From 6576cc81da2e0c0c688e19635e87b76e7b4f7524 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Marcela=20Ma=C5=A1l=C3=A1=C5=88ov=C3=A1?=
Date: Mon, 12 Jan 2009 10:04:48 +0000
Subject: [PATCH] =?UTF-8?q?-=20475130=20-=20Negative=20preferred=20lifetim?= =?UTF-8?q?es=20of=20IPv6=20prefixes/addresses=20=20=20=20=20displayed=20i?= =?UTF-8?q?ncorrectly=20-=20472878=20-=20=E2=80=9Cip=20maddr=20show?= =?UTF-8?q?=E2=80=9D=20in=20IB=20interface=20causes=20a=20stack=20corrupti?= =?UTF-8?q?on=20-=20both=20patches=20will=20be=20probably=20in=20iproute?= =?UTF-8?q?=20v2.6.28?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 ip-maddr-show.patch | 87 +++++++++++++++++++++++++++++++++++++++++++
 iproute.spec | 12 +++++-
 prefix-assigned.patch | 67 +++++++++++++++++++++++++++++++++
 3 files changed, 165 insertions(+), 1 deletion(-)
 create mode 100644 ip-maddr-show.patch
 create mode 100644 prefix-assigned.patch
diff --git a/ip-maddr-show.patch b/ip-maddr-show.patch
new file mode 100644
index 0000000..c83dbd5
--- /dev/null
+++ b/ip-maddr-show.patch
@@ -0,0 +1,87 @@
+From 7f71c0cae2db61890474e04ba3a26e40219e5561 Mon Sep 17 00:00:00 2001
+From: Olivier Fourdan
+Date: Tue, 25 Nov 2008 12:36:22 +0000
+Subject: [PATCH] =?utf-8?q?ip=20maddr=20show=E2=80=9D=20on=20an=20infiniband=20address=20causes=20a=20stack=20corruption?=
+MIME-Version: 1.0
+Content-Type: text/plain; charset=utf-8
+Content-Transfer-Encoding: 8bit
+
+“ip maddr show” on an infiniband address causes a stack corruption
+because the length of the address for Infiniband (20 bytes, as
+described in kernel doc Documentation/infiniband/ipoib.txt) does not
+fit on the 16 bytes of the field in which it gets stored.
+
+The proposed patch increases the size of the hardware address from 4
+__u32 to 8 and also adds a check to avoid overriding the available
+size while parsing the hardware address.
+
+This bug affects current upstream code AFAICT.
+
+Hope this helps,
+Cheers,
+Olivier.
+
+“ip maddr show ib0” causes a stack corruption because the length of the address
+for Infiniband (20 see kernel doc Documentation/infiniband/ipoib.txt) does not
+fit on the 16 bytes of the field in which it gets stored.
+
+The proposed patch increases the size of the hardware address from 4 u32 to 8
+and adds a check to avoid overriding the available size while parsing the
+hardware address.
+---
+ include/utils.h | 2 +-
+ ip/ipmaddr.c | 8 ++++----
+ 2 files changed, 5 insertions(+), 5 deletions(-)
+
+diff --git iproute-2.6.27/iproute2-2.6.27/include/utils.h iproute-2.6.27/iproute2-2.6.27/include/utils.h
+index 5daed6b..f7ef939 100644
+--- iproute-2.6.27/iproute2-2.6.27/include/utils.h
++++ iproute-2.6.27/iproute2-2.6.27/include/utils.h
+@@ -46,7 +46,7 @@ typedef struct
+ __u8 bytelen;
+ __s16 bitlen;
+ __u32 flags;
+- __u32 data[4];
++ __u32 data[8];
+ } inet_prefix;
+
+ #define PREFIXLEN_SPECIFIED 1
+diff --git iproute-2.6.27/iproute2-2.6.27/ip/ipmaddr.c iproute-2.6.27/iproute2-2.6.27/ip/ipmaddr.c
+index 1014f83..44ffdfc 100644
+--- iproute-2.6.27/iproute2-2.6.27/ip/ipmaddr.c
++++ iproute-2.6.27/iproute2-2.6.27/ip/ipmaddr.c
+@@ -43,11 +43,11 @@ static void usage(void)
+ exit(-1);
+ }
+
+-static int parse_hex(char *str, unsigned char *addr)
++static int parse_hex(char *str, unsigned char *addr, size_t size)
+ {
+ int len=0;
+
+- while (*str) {
++ while (*str && (len < 2 * size)) {
+ int tmp;
+ if (str[1] == 0)
+ return -1;
+@@ -104,7 +104,7 @@ void read_dev_mcast(struct ma_info **result_p)
+
+ m.addr.family = AF_PACKET;
+
+- len = parse_hex(hexa, (unsigned char*)&m.addr.data);
++ len = parse_hex(hexa, (unsigned char*)&m.addr.data, sizeof (m.addr.data));
+ if (len >= 0) {
+ struct ma_info *ma = malloc(sizeof(m));
+
+@@ -176,7 +176,7 @@ void read_igmp6(struct ma_info **result_p)
+
+ m.addr.family = AF_INET6;
+
+- len = parse_hex(hexa, (unsigned char*)&m.addr.data);
++ len = parse_hex(hexa, (unsigned char*)&m.addr.data, sizeof (m.addr.data));
+ if (len >= 0) {
+ struct ma_info *ma = malloc(sizeof(m));
+
+--
+1.6.0.6
+
diff --git a/iproute.spec b/iproute.spec
index 5ccc475..ca05d11 100644
--- a/iproute.spec
+++ b/iproute.spec
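Review bot: In the ip/ipmaddr.c hunk at -43,11 of ip-maddr-show.patch, the new loop bound `len < 2 * size` looks twice too large if `len` counts bytes stored through `addr`; the hunk does not show this, because the rest of parse_hex's body is outside it. Both callers pass `sizeof (m.addr.data)`, a size in bytes, so under that reading the loop may still store up to `2 * size` bytes into a `size`-byte field, and the guard should be `while (*str && (size_t)len < size) {`. When the bound is reached with input still left, the function would also be safer returning -1, so that an over-long address is rejected rather than silently truncated and accepted.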
@@ -4,7 +4,7 @@ Summary: Advanced IP routing and network device configuration tools Name: iproute Version: 2.6.27 -Release: 1%{?dist} +Release: 2%{?dist} Group: Applications/System Source: http://developer.osdl.org/dev/iproute2/download/iproute2-%{version}.tar.gz #Source1: iproute-doc-2.6.22.tar.gz @@ -13,6 +13,8 @@ Patch1: iproute2-2.6.9-kernel.patch Patch2: iproute2-ss050901-opt_flags.patch Patch3: iproute-ip-man.patch Patch4: iproute2-2.6.25-segfault.patch +Patch5: prefix-assigned.patch +Patch6: ip-maddr-show.patch License: GPLv2+ BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) @@ -30,6 +32,8 @@ capabilities of the Linux 2.4.x and 2.6.x kernel. %patch2 -p1 -b .opt_flags %patch3 -p1 %patch4 -p1 -b .seg +%patch5 -p1 -b .prefix +%patch6 -p1 -b .maddr %build export LIBDIR=%{_libdir} @@ -105,6 +109,12 @@ EOF %config(noreplace) %{_sysconfdir}/sysconfig/cbq/* %changelog +* Mon Jan 12 2009 Marcela Mašláňová - 2.6.27-2 +- 475130 - Negative preferred lifetimes of IPv6 prefixes/addresses + displayed incorrectly +- 472878 - “ip maddr show” in IB interface causes a stack corruption +- both patches will be probably in iproute v2.6.28 + * Thu Dec 4 2008 Marcela Maslanova - 2.6.27-1 - aead support was included into upstream version - patch for moving libs is now deprecated diff --git a/prefix-assigned.patch b/prefix-assigned.patch new file mode 100644 index 0000000..37be5eb --- /dev/null +++ b/prefix-assigned.patch 
@@ -0,0 +1,67 @@
+From 037d950bceed6d5053758dea601e0d018f5f22d7 Mon Sep 17 00:00:00 2001
+From: Benedikt Gollatz
+Date: Tue, 6 Jan 2009 19:36:56 -0800
+Subject: [PATCH] When the preferred lifetime of a prefix assigned by IPv6 autoconfiguration
+ (router solicitation) becomes negative
+
+How reproducible:
+
+Always.
+
+Steps to Reproduce:
+1. Configure an IPv6 router to advertise a prefix with a short preferred
+lifetime, e.g. 0.
+2. Wait for the IPv6 autoconfiguration process to complete for an interface
+ connected to a link where that router advertises.
+3. Run ip -6 show dev .
+
+Actual results:
+
+The preferred lifetime will have become negative, but it is printed as an
+unsigned integer. The preferred lifetime to be displayed will therefore be
+close to UINT_MAX.
+---
+ ip/ipaddress.c | 13 ++++++++++---
+ 1 files changed, 10 insertions(+), 3 deletions(-)
+
+diff --git iproute-2.6.27/iproute2-2.6.27/ip/ipaddress.c iproute-2.6.27/iproute2-2.6.27/ip/ipaddress.c
+index 51471e8..a732d80 100644
+--- iproute-2.6.27/iproute2-2.6.27/ip/ipaddress.c
++++ iproute-2.6.27/iproute2-2.6.27/ip/ipaddress.c
+@@ -359,6 +359,7 @@ int print_addrinfo(const struct sockaddr_nl *who, struct nlmsghdr *n,
+ FILE *fp = (FILE*)arg;
+ struct ifaddrmsg *ifa = NLMSG_DATA(n);
+ int len = n->nlmsg_len;
++ int deprecated = 0;
+ struct rtattr * rta_tb[IFA_MAX+1];
+ char abuf[256];
+ SPRINT_BUF(b1);
+@@ -488,6 +489,7 @@ int print_addrinfo(const struct sockaddr_nl *who, struct nlmsghdr *n,
+ }
+ if (ifa->ifa_flags&IFA_F_DEPRECATED) {
+ ifa->ifa_flags &= ~IFA_F_DEPRECATED;
++ deprecated = 1;
+ fprintf(fp, "deprecated ");
+ }
+ if (ifa->ifa_flags&IFA_F_HOMEADDRESS) {
+@@ -516,9 +518,14 @@ int print_addrinfo(const struct sockaddr_nl *who, struct nlmsghdr *n,
+ sprintf(buf, "valid_lft %usec", ci->ifa_valid);
+ if (ci->ifa_prefered == INFINITY_LIFE_TIME)
+ sprintf(buf+strlen(buf), " preferred_lft forever");
+- else
+- sprintf(buf+strlen(buf), " preferred_lft %usec",
+- ci->ifa_prefered);
++ else {
++ if (deprecated)
++ sprintf(buf+strlen(buf), " preferred_lft %dsec",
++ ci->ifa_prefered);
++ else
++ sprintf(buf+strlen(buf), " preferred_lft %usec",
++ ci->ifa_prefered);
++ }
+ fprintf(fp, " %s", buf);
+ }
+ fprintf(fp, "\n");
+--
+1.6.0.6
+
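Review bot: In the ip/ipaddress.c hunk at -516,9 of prefix-assigned.patch, the new `%dsec` branch passes `ci->ifa_prefered` unchanged to a signed conversion, although the neighbouring `%usec` branch treats the same field as unsigned, so the argument type presumably no longer matches the format. An explicit cast makes the reinterpretation deliberate and keeps format checking clean: `sprintf(buf+strlen(buf), " preferred_lft %dsec", (int)ci->ifa_prefered);`. The appends also remain unbounded `sprintf` calls; `buf` is declared outside the hunk, so its size cannot be checked here, but `snprintf` with the remaining space would be the safer form. print_addrinfo's body starts and ends outside the hunks.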