Date: Thu, 8 May 2014 00:15:09 +0200
From: Samuel Thibault
Message-ID: <20140507221509.GA3302@type.youpi.perso.aquilenet.fr>
References: <1396218189-14422-1-git-send-email-samuel.thibault@ens-lyon.org> <1396218189-14422-2-git-send-email-samuel.thibault@ens-lyon.org>
In-Reply-To: <1396218189-14422-2-git-send-email-samuel.thibault@ens-lyon.org>
Subject: [Qemu-devel] [PATCH, DoS] slirp (arp): do not special-case bogus IP addresses
To: qemu-devel@nongnu.org

Do not special-case addresses with zero host part, as we do not necessarily know how big it is, and the guest can fake them anyway.

Signed-off-by: Samuel Thibault
---
This is particularly bad actually: one can for instance simply do this inside a Linux guest

    ip addr add 192.0.0.0/1 dev eth0

and crash qemu (thus a DoS) by just emitting a packet (thus from 192.0.0.0), getting:

    qemu-system-x86_64: /usr/src/qemu/slirp/arp_table.c:77: arp_table_search: Assertion `(ip_addr & __bswap_32 (~(0xfU << 28))) != 0' failed.

so it should probably go to all stable maintained versions.

 arp_table.c | 8 --------
 1 file changed, 8 deletions(-)

diff --git a/slirp/arp_table.c b/slirp/arp_table.c
index ecdb0ba..243cbbc 100644
--- a/slirp/arp_table.c
+++ b/slirp/arp_table.c
@@ -37,11 +37,6 @@ void arp_table_add(Slirp *slirp, uint32_t ip_addr, uint8_t ethaddr[ETH_ALEN]) ethaddr[0], ethaddr[1], ethaddr[2], ethaddr[3], ethaddr[4], ethaddr[5])); - /* Check 0.0.0.0/8 invalid source-only addresses */ - if ((ip_addr & htonl(~(0xfU << 28))) == 0) { - return; - } - if (ip_addr == 0xffffffff || ip_addr == broadcast_addr) { /* Do not register broadcast addresses */ return;
@@ -73,9 +68,6 @@ bool arp_table_search(Slirp *slirp, uint32_t ip_addr, DEBUG_CALL("arp_table_search"); DEBUG_ARG("ip = 0x%x", ip_addr); - /* Check 0.0.0.0/8 invalid source-only addresses */ - assert((ip_addr & htonl(~(0xfU << 28))) != 0); - /* If broadcast address */ if (ip_addr == 0xffffffff || ip_addr == broadcast_addr) { /* return Ethernet broadcast address */
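Review bot: In the arp_table_add hunk, dropping the whole block also stops filtering 0.0.0.0 itself, the one address the removed comment was actually about (a source-only address a guest uses before it has one); if that exclusion is still wanted, a plain `if (ip_addr == 0) return;` keeps it without assuming any host-part size. The removed mask `htonl(~(0xfU << 28))` never implemented "0.0.0.0/8" as its comment claims: it keeps every bit except the top nibble of the first octet, so the test passed for a.0.0.0 whenever a is a multiple of 16 (0.0.0.0, 16.0.0.0, ..., 192.0.0.0, 240.0.0.0) and did not match 0.0.0.1; that mismatch is exactly why the guest's 192.0.0.0 reaches the assert, and it deserves a sentence in the commit message. Since the cover note asks for stable backports, the message should also carry a `Cc: qemu-stable@nongnu.org` trailer next to the Signed-off-by.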
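Review bot: In the arp_table_search hunk, deleting the assert rather than softening it is the right call: ip_addr here comes from guest-originated packets, so assert() turned a guest-chosen source address (192.0.0.0 in the cover note, for which `(ip_addr & htonl(~(0xfU << 28))) == 0` holds) into an abort of the whole QEMU process. With the check gone, a lookup for such an address falls through to the broadcast test and the table scan and returns false when nothing was registered, which is a return value the bool-returning caller already has to handle. Worth stating in the commit message that the assert was reachable from guest input, since that is the security-relevant part of the change.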
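The crash in the cover note comes from the mask in the removed check, which does not match 0.0.0.0/8 as its comment says. As an added example (not slirp or QEMU code), the C program below computes exactly which addresses that mask matches, independent of host byte order, and pairs it with an ARP-style lookup that fails closed on a guest-chosen address instead of aborting. The toy table, the names removed_mask, removed_check_fires, table_add, table_search and demo_lookup, and the 52:54:00:12:34:56 MAC are all constructed for the example.

```c
/* Added example, not slirp code: what the removed mask really matches, and
 * an ARP lookup that fails closed on unexpected guest input.
 * Build: cc -Wall -o arp_mask_demo arp_mask_demo.c */
#include <arpa/inet.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ETH_ALEN 6

/* The exact mask the removed check used; ip_addr is in network byte order. */
static uint32_t removed_mask(void)
{
    return htonl(~(0xfU << 28));
}

/* Parse a dotted quad into a network-order uint32. */
static bool parse_ip(const char *dotted, uint32_t *out)
{
    struct in_addr a;
    if (inet_pton(AF_INET, dotted, &a) != 1)
        return false;
    *out = a.s_addr;
    return true;
}

/* Would the removed check in arp_table_add (and the removed assert in
 * arp_table_search) have fired for this address? The answer is the same
 * on little- and big-endian hosts: the mask keeps the low nibble of the
 * first octet plus the other three octets, so it fires for a.0.0.0 with
 * a a multiple of 16 (0, 16, ..., 192, 240), not for 0.0.0.0/8. */
static bool removed_check_fires(const char *dotted)
{
    uint32_t ip;
    if (!parse_ip(dotted, &ip))
        return false;
    return (ip & removed_mask()) == 0;
}

/* Toy ARP table with the same shape as slirp's entries (constructed). */
struct arp_entry {
    uint32_t ip;             /* network byte order */
    uint8_t mac[ETH_ALEN];
};

static struct arp_entry table[4];
static size_t table_len;

static void table_add(const char *dotted, const uint8_t mac[ETH_ALEN])
{
    uint32_t ip;
    if (!parse_ip(dotted, &ip) || table_len >= 4)
        return;
    if (ip == 0xffffffff)    /* never register the broadcast address */
        return;
    table[table_len].ip = ip;
    memcpy(table[table_len].mac, mac, ETH_ALEN);
    table_len++;
}

/* Lookup that never asserts on guest-controlled data: an unknown address
 * yields false and the caller decides what to do with the packet. */
static bool table_search(const char *dotted, uint8_t out[ETH_ALEN])
{
    uint32_t ip;
    if (!parse_ip(dotted, &ip))
        return false;
    if (ip == 0xffffffff) {  /* broadcast maps to ff:ff:ff:ff:ff:ff */
        memset(out, 0xff, ETH_ALEN);
        return true;
    }
    for (size_t i = 0; i < table_len; i++) {
        if (table[i].ip == ip) {
            memcpy(out, table[i].mac, ETH_ALEN);
            return true;
        }
    }
    return false;
}

/* Register the guest's faked 192.0.0.0 (from "ip addr add 192.0.0.0/1") and
 * look an address up; true on a hit, false on a miss, never an abort. */
static bool demo_lookup(const char *dotted)
{
    static const uint8_t mac[ETH_ALEN] = {0x52, 0x54, 0x00, 0x12, 0x34, 0x56};
    uint8_t found[ETH_ALEN];
    if (table_len == 0)
        table_add("192.0.0.0", mac);
    return table_search(dotted, found);
}

int main(void)
{
    const char *probe[] = {"0.0.0.0", "0.0.0.1", "1.0.0.0", "16.0.0.0",
                           "192.0.0.0", "192.0.0.1", "10.0.2.15", "240.0.0.0"};
    for (size_t i = 0; i < sizeof probe / sizeof *probe; i++)
        printf("%-12s removed check fires: %s\n", probe[i],
               removed_check_fires(probe[i]) ? "yes" : "no");
    printf("search 192.0.0.0: %s\n", demo_lookup("192.0.0.0") ? "hit" : "miss");
    printf("search 192.0.0.7: %s\n", demo_lookup("192.0.0.7") ? "hit" : "miss");
    return 0;
}
```

Running it shows 0.0.0.1 passing the removed check while 192.0.0.0 and 240.0.0.0 trip it, which is the comment/mask mismatch behind the crash; the lookup half shows the pattern the patch moves to, where guest-supplied addresses are validated by a return value rather than by assert().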