Diffstat (limited to 'qemu_patches/0003-slirp-add-disable_host_loopback-prohibit-connections.patch')
-rw-r--r-- | qemu_patches/0003-slirp-add-disable_host_loopback-prohibit-connections.patch | 209 |
1 files changed, 0 insertions, 209 deletions
diff --git a/qemu_patches/0003-slirp-add-disable_host_loopback-prohibit-connections.patch b/qemu_patches/0003-slirp-add-disable_host_loopback-prohibit-connections.patch
deleted file mode 100644
index 819edeb..0000000
--- a/qemu_patches/0003-slirp-add-disable_host_loopback-prohibit-connections.patch
+++ /dev/null
@@ -1,209 +0,0 @@
-From 3e8a2a9a3a467e7ab02cc28f99bdcd5d2e30d217 Mon Sep 17 00:00:00 2001
-From: Akihiro Suda <suda.akihiro@lab.ntt.co.jp>
-Date: Wed, 6 Mar 2019 17:04:14 +0900
-Subject: [PATCH 3/3] slirp: add disable_host_loopback (prohibit connections to
- 127.0.0.1)
-
-From slirp4netns project:
-* https://github.com/rootless-containers/slirp4netns/commit/6325473781bb344c225f54e2d28800fb0619d7ee
-* https://github.com/rootless-containers/slirp4netns/commit/13b24026867d4c30d5d1465ac82e3bb890bf4caa
-
-Signed-off-by: Akihiro Suda <suda.akihiro@lab.ntt.co.jp>
-Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
----
- slirp/src/ip_icmp.c | 6 +++-
- slirp/src/libslirp.h | 2 ++
- slirp/src/slirp.c | 1 +
- slirp/src/slirp.h | 2 ++
- slirp/src/socket.c | 68 +++++++++++++++++++++++++-------------------
- slirp/src/socket.h | 2 +-
- slirp/src/tcp_subr.c | 4 ++-
- 7 files changed, 53 insertions(+), 32 deletions(-)
-
-diff --git a/slirp/src/ip_icmp.c b/slirp/src/ip_icmp.c
-index 1aea18afa7..b0f116dd22 100644
---- a/slirp/src/ip_icmp.c
-+++ b/slirp/src/ip_icmp.c
-@@ -189,7 +189,11 @@ icmp_input(struct mbuf *m, int hlen)
-
- /* Send the packet */
- addr = so->fhost.ss;
-- sotranslate_out(so, &addr);
-+ if (sotranslate_out(so, &addr) < 0) {
-+ icmp_send_error(m, ICMP_UNREACH, ICMP_UNREACH_NET, 0, strerror(errno));
-+ udp_detach(so);
-+ return;
-+ }
-
- if(sendto(so->s, icmp_ping_msg, strlen(icmp_ping_msg), 0,
- (struct sockaddr *)&addr, sockaddr_size(&addr)) == -1) {
-diff --git a/slirp/src/libslirp.h b/slirp/src/libslirp.h
-index 4e2d4ee6c7..d8e69828ba 100644
---- a/slirp/src/libslirp.h
-+++ b/slirp/src/libslirp.h
-@@ -87,6 +87,8 @@ typedef struct SlirpConfig{
- int if_mtu;
- /* Default: IF_MRU_DEFAULT */
- int if_mru;
-+ /* Prohibit connecting to 127.0.0.1:* */
-+ bool disable_host_loopback;
- } SlirpConfig;
-
- Slirp *slirp_initx(const SlirpConfig *cfg, const SlirpCb *callbacks, void *opaque);
-diff --git a/slirp/src/slirp.c b/slirp/src/slirp.c
-index 8c02913769..cc1215d2dd 100644
---- a/slirp/src/slirp.c
-+++ b/slirp/src/slirp.c
-@@ -325,6 +325,7 @@ Slirp *slirp_initx(const SlirpConfig *cfg, const SlirpCb *callbacks, void *opaqu
- }
- slirp->if_mtu = cfg->if_mtu == 0 ? IF_MTU_DEFAULT : cfg->if_mtu;
- slirp->if_mru = cfg->if_mru == 0 ? IF_MRU_DEFAULT : cfg->if_mru;
-+ slirp->disable_host_loopback = cfg->disable_host_loopback;
-
- return slirp;
- }
-diff --git a/slirp/src/slirp.h b/slirp/src/slirp.h
-index 1c485be36f..fce6583f8a 100644
---- a/slirp/src/slirp.h
-+++ b/slirp/src/slirp.h
-@@ -149,6 +149,8 @@ struct Slirp {
- int if_mtu;
- int if_mru;
-
-+ bool disable_host_loopback;
-+
- /* mbuf states */
- struct quehead m_freelist;
- struct quehead m_usedlist;
-diff --git a/slirp/src/socket.c b/slirp/src/socket.c
-index 4a3c935e25..be27e523e6 100644
---- a/slirp/src/socket.c
-+++ b/slirp/src/socket.c
-@@ -659,7 +659,9 @@ sosendto(struct socket *so, struct mbuf *m)
-
- addr = so->fhost.ss;
- DEBUG_CALL(" sendto()ing)");
-- sotranslate_out(so, &addr);
-+ if (sotranslate_out(so, &addr) < 0) {
-+ return -1;
-+ }
-
- /* Don't care what port we get */
- ret = sendto(so->s, m->m_data, m->m_len, 0,
-@@ -825,49 +827,57 @@ sofwdrain(struct socket *so)
- /*
- * Translate addr in host addr when it is a virtual address
- */
--void sotranslate_out(struct socket *so, struct sockaddr_storage *addr)
-+int sotranslate_out(struct socket *so, struct sockaddr_storage *addr)
- {
-+ int rc = 0;
- Slirp *slirp = so->slirp;
- struct sockaddr_in *sin = (struct sockaddr_in *)addr;
- struct sockaddr_in6 *sin6 = (struct sockaddr_in6 *)addr;
-
- switch (addr->ss_family) {
-- case AF_INET:
-- if ((so->so_faddr.s_addr & slirp->vnetwork_mask.s_addr) ==
-- slirp->vnetwork_addr.s_addr) {
-- /* It's an alias */
-- if (so->so_faddr.s_addr == slirp->vnameserver_addr.s_addr) {
-- if (get_dns_addr(&sin->sin_addr) < 0) {
-+ case AF_INET:
-+ if ((so->so_faddr.s_addr & slirp->vnetwork_mask.s_addr) ==
-+ slirp->vnetwork_addr.s_addr) {
-+ /* It's an alias */
-+ if (so->so_faddr.s_addr == slirp->vnameserver_addr.s_addr) {
-+ if (get_dns_addr(&sin->sin_addr) >= 0) {
-+ goto ret;
-+ }
-+ }
-+ if (slirp->disable_host_loopback) {
-+ rc = -1;
-+ errno = EPERM;
-+ goto ret;
-+ } else {
- sin->sin_addr = loopback_addr;
- }
-- } else {
-- sin->sin_addr = loopback_addr;
- }
-- }
--
-- DEBUG_MISC(" addr.sin_port=%d, addr.sin_addr.s_addr=%.16s",
-- ntohs(sin->sin_port), inet_ntoa(sin->sin_addr));
-- break;
--
-- case AF_INET6:
-- if (in6_equal_net(&so->so_faddr6, &slirp->vprefix_addr6,
-- slirp->vprefix_len)) {
-- if (in6_equal(&so->so_faddr6, &slirp->vnameserver_addr6)) {
-- uint32_t scope_id;
-- if (get_dns6_addr(&sin6->sin6_addr, &scope_id) >= 0) {
-- sin6->sin6_scope_id = scope_id;
-+ break;
-+ case AF_INET6:
-+ if (in6_equal_net(&so->so_faddr6, &slirp->vprefix_addr6,
-+ slirp->vprefix_len)) {
-+ if (in6_equal(&so->so_faddr6, &slirp->vnameserver_addr6)) {
-+ uint32_t scope_id;
-+ if (get_dns6_addr(&sin6->sin6_addr, &scope_id) >= 0) {
-+ sin6->sin6_scope_id = scope_id;
-+ goto ret;
-+ }
-+ }
-+ if (slirp->disable_host_loopback){
-+ rc = -1;
-+ errno = EPERM;
-+ goto ret;
- } else {
- sin6->sin6_addr = in6addr_loopback;
- }
-- } else {
-- sin6->sin6_addr = in6addr_loopback;
- }
-- }
-- break;
-+ break;
-
-- default:
-- break;
-+ default:
-+ break;
- }
-+ret:
-+ return rc;
- }
-
- void sotranslate_in(struct socket *so, struct sockaddr_storage *addr)
-diff --git a/slirp/src/socket.h b/slirp/src/socket.h
-index 25403898cd..791ae9482c 100644
---- a/slirp/src/socket.h
-+++ b/slirp/src/socket.h
-@@ -151,7 +151,7 @@ struct iovec; /* For win32 */
- size_t sopreprbuf(struct socket *so, struct iovec *iov, int *np);
- int soreadbuf(struct socket *so, const char *buf, int size);
-
--void sotranslate_out(struct socket *, struct sockaddr_storage *);
-+int sotranslate_out(struct socket *, struct sockaddr_storage *);
- void sotranslate_in(struct socket *, struct sockaddr_storage *);
- void sotranslate_accept(struct socket *);
- void sodrop(struct socket *, int num);
-diff --git a/slirp/src/tcp_subr.c b/slirp/src/tcp_subr.c
-index e88e51e39c..4224213c14 100644
---- a/slirp/src/tcp_subr.c
-+++ b/slirp/src/tcp_subr.c
-@@ -420,7 +420,9 @@ int tcp_fconnect(struct socket *so, unsigned short af)
-
- addr = so->fhost.ss;
- DEBUG_CALL(" connect()ing");
-- sotranslate_out(so, &addr);
-+ if (sotranslate_out(so, &addr) < 0) {
-+ return -1;
-+ }
-
- /* We don't care what port we get */
- ret = connect(s, (struct sockaddr *)&addr, sockaddr_size(&addr));
---
-2.20.1
- |