
[Qemu-commits] [qemu/qemu] f853ac: net/slirp: Tell the users when they a


From: GitHub
Subject: [Qemu-commits] [qemu/qemu] f853ac: net/slirp: Tell the users when they are using depr...
Date: Thu, 04 Feb 2016 08:30:03 -0800

  Branch: refs/heads/master
  Home:   https://github.com/qemu/qemu
  Commit: f853ac66c7b49a3a064ee838683c27fc3c9b86cc
      https://github.com/qemu/qemu/commit/f853ac66c7b49a3a064ee838683c27fc3c9b86cc
  Author: Thomas Huth <address@hidden>
  Date:   2016-02-04 (Thu, 04 Feb 2016)

  Changed paths:
    M net/slirp.c
    M os-posix.c
    M vl.c

  Log Message:
  -----------
  net/slirp: Tell the users when they are using deprecated options

We don't want to support the legacy -tftp, -bootp, -smb and
-net channel options forever. So let's start telling the users
that they are deprecated and what option should be used instead.

Signed-off-by: Thomas Huth <address@hidden>
Signed-off-by: Jason Wang <address@hidden>


  Commit: c8c6afa8867b43e6b2a0553a8eb6c880f27a8379
      https://github.com/qemu/qemu/commit/c8c6afa8867b43e6b2a0553a8eb6c880f27a8379
  Author: Thomas Huth <address@hidden>
  Date:   2016-02-04 (Thu, 04 Feb 2016)

  Changed paths:
    M qemu-doc.texi

  Log Message:
  -----------
  qemu-doc: Do not promote deprecated -smb and -redir options

Since -smb and -redir are deprecated options, we should not
use them as examples in the documentation anymore.

Signed-off-by: Thomas Huth <address@hidden>
Signed-off-by: Jason Wang <address@hidden>


  Commit: 244381ec19ce1412b474f41b5f30fe1da846451b
      https://github.com/qemu/qemu/commit/244381ec19ce1412b474f41b5f30fe1da846451b
  Author: Prasad J Pandit <address@hidden>
  Date:   2016-02-04 (Thu, 04 Feb 2016)

  Changed paths:
    M hw/net/cadence_gem.c

  Log Message:
  -----------
  net: cadence_gem: check packet size in gem_receive

While receiving packets in the 'gem_receive' routine, if Frame Check
Sequence (FCS) is enabled, it copies the packet into a local
buffer without checking its size. Add a check to validate packet
length against the buffer size to avoid buffer overflow.

Reported-by: Ling Liu <address@hidden>
Signed-off-by: Prasad J Pandit <address@hidden>
Signed-off-by: Jason Wang <address@hidden>


  Commit: d7f053652fef48bee7c461c162c8d4d2c96ab157
      https://github.com/qemu/qemu/commit/d7f053652fef48bee7c461c162c8d4d2c96ab157
  Author: Michael S. Tsirkin <address@hidden>
  Date:   2016-02-04 (Thu, 04 Feb 2016)

  Changed paths:
    M hw/net/cadence_gem.c

  Log Message:
  -----------
  cadence_gem: fix buffer overflow

gem_transmit copies a packet from the guest into a tx_packet[2048]
array on the stack, with the size limited by the descriptor length set by
the guest. If the guest is malicious and specifies a descriptor length that
is too large, so that the packet size exceeds the array size, this results
in a buffer overflow.

Reported-by: 刘令 <address@hidden>
Signed-off-by: Michael S. Tsirkin <address@hidden>
Signed-off-by: Jason Wang <address@hidden>
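The two cadence_gem fixes above share one pattern: a guest-controlled length drives a copy into a fixed-size buffer, and the device must reject the copy before it happens. The following is an added example written for this page, not QEMU's hw/net/cadence_gem.c; it models both the transmit side (frame gathered from descriptors whose lengths the guest sets) and the receive side with FCS enabled (four extra bytes appended to the copied packet). The names tx_desc, assemble_tx_frame, receive_with_fcs, FRAME_CAP and FCS_LEN are assumptions for illustration, and the FCS written here is a constructed placeholder rather than a real CRC.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define FRAME_CAP 2048   /* fixed-size frame buffer, like tx_packet[2048] */
#define FCS_LEN   4      /* Ethernet Frame Check Sequence appended on receive */

/* Guest-written transmit descriptor: the device must never trust `len`. */
struct tx_desc {
    const uint8_t *data;  /* fragment payload (guest memory in a real device) */
    uint32_t       len;   /* fragment length, fully guest controlled */
};

/* Transmit side: gather the fragments of one frame into `out` (capacity `cap`).
 * Returns the assembled length, or -1 if any descriptor would push the frame
 * past the buffer. The check runs BEFORE each memcpy, on the running total, so
 * one oversized fragment and a sum of many small ones are both rejected. */
long assemble_tx_frame(const struct tx_desc *ring, size_t ndesc,
                       uint8_t *out, size_t cap)
{
    size_t total = 0;
    for (size_t i = 0; i < ndesc; i++) {
        uint32_t len = ring[i].len;
        /* `cap - total` cannot underflow: total <= cap is a loop invariant */
        if (len > cap - total) {
            return -1;  /* drop the frame: guest asked for more than fits */
        }
        memcpy(out + total, ring[i].data, len);
        total += len;
    }
    return (long)total;
}

/* Receive side with FCS enabled: the packet is copied into a local buffer and
 * FCS_LEN bytes are appended, so the packet itself may occupy at most
 * cap - FCS_LEN bytes. Returns the stored length, or -1 if it does not fit. */
long receive_with_fcs(const uint8_t *pkt, size_t len, uint8_t *buf, size_t cap)
{
    if (cap < FCS_LEN || len > cap - FCS_LEN) {
        return -1;
    }
    memcpy(buf, pkt, len);
    /* constructed placeholder: a real device computes CRC-32 over the frame */
    memset(buf + len, 0, FCS_LEN);
    return (long)(len + FCS_LEN);
}
```

The receive check is the easy one to get wrong: comparing `len` against the buffer size alone leaves no room for the FCS bytes appended afterwards, so the bound has to account for everything that is written, not only the packet.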


  Commit: 86c9e1e9d7400c25821ff12cce80336a1cdded59
      https://github.com/qemu/qemu/commit/86c9e1e9d7400c25821ff12cce80336a1cdded59
  Author: Guillaume Subiron <address@hidden>
  Date:   2016-02-04 (Thu, 04 Feb 2016)

  Changed paths:
    M slirp/udp.c

  Log Message:
  -----------
  slirp: goto bad in udp_input if sosendto fails

Before this patch, if sosendto fails, udp_input is executed as if the
packet was sent, recording the packet for icmp errors, which does not
make sense since the packet was not actually sent; errors would be
related to a previous packet.

This patch adds a goto bad to cut the execution of this function.

Signed-off-by: Guillaume Subiron <address@hidden>
Signed-off-by: Samuel Thibault <address@hidden>
Reviewed-by: Thomas Huth <address@hidden>
Signed-off-by: Jason Wang <address@hidden>


  Commit: fc3779a1189cbe6e777a0f7608741f3841cdcfea
      https://github.com/qemu/qemu/commit/fc3779a1189cbe6e777a0f7608741f3841cdcfea
  Author: Guillaume Subiron <address@hidden>
  Date:   2016-02-04 (Thu, 04 Feb 2016)

  Changed paths:
    M slirp/mbuf.c
    M slirp/mbuf.h
    M slirp/slirp.c

  Log Message:
  -----------
  slirp: Generalizing and neutralizing ARP code

Basically, this patch replaces "arp" by "resolution" every time "arp"
means "mac resolution" and not specifically ARP.

This prepares for IPv6 support.

Signed-off-by: Guillaume Subiron <address@hidden>
Signed-off-by: Samuel Thibault <address@hidden>
Reviewed-by: Thomas Huth <address@hidden>
Signed-off-by: Jason Wang <address@hidden>


  Commit: 18137fba35980de428664fca3576b5d187e96fef
      https://github.com/qemu/qemu/commit/18137fba35980de428664fca3576b5d187e96fef
  Author: Guillaume Subiron <address@hidden>
  Date:   2016-02-04 (Thu, 04 Feb 2016)

  Changed paths:
    M slirp/slirp.c

  Log Message:
  -----------
  slirp: Adding address family switch for produced frames

In if_encap, a switch is added to prepare for the IPv6 case. Some code
is factorized.

This prepares for IPv6 support.

Signed-off-by: Guillaume Subiron <address@hidden>
Signed-off-by: Samuel Thibault <address@hidden>
Reviewed-by: Thomas Huth <address@hidden>


  Commit: eae303ff23f51259eddc8856c71453d887ffe51a
      https://github.com/qemu/qemu/commit/eae303ff23f51259eddc8856c71453d887ffe51a
  Author: Guillaume Subiron <address@hidden>
  Date:   2016-02-04 (Thu, 04 Feb 2016)

  Changed paths:
    M slirp/ip_icmp.c
    M slirp/slirp.c
    M slirp/socket.c
    M slirp/socket.h
    M slirp/tcp_input.c
    M slirp/tcp_subr.c
    M slirp/udp.c

  Log Message:
  -----------
  slirp: Make Socket structure IPv6 compatible

This patch replaces the foreign and local address/port couples in the Socket
structure by two sockaddr_storage which can be cast to sockaddr_in.
Direct access to address and port is still possible thanks to some
#define, so backward compatibility of the existing code is assured.

The ss_family field of sockaddr_storage is declared after each socket
creation.

The whole structure is also saved/restored when a Qemu session is
saved/restored.

This prepares for IPv6 support.

Signed-off-by: Guillaume Subiron <address@hidden>
Signed-off-by: Samuel Thibault <address@hidden>
Reviewed-by: Thomas Huth <address@hidden>
Signed-off-by: Jason Wang <address@hidden>


  Commit: 5379229a2708df3a1506113315214c3ce5325859
      https://github.com/qemu/qemu/commit/5379229a2708df3a1506113315214c3ce5325859
  Author: Guillaume Subiron <address@hidden>
  Date:   2016-02-04 (Thu, 04 Feb 2016)

  Changed paths:
    M slirp/bootp.c
    M slirp/ip_icmp.c
    M slirp/socket.c
    M slirp/socket.h
    M slirp/tcp_subr.c
    M slirp/tftp.c
    M slirp/udp.c
    M slirp/udp.h

  Log Message:
  -----------
  slirp: Factorizing address translation

This patch factorizes some duplicate code into a new function,
sotranslate_out(). This function performs the address translation when a
packet is transmitted to the host network. If the packet is destined
for the host, the loopback address is used, and if the packet is
destined for the virtual DNS, the real DNS address is used. This code
is just a copy of the existing code, but factorized and ready to manage the
IPv6 case.

On the same model, the major part of the udp_output() code is moved into a
new sotranslate_in(). This function is directly used in sorecvfrom(),
like sotranslate_out() in sosendto().
Since udp_output() thus becomes useless, it is removed and udp_output2() is
renamed to udp_output(). This adds consistency with the udp6_output()
function introduced by further patches.

Lastly, this factorizes some duplicate code into sotranslate_accept(), which
performs the address translation when a connection is established on the host
for port forwarding: if it comes from localhost, the host virtual address is
used instead.

This prepares for IPv6 support.

Signed-off-by: Guillaume Subiron <address@hidden>
Signed-off-by: Samuel Thibault <address@hidden>
Reviewed-by: Thomas Huth <address@hidden>
Signed-off-by: Jason Wang <address@hidden>


  Commit: a5fd24aa6d0f26aeb9f15b24daa2d68427631c40
      https://github.com/qemu/qemu/commit/a5fd24aa6d0f26aeb9f15b24daa2d68427631c40
  Author: Guillaume Subiron <address@hidden>
  Date:   2016-02-04 (Thu, 04 Feb 2016)

  Changed paths:
    M slirp/socket.c
    M slirp/socket.h
    M slirp/tcp_input.c
    M slirp/udp.c

  Log Message:
  -----------
  slirp: Factorizing and cleaning solookup()

solookup() was only compatible with TCP. Taking the socket list as an
argument, it is now compatible with UDP too.

Some optimization code is factorized inside the function (the function
looks at the last returned result before browsing the complete socket
list).

This prepares for IPv6 support.

Signed-off-by: Guillaume Subiron <address@hidden>
Signed-off-by: Samuel Thibault <address@hidden>
Reviewed-by: Thomas Huth <address@hidden>
Signed-off-by: Jason Wang <address@hidden>


  Commit: 8a87f121ca82fbb34877ec843dfc50b327baef9d
      https://github.com/qemu/qemu/commit/8a87f121ca82fbb34877ec843dfc50b327baef9d
  Author: Guillaume Subiron <address@hidden>
  Date:   2016-02-04 (Thu, 04 Feb 2016)

  Changed paths:
    M slirp/socket.c
    M slirp/socket.h
    M slirp/tcp_input.c
    M slirp/udp.c

  Log Message:
  -----------
  slirp: Add sockaddr_equal, make solookup family-agnostic

This patch makes solookup() compatible with varying address
families, by using a new sockaddr_equal() function that compares
two sockaddr_storage.

This prepares for IPv6 support.

Signed-off-by: Guillaume Subiron <address@hidden>
Signed-off-by: Samuel Thibault <address@hidden>
Reviewed-by: Thomas Huth <address@hidden>
Signed-off-by: Jason Wang <address@hidden>
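The "Make Socket structure IPv6 compatible" and "Add sockaddr_equal" commits above describe replacing address/port pairs with sockaddr_storage and comparing two of them in a family-agnostic way. The following is an added example written for this page, not slirp's own sockaddr_equal(): it compares two sockaddr_storage values by family, address and port, and shows why a whole-struct memcmp is the wrong tool (sin_zero, struct padding and the IPv6 flow and scope fields would all take part in the comparison). The helper names make_v4 and make_v6 and the sample addresses are constructed for illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>

/* Family-agnostic equality: same family, same address, same port.
 * Only AF_INET and AF_INET6 are handled; anything else compares unequal. */
bool sockaddr_equal(const struct sockaddr_storage *a,
                    const struct sockaddr_storage *b)
{
    if (a->ss_family != b->ss_family) {
        return false;  /* an IPv4 and an IPv6 endpoint never match */
    }
    switch (a->ss_family) {
    case AF_INET: {
        const struct sockaddr_in *a4 = (const struct sockaddr_in *)a;
        const struct sockaddr_in *b4 = (const struct sockaddr_in *)b;
        /* both fields are in network byte order on both sides, so compare raw */
        return a4->sin_addr.s_addr == b4->sin_addr.s_addr &&
               a4->sin_port == b4->sin_port;
    }
    case AF_INET6: {
        const struct sockaddr_in6 *a6 = (const struct sockaddr_in6 *)a;
        const struct sockaddr_in6 *b6 = (const struct sockaddr_in6 *)b;
        /* compare only the 16 address bytes, not flowinfo or scope_id */
        return memcmp(&a6->sin6_addr, &b6->sin6_addr,
                      sizeof(a6->sin6_addr)) == 0 &&
               a6->sin6_port == b6->sin6_port;
    }
    default:
        return false;
    }
}

/* Build an IPv4 endpoint from host-order values (constructed test helper). */
struct sockaddr_storage make_v4(uint32_t host_order_addr, uint16_t host_order_port)
{
    struct sockaddr_storage ss;
    struct sockaddr_in *sin = (struct sockaddr_in *)&ss;
    memset(&ss, 0, sizeof(ss));  /* zero padding so the struct is fully defined */
    sin->sin_family = AF_INET;
    sin->sin_addr.s_addr = htonl(host_order_addr);
    sin->sin_port = htons(host_order_port);
    return ss;
}

/* Build an IPv6 endpoint from 16 raw address bytes (constructed test helper). */
struct sockaddr_storage make_v6(const uint8_t addr[16], uint16_t host_order_port)
{
    struct sockaddr_storage ss;
    struct sockaddr_in6 *sin6 = (struct sockaddr_in6 *)&ss;
    memset(&ss, 0, sizeof(ss));
    sin6->sin6_family = AF_INET6;
    memcpy(&sin6->sin6_addr, addr, 16);
    sin6->sin6_port = htons(host_order_port);
    return ss;
}
```

A lookup keyed on this comparison (the solookup() role described above) behaves the same for both families, which is exactly what lets the later IPv6 work reuse the existing socket list instead of adding a parallel one.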


  Commit: 9b5a30dc41c7455a17c88ed1a3677ba5f937f31d
      https://github.com/qemu/qemu/commit/9b5a30dc41c7455a17c88ed1a3677ba5f937f31d
  Author: Guillaume Subiron <address@hidden>
  Date:   2016-02-04 (Thu, 04 Feb 2016)

  Changed paths:
    M slirp/ip_icmp.c
    M slirp/udp.c
    M slirp/udp.h

  Log Message:
  -----------
  slirp: Make udp_attach IPv6 compatible

An unsigned short is now passed as an argument to udp_attach instead of using a
hardcoded "AF_INET" to call qemu_socket().

This prepares for IPv6 support.

Signed-off-by: Guillaume Subiron <address@hidden>
Signed-off-by: Samuel Thibault <address@hidden>
Reviewed-by: Thomas Huth <address@hidden>
Signed-off-by: Jason Wang <address@hidden>


  Commit: cc573a6924da3f487410c27e2dc0e2aeeeb55b06
      https://github.com/qemu/qemu/commit/cc573a6924da3f487410c27e2dc0e2aeeeb55b06
  Author: Guillaume Subiron <address@hidden>
  Date:   2016-02-04 (Thu, 04 Feb 2016)

  Changed paths:
    M slirp/slirp.h
    M slirp/tcp_input.c
    M slirp/tcp_subr.c

  Log Message:
  -----------
  slirp: Adding family argument to tcp_fconnect()

This patch simply adds an unsigned short family argument to remove the hardcoded
"AF_INET" in the call to qemu_socket().

This prepares for IPv6 support.

Signed-off-by: Guillaume Subiron <address@hidden>
Signed-off-by: Samuel Thibault <address@hidden>
Reviewed-by: Thomas Huth <address@hidden>
Signed-off-by: Jason Wang <address@hidden>


  Commit: dd793a74882477ca38d49e191110c17dfee51dcc
      https://github.com/qemu/qemu/commit/dd793a74882477ca38d49e191110c17dfee51dcc
  Author: Laszlo Ersek <address@hidden>
  Date:   2016-02-04 (Thu, 04 Feb 2016)

  Changed paths:
    M hw/net/e1000.c

  Log Message:
  -----------
  e1000: eliminate infinite loops on out-of-bounds transfer start

The start_xmit() and e1000_receive_iov() functions implement DMA transfers
iterating over a set of descriptors that the guest's e1000 driver
prepares:

- the TDLEN and RDLEN registers store the total size of the descriptor
  area,

- while the TDH and RDH registers store the offset (in whole tx / rx
  descriptors) into the area where the transfer is supposed to start.

Each time a descriptor is processed, the TDH and RDH register is bumped
(as appropriate for the transfer direction).

QEMU already contains logic to deal with bogus transfers submitted by the
guest:

- Normally, the transmit case wants to increase TDH from its initial value
  to TDT. (TDT is allowed to be numerically smaller than the initial TDH
  value; wrapping at or above TDLEN bytes to zero is normal.) The failsafe
  that QEMU currently has here is a check against reaching the original
  TDH value again -- a complete wraparound, which should never happen.

- In the receive case RDH is increased from its initial value until
  "total_size" bytes have been received; preferably in a single step, or
  in "s->rxbuf_size" byte steps, if the latter is smaller. However, null
  RX descriptors are skipped without receiving data, while RDH is
  incremented just the same. QEMU tries to prevent an infinite loop
  (processing only null RX descriptors) by detecting whether RDH assumes
  its original value during the loop. (Again, wrapping from RDLEN to 0 is
  normal.)

What both directions miss is that the guest could program TDLEN and RDLEN
so low, and the initial TDH and RDH so high, that these registers will
immediately be truncated to zero, and then never reassume their initial
values in the loop -- a full wraparound will never occur.

The condition that expresses this is:

  xdh_start >= s->mac_reg[XDLEN] / sizeof(desc)

i.e., TDH or RDH start out after the last whole rx or tx descriptor that
fits into the TDLEN or RDLEN sized area.

This condition could be checked before we enter the loops, but
pci_dma_read() / pci_dma_write() knows how to fill in buffers safely for
bogus DMA addresses, so we just extend the existing failsafes with the
above condition.

This is CVE-2016-1981.

Cc: "Michael S. Tsirkin" <address@hidden>
Cc: Petr Matousek <address@hidden>
Cc: Stefano Stabellini <address@hidden>
Cc: Prasad Pandit <address@hidden>
Cc: Michael Roth <address@hidden>
Cc: Jason Wang <address@hidden>
Cc: address@hidden
RHBZ: https://bugzilla.redhat.com/show_bug.cgi?id=1296044
Signed-off-by: Laszlo Ersek <address@hidden>
Reviewed-by: Jason Wang <address@hidden>
Signed-off-by: Jason Wang <address@hidden>
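The e1000 commit message above explains the ring walk, the pre-existing wraparound failsafe, and the start-index condition it adds. The following is an added example written for this page, not QEMU's hw/net/e1000.c: a small model of that walk in which the head is advanced and wrapped exactly as described, with the old failsafe and the new `xdh_start >= XDLEN / sizeof(desc)` check in the same place. The names ring_regs, walk_ring, DESC_SIZE and the return codes are assumptions; XDLEN/XDH/XDT stand for either TDLEN/TDH/TDT or RDLEN/RDH/RDT. The `cap` parameter exists only so the unpatched behaviour can be observed as a return value instead of a hang.

```c
#include <stdint.h>
#include <stdbool.h>

#define DESC_SIZE 16u  /* e1000 tx and rx descriptors are both 16 bytes */

struct ring_regs {
    uint32_t xdlen;  /* size of the descriptor area in bytes (guest writable) */
    uint32_t xdh;    /* head: index of the next descriptor to process */
    uint32_t xdt;    /* tail: index at which the walk should stop */
};

enum {
    WALK_FAILSAFE = -1,  /* a failsafe fired: bogus transfer, stopped early */
    WALK_SPINNING = -2,  /* iteration cap hit: the loop would never end */
};

/* Process descriptors from XDH up to XDT and return the count on a normal exit.
 * `start_check` enables the condition added by the commit; `cap` bounds the
 * simulation so the unpatched case terminates with WALK_SPINNING. */
int walk_ring(struct ring_regs *r, bool start_check, int cap)
{
    uint32_t xdh_start = r->xdh;
    int processed = 0;

    while (r->xdh != r->xdt) {
        /* ... the descriptor at r->xdh would be DMA'd here ... */
        processed++;

        /* advance; wrapping to zero at or beyond XDLEN bytes is normal */
        if (++r->xdh * DESC_SIZE >= r->xdlen) {
            r->xdh = 0;
        }

        /* Failsafe 1 (pre-existing): the head came all the way round.
         * Failsafe 2 (the fix): the head started past the last whole
         * descriptor, so it was truncated to 0 above and can never reach
         * xdh_start again; without this check the walk never terminates. */
        if (r->xdh == xdh_start ||
            (start_check && xdh_start >= r->xdlen / DESC_SIZE)) {
            return WALK_FAILSAFE;
        }

        if (processed >= cap) {
            return WALK_SPINNING;
        }
    }
    return processed;
}
```

With a 64-byte area (four descriptors) and a head of 10, the first increment truncates the head to 0 and it then cycles 0..3 forever; the old failsafe never sees 10 again, and only the added start condition stops the walk.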


  Commit: ab685220f64d170522c6647c71509fdb03920bd9
      https://github.com/qemu/qemu/commit/ab685220f64d170522c6647c71509fdb03920bd9
  Author: Vincenzo Maffione <address@hidden>
  Date:   2016-02-04 (Thu, 04 Feb 2016)

  Changed paths:
    M net/netmap.c

  Log Message:
  -----------
  net: netmap: use nm_open() to open netmap ports

This patch simplifies the netmap backend code by means of the nm_open()
helper function provided by netmap_user.h, which hides the details of
open(), ioctl() and mmap() carried out on the netmap device.

Moreover, the semantics of nm_open() make it possible to open special
netmap ports (e.g. pipes, monitors) and use special modes (e.g. host rings
only, single queue mode, exclusive access).

Signed-off-by: Vincenzo Maffione <address@hidden>
Signed-off-by: Jason Wang <address@hidden>


  Commit: 25aaadf063c447def3442f30390334cb3ada37db
      https://github.com/qemu/qemu/commit/25aaadf063c447def3442f30390334cb3ada37db
  Author: Li Zhijian <address@hidden>
  Date:   2016-02-04 (Thu, 04 Feb 2016)

  Changed paths:
    M include/net/net.h
    M net/filter.c
    M net/net.c

  Log Message:
  -----------
  net: always walk through filters in reverse if traffic is egress

Previously, if we attached more than one filter to a single netdev,
both ingress and egress traffic would go through the net filters in the same
order, like:

ingress: netdev ->filter1 ->filter2 ->...filter[n] ->emulated device
egress: emulated device ->filter1 ->filter2 ->...filter[n] ->netdev.

This is against the natural feeling and will complicate filter
configuration, since in some scenarios we want filters to handle the egress
traffic in reverse order. For example, in colo-proxy (to be
implemented later), we have a redirector filter and a colo-rewriter
filter, and we need the filters to behave like:

ingress(->)/egress(<-): chardev<->redirector<->colo-rewriter<->emulated device

Since neither the buffer filter nor the dump filter requires a strict order of
filters, this patch switches to always letting egress traffic walk through
the net filters in reverse, to simplify possible filter configurations
in the future.

Signed-off-by: Wen Congyang <address@hidden>
Signed-off-by: Li Zhijian <address@hidden>
Reviewed-by: Yang Hongyang <address@hidden>
Signed-off-by: Jason Wang <address@hidden>


  Commit: aa9156f4b1036ee7caf9d2a254dfc7147a084f41
      https://github.com/qemu/qemu/commit/aa9156f4b1036ee7caf9d2a254dfc7147a084f41
  Author: zhanghailiang <address@hidden>
  Date:   2016-02-04 (Thu, 04 Feb 2016)

  Changed paths:
    M include/net/filter.h
    M net/filter.c
    M net/net.c

  Log Message:
  -----------
  net/filter: Fix the output information for command 'info network'

The properties of a netfilter object can be changed by the 'qom-set'
command, but the output of the 'info network' command is not updated,
because it gets the old information through nf->info_str, which is
not updated when we change the value of a netfilter's property.

Here we split out a helper function that collects the output
information for a filter, and also remove the now useless member
'info_str' from struct NetFilterState.

Signed-off-by: zhanghailiang <address@hidden>
Cc: Jason Wang <address@hidden>
Cc: Eric Blake <address@hidden>
Cc: Markus Armbruster <address@hidden>
Cc: Yang Hongyang <address@hidden>
Reviewed-by: Eric Blake <address@hidden>
Signed-off-by: Jason Wang <address@hidden>


  Commit: bac8e20367994991eebd94b4407179684a5995ce
      https://github.com/qemu/qemu/commit/bac8e20367994991eebd94b4407179684a5995ce
  Author: Peter Maydell <address@hidden>
  Date:   2016-02-04 (Thu, 04 Feb 2016)

  Changed paths:
    M hw/net/cadence_gem.c
    M hw/net/e1000.c
    M include/net/filter.h
    M include/net/net.h
    M net/filter.c
    M net/net.c
    M net/netmap.c
    M net/slirp.c
    M os-posix.c
    M qemu-doc.texi
    M slirp/bootp.c
    M slirp/ip_icmp.c
    M slirp/mbuf.c
    M slirp/mbuf.h
    M slirp/slirp.c
    M slirp/slirp.h
    M slirp/socket.c
    M slirp/socket.h
    M slirp/tcp_input.c
    M slirp/tcp_subr.c
    M slirp/tftp.c
    M slirp/udp.c
    M slirp/udp.h
    M vl.c

  Log Message:
  -----------
  Merge remote-tracking branch 'remotes/jasowang/tags/net-pull-request' into staging

# gpg: Signature made Thu 04 Feb 2016 08:26:24 GMT using RSA key ID 398D6211
# gpg: Good signature from "Jason Wang (Jason Wang on RedHat) <address@hidden>"
# gpg: WARNING: This key is not certified with sufficiently trusted signatures!
# gpg:          It is not certain that the signature belongs to the owner.
# Primary key fingerprint: 215D 46F4 8246 689E C77F  3562 EF04 965B 398D 6211

* remotes/jasowang/tags/net-pull-request:
  net/filter: Fix the output information for command 'info network'
  net: always walk through filters in reverse if traffic is egress
  net: netmap: use nm_open() to open netmap ports
  e1000: eliminate infinite loops on out-of-bounds transfer start
  slirp: Adding family argument to tcp_fconnect()
  slirp: Make udp_attach IPv6 compatible
  slirp: Add sockaddr_equal, make solookup family-agnostic
  slirp: Factorizing and cleaning solookup()
  slirp: Factorizing address translation
  slirp: Make Socket structure IPv6 compatible
  slirp: Adding address family switch for produced frames
  slirp: Generalizing and neutralizing ARP code
  slirp: goto bad in udp_input if sosendto fails
  cadence_gem: fix buffer overflow
  net: cadence_gem: check packet size in gem_receive
  qemu-doc: Do not promote deprecated -smb and -redir options
  net/slirp: Tell the users when they are using deprecated options

Signed-off-by: Peter Maydell <address@hidden>


Compare: https://github.com/qemu/qemu/compare/ae533a46a10a...bac8e2036799
