From c7990a26480032ad129f8c4ddad7d9a132c934ca Mon Sep 17 00:00:00 2001
From: Tao Wu
Date: Sat, 29 Apr 2017 19:20:56 +0200
Subject: [PATCH 1/3] slirp: Fix wrong mss bug.
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

This bug was introduced by https://github.com/qemu/qemu/commit/98c6305

Signed-off-by: Tao Wu
Reviewed-by: Philippe Mathieu-Daudé
Signed-off-bu: Samuel Thibault
---
 slirp/tcp_input.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/slirp/tcp_input.c b/slirp/tcp_input.c
index edb98f06f3..07bcbdb2dd 100644
--- a/slirp/tcp_input.c
+++ b/slirp/tcp_input.c
@@ -1587,11 +1587,11 @@ tcp_mss(struct tcpcb *tp, u_int offer)
 switch (so->so_ffamily) {
 case AF_INET:
 mss = MIN(IF_MTU, IF_MRU) - sizeof(struct tcphdr)
- + sizeof(struct ip);
+ - sizeof(struct ip);
 break;
 case AF_INET6:
 mss = MIN(IF_MTU, IF_MRU) - sizeof(struct tcphdr)
- + sizeof(struct ip6);
+ - sizeof(struct ip6);
 break;
 default:
 g_assert_not_reached();

From 7d8246960e03dabf37726c01d231e89dfde9b229 Mon Sep 17 00:00:00 2001
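Review bot: The corrected expression in both arms subtracts only the fixed TCP and IP header sizes from MIN(IF_MTU, IF_MRU), so IP or TCP options are not deducted here, and nothing in the hunk says so; a one-line comment above the switch would keep the next reader from "fixing" the sign again, e.g. `/* MSS derived from the link MTU: fixed TCP + IP header only, options are not deducted here */`. As a point of style, the two arms differ only in the header type, so selecting a single header length in the switch and subtracting it once would remove the duplicated arithmetic. tcp_mss starts before and continues after the hunk, so how `offer` is later combined with this value is not visible here.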
From: =?UTF-8?q?Marc-Andr=C3=A9=20Lureau?=
Date: Thu, 4 May 2017 02:38:45 +0400
Subject: [PATCH 2/3] slirp: fix leak
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Spotted by ASAN:

/x86_64/hmp/pc-0.12: =================================================================
==22538==ERROR: LeakSanitizer: detected memory leaks

Direct leak of 224 byte(s) in 1 object(s) allocated from:
    #0 0x7f0f63cdee60 in malloc (/lib64/libasan.so.3+0xc6e60)
    #1 0x556f11ff32d7 in tcp_newtcpcb /home/elmarco/src/qemu/slirp/tcp_subr.c:250
    #2 0x556f11fdb1d1 in tcp_listen /home/elmarco/src/qemu/slirp/socket.c:688
    #3 0x556f11fca9d5 in slirp_add_hostfwd /home/elmarco/src/qemu/slirp/slirp.c:1052
    #4 0x556f11f8db41 in slirp_hostfwd /home/elmarco/src/qemu/net/slirp.c:506
    #5 0x556f11f8dd83 in hmp_hostfwd_add /home/elmarco/src/qemu/net/slirp.c:535

There might be a better way to fix this, but calling slirp tcp_close() doesn't work.

Signed-off-by: Marc-André Lureau
Signed-off-by: Samuel Thibault
---
 slirp/socket.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/slirp/socket.c b/slirp/socket.c
index 86927722e1..3b49a69a93 100644
--- a/slirp/socket.c
+++ b/slirp/socket.c
@@ -100,6 +100,9 @@ sofree(struct socket *so)
 if(so->so_next && so->so_prev)
 remque(so); /* crashes if so is not in a queue */
+ if (so->so_tcpcb) {
+ free(so->so_tcpcb);
+ }
 free(so);
 }

From 2e30230aa95a2d6cfaadac015bd96c3db19c45e4 Mon Sep 17 00:00:00 2001
From: Sjors Gielen
Date: Wed, 24 May 2017 17:51:12 +0000
Subject: [PATCH 3/3] Fix total IP header length in forwarded TCP packets

When forwarding TCP packets, the internal tcpiphdr struct length was wrongly used inside the IP header. This commit changes the behaviour to what is used by tcp_output.c, using the correct full IP header + payload length.

Signed-off-by: Sjors Gielen
Signed-off-by: Samuel Thibault
---
 slirp/tcp_subr.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

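Review bot: The NULL guard around `free(so->so_tcpcb)` is redundant (free(NULL) is a no-op) and it does not cover the case that matters: any other path that frees the tcpcb without clearing `so->so_tcpcb` before sofree() runs would turn this line into a double free, so the invariant that every such path nulls the pointer should be confirmed, in particular in tcp_close(), which the message says could not be used here. The leak trace shows the tcpcb coming from malloc() in tcp_newtcpcb, so releasing it with free() is the matching call. A comment stating the ownership would make the rule explicit, e.g. `/* Release the tcpcb from tcp_newtcpcb(); any path that frees it earlier must clear so_tcpcb. */`. If the tcpcb owns further allocations they are not released by this single free; presumably nothing is attached on the listen-socket path in the trace, but that is inferred from the trace, not visible in the hunk.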
diff --git a/slirp/tcp_subr.c b/slirp/tcp_subr.c
index ed16e1807f..dc8b4bbb50 100644
--- a/slirp/tcp_subr.c
+++ b/slirp/tcp_subr.c
@@ -204,7 +204,7 @@ tcp_respond(struct tcpcb *tp, struct tcpiphdr *ti, struct mbuf *m,
 m->m_len -= sizeof(struct tcpiphdr) - sizeof(struct tcphdr)
 - sizeof(struct ip);
 ip = mtod(m, struct ip *);
- ip->ip_len = tlen;
+ ip->ip_len = m->m_len;
 ip->ip_dst = tcpiph_save.ti_dst;
 ip->ip_src = tcpiph_save.ti_src;
 ip->ip_p = tcpiph_save.ti_pr;
@@ -224,7 +224,7 @@ tcp_respond(struct tcpcb *tp, struct tcpiphdr *ti, struct mbuf *m,
 m->m_len -= sizeof(struct tcpiphdr) - sizeof(struct tcphdr)
 - sizeof(struct ip6);
 ip6 = mtod(m, struct ip6 *);
- ip6->ip_pl = tlen;
+ ip6->ip_pl = tcpiph_save.ti_len;
 ip6->ip_dst = tcpiph_save.ti_dst6;
 ip6->ip_src = tcpiph_save.ti_src6;
 ip6->ip_nh = tcpiph_save.ti_nh6;
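Review bot: The two hunks fill the length field from different sources, `ip->ip_len = m->m_len` in the AF_INET arm and `ip6->ip_pl = tcpiph_save.ti_len` in the AF_INET6 arm, and neither carries a comment saying why they differ, which is the same kind of asymmetry that let the original `tlen` mistake go unnoticed. If ip_pl is the IPv6 payload length (TCP header plus data, excluding the IPv6 header) while ip_len is the total IPv4 datagram length, both lines are right and that deserves stating once: `/* IPv4 ip_len includes the IP header; IPv6 ip_pl is payload only, hence the different sources */`. Whether assigning m->m_len into ip_len needs an explicit narrowing cast depends on the types of both fields, which are not visible here. tcp_respond begins before and continues after both hunks.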