slirp: Add sanity check for str option length

When user provides a long domainname or hostname that doesn't fit in the DHCP packet, we mustn't overflow the response packet buffer. Instead, report errors, following the g_warning() in the slirp->vdnssearch branch. Also check the strlen against 256 when initializing slirp, which limit is also from the protocol where one byte represents the string length. This gives an early error before the warning which is harder to notice or diagnose. Reported-by: Thomas Huth <thuth@redhat.com> Reviewed-by: Thomas Huth <thuth@redhat.com> Cc: qemu-stable@nongnu.org Signed-off-by: Fam Zheng <famz@redhat.com> Tested-by: Gerd Hoffmann <kraxel@redhat.com> Signed-off-by: Samuel Thibault <samuel.thibault@ens-lyon.org>
author: Fam Zheng <famz@redhat.com> 2018-09-14 15:26:15 +0800
committer: Samuel Thibault <samuel.thibault@ens-lyon.org> 2018-10-21 21:22:17 +0200
commit: 6e157a0339793bb081705f52318fc77afd10addf (patch)
tree: b28916158baccc6919994ab7cda862a04854e6f3 /net
parent: b312532fd03413d0e6ae6767ec793a3e30f487b8 (diff)
1 files changed, 9 insertions, 0 deletions
diff --git a/net/slirp.c b/net/slirp.c
index 99884de204..da6c0a1a5c 100644
--- a/net/slirp.c
+++ b/net/slirp.c
@@ -350,6 +350,15 @@ static int net_slirp_init(NetClientState *peer, const char *model,
         return -1;
     }
 
+    if (vdomainname && strlen(vdomainname) > 255) {
+        error_setg(errp, "'domainname' parameter cannot exceed 255 bytes");
+        return -1;
+    }
+
+    if (vhostname && strlen(vhostname) > 255) {
+        error_setg(errp, "'vhostname' parameter cannot exceed 255 bytes");
+        return -1;
+    }
 
     nc = qemu_new_net_client(&net_slirp_info, peer, model, name);
author	Fam Zheng <famz@redhat.com>	2018-09-14 15:26:15 +0800
committer	Samuel Thibault <samuel.thibault@ens-lyon.org>	2018-10-21 21:22:17 +0200
commit	6e157a0339793bb081705f52318fc77afd10addf (patch)
tree	b28916158baccc6919994ab7cda862a04854e6f3 /net
parent	b312532fd03413d0e6ae6767ec793a3e30f487b8 (diff)