Re: [Qemu-devel] [PATCH for-3.2 05/13] slirp: remove unused EMU_RSH

[Paolo Bonzini <pbonzini@redhat.com>]

On 10/11/2018 14:45, Marc-André Lureau wrote:
> EMU_RSH handling was dropped in commit
> 0d62c4cfe21752df4c1d6e2c2398f15d5eaa794a.
> 
> The assignment, and subsequent free() of ex_ptr->ex_exec to so->extra
> looks unsafe (double free is likely to occur).
> 
> Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
> ---
>  slirp/misc.h     | 1 -
>  slirp/slirp.c    | 2 --
>  slirp/socket.c   | 4 ----
>  slirp/tcp_subr.c | 1 -
>  4 files changed, 8 deletions(-)
> 
> diff --git a/slirp/misc.h b/slirp/misc.h
> index 64ca88c3b7..94829722cd 100644
> --- a/slirp/misc.h
> +++ b/slirp/misc.h
> @@ -26,7 +26,6 @@ struct ex_list {
>  #define EMU_REALAUDIO 0x5
>  #define EMU_RLOGIN 0x6
>  #define EMU_IDENT 0x7
> -#define EMU_RSH 0x8
>  
>  #define EMU_NOCONNECT 0x10	/* Don't connect */
>  
> diff --git a/slirp/slirp.c b/slirp/slirp.c
> index 58d1ef64e9..daa0d5d4bd 100644
> --- a/slirp/slirp.c
> +++ b/slirp/slirp.c
> @@ -1491,8 +1491,6 @@ static int slirp_state_load(QEMUFile *f, void *opaque, int version_id)
>          }
>          if (!ex_ptr)
>              return -EINVAL;
> -
> -        so->extra = (void *)ex_ptr->ex_exec;
>      }
>  
>      return vmstate_load_state(f, &vmstate_slirp, slirp, version_id);
> diff --git a/slirp/socket.c b/slirp/socket.c
> index 322383a1f9..ff6ef1e334 100644
> --- a/slirp/socket.c
> +++ b/slirp/socket.c
> @@ -91,10 +91,6 @@ sofree(struct socket *so)
>    soqfree(so, &slirp->if_fastq);
>    soqfree(so, &slirp->if_batchq);
>  
> -  if (so->so_emu==EMU_RSH && so->extra) {
> -	sofree(so->extra);
> -	so->extra=NULL;
> -  }
>    if (so == slirp->tcp_last_so) {
>        slirp->tcp_last_so = &slirp->tcb;
>    } else if (so == slirp->udp_last_so) {
> diff --git a/slirp/tcp_subr.c b/slirp/tcp_subr.c
> index e0bf7ad070..eb894b6527 100644
> --- a/slirp/tcp_subr.c
> +++ b/slirp/tcp_subr.c
> @@ -546,7 +546,6 @@ static const struct tos_t tcptos[] = {
>  	  {0, 23, IPTOS_LOWDELAY, 0},	/* telnet */
>  	  {0, 80, IPTOS_THROUGHPUT, 0},	/* WWW */
>  	  {0, 513, IPTOS_LOWDELAY, EMU_RLOGIN|EMU_NOCONNECT},	/* rlogin */
> -	  {0, 514, IPTOS_LOWDELAY, EMU_RSH|EMU_NOCONNECT},	/* shell */
>  	  {0, 544, IPTOS_LOWDELAY, EMU_KSH},		/* kshell */
>  	  {0, 543, IPTOS_LOWDELAY, 0},	/* klogin */
>  	  {0, 6667, IPTOS_THROUGHPUT, EMU_IRC},	/* IRC */
> 

Ouch, do we really want to have a stateful firewall in QEMU?  I would
say burn all of tcp_emu with fire...

Paolo