iptables-1.8.10-11.el9

* Mon Dec 23 2024 Phil Sutter <psutter@redhat.com> [1.8.10-11.el9] - libxtables: Attenuate effects of functions' internal static buffers (Phil Sutter) [RHEL-72027] Resolves: RHEL-72027
2024-12-23 17:33:28 +01:00 · 2024-12-23 17:33:28 +01:00 · 47d06c7f84
commit 47d06c7f84
parent 1ce1b2c12f
2 changed files with 105 additions and 1 deletions
--- a/0017-libxtables-Attenuate-effects-of-functions-internal-s.patch
+++ b/0017-libxtables-Attenuate-effects-of-functions-internal-s.patch
@ -0,0 +1,100 @@
+From 12006541787f7428bb9ca2f0b539c5bf87be27d2 Mon Sep 17 00:00:00 2001
+From: Phil Sutter <psutter@redhat.com>
+Date: Mon, 23 Dec 2024 17:31:39 +0100
+Subject: [PATCH] libxtables: Attenuate effects of functions' internal static
+ buffers
+
+JIRA: https://issues.redhat.com/browse/RHEL-72027
+Upstream Status: iptables commit 8bf2bab8eb2e4f5ae2fef859ea7c877662854101
+
+commit 8bf2bab8eb2e4f5ae2fef859ea7c877662854101
+Author: Phil Sutter <phil@nwl.cc>
+Date:   Tue Apr 9 15:38:14 2024 +0200
+
+    libxtables: Attenuate effects of functions' internal static buffers
+
+    While functions returning pointers to internal static buffers have
+    obvious limitations, users are likely unaware how they call each other
+    internally and thus won't notice unsafe use. One such case is calling
+    both xtables_ipaddr_to_numeric() and xtables_ipmask_to_numeric() as
+    parameters for a single printf() call.
+
+    Defuse this trap by avoiding the internal calls to
+    xtables_ip{,6}addr_to_numeric() which is easily doable since callers
+    keep their own static buffers already.
+
+    While being at it, make use of inet_ntop() everywhere and also use
+    INET_ADDRSTRLEN/INET6_ADDRSTRLEN defines for correct (and annotated)
+    static buffer sizes.
+
+    Reported-by: Vitaly Chikunov <vt@altlinux.org>
+    Signed-off-by: Phil Sutter <phil@nwl.cc>
+    Reviewed-by: Vitaly Chikunov <vt@altlinux.org>
+
+Signed-off-by: Phil Sutter <psutter@redhat.com>
+---
+ libxtables/xtables.c | 20 +++++++++-----------
+ 1 file changed, 9 insertions(+), 11 deletions(-)
+
+diff --git a/libxtables/xtables.c b/libxtables/xtables.c
+index ba9ceae..a5e31f6 100644
+--- a/libxtables/xtables.c
+++ b/libxtables/xtables.c
+@@ -1505,11 +1505,9 @@ void xtables_param_act(unsigned int status, const char *p1, ...)
+ 
+ const char *xtables_ipaddr_to_numeric(const struct in_addr *addrp)
+ {
+-	static char buf[16];
+-	const unsigned char *bytep = (const void *)&addrp->s_addr;
+	static char buf[INET_ADDRSTRLEN];
+ 
+-	sprintf(buf, "%u.%u.%u.%u", bytep[0], bytep[1], bytep[2], bytep[3]);
+-	return buf;
+	return inet_ntop(AF_INET, addrp, buf, sizeof(buf));
+ }
+ 
+ static const char *ipaddr_to_host(const struct in_addr *addr)
+@@ -1569,13 +1567,14 @@ int xtables_ipmask_to_cidr(const struct in_addr *mask)
+ 
+ const char *xtables_ipmask_to_numeric(const struct in_addr *mask)
+ {
+-	static char buf[20];
+	static char buf[INET_ADDRSTRLEN + 1];
+ 	uint32_t cidr;
+ 
+ 	cidr = xtables_ipmask_to_cidr(mask);
+ 	if (cidr == (unsigned int)-1) {
+ 		/* mask was not a decent combination of 1's and 0's */
+-		sprintf(buf, "/%s", xtables_ipaddr_to_numeric(mask));
+		buf[0] = '/';
+		inet_ntop(AF_INET, mask, buf + 1, sizeof(buf) - 1);
+ 		return buf;
+ 	} else if (cidr == 32) {
+ 		/* we don't want to see "/32" */
+@@ -1855,9 +1854,8 @@ void xtables_ipparse_any(const char *name, struct in_addr **addrpp,
+ 
+ const char *xtables_ip6addr_to_numeric(const struct in6_addr *addrp)
+ {
+-	/* 0000:0000:0000:0000:0000:0000:000.000.000.000
+-	 * 0000:0000:0000:0000:0000:0000:0000:0000 */
+-	static char buf[50+1];
+	static char buf[INET6_ADDRSTRLEN];
+
+ 	return inet_ntop(AF_INET6, addrp, buf, sizeof(buf));
+ }
+ 
+@@ -1915,12 +1913,12 @@ int xtables_ip6mask_to_cidr(const struct in6_addr *k)
+ 
+ const char *xtables_ip6mask_to_numeric(const struct in6_addr *addrp)
+ {
+-	static char buf[50+2];
+	static char buf[INET6_ADDRSTRLEN + 1];
+ 	int l = xtables_ip6mask_to_cidr(addrp);
+ 
+ 	if (l == -1) {
+ 		strcpy(buf, "/");
+-		strcat(buf, xtables_ip6addr_to_numeric(addrp));
+		inet_ntop(AF_INET6, addrp, buf + 1, sizeof(buf) - 1);
+ 		return buf;
+ 	}
+ 	/* we don't want to see "/128" */
--- a/iptables.spec
+++ b/iptables.spec
@ -1,5 +1,5 @@
 %define iptables_rpmversion 1.8.10
-%define iptables_specrelease 10
+%define iptables_specrelease 11

 # install init scripts to /usr/libexec with systemd
 %global script_path %{_libexecdir}/iptables
@ -47,6 +47,7 @@ Patch13:            0013-tests-shell-New-xtables-monitor-test.patch
 Patch14:            0014-xtables-monitor-Fix-for-ebtables-rule-events.patch
 Patch15:            0015-xtables-monitor-Ignore-ebtables-policy-rules-unless-.patch
 Patch16:            0016-Revert-xshared-Print-protocol-numbers-if-numeric-was.patch
+Patch17:            0017-libxtables-Attenuate-effects-of-functions-internal-s.patch

 # pf.os: ISC license
 # iptables-apply: Artistic 2.0
@ -500,6 +501,9 @@ fi
 %ghost %{_mandir}/man8/ebtables{,-translate}.8.gz

 %changelog
+* Mon Dec 23 2024 Phil Sutter <psutter@redhat.com> [1.8.10-11.el9]
+- libxtables: Attenuate effects of functions' internal static buffers (Phil Sutter) [RHEL-72027]
+
 * Sun Dec 22 2024 Phil Sutter <psutter@redhat.com> [1.8.10-10.el9]
 - spec: Fix build on c9s (Phil Sutter) [RHEL-72005]