From e88718fc0b0399147327adfb369793407482a895 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Marc-Andr=C3=A9=20Lureau?=
Date: Thu, 22 Jun 2017 14:41:45 +0200
Subject: [PATCH 1/4] slirp: use DIV_ROUND_UP
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

I used the clang-tidy qemu-round check to generate the fix: https://github.com/elmarco/clang-tools-extra
Signed-off-by: Marc-André Lureau
Signed-off-by: Samuel Thibault
---
 slirp/ip6.h | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/slirp/ip6.h b/slirp/ip6.h
index 0908855f0f..b1bea43b3c 100644
--- a/slirp/ip6.h
+++ b/slirp/ip6.h
@@ -57,9 +57,9 @@ static inline bool in6_equal_mach(const struct in6_addr *a,
 const struct in6_addr *b,
 int prefix_len)
 {
- if (memcmp(&(a->s6_addr[(prefix_len + 7) / 8]),
- &(b->s6_addr[(prefix_len + 7) / 8]),
- 16 - (prefix_len + 7) / 8) != 0) {
+ if (memcmp(&(a->s6_addr[DIV_ROUND_UP(prefix_len, 8)]),
+ &(b->s6_addr[DIV_ROUND_UP(prefix_len, 8)]),
+ 16 - DIV_ROUND_UP(prefix_len, 8)) != 0) {
 return 0;
 }
From 12dccfe4f57ead8166567ec8a60d2ce91e266f04 Mon Sep 17 00:00:00 2001
From: Peter Maydell
Date: Sun, 9 Jul 2017 18:54:22 +0100
Subject: [PATCH 2/4] slirp: fork_exec(): Don't close() a negative number in fork_exec()

In a fork_exec() error path we try to closesocket(s) when s might be a negative number because the thing that failed was the qemu_socket() call. Add a guard so we don't do this. (Spotted by Coverity: CID 1005727 issue 1 of 2.)
Signed-off-by: Peter Maydell
Reviewed-by: Dr. David Alan Gilbert
Signed-off-by: Samuel Thibault
---
 slirp/misc.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/slirp/misc.c b/slirp/misc.c
index 88e9d94197..260187b6b6 100644
--- a/slirp/misc.c
+++ b/slirp/misc.c
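Review bot: In `in6_equal_mach` (slirp/ip6.h) the third `memcmp` argument, `16 - DIV_ROUND_UP(prefix_len, 8)`, is an `int` expression that is converted to `size_t`, so a `prefix_len` above 128 would become a very large length and a sufficiently negative one would index before `s6_addr`; the macro substitution leaves that unchanged. The callers are not visible here, so the range may already be enforced upstream, but nothing in the function states it. I would document the precondition above the function, `/* prefix_len must be in the range 0..128 */`, or enforce it with `assert(prefix_len >= 0 && prefix_len <= 128);` as the first statement. The function body continues past the end of the hunk.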
@@ -112,7 +112,9 @@ fork_exec(struct socket *so, const char *ex, int do_pty)
 bind(s, (struct sockaddr *)&addr, addrlen) < 0 ||
 listen(s, 1) < 0) {
 error_report("Error: inet socket: %s", strerror(errno));
- closesocket(s);
+ if (s >= 0) {
+ closesocket(s);
+ }
 return 0;
 }
From 0b466065eba289c437e3edc2e97144fc5cd6a889 Mon Sep 17 00:00:00 2001
From: Peter Maydell
Date: Mon, 5 Jun 2017 17:19:35 +0100
Subject: [PATCH 3/4] slirp: Handle error returns from slirp_send() in sosendoob()

The code in sosendoob() assumes that slirp_send() always succeeds, but it might return an OS error code (for instance if the other end has disconnected). Catch these and return the caller either -1 on error or the number of urgent bytes actually written. (None of the callers check this return value currently, though.)
Signed-off-by: Peter Maydell
Reviewed-by: Dr. David Alan Gilbert
Signed-off-by: Samuel Thibault
---
 slirp/socket.c | 33 ++++++++++++++++++++-------------
 1 file changed, 20 insertions(+), 13 deletions(-)
diff --git a/slirp/socket.c b/slirp/socket.c
index 3b49a69a93..a17caa9fa7 100644
--- a/slirp/socket.c
+++ b/slirp/socket.c
@@ -345,34 +345,41 @@ sosendoob(struct socket *so)
 if (sb->sb_rptr < sb->sb_wptr) {
 /* We can send it directly */
 n = slirp_send(so, sb->sb_rptr, so->so_urgc, (MSG_OOB)); /* |MSG_DONTWAIT)); */
- so->so_urgc -= n;
-
- DEBUG_MISC((dfd, " --- sent %d bytes urgent data, %d urgent bytes left\n", n, so->so_urgc));
 } else {
 /*
 * Since there's no sendv or sendtov like writev,
 * we must copy all data to a linear buffer then
 * send it all
 */
+ uint32_t urgc = so->so_urgc;
 len = (sb->sb_data + sb->sb_datalen) - sb->sb_rptr;
- if (len > so->so_urgc) len = so->so_urgc;
+ if (len > urgc) {
+ len = urgc;
+ }
 memcpy(buff, sb->sb_rptr, len);
- so->so_urgc -= len;
- if (so->so_urgc) {
+ urgc -= len;
+ if (urgc) {
 n = sb->sb_wptr - sb->sb_data;
- if (n > so->so_urgc) n = so->so_urgc;
+ if (n > urgc) {
+ n = urgc;
+ }
 memcpy((buff + len), sb->sb_data, n);
- so->so_urgc -= n;
 len += n;
 }
 n = slirp_send(so, buff, len, (MSG_OOB)); /* |MSG_DONTWAIT)); */
-#ifdef DEBUG
- if (n != len)
- DEBUG_ERROR((dfd, "Didn't send all data urgently XXXXX\n"));
-#endif
- DEBUG_MISC((dfd, " ---2 sent %d bytes urgent data, %d urgent bytes left\n", n, so->so_urgc));
 }
+#ifdef DEBUG
+ if (n != len) {
+ DEBUG_ERROR((dfd, "Didn't send all data urgently XXXXX\n"));
+ }
+#endif
+ if (n < 0) {
+ return n;
+ }
+ so->so_urgc -= n;
+ DEBUG_MISC((dfd, " ---2 sent %d bytes urgent data, %d urgent bytes left\n", n, so->so_urgc));
+
 sb->sb_cc -= n;
 sb->sb_rptr += n;
 if (sb->sb_rptr >= (sb->sb_data + sb->sb_datalen))
From 75cb298d905030fca897ea1d80e409c7f7e3e5ea Mon Sep 17 00:00:00 2001
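Review bot: The hoisted `if (n != len)` check under `#ifdef DEBUG` in `sosendoob()` now also runs after the direct-send branch, where the visible lines never assign `len`; unless `len` is initialised at its declaration (outside this hunk), a DEBUG build reads an indeterminate value there. Either set `len = so->so_urgc;` before the first `slirp_send()` call or keep the comparison inside the `else` branch. A smaller point: `if (len > urgc)` and `if (n > urgc)` compare what appear to be signed values with a `uint32_t`, which is only safe while `len` and `n` are non-negative at that point, and a one-line comment saying so would help the next reader. `sosendoob()` starts and ends outside the hunk.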
From: Peter Maydell
Date: Fri, 14 Jul 2017 12:12:25 +0100
Subject: [PATCH 4/4] slirp: Handle error returns from sosendoob()

sosendoob() can return a failure code, but all its callers ignore it. This is OK in sbappend(), as the comment there states -- we will try again later in sowrite(). Add a (void) cast to tell Coverity so. In sowrite() we do need to check the return value -- we should handle a write failure in sosendoob() the same way we handle a write failure for the normal data.
Signed-off-by: Peter Maydell
Reviewed-by: Dr. David Alan Gilbert
Signed-off-by: Samuel Thibault
---
 slirp/sbuf.c | 2 +-
 slirp/socket.c | 23 +++++++++++++++++------
 2 files changed, 18 insertions(+), 7 deletions(-)
diff --git a/slirp/sbuf.c b/slirp/sbuf.c
index 10119d3ad5..912f235f65 100644
--- a/slirp/sbuf.c
+++ b/slirp/sbuf.c
@@ -91,7 +91,7 @@ sbappend(struct socket *so, struct mbuf *m)
 if (so->so_urgc) {
 sbappendsb(&so->so_rcv, m);
 m_free(m);
- sosendoob(so);
+ (void)sosendoob(so);
 return;
 }
diff --git a/slirp/socket.c b/slirp/socket.c
index a17caa9fa7..ecec0295a9 100644
--- a/slirp/socket.c
+++ b/slirp/socket.c
@@ -404,7 +404,15 @@ sowrite(struct socket *so)
 DEBUG_ARG("so = %p", so);
 if (so->so_urgc) {
- sosendoob(so);
+ uint32_t expected = so->so_urgc;
+ if (sosendoob(so) < expected) {
+ /* Treat a short write as a fatal error too,
+ * rather than continuing on and sending the urgent
+ * data as if it were non-urgent and leaving the
+ * so_urgc count wrong.
+ */
+ goto err_disconnected;
+ }
 if (sb->sb_cc == 0) return 0;
 }
@@ -448,11 +456,7 @@ sowrite(struct socket *so)
 return 0;
 if (nn <= 0) {
- DEBUG_MISC((dfd, " --- sowrite disconnected, so->so_state = %x, errno = %d\n",
- so->so_state, errno));
- sofcantsendmore(so);
- tcp_sockclosed(sototcpcb(so));
- return -1;
+ goto err_disconnected;
 }
 #ifndef HAVE_READV
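Review bot: In `sowrite()`, `if (sosendoob(so) < expected)` compares the return value with a `uint32_t`; if `sosendoob()` returns a plain `int` (its `return n;` after `if (n < 0)` in the previous patch suggests it does), a negative error return is converted to a large unsigned value, the comparison is false, and execution continues as if the urgent data had been sent. Test the sign first: `int ret = sosendoob(so);` followed by `if (ret < 0 || (uint32_t)ret < expected) {`. Separately, when `err_disconnected` is reached from the short-write case, the `errno` printed by `DEBUG_MISC` was not necessarily set by the failing call, so the message would be clearer if it said which path was taken. `sowrite()` begins and ends outside these hunks.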
@@ -479,6 +483,13 @@ sowrite(struct socket *so)
 sofcantsendmore(so);
 return nn;
+
+err_disconnected:
+ DEBUG_MISC((dfd, " --- sowrite disconnected, so->so_state = %x, errno = %d\n",
+ so->so_state, errno));
+ sofcantsendmore(so);
+ tcp_sockclosed(sototcpcb(so));
+ return -1;
 }
 /*