From c7950fb3f3c710a70ac1411b894bed854628a5e1 Mon Sep 17 00:00:00 2001 From: Samuel Thibault Date: Thu, 31 May 2018 21:24:19 +0200 Subject: [PATCH 1/5] slirp: Fix spurious error report when sending directly MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Move check to where it actually is useful, and reduce scope of 'len' variable along the way. Signed-off-by: Samuel Thibault Reviewed-by: Philippe Mathieu-Daudé --- slirp/socket.c | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/slirp/socket.c b/slirp/socket.c index e2a71c9b04..08fe98907d 100644 --- a/slirp/socket.c +++ b/slirp/socket.c @@ -340,7 +340,7 @@ sosendoob(struct socket *so) struct sbuf *sb = &so->so_rcv; char buff[2048]; /* XXX Shouldn't be sending more oob data than this */ - int n, len; + int n; DEBUG_CALL("sosendoob"); DEBUG_ARG("so = %p", so); @@ -359,7 +359,7 @@ sosendoob(struct socket *so) * send it all */ uint32_t urgc = so->so_urgc; - len = (sb->sb_data + sb->sb_datalen) - sb->sb_rptr; + int len = (sb->sb_data + sb->sb_datalen) - sb->sb_rptr; if (len > urgc) { len = urgc; } @@ -374,13 +374,13 @@ sosendoob(struct socket *so) len += n; } n = slirp_send(so, buff, len, (MSG_OOB)); /* |MSG_DONTWAIT)); */ +#ifdef DEBUG + if (n != len) { + DEBUG_ERROR((dfd, "Didn't send all data urgently XXXXX\n")); + } +#endif } -#ifdef DEBUG - if (n != len) { - DEBUG_ERROR((dfd, "Didn't send all data urgently XXXXX\n")); - } -#endif if (n < 0) { return n; } From 02cffe24a28dafb63b80f67c6fb0f91ef7d89ef2 Mon Sep 17 00:00:00 2001 From: Samuel Thibault Date: Thu, 31 May 2018 21:45:10 +0200 Subject: [PATCH 2/5] slirp: Add Samuel Thibault's staging tree for slirp Signed-off-by: Samuel Thibault Acked-by: Thomas Huth --- MAINTAINERS | 1 + 1 file changed, 1 insertion(+) diff --git a/MAINTAINERS b/MAINTAINERS index 41cd3736a9..4c73c16fee 100644 --- a/MAINTAINERS +++ b/MAINTAINERS 
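Review bot: `int len = (sb->sb_data + sb->sb_datalen) - sb->sb_rptr;` narrows a pointer difference (ptrdiff_t) to int and is then compared with `uint32_t urgc` in `if (len > urgc)`, a mixed-sign comparison that -Wsign-compare reports. Presumably sb_rptr always lies inside the sb_data buffer, so the value is non-negative and the comparison is benign, but declaring it `uint32_t len = ...` (or `size_t`) would state that invariant in the type and match urgc, at the cost of the later `n != len` check needing the same treatment. The enclosing else branch and sosendoob() itself continue outside this hunk.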
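Review bot: The relocated `if (n != len)` check also fires when slirp_send() fails, because a negative n is never equal to len, so under DEBUG a send error is first logged as "Didn't send all data urgently" and only then returned by the `if (n < 0)` on the following lines. Guarding it as `if (n >= 0 && n != len)` keeps that diagnostic for genuine short sends only. Moving the block into the else branch is right, since `len` is now only in scope there. sosendoob()'s body continues beyond this hunk.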
@@ -1675,6 +1675,7 @@ S: Maintained F: slirp/ F: net/slirp.c F: include/net/slirp.h +T: git https://people.debian.org/~sthibault/qemu.git slirp T: git git://git.kiszka.org/qemu.git queues/slirp Stubs From 3835c310bd13662d5fb3f50f3dd62605dfd40cf9 Mon Sep 17 00:00:00 2001 From: Samuel Thibault Date: Thu, 31 May 2018 21:51:02 +0200 Subject: [PATCH 3/5] slirp: fix domainname version availability The change missed the 2.12 deadline. Signed-off-by: Samuel Thibault Reviewed-by: Eric Blake --- qapi/net.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/qapi/net.json b/qapi/net.json index 32681a1af7..6b7d93cb59 100644 --- a/qapi/net.json +++ b/qapi/net.json @@ -161,7 +161,7 @@ # to the guest # # @domainname: guest-visible domain name of the virtual nameserver -# (since 2.12) +# (since 3.0) # # @ipv6-prefix: IPv6 network prefix (default is fec0::) (since # 2.6). The network prefix is given in the usual From 864036e251f54c99d31df124aad7f34f01f5344c Mon Sep 17 00:00:00 2001 From: Prasad J Pandit Date: Tue, 5 Jun 2018 23:38:35 +0530 Subject: [PATCH 4/5] slirp: correct size computation while concatenating mbuf While reassembling incoming fragmented datagrams, 'm_cat' routine extends the 'mbuf' buffer, if it has insufficient room. It computes a wrong buffer size, which leads to overwriting adjacent heap buffer area. Correct this size computation in m_cat. Reported-by: ZDI Disclosures Signed-off-by: Prasad J Pandit Signed-off-by: Samuel Thibault --- slirp/mbuf.c | 11 +++++------ slirp/mbuf.h | 8 +++----- 2 files changed, 8 insertions(+), 11 deletions(-) diff --git a/slirp/mbuf.c b/slirp/mbuf.c index 5ff24559fd..18cbf759a7 100644 --- a/slirp/mbuf.c +++ b/slirp/mbuf.c @@ -138,7 +138,7 @@ m_cat(struct mbuf *m, struct mbuf *n) * If there's no room, realloc */ if (M_FREEROOM(m) < n->m_len) - m_inc(m,m->m_size+MINCSIZE); + m_inc(m, m->m_len + n->m_len); memcpy(m->m_data+m->m_len, n->m_data, n->m_len); m->m_len += n->m_len; 
@@ -147,7 +147,7 @@ m_cat(struct mbuf *m, struct mbuf *n) } -/* make m size bytes large */ +/* make m 'size' bytes large from m_data */ void m_inc(struct mbuf *m, int size) { @@ -158,12 +158,12 @@ m_inc(struct mbuf *m, int size) if (m->m_flags & M_EXT) { datasize = m->m_data - m->m_ext; - m->m_ext = g_realloc(m->m_ext, size); + m->m_ext = g_realloc(m->m_ext, size + datasize); m->m_data = m->m_ext + datasize; } else { char *dat; datasize = m->m_data - m->m_dat; - dat = g_malloc(size); + dat = g_malloc(size + datasize); memcpy(dat, m->m_dat, m->m_size); m->m_ext = dat; @@ -171,8 +171,7 @@ m_inc(struct mbuf *m, int size) m->m_flags |= M_EXT; } - m->m_size = size; - + m->m_size = size + datasize; } diff --git a/slirp/mbuf.h b/slirp/mbuf.h index 893601ff9d..33b84485d6 100644 --- a/slirp/mbuf.h +++ b/slirp/mbuf.h @@ -33,8 +33,6 @@ #ifndef MBUF_H #define MBUF_H -#define MINCSIZE 4096 /* Amount to increase mbuf if too small */ - /* * Macros for type conversion * mtod(m,t) - convert mbuf pointer to data pointer of correct type @@ -72,11 +70,11 @@ struct mbuf { struct mbuf *m_prevpkt; /* Flags aren't used in the output queue */ int m_flags; /* Misc flags */ - int m_size; /* Size of data */ + int m_size; /* Size of mbuf, from m_dat or m_ext */ struct socket *m_so; - caddr_t m_data; /* Location of data */ - int m_len; /* Amount of data in this mbuf */ + caddr_t m_data; /* Current location of data */ + int m_len; /* Amount of data in this mbuf, from m_data */ Slirp *slirp; bool resolution_requested; From c22098c74a09164797fae6511c5eaf68f32c4dd8 Mon Sep 17 00:00:00 2001 From: Prasad J Pandit Date: Tue, 5 Jun 2018 23:38:35 +0530 Subject: [PATCH 5/5] slirp: reformat m_inc routine Coding style changes to the m_inc routine and minor refactoring. Reported-by: ZDI Disclosures Signed-off-by: Prasad J Pandit Signed-off-by: Samuel Thibault --- slirp/mbuf.c | 34 ++++++++++++++++------------------ 1 file changed, 16 insertions(+), 18 deletions(-) 
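Review bot: After this hunk the `size` argument of m_inc() is measured from m_data (the new comment says so, and g_realloc()/g_malloc() now add `datasize` to it), but the early return at the top of the function, `if(m->m_size>size) return;` (above this hunk, visible on the new side of patch 5's hunk), still compares it with `m_size`, which the mbuf.h hunk now documents as measured from m_dat/m_ext. When m_data is offset from the buffer start (datasize > 0) and size < m_size < size + datasize, m_inc() returns without growing the buffer and the `memcpy(m->m_data+m->m_len, n->m_data, n->m_len)` in the m_cat hunk writes past the allocation, the same class of heap overflow this commit sets out to close. The guard should compare the room available from m_data, e.g. `if ((m->m_flags & M_EXT ? m->m_ext : m->m_dat) + m->m_size - m->m_data > size) { return; }`; the same correction applies to the reformatted guard in patch 5's hunk. m_inc() starts above this hunk.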
diff --git a/slirp/mbuf.c b/slirp/mbuf.c index 18cbf759a7..0c189e1a7b 100644 --- a/slirp/mbuf.c +++ b/slirp/mbuf.c @@ -151,27 +151,25 @@ m_cat(struct mbuf *m, struct mbuf *n) void m_inc(struct mbuf *m, int size) { - int datasize; + int datasize; - /* some compiles throw up on gotos. This one we can fake. */ - if(m->m_size>size) return; + /* some compilers throw up on gotos. This one we can fake. */ + if (m->m_size > size) { + return; + } - if (m->m_flags & M_EXT) { - datasize = m->m_data - m->m_ext; - m->m_ext = g_realloc(m->m_ext, size + datasize); - m->m_data = m->m_ext + datasize; - } else { - char *dat; - datasize = m->m_data - m->m_dat; - dat = g_malloc(size + datasize); - memcpy(dat, m->m_dat, m->m_size); + if (m->m_flags & M_EXT) { + datasize = m->m_data - m->m_ext; + m->m_ext = g_realloc(m->m_ext, size + datasize); + } else { + datasize = m->m_data - m->m_dat; + m->m_ext = g_malloc(size + datasize); + memcpy(m->m_ext, m->m_dat, m->m_size); + m->m_flags |= M_EXT; + } - m->m_ext = dat; - m->m_data = m->m_ext + datasize; - m->m_flags |= M_EXT; - } - - m->m_size = size + datasize; + m->m_data = m->m_ext + datasize; + m->m_size = size + datasize; }
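Review bot: The comment `/* some compilers throw up on gotos. This one we can fake. */` is corrected for spelling but no longer describes anything, as there is no goto in this function for the early return to stand in for; either drop it or replace it with a comment stating what the check guards against. `int datasize;` holds a pointer difference (`m->m_data - m->m_ext` / `m->m_data - m->m_dat`), so `ptrdiff_t datasize;` would avoid the narrowing and better document its role as an offset. The sum `size + datasize` is then passed to g_realloc()/g_malloc() as an int; since the callers are not visible here, it is worth confirming that `size` can never be negative, as a negative int converted to the allocator's size type becomes a very large request. The function's signature and the guard's semantics are unchanged by this reformat.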