slirp: Add sanity check for str option length

When user provides a long domainname or hostname that doesn't fit in the DHCP packet, we mustn't overflow the response packet buffer. Instead, report errors, following the g_warning() in the slirp->vdnssearch branch. Also check the strlen against 256 when initializing slirp, which limit is also from the protocol where one byte represents the string length. This gives an early error before the warning which is harder to notice or diagnose. Reported-by: Thomas Huth <thuth@redhat.com> Reviewed-by: Thomas Huth <thuth@redhat.com> Cc: qemu-stable@nongnu.org Signed-off-by: Fam Zheng <famz@redhat.com> Tested-by: Gerd Hoffmann <kraxel@redhat.com> Signed-off-by: Samuel Thibault <samuel.thibault@ens-lyon.org>
2025-08-04 08:13:54 -06:00 · 2018-09-14 15:26:15 +08:00 · 2018-09-14 15:26:15 +08:00 · 6e157a0339
commit 6e157a0339
parent b312532fd0
2 changed files with 31 additions and 10 deletions
--- a/net/slirp.c
+++ b/net/slirp.c
@ -350,6 +350,15 @@ static int net_slirp_init(NetClientState *peer, const char *model,
        return -1;
    }

+    if (vdomainname && strlen(vdomainname) > 255) {
+        error_setg(errp, "'domainname' parameter cannot exceed 255 bytes");
+        return -1;
+    }
+
+    if (vhostname && strlen(vhostname) > 255) {
+        error_setg(errp, "'vhostname' parameter cannot exceed 255 bytes");
+        return -1;
+    }

    nc = qemu_new_net_client(&net_slirp_info, peer, model, name);