From 0b83636e914a894b324836e3fb2f20a2f7599fc4 Mon Sep 17 00:00:00 2001

From: Jindrich Novy <jnovy@redhat.com>

Date: Wed, 27 May 2020 11:01:02 +0200

Subject: [PATCH] Fix possible infinite loops and use-after-free

MIME-Version: 1.0

Content-Type: text/plain; charset=UTF-8

Content-Transfer-Encoding: 8bit

Error: USE_AFTER_FREE (CWE-416): [#def1]

libslirp-4.3.0/src/ip_icmp.c:79: freed_arg: "icmp_detach" frees "slirp->icmp.so_next".

libslirp-4.3.0/src/ip_icmp.c:79: deref_arg: Calling "icmp_detach" dereferences freed pointer "slirp->icmp.so_next".

   77|   {

   78|       while (slirp->icmp.so_next != &slirp->icmp) {

   79|->         icmp_detach(slirp->icmp.so_next);

   80|       }

   81|   }

Error: USE_AFTER_FREE (CWE-416): [#def27]

libslirp-4.3.0/src/udp.c:56: freed_arg: "udp_detach" frees "slirp->udb.so_next".

libslirp-4.3.0/src/udp.c:56: deref_arg: Calling "udp_detach" dereferences freed pointer "slirp->udb.so_next".

   54|   {

   55|       while (slirp->udb.so_next != &slirp->udb) {

   56|->         udp_detach(slirp->udb.so_next);

   57|       }

   58|   }

Signed-off-by: Jindrich Novy <jnovy@redhat.com>

Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>

---

 src/ip_icmp.c | 7 +++++--

 src/udp.c     | 5 ++++-

 2 files changed, 9 insertions(+), 3 deletions(-)

diff --git a/src/ip_icmp.c b/src/ip_icmp.c

index fe0add4..7533595 100644

--- libslirp-4.3.0/src/ip_icmp.c

+++ libslirp-4.3.0/src/ip_icmp.c

@@ -75,8 +75,11 @@ void icmp_init(Slirp *slirp)

 void icmp_cleanup(Slirp *slirp)

 {

-    while (slirp->icmp.so_next != &slirp->icmp) {

-        icmp_detach(slirp->icmp.so_next);

+    struct socket *so, *so_next;

+

+    for (so = slirp->icmp.so_next; so != &slirp->icmp; so = so_next) {

+        so_next = so->so_next;

+        icmp_detach(so);

     }

 }

diff --git a/src/udp.c b/src/udp.c

index 6bde20f..9ed1e74 100644

--- libslirp-4.3.0/src/udp.c

+++ libslirp-4.3.0/src/udp.c

@@ -52,7 +52,10 @@ void udp_init(Slirp *slirp)

 void udp_cleanup(Slirp *slirp)

 {

-    while (slirp->udb.so_next != &slirp->udb) {

+    struct socket *so, *so_next;

+

+    for (so = slirp->udb.so_next; so != &slirp->udb; so = so_next) {

+        so_next = so->so_next;

         udp_detach(slirp->udb.so_next);

     }

 }

-- 

2.26.2

From 2d79c0b7d78e55624790a102fbd924a4259eef16 Mon Sep 17 00:00:00 2001

From: Jindrich Novy <jnovy@redhat.com>

Date: Wed, 27 May 2020 11:07:19 +0200

Subject: [PATCH] Use secure string copy to avoid overflow

MIME-Version: 1.0

Content-Type: text/plain; charset=UTF-8

Content-Transfer-Encoding: 8bit

Error: STRING_OVERFLOW (CWE-120): [#def2]

libslirp-4.3.0/src/ip_icmp.c:277: fixed_size_dest: You might overrun the 20-character fixed-size string "bufa" by copying the return value of "inet_ntoa" without checking the length.

  275|       if (slirp_debug & DBG_MISC) {

  276|           char bufa[20], bufb[20];

  277|->         strcpy(bufa, inet_ntoa(ip->ip_src));

  278|           strcpy(bufb, inet_ntoa(ip->ip_dst));

  279|           DEBUG_MISC(" %.16s to %.16s", bufa, bufb);

Error: STRING_OVERFLOW (CWE-120): [#def3]

libslirp-4.3.0/src/ip_icmp.c:278: fixed_size_dest: You might overrun the 20-character fixed-size string "bufb" by copying the return value of "inet_ntoa" without checking the length.

  276|           char bufa[20], bufb[20];

  277|           strcpy(bufa, inet_ntoa(ip->ip_src));

  278|->         strcpy(bufb, inet_ntoa(ip->ip_dst));

  279|           DEBUG_MISC(" %.16s to %.16s", bufa, bufb);

  280|       }

Signed-off-by: Jindrich Novy <jnovy@redhat.com>

Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>

---

 src/ip_icmp.c | 4 ++--

 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/ip_icmp.c b/src/ip_icmp.c

index 7533595..13a0e55 100644

--- libslirp-4.3.0/src/ip_icmp.c

+++ libslirp-4.3.0/src/ip_icmp.c

@@ -277,8 +277,8 @@ void icmp_send_error(struct mbuf *msrc, uint8_t type, uint8_t code, int minsize,

     ip = mtod(msrc, struct ip *);

     if (slirp_debug & DBG_MISC) {

         char bufa[20], bufb[20];

-        strcpy(bufa, inet_ntoa(ip->ip_src));

-        strcpy(bufb, inet_ntoa(ip->ip_dst));

+        slirp_pstrcpy(bufa, sizeof(bufa), inet_ntoa(ip->ip_src));

+        slirp_pstrcpy(bufb, sizeof(bufb), inet_ntoa(ip->ip_dst));

         DEBUG_MISC(" %.16s to %.16s", bufa, bufb);

     }

     if (ip->ip_off & IP_OFFMASK)

-- 

2.26.2

From 961a676e93fe7d599d3856e63bd132fe0d2decb2 Mon Sep 17 00:00:00 2001

From: Jindrich Novy <jnovy@redhat.com>

Date: Wed, 27 May 2020 11:16:57 +0200

Subject: [PATCH] Check lseek() for failure

MIME-Version: 1.0

Content-Type: text/plain; charset=UTF-8

Content-Transfer-Encoding: 8bit

Error: CHECKED_RETURN (CWE-252): [#def26]

libslirp-4.3.0/src/tftp.c:121: check_return: Calling "lseek(spt->fd, block_nr * spt->block_size, 0)" without checking return value. This library function may fail and return an error code.

  119|

  120|       if (len) {

  121|->         lseek(spt->fd, block_nr * spt->block_size, SEEK_SET);

  122|

  123|           bytes_read = read(spt->fd, buf, len);

Signed-off-by: Jindrich Novy <jnovy@redhat.com>

Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>

---

 src/tftp.c | 4 +++-

 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/src/tftp.c b/src/tftp.c

index c209145..c6950ee 100644

--- libslirp-4.3.0/src/tftp.c

+++ libslirp-4.3.0/src/tftp.c

@@ -118,7 +118,9 @@ static int tftp_read_data(struct tftp_session *spt, uint32_t block_nr,

     }

     if (len) {

-        lseek(spt->fd, block_nr * spt->block_size, SEEK_SET);

+        if (lseek(spt->fd, block_nr * spt->block_size, SEEK_SET) == (off_t)-1) {

+            return -1;

+        }

         bytes_read = read(spt->fd, buf, len);

     }

-- 

2.26.2

From b0fc01a6b8cf6a50a1af69845cca692cc42dd970 Mon Sep 17 00:00:00 2001

From: Jindrich Novy <jnovy@redhat.com>

Date: Wed, 27 May 2020 11:18:36 +0200

Subject: [PATCH] Be sure to initialize sockaddr structure

MIME-Version: 1.0

Content-Type: text/plain; charset=UTF-8

Content-Transfer-Encoding: 8bit

Error: UNINIT (CWE-457): [#def30]

libslirp-4.3.0/src/udp.c:325: var_decl: Declaring variable "addr" without initializer.

libslirp-4.3.0/src/udp.c:342: uninit_use_in_call: Using uninitialized value "addr". Field "addr.sin_zero" is uninitialized when calling "bind".

Signed-off-by: Jindrich Novy <jnovy@redhat.com>

Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>

---

 src/udp.c | 1 +

 1 file changed, 1 insertion(+)

diff --git a/src/udp.c b/src/udp.c

index 9ed1e74..0ad44d7 100644

--- libslirp-4.3.0/src/udp.c

+++ libslirp-4.3.0/src/udp.c

@@ -329,6 +329,7 @@ struct socket *udp_listen(Slirp *slirp, uint32_t haddr, unsigned hport,

     struct socket *so;

     socklen_t addrlen = sizeof(struct sockaddr_in);

+    memset(&addr, 0, sizeof(addr));

     so = socreate(slirp);

     so->s = slirp_socket(AF_INET, SOCK_DGRAM, 0);

     if (so->s < 0) {

-- 

2.26.2