import conntrack-tools-1.4.5-10.el9_0.1

This commit is contained in:
CentOS Sources 2022-09-20 07:46:09 -04:00 committed by Stepan Oksanichenko
parent 4d9736e80c
commit b41bf4f813
4 changed files with 532 additions and 1 deletions

View File

@ -0,0 +1,38 @@
From 2c020e89fbf2f3c9d18fbd691c7e6785e195defc Mon Sep 17 00:00:00 2001
From: Pablo Neira Ayuso <pablo@netfilter.org>
Date: Wed, 20 Mar 2019 08:19:18 +0100
Subject: [PATCH] conntrackd: use strncpy() to unix path
Make sure we don't go over the buffer boundary.
Reported-by: Rijnard van Tonder <rvt@cmu.edu>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
(cherry picked from commit ce06fb6069065c3d68475356c0728a5fa0a4ab74)
---
src/read_config_yy.y | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/src/read_config_yy.y b/src/read_config_yy.y
index 6de8c6c734389..1d510ed20ec8f 100644
--- a/src/read_config_yy.y
+++ b/src/read_config_yy.y
@@ -25,6 +25,7 @@
#include <netdb.h>
#include <errno.h>
#include <stdarg.h>
+#include <limits.h>
#include "conntrackd.h"
#include "bitops.h"
#include "cidr.h"
@@ -650,7 +651,7 @@ unix_options:
unix_option : T_PATH T_PATH_VAL
{
- strcpy(conf.local.path, $2);
+ strncpy(conf.local.path, $2, PATH_MAX);
};
unix_option : T_BACKLOG T_NUMBER
--
2.34.1

View File

@ -0,0 +1,445 @@
From a5edeb0b5fe0b6ac819bff1f29a2baf472cef755 Mon Sep 17 00:00:00 2001
From: Ash Hughes <sehguh.hsa@gmail.com>
Date: Thu, 30 May 2019 21:49:56 +0100
Subject: [PATCH] conntrackd: Use strdup in lexer
Use strdup in the config file lexer to copy strings to yylval.string. This
should solve the "[ERROR] unknown layer 3 protocol" problem here:
https://www.spinics.net/lists/netfilter/msg58628.html.
Signed-off-by: Ash Hughes <sehguh.hsa@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
(cherry picked from commit c12fa8df76752b0a011430f069677b52e4dad164)
---
src/read_config_lex.l | 8 +++---
src/read_config_yy.y | 62 +++++++++++++++++++++++++++++++++++++++++++
2 files changed, 66 insertions(+), 4 deletions(-)
diff --git a/src/read_config_lex.l b/src/read_config_lex.l
index 120bc009295a8..b0d9e61e0e4b9 100644
--- a/src/read_config_lex.l
+++ b/src/read_config_lex.l
@@ -142,9 +142,9 @@ notrack [N|n][O|o][T|t][R|r][A|a][C|c][K|k]
{is_off} { return T_OFF; }
{integer} { yylval.val = atoi(yytext); return T_NUMBER; }
{signed_integer} { yylval.val = atoi(yytext); return T_SIGNED_NUMBER; }
-{ip4} { yylval.string = yytext; return T_IP; }
-{ip6} { yylval.string = yytext; return T_IP; }
-{path} { yylval.string = yytext; return T_PATH_VAL; }
+{ip4} { yylval.string = strdup(yytext); return T_IP; }
+{ip6} { yylval.string = strdup(yytext); return T_IP; }
+{path} { yylval.string = strdup(yytext); return T_PATH_VAL; }
{alarm} { return T_ALARM; }
{persistent} { dlog(LOG_WARNING, "Now `persistent' mode "
"is called `alarm'. Please, update "
@@ -156,7 +156,7 @@ notrack [N|n][O|o][T|t][R|r][A|a][C|c][K|k]
"your conntrackd.conf file.\n");
return T_FTFW; }
{notrack} { return T_NOTRACK; }
-{string} { yylval.string = yytext; return T_STRING; }
+{string} { yylval.string = strdup(yytext); return T_STRING; }
{comment} ;
{ws} ;
diff --git a/src/read_config_yy.y b/src/read_config_yy.y
index 1d510ed20ec8f..ceba6fc0d2426 100644
--- a/src/read_config_yy.y
+++ b/src/read_config_yy.y
@@ -117,6 +117,7 @@ logfile_bool : T_LOG T_OFF
logfile_path : T_LOG T_PATH_VAL
{
strncpy(conf.logfile, $2, FILENAME_MAXLEN);
+ free($2);
};
syslog_bool : T_SYSLOG T_ON
@@ -152,8 +153,10 @@ syslog_facility : T_SYSLOG T_STRING
else {
dlog(LOG_WARNING, "'%s' is not a known syslog facility, "
"ignoring", $2);
+ free($2);
break;
}
+ free($2);
if (conf.stats.syslog_facility != -1 &&
conf.syslog_facility != conf.stats.syslog_facility)
@@ -164,6 +167,7 @@ syslog_facility : T_SYSLOG T_STRING
lock : T_LOCK T_PATH_VAL
{
strncpy(conf.lockfile, $2, FILENAME_MAXLEN);
+ free($2);
};
refreshtime : T_REFRESH T_NUMBER
@@ -225,6 +229,7 @@ multicast_option : T_IPV4_ADDR T_IP
if (!inet_aton($2, &conf.channel[conf.channel_num].u.mcast.in)) {
dlog(LOG_WARNING, "%s is not a valid IPv4 address", $2);
+ free($2);
break;
}
@@ -235,6 +240,7 @@ multicast_option : T_IPV4_ADDR T_IP
break;
}
+ free($2);
conf.channel[conf.channel_num].u.mcast.ipproto = AF_INET;
};
@@ -247,6 +253,7 @@ multicast_option : T_IPV6_ADDR T_IP
&conf.channel[conf.channel_num].u.mcast.in);
if (err == 0) {
dlog(LOG_WARNING, "%s is not a valid IPv6 address", $2);
+ free($2);
break;
} else if (err < 0) {
dlog(LOG_ERR, "inet_pton(): IPv6 unsupported!");
@@ -257,6 +264,7 @@ multicast_option : T_IPV6_ADDR T_IP
dlog(LOG_WARNING, "your multicast address is IPv6 but "
"is binded to an IPv4 interface? "
"Surely this is not what you want");
+ free($2);
break;
}
@@ -269,12 +277,14 @@ multicast_option : T_IPV6_ADDR T_IP
idx = if_nametoindex($2);
if (!idx) {
dlog(LOG_WARNING, "%s is an invalid interface", $2);
+ free($2);
break;
}
conf.channel[conf.channel_num].u.mcast.ifa.interface_index6 = idx;
conf.channel[conf.channel_num].u.mcast.ipproto = AF_INET6;
}
+ free($2);
};
multicast_option : T_IPV4_IFACE T_IP
@@ -283,8 +293,10 @@ multicast_option : T_IPV4_IFACE T_IP
if (!inet_aton($2, &conf.channel[conf.channel_num].u.mcast.ifa)) {
dlog(LOG_WARNING, "%s is not a valid IPv4 address", $2);
+ free($2);
break;
}
+ free($2);
if (conf.channel[conf.channel_num].u.mcast.ipproto == AF_INET6) {
dlog(LOG_WARNING, "your multicast interface is IPv4 but "
@@ -299,6 +311,7 @@ multicast_option : T_IPV4_IFACE T_IP
multicast_option : T_IPV6_IFACE T_IP
{
dlog(LOG_WARNING, "`IPv6_interface' not required, ignoring");
+ free($2);
}
multicast_option : T_IFACE T_STRING
@@ -312,6 +325,7 @@ multicast_option : T_IFACE T_STRING
idx = if_nametoindex($2);
if (!idx) {
dlog(LOG_WARNING, "%s is an invalid interface", $2);
+ free($2);
break;
}
@@ -319,6 +333,8 @@ multicast_option : T_IFACE T_STRING
conf.channel[conf.channel_num].u.mcast.ifa.interface_index6 = idx;
conf.channel[conf.channel_num].u.mcast.ipproto = AF_INET6;
}
+
+ free($2);
};
multicast_option : T_GROUP T_NUMBER
@@ -390,8 +406,10 @@ udp_option : T_IPV4_ADDR T_IP
if (!inet_aton($2, &conf.channel[conf.channel_num].u.udp.server.ipv4)) {
dlog(LOG_WARNING, "%s is not a valid IPv4 address", $2);
+ free($2);
break;
}
+ free($2);
conf.channel[conf.channel_num].u.udp.ipproto = AF_INET;
};
@@ -404,12 +422,14 @@ udp_option : T_IPV6_ADDR T_IP
&conf.channel[conf.channel_num].u.udp.server.ipv6);
if (err == 0) {
dlog(LOG_WARNING, "%s is not a valid IPv6 address", $2);
+ free($2);
break;
} else if (err < 0) {
dlog(LOG_ERR, "inet_pton(): IPv6 unsupported!");
exit(EXIT_FAILURE);
}
+ free($2);
conf.channel[conf.channel_num].u.udp.ipproto = AF_INET6;
};
@@ -419,8 +439,10 @@ udp_option : T_IPV4_DEST_ADDR T_IP
if (!inet_aton($2, &conf.channel[conf.channel_num].u.udp.client)) {
dlog(LOG_WARNING, "%s is not a valid IPv4 address", $2);
+ free($2);
break;
}
+ free($2);
conf.channel[conf.channel_num].u.udp.ipproto = AF_INET;
};
@@ -433,12 +455,14 @@ udp_option : T_IPV6_DEST_ADDR T_IP
&conf.channel[conf.channel_num].u.udp.client);
if (err == 0) {
dlog(LOG_WARNING, "%s is not a valid IPv6 address", $2);
+ free($2);
break;
} else {
dlog(LOG_ERR, "inet_pton(): IPv6 unsupported!");
exit(EXIT_FAILURE);
}
+ free($2);
conf.channel[conf.channel_num].u.udp.ipproto = AF_INET6;
};
@@ -452,9 +476,12 @@ udp_option : T_IFACE T_STRING
idx = if_nametoindex($2);
if (!idx) {
dlog(LOG_WARNING, "%s is an invalid interface", $2);
+ free($2);
break;
}
conf.channel[conf.channel_num].u.udp.server.ipv6.scope_id = idx;
+
+ free($2);
};
udp_option : T_PORT T_NUMBER
@@ -530,8 +557,10 @@ tcp_option : T_IPV4_ADDR T_IP
if (!inet_aton($2, &conf.channel[conf.channel_num].u.tcp.server.ipv4)) {
dlog(LOG_WARNING, "%s is not a valid IPv4 address", $2);
+ free($2);
break;
}
+ free($2);
conf.channel[conf.channel_num].u.tcp.ipproto = AF_INET;
};
@@ -544,12 +573,14 @@ tcp_option : T_IPV6_ADDR T_IP
&conf.channel[conf.channel_num].u.tcp.server.ipv6);
if (err == 0) {
dlog(LOG_WARNING, "%s is not a valid IPv6 address", $2);
+ free($2);
break;
} else if (err < 0) {
dlog(LOG_ERR, "inet_pton(): IPv6 unsupported!");
exit(EXIT_FAILURE);
}
+ free($2);
conf.channel[conf.channel_num].u.tcp.ipproto = AF_INET6;
};
@@ -559,8 +590,10 @@ tcp_option : T_IPV4_DEST_ADDR T_IP
if (!inet_aton($2, &conf.channel[conf.channel_num].u.tcp.client)) {
dlog(LOG_WARNING, "%s is not a valid IPv4 address", $2);
+ free($2);
break;
}
+ free($2);
conf.channel[conf.channel_num].u.tcp.ipproto = AF_INET;
};
@@ -573,12 +606,14 @@ tcp_option : T_IPV6_DEST_ADDR T_IP
&conf.channel[conf.channel_num].u.tcp.client);
if (err == 0) {
dlog(LOG_WARNING, "%s is not a valid IPv6 address", $2);
+ free($2);
break;
} else if (err < 0) {
dlog(LOG_ERR, "inet_pton(): IPv6 unsupported!");
exit(EXIT_FAILURE);
}
+ free($2);
conf.channel[conf.channel_num].u.tcp.ipproto = AF_INET6;
};
@@ -592,9 +627,12 @@ tcp_option : T_IFACE T_STRING
idx = if_nametoindex($2);
if (!idx) {
dlog(LOG_WARNING, "%s is an invalid interface", $2);
+ free($2);
break;
}
conf.channel[conf.channel_num].u.tcp.server.ipv6.scope_id = idx;
+
+ free($2);
};
tcp_option : T_PORT T_NUMBER
@@ -652,6 +690,7 @@ unix_options:
unix_option : T_PATH T_PATH_VAL
{
strncpy(conf.local.path, $2, PATH_MAX);
+ free($2);
};
unix_option : T_BACKLOG T_NUMBER
@@ -739,6 +778,7 @@ expect_list:
expect_item: T_STRING
{
exp_filter_add(STATE(exp_filter), $1);
+ free($1);
}
sync_mode_alarm: T_SYNC_MODE T_ALARM '{' sync_mode_alarm_list '}'
@@ -986,8 +1026,11 @@ scheduler_line : T_TYPE T_STRING
conf.sched.type = SCHED_FIFO;
} else {
dlog(LOG_ERR, "unknown scheduler `%s'", $2);
+ free($2);
exit(EXIT_FAILURE);
}
+
+ free($2);
};
scheduler_line : T_PRIO T_NUMBER
@@ -1065,8 +1108,10 @@ filter_protocol_item : T_STRING
if (pent == NULL) {
dlog(LOG_WARNING, "getprotobyname() cannot find "
"protocol `%s' in /etc/protocols", $1);
+ free($1);
break;
}
+ free($1);
ct_filter_add_proto(STATE(us_filter), pent->p_proto);
__kernel_filter_start();
@@ -1163,12 +1208,14 @@ filter_address_item : T_IPV4_ADDR T_IP
if (cidr > 32) {
dlog(LOG_WARNING, "%s/%d is not a valid network, "
"ignoring", $2, cidr);
+ free($2);
break;
}
}
if (!inet_aton($2, &ip.ipv4)) {
dlog(LOG_WARNING, "%s is not a valid IPv4, ignoring", $2);
+ free($2);
break;
}
@@ -1194,6 +1241,7 @@ filter_address_item : T_IPV4_ADDR T_IP
"ignore pool!");
}
}
+ free($2);
__kernel_filter_start();
/* host byte order */
@@ -1223,6 +1271,7 @@ filter_address_item : T_IPV6_ADDR T_IP
if (cidr > 128) {
dlog(LOG_WARNING, "%s/%d is not a valid network, "
"ignoring", $2, cidr);
+ free($2);
break;
}
}
@@ -1230,6 +1279,7 @@ filter_address_item : T_IPV6_ADDR T_IP
err = inet_pton(AF_INET6, $2, &ip.ipv6);
if (err == 0) {
dlog(LOG_WARNING, "%s is not a valid IPv6, ignoring", $2);
+ free($2);
break;
} else if (err < 0) {
dlog(LOG_ERR, "inet_pton(): IPv6 unsupported!");
@@ -1256,6 +1306,7 @@ filter_address_item : T_IPV6_ADDR T_IP
"ignore pool!");
}
}
+ free($2);
__kernel_filter_start();
/* host byte order */
@@ -1326,6 +1377,7 @@ stat_logfile_bool : T_LOG T_OFF
stat_logfile_path : T_LOG T_PATH_VAL
{
strncpy(conf.stats.logfile, $2, FILENAME_MAXLEN);
+ free($2);
};
stat_syslog_bool : T_SYSLOG T_ON
@@ -1361,8 +1413,10 @@ stat_syslog_facility : T_SYSLOG T_STRING
else {
dlog(LOG_WARNING, "'%s' is not a known syslog facility, "
"ignoring.", $2);
+ free($2);
break;
}
+ free($2);
if (conf.syslog_facility != -1 &&
conf.stats.syslog_facility != conf.syslog_facility)
@@ -1396,8 +1450,10 @@ helper_type: T_TYPE T_STRING T_STRING T_STRING '{' helper_type_list '}'
l3proto = AF_INET6;
else {
dlog(LOG_ERR, "unknown layer 3 protocol");
+ free($3);
exit(EXIT_FAILURE);
}
+ free($3);
if (strcmp($4, "tcp") == 0)
l4proto = IPPROTO_TCP;
@@ -1405,19 +1461,23 @@ helper_type: T_TYPE T_STRING T_STRING T_STRING '{' helper_type_list '}'
l4proto = IPPROTO_UDP;
else {
dlog(LOG_ERR, "unknown layer 4 protocol");
+ free($4);
exit(EXIT_FAILURE);
}
+ free($4);
#ifdef BUILD_CTHELPER
helper = helper_find(CONNTRACKD_LIB_DIR, $2, l4proto, RTLD_NOW);
if (helper == NULL) {
dlog(LOG_ERR, "Unknown `%s' helper", $2);
+ free($2);
exit(EXIT_FAILURE);
}
#else
dlog(LOG_ERR, "Helper support is disabled, recompile conntrackd");
exit(EXIT_FAILURE);
#endif
+ free($2);
helper_inst = calloc(1, sizeof(struct ctd_helper_instance));
if (helper_inst == NULL)
@@ -1520,12 +1580,14 @@ helper_type: T_HELPER_POLICY T_STRING '{' helper_policy_list '}'
if (e == NULL) {
dlog(LOG_ERR, "Helper policy configuration empty, fix your "
"configuration file, please");
+ free($2);
exit(EXIT_FAILURE);
break;
}
policy = (struct ctd_helper_policy *) &e->data;
strncpy(policy->name, $2, CTD_HELPER_NAME_LEN);
+ free($2);
policy->name[CTD_HELPER_NAME_LEN-1] = '\0';
/* Now object is complete. */
e->type = SYMBOL_HELPER_POLICY_EXPECT_ROOT;
--
2.34.1

View File

@ -0,0 +1,40 @@
From 22c53808b5ced8580f2826ca6c268018345fac47 Mon Sep 17 00:00:00 2001
From: Michal Kubecek <mkubecek@suse.cz>
Date: Mon, 15 Jul 2019 08:46:23 +0200
Subject: [PATCH] conntrackd: use correct max unix path length
When copying value of "Path" option for unix socket, target buffer size is
UNIX_MAX_PATH so that we must not copy more bytes than that. Also make sure
that the path is null terminated and bail out if user provided path is too
long rather than silently truncate it.
Fixes: ce06fb606906 ("conntrackd: use strncpy() to unix path")
Signed-off-by: Michal Kubecek <mkubecek@suse.cz>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
(cherry picked from commit b47e00e8a579519b163cb4faed017463bf64c40d)
---
src/read_config_yy.y | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/src/read_config_yy.y b/src/read_config_yy.y
index ceba6fc0d2426..4311cd6c9a2f5 100644
--- a/src/read_config_yy.y
+++ b/src/read_config_yy.y
@@ -689,8 +689,13 @@ unix_options:
unix_option : T_PATH T_PATH_VAL
{
- strncpy(conf.local.path, $2, PATH_MAX);
+ strncpy(conf.local.path, $2, UNIX_PATH_MAX);
free($2);
+ if (conf.local.path[UNIX_PATH_MAX - 1]) {
+ dlog(LOG_ERR, "UNIX Path is longer than %u characters",
+ UNIX_PATH_MAX - 1);
+ exit(EXIT_FAILURE);
+ }
};
unix_option : T_BACKLOG T_NUMBER
--
2.34.1

View File

@ -1,6 +1,6 @@
Name: conntrack-tools Name: conntrack-tools
Version: 1.4.5 Version: 1.4.5
Release: 10%{?dist} Release: 10%{?dist}.1
Summary: Manipulate netfilter connection tracking table and run High Availability Summary: Manipulate netfilter connection tracking table and run High Availability
License: GPLv2 License: GPLv2
URL: http://conntrack-tools.netfilter.org/ URL: http://conntrack-tools.netfilter.org/
@ -13,6 +13,9 @@ Patch02: 0002-helpers-Fix-for-warning-when-compiling-against-libti.patch
Patch03: 0003-build-remove-commented-out-macros-from-configure.ac.patch Patch03: 0003-build-remove-commented-out-macros-from-configure.ac.patch
Patch04: 0004-Makefile.am-Use-instead-of.patch Patch04: 0004-Makefile.am-Use-instead-of.patch
Patch05: 0005-nfct-remove-lazy-binding.patch Patch05: 0005-nfct-remove-lazy-binding.patch
Patch06: 0006-conntrackd-use-strncpy-to-unix-path.patch
Patch07: 0007-conntrackd-Use-strdup-in-lexer.patch
Patch08: 0008-conntrackd-use-correct-max-unix-path-length.patch
BuildRequires: gcc BuildRequires: gcc
BuildRequires: libnfnetlink-devel >= 1.0.1, libnetfilter_conntrack-devel >= 1.0.7 BuildRequires: libnfnetlink-devel >= 1.0.1, libnetfilter_conntrack-devel >= 1.0.7
@ -93,6 +96,11 @@ install -m 0644 %{SOURCE2} %{buildroot}%{_sysconfdir}/conntrackd/
%systemd_postun conntrackd.service %systemd_postun conntrackd.service
%changelog %changelog
* Thu Sep 15 2022 Phil Sutter <psutter@redhat.com> - 1.4.5-10.1
- conntrackd: use correct max unix path length
- conntrackd: Use strdup in lexer
- conntrackd: use strncpy() to unix path
* Tue Jan 25 2022 Phil Sutter <psutter@redhat.com> - 1.4.5-10 * Tue Jan 25 2022 Phil Sutter <psutter@redhat.com> - 1.4.5-10
- Drop lazy binding via patch from upstream - Drop lazy binding via patch from upstream
- Add patches to fix for failing RPC header search - Add patches to fix for failing RPC header search