diff -Nru libslirp-4.1.0/debian/changelog libslirp-4.1.0/debian/changelog --- libslirp-4.1.0/debian/changelog 2020-07-23 18:09:04.000000000 +0000 +++ libslirp-4.1.0/debian/changelog 2021-06-21 12:43:06.000000000 +0000 @@ -1,3 +1,36 @@ +libslirp (4.1.0-2ubuntu2.2) focal-security; urgency=medium + + * SECURITY UPDATE: DoS via buffer overread + - debian/patches/CVE-2020-29129_30.patch: check pkt_len before reading + protocol header in src/ncsi.c, src/slirp.c. + - CVE-2020-29129 + - CVE-2020-29130 + * SECURITY UPDATE: data leak in bootp_input() + - debian/patches/CVE-2021-3592-1.patch: add mtod_check() to src/mbuf.*. + - debian/patches/CVE-2021-3592-2.patch: limit vendor-specific area to + input packet memory buffer in src/bootp.*, src/mbuf.*. + - debian/patches/CVE-2021-3592-3.patch: check bootp_input buffer size + in src/bootp.c. + - debian/patches/CVE-2021-3592-4.patch: fix regression in dhcp in + src/bootp.c. + - CVE-2021-3592 + * SECURITY UPDATE: data leak in udp6_input() + - debian/patches/CVE-2021-3593.patch: check udp6_input buffer size in + src/udp6.c. + - CVE-2021-3593 + * SECURITY UPDATE: data leak in udp_input() + - debian/patches/CVE-2021-3594.patch: check upd_input buffer size in + src/udp.c. + - CVE-2021-3594 + * SECURITY UPDATE: data leak in tftp_input() + - debian/patches/CVE-2021-3595-1.patch: check tftp_input buffer size in + src/tftp.c. + - debian/patches/CVE-2021-3595-2.patch: introduce a header structure in + src/tftp.*. + - CVE-2021-3595 + + -- Marc Deslauriers Mon, 21 Jun 2021 08:43:06 -0400 + libslirp (4.1.0-2ubuntu2.1) focal-security; urgency=medium * SECURITY UPDATE: OOB read in icmp6_send_echoreply() diff -Nru libslirp-4.1.0/debian/patches/CVE-2020-29129_30.patch libslirp-4.1.0/debian/patches/CVE-2020-29129_30.patch --- libslirp-4.1.0/debian/patches/CVE-2020-29129_30.patch 1970-01-01 00:00:00.000000000 +0000 +++ libslirp-4.1.0/debian/patches/CVE-2020-29129_30.patch 2021-06-21 12:35:49.000000000 +0000 @@ -0,0 +1,52 @@ +From 2e1dcbc0c2af64fcb17009eaf2ceedd81be2b27f Mon Sep 17 00:00:00 2001 +From: Prasad J Pandit +Date: Thu, 26 Nov 2020 19:27:06 +0530 +Subject: [PATCH] slirp: check pkt_len before reading protocol header +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +While processing ARP/NCSI packets in 'arp_input' or 'ncsi_input' +routines, ensure that pkt_len is large enough to accommodate the +respective protocol headers, lest it should do an OOB access. +Add check to avoid it. + +CVE-2020-29129 CVE-2020-29130 + QEMU: slirp: out-of-bounds access while processing ARP/NCSI packets + -> https://www.openwall.com/lists/oss-security/2020/11/27/1 + +Reported-by: Qiuhao Li +Signed-off-by: Prasad J Pandit +Message-Id: <20201126135706.273950-1-ppandit@redhat.com> +Reviewed-by: Marc-André Lureau +--- + src/ncsi.c | 4 ++++ + src/slirp.c | 4 ++++ + 2 files changed, 8 insertions(+) + +--- a/src/ncsi.c ++++ b/src/ncsi.c +@@ -147,6 +147,10 @@ void ncsi_input(Slirp *slirp, const uint + uint32_t checksum; + uint32_t *pchecksum; + ++ if (pkt_len < ETH_HLEN + sizeof(struct ncsi_pkt_hdr)) { ++ return; /* packet too short */ ++ } ++ + memset(ncsi_reply, 0, sizeof(ncsi_reply)); + + memset(reh->h_dest, 0xff, ETH_ALEN); +--- a/src/slirp.c ++++ b/src/slirp.c +@@ -739,6 +739,10 @@ static void arp_input(Slirp *slirp, cons + return; + } + ++ if (pkt_len < ETH_HLEN + sizeof(struct slirp_arphdr)) { ++ return; /* packet too short */ ++ } ++ + ar_op = ntohs(ah->ar_op); + switch (ar_op) { + case ARPOP_REQUEST: diff -Nru libslirp-4.1.0/debian/patches/CVE-2021-3592-1.patch libslirp-4.1.0/debian/patches/CVE-2021-3592-1.patch --- libslirp-4.1.0/debian/patches/CVE-2021-3592-1.patch 1970-01-01 00:00:00.000000000 +0000 +++ libslirp-4.1.0/debian/patches/CVE-2021-3592-1.patch 2021-06-21 12:35:55.000000000 +0000 @@ -0,0 +1,46 @@ +From 93e645e72a056ec0b2c16e0299fc5c6b94e4ca17 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Marc-Andr=C3=A9=20Lureau?= +Date: Fri, 4 Jun 2021 15:58:25 +0400 +Subject: [PATCH] Add mtod_check() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Recent security issues demonstrate the lack of safety care when casting +a mbuf to a particular structure type. At least, it should check that +the buffer is large enough. The following patches will make use of this +function. + +Signed-off-by: Marc-André Lureau +--- + src/mbuf.c | 11 +++++++++++ + src/mbuf.h | 1 + + 2 files changed, 12 insertions(+) + +--- a/src/mbuf.c ++++ b/src/mbuf.c +@@ -222,3 +222,14 @@ struct mbuf *dtom(Slirp *slirp, void *da + + return (struct mbuf *)0; + } ++ ++void *mtod_check(struct mbuf *m, size_t len) ++{ ++ if (m->m_len >= len) { ++ return m->m_data; ++ } ++ ++ DEBUG_ERROR("mtod failed"); ++ ++ return NULL; ++} +--- a/src/mbuf.h ++++ b/src/mbuf.h +@@ -118,6 +118,7 @@ void m_inc(struct mbuf *, int); + void m_adj(struct mbuf *, int); + int m_copy(struct mbuf *, struct mbuf *, int, int); + struct mbuf *dtom(Slirp *, void *); ++void *mtod_check(struct mbuf *, size_t len); + + static inline void ifs_init(struct mbuf *ifm) + { diff -Nru libslirp-4.1.0/debian/patches/CVE-2021-3592-2.patch libslirp-4.1.0/debian/patches/CVE-2021-3592-2.patch --- libslirp-4.1.0/debian/patches/CVE-2021-3592-2.patch 1970-01-01 00:00:00.000000000 +0000 +++ libslirp-4.1.0/debian/patches/CVE-2021-3592-2.patch 2021-06-21 12:36:41.000000000 +0000 @@ -0,0 +1,151 @@ +Backport of: + +From f13cad45b25d92760bb0ad67bec0300a4d7d5275 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Marc-Andr=C3=A9=20Lureau?= +Date: Fri, 4 Jun 2021 19:25:28 +0400 +Subject: [PATCH] bootp: limit vendor-specific area to input packet memory + buffer +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +sizeof(bootp_t) currently holds DHCP_OPT_LEN. Remove this optional field +from the structure, to help with the following patch checking for +minimal header size. Modify the bootp_reply() function to take the +buffer boundaries and avoiding potential buffer overflow. + +Related to CVE-2021-3592. + +https://gitlab.freedesktop.org/slirp/libslirp/-/issues/44 + +Signed-off-by: Marc-André Lureau +--- + src/bootp.c | 26 +++++++++++++++----------- + src/bootp.h | 2 +- + src/mbuf.c | 5 +++++ + src/mbuf.h | 1 + + 4 files changed, 22 insertions(+), 12 deletions(-) + +--- a/src/bootp.c ++++ b/src/bootp.c +@@ -92,21 +92,22 @@ found: + return bc; + } + +-static void dhcp_decode(const struct bootp_t *bp, int *pmsg_type, ++static void dhcp_decode(const struct bootp_t *bp, ++ const uint8_t *bp_end, ++ int *pmsg_type, + struct in_addr *preq_addr) + { +- const uint8_t *p, *p_end; ++ const uint8_t *p; + int len, tag; + + *pmsg_type = 0; + preq_addr->s_addr = htonl(0L); + + p = bp->bp_vend; +- p_end = p + DHCP_OPT_LEN; + if (memcmp(p, rfc1533_cookie, 4) != 0) + return; + p += 4; +- while (p < p_end) { ++ while (p < bp_end) { + tag = p[0]; + if (tag == RFC1533_PAD) { + p++; +@@ -114,10 +115,10 @@ static void dhcp_decode(const struct boo + break; + } else { + p++; +- if (p >= p_end) ++ if (p >= bp_end) + break; + len = *p++; +- if (p + len > p_end) { ++ if (p + len > bp_end) { + break; + } + DPRINTF("dhcp: tag=%d len=%d\n", tag, len); +@@ -144,7 +145,9 @@ static void dhcp_decode(const struct boo + } + } + +-static void bootp_reply(Slirp *slirp, const struct bootp_t *bp) ++static void bootp_reply(Slirp *slirp, ++ const struct bootp_t *bp, ++ const uint8_t *bp_end) + { + BOOTPClient *bc = NULL; + struct mbuf *m; +@@ -157,7 +160,7 @@ static void bootp_reply(Slirp *slirp, co + uint8_t client_ethaddr[ETH_ALEN]; + + /* extract exact DHCP msg type */ +- dhcp_decode(bp, &dhcp_msg_type, &preq_addr); ++ dhcp_decode(bp, bp_end, &dhcp_msg_type, &preq_addr); + DPRINTF("bootp packet op=%d msgtype=%d", bp->bp_op, dhcp_msg_type); + if (preq_addr.s_addr != htonl(0L)) + DPRINTF(" req_addr=%08" PRIx32 "\n", ntohl(preq_addr.s_addr)); +@@ -179,9 +182,10 @@ static void bootp_reply(Slirp *slirp, co + return; + } + m->m_data += IF_MAXLINKHDR; ++ m_inc(m, sizeof(struct bootp_t) + DHCP_OPT_LEN); + rbp = (struct bootp_t *)m->m_data; + m->m_data += sizeof(struct udpiphdr); +- memset(rbp, 0, sizeof(struct bootp_t)); ++ memset(rbp, 0, sizeof(struct bootp_t) + DHCP_OPT_LEN); + + if (dhcp_msg_type == DHCPDISCOVER) { + if (preq_addr.s_addr != htonl(0L)) { +@@ -235,7 +239,7 @@ static void bootp_reply(Slirp *slirp, co + rbp->bp_siaddr = saddr.sin_addr; /* Server IP address */ + + q = rbp->bp_vend; +- end = (uint8_t *)&rbp[1]; ++ end = rbp->bp_vend + DHCP_OPT_LEN; + memcpy(q, rfc1533_cookie, 4); + q += 4; + +@@ -363,6 +367,6 @@ void bootp_input(struct mbuf *m) + struct bootp_t *bp = mtod(m, struct bootp_t *); + + if (bp->bp_op == BOOTP_REQUEST) { +- bootp_reply(m->slirp, bp); ++ bootp_reply(m->slirp, bp, m_end(m)); + } + } +--- a/src/bootp.h ++++ b/src/bootp.h +@@ -114,7 +114,7 @@ struct bootp_t { + uint8_t bp_hwaddr[16]; + uint8_t bp_sname[64]; + uint8_t bp_file[128]; +- uint8_t bp_vend[DHCP_OPT_LEN]; ++ uint8_t bp_vend[]; + }; + + typedef struct { +--- a/src/mbuf.c ++++ b/src/mbuf.c +@@ -233,3 +233,8 @@ void *mtod_check(struct mbuf *m, size_t + + return NULL; + } ++ ++void *m_end(struct mbuf *m) ++{ ++ return m->m_data + m->m_len; ++} +--- a/src/mbuf.h ++++ b/src/mbuf.h +@@ -119,6 +119,7 @@ void m_adj(struct mbuf *, int); + int m_copy(struct mbuf *, struct mbuf *, int, int); + struct mbuf *dtom(Slirp *, void *); + void *mtod_check(struct mbuf *, size_t len); ++void *m_end(struct mbuf *); + + static inline void ifs_init(struct mbuf *ifm) + { diff -Nru libslirp-4.1.0/debian/patches/CVE-2021-3592-3.patch libslirp-4.1.0/debian/patches/CVE-2021-3592-3.patch --- libslirp-4.1.0/debian/patches/CVE-2021-3592-3.patch 1970-01-01 00:00:00.000000000 +0000 +++ libslirp-4.1.0/debian/patches/CVE-2021-3592-3.patch 2021-06-21 12:36:52.000000000 +0000 @@ -0,0 +1,30 @@ +From 2eca0838eee1da96204545e22cdaed860d9d7c6c Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Marc-Andr=C3=A9=20Lureau?= +Date: Fri, 4 Jun 2021 16:15:14 +0400 +Subject: [PATCH] bootp: check bootp_input buffer size +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Fixes: CVE-2021-3592 +Fixes: https://gitlab.freedesktop.org/slirp/libslirp/-/issues/44 + +Signed-off-by: Marc-André Lureau +--- + src/bootp.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/src/bootp.c ++++ b/src/bootp.c +@@ -364,9 +364,9 @@ static void bootp_reply(Slirp *slirp, + + void bootp_input(struct mbuf *m) + { +- struct bootp_t *bp = mtod(m, struct bootp_t *); ++ struct bootp_t *bp = mtod_check(m, sizeof(struct bootp_t)); + +- if (bp->bp_op == BOOTP_REQUEST) { ++ if (bp && bp->bp_op == BOOTP_REQUEST) { + bootp_reply(m->slirp, bp, m_end(m)); + } + } diff -Nru libslirp-4.1.0/debian/patches/CVE-2021-3592-4.patch libslirp-4.1.0/debian/patches/CVE-2021-3592-4.patch --- libslirp-4.1.0/debian/patches/CVE-2021-3592-4.patch 1970-01-01 00:00:00.000000000 +0000 +++ libslirp-4.1.0/debian/patches/CVE-2021-3592-4.patch 2021-06-21 12:36:58.000000000 +0000 @@ -0,0 +1,25 @@ +From c9f314f6e315a5518432761fea864196a290f799 Mon Sep 17 00:00:00 2001 +From: Akihiro Suda +Date: Thu, 17 Jun 2021 18:01:32 +0900 +Subject: [PATCH] Fix "DHCP broken in libslirp v4.6.0" + +Fix issue 48 + +Signed-off-by: Akihiro Suda +--- + src/bootp.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/src/bootp.c ++++ b/src/bootp.c +@@ -358,7 +358,9 @@ static void bootp_reply(Slirp *slirp, + + daddr.sin_addr.s_addr = 0xffffffffu; + +- m->m_len = sizeof(struct bootp_t) - sizeof(struct ip) - sizeof(struct udphdr); ++ assert ((q - rbp->bp_vend + 1) <= DHCP_OPT_LEN); ++ ++ m->m_len = sizeof(struct bootp_t) + (q - rbp->bp_vend + 1) - sizeof(struct ip) - sizeof(struct udphdr); + udp_output(NULL, m, &saddr, &daddr, IPTOS_LOWDELAY); + } + diff -Nru libslirp-4.1.0/debian/patches/CVE-2021-3593.patch libslirp-4.1.0/debian/patches/CVE-2021-3593.patch --- libslirp-4.1.0/debian/patches/CVE-2021-3593.patch 1970-01-01 00:00:00.000000000 +0000 +++ libslirp-4.1.0/debian/patches/CVE-2021-3593.patch 2021-06-21 12:37:03.000000000 +0000 @@ -0,0 +1,30 @@ +From de71c15de66ba9350bf62c45b05f8fbff166517b Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Marc-Andr=C3=A9=20Lureau?= +Date: Fri, 4 Jun 2021 16:32:55 +0400 +Subject: [PATCH] upd6: check udp6_input buffer size +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Fixes: CVE-2021-3593 +Fixes: https://gitlab.freedesktop.org/slirp/libslirp/-/issues/45 + +Signed-off-by: Marc-André Lureau +--- + src/udp6.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +--- a/src/udp6.c ++++ b/src/udp6.c +@@ -28,7 +28,10 @@ void udp6_input(struct mbuf *m) + ip = mtod(m, struct ip6 *); + m->m_len -= iphlen; + m->m_data += iphlen; +- uh = mtod(m, struct udphdr *); ++ uh = mtod_check(m, sizeof(struct udphdr)); ++ if (uh == NULL) { ++ goto bad; ++ } + m->m_len += iphlen; + m->m_data -= iphlen; + diff -Nru libslirp-4.1.0/debian/patches/CVE-2021-3594.patch libslirp-4.1.0/debian/patches/CVE-2021-3594.patch --- libslirp-4.1.0/debian/patches/CVE-2021-3594.patch 1970-01-01 00:00:00.000000000 +0000 +++ libslirp-4.1.0/debian/patches/CVE-2021-3594.patch 2021-06-21 12:37:10.000000000 +0000 @@ -0,0 +1,30 @@ +From 74572be49247c8c5feae7c6e0b50c4f569ca9824 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Marc-Andr=C3=A9=20Lureau?= +Date: Fri, 4 Jun 2021 16:40:23 +0400 +Subject: [PATCH] udp: check upd_input buffer size +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Fixes: CVE-2021-3594 +Fixes: https://gitlab.freedesktop.org/slirp/libslirp/-/issues/47 + +Signed-off-by: Marc-André Lureau +--- + src/udp.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +--- a/src/udp.c ++++ b/src/udp.c +@@ -90,7 +90,10 @@ void udp_input(register struct mbuf *m, + /* + * Get IP and UDP header together in first mbuf. + */ +- ip = mtod(m, struct ip *); ++ ip = mtod_check(m, iphlen + sizeof(struct udphdr)); ++ if (ip == NULL) { ++ goto bad; ++ } + uh = (struct udphdr *)((char *)ip + iphlen); + + /* diff -Nru libslirp-4.1.0/debian/patches/CVE-2021-3595-1.patch libslirp-4.1.0/debian/patches/CVE-2021-3595-1.patch --- libslirp-4.1.0/debian/patches/CVE-2021-3595-1.patch 1970-01-01 00:00:00.000000000 +0000 +++ libslirp-4.1.0/debian/patches/CVE-2021-3595-1.patch 2021-06-21 12:37:16.000000000 +0000 @@ -0,0 +1,31 @@ +From 3f17948137155f025f7809fdc38576d5d2451c3d Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Marc-Andr=C3=A9=20Lureau?= +Date: Fri, 4 Jun 2021 16:34:30 +0400 +Subject: [PATCH] tftp: check tftp_input buffer size +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Fixes: CVE-2021-3595 +Fixes: https://gitlab.freedesktop.org/slirp/libslirp/-/issues/46 + +Signed-off-by: Marc-André Lureau +--- + src/tftp.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +--- a/src/tftp.c ++++ b/src/tftp.c +@@ -444,7 +444,11 @@ static void tftp_handle_error(Slirp *sli + + void tftp_input(struct sockaddr_storage *srcsas, struct mbuf *m) + { +- struct tftp_t *tp = (struct tftp_t *)m->m_data; ++ struct tftp_t *tp = mtod_check(m, offsetof(struct tftp_t, x.tp_buf)); ++ ++ if (tp == NULL) { ++ return; ++ } + + switch (ntohs(tp->tp_op)) { + case TFTP_RRQ: diff -Nru libslirp-4.1.0/debian/patches/CVE-2021-3595-2.patch libslirp-4.1.0/debian/patches/CVE-2021-3595-2.patch --- libslirp-4.1.0/debian/patches/CVE-2021-3595-2.patch 1970-01-01 00:00:00.000000000 +0000 +++ libslirp-4.1.0/debian/patches/CVE-2021-3595-2.patch 2021-06-21 12:43:00.000000000 +0000 @@ -0,0 +1,246 @@ +Backport of: + +From 990163cf3ac86b7875559f49602c4d76f46f6f30 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Marc-Andr=C3=A9=20Lureau?= +Date: Fri, 4 Jun 2021 20:01:20 +0400 +Subject: [PATCH] tftp: introduce a header structure +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Instead of using a composed structure and potentially reading past the +incoming buffer, use a different structure for the header. + +Signed-off-by: Marc-André Lureau +--- + src/tftp.c | 60 ++++++++++++++++++++++++++++-------------------------- + src/tftp.h | 6 +++++- + 2 files changed, 36 insertions(+), 30 deletions(-) + +--- a/src/tftp.c ++++ b/src/tftp.c +@@ -50,7 +50,7 @@ static void tftp_session_terminate(struc + } + + static int tftp_session_allocate(Slirp *slirp, struct sockaddr_storage *srcsas, +- struct tftp_t *tp) ++ struct tftphdr *hdr) + { + struct tftp_session *spt; + int k; +@@ -75,7 +75,7 @@ found: + memcpy(&spt->client_addr, srcsas, sockaddr_size(srcsas)); + spt->fd = -1; + spt->block_size = 512; +- spt->client_port = tp->udp.uh_sport; ++ spt->client_port = hdr->udp.uh_sport; + spt->slirp = slirp; + + tftp_session_update(spt); +@@ -84,7 +84,7 @@ found: + } + + static int tftp_session_find(Slirp *slirp, struct sockaddr_storage *srcsas, +- struct tftp_t *tp) ++ struct tftphdr *hdr) + { + struct tftp_session *spt; + int k; +@@ -94,7 +94,7 @@ static int tftp_session_find(Slirp *slir + + if (tftp_session_in_use(spt)) { + if (sockaddr_equal(&spt->client_addr, srcsas)) { +- if (spt->client_port == tp->udp.uh_sport) { ++ if (spt->client_port == hdr->udp.uh_sport) { + return k; + } + } +@@ -146,13 +146,13 @@ static struct tftp_t *tftp_prep_mbuf_dat + } + + static void tftp_udp_output(struct tftp_session *spt, struct mbuf *m, +- struct tftp_t *recv_tp) ++ struct tftphdr *hdr) + { + if (spt->client_addr.ss_family == AF_INET6) { + struct sockaddr_in6 sa6, da6; + + sa6.sin6_addr = spt->slirp->vhost_addr6; +- sa6.sin6_port = recv_tp->udp.uh_dport; ++ sa6.sin6_port = hdr->udp.uh_dport; + da6.sin6_addr = ((struct sockaddr_in6 *)&spt->client_addr)->sin6_addr; + da6.sin6_port = spt->client_port; + +@@ -161,7 +161,7 @@ static void tftp_udp_output(struct tftp_ + struct sockaddr_in sa4, da4; + + sa4.sin_addr = spt->slirp->vhost_addr; +- sa4.sin_port = recv_tp->udp.uh_dport; ++ sa4.sin_port = hdr->udp.uh_dport; + da4.sin_addr = ((struct sockaddr_in *)&spt->client_addr)->sin_addr; + da4.sin_port = spt->client_port; + +@@ -183,7 +183,7 @@ static int tftp_send_oack(struct tftp_se + + tp = tftp_prep_mbuf_data(spt, m); + +- tp->tp_op = htons(TFTP_OACK); ++ tp->hdr.tp_op = htons(TFTP_OACK); + for (i = 0; i < nb; i++) { + n += snprintf(tp->x.tp_buf + n, sizeof(tp->x.tp_buf) - n, "%s", + keys[i]) + +@@ -193,9 +193,8 @@ static int tftp_send_oack(struct tftp_se + 1; + } + +- m->m_len = sizeof(struct tftp_t) - (TFTP_BLOCKSIZE_MAX + 2) + n - +- sizeof(struct udphdr); +- tftp_udp_output(spt, m, recv_tp); ++ m->m_len = G_SIZEOF_MEMBER(struct tftp_t, hdr.tp_op) + n; ++ tftp_udp_output(spt, m, &recv_tp->hdr); + + return 0; + } +@@ -216,21 +215,21 @@ static void tftp_send_error(struct tftp_ + + tp = tftp_prep_mbuf_data(spt, m); + +- tp->tp_op = htons(TFTP_ERROR); ++ tp->hdr.tp_op = htons(TFTP_ERROR); + tp->x.tp_error.tp_error_code = htons(errorcode); + slirp_pstrcpy((char *)tp->x.tp_error.tp_msg, sizeof(tp->x.tp_error.tp_msg), + msg); + + m->m_len = sizeof(struct tftp_t) - (TFTP_BLOCKSIZE_MAX + 2) + 3 + + strlen(msg) - sizeof(struct udphdr); +- tftp_udp_output(spt, m, recv_tp); ++ tftp_udp_output(spt, m, &recv_tp->hdr); + + out: + tftp_session_terminate(spt); + } + + static void tftp_send_next_block(struct tftp_session *spt, +- struct tftp_t *recv_tp) ++ struct tftphdr *hdr) + { + struct mbuf *m; + struct tftp_t *tp; +@@ -244,7 +243,7 @@ static void tftp_send_next_block(struct + + tp = tftp_prep_mbuf_data(spt, m); + +- tp->tp_op = htons(TFTP_DATA); ++ tp->hdr.tp_op = htons(TFTP_DATA); + tp->x.tp_data.tp_block_nr = htons((spt->block_nr + 1) & 0xffff); + + nobytes = tftp_read_data(spt, spt->block_nr, tp->x.tp_data.tp_buf, +@@ -262,7 +261,7 @@ static void tftp_send_next_block(struct + + m->m_len = sizeof(struct tftp_t) - (TFTP_BLOCKSIZE_MAX - nobytes) - + sizeof(struct udphdr); +- tftp_udp_output(spt, m, recv_tp); ++ tftp_udp_output(spt, m, hdr); + + if (nobytes == spt->block_size) { + tftp_session_update(spt); +@@ -285,12 +284,12 @@ static void tftp_handle_rrq(Slirp *slirp + int nb_options = 0; + + /* check if a session already exists and if so terminate it */ +- s = tftp_session_find(slirp, srcsas, tp); ++ s = tftp_session_find(slirp, srcsas, &tp->hdr); + if (s >= 0) { + tftp_session_terminate(&slirp->tftp_sessions[s]); + } + +- s = tftp_session_allocate(slirp, srcsas, tp); ++ s = tftp_session_allocate(slirp, srcsas, &tp->hdr); + + if (s < 0) { + return; +@@ -411,29 +410,29 @@ static void tftp_handle_rrq(Slirp *slirp + } + + spt->block_nr = 0; +- tftp_send_next_block(spt, tp); ++ tftp_send_next_block(spt, &tp->hdr); + } + + static void tftp_handle_ack(Slirp *slirp, struct sockaddr_storage *srcsas, +- struct tftp_t *tp, int pktlen) ++ struct tftphdr *hdr) + { + int s; + +- s = tftp_session_find(slirp, srcsas, tp); ++ s = tftp_session_find(slirp, srcsas, hdr); + + if (s < 0) { + return; + } + +- tftp_send_next_block(&slirp->tftp_sessions[s], tp); ++ tftp_send_next_block(&slirp->tftp_sessions[s], hdr); + } + + static void tftp_handle_error(Slirp *slirp, struct sockaddr_storage *srcsas, +- struct tftp_t *tp, int pktlen) ++ struct tftphdr *hdr) + { + int s; + +- s = tftp_session_find(slirp, srcsas, tp); ++ s = tftp_session_find(slirp, srcsas, hdr); + + if (s < 0) { + return; +@@ -444,23 +443,25 @@ static void tftp_handle_error(Slirp *sli + + void tftp_input(struct sockaddr_storage *srcsas, struct mbuf *m) + { +- struct tftp_t *tp = mtod_check(m, offsetof(struct tftp_t, x.tp_buf)); ++ struct tftphdr *hdr = mtod_check(m, sizeof(struct tftphdr)); + +- if (tp == NULL) { ++ if (hdr == NULL) { + return; + } + +- switch (ntohs(tp->tp_op)) { ++ switch (ntohs(hdr->tp_op)) { + case TFTP_RRQ: +- tftp_handle_rrq(m->slirp, srcsas, tp, m->m_len); ++ tftp_handle_rrq(m->slirp, srcsas, ++ mtod(m, struct tftp_t *), ++ m->m_len); + break; + + case TFTP_ACK: +- tftp_handle_ack(m->slirp, srcsas, tp, m->m_len); ++ tftp_handle_ack(m->slirp, srcsas, hdr); + break; + + case TFTP_ERROR: +- tftp_handle_error(m->slirp, srcsas, tp, m->m_len); ++ tftp_handle_error(m->slirp, srcsas, hdr); + break; + } + } +--- a/src/tftp.h ++++ b/src/tftp.h +@@ -18,9 +18,13 @@ + #define TFTP_FILENAME_MAX 512 + #define TFTP_BLOCKSIZE_MAX 1428 + +-struct tftp_t { ++struct tftphdr { + struct udphdr udp; + uint16_t tp_op; ++} SLIRP_PACKED; ++ ++struct tftp_t { ++ struct tftphdr hdr; + union { + struct { + uint16_t tp_block_nr; diff -Nru libslirp-4.1.0/debian/patches/series libslirp-4.1.0/debian/patches/series --- libslirp-4.1.0/debian/patches/series 2020-07-23 18:09:00.000000000 +0000 +++ libslirp-4.1.0/debian/patches/series 2021-06-21 12:37:19.000000000 +0000 @@ -5,3 +5,12 @@ CVE-2020-8608-2.patch CVE-2020-1983.patch CVE-2020-10756.patch +CVE-2020-29129_30.patch +CVE-2021-3592-1.patch +CVE-2021-3592-2.patch +CVE-2021-3592-3.patch +CVE-2021-3592-4.patch +CVE-2021-3593.patch +CVE-2021-3594.patch +CVE-2021-3595-1.patch +CVE-2021-3595-2.patch