From: Michael Roth
To: qemu-devel@nongnu.org
Cc: Samuel Thibault, Fam Zheng, qemu-stable@nongnu.org
Date: Mon, 1 Apr 2019 15:59:05 -0500
Subject: [Qemu-devel] [PATCH 31/97] slirp: Add sanity check for str option length
Message-Id: <20190401210011.16009-32-mdroth@linux.vnet.ibm.com>
In-Reply-To: <20190401210011.16009-1-mdroth@linux.vnet.ibm.com>
From: Fam Zheng When user provides a long domainname or hostname that doesn't fit in the DHCP packet, we mustn't overflow the response packet buffer. Instead, report errors, following the g_warning() in the slirp->vdnssearch branch. Also check the strlen against 256 when initializing slirp, which limit is also from the protocol where one byte represents the string length. This gives an early error before the warning which is harder to notice or diagnose. Reported-by: Thomas Huth Reviewed-by: Thomas Huth Cc: qemu-stable@nongnu.org Signed-off-by: Fam Zheng Tested-by: Gerd Hoffmann Signed-off-by: Samuel Thibault (cherry picked from commit 6e157a0339793bb081705f52318fc77afd10addf) Signed-off-by: Michael Roth --- net/slirp.c | 9 +++++++++ slirp/bootp.c | 32 ++++++++++++++++++++++---------- 2 files changed, 31 insertions(+), 10 deletions(-) diff --git a/net/slirp.c b/net/slirp.c index 1e14318b4d..fd21dc728c 100644 --- a/net/slirp.c +++ b/net/slirp.c @@ -365,6 +365,15 @@ static int net_slirp_init(NetClientState *peer, const = char *model, return -1; } =20 + if (vdomainname && strlen(vdomainname) > 255) { + error_setg(errp, "'domainname' parameter cannot exceed 255 bytes"); + return -1; + } + + if (vhostname && strlen(vhostname) > 255) { + error_setg(errp, "'vhostname' parameter cannot exceed 255 bytes"); + return -1; + } =20 nc =3D qemu_new_net_client(&net_slirp_info, peer, model, name); =20 diff --git a/slirp/bootp.c b/slirp/bootp.c index 9e7b53ba94..1e8185f0ec 100644 --- a/slirp/bootp.c +++ b/slirp/bootp.c @@ -159,6 +159,7 @@ static void bootp_reply(Slirp *slirp, const struct boot= p_t *bp) struct in_addr preq_addr; int dhcp_msg_type, val; uint8_t *q; + uint8_t *end; uint8_t client_ethaddr[ETH_ALEN]; =20 /* extract exact DHCP msg type */ 
@@ -240,6 +241,7 @@ static void bootp_reply(Slirp *slirp, const struct boot= p_t *bp) rbp->bp_siaddr =3D saddr.sin_addr; /* Server IP address */ =20 q =3D rbp->bp_vend; + end =3D (uint8_t *)&rbp[1]; memcpy(q, rfc1533_cookie, 4); q +=3D 4; =20 @@ -292,24 +294,33 @@ static void bootp_reply(Slirp *slirp, const struct bo= otp_t *bp) =20 if (*slirp->client_hostname) { val =3D strlen(slirp->client_hostname); - *q++ =3D RFC1533_HOSTNAME; - *q++ =3D val; - memcpy(q, slirp->client_hostname, val); - q +=3D val; + if (q + val + 2 >=3D end) { + g_warning("DHCP packet size exceeded, " + "omitting host name option."); + } else { + *q++ =3D RFC1533_HOSTNAME; + *q++ =3D val; + memcpy(q, slirp->client_hostname, val); + q +=3D val; + } } =20 if (slirp->vdomainname) { val =3D strlen(slirp->vdomainname); - *q++ =3D RFC1533_DOMAINNAME; - *q++ =3D val; - memcpy(q, slirp->vdomainname, val); - q +=3D val; + if (q + val + 2 >=3D end) { + g_warning("DHCP packet size exceeded, " + "omitting domain name option."); + } else { + *q++ =3D RFC1533_DOMAINNAME; + *q++ =3D val; + memcpy(q, slirp->vdomainname, val); + q +=3D val; + } } =20 if (slirp->vdnssearch) { - size_t spaceleft =3D sizeof(rbp->bp_vend) - (q - rbp->bp_vend); val =3D slirp->vdnssearch_len; - if (val + 1 > spaceleft) { + if (q + val >=3D end) { g_warning("DHCP packet size exceeded, " "omitting domain-search option."); } else { @@ -331,6 +342,7 @@ static void bootp_reply(Slirp *slirp, const struct boot= p_t *bp) memcpy(q, nak_msg, sizeof(nak_msg) - 1); q +=3D sizeof(nak_msg) - 1; } + assert(q < end); *q =3D RFC1533_END; =20 daddr.sin_addr.s_addr =3D 0xffffffffu; --=20 2.17.1
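Review bot: in the net/slirp.c hunk the second error message names the internal variable instead of the user-visible option: `error_setg(errp, "'vhostname' parameter cannot exceed 255 bytes");` while the check just above it reports `'domainname'`. The commit message itself talks about "domainname or hostname", so this should read "'hostname' parameter cannot exceed 255 bytes" for consistency with the first message and with what the user actually typed. The commit message also says the strlen is checked "against 256" while the code rejects anything longer than 255; 255 is the correct bound for a one-byte length field, so it is the message text that should say 255.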
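Review bot: in the bootp.c hostname/domainname hunks, `if (q + val + 2 >= end)` forms a pointer up to val + 2 bytes past the option area before comparing it, and since val is the full strlen of the string, that pointer can land well outside `rbp` on exactly the inputs this patch is about; that is undefined behaviour in C even when the pointer is only compared, and it is the pattern the old `spaceleft` computation avoided. The same test written on the remaining length is equivalent and never leaves the object: `if (end - q <= val + 2)` for the two string options and `if (end - q <= val)` for the dnssearch one. Separately, `end = (uint8_t *)&rbp[1];` is only the end of the option area if bp_vend is the last member of struct bootp_t; `end = rbp->bp_vend + sizeof(rbp->bp_vend);` states that directly and survives a later reordering of the struct.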
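Review bot: in the last bootp.c hunk, `assert(q < end);` is the only guard on the path through the context lines just above it (`memcpy(q, nak_msg, sizeof(nak_msg) - 1);` / `q += sizeof(nak_msg) - 1;`), since that copy gets no bounds check of the kind added for the hostname, domainname and domain-search options. Every bounded option above reserves one byte by using `>=` rather than `>`, so the invariant does hold for the checked options, but a short comment saying that the reserve exists for this terminator byte would make the assert's precondition explicit, and it is worth noting that the assert turns a violated invariant into an abort of the whole QEMU process rather than a dropped option, which is the right trade-off only as long as the check above is complete.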
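The constraint the commit message describes (a one-byte RFC 1533 length field, so 255 is the hard limit, plus a fixed-size vendor area that several options share) is easiest to see with a small writer and parser side by side. The following is an added example and not slirp's code: the RFC1533_* tag values and the magic cookie are the real DHCP constants, but OPT_AREA_LEN, the opt_buf struct and all function names are assumptions chosen so the overflow case is reachable with short inputs (slirp's real buffer is bp_vend[DHCP_OPT_LEN]). The fit test is written on the remaining length rather than on a pointer sum, and one byte is always reserved for the END terminator, which is what lets the final assert hold.

```c
/* Added example (not slirp's code): a bounds-checked RFC 1533 option
 * writer and a matching parser.  OPT_AREA_LEN is an assumed, tiny
 * vendor area; slirp's real one is bp_vend[DHCP_OPT_LEN]. */
#include <assert.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define OPT_AREA_LEN       64   /* assumption: deliberately small */
#define RFC1533_HOSTNAME   12   /* DHCP option 12: Host Name */
#define RFC1533_DOMAINNAME 15   /* DHCP option 15: Domain Name */
#define RFC1533_END        0xff

struct opt_buf {
    uint8_t vend[OPT_AREA_LEN];
    uint8_t *q;    /* write cursor, like q in bootp_reply() */
    uint8_t *end;  /* one past the last byte of vend */
};

static void opt_init(struct opt_buf *b)
{
    static const uint8_t rfc1533_cookie[4] = { 99, 130, 83, 99 };
    memset(b->vend, 0, sizeof(b->vend));
    b->q = b->vend;
    b->end = b->vend + sizeof(b->vend);
    memcpy(b->q, rfc1533_cookie, 4);
    b->q += 4;
}

/* Append a string option.  Returns 1 if appended, 0 if omitted because
 * it does not fit, -1 if it cannot be encoded at all (one-byte length,
 * so 255 is the ceiling: the early check net_slirp_init() now does).
 * avail is compared as a length, so no pointer past the buffer is ever
 * formed; the +3 is tag + length byte + payload plus one byte kept in
 * reserve for RFC1533_END. */
static int opt_append(struct opt_buf *b, uint8_t tag, const char *s)
{
    size_t len = strlen(s);
    size_t avail = (size_t)(b->end - b->q);

    if (len > 255) {
        return -1;
    }
    if (avail < len + 3) {
        return 0;
    }
    *b->q++ = tag;
    *b->q++ = (uint8_t)len;
    memcpy(b->q, s, len);
    b->q += len;
    return 1;
}

/* Terminate the list; returns the number of bytes used. */
static size_t opt_finish(struct opt_buf *b)
{
    assert(b->q < b->end);      /* holds because opt_append reserves 1 */
    *b->q++ = RFC1533_END;
    return (size_t)(b->q - b->vend);
}

/* Client-side view: count well-formed options after the cookie.
 * Returns -1 if a declared length runs past the area or END is missing,
 * which is how an overflowed reply would look on the wire. */
static int opt_count(const uint8_t *vend, size_t n)
{
    size_t i = 4;
    int count = 0;

    while (i < n) {
        uint8_t tag = vend[i++];
        if (tag == RFC1533_END) {
            return count;
        }
        if (tag == 0) {         /* pad option carries no length byte */
            continue;
        }
        if (i >= n || vend[i] > n - i - 1) {
            return -1;
        }
        i += 1 + vend[i];
        count++;
    }
    return -1;
}

int main(void)
{
    struct opt_buf b;
    char longdomain[71];        /* constructed: 70 bytes, will not fit */

    memset(longdomain, 'a', 70);
    longdomain[70] = '\0';
    opt_init(&b);
    printf("hostname: %d\n", opt_append(&b, RFC1533_HOSTNAME, "guest"));
    printf("domain:   %d\n", opt_append(&b, RFC1533_DOMAINNAME, longdomain));
    size_t used = opt_finish(&b);
    printf("used %zu bytes, %d options parsed\n",
           used, opt_count(b.vend, sizeof(b.vend)));
    return 0;
}
```

With the 64-byte area the hostname option is written, the 70-byte domain name is reported as omitted (return 0) rather than truncated or overflowing, and the parser still sees one well-formed option followed by END; a string over 255 bytes is rejected outright (return -1) before any buffer arithmetic, matching the order of checks in the patch.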