.gitignore

@@ -1 +1 @@
-SOURCES/libslirp-4.3.1.tar.xz
+SOURCES/libslirp-4.4.0.tar.xz

.libslirp.metadata

@@ -1 +1 @@
-f69c50c264a465bde6fe0cd6b577e2f1c0b20ece SOURCES/libslirp-4.3.1.tar.xz
+5ef4ed055299eab0703d4c49da552fdb61357f13 SOURCES/libslirp-4.4.0.tar.xz

SOURCES/0001-Add-mtod_check.patch

@@ -0,0 +1,54 @@
+From 87f5d0c70bdb46d467d32e3c3a8d7a472c97e148 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Marc-Andr=C3=A9=20Lureau?= <marcandre.lureau@redhat.com>
+Date: Fri, 4 Jun 2021 15:58:25 +0400
+Subject: [PATCH 1/7] Add mtod_check()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Recent security issues demonstrate the lack of safety care when casting
+a mbuf to a particular structure type. At least, it should check that
+the buffer is large enough. The following patches will make use of this
+function.
+
+Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
+(cherry picked from commit 93e645e72a056ec0b2c16e0299fc5c6b94e4ca17)
+---
+ src/mbuf.c | 11 +++++++++++
+ src/mbuf.h |  1 +
+ 2 files changed, 12 insertions(+)
+
+diff --git a/src/mbuf.c b/src/mbuf.c
+index 54ec721..cb2e971 100644
+--- a/src/mbuf.c
++++ b/src/mbuf.c
+@@ -222,3 +222,14 @@ struct mbuf *dtom(Slirp *slirp, void *dat)
+ 
+     return (struct mbuf *)0;
+ }
++
++void *mtod_check(struct mbuf *m, size_t len)
++{
++    if (m->m_len >= len) {
++        return m->m_data;
++    }
++
++    DEBUG_ERROR("mtod failed");
++
++    return NULL;
++}
+diff --git a/src/mbuf.h b/src/mbuf.h
+index 546e785..2015e32 100644
+--- a/src/mbuf.h
++++ b/src/mbuf.h
+@@ -118,6 +118,7 @@ void m_inc(struct mbuf *, int);
+ void m_adj(struct mbuf *, int);
+ int m_copy(struct mbuf *, struct mbuf *, int, int);
+ struct mbuf *dtom(Slirp *, void *);
++void *mtod_check(struct mbuf *, size_t len);
+ 
+ static inline void ifs_init(struct mbuf *ifm)
+ {
+-- 
+2.29.0
+

SOURCES/0001-Fix-DHCP-broken-in-libslirp-v4.6.0.patch

@@ -0,0 +1,30 @@
+From c9f314f6e315a5518432761fea864196a290f799 Mon Sep 17 00:00:00 2001
+From: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
+Date: Thu, 17 Jun 2021 18:01:32 +0900
+Subject: [PATCH] Fix "DHCP broken in libslirp v4.6.0"
+
+Fix issue 48
+
+Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
+---
+ src/bootp.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/src/bootp.c b/src/bootp.c
+index cafa1eb..0a35873 100644
+--- a/src/bootp.c
++++ b/src/bootp.c
+@@ -359,7 +359,9 @@ static void bootp_reply(Slirp *slirp,
+ 
+     daddr.sin_addr.s_addr = 0xffffffffu;
+ 
+-    m->m_len = sizeof(struct bootp_t) - sizeof(struct ip) - sizeof(struct udphdr);
++    assert ((q - rbp->bp_vend + 1) <= DHCP_OPT_LEN);
++
++    m->m_len = sizeof(struct bootp_t) + (q - rbp->bp_vend + 1) - sizeof(struct ip) - sizeof(struct udphdr);
+     udp_output(NULL, m, &saddr, &daddr, IPTOS_LOWDELAY);
+ }
+ 
+-- 
+2.29.0
+

SOURCES/0002-bootp-limit-vendor-specific-area-to-input-packet-mem.patch

@@ -0,0 +1,161 @@
+From f0d4faae8258385338bc1ec252250454346b7ef7 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Marc-Andr=C3=A9=20Lureau?= <marcandre.lureau@redhat.com>
+Date: Fri, 4 Jun 2021 19:25:28 +0400
+Subject: [PATCH 2/7] bootp: limit vendor-specific area to input packet memory
+ buffer
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+sizeof(bootp_t) currently holds DHCP_OPT_LEN. Remove this optional field
+from the structure, to help with the following patch checking for
+minimal header size. Modify the bootp_reply() function to take the
+buffer boundaries and avoiding potential buffer overflow.
+
+Related to CVE-2021-3592.
+
+https://gitlab.freedesktop.org/slirp/libslirp/-/issues/44
+
+Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
+(cherry picked from commit f13cad45b25d92760bb0ad67bec0300a4d7d5275)
+---
+ src/bootp.c | 26 +++++++++++++++-----------
+ src/bootp.h |  2 +-
+ src/mbuf.c  |  5 +++++
+ src/mbuf.h  |  1 +
+ 4 files changed, 22 insertions(+), 12 deletions(-)
+
+diff --git a/src/bootp.c b/src/bootp.c
+index 46e9681..e0db8d1 100644
+--- a/src/bootp.c
++++ b/src/bootp.c
+@@ -92,21 +92,22 @@ found:
+     return bc;
+ }
+ 
+-static void dhcp_decode(const struct bootp_t *bp, int *pmsg_type,
++static void dhcp_decode(const struct bootp_t *bp,
++                        const uint8_t *bp_end,
++                        int *pmsg_type,
+                         struct in_addr *preq_addr)
+ {
+-    const uint8_t *p, *p_end;
++    const uint8_t *p;
+     int len, tag;
+ 
+     *pmsg_type = 0;
+     preq_addr->s_addr = htonl(0L);
+ 
+     p = bp->bp_vend;
+-    p_end = p + DHCP_OPT_LEN;
+     if (memcmp(p, rfc1533_cookie, 4) != 0)
+         return;
+     p += 4;
+-    while (p < p_end) {
++    while (p < bp_end) {
+         tag = p[0];
+         if (tag == RFC1533_PAD) {
+             p++;
+@@ -114,10 +115,10 @@ static void dhcp_decode(const struct bootp_t *bp, int *pmsg_type,
+             break;
+         } else {
+             p++;
+-            if (p >= p_end)
++            if (p >= bp_end)
+                 break;
+             len = *p++;
+-            if (p + len > p_end) {
++            if (p + len > bp_end) {
+                 break;
+             }
+             DPRINTF("dhcp: tag=%d len=%d\n", tag, len);
+@@ -144,7 +145,9 @@ static void dhcp_decode(const struct bootp_t *bp, int *pmsg_type,
+     }
+ }
+ 
+-static void bootp_reply(Slirp *slirp, const struct bootp_t *bp)
++static void bootp_reply(Slirp *slirp,
++                        const struct bootp_t *bp,
++                        const uint8_t *bp_end)
+ {
+     BOOTPClient *bc = NULL;
+     struct mbuf *m;
+@@ -157,7 +160,7 @@ static void bootp_reply(Slirp *slirp, const struct bootp_t *bp)
+     uint8_t client_ethaddr[ETH_ALEN];
+ 
+     /* extract exact DHCP msg type */
+-    dhcp_decode(bp, &dhcp_msg_type, &preq_addr);
++    dhcp_decode(bp, bp_end, &dhcp_msg_type, &preq_addr);
+     DPRINTF("bootp packet op=%d msgtype=%d", bp->bp_op, dhcp_msg_type);
+     if (preq_addr.s_addr != htonl(0L))
+         DPRINTF(" req_addr=%08" PRIx32 "\n", ntohl(preq_addr.s_addr));
+@@ -179,9 +182,10 @@ static void bootp_reply(Slirp *slirp, const struct bootp_t *bp)
+         return;
+     }
+     m->m_data += IF_MAXLINKHDR;
++    m_inc(m, sizeof(struct bootp_t) + DHCP_OPT_LEN);
+     rbp = (struct bootp_t *)m->m_data;
+     m->m_data += sizeof(struct udpiphdr);
+-    memset(rbp, 0, sizeof(struct bootp_t));
++    memset(rbp, 0, sizeof(struct bootp_t) + DHCP_OPT_LEN);
+ 
+     if (dhcp_msg_type == DHCPDISCOVER) {
+         if (preq_addr.s_addr != htonl(0L)) {
+@@ -235,7 +239,7 @@ static void bootp_reply(Slirp *slirp, const struct bootp_t *bp)
+     rbp->bp_siaddr = saddr.sin_addr; /* Server IP address */
+ 
+     q = rbp->bp_vend;
+-    end = (uint8_t *)&rbp[1];
++    end = rbp->bp_vend + DHCP_OPT_LEN;
+     memcpy(q, rfc1533_cookie, 4);
+     q += 4;
+ 
+@@ -364,6 +368,6 @@ void bootp_input(struct mbuf *m)
+     struct bootp_t *bp = mtod(m, struct bootp_t *);
+ 
+     if (bp->bp_op == BOOTP_REQUEST) {
+-        bootp_reply(m->slirp, bp);
++        bootp_reply(m->slirp, bp, m_end(m));
+     }
+ }
+diff --git a/src/bootp.h b/src/bootp.h
+index a57fa51..31ce5fd 100644
+--- a/src/bootp.h
++++ b/src/bootp.h
+@@ -114,7 +114,7 @@ struct bootp_t {
+     uint8_t bp_hwaddr[16];
+     uint8_t bp_sname[64];
+     char bp_file[128];
+-    uint8_t bp_vend[DHCP_OPT_LEN];
++    uint8_t bp_vend[];
+ };
+ 
+ typedef struct {
+diff --git a/src/mbuf.c b/src/mbuf.c
+index cb2e971..0c1a530 100644
+--- a/src/mbuf.c
++++ b/src/mbuf.c
+@@ -233,3 +233,8 @@ void *mtod_check(struct mbuf *m, size_t len)
+ 
+     return NULL;
+ }
++
++void *m_end(struct mbuf *m)
++{
++    return m->m_data + m->m_len;
++}
+diff --git a/src/mbuf.h b/src/mbuf.h
+index 2015e32..a9752a3 100644
+--- a/src/mbuf.h
++++ b/src/mbuf.h
+@@ -119,6 +119,7 @@ void m_adj(struct mbuf *, int);
+ int m_copy(struct mbuf *, struct mbuf *, int, int);
+ struct mbuf *dtom(Slirp *, void *);
+ void *mtod_check(struct mbuf *, size_t len);
++void *m_end(struct mbuf *);
+ 
+ static inline void ifs_init(struct mbuf *ifm)
+ {
+-- 
+2.29.0
+

SOURCES/0003-bootp-check-bootp_input-buffer-size.patch

@@ -0,0 +1,36 @@
+From 0f017f39a390d8fa4ae817f45fbf71a0c8332860 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Marc-Andr=C3=A9=20Lureau?= <marcandre.lureau@redhat.com>
+Date: Fri, 4 Jun 2021 16:15:14 +0400
+Subject: [PATCH 3/7] bootp: check bootp_input buffer size
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Fixes: CVE-2021-3592
+Fixes: https://gitlab.freedesktop.org/slirp/libslirp/-/issues/44
+
+Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
+(cherry picked from commit 2eca0838eee1da96204545e22cdaed860d9d7c6c)
+---
+ src/bootp.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/bootp.c b/src/bootp.c
+index e0db8d1..cafa1eb 100644
+--- a/src/bootp.c
++++ b/src/bootp.c
+@@ -365,9 +365,9 @@ static void bootp_reply(Slirp *slirp,
+ 
+ void bootp_input(struct mbuf *m)
+ {
+-    struct bootp_t *bp = mtod(m, struct bootp_t *);
++    struct bootp_t *bp = mtod_check(m, sizeof(struct bootp_t));
+ 
+-    if (bp->bp_op == BOOTP_REQUEST) {
++    if (bp && bp->bp_op == BOOTP_REQUEST) {
+         bootp_reply(m->slirp, bp, m_end(m));
+     }
+ }
+-- 
+2.29.0
+

SOURCES/0004-upd6-check-udp6_input-buffer-size.patch

@@ -0,0 +1,36 @@
+From 30feadb676a0792036a0f64309235c5767e2ee76 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Marc-Andr=C3=A9=20Lureau?= <marcandre.lureau@redhat.com>
+Date: Fri, 4 Jun 2021 16:32:55 +0400
+Subject: [PATCH 4/7] upd6: check udp6_input buffer size
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Fixes: CVE-2021-3593
+Fixes: https://gitlab.freedesktop.org/slirp/libslirp/-/issues/45
+
+Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
+(cherry picked from commit de71c15de66ba9350bf62c45b05f8fbff166517b)
+---
+ src/udp6.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/src/udp6.c b/src/udp6.c
+index fdd8089..236b962 100644
+--- a/src/udp6.c
++++ b/src/udp6.c
+@@ -29,7 +29,10 @@ void udp6_input(struct mbuf *m)
+     ip = mtod(m, struct ip6 *);
+     m->m_len -= iphlen;
+     m->m_data += iphlen;
+-    uh = mtod(m, struct udphdr *);
++    uh = mtod_check(m, sizeof(struct udphdr));
++    if (uh == NULL) {
++        goto bad;
++    }
+     m->m_len += iphlen;
+     m->m_data -= iphlen;
+ 
+-- 
+2.29.0
+

SOURCES/0005-tftp-check-tftp_input-buffer-size.patch

@@ -0,0 +1,37 @@
+From 31aaf902aa6ba31ab8f41543b2d4da8c01f3b861 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Marc-Andr=C3=A9=20Lureau?= <marcandre.lureau@redhat.com>
+Date: Fri, 4 Jun 2021 16:34:30 +0400
+Subject: [PATCH 5/7] tftp: check tftp_input buffer size
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Fixes: CVE-2021-3595
+Fixes: https://gitlab.freedesktop.org/slirp/libslirp/-/issues/46
+
+Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
+(cherry picked from commit 3f17948137155f025f7809fdc38576d5d2451c3d)
+---
+ src/tftp.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/src/tftp.c b/src/tftp.c
+index c6950ee..e06911d 100644
+--- a/src/tftp.c
++++ b/src/tftp.c
+@@ -446,7 +446,11 @@ static void tftp_handle_error(Slirp *slirp, struct sockaddr_storage *srcsas,
+ 
+ void tftp_input(struct sockaddr_storage *srcsas, struct mbuf *m)
+ {
+-    struct tftp_t *tp = (struct tftp_t *)m->m_data;
++    struct tftp_t *tp = mtod_check(m, offsetof(struct tftp_t, x.tp_buf));
++
++    if (tp == NULL) {
++        return;
++    }
+ 
+     switch (ntohs(tp->tp_op)) {
+     case TFTP_RRQ:
+-- 
+2.29.0
+

SOURCES/0006-tftp-introduce-a-header-structure.patch

@@ -0,0 +1,249 @@
+From c8665ebbdadb72f7c2cb74b9704f68704c13653b Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Marc-Andr=C3=A9=20Lureau?= <marcandre.lureau@redhat.com>
+Date: Fri, 4 Jun 2021 20:01:20 +0400
+Subject: [PATCH 6/7] tftp: introduce a header structure
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Instead of using a composed structure and potentially reading past the
+incoming buffer, use a different structure for the header.
+
+Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
+(cherry picked from commit 990163cf3ac86b7875559f49602c4d76f46f6f30)
+---
+ src/tftp.c | 60 ++++++++++++++++++++++++++++--------------------------
+ src/tftp.h |  6 +++++-
+ 2 files changed, 36 insertions(+), 30 deletions(-)
+
+diff --git a/src/tftp.c b/src/tftp.c
+index e06911d..a19c889 100644
+--- a/src/tftp.c
++++ b/src/tftp.c
+@@ -50,7 +50,7 @@ static void tftp_session_terminate(struct tftp_session *spt)
+ }
+ 
+ static int tftp_session_allocate(Slirp *slirp, struct sockaddr_storage *srcsas,
+-                                 struct tftp_t *tp)
++                                 struct tftphdr *hdr)
+ {
+     struct tftp_session *spt;
+     int k;
+@@ -75,7 +75,7 @@ found:
+     memcpy(&spt->client_addr, srcsas, sockaddr_size(srcsas));
+     spt->fd = -1;
+     spt->block_size = 512;
+-    spt->client_port = tp->udp.uh_sport;
++    spt->client_port = hdr->udp.uh_sport;
+     spt->slirp = slirp;
+ 
+     tftp_session_update(spt);
+@@ -84,7 +84,7 @@ found:
+ }
+ 
+ static int tftp_session_find(Slirp *slirp, struct sockaddr_storage *srcsas,
+-                             struct tftp_t *tp)
++                             struct tftphdr *hdr)
+ {
+     struct tftp_session *spt;
+     int k;
+@@ -94,7 +94,7 @@ static int tftp_session_find(Slirp *slirp, struct sockaddr_storage *srcsas,
+ 
+         if (tftp_session_in_use(spt)) {
+             if (sockaddr_equal(&spt->client_addr, srcsas)) {
+-                if (spt->client_port == tp->udp.uh_sport) {
++                if (spt->client_port == hdr->udp.uh_sport) {
+                     return k;
+                 }
+             }
+@@ -148,13 +148,13 @@ static struct tftp_t *tftp_prep_mbuf_data(struct tftp_session *spt,
+ }
+ 
+ static void tftp_udp_output(struct tftp_session *spt, struct mbuf *m,
+-                            struct tftp_t *recv_tp)
++                            struct tftphdr *hdr)
+ {
+     if (spt->client_addr.ss_family == AF_INET6) {
+         struct sockaddr_in6 sa6, da6;
+ 
+         sa6.sin6_addr = spt->slirp->vhost_addr6;
+-        sa6.sin6_port = recv_tp->udp.uh_dport;
++        sa6.sin6_port = hdr->udp.uh_dport;
+         da6.sin6_addr = ((struct sockaddr_in6 *)&spt->client_addr)->sin6_addr;
+         da6.sin6_port = spt->client_port;
+ 
+@@ -163,7 +163,7 @@ static void tftp_udp_output(struct tftp_session *spt, struct mbuf *m,
+         struct sockaddr_in sa4, da4;
+ 
+         sa4.sin_addr = spt->slirp->vhost_addr;
+-        sa4.sin_port = recv_tp->udp.uh_dport;
++        sa4.sin_port = hdr->udp.uh_dport;
+         da4.sin_addr = ((struct sockaddr_in *)&spt->client_addr)->sin_addr;
+         da4.sin_port = spt->client_port;
+ 
+@@ -185,14 +185,14 @@ static int tftp_send_oack(struct tftp_session *spt, const char *keys[],
+ 
+     tp = tftp_prep_mbuf_data(spt, m);
+ 
+-    tp->tp_op = htons(TFTP_OACK);
++    tp->hdr.tp_op = htons(TFTP_OACK);
+     for (i = 0; i < nb; i++) {
+         n += slirp_fmt0(tp->x.tp_buf + n, sizeof(tp->x.tp_buf) - n, "%s", keys[i]);
+         n += slirp_fmt0(tp->x.tp_buf + n, sizeof(tp->x.tp_buf) - n, "%u", values[i]);
+     }
+ 
+-    m->m_len = G_SIZEOF_MEMBER(struct tftp_t, tp_op) + n;
+-    tftp_udp_output(spt, m, recv_tp);
++    m->m_len = G_SIZEOF_MEMBER(struct tftp_t, hdr.tp_op) + n;
++    tftp_udp_output(spt, m, &recv_tp->hdr);
+ 
+     return 0;
+ }
+@@ -213,21 +213,21 @@ static void tftp_send_error(struct tftp_session *spt, uint16_t errorcode,
+ 
+     tp = tftp_prep_mbuf_data(spt, m);
+ 
+-    tp->tp_op = htons(TFTP_ERROR);
++    tp->hdr.tp_op = htons(TFTP_ERROR);
+     tp->x.tp_error.tp_error_code = htons(errorcode);
+     slirp_pstrcpy((char *)tp->x.tp_error.tp_msg, sizeof(tp->x.tp_error.tp_msg),
+                   msg);
+ 
+     m->m_len = sizeof(struct tftp_t) - (TFTP_BLOCKSIZE_MAX + 2) + 3 +
+                strlen(msg) - sizeof(struct udphdr);
+-    tftp_udp_output(spt, m, recv_tp);
++    tftp_udp_output(spt, m, &recv_tp->hdr);
+ 
+ out:
+     tftp_session_terminate(spt);
+ }
+ 
+ static void tftp_send_next_block(struct tftp_session *spt,
+-                                 struct tftp_t *recv_tp)
++                                 struct tftphdr *hdr)
+ {
+     struct mbuf *m;
+     struct tftp_t *tp;
+@@ -241,7 +241,7 @@ static void tftp_send_next_block(struct tftp_session *spt,
+ 
+     tp = tftp_prep_mbuf_data(spt, m);
+ 
+-    tp->tp_op = htons(TFTP_DATA);
++    tp->hdr.tp_op = htons(TFTP_DATA);
+     tp->x.tp_data.tp_block_nr = htons((spt->block_nr + 1) & 0xffff);
+ 
+     nobytes = tftp_read_data(spt, spt->block_nr, tp->x.tp_data.tp_buf,
+@@ -259,7 +259,7 @@ static void tftp_send_next_block(struct tftp_session *spt,
+ 
+     m->m_len = sizeof(struct tftp_t) - (TFTP_BLOCKSIZE_MAX - nobytes) -
+                sizeof(struct udphdr);
+-    tftp_udp_output(spt, m, recv_tp);
++    tftp_udp_output(spt, m, hdr);
+ 
+     if (nobytes == spt->block_size) {
+         tftp_session_update(spt);
+@@ -282,12 +282,12 @@ static void tftp_handle_rrq(Slirp *slirp, struct sockaddr_storage *srcsas,
+     int nb_options = 0;
+ 
+     /* check if a session already exists and if so terminate it */
+-    s = tftp_session_find(slirp, srcsas, tp);
++    s = tftp_session_find(slirp, srcsas, &tp->hdr);
+     if (s >= 0) {
+         tftp_session_terminate(&slirp->tftp_sessions[s]);
+     }
+ 
+-    s = tftp_session_allocate(slirp, srcsas, tp);
++    s = tftp_session_allocate(slirp, srcsas, &tp->hdr);
+ 
+     if (s < 0) {
+         return;
+@@ -413,29 +413,29 @@ static void tftp_handle_rrq(Slirp *slirp, struct sockaddr_storage *srcsas,
+     }
+ 
+     spt->block_nr = 0;
+-    tftp_send_next_block(spt, tp);
++    tftp_send_next_block(spt, &tp->hdr);
+ }
+ 
+ static void tftp_handle_ack(Slirp *slirp, struct sockaddr_storage *srcsas,
+-                            struct tftp_t *tp, int pktlen)
++                            struct tftphdr *hdr)
+ {
+     int s;
+ 
+-    s = tftp_session_find(slirp, srcsas, tp);
++    s = tftp_session_find(slirp, srcsas, hdr);
+ 
+     if (s < 0) {
+         return;
+     }
+ 
+-    tftp_send_next_block(&slirp->tftp_sessions[s], tp);
++    tftp_send_next_block(&slirp->tftp_sessions[s], hdr);
+ }
+ 
+ static void tftp_handle_error(Slirp *slirp, struct sockaddr_storage *srcsas,
+-                              struct tftp_t *tp, int pktlen)
++                              struct tftphdr *hdr)
+ {
+     int s;
+ 
+-    s = tftp_session_find(slirp, srcsas, tp);
++    s = tftp_session_find(slirp, srcsas, hdr);
+ 
+     if (s < 0) {
+         return;
+@@ -446,23 +446,25 @@ static void tftp_handle_error(Slirp *slirp, struct sockaddr_storage *srcsas,
+ 
+ void tftp_input(struct sockaddr_storage *srcsas, struct mbuf *m)
+ {
+-    struct tftp_t *tp = mtod_check(m, offsetof(struct tftp_t, x.tp_buf));
++    struct tftphdr *hdr = mtod_check(m, sizeof(struct tftphdr));
+ 
+-    if (tp == NULL) {
++    if (hdr == NULL) {
+         return;
+     }
+ 
+-    switch (ntohs(tp->tp_op)) {
++    switch (ntohs(hdr->tp_op)) {
+     case TFTP_RRQ:
+-        tftp_handle_rrq(m->slirp, srcsas, tp, m->m_len);
++        tftp_handle_rrq(m->slirp, srcsas,
++                        mtod(m, struct tftp_t *),
++                        m->m_len);
+         break;
+ 
+     case TFTP_ACK:
+-        tftp_handle_ack(m->slirp, srcsas, tp, m->m_len);
++        tftp_handle_ack(m->slirp, srcsas, hdr);
+         break;
+ 
+     case TFTP_ERROR:
+-        tftp_handle_error(m->slirp, srcsas, tp, m->m_len);
++        tftp_handle_error(m->slirp, srcsas, hdr);
+         break;
+     }
+ }
+diff --git a/src/tftp.h b/src/tftp.h
+index 6d75478..cafab03 100644
+--- a/src/tftp.h
++++ b/src/tftp.h
+@@ -20,9 +20,13 @@
+ #define TFTP_FILENAME_MAX 512
+ #define TFTP_BLOCKSIZE_MAX 1428
+ 
+-struct tftp_t {
++struct tftphdr {
+     struct udphdr udp;
+     uint16_t tp_op;
++} SLIRP_PACKED;
++
++struct tftp_t {
++    struct tftphdr hdr;
+     union {
+         struct {
+             uint16_t tp_block_nr;
+-- 
+2.29.0
+

SOURCES/0007-udp-check-upd_input-buffer-size.patch

@@ -0,0 +1,36 @@
+From ca41f7eaa58d3f63a3df58d812b3cec32343ab6a Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Marc-Andr=C3=A9=20Lureau?= <marcandre.lureau@redhat.com>
+Date: Fri, 4 Jun 2021 16:40:23 +0400
+Subject: [PATCH 7/7] udp: check upd_input buffer size
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Fixes: CVE-2021-3594
+Fixes: https://gitlab.freedesktop.org/slirp/libslirp/-/issues/47
+
+Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
+(cherry picked from commit 74572be49247c8c5feae7c6e0b50c4f569ca9824)
+---
+ src/udp.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/src/udp.c b/src/udp.c
+index 050cee4..e4578aa 100644
+--- a/src/udp.c
++++ b/src/udp.c
+@@ -94,7 +94,10 @@ void udp_input(register struct mbuf *m, int iphlen)
+     /*
+      * Get IP and UDP header together in first mbuf.
+      */
+-    ip = mtod(m, struct ip *);
++    ip = mtod_check(m, iphlen + sizeof(struct udphdr));
++    if (ip == NULL) {
++        goto bad;
++    }
+     uh = (struct udphdr *)((char *)ip + iphlen);
+ 
+     /*
+-- 
+2.29.0
+

SPECS/libslirp.spec

@@ -1,12 +1,22 @@
 Name:           libslirp
-Version:        4.3.1
+Version:        4.4.0
 Release:        1%{?dist}
 Summary:        A general purpose TCP-IP emulator
 
 # check the SPDX tags in source files for details
 License:        BSD and MIT
 URL:            https://gitlab.freedesktop.org/slirp/%{name}
-Source0:        https://elmarco.fedorapeople.org/libslirp-%{version}.tar.xz
+Source0:        %{url}/-/archive/v%{version}/%{name}-%{version}.tar.xz
+Patch0001: 0001-Add-mtod_check.patch
+Patch0002: 0002-bootp-limit-vendor-specific-area-to-input-packet-mem.patch
+Patch0003: 0003-bootp-check-bootp_input-buffer-size.patch
+Patch0004: 0004-upd6-check-udp6_input-buffer-size.patch
+Patch0005: 0005-tftp-check-tftp_input-buffer-size.patch
+Patch0006: 0006-tftp-introduce-a-header-structure.patch
+Patch0007: 0007-udp-check-upd_input-buffer-size.patch
+Patch0008: 0001-Fix-DHCP-broken-in-libslirp-v4.6.0.patch
+
+
 BuildRequires:  git-core
 BuildRequires:  meson
 BuildRequires:  gcc
@@ -51,6 +61,10 @@ developing applications that use %{name}.
 
 
 %changelog
+* Mon Jun 28 2021 Jindrich Novy <jnovy@redhat.com> - 4.4.0-1
+- Fix CVE-2021-3592 CVE-2021-3593 CVE-2021-3594 CVE-2021-3595 out-of-bounds access
+- Related: #1934415
+
 * Thu Jul 30 2020 Jindrich Novy <jnovy@redhat.com> - 4.3.1-1
 - update to https://gitlab.freedesktop.org/slirp/libslirp/-/releases/v4.3.1
 - Related: #1821193