From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from eggs.gnu.org ([2001:4830:134:3::10]:39944) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1gNHUb-00080u-Bo for qemu-devel@nongnu.org; Thu, 15 Nov 2018 08:15:34 -0500 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1gNHUY-0002cQ-3p for qemu-devel@nongnu.org; Thu, 15 Nov 2018 08:15:33 -0500 Received: from mail-wr1-f65.google.com ([209.85.221.65]:40688) by eggs.gnu.org with esmtps (TLS1.0:RSA_AES_128_CBC_SHA1:16) (Exim 4.71) (envelope-from ) id 1gNHUX-0002bW-Rz for qemu-devel@nongnu.org; Thu, 15 Nov 2018 08:15:30 -0500 Received: by mail-wr1-f65.google.com with SMTP id p4so12005029wrt.7 for ; Thu, 15 Nov 2018 05:15:29 -0800 (PST) References: <20181110134548.14741-1-marcandre.lureau@redhat.com> <20181110134548.14741-6-marcandre.lureau@redhat.com> From: Paolo Bonzini Message-ID: <325629ab-47c3-5de3-e01c-d0a20c18be21@redhat.com> Date: Thu, 15 Nov 2018 14:15:25 +0100 MIME-Version: 1.0 In-Reply-To: <20181110134548.14741-6-marcandre.lureau@redhat.com> Content-Type: text/plain; charset=utf-8 Content-Language: en-US Content-Transfer-Encoding: 8bit Subject: Re: [Qemu-devel] [PATCH for-3.2 05/13] slirp: remove unused EMU_RSH List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , To: =?UTF-8?Q?Marc-Andr=c3=a9_Lureau?= , qemu-devel@nongnu.org Cc: Jan Kiszka , Jason Wang , Samuel Thibault On 10/11/2018 14:45, Marc-André Lureau wrote: > EMU_RSH handling was dropped in commit > 0d62c4cfe21752df4c1d6e2c2398f15d5eaa794a. > > The assignment, and subsequent free() of ex_ptr->ex_exec to so->extra > looks unsafe (double free is likely to occur). > > Signed-off-by: Marc-André Lureau > --- > slirp/misc.h | 1 - > slirp/slirp.c | 2 -- > slirp/socket.c | 4 ---- > slirp/tcp_subr.c | 1 - > 4 files changed, 8 deletions(-) > > diff --git a/slirp/misc.h b/slirp/misc.h > index 64ca88c3b7..94829722cd 100644 > --- a/slirp/misc.h > +++ b/slirp/misc.h > @@ -26,7 +26,6 @@ struct ex_list { > #define EMU_REALAUDIO 0x5 > #define EMU_RLOGIN 0x6 > #define EMU_IDENT 0x7 > -#define EMU_RSH 0x8 > > #define EMU_NOCONNECT 0x10 /* Don't connect */ > > diff --git a/slirp/slirp.c b/slirp/slirp.c > index 58d1ef64e9..daa0d5d4bd 100644 > --- a/slirp/slirp.c > +++ b/slirp/slirp.c > @@ -1491,8 +1491,6 @@ static int slirp_state_load(QEMUFile *f, void *opaque, int version_id) > } > if (!ex_ptr) > return -EINVAL; > - > - so->extra = (void *)ex_ptr->ex_exec; > } > > return vmstate_load_state(f, &vmstate_slirp, slirp, version_id); > diff --git a/slirp/socket.c b/slirp/socket.c > index 322383a1f9..ff6ef1e334 100644 > --- a/slirp/socket.c > +++ b/slirp/socket.c > @@ -91,10 +91,6 @@ sofree(struct socket *so) > soqfree(so, &slirp->if_fastq); > soqfree(so, &slirp->if_batchq); > > - if (so->so_emu==EMU_RSH && so->extra) { > - sofree(so->extra); > - so->extra=NULL; > - } > if (so == slirp->tcp_last_so) { > slirp->tcp_last_so = &slirp->tcb; > } else if (so == slirp->udp_last_so) { > diff --git a/slirp/tcp_subr.c b/slirp/tcp_subr.c > index e0bf7ad070..eb894b6527 100644 > --- a/slirp/tcp_subr.c > +++ b/slirp/tcp_subr.c > @@ -546,7 +546,6 @@ static const struct tos_t tcptos[] = { > {0, 23, IPTOS_LOWDELAY, 0}, /* telnet */ > {0, 80, IPTOS_THROUGHPUT, 0}, /* WWW */ > {0, 513, IPTOS_LOWDELAY, EMU_RLOGIN|EMU_NOCONNECT}, /* rlogin */ > - {0, 514, IPTOS_LOWDELAY, EMU_RSH|EMU_NOCONNECT}, /* shell */ > {0, 544, IPTOS_LOWDELAY, EMU_KSH}, /* kshell */ > {0, 543, IPTOS_LOWDELAY, 0}, /* klogin */ > {0, 6667, IPTOS_THROUGHPUT, EMU_IRC}, /* IRC */ > Ouch, do we really want to have a stateful firewall in QEMU? I would say burn all of tcp_emu with fire... Paolo