Backport: Add _FORTIFY_SOURCE support for inet_pton

- Backport: debug: Re-flow and sort routines variable in Makefile
  (RHEL-44920)
- Backport: inet: Rearrange and sort Makefile variables (RHEL-44920)
- Backport: Prepare inet_ntop to be fortified (RHEL-44920)
- Backport: Add missing guards in include/arpa/inet.h (RHEL-44920)
- Backport: Add _FORTIFY_SOURCE support for inet_ntop (RHEL-44920)
- Backport: Prepare inet_pton to be fortified (RHEL-44920)
- Backport: Add _FORTIFY_SOURCE support for inet_pton (RHEL-44920)

Resolves: RHEL-44920

glibc-RHEL-44920-1.patch

@@ -0,0 +1,135 @@
+commit 4e4641164d2722d622a1bf3b5e4583538d9c7227
+Author: Florian Weimer <fweimer@redhat.com>
+Date:   Mon Apr 17 15:41:08 2023 +0200
+
+    debug: Re-flow and sort routines variable in Makefile
+    
+    Reviewed-by: Adhemerval Zanella  <adhemerval.zanella@linaro.org>
+
+Conflicts:
+	debug/Makefile (fixed context)
+
+diff --git a/debug/Makefile b/debug/Makefile
+index 63395fc626610a53..c19c76e2b8564bd2 100644
+--- a/debug/Makefile
++++ b/debug/Makefile
+@@ -28,31 +28,94 @@ headers	:= execinfo.h
+ # Note that ptsname_r_chk and getlogin_r are not here, but in
+ # login/Makefile instead.  If that subdir is omitted from the
+ # build, its _FORTIFY_SOURCE support will be too.
+-routines  = backtrace backtracesyms backtracesymsfd noophooks \
+-	    memcpy_chk memmove_chk mempcpy_chk memset_chk stpcpy_chk \
+-	    strcat_chk strcpy_chk strncat_chk strncpy_chk stpncpy_chk \
+-	    sprintf_chk vsprintf_chk snprintf_chk vsnprintf_chk \
+-	    printf_chk fprintf_chk vprintf_chk vfprintf_chk \
+-	    gets_chk chk_fail readonly-area fgets_chk fgets_u_chk \
+-	    read_chk pread_chk pread64_chk recv_chk recvfrom_chk \
+-	    readlink_chk readlinkat_chk getwd_chk getcwd_chk \
+-	    realpath_chk fread_chk fread_u_chk \
+-	    wctomb_chk wcscpy_chk wmemcpy_chk wmemmove_chk wmempcpy_chk \
+-	    wcpcpy_chk wcsncpy_chk wcscat_chk wcsncat_chk wmemset_chk \
+-	    wcpncpy_chk \
+-	    swprintf_chk vswprintf_chk wprintf_chk fwprintf_chk \
+-	    vwprintf_chk vfwprintf_chk fgetws_chk fgetws_u_chk \
+-	    confstr_chk getgroups_chk ttyname_r_chk \
+-	    gethostname_chk getdomainname_chk wcrtomb_chk mbsnrtowcs_chk \
+-	    wcsnrtombs_chk mbsrtowcs_chk wcsrtombs_chk mbstowcs_chk \
+-	    wcstombs_chk asprintf_chk vasprintf_chk dprintf_chk \
+-	    vdprintf_chk obprintf_chk vobprintf_chk \
+-	    longjmp_chk ____longjmp_chk \
+-	    fdelt_chk poll_chk ppoll_chk \
+-	    explicit_bzero_chk \
+-	    stack_chk_fail fortify_fail \
+-	    readonly-area-fallback \
+-	    $(static-only-routines)
++routines  = \
++  ____longjmp_chk \
++  asprintf_chk \
++  backtrace \
++  backtracesyms \
++  backtracesymsfd \
++  chk_fail \
++  confstr_chk \
++  dprintf_chk \
++  explicit_bzero_chk \
++  fdelt_chk \
++  fgets_chk \
++  fgets_u_chk \
++  fgetws_chk \
++  fgetws_u_chk \
++  fortify_fail \
++  fprintf_chk \
++  fread_chk \
++  fread_u_chk \
++  fwprintf_chk \
++  getcwd_chk \
++  getdomainname_chk \
++  getgroups_chk \
++  gethostname_chk \
++  gets_chk \
++  getwd_chk \
++  longjmp_chk \
++  mbsnrtowcs_chk \
++  mbsrtowcs_chk \
++  mbstowcs_chk \
++  memcpy_chk \
++  memmove_chk \
++  mempcpy_chk \
++  memset_chk \
++  noophooks \
++  obprintf_chk \
++  poll_chk \
++  ppoll_chk \
++  pread64_chk \
++  pread_chk \
++  printf_chk \
++  read_chk \
++  readlink_chk \
++  readlinkat_chk \
++  readonly-area \
++  readonly-area-fallback \
++  realpath_chk \
++  recv_chk \
++  recvfrom_chk \
++  snprintf_chk \
++  sprintf_chk \
++  stack_chk_fail \
++  stpcpy_chk \
++  stpncpy_chk \
++  strcat_chk \
++  strcpy_chk \
++  strncat_chk \
++  strncpy_chk \
++  swprintf_chk \
++  ttyname_r_chk \
++  vasprintf_chk \
++  vdprintf_chk \
++  vfprintf_chk \
++  vfwprintf_chk \
++  vobprintf_chk \
++  vprintf_chk \
++  vsnprintf_chk \
++  vsprintf_chk \
++  vswprintf_chk \
++  vwprintf_chk \
++  wcpcpy_chk \
++  wcpncpy_chk \
++  wcrtomb_chk \
++  wcscat_chk \
++  wcscpy_chk \
++  wcsncat_chk \
++  wcsncpy_chk \
++  wcsnrtombs_chk \
++  wcsrtombs_chk \
++  wcstombs_chk \
++  wctomb_chk \
++  wmemcpy_chk \
++  wmemmove_chk \
++  wmempcpy_chk \
++  wmemset_chk \
++  wprintf_chk \
++  $(static-only-routines)
++  # routines
+ static-only-routines := stack_chk_fail_local
+ 
+ # Don't add stack_chk_fail_local.o to libc.a since __stack_chk_fail_local

glibc-RHEL-44920-2.patch

@@ -0,0 +1,168 @@
+commit b6b8a88cf59a00d7716e9dd2e5ba92eedfec69ce
+Author: Arjun Shankar <arjun@redhat.com>
+Date:   Mon Oct 2 14:55:13 2023 +0200
+
+    inet: Rearrange and sort Makefile variables
+    
+    Rearrange lists of routines, tests, etc. into one-per-line in
+    inet/Makefile and sort them using scripts/sort-makefile-lines.py.
+    Reviewed-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
+
+diff --git a/inet/Makefile b/inet/Makefile
+index cf4cf5cf8ae6732f..b7d6e40fb319f52d 100644
+--- a/inet/Makefile
++++ b/inet/Makefile
+@@ -22,41 +22,123 @@ subdir	:= inet
+ 
+ include ../Makeconfig
+ 
+-headers	:= netinet/ether.h netinet/in.h netinet/in_systm.h \
+-	   netinet/if_ether.h netinet/igmp.h \
+-	   netinet/tcp.h netinet/ip.h $(wildcard arpa/*.h protocols/*.h) \
+-	   aliases.h ifaddrs.h netinet/ip6.h netinet/icmp6.h bits/in.h \
+-	   rpc/netdb.h
+-
+-routines := htonl htons		\
+-	    inet_lnaof inet_mkadr	\
+-	    inet_netof inet_ntoa inet_net herrno herrno-loc \
+-	    gethstbyad gethstbyad_r gethstbynm gethstbynm2 gethstbynm2_r \
+-	    gethstbynm_r gethstent gethstent_r \
+-	    getnetbyad getnetbyad_r getnetbynm getnetent getnetent_r \
+-	    getnetbynm_r \
+-	    getproto getproto_r getprtent getprtent_r getprtname getprtname_r \
+-	    getsrvbynm getsrvbynm_r getsrvbypt getsrvbypt_r getservent \
+-	    getservent_r getrpcent getrpcbyname getrpcbynumber \
+-	    getrpcent_r getrpcbyname_r getrpcbynumber_r \
+-	    ether_aton ether_aton_r ether_hton ether_line \
+-	    ether_ntoa ether_ntoa_r ether_ntoh \
+-	    rcmd rexec ruserpass bindresvport \
+-	    getnetgrent_r getnetgrent \
+-	    getaliasent_r getaliasent getaliasname getaliasname_r \
+-	    in6_addr getnameinfo if_index ifaddrs inet6_option \
+-	    getipv4sourcefilter setipv4sourcefilter \
+-	    getsourcefilter setsourcefilter inet6_opt inet6_rth \
+-	    inet6_scopeid_pton deadline idna idna_name_classify
++headers := \
++  $(wildcard arpa/*.h protocols/*.h) \
++  aliases.h \
++  bits/in.h \
++  ifaddrs.h \
++  netinet/ether.h \
++  netinet/icmp6.h \
++  netinet/if_ether.h \
++  netinet/igmp.h \
++  netinet/in.h \
++  netinet/in_systm.h \
++  netinet/ip.h \
++  netinet/ip6.h \
++  netinet/tcp.h \
++  rpc/netdb.h \
++  # headers
++
++routines := \
++  bindresvport \
++  deadline \
++  ether_aton \
++  ether_aton_r \
++  ether_hton \
++  ether_line \
++  ether_ntoa \
++  ether_ntoa_r \
++  ether_ntoh \
++  getaliasent \
++  getaliasent_r \
++  getaliasname \
++  getaliasname_r \
++  gethstbyad \
++  gethstbyad_r \
++  gethstbynm \
++  gethstbynm2 \
++  gethstbynm2_r \
++  gethstbynm_r \
++  gethstent \
++  gethstent_r \
++  getipv4sourcefilter \
++  getnameinfo \
++  getnetbyad \
++  getnetbyad_r \
++  getnetbynm \
++  getnetbynm_r \
++  getnetent \
++  getnetent_r \
++  getnetgrent \
++  getnetgrent_r \
++  getproto \
++  getproto_r \
++  getprtent \
++  getprtent_r \
++  getprtname \
++  getprtname_r \
++  getrpcbyname \
++  getrpcbyname_r \
++  getrpcbynumber \
++  getrpcbynumber_r \
++  getrpcent \
++  getrpcent_r \
++  getservent \
++  getservent_r \
++  getsourcefilter \
++  getsrvbynm \
++  getsrvbynm_r \
++  getsrvbypt \
++  getsrvbypt_r \
++  herrno \
++  herrno-loc \
++  htonl \
++  htons \
++  idna \
++  idna_name_classify \
++  if_index \
++  ifaddrs \
++  in6_addr \
++  inet6_opt \
++  inet6_option \
++  inet6_rth \
++  inet6_scopeid_pton \
++  inet_lnaof \
++  inet_mkadr \
++  inet_net \
++  inet_netof \
++  inet_ntoa \
++  rcmd \
++  rexec \
++  ruserpass \
++  setipv4sourcefilter \
++  setsourcefilter \
++  # routines
+ 
+ install-others = $(inst_sysconfdir)/rpc
+ 
+ aux := check_pf check_native ifreq
+ 
+-tests := htontest test_ifindex tst-ntoa tst-ether_aton tst-network \
+-	 tst-gethnm test-ifaddrs bug-if1 test-inet6_opt tst-ether_line \
+-	 tst-getni1 tst-getni2 tst-inet6_rth tst-checks tst-checks-posix \
+-	 tst-sockaddr test-hnto-types tst-if_index-long
++tests := \
++  bug-if1 \
++  htontest \
++  test-hnto-types \
++  test-ifaddrs \
++  test-inet6_opt \
++  test_ifindex \
++  tst-checks \
++  tst-checks-posix \
++  tst-ether_aton \
++  tst-ether_line \
++  tst-gethnm \
++  tst-getni1 \
++  tst-getni2 \
++  tst-if_index-long \
++  tst-inet6_rth \
++  tst-network \
++  tst-ntoa \
++  tst-sockaddr \
++  # tests
+ 
+ # tst-deadline must be linked statically so that we can access
+ # internal functions.

glibc-RHEL-44920-3.patch

@@ -0,0 +1,81 @@
+commit 84373ef7b72c9c8ab61ce1fdfd798777715a1a52
+Author: Frédéric Bérat <fberat@redhat.com>
+Date:   Fri Mar 7 14:42:26 2025 +0100
+
+    Prepare inet_ntop to be fortified
+    
+    Rename inet_ntop to __inet_ntop and create the inet_ntop weak alias
+    based on it in order to prepare for disabling fortification when
+    available.
+    
+    Reviewed-by: Florian Weimer <fweimer@redhat.com>
+
+diff --git a/include/arpa/inet.h b/include/arpa/inet.h
+index df9472ba3bc52689..d1ea13bb19d4a497 100644
+--- a/include/arpa/inet.h
++++ b/include/arpa/inet.h
+@@ -5,7 +5,9 @@
+ extern int __inet_aton_exact (const char *__cp, struct in_addr *__inp);
+ libc_hidden_proto (__inet_aton_exact)
+ 
+-libc_hidden_proto (inet_ntop)
++extern __typeof (inet_ntop) __inet_ntop;
++libc_hidden_proto (__inet_ntop)
++
+ libc_hidden_proto (inet_pton)
+ extern __typeof (inet_pton) __inet_pton;
+ libc_hidden_proto (__inet_pton)
+diff --git a/inet/getnameinfo.c b/inet/getnameinfo.c
+index 8380d8578361b289..d0c6de6ba12b6298 100644
+--- a/inet/getnameinfo.c
++++ b/inet/getnameinfo.c
+@@ -323,7 +323,7 @@ gni_host_inet_numeric (struct scratch_buffer *tmpbuf,
+   if (sa->sa_family == AF_INET6)
+     {
+       const struct sockaddr_in6 *sin6p = (const struct sockaddr_in6 *) sa;
+-      if (inet_ntop (AF_INET6, &sin6p->sin6_addr, host, hostlen) == NULL)
++      if (__inet_ntop (AF_INET6, &sin6p->sin6_addr, host, hostlen) == NULL)
+ 	return EAI_OVERFLOW;
+ 
+       uint32_t scopeid = sin6p->sin6_scope_id;
+@@ -350,7 +350,7 @@ gni_host_inet_numeric (struct scratch_buffer *tmpbuf,
+   else
+     {
+       const struct sockaddr_in *sinp = (const struct sockaddr_in *) sa;
+-      if (inet_ntop (AF_INET, &sinp->sin_addr, host, hostlen) == NULL)
++      if (__inet_ntop (AF_INET, &sinp->sin_addr, host, hostlen) == NULL)
+ 	return EAI_OVERFLOW;
+     }
+   return 0;
+diff --git a/resolv/inet_ntop.c b/resolv/inet_ntop.c
+index c4d38c0f951013e5..acf5f3cb885e2e47 100644
+--- a/resolv/inet_ntop.c
++++ b/resolv/inet_ntop.c
+@@ -42,7 +42,7 @@ static const char *inet_ntop4 (const u_char *src, char *dst, socklen_t size);
+ static const char *inet_ntop6 (const u_char *src, char *dst, socklen_t size);
+ 
+ /* char *
+- * inet_ntop(af, src, dst, size)
++ * __inet_ntop(af, src, dst, size)
+  *	convert a network format address to presentation format.
+  * return:
+  *	pointer to presentation format address (`dst'), or NULL (see errno).
+@@ -50,7 +50,7 @@ static const char *inet_ntop6 (const u_char *src, char *dst, socklen_t size);
+  *	Paul Vixie, 1996.
+  */
+ const char *
+-inet_ntop (int af, const void *src, char *dst, socklen_t size)
++__inet_ntop (int af, const void *src, char *dst, socklen_t size)
+ {
+ 	switch (af) {
+ 	case AF_INET:
+@@ -63,7 +63,8 @@ inet_ntop (int af, const void *src, char *dst, socklen_t size)
+ 	}
+ 	/* NOTREACHED */
+ }
+-libc_hidden_def (inet_ntop)
++libc_hidden_def (__inet_ntop)
++weak_alias (__inet_ntop, inet_ntop)
+ 
+ /* const char *
+  * inet_ntop4(src, dst, size)

glibc-RHEL-44920-4.patch

@@ -0,0 +1,26 @@
+commit 3cdb99d8bb9d0008b2b297080e61d6c10dd66cc8
+Author: Frédéric Bérat <fberat@redhat.com>
+Date:   Tue Mar 11 10:40:11 2025 +0100
+
+    Add missing guards in include/arpa/inet.h
+    
+    Add the missing guards in the header, similarly to other headers at the
+    same level
+    
+    Reviewed-by: Florian Weimer <fweimer@redhat.com>
+
+diff --git a/include/arpa/inet.h b/include/arpa/inet.h
+index d1ea13bb19d4a497..d9e55a3c7f2db9f2 100644
+--- a/include/arpa/inet.h
++++ b/include/arpa/inet.h
+@@ -1,3 +1,5 @@
++#ifndef _ARPA_INET_H
++/* Note: _ARPA_INET_H is defined by inet/arpa/inet.h below.  */
+ #include <inet/arpa/inet.h>
+ 
+ #ifndef _ISOMAC
+@@ -17,3 +19,4 @@ libc_hidden_proto (inet_netof)
+ extern __typeof (inet_network) __inet_network;
+ libc_hidden_proto (__inet_network)
+ #endif
++#endif

glibc-RHEL-44920-5.patch

@@ -0,0 +1,277 @@
+commit 090dfa40a5e46f7c0e4d6e8369bcbbd51267625f
+Author: Frédéric Bérat <fberat@redhat.com>
+Date:   Fri Mar 7 18:16:30 2025 +0100
+
+    Add _FORTIFY_SOURCE support for inet_ntop
+    
+    - Create the __inet_ntop_chk routine that verifies that the builtin size
+    of the destination buffer is at least as big as the size given by the
+    user.
+    - Redirect calls from inet_ntop to __inet_ntop_chk or __inet_ntop_warn
+    - Update the abilist for this new routine
+    - Update the manual to mention the new fortification
+    
+    Reviewed-by: Florian Weimer <fweimer@redhat.com>
+
+Conflicts:
+	debug/Makefile (New routine added to static-only-routines
+	instead of routines)
+	debug/Versions (Version not updated in the backport)
+	inet/Makefile (New headers)
+	manual/maint.texi (Not relevant in current Glibc Version)
+	*/libc.abilist (Not added in the backport)
+	inet/bits/inet-fortified-decl.h (Replace __REDIRECT_FORTIFY_NTH
+	with __REDIRECT_NTH)
+	inet/bits/inet-fortified.h (removed attribute_overloadable and
+	clang specific handling)
+
+Note on the changes:
+- Since we can't modify the ABI, __inet_ntop_chk has been added to
+  static-only-routines and `attribute_hidden` has been added to its definition.
+- __REDIRECT_FORTIFY* macros aren't available in the current version, since
+  the patch to enable foritfication on glibc itself hasn't be ported.
+- clang specific handling of foritifcation has not been ported, which means the
+  following had to be removed from the patch:
+  - use of __attribute_overloadable__
+  - use of __fortify_clang_* macros
+
+diff --git a/debug/Makefile b/debug/Makefile
+index c19c76e2b8564bd2..18be784e86bbaaab 100644
+--- a/debug/Makefile
++++ b/debug/Makefile
+@@ -116,7 +116,8 @@ routines  = \
+   wprintf_chk \
+   $(static-only-routines)
+   # routines
+-static-only-routines := stack_chk_fail_local
++static-only-routines := stack_chk_fail_local \
++  inet_ntop_chk \
+ 
+ # Don't add stack_chk_fail_local.o to libc.a since __stack_chk_fail_local
+ # is an alias of __stack_chk_fail in stack_chk_fail.o.
+diff --git a/debug/inet_ntop_chk.c b/debug/inet_ntop_chk.c
+new file mode 100644
+index 0000000000000000..8a3994dd3fc9bfe4
+--- /dev/null
++++ b/debug/inet_ntop_chk.c
+@@ -0,0 +1,31 @@
++/* Copyright (C) 2025 Free Software Foundation, Inc.
++   This file is part of the GNU C Library.
++
++   The GNU C Library is free software; you can redistribute it and/or
++   modify it under the terms of the GNU Lesser General Public
++   License as published by the Free Software Foundation; either
++   version 2.1 of the License, or (at your option) any later version.
++
++   The GNU C Library is distributed in the hope that it will be useful,
++   but WITHOUT ANY WARRANTY; without even the implied warranty of
++   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
++   Lesser General Public License for more details.
++
++   You should have received a copy of the GNU Lesser General Public
++   License along with the GNU C Library; if not, see
++   <https://www.gnu.org/licenses/>.  */
++
++#include <arpa/inet.h>
++#include <stdio.h>
++
++attribute_hidden
++const char *
++__inet_ntop_chk (int af, const void *src, char *dst,
++		 socklen_t size, size_t dst_size)
++{
++  if (size > dst_size)
++    __chk_fail ();
++
++  return inet_ntop (af, src, dst, size);
++}
++libc_hidden_def (__inet_ntop_chk)
+diff --git a/debug/tst-fortify.c b/debug/tst-fortify.c
+index 01a8703de1e6e09a..50909d0af53da10e 100644
+--- a/debug/tst-fortify.c
++++ b/debug/tst-fortify.c
+@@ -24,6 +24,7 @@
+ 
+ #include <assert.h>
+ #include <fcntl.h>
++#include <arpa/inet.h>
+ #include <limits.h>
+ #include <locale.h>
+ #include <obstack.h>
+@@ -1762,6 +1763,26 @@ do_test (void)
+ # endif
+ #endif
+ 
++  struct in6_addr addr6 = {};
++  struct in_addr addr = {};
++  char addrstr6[INET6_ADDRSTRLEN];
++  char addrstr[INET_ADDRSTRLEN];
++
++  if (inet_ntop (AF_INET6, &addr6, addrstr6, sizeof (addrstr6)) == NULL)
++    FAIL ();
++  if (inet_ntop (AF_INET, &addr, addrstr, sizeof (addrstr)) == NULL)
++    FAIL ();
++
++#if __USE_FORTIFY_LEVEL >= 1
++  CHK_FAIL_START
++  inet_ntop (AF_INET6, &addr6, buf, INET6_ADDRSTRLEN);
++  CHK_FAIL_END
++
++  CHK_FAIL_START
++  inet_ntop (AF_INET, &addr, buf, INET_ADDRSTRLEN);
++  CHK_FAIL_END
++#endif
++
+   return ret;
+ }
+ 
+diff --git a/include/arpa/inet.h b/include/arpa/inet.h
+index d9e55a3c7f2db9f2..a02892f48a27454e 100644
+--- a/include/arpa/inet.h
++++ b/include/arpa/inet.h
+@@ -3,12 +3,18 @@
+ #include <inet/arpa/inet.h>
+ 
+ #ifndef _ISOMAC
++/* Declare functions with security checks.
++   This needs to be included unconditionally as these definition are needed even
++   when fortification is disabled in inet/arpa/inet.h.  */
++#include <bits/inet-fortified-decl.h>
++
+ /* Variant of inet_aton which rejects trailing garbage.  */
+ extern int __inet_aton_exact (const char *__cp, struct in_addr *__inp);
+ libc_hidden_proto (__inet_aton_exact)
+ 
+ extern __typeof (inet_ntop) __inet_ntop;
+ libc_hidden_proto (__inet_ntop)
++libc_hidden_proto (__inet_ntop_chk)
+ 
+ libc_hidden_proto (inet_pton)
+ extern __typeof (inet_pton) __inet_pton;
+diff --git a/include/bits/inet-fortified-decl.h b/include/bits/inet-fortified-decl.h
+new file mode 100644
+index 0000000000000000..e6ad4d4663c61a0d
+--- /dev/null
++++ b/include/bits/inet-fortified-decl.h
+@@ -0,0 +1 @@
++#include <inet/bits/inet-fortified-decl.h>
+diff --git a/include/bits/inet-fortified.h b/include/bits/inet-fortified.h
+new file mode 100644
+index 0000000000000000..abba7c57014c2a23
+--- /dev/null
++++ b/include/bits/inet-fortified.h
+@@ -0,0 +1 @@
++#include <inet/bits/inet-fortified.h>
+diff --git a/inet/Makefile b/inet/Makefile
+index b7d6e40fb319f52d..ef6b94ed0b519d6d 100644
+--- a/inet/Makefile
++++ b/inet/Makefile
+@@ -26,6 +26,8 @@ headers := \
+   $(wildcard arpa/*.h protocols/*.h) \
+   aliases.h \
+   bits/in.h \
++  bits/inet-fortified-decl.h \
++  bits/inet-fortified.h \
+   ifaddrs.h \
+   netinet/ether.h \
+   netinet/icmp6.h \
+diff --git a/inet/arpa/inet.h b/inet/arpa/inet.h
+index 54c9c6d468b66a2f..2ac498061a533a7b 100644
+--- a/inet/arpa/inet.h
++++ b/inet/arpa/inet.h
+@@ -101,6 +101,11 @@ extern char *inet_nsap_ntoa (int __len, const unsigned char *__cp,
+ 			     char *__buf) __THROW;
+ #endif
+ 
++#if __USE_FORTIFY_LEVEL > 0 && defined __fortify_function
++/* Include functions with security checks.  */
++#  include <bits/inet-fortified.h>
++#endif
++
+ __END_DECLS
+ 
+ #endif /* arpa/inet.h */
+diff --git a/inet/bits/inet-fortified-decl.h b/inet/bits/inet-fortified-decl.h
+new file mode 100644
+index 0000000000000000..229063ae7898ba2d
+--- /dev/null
++++ b/inet/bits/inet-fortified-decl.h
+@@ -0,0 +1,35 @@
++/* Declarations of checking macros for inet functions.
++   Copyright (C) 2025 Free Software Foundation, Inc.
++   This file is part of the GNU C Library.
++
++   The GNU C Library is free software; you can redistribute it and/or
++   modify it under the terms of the GNU Lesser General Public
++   License as published by the Free Software Foundation; either
++   version 2.1 of the License, or (at your option) any later version.
++
++   The GNU C Library is distributed in the hope that it will be useful,
++   but WITHOUT ANY WARRANTY; without even the implied warranty of
++   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
++   Lesser General Public License for more details.
++
++   You should have received a copy of the GNU Lesser General Public
++   License along with the GNU C Library; if not, see
++   <https://www.gnu.org/licenses/>.  */
++
++#ifndef _BITS_INET_FORTIFIED_DEC_H
++#define _BITS_INET_FORTIFIED_DEC_H 1
++
++#ifndef _ARPA_INET_H
++# error "Never include <bits/inet-fortified-decl.h> directly; use <arpa/inet.h> instead."
++#endif
++
++extern const char *__inet_ntop_chk (int, const void *, char *, socklen_t, size_t);
++
++extern const char *__REDIRECT_NTH (__inet_ntop_alias,
++				   (int, const void *, char *, socklen_t), inet_ntop);
++extern const char *__REDIRECT_NTH (__inet_ntop_chk_warn,
++				   (int, const void *, char *, socklen_t, size_t), __inet_ntop_chk)
++     __warnattr ("inet_ntop called with bigger length than "
++		 "size of destination buffer");
++
++#endif /* bits/inet-fortified-decl.h.  */
+diff --git a/inet/bits/inet-fortified.h b/inet/bits/inet-fortified.h
+new file mode 100644
+index 0000000000000000..af26f36ef6ae0533
+--- /dev/null
++++ b/inet/bits/inet-fortified.h
+@@ -0,0 +1,37 @@
++/* Checking macros for inet functions.
++   Copyright (C) 2025 Free Software Foundation, Inc.
++   This file is part of the GNU C Library.
++
++   The GNU C Library is free software; you can redistribute it and/or
++   modify it under the terms of the GNU Lesser General Public
++   License as published by the Free Software Foundation; either
++   version 2.1 of the License, or (at your option) any later version.
++
++   The GNU C Library is distributed in the hope that it will be useful,
++   but WITHOUT ANY WARRANTY; without even the implied warranty of
++   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
++   Lesser General Public License for more details.
++
++   You should have received a copy of the GNU Lesser General Public
++   License along with the GNU C Library; if not, see
++   <https://www.gnu.org/licenses/>.  */
++
++#ifndef _BITS_INET_FORTIFIED_H
++#define _BITS_INET_FORTIFIED_H 1
++
++#ifndef _ARPA_INET_H
++# error "Never include <bits/inet-fortified.h> directly; use <arpa/inet.h> instead."
++#endif
++
++#include <bits/inet-fortified-decl.h>
++
++__fortify_function const char *
++__NTH (inet_ntop (int __af, const void * __restrict __src,
++		  char *__restrict __dst, socklen_t __dst_size))
++{
++  return __glibc_fortify (inet_ntop, __dst_size, sizeof (char),
++			  __glibc_objsize (__dst),
++			  __af, __src, __dst, __dst_size);
++};
++
++#endif /* bits/inet-fortified.h.  */

glibc-RHEL-44920-6.patch

@@ -0,0 +1,23 @@
+commit 7f0d9e61f40c669fca3cfd1e342fa8236c7220b7
+Author: Paul Pluzhnikov <ppluzhnikov@google.com>
+Date:   Sat May 20 13:37:47 2023 +0000
+
+    Fix all the remaining misspellings -- BZ 25337
+
+Note on the changes:
+- Partial backport, the only file modified is `resolv/inet_pton.c` to
+  ease further backport for RHEL-44920.
+
+diff --git a/resolv/inet_pton.c b/resolv/inet_pton.c
+index f1d5db75d0d47501..835f364794c1be96 100644
+--- a/resolv/inet_pton.c
++++ b/resolv/inet_pton.c
+@@ -121,7 +121,7 @@ inet_pton4 (const char *src, const char *end, unsigned char *dst)
+   return 1;
+ }
+ 
+-/* Return the value of CH as a hexademical digit, or -1 if it is a
++/* Return the value of CH as a hexadecimal digit, or -1 if it is a
+    different type of character.  */
+ static int
+ hex_digit_value (char ch)

glibc-RHEL-44920-7.patch

@@ -0,0 +1,471 @@
+commit a71db81ed1353edd00ca2901d2fefd98c53209d3
+Author: Aaron Merey <amerey@redhat.com>
+Date:   Thu Mar 20 11:07:05 2025 -0400
+
+    Prepare inet_pton to be fortified
+    
+    Split inet_pton internals such as __inet_pton_length from the
+    inet_pton entry point.
+    
+    This allows the internals to be built with fortification while
+    leaving the inet_pton entry point unchanged.
+    
+    Co-authored-by: Frédéric Bérat <fberat@redhat.com>
+    Reviewed-by: Florian Weimer <fweimer@redhat.com>
+
+diff --git a/resolv/Makefile b/resolv/Makefile
+index e168a81d9e086df4..f3f5c260d0b7471f 100644
+--- a/resolv/Makefile
++++ b/resolv/Makefile
+@@ -38,6 +38,7 @@ routines := \
+   inet_addr \
+   inet_ntop \
+   inet_pton \
++  inet_pton_length \
+   ns_makecanon \
+   ns_name_compress \
+   ns_name_length_uncompressed \
+@@ -73,6 +74,11 @@ routines := \
+   resolv_context \
+   # routines
+ 
++# Exclude fortified routines from being built with _FORTIFY_SOURCE
++routines_no_fortify += \
++  inet_pton \
++  # routines_no_fortify
++
+ tests = tst-aton tst-leaks tst-inet_ntop
+ tests-container = tst-leaks2
+ 
+diff --git a/resolv/inet_pton.c b/resolv/inet_pton.c
+index 835f364794c1be96..cebccb2e1ee7bfd1 100644
+--- a/resolv/inet_pton.c
++++ b/resolv/inet_pton.c
+@@ -33,33 +33,7 @@
+  */
+ 
+ #include <arpa/inet.h>
+-#include <arpa/nameser.h>
+-#include <ctype.h>
+-#include <errno.h>
+-#include <netinet/in.h>
+ #include <resolv/resolv-internal.h>
+-#include <string.h>
+-#include <sys/socket.h>
+-#include <sys/types.h>
+-
+-static int inet_pton4 (const char *src, const char *src_end, u_char *dst);
+-static int inet_pton6 (const char *src, const char *src_end, u_char *dst);
+-
+-int
+-__inet_pton_length (int af, const char *src, size_t srclen, void *dst)
+-{
+-  switch (af)
+-    {
+-    case AF_INET:
+-      return inet_pton4 (src, src + srclen, dst);
+-    case AF_INET6:
+-      return inet_pton6 (src, src + srclen, dst);
+-    default:
+-      __set_errno (EAFNOSUPPORT);
+-      return -1;
+-    }
+-}
+-libc_hidden_def (__inet_pton_length)
+ 
+ /* Like __inet_pton_length, but use strlen (SRC) as the length of
+    SRC.  */
+@@ -71,164 +45,3 @@ __inet_pton (int af, const char *src, void *dst)
+ libc_hidden_def (__inet_pton)
+ weak_alias (__inet_pton, inet_pton)
+ libc_hidden_weak (inet_pton)
+-
+-/* Like inet_aton but without all the hexadecimal, octal and shorthand
+-   (and trailing garbage is not ignored).  Return 1 if SRC is a valid
+-   dotted quad, else 0.  This function does not touch DST unless it's
+-   returning 1.
+-   Author: Paul Vixie, 1996.  */
+-static int
+-inet_pton4 (const char *src, const char *end, unsigned char *dst)
+-{
+-  int saw_digit, octets, ch;
+-  unsigned char tmp[NS_INADDRSZ], *tp;
+-
+-  saw_digit = 0;
+-  octets = 0;
+-  *(tp = tmp) = 0;
+-  while (src < end)
+-    {
+-      ch = *src++;
+-      if (ch >= '0' && ch <= '9')
+-        {
+-          unsigned int new = *tp * 10 + (ch - '0');
+-
+-          if (saw_digit && *tp == 0)
+-            return 0;
+-          if (new > 255)
+-            return 0;
+-          *tp = new;
+-          if (! saw_digit)
+-            {
+-              if (++octets > 4)
+-                return 0;
+-              saw_digit = 1;
+-            }
+-        }
+-      else if (ch == '.' && saw_digit)
+-        {
+-          if (octets == 4)
+-            return 0;
+-          *++tp = 0;
+-          saw_digit = 0;
+-        }
+-      else
+-        return 0;
+-    }
+-  if (octets < 4)
+-    return 0;
+-  memcpy (dst, tmp, NS_INADDRSZ);
+-  return 1;
+-}
+-
+-/* Return the value of CH as a hexadecimal digit, or -1 if it is a
+-   different type of character.  */
+-static int
+-hex_digit_value (char ch)
+-{
+-  if ('0' <= ch && ch <= '9')
+-    return ch - '0';
+-  if ('a' <= ch && ch <= 'f')
+-    return ch - 'a' + 10;
+-  if ('A' <= ch && ch <= 'F')
+-    return ch - 'A' + 10;
+-  return -1;
+-}
+-
+-/* Convert presentation-level IPv6 address to network order binary
+-   form.  Return 1 if SRC is a valid [RFC1884 2.2] address, else 0.
+-   This function does not touch DST unless it's returning 1.
+-   Author: Paul Vixie, 1996.  Inspired by Mark Andrews.  */
+-static int
+-inet_pton6 (const char *src, const char *src_endp, unsigned char *dst)
+-{
+-  unsigned char tmp[NS_IN6ADDRSZ], *tp, *endp, *colonp;
+-  const char *curtok;
+-  int ch;
+-  size_t xdigits_seen;	/* Number of hex digits since colon.  */
+-  unsigned int val;
+-
+-  tp = memset (tmp, '\0', NS_IN6ADDRSZ);
+-  endp = tp + NS_IN6ADDRSZ;
+-  colonp = NULL;
+-
+-  /* Leading :: requires some special handling.  */
+-  if (src == src_endp)
+-    return 0;
+-  if (*src == ':')
+-    {
+-      ++src;
+-      if (src == src_endp || *src != ':')
+-        return 0;
+-    }
+-
+-  curtok = src;
+-  xdigits_seen = 0;
+-  val = 0;
+-  while (src < src_endp)
+-    {
+-      ch = *src++;
+-      int digit = hex_digit_value (ch);
+-      if (digit >= 0)
+-	{
+-	  if (xdigits_seen == 4)
+-	    return 0;
+-	  val <<= 4;
+-	  val |= digit;
+-	  if (val > 0xffff)
+-	    return 0;
+-	  ++xdigits_seen;
+-	  continue;
+-	}
+-      if (ch == ':')
+-	{
+-	  curtok = src;
+-	  if (xdigits_seen == 0)
+-	    {
+-	      if (colonp)
+-		return 0;
+-	      colonp = tp;
+-	      continue;
+-	    }
+-	  else if (src == src_endp)
+-            return 0;
+-	  if (tp + NS_INT16SZ > endp)
+-	    return 0;
+-	  *tp++ = (unsigned char) (val >> 8) & 0xff;
+-	  *tp++ = (unsigned char) val & 0xff;
+-	  xdigits_seen = 0;
+-	  val = 0;
+-	  continue;
+-	}
+-      if (ch == '.' && ((tp + NS_INADDRSZ) <= endp)
+-          && inet_pton4 (curtok, src_endp, tp) > 0)
+-	{
+-	  tp += NS_INADDRSZ;
+-	  xdigits_seen = 0;
+-	  break;  /* '\0' was seen by inet_pton4.  */
+-	}
+-      return 0;
+-    }
+-  if (xdigits_seen > 0)
+-    {
+-      if (tp + NS_INT16SZ > endp)
+-	return 0;
+-      *tp++ = (unsigned char) (val >> 8) & 0xff;
+-      *tp++ = (unsigned char) val & 0xff;
+-    }
+-  if (colonp != NULL)
+-    {
+-      /* Replace :: with zeros.  */
+-      if (tp == endp)
+-        /* :: would expand to a zero-width field.  */
+-        return 0;
+-      size_t n = tp - colonp;
+-      memmove (endp - n, colonp, n);
+-      memset (colonp, 0, endp - n - colonp);
+-      tp = endp;
+-    }
+-  if (tp != endp)
+-    return 0;
+-  memcpy (dst, tmp, NS_IN6ADDRSZ);
+-  return 1;
+-}
+diff --git a/resolv/inet_pton_length.c b/resolv/inet_pton_length.c
+new file mode 100644
+index 0000000000000000..c3614074a47140c1
+--- /dev/null
++++ b/resolv/inet_pton_length.c
+@@ -0,0 +1,223 @@
++/* Copyright (C) 1996-2025 Free Software Foundation, Inc.
++   This file is part of the GNU C Library.
++
++   The GNU C Library is free software; you can redistribute it and/or
++   modify it under the terms of the GNU Lesser General Public
++   License as published by the Free Software Foundation; either
++   version 2.1 of the License, or (at your option) any later version.
++
++   The GNU C Library is distributed in the hope that it will be useful,
++   but WITHOUT ANY WARRANTY; without even the implied warranty of
++   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
++   Lesser General Public License for more details.
++
++   You should have received a copy of the GNU Lesser General Public
++   License along with the GNU C Library; if not, see
++   <https://www.gnu.org/licenses/>.  */
++
++/*
++ * Copyright (c) 1996,1999 by Internet Software Consortium.
++ *
++ * Permission to use, copy, modify, and distribute this software for any
++ * purpose with or without fee is hereby granted, provided that the above
++ * copyright notice and this permission notice appear in all copies.
++ *
++ * THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM DISCLAIMS
++ * ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES
++ * OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL INTERNET SOFTWARE
++ * CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL
++ * DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR
++ * PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS
++ * ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS
++ * SOFTWARE.
++ */
++
++#include <arpa/inet.h>
++#include <arpa/nameser.h>
++#include <ctype.h>
++#include <errno.h>
++#include <netinet/in.h>
++#include <resolv/resolv-internal.h>
++#include <string.h>
++#include <sys/socket.h>
++#include <sys/types.h>
++
++static int inet_pton4 (const char *src, const char *src_end, u_char *dst);
++static int inet_pton6 (const char *src, const char *src_end, u_char *dst);
++
++int
++__inet_pton_length (int af, const char *src, size_t srclen, void *dst)
++{
++  switch (af)
++    {
++    case AF_INET:
++      return inet_pton4 (src, src + srclen, dst);
++    case AF_INET6:
++      return inet_pton6 (src, src + srclen, dst);
++    default:
++      __set_errno (EAFNOSUPPORT);
++      return -1;
++    }
++}
++libc_hidden_def (__inet_pton_length)
++
++/* Like inet_aton but without all the hexadecimal, octal and shorthand
++   (and trailing garbage is not ignored).  Return 1 if SRC is a valid
++   dotted quad, else 0.  This function does not touch DST unless it's
++   returning 1.
++   Author: Paul Vixie, 1996.  */
++static int
++inet_pton4 (const char *src, const char *end, unsigned char *dst)
++{
++  int saw_digit, octets, ch;
++  unsigned char tmp[NS_INADDRSZ], *tp;
++
++  saw_digit = 0;
++  octets = 0;
++  *(tp = tmp) = 0;
++  while (src < end)
++    {
++      ch = *src++;
++      if (ch >= '0' && ch <= '9')
++        {
++          unsigned int new = *tp * 10 + (ch - '0');
++
++          if (saw_digit && *tp == 0)
++            return 0;
++          if (new > 255)
++            return 0;
++          *tp = new;
++          if (! saw_digit)
++            {
++              if (++octets > 4)
++                return 0;
++              saw_digit = 1;
++            }
++        }
++      else if (ch == '.' && saw_digit)
++        {
++          if (octets == 4)
++            return 0;
++          *++tp = 0;
++          saw_digit = 0;
++        }
++      else
++        return 0;
++    }
++  if (octets < 4)
++    return 0;
++  memcpy (dst, tmp, NS_INADDRSZ);
++  return 1;
++}
++
++/* Return the value of CH as a hexadecimal digit, or -1 if it is a
++   different type of character.  */
++static int
++hex_digit_value (char ch)
++{
++  if ('0' <= ch && ch <= '9')
++    return ch - '0';
++  if ('a' <= ch && ch <= 'f')
++    return ch - 'a' + 10;
++  if ('A' <= ch && ch <= 'F')
++    return ch - 'A' + 10;
++  return -1;
++}
++
++/* Convert presentation-level IPv6 address to network order binary
++   form.  Return 1 if SRC is a valid [RFC1884 2.2] address, else 0.
++   This function does not touch DST unless it's returning 1.
++   Author: Paul Vixie, 1996.  Inspired by Mark Andrews.  */
++static int
++inet_pton6 (const char *src, const char *src_endp, unsigned char *dst)
++{
++  unsigned char tmp[NS_IN6ADDRSZ], *tp, *endp, *colonp;
++  const char *curtok;
++  int ch;
++  size_t xdigits_seen;	/* Number of hex digits since colon.  */
++  unsigned int val;
++
++  tp = memset (tmp, '\0', NS_IN6ADDRSZ);
++  endp = tp + NS_IN6ADDRSZ;
++  colonp = NULL;
++
++  /* Leading :: requires some special handling.  */
++  if (src == src_endp)
++    return 0;
++  if (*src == ':')
++    {
++      ++src;
++      if (src == src_endp || *src != ':')
++        return 0;
++    }
++
++  curtok = src;
++  xdigits_seen = 0;
++  val = 0;
++  while (src < src_endp)
++    {
++      ch = *src++;
++      int digit = hex_digit_value (ch);
++      if (digit >= 0)
++	{
++	  if (xdigits_seen == 4)
++	    return 0;
++	  val <<= 4;
++	  val |= digit;
++	  if (val > 0xffff)
++	    return 0;
++	  ++xdigits_seen;
++	  continue;
++	}
++      if (ch == ':')
++	{
++	  curtok = src;
++	  if (xdigits_seen == 0)
++	    {
++	      if (colonp)
++		return 0;
++	      colonp = tp;
++	      continue;
++	    }
++	  else if (src == src_endp)
++            return 0;
++	  if (tp + NS_INT16SZ > endp)
++	    return 0;
++	  *tp++ = (unsigned char) (val >> 8) & 0xff;
++	  *tp++ = (unsigned char) val & 0xff;
++	  xdigits_seen = 0;
++	  val = 0;
++	  continue;
++	}
++      if (ch == '.' && ((tp + NS_INADDRSZ) <= endp)
++          && inet_pton4 (curtok, src_endp, tp) > 0)
++	{
++	  tp += NS_INADDRSZ;
++	  xdigits_seen = 0;
++	  break;  /* '\0' was seen by inet_pton4.  */
++	}
++      return 0;
++    }
++  if (xdigits_seen > 0)
++    {
++      if (tp + NS_INT16SZ > endp)
++	return 0;
++      *tp++ = (unsigned char) (val >> 8) & 0xff;
++      *tp++ = (unsigned char) val & 0xff;
++    }
++  if (colonp != NULL)
++    {
++      /* Replace :: with zeros.  */
++      if (tp == endp)
++        /* :: would expand to a zero-width field.  */
++        return 0;
++      size_t n = tp - colonp;
++      memmove (endp - n, colonp, n);
++      memset (colonp, 0, endp - n - colonp);
++      tp = endp;
++    }
++  if (tp != endp)
++    return 0;
++  memcpy (dst, tmp, NS_IN6ADDRSZ);
++  return 1;
++}

glibc-RHEL-44920-8.patch

@@ -0,0 +1,176 @@
+commit e3a6e85d67f1a48dec3e2557a83d6ce1544a58cb
+Author: Aaron Merey <amerey@redhat.com>
+Date:   Thu Mar 20 13:13:33 2025 -0400
+
+    Add _FORTIFY_SOURCE support for inet_pton
+    
+    Add function __inet_pton_chk which calls __chk_fail when the size of
+    argument dst is too small.   inet_pton is redirected to __inet_pton_chk
+    or __inet_pton_warn when _FORTIFY_SOURCE is > 0.
+    
+    Also add tests to debug/tst-fortify.c, update the abilist with
+    __inet_pton_chk and mention inet_pton fortification in maint.texi.
+    
+    Co-authored-by: Frédéric Bérat <fberat@redhat.com>
+    Reviewed-by: Florian Weimer <fweimer@redhat.com>
+
+Conflicts:
+	debug/Makefile (New routine added to static-only-routines
+	instead of routines)
+	debug/Versions (Not added in the backport)
+	manual/maint.texi (Not relevant for this version)
+	*/libc.abilist (Not added in the backport)
+	inet/bits/inet-fortified-decl.h (Replace __REDIRECT_FORTIFY_NTH
+	with __REDIRECT_NTH)
+	inet/bits/inet-fortified.h (removed attribute_overloadable and
+	clang specific handling)
+
+Note on the changes:
+- Since we can't modify the ABI, __inet_pton_chk has been added to
+  static-only-routines and `attribute_hidden` has been added to its definition.
+- __REDIRECT_FORTIFY* macros aren't available in the current version, since
+  the patch to enable foritfication on glibc itself hasn't be ported.
+- clang specific handling of foritifcation has not been ported, which means the
+  following had to be removed from the patch:
+  - use of __attribute_overloadable__
+  - use of __fortify_clang_* macros
+
+diff --git a/debug/Makefile b/debug/Makefile
+index 18be784e86bbaaab..c6ca9946d5fb5d19 100644
+--- a/debug/Makefile
++++ b/debug/Makefile
+@@ -118,6 +118,7 @@ routines  = \
+   # routines
+ static-only-routines := stack_chk_fail_local \
+   inet_ntop_chk \
++  inet_pton_chk \
+ 
+ # Don't add stack_chk_fail_local.o to libc.a since __stack_chk_fail_local
+ # is an alias of __stack_chk_fail in stack_chk_fail.o.
+diff --git a/debug/inet_pton_chk.c b/debug/inet_pton_chk.c
+new file mode 100644
+index 0000000000000000..c9e4fd4683900141
+--- /dev/null
++++ b/debug/inet_pton_chk.c
+@@ -0,0 +1,31 @@
++/* Copyright (C) 2025 Free Software Foundation, Inc.
++   This file is part of the GNU C Library.
++
++   The GNU C Library is free software; you can redistribute it and/or
++   modify it under the terms of the GNU Lesser General Public
++   License as published by the Free Software Foundation; either
++   version 2.1 of the License, or (at your option) any later version.
++
++   The GNU C Library is distributed in the hope that it will be useful,
++   but WITHOUT ANY WARRANTY; without even the implied warranty of
++   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
++   Lesser General Public License for more details.
++
++   You should have received a copy of the GNU Lesser General Public
++   License along with the GNU C Library; if not, see
++   <https://www.gnu.org/licenses/>.  */
++
++#include <arpa/inet.h>
++#include <stdio.h>
++
++attribute_hidden
++int
++__inet_pton_chk (int af, const char *src, void *dst, size_t dst_size)
++{
++  if ((af == AF_INET && dst_size < 4)
++      || (af == AF_INET6 && dst_size < 16))
++    __chk_fail ();
++
++  return inet_pton (af, src, dst);
++}
++libc_hidden_def (__inet_pton_chk)
+diff --git a/debug/tst-fortify.c b/debug/tst-fortify.c
+index 50909d0af53da10e..a87793e44ee36363 100644
+--- a/debug/tst-fortify.c
++++ b/debug/tst-fortify.c
+@@ -1783,6 +1783,30 @@ do_test (void)
+   CHK_FAIL_END
+ #endif
+ 
++  const char *ipv4str = "127.0.0.1";
++  const char *ipv6str = "::1";
++
++  if (inet_pton (AF_INET, ipv4str, (void *) &addr) != 1)
++    FAIL ();
++  if (inet_pton (AF_INET6, ipv6str, (void *) &addr6) != 1)
++    FAIL ();
++
++#if __USE_FORTIFY_LEVEL >= 1
++  char smallbuf[2];
++
++  CHK_FAIL_START
++  inet_pton (AF_INET, ipv4str, (void *) smallbuf);
++  CHK_FAIL_END
++
++  CHK_FAIL_START
++  inet_pton (AF_INET6, ipv6str, (void *) smallbuf);
++  CHK_FAIL_END
++
++  CHK_FAIL_START
++  inet_pton (AF_INET6, ipv6str, (void *) &addr);
++  CHK_FAIL_END
++#endif
++
+   return ret;
+ }
+ 
+diff --git a/include/arpa/inet.h b/include/arpa/inet.h
+index a02892f48a27454e..3db8f1a96fdbd6fd 100644
+--- a/include/arpa/inet.h
++++ b/include/arpa/inet.h
+@@ -19,6 +19,8 @@ libc_hidden_proto (__inet_ntop_chk)
+ libc_hidden_proto (inet_pton)
+ extern __typeof (inet_pton) __inet_pton;
+ libc_hidden_proto (__inet_pton)
++libc_hidden_proto (__inet_pton_chk)
++
+ extern __typeof (inet_makeaddr) __inet_makeaddr;
+ libc_hidden_proto (__inet_makeaddr)
+ libc_hidden_proto (inet_netof)
+diff --git a/inet/bits/inet-fortified-decl.h b/inet/bits/inet-fortified-decl.h
+index 229063ae7898ba2d..189d35aee8bacab1 100644
+--- a/inet/bits/inet-fortified-decl.h
++++ b/inet/bits/inet-fortified-decl.h
+@@ -32,4 +32,11 @@ extern const char *__REDIRECT_NTH (__inet_ntop_chk_warn,
+      __warnattr ("inet_ntop called with bigger length than "
+ 		 "size of destination buffer");
+ 
++extern int __inet_pton_chk (int, const char *, void *, size_t);
++
++extern int __REDIRECT_NTH (__inet_pton_alias,
++			   (int, const char *, void *), inet_pton);
++extern int __REDIRECT_NTH (__inet_pton_chk_warn,
++			   (int, const char *, void *, size_t), __inet_pton_chk)
++     __warnattr ("inet_pton called with a destination buffer size too small");
+ #endif /* bits/inet-fortified-decl.h.  */
+diff --git a/inet/bits/inet-fortified.h b/inet/bits/inet-fortified.h
+index af26f36ef6ae0533..8420a4b7fb41086f 100644
+--- a/inet/bits/inet-fortified.h
++++ b/inet/bits/inet-fortified.h
+@@ -34,4 +34,21 @@ __NTH (inet_ntop (int __af, const void * __restrict __src,
+ 			  __af, __src, __dst, __dst_size);
+ };
+ 
++__fortify_function int
++__NTH (inet_pton (int __af, const char *__restrict __src,
++		  void * __restrict __dst))
++{
++  size_t sz = 0;
++  if (__af == AF_INET)
++    sz = sizeof (struct in_addr);
++  else if (__af == AF_INET6)
++    sz = sizeof (struct in6_addr);
++  else
++    return __inet_pton_alias (__af, __src, __dst);
++
++  return __glibc_fortify (inet_pton, sz, sizeof (char),
++			  __glibc_objsize (__dst),
++			  __af, __src, __dst);
++};
++
+ #endif /* bits/inet-fortified.h.  */

glibc.spec

@@ -157,7 +157,7 @@ end \
 Summary: The GNU libc libraries
 Name: glibc
 Version: %{glibcversion}
-Release: 182%{?dist}
+Release: 183%{?dist}
 
 # In general, GPLv2+ is used by programs, LGPLv2+ is used for
 # libraries.
@@ -1158,6 +1158,14 @@ Patch850: glibc-RHEL-80538-1.patch
 Patch851: glibc-RHEL-80538-2.patch
 Patch852: glibc-RHEL-80538-3.patch
 Patch853: glibc-RHEL-80538-4.patch
+Patch854: glibc-RHEL-44920-1.patch
+Patch855: glibc-RHEL-44920-2.patch
+Patch856: glibc-RHEL-44920-3.patch
+Patch857: glibc-RHEL-44920-4.patch
+Patch858: glibc-RHEL-44920-5.patch
+Patch859: glibc-RHEL-44920-6.patch
+Patch860: glibc-RHEL-44920-7.patch
+Patch861: glibc-RHEL-44920-8.patch
 
 ##############################################################################
 # Continued list of core "glibc" package information:
@@ -3151,6 +3159,9 @@ update_gconv_modules_cache ()
 %endif
 
 %changelog
+* Mon Mar 31 2025 Frédéric Bérat <fberat@redhat.com> - 2.34-183
+- Fortify inet_ntop and inet_pton (RHEL-44920)
+
 * Thu Mar 27 2025 Arjun Shankar <arjun@redhat.com> - 2.34-182
 - Improve printf fortification against %n in writeable memory (RHEL-80538)