slirp)
+             dst_port = so->so_fport;
+         }
+         g_string_append_printf(str, "%-19s %3d %15s %5d ", buf, so->s,
+-                               src.sin_addr.s_addr ? inet_ntoa(src.sin_addr) :
+-                                                     "*",
++                               src.sin_addr.s_addr ?
++                               inet_ntop(AF_INET, &src.sin_addr, addr, sizeof(addr)) : "*",
+                                ntohs(src.sin_port));
+-        g_string_append_printf(str, "%15s %5d %5d %5d\n", inet_ntoa(dst_addr),
++        g_string_append_printf(str, "%15s %5d %5d %5d\n",
++                               inet_ntop(AF_INET, &dst_addr, addr, sizeof(addr)),
+                                ntohs(dst_port), so->so_rcv.sb_cc,
+                                so->so_snd.sb_cc);
+     }
+@@ -360,9 +363,10 @@ char *slirp_connection_info(Slirp *slirp)
+         src.sin_addr = so->so_laddr;
+         dst_addr = so->so_faddr;
+         g_string_append_printf(str, "%-19s %3d %15s  -    ", buf, so->s,
+-                               src.sin_addr.s_addr ? inet_ntoa(src.sin_addr) :
+-                                                     "*");
+-        g_string_append_printf(str, "%15s  -    %5d %5d\n", inet_ntoa(dst_addr),
++                               src.sin_addr.s_addr ?
++                               inet_ntop(AF_INET, &src.sin_addr, addr, sizeof(addr)) : "*");
++        g_string_append_printf(str, "%15s  -    %5d %5d\n",
++                               inet_ntop(AF_INET, &dst_addr, addr, sizeof(addr)),
+                                so->so_rcv.sb_cc, so->so_snd.sb_cc);
+     }
+ 
+diff --git a/src/socket.c b/src/socket.c
+index c0b02ad131f3..6607e319ad6c 100644
+--- a/src/socket.c
++++ b/src/socket.c
+@@ -743,13 +743,14 @@ struct socket *tcp_listen(Slirp *slirp, uint32_t haddr, unsigned hport,
+     struct sockaddr_in addr;
+     struct socket *so;
+     int s, opt = 1;
++    char inet_addr[INET_ADDRSTRLEN];
+     socklen_t addrlen = sizeof(addr);
+     memset(&addr, 0, addrlen);
+ 
+     DEBUG_CALL("tcp_listen");
+-    DEBUG_ARG("haddr = %s", inet_ntoa((struct in_addr){ .s_addr = haddr }));
++    DEBUG_ARG("haddr = %s", inet_ntop(AF_INET, &(struct in_addr){ .s_addr = haddr }, inet_addr, sizeof(inet_addr)));
+     DEBUG_ARG("hport = %d", ntohs(hport));
+-    DEBUG_ARG("laddr = %s", inet_ntoa((struct in_addr){ .s_addr = laddr }));
++    DEBUG_ARG("laddr = %s", inet_ntop(AF_INET, &(struct in_addr){ .s_addr = laddr }, inet_addr, sizeof(inet_addr)));
+     DEBUG_ARG("lport = %d", ntohs(lport));
+     DEBUG_ARG("flags = %x", flags);
+ 
+diff --git a/src/udp.c b/src/udp.c
+index e4578aa94ed5..0547cd6fc5c3 100644
+--- a/src/udp.c
++++ b/src/udp.c
+@@ -248,14 +248,15 @@ bad:
+ int udp_output(struct socket *so, struct mbuf *m, struct sockaddr_in *saddr,
+                struct sockaddr_in *daddr, int iptos)
+ {
++    char addr[INET_ADDRSTRLEN];
+     register struct udpiphdr *ui;
+     int error = 0;
+ 
+     DEBUG_CALL("udp_output");
+     DEBUG_ARG("so = %p", so);
+     DEBUG_ARG("m = %p", m);
+-    DEBUG_ARG("saddr = %s", inet_ntoa(saddr->sin_addr));
+-    DEBUG_ARG("daddr = %s", inet_ntoa(daddr->sin_addr));
++    DEBUG_ARG("saddr = %s", inet_ntop(AF_INET, &saddr->sin_addr, addr, sizeof(addr)));
++    DEBUG_ARG("daddr = %s", inet_ntop(AF_INET, &daddr->sin_addr, addr, sizeof(addr)));
+ 
+     /*
+      * Adjust for header
+-- 
+2.34.1.428.gdcc0cd074f0c
+

SOURCES/0002-bootp-limit-vendor-specific-area-to-input-packet-mem.patch

@@ -0,0 +1,161 @@
+From f0d4faae8258385338bc1ec252250454346b7ef7 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Marc-Andr=C3=A9=20Lureau?= <marcandre.lureau@redhat.com>
+Date: Fri, 4 Jun 2021 19:25:28 +0400
+Subject: [PATCH 2/7] bootp: limit vendor-specific area to input packet memory
+ buffer
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+sizeof(bootp_t) currently holds DHCP_OPT_LEN. Remove this optional field
+from the structure, to help with the following patch checking for
+minimal header size. Modify the bootp_reply() function to take the
+buffer boundaries and avoiding potential buffer overflow.
+
+Related to CVE-2021-3592.
+
+https://gitlab.freedesktop.org/slirp/libslirp/-/issues/44
+
+Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
+(cherry picked from commit f13cad45b25d92760bb0ad67bec0300a4d7d5275)
+---
+ src/bootp.c | 26 +++++++++++++++-----------
+ src/bootp.h |  2 +-
+ src/mbuf.c  |  5 +++++
+ src/mbuf.h  |  1 +
+ 4 files changed, 22 insertions(+), 12 deletions(-)
+
+diff --git a/src/bootp.c b/src/bootp.c
+index 46e9681..e0db8d1 100644
+--- a/src/bootp.c
++++ b/src/bootp.c
+@@ -92,21 +92,22 @@ found:
+     return bc;
+ }
+ 
+-static void dhcp_decode(const struct bootp_t *bp, int *pmsg_type,
++static void dhcp_decode(const struct bootp_t *bp,
++                        const uint8_t *bp_end,
++                        int *pmsg_type,
+                         struct in_addr *preq_addr)
+ {
+-    const uint8_t *p, *p_end;
++    const uint8_t *p;
+     int len, tag;
+ 
+     *pmsg_type = 0;
+     preq_addr->s_addr = htonl(0L);
+ 
+     p = bp->bp_vend;
+-    p_end = p + DHCP_OPT_LEN;
+     if (memcmp(p, rfc1533_cookie, 4) != 0)
+         return;
+     p += 4;
+-    while (p < p_end) {
++    while (p < bp_end) {
+         tag = p[0];
+         if (tag == RFC1533_PAD) {
+             p++;
+@@ -114,10 +115,10 @@ static void dhcp_decode(const struct bootp_t *bp, int *pmsg_type,
+             break;
+         } else {
+             p++;
+-            if (p >= p_end)
++            if (p >= bp_end)
+                 break;
+             len = *p++;
+-            if (p + len > p_end) {
++            if (p + len > bp_end) {
+                 break;
+             }
+             DPRINTF("dhcp: tag=%d len=%d\n", tag, len);
+@@ -144,7 +145,9 @@ static void dhcp_decode(const struct bootp_t *bp, int *pmsg_type,
+     }
+ }
+ 
+-static void bootp_reply(Slirp *slirp, const struct bootp_t *bp)
++static void bootp_reply(Slirp *slirp,
++                        const struct bootp_t *bp,
++                        const uint8_t *bp_end)
+ {
+     BOOTPClient *bc = NULL;
+     struct mbuf *m;
+@@ -157,7 +160,7 @@ static void bootp_reply(Slirp *slirp, const struct bootp_t *bp)
+     uint8_t client_ethaddr[ETH_ALEN];
+ 
+     /* extract exact DHCP msg type */
+-    dhcp_decode(bp, &dhcp_msg_type, &preq_addr);
++    dhcp_decode(bp, bp_end, &dhcp_msg_type, &preq_addr);
+     DPRINTF("bootp packet op=%d msgtype=%d", bp->bp_op, dhcp_msg_type);
+     if (preq_addr.s_addr != htonl(0L))
+         DPRINTF(" req_addr=%08" PRIx32 "\n", ntohl(preq_addr.s_addr));
+@@ -179,9 +182,10 @@ static void bootp_reply(Slirp *slirp, const struct bootp_t *bp)
+         return;
+     }
+     m->m_data += IF_MAXLINKHDR;
++    m_inc(m, sizeof(struct bootp_t) + DHCP_OPT_LEN);
+     rbp = (struct bootp_t *)m->m_data;
+     m->m_data += sizeof(struct udpiphdr);
+-    memset(rbp, 0, sizeof(struct bootp_t));
++    memset(rbp, 0, sizeof(struct bootp_t) + DHCP_OPT_LEN);
+ 
+     if (dhcp_msg_type == DHCPDISCOVER) {
+         if (preq_addr.s_addr != htonl(0L)) {
+@@ -235,7 +239,7 @@ static void bootp_reply(Slirp *slirp, const struct bootp_t *bp)
+     rbp->bp_siaddr = saddr.sin_addr; /* Server IP address */
+ 
+     q = rbp->bp_vend;
+-    end = (uint8_t *)&rbp[1];
++    end = rbp->bp_vend + DHCP_OPT_LEN;
+     memcpy(q, rfc1533_cookie, 4);
+     q += 4;
+ 
+@@ -364,6 +368,6 @@ void bootp_input(struct mbuf *m)
+     struct bootp_t *bp = mtod(m, struct bootp_t *);
+ 
+     if (bp->bp_op == BOOTP_REQUEST) {
+-        bootp_reply(m->slirp, bp);
++        bootp_reply(m->slirp, bp, m_end(m));
+     }
+ }
+diff --git a/src/bootp.h b/src/bootp.h
+index a57fa51..31ce5fd 100644
+--- a/src/bootp.h
++++ b/src/bootp.h
+@@ -114,7 +114,7 @@ struct bootp_t {
+     uint8_t bp_hwaddr[16];
+     uint8_t bp_sname[64];
+     char bp_file[128];
+-    uint8_t bp_vend[DHCP_OPT_LEN];
++    uint8_t bp_vend[];
+ };
+ 
+ typedef struct {
+diff --git a/src/mbuf.c b/src/mbuf.c
+index cb2e971..0c1a530 100644
+--- a/src/mbuf.c
++++ b/src/mbuf.c
+@@ -233,3 +233,8 @@ void *mtod_check(struct mbuf *m, size_t len)
+ 
+     return NULL;
+ }
++
++void *m_end(struct mbuf *m)
++{
++    return m->m_data + m->m_len;
++}
+diff --git a/src/mbuf.h b/src/mbuf.h
+index 2015e32..a9752a3 100644
+--- a/src/mbuf.h
++++ b/src/mbuf.h
+@@ -119,6 +119,7 @@ void m_adj(struct mbuf *, int);
+ int m_copy(struct mbuf *, struct mbuf *, int, int);
+ struct mbuf *dtom(Slirp *, void *);
+ void *mtod_check(struct mbuf *, size_t len);
++void *m_end(struct mbuf *);
+ 
+ static inline void ifs_init(struct mbuf *ifm)
+ {
+-- 
+2.29.0
+

SOURCES/0003-bootp-check-bootp_input-buffer-size.patch

@@ -0,0 +1,36 @@
+From 0f017f39a390d8fa4ae817f45fbf71a0c8332860 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Marc-Andr=C3=A9=20Lureau?= <marcandre.lureau@redhat.com>
+Date: Fri, 4 Jun 2021 16:15:14 +0400
+Subject: [PATCH 3/7] bootp: check bootp_input buffer size
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Fixes: CVE-2021-3592
+Fixes: https://gitlab.freedesktop.org/slirp/libslirp/-/issues/44
+
+Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
+(cherry picked from commit 2eca0838eee1da96204545e22cdaed860d9d7c6c)
+---
+ src/bootp.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/bootp.c b/src/bootp.c
+index e0db8d1..cafa1eb 100644
+--- a/src/bootp.c
++++ b/src/bootp.c
+@@ -365,9 +365,9 @@ static void bootp_reply(Slirp *slirp,
+ 
+ void bootp_input(struct mbuf *m)
+ {
+-    struct bootp_t *bp = mtod(m, struct bootp_t *);
++    struct bootp_t *bp = mtod_check(m, sizeof(struct bootp_t));
+ 
+-    if (bp->bp_op == BOOTP_REQUEST) {
++    if (bp && bp->bp_op == BOOTP_REQUEST) {
+         bootp_reply(m->slirp, bp, m_end(m));
+     }
+ }
+-- 
+2.29.0
+

SOURCES/0004-upd6-check-udp6_input-buffer-size.patch

@@ -0,0 +1,36 @@
+From 30feadb676a0792036a0f64309235c5767e2ee76 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Marc-Andr=C3=A9=20Lureau?= <marcandre.lureau@redhat.com>
+Date: Fri, 4 Jun 2021 16:32:55 +0400
+Subject: [PATCH 4/7] upd6: check udp6_input buffer size
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Fixes: CVE-2021-3593
+Fixes: https://gitlab.freedesktop.org/slirp/libslirp/-/issues/45
+
+Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
+(cherry picked from commit de71c15de66ba9350bf62c45b05f8fbff166517b)
+---
+ src/udp6.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/src/udp6.c b/src/udp6.c
+index fdd8089..236b962 100644
+--- a/src/udp6.c
++++ b/src/udp6.c
+@@ -29,7 +29,10 @@ void udp6_input(struct mbuf *m)
+     ip = mtod(m, struct ip6 *);
+     m->m_len -= iphlen;
+     m->m_data += iphlen;
+-    uh = mtod(m, struct udphdr *);
++    uh = mtod_check(m, sizeof(struct udphdr));
++    if (uh == NULL) {
++        goto bad;
++    }
+     m->m_len += iphlen;
+     m->m_data -= iphlen;
+ 
+-- 
+2.29.0
+

SOURCES/0005-tftp-check-tftp_input-buffer-size.patch

@@ -0,0 +1,37 @@
+From 31aaf902aa6ba31ab8f41543b2d4da8c01f3b861 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Marc-Andr=C3=A9=20Lureau?= <marcandre.lureau@redhat.com>
+Date: Fri, 4 Jun 2021 16:34:30 +0400
+Subject: [PATCH 5/7] tftp: check tftp_input buffer size
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Fixes: CVE-2021-3595
+Fixes: https://gitlab.freedesktop.org/slirp/libslirp/-/issues/46
+
+Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
+(cherry picked from commit 3f17948137155f025f7809fdc38576d5d2451c3d)
+---
+ src/tftp.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/src/tftp.c b/src/tftp.c
+index c6950ee..e06911d 100644
+--- a/src/tftp.c
++++ b/src/tftp.c
+@@ -446,7 +446,11 @@ static void tftp_handle_error(Slirp *slirp, struct sockaddr_storage *srcsas,
+ 
+ void tftp_input(struct sockaddr_storage *srcsas, struct mbuf *m)
+ {
+-    struct tftp_t *tp = (struct tftp_t *)m->m_data;
++    struct tftp_t *tp = mtod_check(m, offsetof(struct tftp_t, x.tp_buf));
++
++    if (tp == NULL) {
++        return;
++    }
+ 
+     switch (ntohs(tp->tp_op)) {
+     case TFTP_RRQ:
+-- 
+2.29.0
+

SOURCES/0006-tftp-introduce-a-header-structure.patch

@@ -0,0 +1,249 @@
+From c8665ebbdadb72f7c2cb74b9704f68704c13653b Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Marc-Andr=C3=A9=20Lureau?= <marcandre.lureau@redhat.com>
+Date: Fri, 4 Jun 2021 20:01:20 +0400
+Subject: [PATCH 6/7] tftp: introduce a header structure
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Instead of using a composed structure and potentially reading past the
+incoming buffer, use a different structure for the header.
+
+Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
+(cherry picked from commit 990163cf3ac86b7875559f49602c4d76f46f6f30)
+---
+ src/tftp.c | 60 ++++++++++++++++++++++++++++--------------------------
+ src/tftp.h |  6 +++++-
+ 2 files changed, 36 insertions(+), 30 deletions(-)
+
+diff --git a/src/tftp.c b/src/tftp.c
+index e06911d..a19c889 100644
+--- a/src/tftp.c
++++ b/src/tftp.c
+@@ -50,7 +50,7 @@ static void tftp_session_terminate(struct tftp_session *spt)
+ }
+ 
+ static int tftp_session_allocate(Slirp *slirp, struct sockaddr_storage *srcsas,
+-                                 struct tftp_t *tp)
++                                 struct tftphdr *hdr)
+ {
+     struct tftp_session *spt;
+     int k;
+@@ -75,7 +75,7 @@ found:
+     memcpy(&spt->client_addr, srcsas, sockaddr_size(srcsas));
+     spt->fd = -1;
+     spt->block_size = 512;
+-    spt->client_port = tp->udp.uh_sport;
++    spt->client_port = hdr->udp.uh_sport;
+     spt->slirp = slirp;
+ 
+     tftp_session_update(spt);
+@@ -84,7 +84,7 @@ found:
+ }
+ 
+ static int tftp_session_find(Slirp *slirp, struct sockaddr_storage *srcsas,
+-                             struct tftp_t *tp)
++                             struct tftphdr *hdr)
+ {
+     struct tftp_session *spt;
+     int k;
+@@ -94,7 +94,7 @@ static int tftp_session_find(Slirp *slirp, struct sockaddr_storage *srcsas,
+ 
+         if (tftp_session_in_use(spt)) {
+             if (sockaddr_equal(&spt->client_addr, srcsas)) {
+-                if (spt->client_port == tp->udp.uh_sport) {
++                if (spt->client_port == hdr->udp.uh_sport) {
+                     return k;
+                 }
+             }
+@@ -148,13 +148,13 @@ static struct tftp_t *tftp_prep_mbuf_data(struct tftp_session *spt,
+ }
+ 
+ static void tftp_udp_output(struct tftp_session *spt, struct mbuf *m,
+-                            struct tftp_t *recv_tp)
++                            struct tftphdr *hdr)
+ {
+     if (spt->client_addr.ss_family == AF_INET6) {
+         struct sockaddr_in6 sa6, da6;
+ 
+         sa6.sin6_addr = spt->slirp->vhost_addr6;
+-        sa6.sin6_port = recv_tp->udp.uh_dport;
++        sa6.sin6_port = hdr->udp.uh_dport;
+         da6.sin6_addr = ((struct sockaddr_in6 *)&spt->client_addr)->sin6_addr;
+         da6.sin6_port = spt->client_port;
+ 
+@@ -163,7 +163,7 @@ static void tftp_udp_output(struct tftp_session *spt, struct mbuf *m,
+         struct sockaddr_in sa4, da4;
+ 
+         sa4.sin_addr = spt->slirp->vhost_addr;
+-        sa4.sin_port = recv_tp->udp.uh_dport;
++        sa4.sin_port = hdr->udp.uh_dport;
+         da4.sin_addr = ((struct sockaddr_in *)&spt->client_addr)->sin_addr;
+         da4.sin_port = spt->client_port;
+ 
+@@ -185,14 +185,14 @@ static int tftp_send_oack(struct tftp_session *spt, const char *keys[],
+ 
+     tp = tftp_prep_mbuf_data(spt, m);
+ 
+-    tp->tp_op = htons(TFTP_OACK);
++    tp->hdr.tp_op = htons(TFTP_OACK);
+     for (i = 0; i < nb; i++) {
+         n += slirp_fmt0(tp->x.tp_buf + n, sizeof(tp->x.tp_buf) - n, "%s", keys[i]);
+         n += slirp_fmt0(tp->x.tp_buf + n, sizeof(tp->x.tp_buf) - n, "%u", values[i]);
+     }
+ 
+-    m->m_len = G_SIZEOF_MEMBER(struct tftp_t, tp_op) + n;
+-    tftp_udp_output(spt, m, recv_tp);
++    m->m_len = G_SIZEOF_MEMBER(struct tftp_t, hdr.tp_op) + n;
++    tftp_udp_output(spt, m, &recv_tp->hdr);
+ 
+     return 0;
+ }
+@@ -213,21 +213,21 @@ static void tftp_send_error(struct tftp_session *spt, uint16_t errorcode,
+ 
+     tp = tftp_prep_mbuf_data(spt, m);
+ 
+-    tp->tp_op = htons(TFTP_ERROR);
++    tp->hdr.tp_op = htons(TFTP_ERROR);
+     tp->x.tp_error.tp_error_code = htons(errorcode);
+     slirp_pstrcpy((char *)tp->x.tp_error.tp_msg, sizeof(tp->x.tp_error.tp_msg),
+                   msg);
+ 
+     m->m_len = sizeof(struct tftp_t) - (TFTP_BLOCKSIZE_MAX + 2) + 3 +
+                strlen(msg) - sizeof(struct udphdr);
+-    tftp_udp_output(spt, m, recv_tp);
++    tftp_udp_output(spt, m, &recv_tp->hdr);
+ 
+ out:
+     tftp_session_terminate(spt);
+ }
+ 
+ static void tftp_send_next_block(struct tftp_session *spt,
+-                                 struct tftp_t *recv_tp)
++                                 struct tftphdr *hdr)
+ {
+     struct mbuf *m;
+     struct tftp_t *tp;
+@@ -241,7 +241,7 @@ static void tftp_send_next_block(struct tftp_session *spt,
+ 
+     tp = tftp_prep_mbuf_data(spt, m);
+ 
+-    tp->tp_op = htons(TFTP_DATA);
++    tp->hdr.tp_op = htons(TFTP_DATA);
+     tp->x.tp_data.tp_block_nr = htons((spt->block_nr + 1) & 0xffff);
+ 
+     nobytes = tftp_read_data(spt, spt->block_nr, tp->x.tp_data.tp_buf,
+@@ -259,7 +259,7 @@ static void tftp_send_next_block(struct tftp_session *spt,
+ 
+     m->m_len = sizeof(struct tftp_t) - (TFTP_BLOCKSIZE_MAX - nobytes) -
+                sizeof(struct udphdr);
+-    tftp_udp_output(spt, m, recv_tp);
++    tftp_udp_output(spt, m, hdr);
+ 
+     if (nobytes == spt->block_size) {
+         tftp_session_update(spt);
+@@ -282,12 +282,12 @@ static void tftp_handle_rrq(Slirp *slirp, struct sockaddr_storage *srcsas,
+     int nb_options = 0;
+ 
+     /* check if a session already exists and if so terminate it */
+-    s = tftp_session_find(slirp, srcsas, tp);
++    s = tftp_session_find(slirp, srcsas, &tp->hdr);
+     if (s >= 0) {
+         tftp_session_terminate(&slirp->tftp_sessions[s]);
+     }
+ 
+-    s = tftp_session_allocate(slirp, srcsas, tp);
++    s = tftp_session_allocate(slirp, srcsas, &tp->hdr);
+ 
+     if (s < 0) {
+         return;
+@@ -413,29 +413,29 @@ static void tftp_handle_rrq(Slirp *slirp, struct sockaddr_storage *srcsas,
+     }
+ 
+     spt->block_nr = 0;
+-    tftp_send_next_block(spt, tp);
++    tftp_send_next_block(spt, &tp->hdr);
+ }
+ 
+ static void tftp_handle_ack(Slirp *slirp, struct sockaddr_storage *srcsas,
+-                            struct tftp_t *tp, int pktlen)
++                            struct tftphdr *hdr)
+ {
+     int s;
+ 
+-    s = tftp_session_find(slirp, srcsas, tp);
++    s = tftp_session_find(slirp, srcsas, hdr);
+ 
+     if (s < 0) {
+         return;
+     }
+ 
+-    tftp_send_next_block(&slirp->tftp_sessions[s], tp);
++    tftp_send_next_block(&slirp->tftp_sessions[s], hdr);
+ }
+ 
+ static void tftp_handle_error(Slirp *slirp, struct sockaddr_storage *srcsas,
+-                              struct tftp_t *tp, int pktlen)
++                              struct tftphdr *hdr)
+ {
+     int s;
+ 
+-    s = tftp_session_find(slirp, srcsas, tp);
++    s = tftp_session_find(slirp, srcsas, hdr);
+ 
+     if (s < 0) {
+         return;
+@@ -446,23 +446,25 @@ static void tftp_handle_error(Slirp *slirp, struct sockaddr_storage *srcsas,
+ 
+ void tftp_input(struct sockaddr_storage *srcsas, struct mbuf *m)
+ {
+-    struct tftp_t *tp = mtod_check(m, offsetof(struct tftp_t, x.tp_buf));
++    struct tftphdr *hdr = mtod_check(m, sizeof(struct tftphdr));
+ 
+-    if (tp == NULL) {
++    if (hdr == NULL) {
+         return;
+     }
+ 
+-    switch (ntohs(tp->tp_op)) {
++    switch (ntohs(hdr->tp_op)) {
+     case TFTP_RRQ:
+-        tftp_handle_rrq(m->slirp, srcsas, tp, m->m_len);
++        tftp_handle_rrq(m->slirp, srcsas,
++                        mtod(m, struct tftp_t *),
++                        m->m_len);
+         break;
+ 
+     case TFTP_ACK:
+-        tftp_handle_ack(m->slirp, srcsas, tp, m->m_len);
++        tftp_handle_ack(m->slirp, srcsas, hdr);
+         break;
+ 
+     case TFTP_ERROR:
+-        tftp_handle_error(m->slirp, srcsas, tp, m->m_len);
++        tftp_handle_error(m->slirp, srcsas, hdr);
+         break;
+     }
+ }
+diff --git a/src/tftp.h b/src/tftp.h
+index 6d75478..cafab03 100644
+--- a/src/tftp.h
++++ b/src/tftp.h
+@@ -20,9 +20,13 @@
+ #define TFTP_FILENAME_MAX 512
+ #define TFTP_BLOCKSIZE_MAX 1428
+ 
+-struct tftp_t {
++struct tftphdr {
+     struct udphdr udp;
+     uint16_t tp_op;
++} SLIRP_PACKED;
++
++struct tftp_t {
++    struct tftphdr hdr;
+     union {
+         struct {
+             uint16_t tp_block_nr;
+-- 
+2.29.0
+

SOURCES/0007-udp-check-upd_input-buffer-size.patch

@@ -0,0 +1,36 @@
+From ca41f7eaa58d3f63a3df58d812b3cec32343ab6a Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Marc-Andr=C3=A9=20Lureau?= <marcandre.lureau@redhat.com>
+Date: Fri, 4 Jun 2021 16:40:23 +0400
+Subject: [PATCH 7/7] udp: check upd_input buffer size
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Fixes: CVE-2021-3594
+Fixes: https://gitlab.freedesktop.org/slirp/libslirp/-/issues/47
+
+Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
+(cherry picked from commit 74572be49247c8c5feae7c6e0b50c4f569ca9824)
+---
+ src/udp.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/src/udp.c b/src/udp.c
+index 050cee4..e4578aa 100644
+--- a/src/udp.c
++++ b/src/udp.c
+@@ -94,7 +94,10 @@ void udp_input(register struct mbuf *m, int iphlen)
+     /*
+      * Get IP and UDP header together in first mbuf.
+      */
+-    ip = mtod(m, struct ip *);
++    ip = mtod_check(m, iphlen + sizeof(struct udphdr));
++    if (ip == NULL) {
++        goto bad;
++    }
+     uh = (struct udphdr *)((char *)ip + iphlen);
+ 
+     /*
+-- 
+2.29.0
+

SPECS/libslirp.spec

@@ -1,12 +1,24 @@
 Name:           libslirp
-Version:        4.3.1
-Release:        1%{?dist}
+Version:        4.4.0
+Release:        7%{?dist}
 Summary:        A general purpose TCP-IP emulator
 
 # check the SPDX tags in source files for details
 License:        BSD and MIT
 URL:            https://gitlab.freedesktop.org/slirp/%{name}
-Source0:        https://elmarco.fedorapeople.org/libslirp-%{version}.tar.xz
+Source0:        %{url}/-/archive/v%{version}/%{name}-%{version}.tar.xz
+Patch0001: 0001-Add-mtod_check.patch
+Patch0002: 0002-bootp-limit-vendor-specific-area-to-input-packet-mem.patch
+Patch0003: 0003-bootp-check-bootp_input-buffer-size.patch
+Patch0004: 0004-upd6-check-udp6_input-buffer-size.patch
+Patch0005: 0005-tftp-check-tftp_input-buffer-size.patch
+Patch0006: 0006-tftp-introduce-a-header-structure.patch
+Patch0007: 0007-udp-check-upd_input-buffer-size.patch
+Patch0008: 0001-Fix-DHCP-broken-in-libslirp-v4.6.0.patch
+Patch0009: 0001-New-utility-slirp_ether_ntoa.patch
+Patch00010: 0002-Replace-inet_ntoa-with-safer-inet_ntop.patch
+
+
 BuildRequires:  git-core
 BuildRequires:  meson
 BuildRequires:  gcc
@@ -51,26 +63,41 @@ developing applications that use %{name}.
 
 
 %changelog
-* Thu Jul 30 2020 Jindrich Novy <jnovy@redhat.com> - 4.3.1-1
-- update to https://gitlab.freedesktop.org/slirp/libslirp/-/releases/v4.3.1
-- Related: #1821193
+* Fri Feb 11 2022 Jindrich Novy <jnovy@redhat.com> - 4.4.0-7
+- fix also socket.c, thanks to Marc-André Lureau
+- Related: #2000051
 
-* Wed Jul 08 2020 Jindrich Novy <jnovy@redhat.com> - 4.3.0-5
-- replace patch for CVE-2020-10756 with dedicated upstream one
-- Related: #1821193
+* Fri Feb 11 2022 Jindrich Novy <jnovy@redhat.com> - 4.4.0-6
+- add patches fixing gating tests from Marc-André Lureau
+- Related: #2000051
 
-* Fri Jul 03 2020 Jindrich Novy <jnovy@redhat.com> - 4.3.0-4
-- fix "CVE-2020-10756 QEMU: slirp: networking out-of-bounds read information disclosure vulnerability"
-- Related: #1821193
+* Wed Feb 09 2022 Jindrich Novy <jnovy@redhat.com> - 4.4.0-5
+- add gating.yaml
+- Related: #2000051
 
-* Thu May 28 2020 Jindrich Novy <jnovy@redhat.com> - 4.3.0-3
-- fix static analysis issues merged upstream
-  (https://gitlab.freedesktop.org/slirp/libslirp/-/merge_requests/41)
-- Related: #1821193
+* Mon Aug 09 2021 Mohan Boddu <mboddu@redhat.com> - 4.4.0-4
+- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
+  Related: rhbz#1991688
 
-* Mon May 11 2020 Jindrich Novy <jnovy@redhat.com> - 4.3.0-2
-- initial libslirp build for container-tools 8.3.0 module
-- Resolves: #1821193
+* Fri Jun 18 2021 Marc-André Lureau <marcandre.lureau@redhat.com> - 4.4.0-3
+- Fix CVE-2021-3592 CVE-2021-3593 CVE-2021-3594 CVE-2021-3595 out-of-bounds access
+  Resolves: rhbz#1970826 rhbz#1970839 rhbz#1970857 rhbz#1970847
+
+* Fri Apr 16 2021 Mohan Boddu <mboddu@redhat.com> - 4.4.0-2
+- Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937
+
+* Wed Dec  2 18:19:30 +04 2020 Marc-André Lureau <marcandre.lureau@redhat.com> - 4.4.0-1
+- new version
+
+* Fri Nov 27 20:10:28 +04 2020 Marc-André Lureau <marcandre.lureau@redhat.com> - 4.3.1-3
+- Fix CVE-2020-29129 CVE-2020-29130 out-of-bounds access while processing ARP/NCSI packets
+  rhbz#1902232
+
+* Tue Jul 28 2020 Fedora Release Engineering <releng@fedoraproject.org> - 4.3.1-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
+
+* Wed Jul 08 2020 Marc-André Lureau <marcandre.lureau@redhat.com> - 4.3.1-1
+- New v4.3.1 release
 
 * Thu Apr 23 2020 Marc-André Lureau <marcandre.lureau@redhat.com> - 4.3.0-1
 - New v4.3.0 release