| Message ID | 20181110134548.14741-6-marcandre.lureau@redhat.com |
|---|---|
| State | New |
| Headers | show |
| Series | slirp: cleanups | expand |
Marc-André Lureau, le sam. 10 nov. 2018 17:45:40 +0400, a ecrit: > EMU_RSH handling was dropped in commit > 0d62c4cfe21752df4c1d6e2c2398f15d5eaa794a. > > The assignment, and subsequent free() of ex_ptr->ex_exec to so->extra > looks unsafe (double free is likely to occur). Applied to my tree, thanks! Samuel
On 10/11/2018 14:45, Marc-André Lureau wrote: > EMU_RSH handling was dropped in commit > 0d62c4cfe21752df4c1d6e2c2398f15d5eaa794a. > > The assignment, and subsequent free() of ex_ptr->ex_exec to so->extra > looks unsafe (double free is likely to occur). > > Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com> > --- > slirp/misc.h | 1 - > slirp/slirp.c | 2 -- > slirp/socket.c | 4 ---- > slirp/tcp_subr.c | 1 - > 4 files changed, 8 deletions(-) > > diff --git a/slirp/misc.h b/slirp/misc.h > index 64ca88c3b7..94829722cd 100644 > --- a/slirp/misc.h > +++ b/slirp/misc.h > @@ -26,7 +26,6 @@ struct ex_list { > #define EMU_REALAUDIO 0x5 > #define EMU_RLOGIN 0x6 > #define EMU_IDENT 0x7 > -#define EMU_RSH 0x8 > > #define EMU_NOCONNECT 0x10 /* Don't connect */ > > diff --git a/slirp/slirp.c b/slirp/slirp.c > index 58d1ef64e9..daa0d5d4bd 100644 > --- a/slirp/slirp.c > +++ b/slirp/slirp.c > @@ -1491,8 +1491,6 @@ static int slirp_state_load(QEMUFile *f, void *opaque, int version_id) > } > if (!ex_ptr) > return -EINVAL; > - > - so->extra = (void *)ex_ptr->ex_exec; > } > > return vmstate_load_state(f, &vmstate_slirp, slirp, version_id); > diff --git a/slirp/socket.c b/slirp/socket.c > index 322383a1f9..ff6ef1e334 100644 > --- a/slirp/socket.c > +++ b/slirp/socket.c > @@ -91,10 +91,6 @@ sofree(struct socket *so) > soqfree(so, &slirp->if_fastq); > soqfree(so, &slirp->if_batchq); > > - if (so->so_emu==EMU_RSH && so->extra) { > - sofree(so->extra); > - so->extra=NULL; > - } > if (so == slirp->tcp_last_so) { > slirp->tcp_last_so = &slirp->tcb; > } else if (so == slirp->udp_last_so) { > diff --git a/slirp/tcp_subr.c b/slirp/tcp_subr.c > index e0bf7ad070..eb894b6527 100644 > --- a/slirp/tcp_subr.c > +++ b/slirp/tcp_subr.c > @@ -546,7 +546,6 @@ static const struct tos_t tcptos[] = { > {0, 23, IPTOS_LOWDELAY, 0}, /* telnet */ > {0, 80, IPTOS_THROUGHPUT, 0}, /* WWW */ > {0, 513, IPTOS_LOWDELAY, EMU_RLOGIN|EMU_NOCONNECT}, /* rlogin */ > - {0, 514, IPTOS_LOWDELAY, EMU_RSH|EMU_NOCONNECT}, /* shell */ > {0, 544, IPTOS_LOWDELAY, EMU_KSH}, /* kshell */ > {0, 543, IPTOS_LOWDELAY, 0}, /* klogin */ > {0, 6667, IPTOS_THROUGHPUT, EMU_IRC}, /* IRC */ > Ouch, do we really want to have a stateful firewall in QEMU? I would say burn all of tcp_emu with fire... Paolo
diff --git a/slirp/misc.h b/slirp/misc.h index 64ca88c3b7..94829722cd 100644 --- a/slirp/misc.h +++ b/slirp/misc.h @@ -26,7 +26,6 @@ struct ex_list { #define EMU_REALAUDIO 0x5 #define EMU_RLOGIN 0x6 #define EMU_IDENT 0x7 -#define EMU_RSH 0x8 #define EMU_NOCONNECT 0x10 /* Don't connect */ diff --git a/slirp/slirp.c b/slirp/slirp.c index 58d1ef64e9..daa0d5d4bd 100644 --- a/slirp/slirp.c +++ b/slirp/slirp.c @@ -1491,8 +1491,6 @@ static int slirp_state_load(QEMUFile *f, void *opaque, int version_id) } if (!ex_ptr) return -EINVAL; - - so->extra = (void *)ex_ptr->ex_exec; } return vmstate_load_state(f, &vmstate_slirp, slirp, version_id); diff --git a/slirp/socket.c b/slirp/socket.c index 322383a1f9..ff6ef1e334 100644 --- a/slirp/socket.c +++ b/slirp/socket.c @@ -91,10 +91,6 @@ sofree(struct socket *so) soqfree(so, &slirp->if_fastq); soqfree(so, &slirp->if_batchq); - if (so->so_emu==EMU_RSH && so->extra) { - sofree(so->extra); - so->extra=NULL; - } if (so == slirp->tcp_last_so) { slirp->tcp_last_so = &slirp->tcb; } else if (so == slirp->udp_last_so) { diff --git a/slirp/tcp_subr.c b/slirp/tcp_subr.c index e0bf7ad070..eb894b6527 100644 --- a/slirp/tcp_subr.c +++ b/slirp/tcp_subr.c @@ -546,7 +546,6 @@ static const struct tos_t tcptos[] = { {0, 23, IPTOS_LOWDELAY, 0}, /* telnet */ {0, 80, IPTOS_THROUGHPUT, 0}, /* WWW */ {0, 513, IPTOS_LOWDELAY, EMU_RLOGIN|EMU_NOCONNECT}, /* rlogin */ - {0, 514, IPTOS_LOWDELAY, EMU_RSH|EMU_NOCONNECT}, /* shell */ {0, 544, IPTOS_LOWDELAY, EMU_KSH}, /* kshell */ {0, 543, IPTOS_LOWDELAY, 0}, /* klogin */ {0, 6667, IPTOS_THROUGHPUT, EMU_IRC}, /* IRC */
EMU_RSH handling was dropped in commit 0d62c4cfe21752df4c1d6e2c2398f15d5eaa794a. The assignment, and subsequent free() of ex_ptr->ex_exec to so->extra looks unsafe (double free is likely to occur). Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com> --- slirp/misc.h | 1 - slirp/slirp.c | 2 -- slirp/socket.c | 4 ---- slirp/tcp_subr.c | 1 - 4 files changed, 8 deletions(-)