import conntrack-tools-1.4.5-17.el9_1
This commit is contained in:
CentOS Sources
Stepan Oksanichenko
parent
c077432b1f
commit
9f283c1cf1
|
|
@ -0,0 +1,60 @@
|
|||
From 937ae00b413b46f84aa77b5ca0dae38ed2b3415a Mon Sep 17 00:00:00 2001
|
||||
From: Phil Sutter <phil@nwl.cc>
|
||||
Date: Wed, 31 Aug 2022 13:00:52 +0200
|
||||
Subject: [PATCH] local: Avoid sockaddr_un::sun_path buffer overflow
|
||||
|
||||
The array's size in struct sockaddr_un is only UNIX_PATH_MAX and
|
||||
according to unix(7), it should hold a null-terminated string. So adjust
|
||||
config reader to reject paths of length UNIX_PATH_MAX and above and
|
||||
adjust the internal arrays to aid the compiler.
|
||||
|
||||
Fixes: f196de88cdd97 ("src: fix strncpy -Wstringop-truncation warnings")
|
||||
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
||||
(cherry picked from commit 96980c548d3a1aeb07ab6aaef45389efb058a69a)
|
||||
---
|
||||
include/local.h | 4 ++--
|
||||
src/read_config_yy.y | 6 +++---
|
||||
2 files changed, 5 insertions(+), 5 deletions(-)
|
||||
|
||||
diff --git a/include/local.h b/include/local.h
|
||||
index 9379446732eed..22859d7ab60aa 100644
|
||||
--- a/include/local.h
|
||||
+++ b/include/local.h
|
||||
@@ -7,12 +7,12 @@
|
||||
|
||||
struct local_conf {
|
||||
int reuseaddr;
|
||||
- char path[UNIX_PATH_MAX + 1];
|
||||
+ char path[UNIX_PATH_MAX];
|
||||
};
|
||||
|
||||
struct local_server {
|
||||
int fd;
|
||||
- char path[UNIX_PATH_MAX + 1];
|
||||
+ char path[UNIX_PATH_MAX];
|
||||
};
|
||||
|
||||
/* callback return values */
|
||||
diff --git a/src/read_config_yy.y b/src/read_config_yy.y
|
||||
index 401a1575014d0..d208a6a0617cf 100644
|
||||
--- a/src/read_config_yy.y
|
||||
+++ b/src/read_config_yy.y
|
||||
@@ -699,12 +699,12 @@ unix_options:
|
||||
|
||||
unix_option : T_PATH T_PATH_VAL
|
||||
{
|
||||
- if (strlen($2) > UNIX_PATH_MAX) {
|
||||
+ if (strlen($2) >= UNIX_PATH_MAX) {
|
||||
dlog(LOG_ERR, "Path is longer than %u characters",
|
||||
- UNIX_PATH_MAX);
|
||||
+ UNIX_PATH_MAX - 1);
|
||||
exit(EXIT_FAILURE);
|
||||
}
|
||||
- snprintf(conf.local.path, sizeof(conf.local.path), "%s", $2);
|
||||
+ strcpy(conf.local.path, $2);
|
||||
free($2);
|
||||
};
|
||||
|
||||
--
|
||||
2.34.1
|
||||
|
||||
|
|
@ -0,0 +1,38 @@
|
|||
From b304d193f869c9ac9526d88dc82f7e94a7cb8cd5 Mon Sep 17 00:00:00 2001
|
||||
From: Pablo Neira Ayuso <pablo@netfilter.org>
|
||||
Date: Mon, 8 Mar 2021 16:29:25 +0100
|
||||
Subject: [PATCH] conntrackd: set default hashtable buckets and max entries if
|
||||
not specified
|
||||
|
||||
Fall back to 65536 buckets and 262144 entries.
|
||||
|
||||
It would be probably good to add code to autoadjust by reading
|
||||
/proc/sys/net/netfilter/nf_conntrack_buckets and
|
||||
/proc/sys/net/nf_conntrack_max.
|
||||
|
||||
Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1491
|
||||
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
||||
(cherry picked from commit 3276471d23d4d96d55e9a0fb7a10983d8097dc45)
|
||||
---
|
||||
src/read_config_yy.y | 6 ++++++
|
||||
1 file changed, 6 insertions(+)
|
||||
|
||||
diff --git a/src/read_config_yy.y b/src/read_config_yy.y
|
||||
index d208a6a0617cf..dc67d11952901 100644
|
||||
--- a/src/read_config_yy.y
|
||||
+++ b/src/read_config_yy.y
|
||||
@@ -1780,5 +1780,11 @@ init_config(char *filename)
|
||||
NF_NETLINK_CONNTRACK_DESTROY;
|
||||
}
|
||||
|
||||
+ /* default hashtable buckets and maximum number of entries */
|
||||
+ if (!CONFIG(hashsize))
|
||||
+ CONFIG(hashsize) = 65536;
|
||||
+ if (!CONFIG(limit))
|
||||
+ CONFIG(limit) = 262144;
|
||||
+
|
||||
return 0;
|
||||
}
|
||||
--
|
||||
2.38.0
|
||||
|
||||
|
|
@ -1,6 +1,6 @@
|
|||
Name: conntrack-tools
|
||||
Version: 1.4.5
|
||||
Release: 15%{?dist}
|
||||
Release: 17%{?dist}
|
||||
Summary: Manipulate netfilter connection tracking table and run High Availability
|
||||
License: GPLv2
|
||||
URL: http://conntrack-tools.netfilter.org/
|
||||
|
|
@ -26,6 +26,8 @@ Patch15: 0015-Drop-pointless-assignments.patch
|
|||
Patch16: 0016-connntrack-Fix-for-memleak-when-parsing-j-arg.patch
|
||||
Patch17: 0017-src-fix-strncpy-Wstringop-truncation-warnings.patch
|
||||
Patch18: 0018-conntrack-fix-compiler-warnings.patch
|
||||
Patch19: 0019-local-Avoid-sockaddr_un-sun_path-buffer-overflow.patch
|
||||
Patch20: 0020-conntrackd-set-default-hashtable-buckets-and-max-ent.patch
|
||||
|
||||
BuildRequires: gcc
|
||||
BuildRequires: libnfnetlink-devel >= 1.0.1, libnetfilter_conntrack-devel >= 1.0.7
|
||||
|
|
@ -106,6 +108,12 @@ install -m 0644 %{SOURCE2} %{buildroot}%{_sysconfdir}/conntrackd/
|
|||
%systemd_postun conntrackd.service
|
||||
|
||||
%changelog
|
||||
* Tue Nov 29 2022 Phil Sutter <psutter@redhat.com> - 1.4.5-17
|
||||
- conntrackd: set default hashtable buckets and max entries if not specified
|
||||
|
||||
* Tue Sep 06 2022 Phil Sutter <psutter@redhat.com> - 1.4.5-16
|
||||
- local: Avoid sockaddr_un::sun_path buffer overflow
|
||||
|
||||
* Mon Aug 15 2022 Phil Sutter <psutter@redhat.com> - 1.4.5-15
|
||||
- conntrack: fix compiler warnings
|
||||
- src: fix strncpy -Wstringop-truncation warnings
|
||||
|
|
|
|||
Loading…
Reference in New Issue