From 9f283c1cf1db31cb61036b3a7d0c9f689c9e7677 Mon Sep 17 00:00:00 2001
From: CentOS Sources
Date: Mon, 23 Jan 2023 09:31:57 -0500
Subject: [PATCH] import conntrack-tools-1.4.5-17.el9_1
---
 ...sockaddr_un-sun_path-buffer-overflow.patch | 60 +++++++++++++++++++
 ...efault-hashtable-buckets-and-max-ent.patch | 38 ++++++++++++
 SPECS/conntrack-tools.spec | 10 +++-
 3 files changed, 107 insertions(+), 1 deletion(-)
 create mode 100644 SOURCES/0019-local-Avoid-sockaddr_un-sun_path-buffer-overflow.patch
 create mode 100644 SOURCES/0020-conntrackd-set-default-hashtable-buckets-and-max-ent.patch
diff --git a/SOURCES/0019-local-Avoid-sockaddr_un-sun_path-buffer-overflow.patch b/SOURCES/0019-local-Avoid-sockaddr_un-sun_path-buffer-overflow.patch
new file mode 100644
index 0000000..7ce229a
--- /dev/null
+++ b/SOURCES/0019-local-Avoid-sockaddr_un-sun_path-buffer-overflow.patch
@@ -0,0 +1,60 @@
+From 937ae00b413b46f84aa77b5ca0dae38ed2b3415a Mon Sep 17 00:00:00 2001
+From: Phil Sutter
+Date: Wed, 31 Aug 2022 13:00:52 +0200
+Subject: [PATCH] local: Avoid sockaddr_un::sun_path buffer overflow
+
+The array's size in struct sockaddr_un is only UNIX_PATH_MAX and
+according to unix(7), it should hold a null-terminated string. So adjust
+config reader to reject paths of length UNIX_PATH_MAX and above and
+adjust the internal arrays to aid the compiler.
+
+Fixes: f196de88cdd97 ("src: fix strncpy -Wstringop-truncation warnings")
+Signed-off-by: Phil Sutter
+(cherry picked from commit 96980c548d3a1aeb07ab6aaef45389efb058a69a)
+---
+ include/local.h | 4 ++--
+ src/read_config_yy.y | 6 +++---
+ 2 files changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/include/local.h b/include/local.h
+index 9379446732eed..22859d7ab60aa 100644
+--- a/include/local.h
++++ b/include/local.h
+@@ -7,12 +7,12 @@
+ 
+ struct local_conf {
+ int reuseaddr;
+- char path[UNIX_PATH_MAX + 1];
++ char path[UNIX_PATH_MAX];
+ };
+ 
+ struct local_server {
+ int fd;
+- char path[UNIX_PATH_MAX + 1];
++ char path[UNIX_PATH_MAX];
+ };
+ 
+ /* callback return values */
+diff --git a/src/read_config_yy.y b/src/read_config_yy.y
+index 401a1575014d0..d208a6a0617cf 100644
+--- a/src/read_config_yy.y
++++ b/src/read_config_yy.y
+@@ -699,12 +699,12 @@ unix_options:
+ 
+ unix_option : T_PATH T_PATH_VAL
+ {
+- if (strlen($2) > UNIX_PATH_MAX) {
++ if (strlen($2) >= UNIX_PATH_MAX) {
+ dlog(LOG_ERR, "Path is longer than %u characters",
+- UNIX_PATH_MAX);
++ UNIX_PATH_MAX - 1);
+ exit(EXIT_FAILURE);
+ }
+- snprintf(conf.local.path, sizeof(conf.local.path), "%s", $2);
++ strcpy(conf.local.path, $2);
+ free($2);
+ };
+ 
+--
+2.34.1
+
diff --git a/SOURCES/0020-conntrackd-set-default-hashtable-buckets-and-max-ent.patch b/SOURCES/0020-conntrackd-set-default-hashtable-buckets-and-max-ent.patch
new file mode 100644
index 0000000..5dcd006
--- /dev/null
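Review bot: The new `strcpy(conf.local.path, $2);` in the embedded read_config_yy.y hunk is bounded only by the `strlen($2) >= UNIX_PATH_MAX` guard a few lines above, and nothing at the copy site records that dependency, so a later relaxation of the guard would silently reintroduce the overflow this patch fixes. Add a comment on the copy, `/* strlen($2) < UNIX_PATH_MAX was checked above: fits path[UNIX_PATH_MAX] including the NUL */`. The same patch also shrinks `local_server::path` in local.h, but the code that fills that array and the copy into `sockaddr_un::sun_path` are not in this hunk, so every writer of those fields should be confirmed separately to honour the new UNIX_PATH_MAX-1 bound. The error message now prints `UNIX_PATH_MAX - 1` with `%u`; whether the macro expands to an unsigned value cannot be verified from the patch, so the specifier is worth a quick check.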
+++ b/SOURCES/0020-conntrackd-set-default-hashtable-buckets-and-max-ent.patch
@@ -0,0 +1,38 @@
+From b304d193f869c9ac9526d88dc82f7e94a7cb8cd5 Mon Sep 17 00:00:00 2001
+From: Pablo Neira Ayuso
+Date: Mon, 8 Mar 2021 16:29:25 +0100
+Subject: [PATCH] conntrackd: set default hashtable buckets and max entries if
+ not specified
+
+Fall back to 65536 buckets and 262144 entries.
+
+It would be probably good to add code to autoadjust by reading
+/proc/sys/net/netfilter/nf_conntrack_buckets and
+/proc/sys/net/nf_conntrack_max.
+
+Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1491
+Signed-off-by: Pablo Neira Ayuso
+(cherry picked from commit 3276471d23d4d96d55e9a0fb7a10983d8097dc45)
+---
+ src/read_config_yy.y | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/src/read_config_yy.y b/src/read_config_yy.y
+index d208a6a0617cf..dc67d11952901 100644
+--- a/src/read_config_yy.y
++++ b/src/read_config_yy.y
+@@ -1780,5 +1780,11 @@ init_config(char *filename)
+ NF_NETLINK_CONNTRACK_DESTROY;
+ }
+ 
++ /* default hashtable buckets and maximum number of entries */
++ if (!CONFIG(hashsize))
++ CONFIG(hashsize) = 65536;
++ if (!CONFIG(limit))
++ CONFIG(limit) = 262144;
++
+ return 0;
+ }
+--
+2.38.0
+
diff --git a/SPECS/conntrack-tools.spec b/SPECS/conntrack-tools.spec
index b5f22f1..c6744ef 100644
--- a/SPECS/conntrack-tools.spec
+++ b/SPECS/conntrack-tools.spec
@@ -1,6 +1,6 @@
 Name: conntrack-tools
 Version: 1.4.5
-Release: 15%{?dist}
+Release: 17%{?dist}
 Summary: Manipulate netfilter connection tracking table and run High Availability
 License: GPLv2
 URL: http://conntrack-tools.netfilter.org/
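Review bot: The added `if (!CONFIG(hashsize))` and `if (!CONFIG(limit))` checks in the embedded init_config() hunk cannot distinguish an option that was never set from one explicitly configured as 0, so an explicit zero is silently replaced by the built-in default; the comment should say so, e.g. `/* 0, whether unset or configured, selects the built-in default */`. Whether the parser can even deliver 0 for these options, or rejects it earlier, is not visible in this patch. The hunk shows only the tail of init_config(); the function begins outside it. As the commit message itself notes, the defaults are fixed numbers rather than derived from the kernel's nf_conntrack_buckets/nf_conntrack_max, so a log line when a default is applied would help operators notice a cache sized smaller than the kernel table.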
@@ -26,6 +26,8 @@ Patch15: 0015-Drop-pointless-assignments.patch
 Patch16: 0016-connntrack-Fix-for-memleak-when-parsing-j-arg.patch
 Patch17: 0017-src-fix-strncpy-Wstringop-truncation-warnings.patch
 Patch18: 0018-conntrack-fix-compiler-warnings.patch
+Patch19: 0019-local-Avoid-sockaddr_un-sun_path-buffer-overflow.patch
+Patch20: 0020-conntrackd-set-default-hashtable-buckets-and-max-ent.patch
 
 BuildRequires: gcc
 BuildRequires: libnfnetlink-devel >= 1.0.1, libnetfilter_conntrack-devel >= 1.0.7
@@ -106,6 +108,12 @@ install -m 0644 %{SOURCE2} %{buildroot}%{_sysconfdir}/conntrackd/
 %systemd_postun conntrackd.service
 
 %changelog
+* Tue Nov 29 2022 Phil Sutter - 1.4.5-17
+- conntrackd: set default hashtable buckets and max entries if not specified
+
+* Tue Sep 06 2022 Phil Sutter - 1.4.5-16
+- local: Avoid sockaddr_un::sun_path buffer overflow
+
 * Mon Aug 15 2022 Phil Sutter - 1.4.5-15
 - conntrack: fix compiler warnings
 - src: fix strncpy -Wstringop-truncation warnings