rpms/conntrack-tools
5
0
Fork 0
Code Issues Pull Requests Releases Activity

import conntrack-tools-1.4.5-17.el9_1

Browse Source
This commit is contained in:
CentOS Sources 2023-01-23 09:31:57 -05:00 committed by Stepan Oksanichenko
parent c077432b1f
commit 9f283c1cf1
3 changed files with 107 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

60
SOURCES/0019-local-Avoid-sockaddr_un-sun_path-buffer-overflow.patch Normal file
View File

@ -0,0 +1,60 @@
From 937ae00b413b46f84aa77b5ca0dae38ed2b3415a Mon Sep 17 00:00:00 2001
From: Phil Sutter <phil@nwl.cc>
Date: Wed, 31 Aug 2022 13:00:52 +0200
Subject: [PATCH] local: Avoid sockaddr_un::sun_path buffer overflow
The array's size in struct sockaddr_un is only UNIX_PATH_MAX and
according to unix(7), it should hold a null-terminated string. So adjust
config reader to reject paths of length UNIX_PATH_MAX and above and
adjust the internal arrays to aid the compiler.
Fixes: f196de88cdd97 ("src: fix strncpy -Wstringop-truncation warnings")
Signed-off-by: Phil Sutter <phil@nwl.cc>
(cherry picked from commit 96980c548d3a1aeb07ab6aaef45389efb058a69a)
---
include/local.h | 4 ++--
src/read_config_yy.y | 6 +++---
2 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/include/local.h b/include/local.h
index 9379446732eed..22859d7ab60aa 100644
--- a/include/local.h
+++ b/include/local.h
@@ -7,12 +7,12 @@
struct local_conf {
int reuseaddr;
- char path[UNIX_PATH_MAX + 1];
+ char path[UNIX_PATH_MAX];
};
struct local_server {
int fd;
- char path[UNIX_PATH_MAX + 1];
+ char path[UNIX_PATH_MAX];
};
/* callback return values */
diff --git a/src/read_config_yy.y b/src/read_config_yy.y
index 401a1575014d0..d208a6a0617cf 100644
--- a/src/read_config_yy.y
+++ b/src/read_config_yy.y
@@ -699,12 +699,12 @@ unix_options:
unix_option : T_PATH T_PATH_VAL
{
- if (strlen($2) > UNIX_PATH_MAX) {
+ if (strlen($2) >= UNIX_PATH_MAX) {
dlog(LOG_ERR, "Path is longer than %u characters",
- UNIX_PATH_MAX);
+ UNIX_PATH_MAX - 1);
exit(EXIT_FAILURE);
}
- snprintf(conf.local.path, sizeof(conf.local.path), "%s", $2);
+ strcpy(conf.local.path, $2);
free($2);
};
--
2.34.1

38
SOURCES/0020-conntrackd-set-default-hashtable-buckets-and-max-ent.patch Normal file
View File

@ -0,0 +1,38 @@
From b304d193f869c9ac9526d88dc82f7e94a7cb8cd5 Mon Sep 17 00:00:00 2001
From: Pablo Neira Ayuso <pablo@netfilter.org>
Date: Mon, 8 Mar 2021 16:29:25 +0100
Subject: [PATCH] conntrackd: set default hashtable buckets and max entries if
not specified
Fall back to 65536 buckets and 262144 entries.
It would be probably good to add code to autoadjust by reading
/proc/sys/net/netfilter/nf_conntrack_buckets and
/proc/sys/net/nf_conntrack_max.
Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1491
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
(cherry picked from commit 3276471d23d4d96d55e9a0fb7a10983d8097dc45)
---
src/read_config_yy.y | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/src/read_config_yy.y b/src/read_config_yy.y
index d208a6a0617cf..dc67d11952901 100644
--- a/src/read_config_yy.y
+++ b/src/read_config_yy.y
@@ -1780,5 +1780,11 @@ init_config(char *filename)
NF_NETLINK_CONNTRACK_DESTROY;
}
+ /* default hashtable buckets and maximum number of entries */
+ if (!CONFIG(hashsize))
+ CONFIG(hashsize) = 65536;
+ if (!CONFIG(limit))
+ CONFIG(limit) = 262144;
+
return 0;
}
--
2.38.0

10
SPECS/conntrack-tools.spec
View File

@ -1,6 +1,6 @@
Name: conntrack-tools Name: conntrack-tools
Version: 1.4.5 Version: 1.4.5
Release: 15%{?dist} Release: 17%{?dist}
Summary: Manipulate netfilter connection tracking table and run High Availability Summary: Manipulate netfilter connection tracking table and run High Availability
License: GPLv2 License: GPLv2
URL: http://conntrack-tools.netfilter.org/ URL: http://conntrack-tools.netfilter.org/
@ -26,6 +26,8 @@ Patch15: 0015-Drop-pointless-assignments.patch
Patch16: 0016-connntrack-Fix-for-memleak-when-parsing-j-arg.patch Patch16: 0016-connntrack-Fix-for-memleak-when-parsing-j-arg.patch
Patch17: 0017-src-fix-strncpy-Wstringop-truncation-warnings.patch Patch17: 0017-src-fix-strncpy-Wstringop-truncation-warnings.patch
Patch18: 0018-conntrack-fix-compiler-warnings.patch Patch18: 0018-conntrack-fix-compiler-warnings.patch
Patch19: 0019-local-Avoid-sockaddr_un-sun_path-buffer-overflow.patch
Patch20: 0020-conntrackd-set-default-hashtable-buckets-and-max-ent.patch
BuildRequires: gcc BuildRequires: gcc
BuildRequires: libnfnetlink-devel >= 1.0.1, libnetfilter_conntrack-devel >= 1.0.7 BuildRequires: libnfnetlink-devel >= 1.0.1, libnetfilter_conntrack-devel >= 1.0.7
@ -106,6 +108,12 @@ install -m 0644 %{SOURCE2} %{buildroot}%{_sysconfdir}/conntrackd/
%systemd_postun conntrackd.service %systemd_postun conntrackd.service
%changelog %changelog
* Tue Nov 29 2022 Phil Sutter <psutter@redhat.com> - 1.4.5-17
- conntrackd: set default hashtable buckets and max entries if not specified
* Tue Sep 06 2022 Phil Sutter <psutter@redhat.com> - 1.4.5-16
- local: Avoid sockaddr_un::sun_path buffer overflow
* Mon Aug 15 2022 Phil Sutter <psutter@redhat.com> - 1.4.5-15 * Mon Aug 15 2022 Phil Sutter <psutter@redhat.com> - 1.4.5-15
- conntrack: fix compiler warnings - conntrack: fix compiler warnings
- src: fix strncpy -Wstringop-truncation warnings - src: fix strncpy -Wstringop-truncation warnings