diff --git a/0017-libxtables-Attenuate-effects-of-functions-internal-s.patch b/0017-libxtables-Attenuate-effects-of-functions-internal-s.patch new file mode 100644 index 0000000..ac55199 --- /dev/null +++ b/0017-libxtables-Attenuate-effects-of-functions-internal-s.patch @@ -0,0 +1,100 @@ +From 12006541787f7428bb9ca2f0b539c5bf87be27d2 Mon Sep 17 00:00:00 2001 +From: Phil Sutter +Date: Mon, 23 Dec 2024 17:31:39 +0100 +Subject: [PATCH] libxtables: Attenuate effects of functions' internal static + buffers + +JIRA: https://issues.redhat.com/browse/RHEL-72027 +Upstream Status: iptables commit 8bf2bab8eb2e4f5ae2fef859ea7c877662854101 + +commit 8bf2bab8eb2e4f5ae2fef859ea7c877662854101 +Author: Phil Sutter +Date: Tue Apr 9 15:38:14 2024 +0200 + + libxtables: Attenuate effects of functions' internal static buffers + + While functions returning pointers to internal static buffers have + obvious limitations, users are likely unaware how they call each other + internally and thus won't notice unsafe use. One such case is calling + both xtables_ipaddr_to_numeric() and xtables_ipmask_to_numeric() as + parameters for a single printf() call. + + Defuse this trap by avoiding the internal calls to + xtables_ip{,6}addr_to_numeric() which is easily doable since callers + keep their own static buffers already. + + While being at it, make use of inet_ntop() everywhere and also use + INET_ADDRSTRLEN/INET6_ADDRSTRLEN defines for correct (and annotated) + static buffer sizes. + + Reported-by: Vitaly Chikunov + Signed-off-by: Phil Sutter + Reviewed-by: Vitaly Chikunov + +Signed-off-by: Phil Sutter +--- + libxtables/xtables.c | 20 +++++++++----------- + 1 file changed, 9 insertions(+), 11 deletions(-) + +diff --git a/libxtables/xtables.c b/libxtables/xtables.c +index ba9ceae..a5e31f6 100644 +--- a/libxtables/xtables.c ++++ b/libxtables/xtables.c +@@ -1505,11 +1505,9 @@ void xtables_param_act(unsigned int status, const char *p1, ...) + + const char *xtables_ipaddr_to_numeric(const struct in_addr *addrp) + { +- static char buf[16]; +- const unsigned char *bytep = (const void *)&addrp->s_addr; ++ static char buf[INET_ADDRSTRLEN]; + +- sprintf(buf, "%u.%u.%u.%u", bytep[0], bytep[1], bytep[2], bytep[3]); +- return buf; ++ return inet_ntop(AF_INET, addrp, buf, sizeof(buf)); + } + + static const char *ipaddr_to_host(const struct in_addr *addr) +@@ -1569,13 +1567,14 @@ int xtables_ipmask_to_cidr(const struct in_addr *mask) + + const char *xtables_ipmask_to_numeric(const struct in_addr *mask) + { +- static char buf[20]; ++ static char buf[INET_ADDRSTRLEN + 1]; + uint32_t cidr; + + cidr = xtables_ipmask_to_cidr(mask); + if (cidr == (unsigned int)-1) { + /* mask was not a decent combination of 1's and 0's */ +- sprintf(buf, "/%s", xtables_ipaddr_to_numeric(mask)); ++ buf[0] = '/'; ++ inet_ntop(AF_INET, mask, buf + 1, sizeof(buf) - 1); + return buf; + } else if (cidr == 32) { + /* we don't want to see "/32" */ +@@ -1855,9 +1854,8 @@ void xtables_ipparse_any(const char *name, struct in_addr **addrpp, + + const char *xtables_ip6addr_to_numeric(const struct in6_addr *addrp) + { +- /* 0000:0000:0000:0000:0000:0000:000.000.000.000 +- * 0000:0000:0000:0000:0000:0000:0000:0000 */ +- static char buf[50+1]; ++ static char buf[INET6_ADDRSTRLEN]; ++ + return inet_ntop(AF_INET6, addrp, buf, sizeof(buf)); + } + +@@ -1915,12 +1913,12 @@ int xtables_ip6mask_to_cidr(const struct in6_addr *k) + + const char *xtables_ip6mask_to_numeric(const struct in6_addr *addrp) + { +- static char buf[50+2]; ++ static char buf[INET6_ADDRSTRLEN + 1]; + int l = xtables_ip6mask_to_cidr(addrp); + + if (l == -1) { + strcpy(buf, "/"); +- strcat(buf, xtables_ip6addr_to_numeric(addrp)); ++ inet_ntop(AF_INET6, addrp, buf + 1, sizeof(buf) - 1); + return buf; + } + /* we don't want to see "/128" */ diff --git a/iptables.spec b/iptables.spec index 8737de6..7e6b0e5 100644 --- a/iptables.spec +++ b/iptables.spec @@ -1,5 +1,5 @@ %define iptables_rpmversion 1.8.10 -%define iptables_specrelease 10 +%define iptables_specrelease 11 # install init scripts to /usr/libexec with systemd %global script_path %{_libexecdir}/iptables @@ -47,6 +47,7 @@ Patch13: 0013-tests-shell-New-xtables-monitor-test.patch Patch14: 0014-xtables-monitor-Fix-for-ebtables-rule-events.patch Patch15: 0015-xtables-monitor-Ignore-ebtables-policy-rules-unless-.patch Patch16: 0016-Revert-xshared-Print-protocol-numbers-if-numeric-was.patch +Patch17: 0017-libxtables-Attenuate-effects-of-functions-internal-s.patch # pf.os: ISC license # iptables-apply: Artistic 2.0 @@ -500,6 +501,9 @@ fi %ghost %{_mandir}/man8/ebtables{,-translate}.8.gz %changelog +* Mon Dec 23 2024 Phil Sutter [1.8.10-11.el9] +- libxtables: Attenuate effects of functions' internal static buffers (Phil Sutter) [RHEL-72027] + * Sun Dec 22 2024 Phil Sutter [1.8.10-10.el9] - spec: Fix build on c9s (Phil Sutter) [RHEL-72005]