import conntrack-tools-1.4.5-10.el9_0.1
This commit is contained in:
parent
4d9736e80c
commit
b41bf4f813
38
SOURCES/0006-conntrackd-use-strncpy-to-unix-path.patch
Normal file
38
SOURCES/0006-conntrackd-use-strncpy-to-unix-path.patch
Normal file
@ -0,0 +1,38 @@
|
|||||||
|
From 2c020e89fbf2f3c9d18fbd691c7e6785e195defc Mon Sep 17 00:00:00 2001
|
||||||
|
From: Pablo Neira Ayuso <pablo@netfilter.org>
|
||||||
|
Date: Wed, 20 Mar 2019 08:19:18 +0100
|
||||||
|
Subject: [PATCH] conntrackd: use strncpy() to unix path
|
||||||
|
|
||||||
|
Make sure we don't go over the buffer boundary.
|
||||||
|
|
||||||
|
Reported-by: Rijnard van Tonder <rvt@cmu.edu>
|
||||||
|
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
||||||
|
(cherry picked from commit ce06fb6069065c3d68475356c0728a5fa0a4ab74)
|
||||||
|
---
|
||||||
|
src/read_config_yy.y | 3 ++-
|
||||||
|
1 file changed, 2 insertions(+), 1 deletion(-)
|
||||||
|
|
||||||
|
diff --git a/src/read_config_yy.y b/src/read_config_yy.y
|
||||||
|
index 6de8c6c734389..1d510ed20ec8f 100644
|
||||||
|
--- a/src/read_config_yy.y
|
||||||
|
+++ b/src/read_config_yy.y
|
||||||
|
@@ -25,6 +25,7 @@
|
||||||
|
#include <netdb.h>
|
||||||
|
#include <errno.h>
|
||||||
|
#include <stdarg.h>
|
||||||
|
+#include <limits.h>
|
||||||
|
#include "conntrackd.h"
|
||||||
|
#include "bitops.h"
|
||||||
|
#include "cidr.h"
|
||||||
|
@@ -650,7 +651,7 @@ unix_options:
|
||||||
|
|
||||||
|
unix_option : T_PATH T_PATH_VAL
|
||||||
|
{
|
||||||
|
- strcpy(conf.local.path, $2);
|
||||||
|
+ strncpy(conf.local.path, $2, PATH_MAX);
|
||||||
|
};
|
||||||
|
|
||||||
|
unix_option : T_BACKLOG T_NUMBER
|
||||||
|
--
|
||||||
|
2.34.1
|
||||||
|
|
445
SOURCES/0007-conntrackd-Use-strdup-in-lexer.patch
Normal file
445
SOURCES/0007-conntrackd-Use-strdup-in-lexer.patch
Normal file
@ -0,0 +1,445 @@
|
|||||||
|
From a5edeb0b5fe0b6ac819bff1f29a2baf472cef755 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Ash Hughes <sehguh.hsa@gmail.com>
|
||||||
|
Date: Thu, 30 May 2019 21:49:56 +0100
|
||||||
|
Subject: [PATCH] conntrackd: Use strdup in lexer
|
||||||
|
|
||||||
|
Use strdup in the config file lexer to copy strings to yylval.string. This
|
||||||
|
should solve the "[ERROR] unknown layer 3 protocol" problem here:
|
||||||
|
https://www.spinics.net/lists/netfilter/msg58628.html.
|
||||||
|
|
||||||
|
Signed-off-by: Ash Hughes <sehguh.hsa@gmail.com>
|
||||||
|
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
||||||
|
(cherry picked from commit c12fa8df76752b0a011430f069677b52e4dad164)
|
||||||
|
---
|
||||||
|
src/read_config_lex.l | 8 +++---
|
||||||
|
src/read_config_yy.y | 62 +++++++++++++++++++++++++++++++++++++++++++
|
||||||
|
2 files changed, 66 insertions(+), 4 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/src/read_config_lex.l b/src/read_config_lex.l
|
||||||
|
index 120bc009295a8..b0d9e61e0e4b9 100644
|
||||||
|
--- a/src/read_config_lex.l
|
||||||
|
+++ b/src/read_config_lex.l
|
||||||
|
@@ -142,9 +142,9 @@ notrack [N|n][O|o][T|t][R|r][A|a][C|c][K|k]
|
||||||
|
{is_off} { return T_OFF; }
|
||||||
|
{integer} { yylval.val = atoi(yytext); return T_NUMBER; }
|
||||||
|
{signed_integer} { yylval.val = atoi(yytext); return T_SIGNED_NUMBER; }
|
||||||
|
-{ip4} { yylval.string = yytext; return T_IP; }
|
||||||
|
-{ip6} { yylval.string = yytext; return T_IP; }
|
||||||
|
-{path} { yylval.string = yytext; return T_PATH_VAL; }
|
||||||
|
+{ip4} { yylval.string = strdup(yytext); return T_IP; }
|
||||||
|
+{ip6} { yylval.string = strdup(yytext); return T_IP; }
|
||||||
|
+{path} { yylval.string = strdup(yytext); return T_PATH_VAL; }
|
||||||
|
{alarm} { return T_ALARM; }
|
||||||
|
{persistent} { dlog(LOG_WARNING, "Now `persistent' mode "
|
||||||
|
"is called `alarm'. Please, update "
|
||||||
|
@@ -156,7 +156,7 @@ notrack [N|n][O|o][T|t][R|r][A|a][C|c][K|k]
|
||||||
|
"your conntrackd.conf file.\n");
|
||||||
|
return T_FTFW; }
|
||||||
|
{notrack} { return T_NOTRACK; }
|
||||||
|
-{string} { yylval.string = yytext; return T_STRING; }
|
||||||
|
+{string} { yylval.string = strdup(yytext); return T_STRING; }
|
||||||
|
|
||||||
|
{comment} ;
|
||||||
|
{ws} ;
|
||||||
|
diff --git a/src/read_config_yy.y b/src/read_config_yy.y
|
||||||
|
index 1d510ed20ec8f..ceba6fc0d2426 100644
|
||||||
|
--- a/src/read_config_yy.y
|
||||||
|
+++ b/src/read_config_yy.y
|
||||||
|
@@ -117,6 +117,7 @@ logfile_bool : T_LOG T_OFF
|
||||||
|
logfile_path : T_LOG T_PATH_VAL
|
||||||
|
{
|
||||||
|
strncpy(conf.logfile, $2, FILENAME_MAXLEN);
|
||||||
|
+ free($2);
|
||||||
|
};
|
||||||
|
|
||||||
|
syslog_bool : T_SYSLOG T_ON
|
||||||
|
@@ -152,8 +153,10 @@ syslog_facility : T_SYSLOG T_STRING
|
||||||
|
else {
|
||||||
|
dlog(LOG_WARNING, "'%s' is not a known syslog facility, "
|
||||||
|
"ignoring", $2);
|
||||||
|
+ free($2);
|
||||||
|
break;
|
||||||
|
}
|
||||||
|
+ free($2);
|
||||||
|
|
||||||
|
if (conf.stats.syslog_facility != -1 &&
|
||||||
|
conf.syslog_facility != conf.stats.syslog_facility)
|
||||||
|
@@ -164,6 +167,7 @@ syslog_facility : T_SYSLOG T_STRING
|
||||||
|
lock : T_LOCK T_PATH_VAL
|
||||||
|
{
|
||||||
|
strncpy(conf.lockfile, $2, FILENAME_MAXLEN);
|
||||||
|
+ free($2);
|
||||||
|
};
|
||||||
|
|
||||||
|
refreshtime : T_REFRESH T_NUMBER
|
||||||
|
@@ -225,6 +229,7 @@ multicast_option : T_IPV4_ADDR T_IP
|
||||||
|
|
||||||
|
if (!inet_aton($2, &conf.channel[conf.channel_num].u.mcast.in)) {
|
||||||
|
dlog(LOG_WARNING, "%s is not a valid IPv4 address", $2);
|
||||||
|
+ free($2);
|
||||||
|
break;
|
||||||
|
}
|
||||||
|
|
||||||
|
@@ -235,6 +240,7 @@ multicast_option : T_IPV4_ADDR T_IP
|
||||||
|
break;
|
||||||
|
}
|
||||||
|
|
||||||
|
+ free($2);
|
||||||
|
conf.channel[conf.channel_num].u.mcast.ipproto = AF_INET;
|
||||||
|
};
|
||||||
|
|
||||||
|
@@ -247,6 +253,7 @@ multicast_option : T_IPV6_ADDR T_IP
|
||||||
|
&conf.channel[conf.channel_num].u.mcast.in);
|
||||||
|
if (err == 0) {
|
||||||
|
dlog(LOG_WARNING, "%s is not a valid IPv6 address", $2);
|
||||||
|
+ free($2);
|
||||||
|
break;
|
||||||
|
} else if (err < 0) {
|
||||||
|
dlog(LOG_ERR, "inet_pton(): IPv6 unsupported!");
|
||||||
|
@@ -257,6 +264,7 @@ multicast_option : T_IPV6_ADDR T_IP
|
||||||
|
dlog(LOG_WARNING, "your multicast address is IPv6 but "
|
||||||
|
"is binded to an IPv4 interface? "
|
||||||
|
"Surely this is not what you want");
|
||||||
|
+ free($2);
|
||||||
|
break;
|
||||||
|
}
|
||||||
|
|
||||||
|
@@ -269,12 +277,14 @@ multicast_option : T_IPV6_ADDR T_IP
|
||||||
|
idx = if_nametoindex($2);
|
||||||
|
if (!idx) {
|
||||||
|
dlog(LOG_WARNING, "%s is an invalid interface", $2);
|
||||||
|
+ free($2);
|
||||||
|
break;
|
||||||
|
}
|
||||||
|
|
||||||
|
conf.channel[conf.channel_num].u.mcast.ifa.interface_index6 = idx;
|
||||||
|
conf.channel[conf.channel_num].u.mcast.ipproto = AF_INET6;
|
||||||
|
}
|
||||||
|
+ free($2);
|
||||||
|
};
|
||||||
|
|
||||||
|
multicast_option : T_IPV4_IFACE T_IP
|
||||||
|
@@ -283,8 +293,10 @@ multicast_option : T_IPV4_IFACE T_IP
|
||||||
|
|
||||||
|
if (!inet_aton($2, &conf.channel[conf.channel_num].u.mcast.ifa)) {
|
||||||
|
dlog(LOG_WARNING, "%s is not a valid IPv4 address", $2);
|
||||||
|
+ free($2);
|
||||||
|
break;
|
||||||
|
}
|
||||||
|
+ free($2);
|
||||||
|
|
||||||
|
if (conf.channel[conf.channel_num].u.mcast.ipproto == AF_INET6) {
|
||||||
|
dlog(LOG_WARNING, "your multicast interface is IPv4 but "
|
||||||
|
@@ -299,6 +311,7 @@ multicast_option : T_IPV4_IFACE T_IP
|
||||||
|
multicast_option : T_IPV6_IFACE T_IP
|
||||||
|
{
|
||||||
|
dlog(LOG_WARNING, "`IPv6_interface' not required, ignoring");
|
||||||
|
+ free($2);
|
||||||
|
}
|
||||||
|
|
||||||
|
multicast_option : T_IFACE T_STRING
|
||||||
|
@@ -312,6 +325,7 @@ multicast_option : T_IFACE T_STRING
|
||||||
|
idx = if_nametoindex($2);
|
||||||
|
if (!idx) {
|
||||||
|
dlog(LOG_WARNING, "%s is an invalid interface", $2);
|
||||||
|
+ free($2);
|
||||||
|
break;
|
||||||
|
}
|
||||||
|
|
||||||
|
@@ -319,6 +333,8 @@ multicast_option : T_IFACE T_STRING
|
||||||
|
conf.channel[conf.channel_num].u.mcast.ifa.interface_index6 = idx;
|
||||||
|
conf.channel[conf.channel_num].u.mcast.ipproto = AF_INET6;
|
||||||
|
}
|
||||||
|
+
|
||||||
|
+ free($2);
|
||||||
|
};
|
||||||
|
|
||||||
|
multicast_option : T_GROUP T_NUMBER
|
||||||
|
@@ -390,8 +406,10 @@ udp_option : T_IPV4_ADDR T_IP
|
||||||
|
|
||||||
|
if (!inet_aton($2, &conf.channel[conf.channel_num].u.udp.server.ipv4)) {
|
||||||
|
dlog(LOG_WARNING, "%s is not a valid IPv4 address", $2);
|
||||||
|
+ free($2);
|
||||||
|
break;
|
||||||
|
}
|
||||||
|
+ free($2);
|
||||||
|
conf.channel[conf.channel_num].u.udp.ipproto = AF_INET;
|
||||||
|
};
|
||||||
|
|
||||||
|
@@ -404,12 +422,14 @@ udp_option : T_IPV6_ADDR T_IP
|
||||||
|
&conf.channel[conf.channel_num].u.udp.server.ipv6);
|
||||||
|
if (err == 0) {
|
||||||
|
dlog(LOG_WARNING, "%s is not a valid IPv6 address", $2);
|
||||||
|
+ free($2);
|
||||||
|
break;
|
||||||
|
} else if (err < 0) {
|
||||||
|
dlog(LOG_ERR, "inet_pton(): IPv6 unsupported!");
|
||||||
|
exit(EXIT_FAILURE);
|
||||||
|
}
|
||||||
|
|
||||||
|
+ free($2);
|
||||||
|
conf.channel[conf.channel_num].u.udp.ipproto = AF_INET6;
|
||||||
|
};
|
||||||
|
|
||||||
|
@@ -419,8 +439,10 @@ udp_option : T_IPV4_DEST_ADDR T_IP
|
||||||
|
|
||||||
|
if (!inet_aton($2, &conf.channel[conf.channel_num].u.udp.client)) {
|
||||||
|
dlog(LOG_WARNING, "%s is not a valid IPv4 address", $2);
|
||||||
|
+ free($2);
|
||||||
|
break;
|
||||||
|
}
|
||||||
|
+ free($2);
|
||||||
|
conf.channel[conf.channel_num].u.udp.ipproto = AF_INET;
|
||||||
|
};
|
||||||
|
|
||||||
|
@@ -433,12 +455,14 @@ udp_option : T_IPV6_DEST_ADDR T_IP
|
||||||
|
&conf.channel[conf.channel_num].u.udp.client);
|
||||||
|
if (err == 0) {
|
||||||
|
dlog(LOG_WARNING, "%s is not a valid IPv6 address", $2);
|
||||||
|
+ free($2);
|
||||||
|
break;
|
||||||
|
} else {
|
||||||
|
dlog(LOG_ERR, "inet_pton(): IPv6 unsupported!");
|
||||||
|
exit(EXIT_FAILURE);
|
||||||
|
}
|
||||||
|
|
||||||
|
+ free($2);
|
||||||
|
conf.channel[conf.channel_num].u.udp.ipproto = AF_INET6;
|
||||||
|
};
|
||||||
|
|
||||||
|
@@ -452,9 +476,12 @@ udp_option : T_IFACE T_STRING
|
||||||
|
idx = if_nametoindex($2);
|
||||||
|
if (!idx) {
|
||||||
|
dlog(LOG_WARNING, "%s is an invalid interface", $2);
|
||||||
|
+ free($2);
|
||||||
|
break;
|
||||||
|
}
|
||||||
|
conf.channel[conf.channel_num].u.udp.server.ipv6.scope_id = idx;
|
||||||
|
+
|
||||||
|
+ free($2);
|
||||||
|
};
|
||||||
|
|
||||||
|
udp_option : T_PORT T_NUMBER
|
||||||
|
@@ -530,8 +557,10 @@ tcp_option : T_IPV4_ADDR T_IP
|
||||||
|
|
||||||
|
if (!inet_aton($2, &conf.channel[conf.channel_num].u.tcp.server.ipv4)) {
|
||||||
|
dlog(LOG_WARNING, "%s is not a valid IPv4 address", $2);
|
||||||
|
+ free($2);
|
||||||
|
break;
|
||||||
|
}
|
||||||
|
+ free($2);
|
||||||
|
conf.channel[conf.channel_num].u.tcp.ipproto = AF_INET;
|
||||||
|
};
|
||||||
|
|
||||||
|
@@ -544,12 +573,14 @@ tcp_option : T_IPV6_ADDR T_IP
|
||||||
|
&conf.channel[conf.channel_num].u.tcp.server.ipv6);
|
||||||
|
if (err == 0) {
|
||||||
|
dlog(LOG_WARNING, "%s is not a valid IPv6 address", $2);
|
||||||
|
+ free($2);
|
||||||
|
break;
|
||||||
|
} else if (err < 0) {
|
||||||
|
dlog(LOG_ERR, "inet_pton(): IPv6 unsupported!");
|
||||||
|
exit(EXIT_FAILURE);
|
||||||
|
}
|
||||||
|
|
||||||
|
+ free($2);
|
||||||
|
conf.channel[conf.channel_num].u.tcp.ipproto = AF_INET6;
|
||||||
|
};
|
||||||
|
|
||||||
|
@@ -559,8 +590,10 @@ tcp_option : T_IPV4_DEST_ADDR T_IP
|
||||||
|
|
||||||
|
if (!inet_aton($2, &conf.channel[conf.channel_num].u.tcp.client)) {
|
||||||
|
dlog(LOG_WARNING, "%s is not a valid IPv4 address", $2);
|
||||||
|
+ free($2);
|
||||||
|
break;
|
||||||
|
}
|
||||||
|
+ free($2);
|
||||||
|
conf.channel[conf.channel_num].u.tcp.ipproto = AF_INET;
|
||||||
|
};
|
||||||
|
|
||||||
|
@@ -573,12 +606,14 @@ tcp_option : T_IPV6_DEST_ADDR T_IP
|
||||||
|
&conf.channel[conf.channel_num].u.tcp.client);
|
||||||
|
if (err == 0) {
|
||||||
|
dlog(LOG_WARNING, "%s is not a valid IPv6 address", $2);
|
||||||
|
+ free($2);
|
||||||
|
break;
|
||||||
|
} else if (err < 0) {
|
||||||
|
dlog(LOG_ERR, "inet_pton(): IPv6 unsupported!");
|
||||||
|
exit(EXIT_FAILURE);
|
||||||
|
}
|
||||||
|
|
||||||
|
+ free($2);
|
||||||
|
conf.channel[conf.channel_num].u.tcp.ipproto = AF_INET6;
|
||||||
|
};
|
||||||
|
|
||||||
|
@@ -592,9 +627,12 @@ tcp_option : T_IFACE T_STRING
|
||||||
|
idx = if_nametoindex($2);
|
||||||
|
if (!idx) {
|
||||||
|
dlog(LOG_WARNING, "%s is an invalid interface", $2);
|
||||||
|
+ free($2);
|
||||||
|
break;
|
||||||
|
}
|
||||||
|
conf.channel[conf.channel_num].u.tcp.server.ipv6.scope_id = idx;
|
||||||
|
+
|
||||||
|
+ free($2);
|
||||||
|
};
|
||||||
|
|
||||||
|
tcp_option : T_PORT T_NUMBER
|
||||||
|
@@ -652,6 +690,7 @@ unix_options:
|
||||||
|
unix_option : T_PATH T_PATH_VAL
|
||||||
|
{
|
||||||
|
strncpy(conf.local.path, $2, PATH_MAX);
|
||||||
|
+ free($2);
|
||||||
|
};
|
||||||
|
|
||||||
|
unix_option : T_BACKLOG T_NUMBER
|
||||||
|
@@ -739,6 +778,7 @@ expect_list:
|
||||||
|
expect_item: T_STRING
|
||||||
|
{
|
||||||
|
exp_filter_add(STATE(exp_filter), $1);
|
||||||
|
+ free($1);
|
||||||
|
}
|
||||||
|
|
||||||
|
sync_mode_alarm: T_SYNC_MODE T_ALARM '{' sync_mode_alarm_list '}'
|
||||||
|
@@ -986,8 +1026,11 @@ scheduler_line : T_TYPE T_STRING
|
||||||
|
conf.sched.type = SCHED_FIFO;
|
||||||
|
} else {
|
||||||
|
dlog(LOG_ERR, "unknown scheduler `%s'", $2);
|
||||||
|
+ free($2);
|
||||||
|
exit(EXIT_FAILURE);
|
||||||
|
}
|
||||||
|
+
|
||||||
|
+ free($2);
|
||||||
|
};
|
||||||
|
|
||||||
|
scheduler_line : T_PRIO T_NUMBER
|
||||||
|
@@ -1065,8 +1108,10 @@ filter_protocol_item : T_STRING
|
||||||
|
if (pent == NULL) {
|
||||||
|
dlog(LOG_WARNING, "getprotobyname() cannot find "
|
||||||
|
"protocol `%s' in /etc/protocols", $1);
|
||||||
|
+ free($1);
|
||||||
|
break;
|
||||||
|
}
|
||||||
|
+ free($1);
|
||||||
|
ct_filter_add_proto(STATE(us_filter), pent->p_proto);
|
||||||
|
|
||||||
|
__kernel_filter_start();
|
||||||
|
@@ -1163,12 +1208,14 @@ filter_address_item : T_IPV4_ADDR T_IP
|
||||||
|
if (cidr > 32) {
|
||||||
|
dlog(LOG_WARNING, "%s/%d is not a valid network, "
|
||||||
|
"ignoring", $2, cidr);
|
||||||
|
+ free($2);
|
||||||
|
break;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
if (!inet_aton($2, &ip.ipv4)) {
|
||||||
|
dlog(LOG_WARNING, "%s is not a valid IPv4, ignoring", $2);
|
||||||
|
+ free($2);
|
||||||
|
break;
|
||||||
|
}
|
||||||
|
|
||||||
|
@@ -1194,6 +1241,7 @@ filter_address_item : T_IPV4_ADDR T_IP
|
||||||
|
"ignore pool!");
|
||||||
|
}
|
||||||
|
}
|
||||||
|
+ free($2);
|
||||||
|
__kernel_filter_start();
|
||||||
|
|
||||||
|
/* host byte order */
|
||||||
|
@@ -1223,6 +1271,7 @@ filter_address_item : T_IPV6_ADDR T_IP
|
||||||
|
if (cidr > 128) {
|
||||||
|
dlog(LOG_WARNING, "%s/%d is not a valid network, "
|
||||||
|
"ignoring", $2, cidr);
|
||||||
|
+ free($2);
|
||||||
|
break;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
@@ -1230,6 +1279,7 @@ filter_address_item : T_IPV6_ADDR T_IP
|
||||||
|
err = inet_pton(AF_INET6, $2, &ip.ipv6);
|
||||||
|
if (err == 0) {
|
||||||
|
dlog(LOG_WARNING, "%s is not a valid IPv6, ignoring", $2);
|
||||||
|
+ free($2);
|
||||||
|
break;
|
||||||
|
} else if (err < 0) {
|
||||||
|
dlog(LOG_ERR, "inet_pton(): IPv6 unsupported!");
|
||||||
|
@@ -1256,6 +1306,7 @@ filter_address_item : T_IPV6_ADDR T_IP
|
||||||
|
"ignore pool!");
|
||||||
|
}
|
||||||
|
}
|
||||||
|
+ free($2);
|
||||||
|
__kernel_filter_start();
|
||||||
|
|
||||||
|
/* host byte order */
|
||||||
|
@@ -1326,6 +1377,7 @@ stat_logfile_bool : T_LOG T_OFF
|
||||||
|
stat_logfile_path : T_LOG T_PATH_VAL
|
||||||
|
{
|
||||||
|
strncpy(conf.stats.logfile, $2, FILENAME_MAXLEN);
|
||||||
|
+ free($2);
|
||||||
|
};
|
||||||
|
|
||||||
|
stat_syslog_bool : T_SYSLOG T_ON
|
||||||
|
@@ -1361,8 +1413,10 @@ stat_syslog_facility : T_SYSLOG T_STRING
|
||||||
|
else {
|
||||||
|
dlog(LOG_WARNING, "'%s' is not a known syslog facility, "
|
||||||
|
"ignoring.", $2);
|
||||||
|
+ free($2);
|
||||||
|
break;
|
||||||
|
}
|
||||||
|
+ free($2);
|
||||||
|
|
||||||
|
if (conf.syslog_facility != -1 &&
|
||||||
|
conf.stats.syslog_facility != conf.syslog_facility)
|
||||||
|
@@ -1396,8 +1450,10 @@ helper_type: T_TYPE T_STRING T_STRING T_STRING '{' helper_type_list '}'
|
||||||
|
l3proto = AF_INET6;
|
||||||
|
else {
|
||||||
|
dlog(LOG_ERR, "unknown layer 3 protocol");
|
||||||
|
+ free($3);
|
||||||
|
exit(EXIT_FAILURE);
|
||||||
|
}
|
||||||
|
+ free($3);
|
||||||
|
|
||||||
|
if (strcmp($4, "tcp") == 0)
|
||||||
|
l4proto = IPPROTO_TCP;
|
||||||
|
@@ -1405,19 +1461,23 @@ helper_type: T_TYPE T_STRING T_STRING T_STRING '{' helper_type_list '}'
|
||||||
|
l4proto = IPPROTO_UDP;
|
||||||
|
else {
|
||||||
|
dlog(LOG_ERR, "unknown layer 4 protocol");
|
||||||
|
+ free($4);
|
||||||
|
exit(EXIT_FAILURE);
|
||||||
|
}
|
||||||
|
+ free($4);
|
||||||
|
|
||||||
|
#ifdef BUILD_CTHELPER
|
||||||
|
helper = helper_find(CONNTRACKD_LIB_DIR, $2, l4proto, RTLD_NOW);
|
||||||
|
if (helper == NULL) {
|
||||||
|
dlog(LOG_ERR, "Unknown `%s' helper", $2);
|
||||||
|
+ free($2);
|
||||||
|
exit(EXIT_FAILURE);
|
||||||
|
}
|
||||||
|
#else
|
||||||
|
dlog(LOG_ERR, "Helper support is disabled, recompile conntrackd");
|
||||||
|
exit(EXIT_FAILURE);
|
||||||
|
#endif
|
||||||
|
+ free($2);
|
||||||
|
|
||||||
|
helper_inst = calloc(1, sizeof(struct ctd_helper_instance));
|
||||||
|
if (helper_inst == NULL)
|
||||||
|
@@ -1520,12 +1580,14 @@ helper_type: T_HELPER_POLICY T_STRING '{' helper_policy_list '}'
|
||||||
|
if (e == NULL) {
|
||||||
|
dlog(LOG_ERR, "Helper policy configuration empty, fix your "
|
||||||
|
"configuration file, please");
|
||||||
|
+ free($2);
|
||||||
|
exit(EXIT_FAILURE);
|
||||||
|
break;
|
||||||
|
}
|
||||||
|
|
||||||
|
policy = (struct ctd_helper_policy *) &e->data;
|
||||||
|
strncpy(policy->name, $2, CTD_HELPER_NAME_LEN);
|
||||||
|
+ free($2);
|
||||||
|
policy->name[CTD_HELPER_NAME_LEN-1] = '\0';
|
||||||
|
/* Now object is complete. */
|
||||||
|
e->type = SYMBOL_HELPER_POLICY_EXPECT_ROOT;
|
||||||
|
--
|
||||||
|
2.34.1
|
||||||
|
|
@ -0,0 +1,40 @@
|
|||||||
|
From 22c53808b5ced8580f2826ca6c268018345fac47 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Michal Kubecek <mkubecek@suse.cz>
|
||||||
|
Date: Mon, 15 Jul 2019 08:46:23 +0200
|
||||||
|
Subject: [PATCH] conntrackd: use correct max unix path length
|
||||||
|
|
||||||
|
When copying value of "Path" option for unix socket, target buffer size is
|
||||||
|
UNIX_MAX_PATH so that we must not copy more bytes than that. Also make sure
|
||||||
|
that the path is null terminated and bail out if user provided path is too
|
||||||
|
long rather than silently truncate it.
|
||||||
|
|
||||||
|
Fixes: ce06fb606906 ("conntrackd: use strncpy() to unix path")
|
||||||
|
Signed-off-by: Michal Kubecek <mkubecek@suse.cz>
|
||||||
|
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
||||||
|
(cherry picked from commit b47e00e8a579519b163cb4faed017463bf64c40d)
|
||||||
|
---
|
||||||
|
src/read_config_yy.y | 7 ++++++-
|
||||||
|
1 file changed, 6 insertions(+), 1 deletion(-)
|
||||||
|
|
||||||
|
diff --git a/src/read_config_yy.y b/src/read_config_yy.y
|
||||||
|
index ceba6fc0d2426..4311cd6c9a2f5 100644
|
||||||
|
--- a/src/read_config_yy.y
|
||||||
|
+++ b/src/read_config_yy.y
|
||||||
|
@@ -689,8 +689,13 @@ unix_options:
|
||||||
|
|
||||||
|
unix_option : T_PATH T_PATH_VAL
|
||||||
|
{
|
||||||
|
- strncpy(conf.local.path, $2, PATH_MAX);
|
||||||
|
+ strncpy(conf.local.path, $2, UNIX_PATH_MAX);
|
||||||
|
free($2);
|
||||||
|
+ if (conf.local.path[UNIX_PATH_MAX - 1]) {
|
||||||
|
+ dlog(LOG_ERR, "UNIX Path is longer than %u characters",
|
||||||
|
+ UNIX_PATH_MAX - 1);
|
||||||
|
+ exit(EXIT_FAILURE);
|
||||||
|
+ }
|
||||||
|
};
|
||||||
|
|
||||||
|
unix_option : T_BACKLOG T_NUMBER
|
||||||
|
--
|
||||||
|
2.34.1
|
||||||
|
|
@ -1,6 +1,6 @@
|
|||||||
Name: conntrack-tools
|
Name: conntrack-tools
|
||||||
Version: 1.4.5
|
Version: 1.4.5
|
||||||
Release: 10%{?dist}
|
Release: 10%{?dist}.1
|
||||||
Summary: Manipulate netfilter connection tracking table and run High Availability
|
Summary: Manipulate netfilter connection tracking table and run High Availability
|
||||||
License: GPLv2
|
License: GPLv2
|
||||||
URL: http://conntrack-tools.netfilter.org/
|
URL: http://conntrack-tools.netfilter.org/
|
||||||
@ -13,6 +13,9 @@ Patch02: 0002-helpers-Fix-for-warning-when-compiling-against-libti.patch
|
|||||||
Patch03: 0003-build-remove-commented-out-macros-from-configure.ac.patch
|
Patch03: 0003-build-remove-commented-out-macros-from-configure.ac.patch
|
||||||
Patch04: 0004-Makefile.am-Use-instead-of.patch
|
Patch04: 0004-Makefile.am-Use-instead-of.patch
|
||||||
Patch05: 0005-nfct-remove-lazy-binding.patch
|
Patch05: 0005-nfct-remove-lazy-binding.patch
|
||||||
|
Patch06: 0006-conntrackd-use-strncpy-to-unix-path.patch
|
||||||
|
Patch07: 0007-conntrackd-Use-strdup-in-lexer.patch
|
||||||
|
Patch08: 0008-conntrackd-use-correct-max-unix-path-length.patch
|
||||||
|
|
||||||
BuildRequires: gcc
|
BuildRequires: gcc
|
||||||
BuildRequires: libnfnetlink-devel >= 1.0.1, libnetfilter_conntrack-devel >= 1.0.7
|
BuildRequires: libnfnetlink-devel >= 1.0.1, libnetfilter_conntrack-devel >= 1.0.7
|
||||||
@ -93,6 +96,11 @@ install -m 0644 %{SOURCE2} %{buildroot}%{_sysconfdir}/conntrackd/
|
|||||||
%systemd_postun conntrackd.service
|
%systemd_postun conntrackd.service
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Thu Sep 15 2022 Phil Sutter <psutter@redhat.com> - 1.4.5-10.1
|
||||||
|
- conntrackd: use correct max unix path length
|
||||||
|
- conntrackd: Use strdup in lexer
|
||||||
|
- conntrackd: use strncpy() to unix path
|
||||||
|
|
||||||
* Tue Jan 25 2022 Phil Sutter <psutter@redhat.com> - 1.4.5-10
|
* Tue Jan 25 2022 Phil Sutter <psutter@redhat.com> - 1.4.5-10
|
||||||
- Drop lazy binding via patch from upstream
|
- Drop lazy binding via patch from upstream
|
||||||
- Add patches to fix for failing RPC header search
|
- Add patches to fix for failing RPC header search
|
||||||
|
Loading…
Reference in New Issue
Block a user