slirp: Add sanity check for str option length (6e157a03) · Commits · SUMMER2020 / students / proj-2021291

net/slirp.c

+9 −0

Original line number	Diff line number	Diff line
		@@ -350,6 +350,15 @@ static int net_slirp_init(NetClientState peer, const char model,
		return -1;
		}

		if (vdomainname && strlen(vdomainname) > 255) {
		error_setg(errp, "'domainname' parameter cannot exceed 255 bytes");
		return -1;
		}

		if (vhostname && strlen(vhostname) > 255) {
		error_setg(errp, "'vhostname' parameter cannot exceed 255 bytes");
		return -1;
		}

		nc = qemu_new_net_client(&net_slirp_info, peer, model, name);

slirp/bootp.c

+22 −10

Original line number	Diff line number	Diff line
		@@ -159,6 +159,7 @@ static void bootp_reply(Slirp slirp, const struct bootp_t bp)
		struct in_addr preq_addr;
		int dhcp_msg_type, val;
		uint8_t *q;
		uint8_t *end;
		uint8_t client_ethaddr[ETH_ALEN];

		/* extract exact DHCP msg type */
		@@ -240,6 +241,7 @@ static void bootp_reply(Slirp slirp, const struct bootp_t bp)
		rbp->bp_siaddr = saddr.sin_addr; /* Server IP address */

		q = rbp->bp_vend;
		end = (uint8_t *)&rbp[1];
		memcpy(q, rfc1533_cookie, 4);
		q += 4;

		@@ -292,24 +294,33 @@ static void bootp_reply(Slirp slirp, const struct bootp_t bp)

		if (*slirp->client_hostname) {
		val = strlen(slirp->client_hostname);
		if (q + val + 2 >= end) {
		g_warning("DHCP packet size exceeded, "
		"omitting host name option.");
		} else {
		*q++ = RFC1533_HOSTNAME;
		*q++ = val;
		memcpy(q, slirp->client_hostname, val);
		q += val;
		}
		}

		if (slirp->vdomainname) {
		val = strlen(slirp->vdomainname);
		if (q + val + 2 >= end) {
		g_warning("DHCP packet size exceeded, "
		"omitting domain name option.");
		} else {
		*q++ = RFC1533_DOMAINNAME;
		*q++ = val;
		memcpy(q, slirp->vdomainname, val);
		q += val;
		}
		}

		if (slirp->vdnssearch) {
		size_t spaceleft = sizeof(rbp->bp_vend) - (q - rbp->bp_vend);
		val = slirp->vdnssearch_len;
		if (val + 1 > spaceleft) {
		if (q + val >= end) {
		g_warning("DHCP packet size exceeded, "
		"omitting domain-search option.");
		} else {
		@@ -331,6 +342,7 @@ static void bootp_reply(Slirp slirp, const struct bootp_t bp)
		memcpy(q, nak_msg, sizeof(nak_msg) - 1);
		q += sizeof(nak_msg) - 1;
		}
		assert(q < end);
		*q = RFC1533_END;

		daddr.sin_addr.s_addr = 0xffffffffu;