From 3bb5804776e5141690ff6fbb5b07b2a0307391ee Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Marc-Andr=C3=A9=20Lureau?= Date: Tue, 28 Jan 2020 13:32:53 +0000 Subject: [PATCH 1/2] slirp: disable tcp_emu() MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit RH-Author: Marc-André Lureau Message-id: <20200128133253.794107-2-marcandre.lureau@redhat.com> Patchwork-id: 93569 O-Subject: [RHEL-8.2.0 qemu-kvm + RHEL-7.7 qemu-kvm + RHEL-6.11 qemu-kvm PATCH 1/1] slirp: disable tcp_emu() Bugzilla: 1791677 RH-Acked-by: Danilo de Paula RH-Acked-by: Eduardo Habkost RH-Acked-by: Stefan Hajnoczi Since libslirp 4.1, tcp_emu() is disabled by default because it is known to cause several CVEs and is not useful today in most cases. Qemu upstream doesn't have an option to enable it back at this point, it's not clear if we ever want to expose that option anyway. See also upstream commit 07c2a44b67e ("emu: disable by default") Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1791677 Signed-off-by: Marc-André Lureau Signed-off-by: Danilo C. L. de Paula --- slirp/tcp_subr.c | 4 ++-- slirp/udp.c | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/slirp/tcp_subr.c b/slirp/tcp_subr.c index b95ba23..ac14366 100644 --- a/slirp/tcp_subr.c +++ b/slirp/tcp_subr.c @@ -568,7 +568,7 @@ tcp_tos(struct socket *so) while(tcptos[i].tos) { if ((tcptos[i].fport && (ntohs(so->so_fport) == tcptos[i].fport)) || (tcptos[i].lport && (ntohs(so->so_lport) == tcptos[i].lport))) { - so->so_emu = tcptos[i].emu; + so->so_emu = 0; /* disabled */ return tcptos[i].tos; } i++; @@ -578,7 +578,7 @@ tcp_tos(struct socket *so) for (emup = tcpemu; emup; emup = emup->next) { if ((emup->fport && (ntohs(so->so_fport) == emup->fport)) || (emup->lport && (ntohs(so->so_lport) == emup->lport))) { - so->so_emu = emup->emu; + so->so_emu = 0; /* disabled */ return emup->tos; } } diff --git a/slirp/udp.c b/slirp/udp.c index 227d779..f5f5548 100644 --- a/slirp/udp.c +++ b/slirp/udp.c 
@@ -313,7 +313,7 @@ udp_tos(struct socket *so) while(udptos[i].tos) { if ((udptos[i].fport && ntohs(so->so_fport) == udptos[i].fport) || (udptos[i].lport && ntohs(so->so_lport) == udptos[i].lport)) { - so->so_emu = udptos[i].emu; + so->so_emu = 0; /* disabled */ return udptos[i].tos; } i++; -- 1.8.3.1
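Review bot: In the first slirp/tcp_subr.c hunk (tcp_tos(), the tcptos[] loop), the comment on `so->so_emu = 0; /* disabled */` does not say what is disabled or why, and it leaves the `emu` column of tcptos[] unread at this site with no explanation. Suggest a comment that names tcp_emu() and the upstream reference from the commit message, for example `/* tcp_emu() disabled, see upstream commit 07c2a44b67e */`. It is also worth confirming that no other path assigns so_emu, since the hunk only covers the assignment inside tcp_tos().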
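Review bot: In the second slirp/tcp_subr.c hunk (tcp_tos(), the `for (emup = tcpemu; emup; emup = emup->next)` loop), entries on the tcpemu list still match on fport/lport and still supply `emup->tos`, but their `emu` value is now silently ignored. If anything can still add entries to that list, the addition would appear to succeed while having no effect on emulation. Consider rejecting or logging at the point where entries are added, or at least noting here that only the TOS part of an entry is honoured.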
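Review bot: The slirp/udp.c hunk zeroes so_emu in udp_tos(), but the subject line and commit message only mention tcp_emu(). The message should state that emulation selected through udptos[] is turned off as well, and why, so the udp.c change is not read as accidental. The `/* disabled */` comment on `so->so_emu = 0;` would also benefit from naming what is disabled.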