- Resolves: rhbz#CVE-2015-6496, rhbz#1253757

- Fold in upstream patches since 1.4.2 release up to git 900d7e8
- Fold in upstream patch set of 2015-08-18 for coverity issues
This commit is contained in:
Paul Wouters 2015-08-18 14:10:17 -04:00
parent d8249d934a
commit 205ad0f585
3 changed files with 3945 additions and 1 deletions

File diff suppressed because it is too large Load Diff

View File

@ -0,0 +1,217 @@
diff --git a/src/cache.c b/src/cache.c
index 7c41e54..79a024f 100644
--- a/src/cache.c
+++ b/src/cache.c
@@ -34,7 +34,7 @@ struct cache_feature *cache_feature[CACHE_MAX_FEATURE] = {
};
struct cache *cache_create(const char *name, enum cache_type type,
- unsigned int features,
+ unsigned int features,
struct cache_extra *extra,
struct cache_ops *ops)
{
@@ -53,7 +53,8 @@ struct cache *cache_create(const char *name, enum cache_type type,
return NULL;
memset(c, 0, sizeof(struct cache));
- strcpy(c->name, name);
+ strncpy(c->name, name, CACHE_MAX_NAMELEN);
+ c->name[CACHE_MAX_NAMELEN - 1] = '\0';
c->type = type;
for (i = 0; i < CACHE_MAX_FEATURE; i++) {
diff --git a/src/cthelper.c b/src/cthelper.c
index 6537515..54eb830 100644
--- a/src/cthelper.c
+++ b/src/cthelper.c
@@ -277,11 +277,11 @@ static int nfq_queue_cb(const struct nlmsghdr *nlh, void *data)
if (!attr[NFQA_PAYLOAD]) {
dlog(LOG_ERR, "packet with no payload");
- goto err;
+ goto err1;
}
if (!attr[NFQA_CT] || !attr[NFQA_CT_INFO]) {
dlog(LOG_ERR, "no CT attached to this packet");
- goto err;
+ goto err1;
}
pkt = mnl_attr_get_payload(attr[NFQA_PAYLOAD]);
@@ -292,22 +292,22 @@ static int nfq_queue_cb(const struct nlmsghdr *nlh, void *data)
queue_num = ntohs(nfg->res_id);
if (pkt_get(pkt, pktlen, ntohs(ph->hw_protocol), &protoff))
- goto err;
+ goto err1;
ct = nfct_new();
if (ct == NULL)
- goto err;
+ goto err1;
if (nfct_payload_parse(mnl_attr_get_payload(attr[NFQA_CT]),
mnl_attr_get_payload_len(attr[NFQA_CT]),
l3num, ct) < 0) {
dlog(LOG_ERR, "cannot convert message to CT");
- goto err;
+ goto err2;
}
myct = calloc(1, sizeof(struct myct));
if (myct == NULL)
- goto err;
+ goto err2;
myct->ct = ct;
ctinfo = ntohl(mnl_attr_get_u32(attr[NFQA_CT_INFO]));
@@ -315,15 +315,15 @@ static int nfq_queue_cb(const struct nlmsghdr *nlh, void *data)
/* XXX: 256 bytes enough for possible NAT mangling in helpers? */
pktb = pktb_alloc(AF_INET, pkt, pktlen, 256);
if (pktb == NULL)
- goto err;
+ goto err3;
/* Misconfiguration: if no helper found, accept the packet. */
helper = helper_run(pktb, protoff, myct, ctinfo, queue_num, &verdict);
if (!helper)
- goto err_pktb;
+ goto err4;
if (pkt_verdict_issue(helper, myct, queue_num, id, verdict, pktb) < 0)
- goto err_pktb;
+ goto err4;
nfct_destroy(ct);
if (myct->exp != NULL)
@@ -333,18 +333,19 @@ static int nfq_queue_cb(const struct nlmsghdr *nlh, void *data)
free(myct);
return MNL_CB_OK;
-err_pktb:
+err4:
pktb_free(pktb);
-err:
+err3:
+ free(myct);
+err2:
+ nfct_destroy(ct);
+err1:
/* In case of error, we don't want to disrupt traffic. We accept all.
* This is connection tracking after all. The policy is not to drop
* packet unless we enter some inconsistent state.
*/
pkt_verdict_error(queue_num, id);
- if (ct != NULL)
- nfct_destroy(ct);
-
return MNL_CB_OK;
}
diff --git a/src/local.c b/src/local.c
index 453799a..3395b4c 100644
--- a/src/local.c
+++ b/src/local.c
@@ -77,7 +77,7 @@ int do_local_server_step(struct local_server *server, void *data,
int rfd;
struct sockaddr_un local;
socklen_t sin_size = sizeof(struct sockaddr_un);
-
+
rfd = accept(server->fd, (struct sockaddr *) &local, &sin_size);
if (rfd == -1)
return -1;
@@ -147,11 +147,14 @@ int do_local_request(int request,
ret = send(fd, &request, sizeof(int), 0);
if (ret == -1)
- return -1;
+ goto err1;
do_local_client_step(fd, step);
local_client_destroy(fd);
-
+
return 0;
+err1:
+ local_client_destroy(fd);
+ return -1;
}
diff --git a/src/parse.c b/src/parse.c
index f3ec6ac..919d36c 100644
--- a/src/parse.c
+++ b/src/parse.c
@@ -297,7 +297,7 @@ int msg2ct(struct nf_conntrack *ct, struct nethdr *net, size_t remain)
return -1;
if (attr->nta_len < NTA_LENGTH(0))
return -1;
- if (attr->nta_attr > NTA_MAX)
+ if (attr->nta_attr >= NTA_MAX)
return -1;
if (h[attr->nta_attr].size &&
attr->nta_len != h[attr->nta_attr].size)
@@ -510,7 +510,7 @@ int msg2exp(struct nf_expect *exp, struct nethdr *net, size_t remain)
ATTR_NETWORK2HOST(attr);
if (attr->nta_len > len)
goto err;
- if (attr->nta_attr > NTA_MAX)
+ if (attr->nta_attr >= NTA_EXP_MAX)
goto err;
if (attr->nta_len < NTA_LENGTH(0))
goto err;
@@ -524,13 +524,15 @@ int msg2exp(struct nf_expect *exp, struct nethdr *net, size_t remain)
attr = NTA_NEXT(attr, len);
continue;
}
- switch(exp_h[attr->nta_attr].exp_attr) {
+ switch (exp_h[attr->nta_attr].exp_attr) {
case ATTR_EXP_MASTER:
exp_h[attr->nta_attr].parse(master, attr->nta_attr,
NTA_DATA(attr));
+ break;
case ATTR_EXP_EXPECTED:
exp_h[attr->nta_attr].parse(expected, attr->nta_attr,
NTA_DATA(attr));
+ break;
case ATTR_EXP_MASK:
exp_h[attr->nta_attr].parse(mask, attr->nta_attr,
NTA_DATA(attr));
diff --git a/src/process.c b/src/process.c
index 7f0a395..3ddad5f 100644
--- a/src/process.c
+++ b/src/process.c
@@ -48,6 +48,8 @@ int fork_process_new(int type, int flags, void (*cb)(void *data), void *data)
if (c->pid > 0)
list_add(&c->head, &process_list);
+ else
+ free(c);
return pid;
}
diff --git a/src/tcp.c b/src/tcp.c
index af27c46..e570880 100644
--- a/src/tcp.c
+++ b/src/tcp.c
@@ -247,13 +247,11 @@ int tcp_accept(struct tcp_sock *m)
/* the other peer wants to connect ... */
ret = accept(m->fd, NULL, NULL);
if (ret == -1) {
- if (errno != EAGAIN) {
- /* unexpected error. Give us another try. */
- m->state = TCP_SERVER_ACCEPTING;
- } else {
- /* waiting for new connections. */
- m->state = TCP_SERVER_ACCEPTING;
- }
+ /* unexpected error: Give us another try. Or we have hit
+ * -EAGAIN, in that case we remain in the accepting connections
+ * state.
+ */
+ m->state = TCP_SERVER_ACCEPTING;
} else {
/* the peer finally got connected. */
if (fcntl(ret, F_SETFL, O_NONBLOCK) == -1) {

View File

@ -1,6 +1,6 @@
Name: conntrack-tools
Version: 1.4.2
Release: 8%{?dist}
Release: 9%{?dist}
Summary: Manipulate netfilter connection tracking table and run High Availability
Group: System Environment/Base
License: GPLv2
@ -8,6 +8,8 @@ URL: http://netfilter.org
Source0: http://netfilter.org/projects/%{name}/files/%{name}-%{version}.tar.bz2
Source1: conntrackd.service
Source2: conntrackd.conf
Patch1: conntrack-tools-20150818.patch
Patch2: conntrack-tools-coverity20150818.patch
BuildRequires: libnfnetlink-devel >= 1.0.1, libnetfilter_conntrack-devel >= 1.0.4
BuildRequires: libnetfilter_cttimeout-devel >= 1.0.0, libnetfilter_cthelper-devel >= 1.0.0
BuildRequires: libmnl-devel >= 1.0.3, libnetfilter_queue-devel >= 1.0.2
@ -40,6 +42,8 @@ show an event message (one line) per newly established connection.
%prep
%setup -q
%patch1 -p1
%patch2 -p1
%build
%configure --disable-static
@ -77,6 +81,11 @@ install -m 0644 %{SOURCE2} %{buildroot}%{_sysconfdir}/conntrackd/
%systemd_postun conntrackd.service
%changelog
* Tue Aug 18 2015 Paul Wouters <pwouters@redhat.com> - 1.4.2-9
- Resolves: rhbz#CVE-2015-6496, rhbz#1253757
- Fold in upstream patches since 1.4.2 release up to git 900d7e8
- Fold in upstream patch set of 2015-08-18 for coverity issues
* Wed Jun 17 2015 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1.4.2-8
- Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild