summaryrefslogtreecommitdiff
path: root/qemu_patches/0003-slirp-add-disable_host_loopback-prohibit-connections.patch
diff options
context:
space:
mode:
Diffstat (limited to 'qemu_patches/0003-slirp-add-disable_host_loopback-prohibit-connections.patch')
-rw-r--r--qemu_patches/0003-slirp-add-disable_host_loopback-prohibit-connections.patch209
1 files changed, 0 insertions, 209 deletions
diff --git a/qemu_patches/0003-slirp-add-disable_host_loopback-prohibit-connections.patch b/qemu_patches/0003-slirp-add-disable_host_loopback-prohibit-connections.patch
deleted file mode 100644
index 819edeb..0000000
--- a/qemu_patches/0003-slirp-add-disable_host_loopback-prohibit-connections.patch
+++ /dev/null
@@ -1,209 +0,0 @@
-From 3e8a2a9a3a467e7ab02cc28f99bdcd5d2e30d217 Mon Sep 17 00:00:00 2001
-From: Akihiro Suda <suda.akihiro@lab.ntt.co.jp>
-Date: Wed, 6 Mar 2019 17:04:14 +0900
-Subject: [PATCH 3/3] slirp: add disable_host_loopback (prohibit connections to
- 127.0.0.1)
-
-From slirp4netns project:
-* https://github.com/rootless-containers/slirp4netns/commit/6325473781bb344c225f54e2d28800fb0619d7ee
-* https://github.com/rootless-containers/slirp4netns/commit/13b24026867d4c30d5d1465ac82e3bb890bf4caa
-
-Signed-off-by: Akihiro Suda <suda.akihiro@lab.ntt.co.jp>
-Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
----
- slirp/src/ip_icmp.c | 6 +++-
- slirp/src/libslirp.h | 2 ++
- slirp/src/slirp.c | 1 +
- slirp/src/slirp.h | 2 ++
- slirp/src/socket.c | 68 +++++++++++++++++++++++++-------------------
- slirp/src/socket.h | 2 +-
- slirp/src/tcp_subr.c | 4 ++-
- 7 files changed, 53 insertions(+), 32 deletions(-)
-
-diff --git a/slirp/src/ip_icmp.c b/slirp/src/ip_icmp.c
-index 1aea18afa7..b0f116dd22 100644
---- a/slirp/src/ip_icmp.c
-+++ b/slirp/src/ip_icmp.c
-@@ -189,7 +189,11 @@ icmp_input(struct mbuf *m, int hlen)
-
- /* Send the packet */
- addr = so->fhost.ss;
-- sotranslate_out(so, &addr);
-+ if (sotranslate_out(so, &addr) < 0) {
-+ icmp_send_error(m, ICMP_UNREACH, ICMP_UNREACH_NET, 0, strerror(errno));
-+ udp_detach(so);
-+ return;
-+ }
-
- if(sendto(so->s, icmp_ping_msg, strlen(icmp_ping_msg), 0,
- (struct sockaddr *)&addr, sockaddr_size(&addr)) == -1) {
-diff --git a/slirp/src/libslirp.h b/slirp/src/libslirp.h
-index 4e2d4ee6c7..d8e69828ba 100644
---- a/slirp/src/libslirp.h
-+++ b/slirp/src/libslirp.h
-@@ -87,6 +87,8 @@ typedef struct SlirpConfig{
- int if_mtu;
- /* Default: IF_MRU_DEFAULT */
- int if_mru;
-+ /* Prohibit connecting to 127.0.0.1:* */
-+ bool disable_host_loopback;
- } SlirpConfig;
-
- Slirp *slirp_initx(const SlirpConfig *cfg, const SlirpCb *callbacks, void *opaque);
-diff --git a/slirp/src/slirp.c b/slirp/src/slirp.c
-index 8c02913769..cc1215d2dd 100644
---- a/slirp/src/slirp.c
-+++ b/slirp/src/slirp.c
-@@ -325,6 +325,7 @@ Slirp *slirp_initx(const SlirpConfig *cfg, const SlirpCb *callbacks, void *opaqu
- }
- slirp->if_mtu = cfg->if_mtu == 0 ? IF_MTU_DEFAULT : cfg->if_mtu;
- slirp->if_mru = cfg->if_mru == 0 ? IF_MRU_DEFAULT : cfg->if_mru;
-+ slirp->disable_host_loopback = cfg->disable_host_loopback;
-
- return slirp;
- }
-diff --git a/slirp/src/slirp.h b/slirp/src/slirp.h
-index 1c485be36f..fce6583f8a 100644
---- a/slirp/src/slirp.h
-+++ b/slirp/src/slirp.h
-@@ -149,6 +149,8 @@ struct Slirp {
- int if_mtu;
- int if_mru;
-
-+ bool disable_host_loopback;
-+
- /* mbuf states */
- struct quehead m_freelist;
- struct quehead m_usedlist;
-diff --git a/slirp/src/socket.c b/slirp/src/socket.c
-index 4a3c935e25..be27e523e6 100644
---- a/slirp/src/socket.c
-+++ b/slirp/src/socket.c
-@@ -659,7 +659,9 @@ sosendto(struct socket *so, struct mbuf *m)
-
- addr = so->fhost.ss;
- DEBUG_CALL(" sendto()ing)");
-- sotranslate_out(so, &addr);
-+ if (sotranslate_out(so, &addr) < 0) {
-+ return -1;
-+ }
-
- /* Don't care what port we get */
- ret = sendto(so->s, m->m_data, m->m_len, 0,
-@@ -825,49 +827,57 @@ sofwdrain(struct socket *so)
- /*
- * Translate addr in host addr when it is a virtual address
- */
--void sotranslate_out(struct socket *so, struct sockaddr_storage *addr)
-+int sotranslate_out(struct socket *so, struct sockaddr_storage *addr)
- {
-+ int rc = 0;
- Slirp *slirp = so->slirp;
- struct sockaddr_in *sin = (struct sockaddr_in *)addr;
- struct sockaddr_in6 *sin6 = (struct sockaddr_in6 *)addr;
-
- switch (addr->ss_family) {
-- case AF_INET:
-- if ((so->so_faddr.s_addr & slirp->vnetwork_mask.s_addr) ==
-- slirp->vnetwork_addr.s_addr) {
-- /* It's an alias */
-- if (so->so_faddr.s_addr == slirp->vnameserver_addr.s_addr) {
-- if (get_dns_addr(&sin->sin_addr) < 0) {
-+ case AF_INET:
-+ if ((so->so_faddr.s_addr & slirp->vnetwork_mask.s_addr) ==
-+ slirp->vnetwork_addr.s_addr) {
-+ /* It's an alias */
-+ if (so->so_faddr.s_addr == slirp->vnameserver_addr.s_addr) {
-+ if (get_dns_addr(&sin->sin_addr) >= 0) {
-+ goto ret;
-+ }
-+ }
-+ if (slirp->disable_host_loopback) {
-+ rc = -1;
-+ errno = EPERM;
-+ goto ret;
-+ } else {
- sin->sin_addr = loopback_addr;
- }
-- } else {
-- sin->sin_addr = loopback_addr;
- }
-- }
--
-- DEBUG_MISC(" addr.sin_port=%d, addr.sin_addr.s_addr=%.16s",
-- ntohs(sin->sin_port), inet_ntoa(sin->sin_addr));
-- break;
--
-- case AF_INET6:
-- if (in6_equal_net(&so->so_faddr6, &slirp->vprefix_addr6,
-- slirp->vprefix_len)) {
-- if (in6_equal(&so->so_faddr6, &slirp->vnameserver_addr6)) {
-- uint32_t scope_id;
-- if (get_dns6_addr(&sin6->sin6_addr, &scope_id) >= 0) {
-- sin6->sin6_scope_id = scope_id;
-+ break;
-+ case AF_INET6:
-+ if (in6_equal_net(&so->so_faddr6, &slirp->vprefix_addr6,
-+ slirp->vprefix_len)) {
-+ if (in6_equal(&so->so_faddr6, &slirp->vnameserver_addr6)) {
-+ uint32_t scope_id;
-+ if (get_dns6_addr(&sin6->sin6_addr, &scope_id) >= 0) {
-+ sin6->sin6_scope_id = scope_id;
-+ goto ret;
-+ }
-+ }
-+ if (slirp->disable_host_loopback){
-+ rc = -1;
-+ errno = EPERM;
-+ goto ret;
- } else {
- sin6->sin6_addr = in6addr_loopback;
- }
-- } else {
-- sin6->sin6_addr = in6addr_loopback;
- }
-- }
-- break;
-+ break;
-
-- default:
-- break;
-+ default:
-+ break;
- }
-+ret:
-+ return rc;
- }
-
- void sotranslate_in(struct socket *so, struct sockaddr_storage *addr)
-diff --git a/slirp/src/socket.h b/slirp/src/socket.h
-index 25403898cd..791ae9482c 100644
---- a/slirp/src/socket.h
-+++ b/slirp/src/socket.h
-@@ -151,7 +151,7 @@ struct iovec; /* For win32 */
- size_t sopreprbuf(struct socket *so, struct iovec *iov, int *np);
- int soreadbuf(struct socket *so, const char *buf, int size);
-
--void sotranslate_out(struct socket *, struct sockaddr_storage *);
-+int sotranslate_out(struct socket *, struct sockaddr_storage *);
- void sotranslate_in(struct socket *, struct sockaddr_storage *);
- void sotranslate_accept(struct socket *);
- void sodrop(struct socket *, int num);
-diff --git a/slirp/src/tcp_subr.c b/slirp/src/tcp_subr.c
-index e88e51e39c..4224213c14 100644
---- a/slirp/src/tcp_subr.c
-+++ b/slirp/src/tcp_subr.c
-@@ -420,7 +420,9 @@ int tcp_fconnect(struct socket *so, unsigned short af)
-
- addr = so->fhost.ss;
- DEBUG_CALL(" connect()ing");
-- sotranslate_out(so, &addr);
-+ if (sotranslate_out(so, &addr) < 0) {
-+ return -1;
-+ }
-
- /* We don't care what port we get */
- ret = connect(s, (struct sockaddr *)&addr, sockaddr_size(&addr));
---
-2.20.1
-
generated by cgit v1.2.3 (git 2.25.1) at 2024-06-30 05:48:23 +0000