Package: libslirp / 4.4.0-1+deb11u2

Metadata

Package: libslirp
Version: 4.4.0-1+deb11u2
Patches format: 3.0 (quilt)

Patch series

Patch File delta Description
add mtod_check.patch

src/mbuf.c | 11 11 + 0 - 0 !
src/mbuf.h | 1 1 + 0 - 0 !
2 files changed, 12 insertions(+)

 add mtod_check()
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Recent security issues demonstrate the lack of safety care when casting
a mbuf to a particular structure type. At least, it should check that
the buffer is large enough. The following patches will make use of this
function.

Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>

bootp limit vendor area to input packet CVE 2021 3592.patch

src/bootp.c | 26 15 + 11 - 0 !
src/bootp.h | 2 1 + 1 - 0 !
src/mbuf.c | 5 5 + 0 - 0 !
src/mbuf.h | 1 1 + 0 - 0 !
4 files changed, 22 insertions(+), 12 deletions(-)

 bootp: limit vendor-specific area to input packet memory buffer
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Bug-Debian: https://bugs.debian.org/989993

sizeof(bootp_t) currently holds DHCP_OPT_LEN. Remove this optional field
from the structure, to help with the following patch checking for
minimal header size. Modify the bootp_reply() function to take the
buffer boundaries and avoid potential buffer overflow.

Related to CVE-2021-3592.

https://gitlab.freedesktop.org/slirp/libslirp/-/issues/44

Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>

fix DHCP broken in libslirp v4.6.0.patch

src/bootp.c | 4 3 + 1 - 0 !
1 file changed, 3 insertions(+), 1 deletion(-)

 fix "dhcp broken in libslirp v4.6.0"
Comment: this fixes "bootp: limit vendor-specific area to input packet memory buffer" commit

Fix issue 48

Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>

bootp check bootp_input buffer size CVE 2021 3592.patch

src/bootp.c | 4 2 + 2 - 0 !
1 file changed, 2 insertions(+), 2 deletions(-)

 bootp: check bootp_input buffer size
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Bug-Debian: https://bugs.debian.org/989993

Fixes: CVE-2021-3592
Fixes: https://gitlab.freedesktop.org/slirp/libslirp/-/issues/44

Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>

tftp check tftp_input buffer size CVE 2021 3595.patch

src/tftp.c | 6 5 + 1 - 0 !
1 file changed, 5 insertions(+), 1 deletion(-)

 tftp: check tftp_input buffer size
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Bug-Debian: https://bugs.debian.org/989996

Fixes: CVE-2021-3595
Fixes: https://gitlab.freedesktop.org/slirp/libslirp/-/issues/46

Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>

tftp introduce a header structure CVE 2021 3595.patch

src/tftp.c | 60 31 + 29 - 0 !
src/tftp.h | 6 5 + 1 - 0 !
2 files changed, 36 insertions(+), 30 deletions(-)

 tftp: introduce a header structure
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Bug-Debian: https://bugs.debian.org/989996

Instead of using a composed structure and potentially reading past the

udp check upd_input buffer size CVE 2021 3594.patch

src/udp.c | 5 4 + 1 - 0 !
1 file changed, 4 insertions(+), 1 deletion(-)

 udp: check upd_input buffer size
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Bug-Debian: https://bugs.debian.org/989995

Fixes: CVE-2021-3594
Fixes: https://gitlab.freedesktop.org/slirp/libslirp/-/issues/47

Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>

upd6 check udp6_input buffer size CVE 2021 3593.patch

src/udp6.c | 5 4 + 1 - 0 !
1 file changed, 4 insertions(+), 1 deletion(-)

 upd6: check udp6_input buffer size
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Bug-Debian: https://bugs.debian.org/989994

Fixes: CVE-2021-3593
Fixes: https://gitlab.freedesktop.org/slirp/libslirp/-/issues/45

Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>