rpms/iptables
7
0
Fork 0
Code Issues Pull Requests Releases Activity

iptables-1.8.10-11.el9

Browse Source 
* Mon Dec 23 2024 Phil Sutter <psutter@redhat.com> [1.8.10-11.el9]
- libxtables: Attenuate effects of functions' internal static buffers (Phil Sutter) [RHEL-72027]
Resolves: RHEL-72027
This commit is contained in:
Phil Sutter 2024-12-23 17:33:28 +01:00
parent 1ce1b2c12f
commit 47d06c7f84
2 changed files with 105 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

100
0017-libxtables-Attenuate-effects-of-functions-internal-s.patch Normal file
View File

@ -0,0 +1,100 @@
From 12006541787f7428bb9ca2f0b539c5bf87be27d2 Mon Sep 17 00:00:00 2001
From: Phil Sutter <psutter@redhat.com>
Date: Mon, 23 Dec 2024 17:31:39 +0100
Subject: [PATCH] libxtables: Attenuate effects of functions' internal static
buffers
JIRA: https://issues.redhat.com/browse/RHEL-72027
Upstream Status: iptables commit 8bf2bab8eb2e4f5ae2fef859ea7c877662854101
commit 8bf2bab8eb2e4f5ae2fef859ea7c877662854101
Author: Phil Sutter <phil@nwl.cc>
Date: Tue Apr 9 15:38:14 2024 +0200
libxtables: Attenuate effects of functions' internal static buffers
While functions returning pointers to internal static buffers have
obvious limitations, users are likely unaware how they call each other
internally and thus won't notice unsafe use. One such case is calling
both xtables_ipaddr_to_numeric() and xtables_ipmask_to_numeric() as
parameters for a single printf() call.
Defuse this trap by avoiding the internal calls to
xtables_ip{,6}addr_to_numeric() which is easily doable since callers
keep their own static buffers already.
While being at it, make use of inet_ntop() everywhere and also use
INET_ADDRSTRLEN/INET6_ADDRSTRLEN defines for correct (and annotated)
static buffer sizes.
Reported-by: Vitaly Chikunov <vt@altlinux.org>
Signed-off-by: Phil Sutter <phil@nwl.cc>
Reviewed-by: Vitaly Chikunov <vt@altlinux.org>
Signed-off-by: Phil Sutter <psutter@redhat.com>
---
libxtables/xtables.c | 20 +++++++++-----------
1 file changed, 9 insertions(+), 11 deletions(-)
diff --git a/libxtables/xtables.c b/libxtables/xtables.c
index ba9ceae..a5e31f6 100644
--- a/libxtables/xtables.c
+++ b/libxtables/xtables.c
@@ -1505,11 +1505,9 @@ void xtables_param_act(unsigned int status, const char *p1, ...)
const char *xtables_ipaddr_to_numeric(const struct in_addr *addrp)
{
- static char buf[16];
- const unsigned char *bytep = (const void *)&addrp->s_addr;
+ static char buf[INET_ADDRSTRLEN];
- sprintf(buf, "%u.%u.%u.%u", bytep[0], bytep[1], bytep[2], bytep[3]);
- return buf;
+ return inet_ntop(AF_INET, addrp, buf, sizeof(buf));
}
static const char *ipaddr_to_host(const struct in_addr *addr)
@@ -1569,13 +1567,14 @@ int xtables_ipmask_to_cidr(const struct in_addr *mask)
const char *xtables_ipmask_to_numeric(const struct in_addr *mask)
{
- static char buf[20];
+ static char buf[INET_ADDRSTRLEN + 1];
uint32_t cidr;
cidr = xtables_ipmask_to_cidr(mask);
if (cidr == (unsigned int)-1) {
/* mask was not a decent combination of 1's and 0's */
- sprintf(buf, "/%s", xtables_ipaddr_to_numeric(mask));
+ buf[0] = '/';
+ inet_ntop(AF_INET, mask, buf + 1, sizeof(buf) - 1);
return buf;
} else if (cidr == 32) {
/* we don't want to see "/32" */
@@ -1855,9 +1854,8 @@ void xtables_ipparse_any(const char *name, struct in_addr **addrpp,
const char *xtables_ip6addr_to_numeric(const struct in6_addr *addrp)
{
- /* 0000:0000:0000:0000:0000:0000:000.000.000.000
- * 0000:0000:0000:0000:0000:0000:0000:0000 */
- static char buf[50+1];
+ static char buf[INET6_ADDRSTRLEN];
+
return inet_ntop(AF_INET6, addrp, buf, sizeof(buf));
}
@@ -1915,12 +1913,12 @@ int xtables_ip6mask_to_cidr(const struct in6_addr *k)
const char *xtables_ip6mask_to_numeric(const struct in6_addr *addrp)
{
- static char buf[50+2];
+ static char buf[INET6_ADDRSTRLEN + 1];
int l = xtables_ip6mask_to_cidr(addrp);
if (l == -1) {
strcpy(buf, "/");
- strcat(buf, xtables_ip6addr_to_numeric(addrp));
+ inet_ntop(AF_INET6, addrp, buf + 1, sizeof(buf) - 1);
return buf;
}
/* we don't want to see "/128" */

6
iptables.spec
View File

@ -1,5 +1,5 @@
%define iptables_rpmversion 1.8.10 %define iptables_rpmversion 1.8.10
%define iptables_specrelease 10 %define iptables_specrelease 11
# install init scripts to /usr/libexec with systemd # install init scripts to /usr/libexec with systemd
%global script_path %{_libexecdir}/iptables %global script_path %{_libexecdir}/iptables
@ -47,6 +47,7 @@ Patch13: 0013-tests-shell-New-xtables-monitor-test.patch
Patch14: 0014-xtables-monitor-Fix-for-ebtables-rule-events.patch Patch14: 0014-xtables-monitor-Fix-for-ebtables-rule-events.patch
Patch15: 0015-xtables-monitor-Ignore-ebtables-policy-rules-unless-.patch Patch15: 0015-xtables-monitor-Ignore-ebtables-policy-rules-unless-.patch
Patch16: 0016-Revert-xshared-Print-protocol-numbers-if-numeric-was.patch Patch16: 0016-Revert-xshared-Print-protocol-numbers-if-numeric-was.patch
Patch17: 0017-libxtables-Attenuate-effects-of-functions-internal-s.patch
# pf.os: ISC license # pf.os: ISC license
# iptables-apply: Artistic 2.0 # iptables-apply: Artistic 2.0
@ -500,6 +501,9 @@ fi
%ghost %{_mandir}/man8/ebtables{,-translate}.8.gz %ghost %{_mandir}/man8/ebtables{,-translate}.8.gz
%changelog %changelog
* Mon Dec 23 2024 Phil Sutter <psutter@redhat.com> [1.8.10-11.el9]
- libxtables: Attenuate effects of functions' internal static buffers (Phil Sutter) [RHEL-72027]
* Sun Dec 22 2024 Phil Sutter <psutter@redhat.com> [1.8.10-10.el9] * Sun Dec 22 2024 Phil Sutter <psutter@redhat.com> [1.8.10-10.el9]
- spec: Fix build on c9s (Phil Sutter) [RHEL-72005] - spec: Fix build on c9s (Phil Sutter) [RHEL-72005]