Casting pointers to long won't work on 64 bit Windows.
It is not needed with the right format strings.
Signed-off-by: Stefan Weil <sw@weilnetz.de>
Signed-off-by: Jason Wang <jasowang@redhat.com>
When guest sends udp packet with source port and source addr 0,
uninitialized socket is picked up when looking for matching and already
created udp sockets, and later passed to sosendto() where NULL pointer
dereference is hit during so->slirp->vnetwork_mask.s_addr access.
Fix this by checking that the socket is not just a socket stub.
This is CVE-2014-3640.
Signed-off-by: Petr Matousek <pmatouse@redhat.com>
Reported-by: Xavier Mehrenberger <xavier.mehrenberger@airbus.com>
Reported-by: Stephane Duverger <stephane.duverger@eads.net>
Reviewed-by: Jan Kiszka <jan.kiszka@siemens.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Reviewed-by: Michael Tokarev <mjt@tls.msk.ru>
Message-id: 20140918063537.GX9321@dhcp-25-225.brq.redhat.com
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Here we don't check the return value of malloc() which may fail.
Use the g_new() instead, which will abort the program when
there is not enough memory.
Also, use g_strdup instead of strdup and remove the unnecessary
strdup function.
Signed-off-by: zhanghailiang <zhang.zhanghailiang@huawei.com>
Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
Reviewed-by: Benoît Canet <benoit.canet@nodalink.com>
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
Grub fails to boot from internal TFTP server when loading more than
3 initrd files.
Grub first opens a session to the TFTP server for every initrd file and
retrieves only the file size for all.
Then it wants to download the content using the old sessions which are
already expired.
Increasing the maximum number of session of the internal TFTP
server avoids this issue.
The error message reads as following:
error: timeout reading
`/boot/ISO.ROOT/BOOTMGR'.
Press any key to continue...
Signed-off-by: Bernhard Übelacker <bernhardu@vr-web.de>
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
The zero_ethaddr[] array is never used; delete it.
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
Do not special-case addresses with zero host part, as we do not
necessarily know how big it is, and the guest can fake them anyway.
Silently avoid having 0.0.0.0 as a destination, however.
Signed-off-by: Samuel Thibault <samuel.thibault@ens-lyon.org>
[Edgar: Minor change to subject]
Reviewed-by: Edgar E. Iglesias <edgar.iglesias@xilinx.com>
Signed-off-by: Edgar E. Iglesias <edgar.iglesias@xilinx.com>
These errors don't seem user initiated, so forcibly printing to the
monitor doesn't seem right. Just use error_report.
Drop lprint since it's now unused.
Cc: Jan Kiszka <jan.kiszka@siemens.com>
Signed-off-by: Cole Robinson <crobinso@redhat.com>
Reviewed-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Luiz Capitulino <lcapitulino@redhat.com>
* it's -> its
* grammar fix in ui/vnc-enc-zywrle.h
Signed-off-by: Stefan Weil <sw@weilnetz.de>
Reviewed-by: Don Koch <dkoch@verizon.com>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
SO_REUSEADDR should be avoided on Windows but is desired on other operating
systems. So instead of setting it we call socket_set_fast_reuse that will result
in the appropriate behaviour on all operating systems.
Signed-off-by: Sebastian Ottlik <ottlik@fzi.de>
Reviewed-by: Eric Blake <eblake@redhat.com>
Signed-off-by: Stefan Weil <sw@weilnetz.de>
If slirp needs to emulate tcp timeout, then the timeout value
for mainloop should be more precise, which is determined by
slirp's fasttimo or slowtimo. Achieve this by swap the logic
sequence of slirp_pollfds_fill and slirp_update_timeout.
Signed-off-by: Liu Ping Fan <pingfank@linux.vnet.ibm.com>
Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
Each slirp has its own time to caculate timeout.
Signed-off-by: Liu Ping Fan <pingfank@linux.vnet.ibm.com>
Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
"0xf << 28" shifts right into the sign bit, since 0xf is a signed
integer. Use the 'U' suffix to force an unsigned shift to avoid
this undefined behaviour and a clang sanitizer warning.
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Eric Blake <eblake@redhat.com>
Acked-by: Jan Kiszka <jan.kiszka@siemens.com>
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
port redirection code uses SO_REUSEADDR socket option before binding to
host port. Behavior of SO_REUSEADDR is different on Windows and Linux.
Relaunching QEMU with same host and guest port redirection values on Linux
throws error but on Windows it does not throw any error.
Problem is discussed in http://lists.gnu.org/archive/html/qemu-devel/2013-04/msg03089.html
Signed-off-by: Taimoor Mirza <tmirza@codesourcery.com>
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
This is an autogenerated patch using scripts/switch-timer-api.
Switch the entire code base to using the new timer API.
Note this patch may introduce some line length issues.
Signed-off-by: Alex Bligh <alex@alex.org.uk>
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
include/qemu/timer.h has no need to include main-loop.h and
doing so causes an issue for the next patch. Unfortunately
various files assume including timers.h will pull in main-loop.h.
Untangle this mess.
Signed-off-by: Alex Bligh <alex@alex.org.uk>
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
This patch allows the hostfwd option to override the restrict=y setting in
the user network stack, as explicitly stated in the documentation on the
restrict option:
restrict=on|off
If this option is enabled, the guest will be isolated, i.e. it
will not be able to contact the host and no guest IP packets
will be routed over the host to the outside. This option does
not affect any explicitly set forwarding rules.
Qemu bug tracker:
https://bugs.launchpad.net/qemu/+bug/829455
Signed-off-by: Gertjan Halkes <qemu@ghalkes.nl>
Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
Some source files #include the same header more than
once for no good reason. Remove second #includes in
such cases.
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
The fcntl(fd, F_SETFL, O_NONBLOCK) flag is not specific to sockets.
Rename to qemu_set_nonblock() just like qemu_set_cloexec().
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
Reviewed-by: Eric Blake <eblake@redhat.com>
Signed-off-by: Luiz Capitulino <lcapitulino@redhat.com>
Instead of adding missing type casts which are needed by MinGW for the
4th argument, the patch uses qemu_setsockopt which was invented for this
purpose.
Signed-off-by: Stefan Weil <sw@weilnetz.de>
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
Fix coding style in tcp_connect before the next patch.
Signed-off-by: MORITA Kazutaka <morita.kazutaka@lab.ntt.co.jp>
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
Otherwise we may start processing sockets in slirp_pollfds_poll that
were created past slirp_pollfds_fill.
Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
Slirp uses rfds/wfds/xfds more extensively than other QEMU components.
The rarely-used out-of-band TCP data feature is used. That means we
need the full table of select(2) to g_poll(3) events:
rfds -> G_IO_IN | G_IO_HUP | G_IO_ERR
wfds -> G_IO_OUT | G_IO_ERR
xfds -> G_IO_PRI
I came up with this table by looking at Linux fs/select.c which maps
select(2) to poll(2) internally.
Another detail to watch out for are the global variables that reference
rfds/wfds/xfds during slirp_select_poll(). sofcantrcvmore() and
sofcantsendmore() use these globals to clear fd_set bits. When
sofcantrcvmore() is called, the wfds bit is cleared so that the write
handler will no longer be run for this iteration of the event loop.
This actually seems buggy to me since TCP connections can be half-closed
and we'd still want to handle data in half-duplex fashion. I think the
real intention is to avoid running the read/write handler when the
socket has been fully closed. This is indicated with the SS_NOFDREF
state bit so we now check for it before invoking the TCP write handler.
Note that UDP/ICMP code paths don't care because they are
connectionless.
Note that slirp/ has a lot of tabs and sometimes mixed tabs with spaces.
I followed the style of the surrounding code.
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
Reviewed-by: Laszlo Ersek <lersek@redhat.com>
Message-id: 1361356113-11049-6-git-send-email-stefanha@redhat.com
Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
The slirp glue code uses tabs in some places. Since the next patch will
modify the file, convert tabs to spaces and fix checkpatch.pl issues.
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
Reviewed-by: Laszlo Ersek <lersek@redhat.com>
Message-id: 1361356113-11049-5-git-send-email-stefanha@redhat.com
Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
This patch will allow the user to include the domain-search option in
replies from the built-in DHCP server. The domain suffixes can be
specified by adding dnssearch= entries to the "-net user" parameter.
[Jan: tiny style adjustments]
Signed-off-by: Klaus Stengel <Klaus.Stengel@asamnet.de>
Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
LWIP can generate packets with a source of 0.0.0.0, which triggers an
assertion failure in arp_table_add(). Instead of crashing, simply return
to avoid adding an invalid ARP table entry.
Signed-off-by: Nickolai Zeldovich <nickolai@csail.mit.edu>
Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
This patch cleans up return sentences in the end of void functions.
Reported-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Amos Kong <akong@redhat.com>
Signed-off-by: Stefan Hajnoczi <stefanha@gmail.com>
This option is described in RFC 1783. As this is only an optional field,
we may ignore it in some situations and handle it in some others.
However, MS Windows 2003 PXE boot client requests a block size of the MTU
(most of the times 1472 bytes), and doesn't work if the option is not
acknowledged (with whatever value).
According to the RFC 1783, we cannot acknowledge the option with a bigger
value than the requested one.
As current implementation is using 512 bytes by block, accept the option
with a value of 512 if the option was specified, and don't acknowledge it
if it is not present or less than 512 bytes.
Signed-off-by: Hervé Poussineau <hpoussin@reactos.org>
Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
RFC 1350 does not mention block count roll-over. However, a lot of TFTP servers
implement it to be able to transmit big files, so do it also.
Current block size is 512 bytes, so TFTP files were limited to 32 MB.
Signed-off-by: Hervé Poussineau <hpoussin@reactos.org>
Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
When transferring a file, keep it open during the whole transfer,
instead of opening/closing it for each block.
Signed-off-by: Hervé Poussineau <hpoussin@reactos.org>
Reviewed-by: Aurelien Jarno <aurelien@aurel32.net>
Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
Report from smatch:
slirp/tcp_subr.c:127 tcp_respond(17) error:
we previously assumed 'tp' could be null (see line 124)
Return if 'tp' is NULL.
Signed-off-by: Stefan Weil <sw@weilnetz.de>
Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
The type casts of pointers to long are not allowed
when sizeof(pointer) != sizeof(long).
Signed-off-by: Stefan Weil <sw@weilnetz.de>
Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
Stefan Weil