[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Qemu-devel] [PATCH 31/97] slirp: Add sanity check for str option length
From: |
Michael Roth |
Subject: |
[Qemu-devel] [PATCH 31/97] slirp: Add sanity check for str option length |
Date: |
Mon, 1 Apr 2019 15:59:05 -0500 |
From: Fam Zheng <address@hidden>
When user provides a long domainname or hostname that doesn't fit in the
DHCP packet, we mustn't overflow the response packet buffer. Instead,
report errors, following the g_warning() in the slirp->vdnssearch
branch.
Also check the strlen against 256 when initializing slirp, which limit
is also from the protocol where one byte represents the string length.
This gives an early error before the warning which is harder to notice
or diagnose.
Reported-by: Thomas Huth <address@hidden>
Reviewed-by: Thomas Huth <address@hidden>
Cc: address@hidden
Signed-off-by: Fam Zheng <address@hidden>
Tested-by: Gerd Hoffmann <address@hidden>
Signed-off-by: Samuel Thibault <address@hidden>
(cherry picked from commit 6e157a0339793bb081705f52318fc77afd10addf)
Signed-off-by: Michael Roth <address@hidden>
---
net/slirp.c | 9 +++++++++
slirp/bootp.c | 32 ++++++++++++++++++++++----------
2 files changed, 31 insertions(+), 10 deletions(-)
diff --git a/net/slirp.c b/net/slirp.c
index 1e14318b4d..fd21dc728c 100644
--- a/net/slirp.c
+++ b/net/slirp.c
@@ -365,6 +365,15 @@ static int net_slirp_init(NetClientState *peer, const char
*model,
return -1;
}
+ if (vdomainname && strlen(vdomainname) > 255) {
+ error_setg(errp, "'domainname' parameter cannot exceed 255 bytes");
+ return -1;
+ }
+
+ if (vhostname && strlen(vhostname) > 255) {
+ error_setg(errp, "'vhostname' parameter cannot exceed 255 bytes");
+ return -1;
+ }
nc = qemu_new_net_client(&net_slirp_info, peer, model, name);
diff --git a/slirp/bootp.c b/slirp/bootp.c
index 9e7b53ba94..1e8185f0ec 100644
--- a/slirp/bootp.c
+++ b/slirp/bootp.c
@@ -159,6 +159,7 @@ static void bootp_reply(Slirp *slirp, const struct bootp_t
*bp)
struct in_addr preq_addr;
int dhcp_msg_type, val;
uint8_t *q;
+ uint8_t *end;
uint8_t client_ethaddr[ETH_ALEN];
/* extract exact DHCP msg type */
@@ -240,6 +241,7 @@ static void bootp_reply(Slirp *slirp, const struct bootp_t
*bp)
rbp->bp_siaddr = saddr.sin_addr; /* Server IP address */
q = rbp->bp_vend;
+ end = (uint8_t *)&rbp[1];
memcpy(q, rfc1533_cookie, 4);
q += 4;
@@ -292,24 +294,33 @@ static void bootp_reply(Slirp *slirp, const struct
bootp_t *bp)
if (*slirp->client_hostname) {
val = strlen(slirp->client_hostname);
- *q++ = RFC1533_HOSTNAME;
- *q++ = val;
- memcpy(q, slirp->client_hostname, val);
- q += val;
+ if (q + val + 2 >= end) {
+ g_warning("DHCP packet size exceeded, "
+ "omitting host name option.");
+ } else {
+ *q++ = RFC1533_HOSTNAME;
+ *q++ = val;
+ memcpy(q, slirp->client_hostname, val);
+ q += val;
+ }
}
if (slirp->vdomainname) {
val = strlen(slirp->vdomainname);
- *q++ = RFC1533_DOMAINNAME;
- *q++ = val;
- memcpy(q, slirp->vdomainname, val);
- q += val;
+ if (q + val + 2 >= end) {
+ g_warning("DHCP packet size exceeded, "
+ "omitting domain name option.");
+ } else {
+ *q++ = RFC1533_DOMAINNAME;
+ *q++ = val;
+ memcpy(q, slirp->vdomainname, val);
+ q += val;
+ }
}
if (slirp->vdnssearch) {
- size_t spaceleft = sizeof(rbp->bp_vend) - (q - rbp->bp_vend);
val = slirp->vdnssearch_len;
- if (val + 1 > spaceleft) {
+ if (q + val >= end) {
g_warning("DHCP packet size exceeded, "
"omitting domain-search option.");
} else {
@@ -331,6 +342,7 @@ static void bootp_reply(Slirp *slirp, const struct bootp_t
*bp)
memcpy(q, nak_msg, sizeof(nak_msg) - 1);
q += sizeof(nak_msg) - 1;
}
+ assert(q < end);
*q = RFC1533_END;
daddr.sin_addr.s_addr = 0xffffffffu;
--
2.17.1
- [Qemu-devel] [PATCH 12/97] spapr_cpu_core: vmstate_[un]register per-CPU data from (un)realizefn, (continued)
- [Qemu-devel] [PATCH 12/97] spapr_cpu_core: vmstate_[un]register per-CPU data from (un)realizefn, Michael Roth, 2019/04/01
- [Qemu-devel] [PATCH 11/97] target/arm: Add sve-max-vq cpu property to -cpu max, Michael Roth, 2019/04/01
- [Qemu-devel] [PATCH 17/97] block/qapi: Fix memory leak in qmp_query_blockstats(), Michael Roth, 2019/04/01
- [Qemu-devel] [PATCH 16/97] target/arm: Use FZ not FZ16 for SVE FCVT single-half and double-half, Michael Roth, 2019/04/01
- [Qemu-devel] [PATCH 19/97] qemu-img: fix regression copying secrets during convert, Michael Roth, 2019/04/01
- [Qemu-devel] [PATCH 20/97] nvme: Fix nvme_init error handling, Michael Roth, 2019/04/01
- [Qemu-devel] [PATCH 27/97] block: iotest to catch abort on forced blockjob cancel, Michael Roth, 2019/04/01
- [Qemu-devel] [PATCH 24/97] vnc: fix memleak of the "vnc-worker-output" name, Michael Roth, 2019/04/01
- [Qemu-devel] [PATCH 26/97] block: for jobs, do not clear user_paused until after the resume, Michael Roth, 2019/04/01
- [Qemu-devel] [PATCH 28/97] virtio: update MemoryRegionCaches when guest negotiates features, Michael Roth, 2019/04/01
- [Qemu-devel] [PATCH 31/97] slirp: Add sanity check for str option length,
Michael Roth <=
- [Qemu-devel] [PATCH 25/97] i386: Disable TOPOEXT by default on "-cpu host", Michael Roth, 2019/04/01
- [Qemu-devel] [PATCH 36/97] job: Fix nested aio_poll() hanging in job_txn_apply, Michael Roth, 2019/04/01
- [Qemu-devel] [PATCH 18/97] mirror: Fail gracefully for source == target, Michael Roth, 2019/04/01
- [Qemu-devel] [PATCH 37/97] target/xtensa: fix s32c1i TCGMemOp flags, Michael Roth, 2019/04/01
- [Qemu-devel] [PATCH 38/97] nbd/server: fix bitmap export, Michael Roth, 2019/04/01
- [Qemu-devel] [PATCH 39/97] clean up callback when del virtqueue, Michael Roth, 2019/04/01
- [Qemu-devel] [PATCH 43/97] block/rbd: add deprecation documentation for filename keyvalue pairs, Michael Roth, 2019/04/01
- [Qemu-devel] [PATCH 42/97] block/rbd: add iotest for rbd legacy keyvalue filename parsing, Michael Roth, 2019/04/01
- [Qemu-devel] [PATCH 45/97] ne2000: fix possible out of bound access in ne2000_receive, Michael Roth, 2019/04/01
- [Qemu-devel] [PATCH 47/97] pcnet: fix possible buffer overflow, Michael Roth, 2019/04/01