diff --git a/0005-libxtables-Drop-leftover-variable-in-xtables_numeric.patch b/0005-libxtables-Drop-leftover-variable-in-xtables_numeric.patch
new file mode 100644
index 0000000..1ebf6d4
--- /dev/null
+++ b/0005-libxtables-Drop-leftover-variable-in-xtables_numeric.patch
@@ -0,0 +1,33 @@
+From 5432b8f6fb2c3643bd06a965ae99d52d84b4fa10 Mon Sep 17 00:00:00 2001
+From: Phil Sutter
+Date: Fri, 13 Nov 2020 21:04:39 +0100
+Subject: [PATCH] libxtables: Drop leftover variable in
+ xtables_numeric_to_ip6addr()
+
+Variable 'err' was only used in removed debug code, so drop it as well.
+
+Fixes: 7f526c9373c17 ("libxtables: xtables: remove unnecessary debug code")
+Signed-off-by: Phil Sutter
+(cherry picked from commit 97fabae738a74bd04a7793e1199cd2b8a69122bc)
+---
+ libxtables/xtables.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/libxtables/xtables.c b/libxtables/xtables.c
+index bc42ba8221f3a..6947441fec659 100644
+--- a/libxtables/xtables.c
++++ b/libxtables/xtables.c
+@@ -1812,9 +1812,8 @@ const char *xtables_ip6mask_to_numeric(const struct in6_addr *addrp)
+ struct in6_addr *xtables_numeric_to_ip6addr(const char *num)
+ {
+ static struct in6_addr ap;
+- int err;
+
+- if ((err = inet_pton(AF_INET6, num, &ap)) == 1)
++ if (inet_pton(AF_INET6, num, &ap) == 1)
+ return ≈
+
+ return NULL;
+--
+2.31.1
+
diff --git a/0006-extensions-libebt_ip6-Drop-unused-variables.patch b/0006-extensions-libebt_ip6-Drop-unused-variables.patch
new file mode 100644
index 0000000..f32c329
--- /dev/null
+++ b/0006-extensions-libebt_ip6-Drop-unused-variables.patch
@@ -0,0 +1,49 @@
+From fb53fa061d1f67bd18845fdb8f6e13e5929cf15a Mon Sep 17 00:00:00 2001
+From: Phil Sutter
+Date: Fri, 13 Nov 2020 21:13:50 +0100
+Subject: [PATCH] extensions: libebt_ip6: Drop unused variables
+
+They are being assigned to but never read.
+
+Fixes: 5c8ce9c6aede0 ("ebtables-compat: add 'ip6' match extension")
+Signed-off-by: Phil Sutter
+(cherry picked from commit 8bb5bcae57c83066c224efa5fd29ed4822a766fc)
+---
+ extensions/libebt_ip6.c | 6 ++----
+ 1 file changed, 2 insertions(+), 4 deletions(-)
+
+diff --git a/extensions/libebt_ip6.c b/extensions/libebt_ip6.c
+index b8a5a5d8c3a92..301bed9aadefd 100644
+--- a/extensions/libebt_ip6.c
++++ b/extensions/libebt_ip6.c
+@@ -250,9 +250,8 @@ static void brip6_init(struct xt_entry_match *match)
+ static struct in6_addr *numeric_to_addr(const char *num)
+ {
+ static struct in6_addr ap;
+- int err;
+
+- if ((err=inet_pton(AF_INET6, num, &ap)) == 1)
++ if (inet_pton(AF_INET6, num, &ap) == 1)
+ return ≈
+ return (struct in6_addr *)NULL;
+ }
+@@ -292,7 +291,6 @@ static void ebt_parse_ip6_address(char *address, struct in6_addr *addr, struct i
+ char buf[256];
+ char *p;
+ int i;
+- int err;
+
+ strncpy(buf, address, sizeof(buf) - 1);
+ /* first the mask */
+@@ -309,7 +307,7 @@ static void ebt_parse_ip6_address(char *address, struct in6_addr *addr, struct i
+ if (!memcmp(msk, &in6addr_any, sizeof(in6addr_any)))
+ strcpy(buf, "::");
+
+- if ((err=inet_pton(AF_INET6, buf, addr)) < 1) {
++ if (inet_pton(AF_INET6, buf, addr) < 1) {
+ xtables_error(PARAMETER_PROBLEM, "Invalid IPv6 Address '%s' specified", buf);
+ return;
+ }
+--
+2.31.1
+
diff --git a/0007-libxtables-Fix-memleak-in-xtopt_parse_hostmask.patch b/0007-libxtables-Fix-memleak-in-xtopt_parse_hostmask.patch
new file mode 100644
index 0000000..f1a7336
--- /dev/null
+++ b/0007-libxtables-Fix-memleak-in-xtopt_parse_hostmask.patch
@@ -0,0 +1,29 @@
+From eece041510effa3359135f92714cfa4012bd8922 Mon Sep 17 00:00:00 2001
+From: Phil Sutter
+Date: Wed, 2 Jun 2021 11:04:30 +0200
+Subject: [PATCH] libxtables: Fix memleak in xtopt_parse_hostmask()
+
+The allocated hostmask duplicate needs to be freed again.
+
+Fixes: 66266abd17adc ("libxtables: XTTYPE_HOSTMASK support")
+Signed-off-by: Phil Sutter
+(cherry picked from commit ffe88f8f01263687e82ef4d3d2bdc0cb5444711e)
+---
+ libxtables/xtoptions.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/libxtables/xtoptions.c b/libxtables/xtoptions.c
+index d329f2ff7979e..0dcdf607f4678 100644
+--- a/libxtables/xtoptions.c
++++ b/libxtables/xtoptions.c
+@@ -763,6 +763,7 @@ static void xtopt_parse_hostmask(struct xt_option_call *cb)
+ cb->arg = p;
+ xtopt_parse_plenmask(cb);
+ cb->arg = orig_arg;
++ free(work);
+ }
+
+ static void xtopt_parse_ethermac(struct xt_option_call *cb)
+--
+2.31.1
+
diff --git a/0008-nft-Avoid-memleak-in-error-path-of-nft_cmd_new.patch b/0008-nft-Avoid-memleak-in-error-path-of-nft_cmd_new.patch
new file mode 100644
index 0000000..ee25117
--- /dev/null
+++ b/0008-nft-Avoid-memleak-in-error-path-of-nft_cmd_new.patch
@@ -0,0 +1,34 @@
+From c5188cd7e1b2d54a63dac25b6f84f2ab26f7b8fc Mon Sep 17 00:00:00 2001
+From: Phil Sutter
+Date: Wed, 2 Jun 2021 11:55:20 +0200
+Subject: [PATCH] nft: Avoid memleak in error path of nft_cmd_new()
+
+If rule allocation fails, free the allocated 'cmd' before returning to
+caller.
+
+Fixes: a7f1e208cdf9c ("nft: split parsing from netlink commands")
+Signed-off-by: Phil Sutter
+(cherry picked from commit eab75ed36a4f204ddab0c40ba42c5a300634d5c3)
+---
+ iptables/nft-cmd.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/iptables/nft-cmd.c b/iptables/nft-cmd.c
+index 5d33f1f00f574..9b0c964847615 100644
+--- a/iptables/nft-cmd.c
++++ b/iptables/nft-cmd.c
+@@ -35,8 +35,10 @@ struct nft_cmd *nft_cmd_new(struct nft_handle *h, int command,
+
+ if (state) {
+ rule = nft_rule_new(h, chain, table, state);
+- if (!rule)
++ if (!rule) {
++ nft_cmd_free(cmd);
+ return NULL;
++ }
+
+ cmd->obj.rule = rule;
+
+--
+2.31.1
+
diff --git a/0009-nft-Avoid-buffer-size-warnings-copying-iface-names.patch b/0009-nft-Avoid-buffer-size-warnings-copying-iface-names.patch
new file mode 100644
index 0000000..6d30b3f
--- /dev/null
+++ b/0009-nft-Avoid-buffer-size-warnings-copying-iface-names.patch
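Review bot: nft_cmd_free(cmd) is invoked here on a cmd that has not yet been linked into h->cmd_list (the `list_add_tail(&cmd->head, &h->cmd_list);` sits further down in nft_cmd_new, outside this hunk), so if nft_cmd_free unlinks cmd->head with list_del, as a list-owned object's destructor commonly does, the zeroed prev/next pointers of the fresh allocation would be dereferenced on this error path; nft_cmd_free itself is not visible in this series, so this needs confirming against it. Either make the head valid before any early exit, `INIT_LIST_HEAD(&cmd->head);` right after the allocation, or release only what is owned at this point (cmd->table and cmd->chain are already duplicated before the `if (state)` block, per the context in the later xtables_strdup patch) and free cmd directly. The allocation and the list insertion both lie outside the hunk.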
@@ -0,0 +1,56 @@
+From dda5f0d0ebbcb39f4e001335f70159121f554886 Mon Sep 17 00:00:00 2001
+From: Phil Sutter
+Date: Wed, 2 Jun 2021 11:58:06 +0200
+Subject: [PATCH] nft: Avoid buffer size warnings copying iface names
+
+The call to strncpy() is actually not needed: source buffer is only
+IFNAMSIZ bytes large and guaranteed to be null-terminated. Use this to
+avoid compiler warnings due to size parameter matching the destination
+buffer size by performing the copy using (dumb) memcpy() instead.
+
+Signed-off-by: Phil Sutter
+(cherry picked from commit 0729ab37c5d90b78dd3bc8c9addb8a1c60708eff)
+---
+ iptables/nft-ipv4.c | 4 ++--
+ iptables/nft-ipv6.c | 4 ++--
+ 2 files changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/iptables/nft-ipv4.c b/iptables/nft-ipv4.c
+index a5b835b1f681d..34f94bd8cc24a 100644
+--- a/iptables/nft-ipv4.c
++++ b/iptables/nft-ipv4.c
+@@ -348,11 +348,11 @@ static void nft_ipv4_post_parse(int command,
+ */
+ cs->fw.ip.invflags = args->invflags;
+
+- strncpy(cs->fw.ip.iniface, args->iniface, IFNAMSIZ);
++ memcpy(cs->fw.ip.iniface, args->iniface, IFNAMSIZ);
+ memcpy(cs->fw.ip.iniface_mask,
+ args->iniface_mask, IFNAMSIZ*sizeof(unsigned char));
+
+- strncpy(cs->fw.ip.outiface, args->outiface, IFNAMSIZ);
++ memcpy(cs->fw.ip.outiface, args->outiface, IFNAMSIZ);
+ memcpy(cs->fw.ip.outiface_mask,
+ args->outiface_mask, IFNAMSIZ*sizeof(unsigned char));
+
+diff --git a/iptables/nft-ipv6.c b/iptables/nft-ipv6.c
+index 46008fc5e762a..d9c9400ad7dc3 100644
+--- a/iptables/nft-ipv6.c
++++ b/iptables/nft-ipv6.c
+@@ -293,11 +293,11 @@ static void nft_ipv6_post_parse(int command, struct iptables_command_state *cs,
+ */
+ cs->fw6.ipv6.invflags = args->invflags;
+
+- strncpy(cs->fw6.ipv6.iniface, args->iniface, IFNAMSIZ);
++ memcpy(cs->fw6.ipv6.iniface, args->iniface, IFNAMSIZ);
+ memcpy(cs->fw6.ipv6.iniface_mask,
+ args->iniface_mask, IFNAMSIZ*sizeof(unsigned char));
+
+- strncpy(cs->fw6.ipv6.outiface, args->outiface, IFNAMSIZ);
++ 
memcpy(cs->fw6.ipv6.outiface, args->outiface, IFNAMSIZ);
+ memcpy(cs->fw6.ipv6.outiface_mask,
+ args->outiface_mask, IFNAMSIZ*sizeof(unsigned char));
+
+--
+2.31.1
+
diff --git a/0010-iptables-apply-Drop-unused-variable.patch b/0010-iptables-apply-Drop-unused-variable.patch
new file mode 100644
index 0000000..e28558f
--- /dev/null
+++ b/0010-iptables-apply-Drop-unused-variable.patch
@@ -0,0 +1,29 @@
+From b12c597d663462d101ea5ab114f7a499065eb9b2 Mon Sep 17 00:00:00 2001
+From: Phil Sutter
+Date: Wed, 2 Jun 2021 12:50:57 +0200
+Subject: [PATCH] iptables-apply: Drop unused variable
+
+It was assigned to but never read.
+
+Fixes: b45b4e3903414 ("iptables-apply: script and manpage update")
+Signed-off-by: Phil Sutter
+(cherry picked from commit 084671d5acaaf749648e828c2ed3b319de651764)
+---
+ iptables/iptables-apply | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/iptables/iptables-apply b/iptables/iptables-apply
+index 4683b1b402d08..3a7df5e3cbc1f 100755
+--- a/iptables/iptables-apply
++++ b/iptables/iptables-apply
+@@ -231,7 +231,6 @@ case "$MODE" in
+ "$RUNCMD" &
+ CMD_PID=$!
+ ( sleep "$TIMEOUT"; kill "$CMD_PID" 2>/dev/null; exit 0 ) &
+- CMDTIMEOUT_PID=$!
+ if ! wait "$CMD_PID"; then
+ echo "failed."
+ echo "Error: unknown error running command: $RUNCMD" >&2
+--
+2.31.1
+
diff --git a/0011-extensions-libebt_ip6-Use-xtables_ip6parse_any.patch b/0011-extensions-libebt_ip6-Use-xtables_ip6parse_any.patch
new file mode 100644
index 0000000..17c5ea6
--- /dev/null
+++ b/0011-extensions-libebt_ip6-Use-xtables_ip6parse_any.patch
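Review bot: The new memcpy() calls read exactly IFNAMSIZ bytes from args->iniface and args->outiface regardless of where the string ends, so the change is only sound while those source arrays are at least IFNAMSIZ bytes; strncpy() stopped at the terminator, memcpy() will read past a shorter buffer. The commit message asserts the sources are IFNAMSIZ bytes, but the struct behind args is not visible here, so I would pin that assumption in code next to the copies, `_Static_assert(sizeof(args->iniface) == sizeof(cs->fw.ip.iniface), "iface buffer sizes differ");`, and size the copy with `sizeof(cs->fw.ip.iniface)` rather than the bare constant so a future change to either struct fails to build instead of over-reading. The same applies to the nft-ipv6.c hunk; both nft_ipv4_post_parse and nft_ipv6_post_parse continue outside the hunk.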
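Review bot: Dropping CMDTIMEOUT_PID removes the only handle to the watchdog subshell, and nothing visible in the hunk cancels it once `wait "$CMD_PID"` returns, so the `( sleep "$TIMEOUT"; kill "$CMD_PID" 2>/dev/null; exit 0 ) &` line still fires after TIMEOUT seconds and signals a PID that may by then have been recycled for an unrelated process. If the variable really is never read elsewhere in the script, as the commit says (the rest of this case arm is outside the hunk), the better fix is to keep it and use it: `kill "$CMDTIMEOUT_PID" 2>/dev/null` right after the wait, so the timer is cancelled on the success path. If a later line already does this, a short comment on the sleep line naming where the timer is cancelled would save the next reader the same question.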
@@ -0,0 +1,109 @@
+From 4ddde566b4af111536918b17e558c7bb4531335f Mon Sep 17 00:00:00 2001
+From: Phil Sutter
+Date: Wed, 2 Jun 2021 14:04:43 +0200
+Subject: [PATCH] extensions: libebt_ip6: Use xtables_ip6parse_any()
+
+The code was almost identical and suffered from the same problem as
+fixed in commit a76a5c997a235 ("libxtables: fix two off-by-one memory
+corruption bugs").
+
+The only functional change this involves is ebt_parse_ip6_address() will
+now accept hostnames as well.
+
+Signed-off-by: Phil Sutter
+(cherry picked from commit ca840c20b7b754d36a1abe7e597fd730dea142d4)
+---
+ extensions/libebt_ip6.c | 74 ++++++-----------------------------------
+ 1 file changed, 10 insertions(+), 64 deletions(-)
+
+diff --git a/extensions/libebt_ip6.c b/extensions/libebt_ip6.c
+index 301bed9aadefd..3cc39271d4658 100644
+--- a/extensions/libebt_ip6.c
++++ b/extensions/libebt_ip6.c
+@@ -247,73 +247,19 @@ static void brip6_init(struct xt_entry_match *match)
+ memset(ipinfo->dmsk.s6_addr, 0, sizeof(ipinfo->dmsk.s6_addr));
+ }
+
+-static struct in6_addr *numeric_to_addr(const char *num)
++/* wrap xtables_ip6parse_any(), ignoring any but the first returned address */
++static void ebt_parse_ip6_address(char *address,
++ struct in6_addr *addr, struct in6_addr *msk)
+ {
+- static struct in6_addr ap;
+-
+- if (inet_pton(AF_INET6, num, &ap) == 1)
+- return ≈
+- return (struct in6_addr *)NULL;
+-}
+-
+-static struct in6_addr *parse_ip6_mask(char *mask)
+-{
+- static struct in6_addr maskaddr;
+ struct in6_addr *addrp;
+- unsigned int bits;
+-
+- if (mask == NULL) {
+- /* no mask at all defaults to 128 bits */
+- memset(&maskaddr, 0xff, sizeof maskaddr);
+- return &maskaddr;
+- }
+- if ((addrp = numeric_to_addr(mask)) != NULL)
+- return addrp;
+- if (!xtables_strtoui(mask, NULL, &bits, 0, 128))
+- xtables_error(PARAMETER_PROBLEM, "Invalid IPv6 Mask '%s' specified", mask);
+- if (bits != 0) {
+- char *p = (char *)&maskaddr;
+- memset(p, 0xff, bits / 8);
+- memset(p + (bits / 8) + 1, 0, 
(128 - bits) / 8);
+- p[bits / 8] = 0xff << (8 - (bits & 7));
+- return &maskaddr;
+- }
++ unsigned int naddrs;
+
+- memset(&maskaddr, 0, sizeof maskaddr);
+- return &maskaddr;
+-}
+-
+-/* Set the ipv6 mask and address. Callers should check ebt_errormsg[0].
+- * The string pointed to by address can be altered. */
+-static void ebt_parse_ip6_address(char *address, struct in6_addr *addr, struct in6_addr *msk)
+-{
+- struct in6_addr *tmp_addr;
+- char buf[256];
+- char *p;
+- int i;
+-
+- strncpy(buf, address, sizeof(buf) - 1);
+- /* first the mask */
+- buf[sizeof(buf) - 1] = '\0';
+- if ((p = strrchr(buf, '/')) != NULL) {
+- *p = '\0';
+- tmp_addr = parse_ip6_mask(p + 1);
+- } else
+- tmp_addr = parse_ip6_mask(NULL);
+-
+- *msk = *tmp_addr;
+-
+- /* if a null mask is given, the name is ignored, like in "any/0" */
+- if (!memcmp(msk, &in6addr_any, sizeof(in6addr_any)))
+- strcpy(buf, "::");
+-
+- if (inet_pton(AF_INET6, buf, addr) < 1) {
+- xtables_error(PARAMETER_PROBLEM, "Invalid IPv6 Address '%s' specified", buf);
+- return;
+- }
+-
+- for (i = 0; i < 4; i++)
+- addr->s6_addr32[i] &= msk->s6_addr32[i];
++ xtables_ip6parse_any(address, &addrp, msk, &naddrs);
++ if (naddrs != 1)
++ xtables_error(PARAMETER_PROBLEM,
++ "Invalid IPv6 Address '%s' specified", address);
++ memcpy(addr, addrp, sizeof(*addr));
++ free(addrp);
+ }
+
+ #define OPT_SOURCE 0x01
+--
+2.31.1
+
diff --git a/0012-libxtables-Introduce-xtables_strdup-and-use-it-every.patch b/0012-libxtables-Introduce-xtables_strdup-and-use-it-every.patch
new file mode 100644
index 0000000..70d05fe
--- /dev/null
+++ b/0012-libxtables-Introduce-xtables_strdup-and-use-it-every.patch
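Review bot: The new header comment `/* wrap xtables_ip6parse_any(), ignoring any but the first returned address */` does not match the code under it, which rejects the input with PARAMETER_PROBLEM whenever naddrs != 1 rather than taking the first address. Since ebt_parse_ip6_address now accepts hostnames (per the commit message), a name that resolves to several addresses is exactly what hits that branch, and a resolver that is unavailable at rule-load time will make the rule fail to parse, so the comment should say what actually happens: `/* wrap xtables_ip6parse_any(); address may now be a hostname, resolved once at parse time, and names resolving to more than one address are rejected */`. The new body no longer writes through address, so the parameter could become `const char *address` if xtables_ip6parse_any takes a const pointer, which I cannot confirm from here. Wh whether the parsed address is still ANDed with the mask, as the removed `addr->s6_addr32[i] &= msk->s6_addr32[i]` loop did, now depends on xtables_ip6parse_any doing it, which is also outside this series and worth a one-line comment once verified.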
@@ -0,0 +1,554 @@
+From 6648a2090e4395541e4fd6b4be077fd4c2cf20cb Mon Sep 17 00:00:00 2001
+From: Phil Sutter
+Date: Wed, 2 Jun 2021 12:56:06 +0200
+Subject: [PATCH] libxtables: Introduce xtables_strdup() and use it everywhere
+
+This wraps strdup(), checking for errors.
+
+Signed-off-by: Phil Sutter
+(cherry picked from commit 9b85e1ab3dbf0d9344562c5c76114496e3ebaa3a)
+---
+ extensions/libebt_ip.c | 3 ++-
+ extensions/libebt_ip6.c | 2 +-
+ extensions/libebt_stp.c | 3 ++-
+ extensions/libip6t_DNAT.c | 4 +---
+ extensions/libip6t_SNAT.c | 4 +---
+ extensions/libip6t_dst.c | 8 +++-----
+ extensions/libip6t_hbh.c | 7 +++----
+ extensions/libip6t_ipv6header.c | 2 +-
+ extensions/libip6t_mh.c | 2 +-
+ extensions/libip6t_rt.c | 7 +++----
+ extensions/libipt_DNAT.c | 8 ++------
+ extensions/libipt_SNAT.c | 4 +---
+ extensions/libxt_dccp.c | 2 +-
+ extensions/libxt_hashlimit.c | 5 +----
+ extensions/libxt_iprange.c | 4 +---
+ extensions/libxt_multiport.c | 6 ++----
+ extensions/libxt_sctp.c | 4 ++--
+ extensions/libxt_set.h | 4 ++--
+ extensions/libxt_tcp.c | 4 ++--
+ include/xtables.h | 1 +
+ iptables/iptables-xml.c | 4 ++--
+ iptables/nft-cache.c | 4 ++--
+ iptables/nft-cmd.c | 13 +++++++------
+ iptables/xshared.c | 2 +-
+ libxtables/xtables.c | 12 ++++++++++++
+ libxtables/xtoptions.c | 14 +++----------
+ 26 files changed, 60 insertions(+), 73 deletions(-)
+
+diff --git a/extensions/libebt_ip.c b/extensions/libebt_ip.c
+index acb9bfcdbbd9f..51649ffb3c305 100644
+--- a/extensions/libebt_ip.c
++++ b/extensions/libebt_ip.c
+@@ -175,7 +175,8 @@ parse_port_range(const char *protocol, const char *portstring, uint16_t *ports)
+ char *buffer;
+ char *cp;
+
+- buffer = strdup(portstring);
++ buffer = xtables_strdup(portstring);
++
+ if ((cp = strchr(buffer, ':')) == NULL)
+ ports[0] = ports[1] = xtables_parse_port(buffer, NULL);
+ else {
+diff --git a/extensions/libebt_ip6.c b/extensions/libebt_ip6.c
+index 3cc39271d4658..a686a285c3cb8 100644
+--- a/extensions/libebt_ip6.c
++++ 
b/extensions/libebt_ip6.c
+@@ -93,7 +93,7 @@ parse_port_range(const char *protocol, const char *portstring, uint16_t *ports)
+ char *buffer;
+ char *cp;
+
+- buffer = strdup(portstring);
++ buffer = xtables_strdup(portstring);
+ if ((cp = strchr(buffer, ':')) == NULL)
+ ports[0] = ports[1] = xtables_parse_port(buffer, NULL);
+ else {
+diff --git a/extensions/libebt_stp.c b/extensions/libebt_stp.c
+index 81ba572c33c1a..3e9e24474eb61 100644
+--- a/extensions/libebt_stp.c
++++ b/extensions/libebt_stp.c
+@@ -90,7 +90,8 @@ static int parse_range(const char *portstring, void *lower, void *upper,
+ uint32_t low_nr, upp_nr;
+ int ret = 0;
+
+- buffer = strdup(portstring);
++ buffer = xtables_strdup(portstring);
++
+ if ((cp = strchr(buffer, ':')) == NULL) {
+ low_nr = strtoul(buffer, &end, 10);
+ if (*end || low_nr < min || low_nr > max) {
+diff --git a/extensions/libip6t_DNAT.c b/extensions/libip6t_DNAT.c
+index 89c5ceb153250..f1ad81436316b 100644
+--- a/extensions/libip6t_DNAT.c
++++ b/extensions/libip6t_DNAT.c
+@@ -58,9 +58,7 @@ parse_to(const char *orig_arg, int portok, struct nf_nat_range2 *range, int rev)
+ char *arg, *start, *end = NULL, *colon = NULL, *dash, *error;
+ const struct in6_addr *ip;
+
+- arg = strdup(orig_arg);
+- if (arg == NULL)
+- xtables_error(RESOURCE_PROBLEM, "strdup");
++ arg = xtables_strdup(orig_arg);
+
+ start = strchr(arg, '[');
+ if (start == NULL) {
+diff --git a/extensions/libip6t_SNAT.c b/extensions/libip6t_SNAT.c
+index 7d74b3d76a93c..6d19614c7c708 100644
+--- a/extensions/libip6t_SNAT.c
++++ b/extensions/libip6t_SNAT.c
+@@ -52,9 +52,7 @@ parse_to(const char *orig_arg, int portok, struct nf_nat_range *range)
+ char *arg, *start, *end = NULL, *colon = NULL, *dash, *error;
+ const struct in6_addr *ip;
+
+- arg = strdup(orig_arg);
+- if (arg == NULL)
+- xtables_error(RESOURCE_PROBLEM, "strdup");
++ arg = xtables_strdup(orig_arg);
+
+ start = strchr(arg, '[');
+ if (start == NULL) {
+diff --git a/extensions/libip6t_dst.c 
b/extensions/libip6t_dst.c
+index fe7e3403468ce..bf0e3e436665d 100644
+--- a/extensions/libip6t_dst.c
++++ b/extensions/libip6t_dst.c
+@@ -57,11 +57,9 @@ parse_options(const char *optsstr, uint16_t *opts)
+ {
+ char *buffer, *cp, *next, *range;
+ unsigned int i;
+-
+- buffer = strdup(optsstr);
+- if (!buffer)
+- xtables_error(OTHER_PROBLEM, "strdup failed");
+-
++
++ buffer = xtables_strdup(optsstr);
++
+ for (cp = buffer, i = 0; cp && i < IP6T_OPTS_OPTSNR; cp = next, i++)
+ {
+ next = strchr(cp, ',');
+diff --git a/extensions/libip6t_hbh.c b/extensions/libip6t_hbh.c
+index 4cebecfd3d2f5..74e87cda7eea1 100644
+--- a/extensions/libip6t_hbh.c
++++ b/extensions/libip6t_hbh.c
+@@ -57,10 +57,9 @@ parse_options(const char *optsstr, uint16_t *opts)
+ {
+ char *buffer, *cp, *next, *range;
+ unsigned int i;
+-
+- buffer = strdup(optsstr);
+- if (!buffer) xtables_error(OTHER_PROBLEM, "strdup failed");
+-
++
++ buffer = xtables_strdup(optsstr);
++
+ for (cp=buffer, i=0; cp && ipflags[i] = 0;
+diff --git a/extensions/libxt_sctp.c b/extensions/libxt_sctp.c
+index 140de2653b1ef..59b34684cc7f7 100644
+--- a/extensions/libxt_sctp.c
++++ b/extensions/libxt_sctp.c
+@@ -69,7 +69,7 @@ parse_sctp_ports(const char *portstring,
+ char *buffer;
+ char *cp;
+
+- buffer = strdup(portstring);
++ buffer = xtables_strdup(portstring);
+ DEBUGP("%s\n", portstring);
+ if ((cp = strchr(buffer, ':')) == NULL) {
+ ports[0] = ports[1] = xtables_parse_port(buffer, "sctp");
+@@ -163,7 +163,7 @@ parse_sctp_chunk(struct xt_sctp_info *einfo,
+ int found = 0;
+ char *chunk_flags;
+
+- buffer = strdup(chunks);
++ buffer = xtables_strdup(chunks);
+ DEBUGP("Buffer: %s\n", buffer);
+
+ SCTP_CHUNKMAP_RESET(einfo->chunkmap);
+diff --git a/extensions/libxt_set.h b/extensions/libxt_set.h
+index 41dfbd30fc7c1..ad895a7504d9d 100644
+--- a/extensions/libxt_set.h
++++ b/extensions/libxt_set.h
+@@ -141,7 +141,7 @@ get_set_byname(const char *setname, struct xt_set_info *info)
+ static void
+ parse_dirs_v0(const char 
*opt_arg, struct xt_set_info_v0 *info)
+ {
+- char *saved = strdup(opt_arg);
++ char *saved = xtables_strdup(opt_arg);
+ char *ptr, *tmp = saved;
+ int i = 0;
+
+@@ -167,7 +167,7 @@ parse_dirs_v0(const char *opt_arg, struct xt_set_info_v0 *info)
+ static void
+ parse_dirs(const char *opt_arg, struct xt_set_info *info)
+ {
+- char *saved = strdup(opt_arg);
++ char *saved = xtables_strdup(opt_arg);
+ char *ptr, *tmp = saved;
+
+ while (info->dim < IPSET_DIM_MAX && tmp != NULL) {
+diff --git a/extensions/libxt_tcp.c b/extensions/libxt_tcp.c
+index 58f3c0a0c3c28..383e4db5b5e23 100644
+--- a/extensions/libxt_tcp.c
++++ b/extensions/libxt_tcp.c
+@@ -43,7 +43,7 @@ parse_tcp_ports(const char *portstring, uint16_t *ports)
+ char *buffer;
+ char *cp;
+
+- buffer = strdup(portstring);
++ buffer = xtables_strdup(portstring);
+ if ((cp = strchr(buffer, ':')) == NULL)
+ ports[0] = ports[1] = xtables_parse_port(buffer, "tcp");
+ else {
+@@ -83,7 +83,7 @@ parse_tcp_flag(const char *flags)
+ char *ptr;
+ char *buffer;
+
+- buffer = strdup(flags);
++ buffer = xtables_strdup(flags);
+
+ for (ptr = strtok(buffer, ","); ptr; ptr = strtok(NULL, ",")) {
+ unsigned int i;
+diff --git a/include/xtables.h b/include/xtables.h
+index df1eaee326643..107ad7d65e6fc 100644
+--- a/include/xtables.h
++++ b/include/xtables.h
+@@ -453,6 +453,7 @@ extern void xtables_set_nfproto(uint8_t);
+ extern void *xtables_calloc(size_t, size_t);
+ extern void *xtables_malloc(size_t);
+ extern void *xtables_realloc(void *, size_t);
++char *xtables_strdup(const char *);
+
+ extern int xtables_insmod(const char *, const char *, bool);
+ extern int xtables_load_ko(const char *, bool);
+diff --git a/iptables/iptables-xml.c b/iptables/iptables-xml.c
+index 98d03dda98d2b..6cf059fb67292 100644
+--- a/iptables/iptables-xml.c
++++ b/iptables/iptables-xml.c
+@@ -213,8 +213,8 @@ saveChain(char *chain, char *policy, struct xt_counters *ctr)
+ "%s: line %u chain name invalid\n",
+ prog_name, line);
+
+- 
chains[nextChain].chain = strdup(chain);
+- chains[nextChain].policy = strdup(policy);
++ chains[nextChain].chain = xtables_strdup(chain);
++ chains[nextChain].policy = xtables_strdup(policy);
+ chains[nextChain].count = *ctr;
+ chains[nextChain].created = 0;
+ nextChain++;
+diff --git a/iptables/nft-cache.c b/iptables/nft-cache.c
+index 6b6e6da40a826..7fd78654b280a 100644
+--- a/iptables/nft-cache.c
++++ b/iptables/nft-cache.c
+@@ -40,7 +40,7 @@ static void cache_chain_list_insert(struct list_head *list, const char *name)
+ }
+
+ new = xtables_malloc(sizeof(*new));
+- new->name = strdup(name);
++ new->name = xtables_strdup(name);
+ list_add_tail(&new->head, pos ? &pos->head : list);
+ }
+
+@@ -56,7 +56,7 @@ void nft_cache_level_set(struct nft_handle *h, int level,
+ return;
+
+ if (!req->table)
+- req->table = strdup(cmd->table);
++ req->table = xtables_strdup(cmd->table);
+ else
+ assert(!strcmp(req->table, cmd->table));
+
+diff --git a/iptables/nft-cmd.c b/iptables/nft-cmd.c
+index 9b0c964847615..8dccdd734b156 100644
+--- a/iptables/nft-cmd.c
++++ b/iptables/nft-cmd.c
+@@ -11,6 +11,7 @@
+
+ #include
+ #include
++#include
+ #include "nft.h"
+ #include "nft-cmd.h"
+
+@@ -27,9 +28,9 @@ struct nft_cmd *nft_cmd_new(struct nft_handle *h, int command,
+ return NULL;
+
+ cmd->command = command;
+- cmd->table = strdup(table);
++ cmd->table = xtables_strdup(table);
+ if (chain)
+- cmd->chain = strdup(chain);
++ cmd->chain = xtables_strdup(chain);
+ cmd->rulenum = rulenum;
+ cmd->verbose = verbose;
+
+@@ -43,7 +44,7 @@ struct nft_cmd *nft_cmd_new(struct nft_handle *h, int command,
+ cmd->obj.rule = rule;
+
+ if (!state->target && strlen(state->jumpto) > 0)
+- cmd->jumpto = strdup(state->jumpto);
++ cmd->jumpto = xtables_strdup(state->jumpto);
+ }
+
+ list_add_tail(&cmd->head, &h->cmd_list);
+@@ -238,7 +239,7 @@ int nft_cmd_chain_user_rename(struct nft_handle *h,const char *chain,
+ if (!cmd)
+ return 0;
+
+- cmd->rename = strdup(newname);
++ cmd->rename = 
xtables_strdup(newname);
+
+ nft_cache_level_set(h, NFT_CL_CHAINS, cmd);
+
+@@ -304,7 +305,7 @@ int nft_cmd_chain_set(struct nft_handle *h, const char *table,
+ if (!cmd)
+ return 0;
+
+- cmd->policy = strdup(policy);
++ cmd->policy = xtables_strdup(policy);
+ if (counters)
+ cmd->counters = *counters;
+
+@@ -389,7 +390,7 @@ int ebt_cmd_user_chain_policy(struct nft_handle *h, const char *table,
+ if (!cmd)
+ return 0;
+
+- cmd->policy = strdup(policy);
++ cmd->policy = xtables_strdup(policy);
+
+ nft_cache_level_set(h, NFT_CL_RULES, cmd);
+
+diff --git a/iptables/xshared.c b/iptables/xshared.c
+index 9a1f465a5a6d3..4027d9240215e 100644
+--- a/iptables/xshared.c
++++ b/iptables/xshared.c
+@@ -435,7 +435,7 @@ void add_argv(struct argv_store *store, const char *what, int quoted)
+ xtables_error(PARAMETER_PROBLEM,
+ "Trying to store NULL argument\n");
+
+- store->argv[store->argc] = strdup(what);
++ store->argv[store->argc] = xtables_strdup(what);
+ store->argvattr[store->argc] = quoted;
+ store->argv[++store->argc] = NULL;
+ }
+diff --git a/libxtables/xtables.c b/libxtables/xtables.c
+index 6947441fec659..1931e3896262a 100644
+--- a/libxtables/xtables.c
++++ b/libxtables/xtables.c
+@@ -368,6 +368,18 @@ void *xtables_realloc(void *ptr, size_t size)
+ return p;
+ }
+
++char *xtables_strdup(const char *s)
++{
++ char *dup = strdup(s);
++
++ if (!dup) {
++ perror("ip[6]tables: strdup failed");
++ exit(1);
++ }
++
++ return dup;
++}
++
+ static char *get_modprobe(void)
+ {
+ int procfile;
+diff --git a/libxtables/xtoptions.c b/libxtables/xtoptions.c
+index 0dcdf607f4678..9d3ac5c8066cb 100644
+--- a/libxtables/xtoptions.c
++++ b/libxtables/xtoptions.c
+@@ -604,9 +604,7 @@ static void xtopt_parse_mport(struct xt_option_call *cb)
+ unsigned int maxiter;
+ int value;
+
+- wp_arg = lo_arg = strdup(cb->arg);
+- if (lo_arg == NULL)
+- xt_params->exit_err(RESOURCE_PROBLEM, "strdup");
++ wp_arg = lo_arg = xtables_strdup(cb->arg);
+
+ maxiter = entry->size / esize;
+ if (maxiter == 
0)
+@@ -747,9 +745,7 @@ static void xtopt_parse_hostmask(struct xt_option_call *cb)
+ xtopt_parse_host(cb);
+ return;
+ }
+- work = strdup(orig_arg);
+- if (work == NULL)
+- xt_params->exit_err(PARAMETER_PROBLEM, "strdup");
++ work = xtables_strdup(orig_arg);
+ p = strchr(work, '/'); /* by def this can't be NULL now */
+ *p++ = '\0';
+ /*
+@@ -1139,11 +1135,7 @@ struct xtables_lmap *xtables_lmap_init(const char *file)
+ goto out;
+ }
+ lmap_this->id = id;
+- lmap_this->name = strdup(cur);
+- if (lmap_this->name == NULL) {
+- free(lmap_this);
+- goto out;
+- }
++ lmap_this->name = xtables_strdup(cur);
+ lmap_this->next = NULL;
+
+ if (lmap_prev != NULL)
+--
+2.31.1
+
diff --git a/0013-extensions-libxt_string-Avoid-buffer-size-warning-fo.patch b/0013-extensions-libxt_string-Avoid-buffer-size-warning-fo.patch
new file mode 100644
index 0000000..f2ee196
--- /dev/null
+++ b/0013-extensions-libxt_string-Avoid-buffer-size-warning-fo.patch
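Review bot: The xtables_lmap_init() change turns a recoverable failure into process termination: the removed lines freed lmap_this and jumped to out, handing the caller a NULL result, whereas xtables_strdup() now calls exit(1) from inside a library function, and it does so via perror()/exit() rather than through xt_params->exit_err(), which the replaced call sites in xtoptions.c used and which presumably exists so that programs embedding libxtables can install their own error handling. I would route the failure through the hook where one is installed, `if (!dup) xt_params->exit_err(RESOURCE_PROBLEM, "strdup");`, and keep the graceful goto-out path in xtables_lmap_init rather than replacing it. The declaration added to include/xtables.h also drops the `extern` and the parameter name its neighbours carry, `extern char *xtables_strdup(const char *s);`. The bodies of xtables_lmap_init, xtopt_parse_hostmask and xtopt_parse_mport continue outside the hunk.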
@@ -0,0 +1,31 @@
+From 2b659cc251cd4a6d15e2c5962bb763c8dea48e1a Mon Sep 17 00:00:00 2001
+From: Phil Sutter
+Date: Wed, 2 Jun 2021 15:15:37 +0200
+Subject: [PATCH] extensions: libxt_string: Avoid buffer size warning for
+ strncpy()
+
+If the target buffer does not need to be null-terminated, one may simply
+use memcpy() and thereby avoid any compiler warnings.
+
+Signed-off-by: Phil Sutter
+(cherry picked from commit 68ed965b35cdc7b55d4ebc0ba37c1ac078ccbafb)
+---
+ extensions/libxt_string.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/extensions/libxt_string.c b/extensions/libxt_string.c
+index 7c6366cbbf1b3..739a8e7fd66b6 100644
+--- a/extensions/libxt_string.c
++++ b/extensions/libxt_string.c
+@@ -81,7 +81,7 @@ parse_string(const char *s, struct xt_string_info *info)
+ {
+ /* xt_string does not need \0 at the end of the pattern */
+ if (strlen(s) <= XT_STRING_MAX_PATTERN_SIZE) {
+- strncpy(info->pattern, s, XT_STRING_MAX_PATTERN_SIZE);
++ memcpy(info->pattern, s, XT_STRING_MAX_PATTERN_SIZE);
+ info->patlen = strnlen(s, XT_STRING_MAX_PATTERN_SIZE);
+ return;
+ }
+--
+2.31.1
+
diff --git a/arptables-nft-helper b/arptables-nft-helper
index 7380abf..913298d 100644
--- a/arptables-nft-helper
+++ b/arptables-nft-helper
@@ -5,12 +5,12 @@ ARPTABLES_CONFIG=/etc/sysconfig/arptables
 # compat for removed initscripts dependency
 success() {
- echo -n "[ OK ]"
+ echo "[ OK ]"
 return 0
 }
 failure() {
- echo -n "[FAILED]"
+ echo "[FAILED]"
 return 1
 }
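Review bot: memcpy() now reads XT_STRING_MAX_PATTERN_SIZE bytes from s unconditionally, but the guard on the line above only guarantees strlen(s) <= XT_STRING_MAX_PATTERN_SIZE, so for any shorter pattern the copy reads past the terminating NUL of s (normally an argv string) — an out-of-bounds read that strncpy() did not have, since it stopped at the NUL and zero-filled the rest of the destination. The pattern length is already computed on the next line, so copy only that much and zero the remainder explicitly instead: `info->patlen = strnlen(s, XT_STRING_MAX_PATTERN_SIZE);` `memset(info->pattern, 0, sizeof(info->pattern));` `memcpy(info->pattern, s, info->patlen);`. That keeps the destination fully initialised, which matters because info is handed to the kernel, and silences the warning without the over-read. The tail of parse_string is outside the hunk.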
@@ -21,31 +21,28 @@ start() {
 # don't do squat if we don't have the config file
 if [ -f $ARPTABLES_CONFIG ]; then
- echo -n $"Applying arptables firewall rules: "
+ printf "Applying arptables firewall rules: "
 /usr/sbin/arptables-restore < $ARPTABLES_CONFIG && \
 success || \
 failure
- echo
 touch /var/lock/subsys/arptables
 else
 failure
- echo
- echo $"Configuration file /etc/sysconfig/arptables missing"
+ echo "Configuration file /etc/sysconfig/arptables missing"
 exit 6
 fi
 }
 stop() {
- echo -n $"Removing user defined chains:"
+ printf "Removing user defined chains: "
 arptables -X && success || failure
- echo -n $"Flushing all chains:"
+ printf "Flushing all chains: "
 arptables -F && success || failure
- echo -n $"Resetting built-in chains to the default ACCEPT policy:"
+ printf "Resetting built-in chains to the default ACCEPT policy: "
 arptables -P INPUT ACCEPT && \
 arptables -P OUTPUT ACCEPT && \
 success || \
 failure
- echo
 rm -f /var/lock/subsys/arptables
 }
diff --git a/ebtables-helper b/ebtables-helper
index f1dee08..4773a73 100644
--- a/ebtables-helper
+++ b/ebtables-helper
@@ -23,7 +23,6 @@ VAR_SUBSYS_EBTABLES=/var/lock/subsys/ebtables
 # ebtables-config defaults
 EBTABLES_SAVE_ON_STOP="no"
-EBTABLES_SAVE_ON_RESTART="no"
 EBTABLES_SAVE_COUNTER="no"
 # load config if existing
@@ -49,7 +48,7 @@ sanitize_dump() {
 local table="${line#\*}"
 local found=false
 for t in $EBTABLES_TABLES; do
- if [[ $t == $table ]]; then
+ if [[ $t == "$table" ]]; then
 found=true
 break
 fi
diff --git a/iptables.spec b/iptables.spec
index 3f1cbec..c09ffb9 100644
--- a/iptables.spec
+++ b/iptables.spec
@@ -11,7 +11,7 @@ Name: iptables
 Summary: Tools for managing Linux kernel packet filtering capabilities
 URL: https://www.netfilter.org/projects/iptables
 Version: 1.8.7
-Release: 11%{?dist}
+Release: 12%{?dist}
 Source: %{url}/files/%{name}-%{version}.tar.bz2
 Source1: iptables.init
 Source2: iptables-config
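Review bot: In start(), `touch /var/lock/subsys/arptables` runs whether or not arptables-restore succeeded: the `&& success || failure` chain reports the outcome but discards it, so a broken rules file leaves the subsystem marked as started with no ARP filtering loaded and start() still returns 0, while the missing-file branch below exits 6. `$ARPTABLES_CONFIG` is also unquoted in both the -f test and the redirection. I would make the lock file depend on the restore result and quote the path; only the rewritten lines of start() are shown below, stop() and the rest of the file being unchanged.
```shell
    if [ -f "$ARPTABLES_CONFIG" ]; then
        printf "Applying arptables firewall rules: "
        if /usr/sbin/arptables-restore < "$ARPTABLES_CONFIG"; then
            success
            touch /var/lock/subsys/arptables
        else
            failure
        fi
    # … unchanged: missing-config branch …
```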
@@ -28,6 +28,15 @@ Patch1: 0001-ebtables-Exit-gracefully-on-invalid-table-names.patch
 Patch2: 0002-xtables-translate-Fix-translation-of-odd-netmasks.patch
 Patch3: 0003-Eliminate-inet_aton-and-inet_ntoa.patch
 Patch4: 0004-nft-arp-Make-use-of-ipv4_addr_to_string.patch
+Patch5: 0005-libxtables-Drop-leftover-variable-in-xtables_numeric.patch
+Patch6: 0006-extensions-libebt_ip6-Drop-unused-variables.patch
+Patch7: 0007-libxtables-Fix-memleak-in-xtopt_parse_hostmask.patch
+Patch8: 0008-nft-Avoid-memleak-in-error-path-of-nft_cmd_new.patch
+Patch9: 0009-nft-Avoid-buffer-size-warnings-copying-iface-names.patch
+Patch10: 0010-iptables-apply-Drop-unused-variable.patch
+Patch11: 0011-extensions-libebt_ip6-Use-xtables_ip6parse_any.patch
+Patch12: 0012-libxtables-Introduce-xtables_strdup-and-use-it-every.patch
+Patch13: 0013-extensions-libxt_string-Avoid-buffer-size-warning-fo.patch
 # pf.os: ISC license
 # iptables-apply: Artistic 2.0
@@ -423,6 +432,19 @@ fi
 %changelog
+* Thu Jun 10 2021 Phil Sutter - 1.8.7-12
+- arptables-nft-helper: Remove bashisms
+- ebtables-helper: Drop unused variable, add a missing quote
+- extensions: libxt_string: Avoid buffer size warning for strncpy()
+- libxtables: Introduce xtables_strdup() and use it everywhere
+- extensions: libebt_ip6: Use xtables_ip6parse_any()
+- iptables-apply: Drop unused variable
+- nft: Avoid buffer size warnings copying iface names
+- nft: Avoid memleak in error path of nft_cmd_new()
+- libxtables: Fix memleak in xtopt_parse_hostmask()
+- extensions: libebt_ip6: Drop unused variables
+- libxtables: Drop leftover variable in xtables_numeric_to_ip6addr()
+
 * Wed May 12 2021 Phil Sutter - 1.8.7-11
 - Fix License name in spec file
 - Eliminate inet_aton() and inet_ntoa()