commit | 69b0d71870eca29f04d59da277a42d6515c3edd6 | [log] [tgz] |
---|---|---|
author | Prasad J Pandit <pjp@fedoraproject.org> | Thu Nov 26 19:27:06 2020 +0530 |
committer | Marc-André Lureau <marcandre.lureau@redhat.com> | Fri Nov 27 20:42:31 2020 +0400 |
tree | bb7e5b1557ef32b34840dbc11c0d83ff8313aa25 | |
parent | eff957d5b04578573fa6bc6e851e950da80ba51b [diff] |
slirp: check pkt_len before reading protocol header While processing ARP/NCSI packets in 'arp_input' or 'ncsi_input' routines, ensure that pkt_len is large enough to accommodate the respective protocol headers, lest it should do an OOB access. Add check to avoid it. CVE-2020-29129 CVE-2020-29130 QEMU: slirp: out-of-bounds access while processing ARP/NCSI packets -> https://www.openwall.com/lists/oss-security/2020/11/27/1 Reported-by: Qiuhao Li <Qiuhao.Li@outlook.com> Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org> Message-Id: <20201126135706.273950-1-ppandit@redhat.com> Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
libslirp is a user-mode networking library used by virtual machines, containers or various tools.
A C compiler, make/meson and glib2 development libraries.
(see also .gitlab-ci.yml DEPS variable for the list of dependencies on Fedora)
You may build and install the shared library with meson:
meson build ninja -C build install
And configure QEMU with --enable-slirp=system to link against it.
(QEMU may build with the submodule static library using --enable-slirp=git)
Unfortunately, there are no automated tests available.
You may run QEMU -net user
linked with your development version.
Feel free to open issues on the project issues page.
You may clone the gitlab project and create a merge request.
Contributing with gitlab allows gitlab workflow, tracking issues, running CI etc.
Alternatively, you may send patches to slirp@lists.freedesktop.org mailing list.
We intend to use libtool's versioning for the shared libraries and use SemVer for project versions.
For the versions available, see the tags on this repository.
See the COPYRIGHT file for details.