import conntrack-tools-1.4.5-15.el9

This commit is contained in:
CentOS Sources 2022-09-27 07:21:26 -04:00 committed by Stepan Oksanichenko
parent 04ebf7c7f5
commit f72375c52f
14 changed files with 1192 additions and 3 deletions

View File

@ -0,0 +1,38 @@
From 16b593316dcf2fac1d583397f94b727791af8a1c Mon Sep 17 00:00:00 2001
From: Pablo Neira Ayuso <pablo@netfilter.org>
Date: Wed, 20 Mar 2019 08:19:18 +0100
Subject: [PATCH] conntrackd: use strncpy() to unix path
Make sure we don't go over the buffer boundary.
Reported-by: Rijnard van Tonder <rvt@cmu.edu>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
(cherry picked from commit ce06fb6069065c3d68475356c0728a5fa0a4ab74)
---
src/read_config_yy.y | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/src/read_config_yy.y b/src/read_config_yy.y
index 6de8c6c734389..1d510ed20ec8f 100644
--- a/src/read_config_yy.y
+++ b/src/read_config_yy.y
@@ -25,6 +25,7 @@
#include <netdb.h>
#include <errno.h>
#include <stdarg.h>
+#include <limits.h>
#include "conntrackd.h"
#include "bitops.h"
#include "cidr.h"
@@ -650,7 +651,7 @@ unix_options:
unix_option : T_PATH T_PATH_VAL
{
- strcpy(conf.local.path, $2);
+ strncpy(conf.local.path, $2, PATH_MAX);
};
unix_option : T_BACKLOG T_NUMBER
--
2.34.1

View File

@ -0,0 +1,445 @@
From da531a2ee6f6bd9828c0b64b1651264acdd7e731 Mon Sep 17 00:00:00 2001
From: Ash Hughes <sehguh.hsa@gmail.com>
Date: Thu, 30 May 2019 21:49:56 +0100
Subject: [PATCH] conntrackd: Use strdup in lexer
Use strdup in the config file lexer to copy strings to yylval.string. This
should solve the "[ERROR] unknown layer 3 protocol" problem here:
https://www.spinics.net/lists/netfilter/msg58628.html.
Signed-off-by: Ash Hughes <sehguh.hsa@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
(cherry picked from commit c12fa8df76752b0a011430f069677b52e4dad164)
---
src/read_config_lex.l | 8 +++---
src/read_config_yy.y | 62 +++++++++++++++++++++++++++++++++++++++++++
2 files changed, 66 insertions(+), 4 deletions(-)
diff --git a/src/read_config_lex.l b/src/read_config_lex.l
index 120bc009295a8..b0d9e61e0e4b9 100644
--- a/src/read_config_lex.l
+++ b/src/read_config_lex.l
@@ -142,9 +142,9 @@ notrack [N|n][O|o][T|t][R|r][A|a][C|c][K|k]
{is_off} { return T_OFF; }
{integer} { yylval.val = atoi(yytext); return T_NUMBER; }
{signed_integer} { yylval.val = atoi(yytext); return T_SIGNED_NUMBER; }
-{ip4} { yylval.string = yytext; return T_IP; }
-{ip6} { yylval.string = yytext; return T_IP; }
-{path} { yylval.string = yytext; return T_PATH_VAL; }
+{ip4} { yylval.string = strdup(yytext); return T_IP; }
+{ip6} { yylval.string = strdup(yytext); return T_IP; }
+{path} { yylval.string = strdup(yytext); return T_PATH_VAL; }
{alarm} { return T_ALARM; }
{persistent} { dlog(LOG_WARNING, "Now `persistent' mode "
"is called `alarm'. Please, update "
@@ -156,7 +156,7 @@ notrack [N|n][O|o][T|t][R|r][A|a][C|c][K|k]
"your conntrackd.conf file.\n");
return T_FTFW; }
{notrack} { return T_NOTRACK; }
-{string} { yylval.string = yytext; return T_STRING; }
+{string} { yylval.string = strdup(yytext); return T_STRING; }
{comment} ;
{ws} ;
diff --git a/src/read_config_yy.y b/src/read_config_yy.y
index 1d510ed20ec8f..ceba6fc0d2426 100644
--- a/src/read_config_yy.y
+++ b/src/read_config_yy.y
@@ -117,6 +117,7 @@ logfile_bool : T_LOG T_OFF
logfile_path : T_LOG T_PATH_VAL
{
strncpy(conf.logfile, $2, FILENAME_MAXLEN);
+ free($2);
};
syslog_bool : T_SYSLOG T_ON
@@ -152,8 +153,10 @@ syslog_facility : T_SYSLOG T_STRING
else {
dlog(LOG_WARNING, "'%s' is not a known syslog facility, "
"ignoring", $2);
+ free($2);
break;
}
+ free($2);
if (conf.stats.syslog_facility != -1 &&
conf.syslog_facility != conf.stats.syslog_facility)
@@ -164,6 +167,7 @@ syslog_facility : T_SYSLOG T_STRING
lock : T_LOCK T_PATH_VAL
{
strncpy(conf.lockfile, $2, FILENAME_MAXLEN);
+ free($2);
};
refreshtime : T_REFRESH T_NUMBER
@@ -225,6 +229,7 @@ multicast_option : T_IPV4_ADDR T_IP
if (!inet_aton($2, &conf.channel[conf.channel_num].u.mcast.in)) {
dlog(LOG_WARNING, "%s is not a valid IPv4 address", $2);
+ free($2);
break;
}
@@ -235,6 +240,7 @@ multicast_option : T_IPV4_ADDR T_IP
break;
}
+ free($2);
conf.channel[conf.channel_num].u.mcast.ipproto = AF_INET;
};
@@ -247,6 +253,7 @@ multicast_option : T_IPV6_ADDR T_IP
&conf.channel[conf.channel_num].u.mcast.in);
if (err == 0) {
dlog(LOG_WARNING, "%s is not a valid IPv6 address", $2);
+ free($2);
break;
} else if (err < 0) {
dlog(LOG_ERR, "inet_pton(): IPv6 unsupported!");
@@ -257,6 +264,7 @@ multicast_option : T_IPV6_ADDR T_IP
dlog(LOG_WARNING, "your multicast address is IPv6 but "
"is binded to an IPv4 interface? "
"Surely this is not what you want");
+ free($2);
break;
}
@@ -269,12 +277,14 @@ multicast_option : T_IPV6_ADDR T_IP
idx = if_nametoindex($2);
if (!idx) {
dlog(LOG_WARNING, "%s is an invalid interface", $2);
+ free($2);
break;
}
conf.channel[conf.channel_num].u.mcast.ifa.interface_index6 = idx;
conf.channel[conf.channel_num].u.mcast.ipproto = AF_INET6;
}
+ free($2);
};
multicast_option : T_IPV4_IFACE T_IP
@@ -283,8 +293,10 @@ multicast_option : T_IPV4_IFACE T_IP
if (!inet_aton($2, &conf.channel[conf.channel_num].u.mcast.ifa)) {
dlog(LOG_WARNING, "%s is not a valid IPv4 address", $2);
+ free($2);
break;
}
+ free($2);
if (conf.channel[conf.channel_num].u.mcast.ipproto == AF_INET6) {
dlog(LOG_WARNING, "your multicast interface is IPv4 but "
@@ -299,6 +311,7 @@ multicast_option : T_IPV4_IFACE T_IP
multicast_option : T_IPV6_IFACE T_IP
{
dlog(LOG_WARNING, "`IPv6_interface' not required, ignoring");
+ free($2);
}
multicast_option : T_IFACE T_STRING
@@ -312,6 +325,7 @@ multicast_option : T_IFACE T_STRING
idx = if_nametoindex($2);
if (!idx) {
dlog(LOG_WARNING, "%s is an invalid interface", $2);
+ free($2);
break;
}
@@ -319,6 +333,8 @@ multicast_option : T_IFACE T_STRING
conf.channel[conf.channel_num].u.mcast.ifa.interface_index6 = idx;
conf.channel[conf.channel_num].u.mcast.ipproto = AF_INET6;
}
+
+ free($2);
};
multicast_option : T_GROUP T_NUMBER
@@ -390,8 +406,10 @@ udp_option : T_IPV4_ADDR T_IP
if (!inet_aton($2, &conf.channel[conf.channel_num].u.udp.server.ipv4)) {
dlog(LOG_WARNING, "%s is not a valid IPv4 address", $2);
+ free($2);
break;
}
+ free($2);
conf.channel[conf.channel_num].u.udp.ipproto = AF_INET;
};
@@ -404,12 +422,14 @@ udp_option : T_IPV6_ADDR T_IP
&conf.channel[conf.channel_num].u.udp.server.ipv6);
if (err == 0) {
dlog(LOG_WARNING, "%s is not a valid IPv6 address", $2);
+ free($2);
break;
} else if (err < 0) {
dlog(LOG_ERR, "inet_pton(): IPv6 unsupported!");
exit(EXIT_FAILURE);
}
+ free($2);
conf.channel[conf.channel_num].u.udp.ipproto = AF_INET6;
};
@@ -419,8 +439,10 @@ udp_option : T_IPV4_DEST_ADDR T_IP
if (!inet_aton($2, &conf.channel[conf.channel_num].u.udp.client)) {
dlog(LOG_WARNING, "%s is not a valid IPv4 address", $2);
+ free($2);
break;
}
+ free($2);
conf.channel[conf.channel_num].u.udp.ipproto = AF_INET;
};
@@ -433,12 +455,14 @@ udp_option : T_IPV6_DEST_ADDR T_IP
&conf.channel[conf.channel_num].u.udp.client);
if (err == 0) {
dlog(LOG_WARNING, "%s is not a valid IPv6 address", $2);
+ free($2);
break;
} else {
dlog(LOG_ERR, "inet_pton(): IPv6 unsupported!");
exit(EXIT_FAILURE);
}
+ free($2);
conf.channel[conf.channel_num].u.udp.ipproto = AF_INET6;
};
@@ -452,9 +476,12 @@ udp_option : T_IFACE T_STRING
idx = if_nametoindex($2);
if (!idx) {
dlog(LOG_WARNING, "%s is an invalid interface", $2);
+ free($2);
break;
}
conf.channel[conf.channel_num].u.udp.server.ipv6.scope_id = idx;
+
+ free($2);
};
udp_option : T_PORT T_NUMBER
@@ -530,8 +557,10 @@ tcp_option : T_IPV4_ADDR T_IP
if (!inet_aton($2, &conf.channel[conf.channel_num].u.tcp.server.ipv4)) {
dlog(LOG_WARNING, "%s is not a valid IPv4 address", $2);
+ free($2);
break;
}
+ free($2);
conf.channel[conf.channel_num].u.tcp.ipproto = AF_INET;
};
@@ -544,12 +573,14 @@ tcp_option : T_IPV6_ADDR T_IP
&conf.channel[conf.channel_num].u.tcp.server.ipv6);
if (err == 0) {
dlog(LOG_WARNING, "%s is not a valid IPv6 address", $2);
+ free($2);
break;
} else if (err < 0) {
dlog(LOG_ERR, "inet_pton(): IPv6 unsupported!");
exit(EXIT_FAILURE);
}
+ free($2);
conf.channel[conf.channel_num].u.tcp.ipproto = AF_INET6;
};
@@ -559,8 +590,10 @@ tcp_option : T_IPV4_DEST_ADDR T_IP
if (!inet_aton($2, &conf.channel[conf.channel_num].u.tcp.client)) {
dlog(LOG_WARNING, "%s is not a valid IPv4 address", $2);
+ free($2);
break;
}
+ free($2);
conf.channel[conf.channel_num].u.tcp.ipproto = AF_INET;
};
@@ -573,12 +606,14 @@ tcp_option : T_IPV6_DEST_ADDR T_IP
&conf.channel[conf.channel_num].u.tcp.client);
if (err == 0) {
dlog(LOG_WARNING, "%s is not a valid IPv6 address", $2);
+ free($2);
break;
} else if (err < 0) {
dlog(LOG_ERR, "inet_pton(): IPv6 unsupported!");
exit(EXIT_FAILURE);
}
+ free($2);
conf.channel[conf.channel_num].u.tcp.ipproto = AF_INET6;
};
@@ -592,9 +627,12 @@ tcp_option : T_IFACE T_STRING
idx = if_nametoindex($2);
if (!idx) {
dlog(LOG_WARNING, "%s is an invalid interface", $2);
+ free($2);
break;
}
conf.channel[conf.channel_num].u.tcp.server.ipv6.scope_id = idx;
+
+ free($2);
};
tcp_option : T_PORT T_NUMBER
@@ -652,6 +690,7 @@ unix_options:
unix_option : T_PATH T_PATH_VAL
{
strncpy(conf.local.path, $2, PATH_MAX);
+ free($2);
};
unix_option : T_BACKLOG T_NUMBER
@@ -739,6 +778,7 @@ expect_list:
expect_item: T_STRING
{
exp_filter_add(STATE(exp_filter), $1);
+ free($1);
}
sync_mode_alarm: T_SYNC_MODE T_ALARM '{' sync_mode_alarm_list '}'
@@ -986,8 +1026,11 @@ scheduler_line : T_TYPE T_STRING
conf.sched.type = SCHED_FIFO;
} else {
dlog(LOG_ERR, "unknown scheduler `%s'", $2);
+ free($2);
exit(EXIT_FAILURE);
}
+
+ free($2);
};
scheduler_line : T_PRIO T_NUMBER
@@ -1065,8 +1108,10 @@ filter_protocol_item : T_STRING
if (pent == NULL) {
dlog(LOG_WARNING, "getprotobyname() cannot find "
"protocol `%s' in /etc/protocols", $1);
+ free($1);
break;
}
+ free($1);
ct_filter_add_proto(STATE(us_filter), pent->p_proto);
__kernel_filter_start();
@@ -1163,12 +1208,14 @@ filter_address_item : T_IPV4_ADDR T_IP
if (cidr > 32) {
dlog(LOG_WARNING, "%s/%d is not a valid network, "
"ignoring", $2, cidr);
+ free($2);
break;
}
}
if (!inet_aton($2, &ip.ipv4)) {
dlog(LOG_WARNING, "%s is not a valid IPv4, ignoring", $2);
+ free($2);
break;
}
@@ -1194,6 +1241,7 @@ filter_address_item : T_IPV4_ADDR T_IP
"ignore pool!");
}
}
+ free($2);
__kernel_filter_start();
/* host byte order */
@@ -1223,6 +1271,7 @@ filter_address_item : T_IPV6_ADDR T_IP
if (cidr > 128) {
dlog(LOG_WARNING, "%s/%d is not a valid network, "
"ignoring", $2, cidr);
+ free($2);
break;
}
}
@@ -1230,6 +1279,7 @@ filter_address_item : T_IPV6_ADDR T_IP
err = inet_pton(AF_INET6, $2, &ip.ipv6);
if (err == 0) {
dlog(LOG_WARNING, "%s is not a valid IPv6, ignoring", $2);
+ free($2);
break;
} else if (err < 0) {
dlog(LOG_ERR, "inet_pton(): IPv6 unsupported!");
@@ -1256,6 +1306,7 @@ filter_address_item : T_IPV6_ADDR T_IP
"ignore pool!");
}
}
+ free($2);
__kernel_filter_start();
/* host byte order */
@@ -1326,6 +1377,7 @@ stat_logfile_bool : T_LOG T_OFF
stat_logfile_path : T_LOG T_PATH_VAL
{
strncpy(conf.stats.logfile, $2, FILENAME_MAXLEN);
+ free($2);
};
stat_syslog_bool : T_SYSLOG T_ON
@@ -1361,8 +1413,10 @@ stat_syslog_facility : T_SYSLOG T_STRING
else {
dlog(LOG_WARNING, "'%s' is not a known syslog facility, "
"ignoring.", $2);
+ free($2);
break;
}
+ free($2);
if (conf.syslog_facility != -1 &&
conf.stats.syslog_facility != conf.syslog_facility)
@@ -1396,8 +1450,10 @@ helper_type: T_TYPE T_STRING T_STRING T_STRING '{' helper_type_list '}'
l3proto = AF_INET6;
else {
dlog(LOG_ERR, "unknown layer 3 protocol");
+ free($3);
exit(EXIT_FAILURE);
}
+ free($3);
if (strcmp($4, "tcp") == 0)
l4proto = IPPROTO_TCP;
@@ -1405,19 +1461,23 @@ helper_type: T_TYPE T_STRING T_STRING T_STRING '{' helper_type_list '}'
l4proto = IPPROTO_UDP;
else {
dlog(LOG_ERR, "unknown layer 4 protocol");
+ free($4);
exit(EXIT_FAILURE);
}
+ free($4);
#ifdef BUILD_CTHELPER
helper = helper_find(CONNTRACKD_LIB_DIR, $2, l4proto, RTLD_NOW);
if (helper == NULL) {
dlog(LOG_ERR, "Unknown `%s' helper", $2);
+ free($2);
exit(EXIT_FAILURE);
}
#else
dlog(LOG_ERR, "Helper support is disabled, recompile conntrackd");
exit(EXIT_FAILURE);
#endif
+ free($2);
helper_inst = calloc(1, sizeof(struct ctd_helper_instance));
if (helper_inst == NULL)
@@ -1520,12 +1580,14 @@ helper_type: T_HELPER_POLICY T_STRING '{' helper_policy_list '}'
if (e == NULL) {
dlog(LOG_ERR, "Helper policy configuration empty, fix your "
"configuration file, please");
+ free($2);
exit(EXIT_FAILURE);
break;
}
policy = (struct ctd_helper_policy *) &e->data;
strncpy(policy->name, $2, CTD_HELPER_NAME_LEN);
+ free($2);
policy->name[CTD_HELPER_NAME_LEN-1] = '\0';
/* Now object is complete. */
e->type = SYMBOL_HELPER_POLICY_EXPECT_ROOT;
--
2.34.1

View File

@ -0,0 +1,40 @@
From 8cb5fba90e0c602922bd2497f2d5ea3946eac172 Mon Sep 17 00:00:00 2001
From: Michal Kubecek <mkubecek@suse.cz>
Date: Mon, 15 Jul 2019 08:46:23 +0200
Subject: [PATCH] conntrackd: use correct max unix path length
When copying value of "Path" option for unix socket, target buffer size is
UNIX_MAX_PATH so that we must not copy more bytes than that. Also make sure
that the path is null terminated and bail out if user provided path is too
long rather than silently truncate it.
Fixes: ce06fb606906 ("conntrackd: use strncpy() to unix path")
Signed-off-by: Michal Kubecek <mkubecek@suse.cz>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
(cherry picked from commit b47e00e8a579519b163cb4faed017463bf64c40d)
---
src/read_config_yy.y | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/src/read_config_yy.y b/src/read_config_yy.y
index ceba6fc0d2426..4311cd6c9a2f5 100644
--- a/src/read_config_yy.y
+++ b/src/read_config_yy.y
@@ -689,8 +689,13 @@ unix_options:
unix_option : T_PATH T_PATH_VAL
{
- strncpy(conf.local.path, $2, PATH_MAX);
+ strncpy(conf.local.path, $2, UNIX_PATH_MAX);
free($2);
+ if (conf.local.path[UNIX_PATH_MAX - 1]) {
+ dlog(LOG_ERR, "UNIX Path is longer than %u characters",
+ UNIX_PATH_MAX - 1);
+ exit(EXIT_FAILURE);
+ }
};
unix_option : T_BACKLOG T_NUMBER
--
2.34.1

View File

@ -0,0 +1,29 @@
From 928268da2fc7e4c3ba393fceba9b38c230b7151e Mon Sep 17 00:00:00 2001
From: Phil Sutter <phil@nwl.cc>
Date: Thu, 24 Mar 2022 18:06:39 +0100
Subject: [PATCH] hash: Flush tables when destroying
This is cosmetics only, but stops valgrind from complaining about
definitely lost memory.
Signed-off-by: Phil Sutter <phil@nwl.cc>
(cherry picked from commit 9be65154696859d94dcdeb7347ba5cca3b8d48ba)
---
src/hash.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/src/hash.c b/src/hash.c
index fe6a047fcebe0..a0f240c21fa82 100644
--- a/src/hash.c
+++ b/src/hash.c
@@ -55,6 +55,7 @@ hashtable_create(int hashsize, int limit,
void hashtable_destroy(struct hashtable *h)
{
+ hashtable_flush(h);
free(h);
}
--
2.34.1

View File

@ -0,0 +1,37 @@
From 22c02399e51367b8ec1b2e66a4359ae5cd8db4ae Mon Sep 17 00:00:00 2001
From: Phil Sutter <phil@nwl.cc>
Date: Thu, 24 Mar 2022 18:07:51 +0100
Subject: [PATCH] cache: Fix features array allocation
struct cache::features is of type struct cache_feature **, allocate and
populate accordingly.
Fixes: ad31f852c3454 ("initial import of the conntrack daemon to Netfilter SVN")
Signed-off-by: Phil Sutter <phil@nwl.cc>
(cherry picked from commit 549f90d8a7847f201aa604a0cf7c24b73d4b5a56)
---
src/cache.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/cache.c b/src/cache.c
index 79a024f8b6bb0..9bc8d0f5bf34a 100644
--- a/src/cache.c
+++ b/src/cache.c
@@ -69,12 +69,12 @@ struct cache *cache_create(const char *name, enum cache_type type,
memcpy(c->feature_type, feature_type, sizeof(feature_type));
- c->features = malloc(sizeof(struct cache_feature) * j);
+ c->features = malloc(sizeof(struct cache_feature *) * j);
if (!c->features) {
free(c);
return NULL;
}
- memcpy(c->features, feature_array, sizeof(struct cache_feature) * j);
+ memcpy(c->features, feature_array, sizeof(struct cache_feature *) * j);
c->num_features = j;
c->extra_offset = size;
--
2.34.1

View File

@ -0,0 +1,50 @@
From a26eb6eba3f318271d3fbd52152ad43acfc15393 Mon Sep 17 00:00:00 2001
From: Phil Sutter <phil@nwl.cc>
Date: Thu, 24 Mar 2022 18:14:50 +0100
Subject: [PATCH] Fix potential buffer overrun in snprintf() calls
When consecutively printing into the same buffer at increasing offset,
reduce buffer size passed to snprintf() to not defeat its size checking.
Signed-off-by: Phil Sutter <phil@nwl.cc>
(cherry picked from commit 0e05989f3247e9aef0d96aafc144b2d853732891)
---
src/process.c | 2 +-
src/queue.c | 4 ++--
2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/src/process.c b/src/process.c
index 3ddad5ffa7959..08598eeae84de 100644
--- a/src/process.c
+++ b/src/process.c
@@ -84,7 +84,7 @@ void fork_process_dump(int fd)
int size = 0;
list_for_each_entry(this, &process_list, head) {
- size += snprintf(buf+size, sizeof(buf),
+ size += snprintf(buf + size, sizeof(buf) - size,
"PID=%u type=%s\n",
this->pid,
this->type < CTD_PROC_MAX ?
diff --git a/src/queue.c b/src/queue.c
index 76425b18495b5..e94dc7c45d1fd 100644
--- a/src/queue.c
+++ b/src/queue.c
@@ -69,12 +69,12 @@ void queue_stats_show(int fd)
int size = 0;
char buf[512];
- size += snprintf(buf+size, sizeof(buf),
+ size += snprintf(buf + size, sizeof(buf) - size,
"allocated queue nodes:\t\t%12u\n\n",
qobjects_num);
list_for_each_entry(this, &queue_list, list) {
- size += snprintf(buf+size, sizeof(buf),
+ size += snprintf(buf + size, sizeof(buf) - size,
"queue %s:\n"
"current elements:\t\t%12u\n"
"maximum elements:\t\t%12u\n"
--
2.34.1

View File

@ -0,0 +1,55 @@
From 2c8cc74e2fbfbed8fad8e80513fc7a34674bb382 Mon Sep 17 00:00:00 2001
From: Phil Sutter <phil@nwl.cc>
Date: Thu, 24 Mar 2022 18:27:56 +0100
Subject: [PATCH] helpers: ftp: Avoid ugly casts
Coverity tool complains about accessing a local variable at non-zero
offset. Avoid this by using a helper union. This should silence the
checker, although the code is still probably not Big Endian-safe.
Signed-off-by: Phil Sutter <phil@nwl.cc>
(cherry picked from commit ff4e57e890a8628208a004587cd7a5ee955bb5fe)
---
src/helpers/ftp.c | 20 +++++++++-----------
1 file changed, 9 insertions(+), 11 deletions(-)
diff --git a/src/helpers/ftp.c b/src/helpers/ftp.c
index bd3f11788cc24..0694d38c6ea13 100644
--- a/src/helpers/ftp.c
+++ b/src/helpers/ftp.c
@@ -331,23 +331,21 @@ static int nf_nat_ftp_fmt_cmd(enum nf_ct_ftp_type type,
char *buffer, size_t buflen,
uint32_t addr, uint16_t port)
{
+ union {
+ unsigned char c[4];
+ uint32_t d;
+ } tmp;
+
+ tmp.d = addr;
switch (type) {
case NF_CT_FTP_PORT:
case NF_CT_FTP_PASV:
return snprintf(buffer, buflen, "%u,%u,%u,%u,%u,%u",
- ((unsigned char *)&addr)[0],
- ((unsigned char *)&addr)[1],
- ((unsigned char *)&addr)[2],
- ((unsigned char *)&addr)[3],
- port >> 8,
- port & 0xFF);
+ tmp.c[0], tmp.c[1], tmp.c[2], tmp.c[3],
+ port >> 8, port & 0xFF);
case NF_CT_FTP_EPRT:
return snprintf(buffer, buflen, "|1|%u.%u.%u.%u|%u|",
- ((unsigned char *)&addr)[0],
- ((unsigned char *)&addr)[1],
- ((unsigned char *)&addr)[2],
- ((unsigned char *)&addr)[3],
- port);
+ tmp.c[0], tmp.c[1], tmp.c[2], tmp.c[3], port);
case NF_CT_FTP_EPSV:
return snprintf(buffer, buflen, "|||%u|", port);
}
--
2.34.1

View File

@ -0,0 +1,30 @@
From 385a065550fba6afc9132df07b8ef9da40431c55 Mon Sep 17 00:00:00 2001
From: Phil Sutter <phil@nwl.cc>
Date: Thu, 24 Mar 2022 19:09:22 +0100
Subject: [PATCH] read_config_yy: Drop extra argument from dlog() call
False priority value was never printed.
Fixes: dfb88dae65fbd ("conntrackd: change scheduler and priority via configuration file")
Signed-off-by: Phil Sutter <phil@nwl.cc>
(cherry picked from commit f2fed05adbd05df23a063e0a9f2809399d924c64)
---
src/read_config_yy.y | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/read_config_yy.y b/src/read_config_yy.y
index 4311cd6c9a2f5..6aee67623953b 100644
--- a/src/read_config_yy.y
+++ b/src/read_config_yy.y
@@ -1042,7 +1042,7 @@ scheduler_line : T_PRIO T_NUMBER
{
conf.sched.prio = $2;
if (conf.sched.prio < 0 || conf.sched.prio > 99) {
- dlog(LOG_ERR, "`Priority' must be [0, 99]\n", $2);
+ dlog(LOG_ERR, "`Priority' must be [0, 99]\n");
exit(EXIT_FAILURE);
}
};
--
2.34.1

View File

@ -0,0 +1,30 @@
From 6441d719c562135db1a41ff34a28f9edf8caf0fb Mon Sep 17 00:00:00 2001
From: Phil Sutter <phil@nwl.cc>
Date: Fri, 25 Mar 2022 09:50:18 +0100
Subject: [PATCH] Don't call exit() from signal handler
Coverity tool complains that exit() is not signal-safe and therefore
should not be called from within a signal handler. Call _exit() instead.
Signed-off-by: Phil Sutter <phil@nwl.cc>
(cherry picked from commit 7e4d4abd47c6b9b2af745c0a4c8b5532c1886399)
---
src/run.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/run.c b/src/run.c
index f11a5327fe5e6..37a0eb1c6b957 100644
--- a/src/run.c
+++ b/src/run.c
@@ -67,7 +67,7 @@ void killer(int signo)
close_log();
sd_ct_stop();
- exit(0);
+ _exit(0);
}
static void child(int foo)
--
2.34.1

View File

@ -0,0 +1,43 @@
From addd3c1ab24b64e9569095bcf02378904444f744 Mon Sep 17 00:00:00 2001
From: Phil Sutter <phil@nwl.cc>
Date: Fri, 25 Mar 2022 10:15:13 +0100
Subject: [PATCH] Drop pointless assignments
These variables are not referred to after assigning within their scope
(or until they're overwritten).
Signed-off-by: Phil Sutter <phil@nwl.cc>
(cherry picked from commit 5ecb1226d73eb4f9407faa8d663d7038046d34c6)
---
src/helpers/ssdp.c | 1 -
src/main.c | 2 +-
2 files changed, 1 insertion(+), 2 deletions(-)
diff --git a/src/helpers/ssdp.c b/src/helpers/ssdp.c
index 58658e39d0a21..41a637a9ce720 100644
--- a/src/helpers/ssdp.c
+++ b/src/helpers/ssdp.c
@@ -259,7 +259,6 @@ static int find_hdr(const char *name, const uint8_t *data, int data_len,
data += i+2;
}
- data_len -= name_len;
data += name_len;
if (pos)
*pos = data;
diff --git a/src/main.c b/src/main.c
index 7062e12085f11..8c3fa1c943a96 100644
--- a/src/main.c
+++ b/src/main.c
@@ -320,7 +320,7 @@ int main(int argc, char *argv[])
umask(0177);
- if ((ret = init_config(config_file)) == -1) {
+ if (init_config(config_file) == -1) {
dlog(LOG_ERR, "can't open config file `%s'", config_file);
exit(EXIT_FAILURE);
}
--
2.34.1

View File

@ -0,0 +1,30 @@
From aff26dfeea91e70032bdc99bdf5bb5a194dd431d Mon Sep 17 00:00:00 2001
From: Phil Sutter <phil@nwl.cc>
Date: Fri, 25 Mar 2022 10:30:29 +0100
Subject: [PATCH] connntrack: Fix for memleak when parsing -j arg
Have to free the strings allocated by split_address_and_port().
Fixes: 29b390a212214 ("conntrack: Support IPv6 NAT")
Signed-off-by: Phil Sutter <phil@nwl.cc>
(cherry picked from commit 42cb292d6c9e8567db2e30e183b1bd31093700ad)
---
src/conntrack.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/src/conntrack.c b/src/conntrack.c
index 06f60e85fa1ed..eea5fd339c831 100644
--- a/src/conntrack.c
+++ b/src/conntrack.c
@@ -2432,6 +2432,8 @@ int main(int argc, char *argv[])
nfct_set_nat_details(c, tmpl.ct, &ad,
port_str, family);
}
+ free(port_str);
+ free(nat_address);
}
break;
case 'w':
--
2.34.1

View File

@ -0,0 +1,225 @@
From a045ef8abc1c81ac359103ac61841bae860d8960 Mon Sep 17 00:00:00 2001
From: "Jose M. Guisado Gomez" <guigom@riseup.net>
Date: Fri, 16 Aug 2019 11:25:11 +0200
Subject: [PATCH] src: fix strncpy -Wstringop-truncation warnings
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
-Wstringop-truncation warning was introduced in GCC-8 as truncation
checker for strncpy and strncat.
Systems using gcc version >= 8 would receive the following warnings:
read_config_yy.c: In function yyparse:
read_config_yy.y:1594:2: warning: strncpy specified bound 16 equals destination size [-Wstringop-truncation]
1594 | strncpy(policy->name, $2, CTD_HELPER_NAME_LEN);
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
read_config_yy.y:1384:2: warning: strncpy specified bound 256 equals destination size [-Wstringop-truncation]
1384 | strncpy(conf.stats.logfile, $2, FILENAME_MAXLEN);
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
read_config_yy.y:692:2: warning: strncpy specified bound 108 equals destination size [-Wstringop-truncation]
692 | strncpy(conf.local.path, $2, UNIX_PATH_MAX);
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
read_config_yy.y:169:2: warning: strncpy specified bound 256 equals destination size [-Wstringop-truncation]
169 | strncpy(conf.lockfile, $2, FILENAME_MAXLEN);
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
read_config_yy.y:119:2: warning: strncpy specified bound 256 equals destination size [-Wstringop-truncation]
119 | strncpy(conf.logfile, $2, FILENAME_MAXLEN);
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
main.c: In function main:
main.c:168:5: warning: strncpy specified bound 4096 equals destination size [-Wstringop-truncation]
168 | strncpy(config_file, argv[i], PATH_MAX);
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Fix the issue by checking for string length first. Also using
snprintf instead.
In addition, correct an off-by-one when warning about maximum config
file path length.
Signed-off-by: Jose M. Guisado Gomez <guigom@riseup.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
(cherry picked from commit f196de88cdd9764ddc2e4de737a960972d82fe9d)
---
include/conntrackd.h | 6 +++---
include/helper.h | 2 +-
include/local.h | 4 ++--
src/main.c | 7 +++----
src/read_config_yy.y | 39 +++++++++++++++++++++++++++++----------
5 files changed, 38 insertions(+), 20 deletions(-)
diff --git a/include/conntrackd.h b/include/conntrackd.h
index 81dff221e96de..fe9ec1854a7d2 100644
--- a/include/conntrackd.h
+++ b/include/conntrackd.h
@@ -85,9 +85,9 @@ union inet_address {
#define CONFIG(x) conf.x
struct ct_conf {
- char logfile[FILENAME_MAXLEN];
+ char logfile[FILENAME_MAXLEN + 1];
int syslog_facility;
- char lockfile[FILENAME_MAXLEN];
+ char lockfile[FILENAME_MAXLEN + 1];
int hashsize; /* hashtable size */
int channel_num;
int channel_default;
@@ -132,7 +132,7 @@ struct ct_conf {
int prio;
} sched;
struct {
- char logfile[FILENAME_MAXLEN];
+ char logfile[FILENAME_MAXLEN + 1];
int syslog_facility;
size_t buffer_size;
} stats;
diff --git a/include/helper.h b/include/helper.h
index 7353dfa9b2073..08d4cf4642802 100644
--- a/include/helper.h
+++ b/include/helper.h
@@ -13,7 +13,7 @@ struct pkt_buff;
#define CTD_HELPER_POLICY_MAX 4
struct ctd_helper_policy {
- char name[CTD_HELPER_NAME_LEN];
+ char name[CTD_HELPER_NAME_LEN + 1];
uint32_t expect_timeout;
uint32_t expect_max;
};
diff --git a/include/local.h b/include/local.h
index 22859d7ab60aa..9379446732eed 100644
--- a/include/local.h
+++ b/include/local.h
@@ -7,12 +7,12 @@
struct local_conf {
int reuseaddr;
- char path[UNIX_PATH_MAX];
+ char path[UNIX_PATH_MAX + 1];
};
struct local_server {
int fd;
- char path[UNIX_PATH_MAX];
+ char path[UNIX_PATH_MAX + 1];
};
/* callback return values */
diff --git a/src/main.c b/src/main.c
index 8c3fa1c943a96..de4773df8a204 100644
--- a/src/main.c
+++ b/src/main.c
@@ -120,8 +120,8 @@ do_chdir(const char *d)
int main(int argc, char *argv[])
{
+ char config_file[PATH_MAX + 1] = {};
int ret, i, action = -1;
- char config_file[PATH_MAX] = {};
int type = 0;
struct utsname u;
int version, major, minor;
@@ -165,13 +165,12 @@ int main(int argc, char *argv[])
break;
case 'C':
if (++i < argc) {
- strncpy(config_file, argv[i], PATH_MAX);
- if (strlen(argv[i]) >= PATH_MAX){
- config_file[PATH_MAX-1]='\0';
+ if (strlen(argv[i]) > PATH_MAX) {
dlog(LOG_WARNING, "Path to config file"
" to long. Cutting it down to %d"
" characters", PATH_MAX);
}
+ snprintf(config_file, PATH_MAX, "%s", argv[i]);
break;
}
show_usage(argv[0]);
diff --git a/src/read_config_yy.y b/src/read_config_yy.y
index 6aee67623953b..d963c494be1fc 100644
--- a/src/read_config_yy.y
+++ b/src/read_config_yy.y
@@ -116,7 +116,12 @@ logfile_bool : T_LOG T_OFF
logfile_path : T_LOG T_PATH_VAL
{
- strncpy(conf.logfile, $2, FILENAME_MAXLEN);
+ if (strlen($2) > FILENAME_MAXLEN) {
+ dlog(LOG_ERR, "LogFile path is longer than %u characters",
+ FILENAME_MAXLEN);
+ exit(EXIT_FAILURE);
+ }
+ snprintf(conf.logfile, FILENAME_MAXLEN, "%s", $2);
free($2);
};
@@ -166,7 +171,12 @@ syslog_facility : T_SYSLOG T_STRING
lock : T_LOCK T_PATH_VAL
{
- strncpy(conf.lockfile, $2, FILENAME_MAXLEN);
+ if (strlen($2) > FILENAME_MAXLEN) {
+ dlog(LOG_ERR, "LockFile path is longer than %u characters",
+ FILENAME_MAXLEN);
+ exit(EXIT_FAILURE);
+ }
+ snprintf(conf.lockfile, FILENAME_MAXLEN, "%s", $2);
free($2);
};
@@ -689,13 +699,13 @@ unix_options:
unix_option : T_PATH T_PATH_VAL
{
- strncpy(conf.local.path, $2, UNIX_PATH_MAX);
- free($2);
- if (conf.local.path[UNIX_PATH_MAX - 1]) {
- dlog(LOG_ERR, "UNIX Path is longer than %u characters",
- UNIX_PATH_MAX - 1);
+ if (strlen($2) > UNIX_PATH_MAX) {
+ dlog(LOG_ERR, "Path is longer than %u characters",
+ UNIX_PATH_MAX);
exit(EXIT_FAILURE);
}
+ snprintf(conf.local.path, UNIX_PATH_MAX, "%s", $2);
+ free($2);
};
unix_option : T_BACKLOG T_NUMBER
@@ -1381,7 +1391,12 @@ stat_logfile_bool : T_LOG T_OFF
stat_logfile_path : T_LOG T_PATH_VAL
{
- strncpy(conf.stats.logfile, $2, FILENAME_MAXLEN);
+ if (strlen($2) > FILENAME_MAXLEN) {
+ dlog(LOG_ERR, "stats LogFile path is longer than %u characters",
+ FILENAME_MAXLEN);
+ exit(EXIT_FAILURE);
+ }
+ snprintf(conf.stats.logfile, FILENAME_MAXLEN, "%s", $2);
free($2);
};
@@ -1589,11 +1604,15 @@ helper_type: T_HELPER_POLICY T_STRING '{' helper_policy_list '}'
exit(EXIT_FAILURE);
break;
}
+ if (strlen($2) > CTD_HELPER_NAME_LEN) {
+ dlog(LOG_ERR, "Helper Policy is longer than %u characters",
+ CTD_HELPER_NAME_LEN);
+ exit(EXIT_FAILURE);
+ }
policy = (struct ctd_helper_policy *) &e->data;
- strncpy(policy->name, $2, CTD_HELPER_NAME_LEN);
+ snprintf(policy->name, CTD_HELPER_NAME_LEN, "%s", $2);
free($2);
- policy->name[CTD_HELPER_NAME_LEN-1] = '\0';
/* Now object is complete. */
e->type = SYMBOL_HELPER_POLICY_EXPECT_ROOT;
stack_item_push(&symbol_stack, e);
--
2.34.1

View File

@ -0,0 +1,101 @@
From 6dda36aceaedf88b33e5a2cf216bbd3b047611a6 Mon Sep 17 00:00:00 2001
From: Florian Westphal <fw@strlen.de>
Date: Mon, 17 Jan 2022 16:42:52 +0100
Subject: [PATCH] conntrack: fix compiler warnings
.... those do not indicate bugs, but they are distracting.
'exp_filter_add' at filter.c:513:2:
__builtin_strncpy specified bound 16 equals destination size [-Wstringop-truncation]
This warning is because the size argument passed to strncpy() is
identical to buffer size, i.e. if hit the resulting string is not
0-terminated.
read_config_yy.y:1625: warning: '__builtin_snprintf' output may be truncated before the last format character [-Wformat-truncation=]
1625 | snprintf(policy->name, CTD_HELPER_NAME_LEN, "%s", $2);
read_config_yy.y:1399: warning: '__builtin_snprintf' output may be ...
1399 | snprintf(conf.stats.logfile, FILENAME_MAXLEN, "%s", $2);
read_config_yy.y:707: warning: '__builtin_snprintf' output may be ...
707 | snprintf(conf.local.path, UNIX_PATH_MAX, "%s", $2);
read_config_yy.y:179: warning: '__builtin_snprintf' output may be ...
179 | snprintf(conf.lockfile, FILENAME_MAXLEN, "%s", $2);
read_config_yy.y:124: warning: '__builtin_snprintf' output may be ...
124 | snprintf(conf.logfile, FILENAME_MAXLEN, "%s", $2);
... its because the _MAXLEN constants are one less than the output
buffer size, i.e. could use either .._MAXLEN + 1 or sizeof, this uses
sizeof().
Signed-off-by: Florian Westphal <fw@strlen.de>
(cherry picked from commit 5f15bb47bbcdb7581c80c5e488cd109450494ec2)
---
src/filter.c | 2 +-
src/read_config_yy.y | 10 +++++-----
2 files changed, 6 insertions(+), 6 deletions(-)
diff --git a/src/filter.c b/src/filter.c
index 00a5e96ecc248..9f961b1fe5b1b 100644
--- a/src/filter.c
+++ b/src/filter.c
@@ -470,7 +470,7 @@ struct exp_filter *exp_filter_create(void)
struct exp_filter_item {
struct list_head head;
- char helper_name[NFCT_HELPER_NAME_MAX];
+ char helper_name[NFCT_HELPER_NAME_MAX + 1];
};
/* this is ugly, but it simplifies read_config_yy.y */
diff --git a/src/read_config_yy.y b/src/read_config_yy.y
index d963c494be1fc..401a1575014d0 100644
--- a/src/read_config_yy.y
+++ b/src/read_config_yy.y
@@ -121,7 +121,7 @@ logfile_path : T_LOG T_PATH_VAL
FILENAME_MAXLEN);
exit(EXIT_FAILURE);
}
- snprintf(conf.logfile, FILENAME_MAXLEN, "%s", $2);
+ snprintf(conf.logfile, sizeof(conf.logfile), "%s", $2);
free($2);
};
@@ -176,7 +176,7 @@ lock : T_LOCK T_PATH_VAL
FILENAME_MAXLEN);
exit(EXIT_FAILURE);
}
- snprintf(conf.lockfile, FILENAME_MAXLEN, "%s", $2);
+ snprintf(conf.lockfile, sizeof(conf.lockfile), "%s", $2);
free($2);
};
@@ -704,7 +704,7 @@ unix_option : T_PATH T_PATH_VAL
UNIX_PATH_MAX);
exit(EXIT_FAILURE);
}
- snprintf(conf.local.path, UNIX_PATH_MAX, "%s", $2);
+ snprintf(conf.local.path, sizeof(conf.local.path), "%s", $2);
free($2);
};
@@ -1396,7 +1396,7 @@ stat_logfile_path : T_LOG T_PATH_VAL
FILENAME_MAXLEN);
exit(EXIT_FAILURE);
}
- snprintf(conf.stats.logfile, FILENAME_MAXLEN, "%s", $2);
+ snprintf(conf.stats.logfile, sizeof(conf.stats.logfile), "%s", $2);
free($2);
};
@@ -1611,7 +1611,7 @@ helper_type: T_HELPER_POLICY T_STRING '{' helper_policy_list '}'
}
policy = (struct ctd_helper_policy *) &e->data;
- snprintf(policy->name, CTD_HELPER_NAME_LEN, "%s", $2);
+ snprintf(policy->name, sizeof(policy->name), "%s", $2);
free($2);
/* Now object is complete. */
e->type = SYMBOL_HELPER_POLICY_EXPECT_ROOT;
--
2.34.1

View File

@ -1,6 +1,6 @@
Name: conntrack-tools
Version: 1.4.5
Release: 10%{?dist}
Release: 15%{?dist}
Summary: Manipulate netfilter connection tracking table and run High Availability
License: GPLv2
URL: http://conntrack-tools.netfilter.org/
@ -13,6 +13,19 @@ Patch02: 0002-helpers-Fix-for-warning-when-compiling-against-libti.patch
Patch03: 0003-build-remove-commented-out-macros-from-configure.ac.patch
Patch04: 0004-Makefile.am-Use-instead-of.patch
Patch05: 0005-nfct-remove-lazy-binding.patch
Patch06: 0006-conntrackd-use-strncpy-to-unix-path.patch
Patch07: 0007-conntrackd-Use-strdup-in-lexer.patch
Patch08: 0008-conntrackd-use-correct-max-unix-path-length.patch
Patch09: 0009-hash-Flush-tables-when-destroying.patch
Patch10: 0010-cache-Fix-features-array-allocation.patch
Patch11: 0011-Fix-potential-buffer-overrun-in-snprintf-calls.patch
Patch12: 0012-helpers-ftp-Avoid-ugly-casts.patch
Patch13: 0013-read_config_yy-Drop-extra-argument-from-dlog-call.patch
Patch14: 0014-Don-t-call-exit-from-signal-handler.patch
Patch15: 0015-Drop-pointless-assignments.patch
Patch16: 0016-connntrack-Fix-for-memleak-when-parsing-j-arg.patch
Patch17: 0017-src-fix-strncpy-Wstringop-truncation-warnings.patch
Patch18: 0018-conntrack-fix-compiler-warnings.patch
BuildRequires: gcc
BuildRequires: libnfnetlink-devel >= 1.0.1, libnetfilter_conntrack-devel >= 1.0.7
@ -93,11 +106,34 @@ install -m 0644 %{SOURCE2} %{buildroot}%{_sysconfdir}/conntrackd/
%systemd_postun conntrackd.service
%changelog
* Mon Aug 15 2022 Phil Sutter <psutter@redhat.com> - 1.4.5-15
- conntrack: fix compiler warnings
- src: fix strncpy -Wstringop-truncation warnings
- connntrack: Fix for memleak when parsing -j arg
- Drop pointless assignments
- Don't call exit() from signal handler
- read_config_yy: Drop extra argument from dlog() call
- helpers: ftp: Avoid ugly casts
- Fix potential buffer overrun in snprintf() calls
- cache: Fix features array allocation
- hash: Flush tables when destroying
* Mon Mar 28 2022 Phil Sutter <psutter@redhat.com> - 1.4.5-14
- conntrackd: use correct max unix path length
* Thu Mar 24 2022 Phil Sutter <psutter@redhat.com> - 1.4.5-13
- conntrackd: Use strdup in lexer
- conntrackd: use strncpy() to unix path
* Tue Mar 15 2022 Phil Sutter <psutter@redhat.com> - 1.4.5-12
- Fix source compile in tests.yml
* Tue Mar 15 2022 Phil Sutter <psutter@redhat.com> - 1.4.5-11
- Enable hardened builds again.
* Tue Jan 25 2022 Phil Sutter <psutter@redhat.com> - 1.4.5-10
- Drop lazy binding via patch from upstream
- Add patches to fix for failing RPC header search
- Enable hardened builds again
- Fix source compile in tests.yml
* Mon Aug 09 2021 Mohan Boddu <mboddu@redhat.com> - 1.4.5-9
- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags