import libnetfilter_cthelper-1.0.0-15.el8

This commit is contained in:
CentOS Sources 2020-01-21 16:31:53 -05:00 committed by Stepan Oksanichenko
parent db9cfb7591
commit 5eaa6787f5
10 changed files with 800 additions and 2 deletions

View File

@ -0,0 +1,31 @@
From a6dbba81630db3f647d341c80c9ffa69f80eb869 Mon Sep 17 00:00:00 2001
From: Jan Engelhardt <jengelh@inai.de>
Date: Mon, 8 Oct 2012 14:54:27 +0200
Subject: [PATCH] build: resolve automake-1.12 warnings
/usr/share/automake-1.12/am/ltlibrary.am: warning:
'libnetfilter_cthelper.la': linking libtool libraries using a non-POSIX
archiver requires 'AM_PROG_AR' in 'configure.ac'
Signed-off-by: Jan Engelhardt <jengelh@inai.de>
(cherry picked from commit af9ae9053e35f2861b9fcdf175500bdce42e597d)
Signed-off-by: Phil Sutter <psutter@redhat.com>
---
configure.ac | 1 +
1 file changed, 1 insertion(+)
diff --git a/configure.ac b/configure.ac
index d9b0118ef0332..d52b1ce3841c2 100644
--- a/configure.ac
+++ b/configure.ac
@@ -8,6 +8,7 @@ AC_CONFIG_HEADERS([config.h])
AM_INIT_AUTOMAKE([-Wall foreign tar-pax no-dist-gzip dist-bzip2
1.6 subdir-objects])
+m4_ifdef([AM_PROG_AR], [AM_PROG_AR])
dnl kernel style compile messages
m4_ifdef([AM_SILENT_RULES], [AM_SILENT_RULES([yes])])
--
2.23.0

View File

@ -0,0 +1,40 @@
From 490757aa64308c49611ae50e75470d9fd87ec6d2 Mon Sep 17 00:00:00 2001
From: Jan Engelhardt <jengelh@inai.de>
Date: Mon, 8 Oct 2012 14:55:39 +0200
Subject: [PATCH] Update .gitignore
Signed-off-by: Jan Engelhardt <jengelh@inai.de>
(cherry picked from commit c9753bf8e2bcc6510ca88133eaa79da1d9616550)
Signed-off-by: Phil Sutter <psutter@redhat.com>
---
.gitignore | 18 ++++++++++++++++++
1 file changed, 18 insertions(+)
create mode 100644 .gitignore
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000000000..a83525b35be2b
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,18 @@
+.deps/
+.libs/
+Makefile
+Makefile.in
+*.o
+*.la
+*.lo
+
+/aclocal.m4
+/autom4te.cache/
+/build-aux/
+/config.*
+/configure
+/libtool
+
+/doxygen.cfg
+/*.pc
+/stamp-h1
--
2.23.0

View File

@ -0,0 +1,29 @@
From c69ddc73c814ecc2f9c68c68a0effb8bf7d6725b Mon Sep 17 00:00:00 2001
From: Gustavo Zacarias <gustavo@zacarias.com.ar>
Date: Tue, 10 Sep 2013 16:23:32 -0300
Subject: [PATCH] configure: uclinux is also linux
Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
(cherry picked from commit 0c52422eb236b16bc663a7f22df3e30fb9c8bf71)
Signed-off-by: Phil Sutter <psutter@redhat.com>
---
configure.ac | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/configure.ac b/configure.ac
index d52b1ce3841c2..9389b70ebb4de 100644
--- a/configure.ac
+++ b/configure.ac
@@ -22,7 +22,7 @@ AC_DISABLE_STATIC
LT_INIT
CHECK_GCC_FVISIBILITY
case "$host" in
-*-*-linux*) ;;
+*-*-linux* | *-*-uclinux*) ;;
*) AC_MSG_ERROR([Linux only, dude!]);;
esac
--
2.23.0

View File

@ -0,0 +1,35 @@
From 9fe9ae5010f159539b4fc51890b9f218422ee8d8 Mon Sep 17 00:00:00 2001
From: Christopher Horler <cshorler@googlemail.com>
Date: Mon, 8 Dec 2014 20:04:31 +0000
Subject: [PATCH] src: fix use after free
Fixes: https://bugzilla.netfilter.org/show_bug.cgi?id=990
Signed-off-by: Christopher Horler <cshorler@googlemail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
(cherry picked from commit d48012fa7718195e3f897b01a36e4ba249aa6dfc)
Signed-off-by: Phil Sutter <psutter@redhat.com>
---
src/libnetfilter_cthelper.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/libnetfilter_cthelper.c b/src/libnetfilter_cthelper.c
index 297887040b20c..f8f58e6c9c5e8 100644
--- a/src/libnetfilter_cthelper.c
+++ b/src/libnetfilter_cthelper.c
@@ -113,11 +113,11 @@ void nfct_helper_free(struct nfct_helper *h)
{
int i;
- free(h);
for (i=0; i<NF_CT_HELPER_CLASS_MAX; i++) {
if (h->expect_policy[i])
free(h->expect_policy[i]);
}
+ free(h);
}
EXPORT_SYMBOL(nfct_helper_free);
--
2.23.0

View File

@ -0,0 +1,85 @@
From 68637125ac6842f20ac3898c0d0d252be882a017 Mon Sep 17 00:00:00 2001
From: Felix Janda <felix.janda@posteo.de>
Date: Sat, 16 May 2015 13:35:14 +0200
Subject: [PATCH] include: Sync with kernel headers
Signed-off-by: Felix Janda <felix.janda@posteo.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
(cherry picked from commit 7d55aff4686a5910f84b9045c98d6f01e1daa297)
Signed-off-by: Phil Sutter <psutter@redhat.com>
---
include/linux/netfilter/nfnetlink.h | 52 ++++++-----------------------
1 file changed, 11 insertions(+), 41 deletions(-)
diff --git a/include/linux/netfilter/nfnetlink.h b/include/linux/netfilter/nfnetlink.h
index f1b546e85d590..c755646752011 100644
--- a/include/linux/netfilter/nfnetlink.h
+++ b/include/linux/netfilter/nfnetlink.h
@@ -18,6 +18,10 @@ enum nfnetlink_groups {
#define NFNLGRP_CONNTRACK_EXP_UPDATE NFNLGRP_CONNTRACK_EXP_UPDATE
NFNLGRP_CONNTRACK_EXP_DESTROY,
#define NFNLGRP_CONNTRACK_EXP_DESTROY NFNLGRP_CONNTRACK_EXP_DESTROY
+ NFNLGRP_NFTABLES,
+#define NFNLGRP_NFTABLES NFNLGRP_NFTABLES
+ NFNLGRP_ACCT_QUOTA,
+#define NFNLGRP_ACCT_QUOTA NFNLGRP_ACCT_QUOTA
__NFNLGRP_MAX,
};
#define NFNLGRP_MAX (__NFNLGRP_MAX - 1)
@@ -51,46 +55,12 @@ struct nfgenmsg {
#define NFNL_SUBSYS_ACCT 7
#define NFNL_SUBSYS_CTNETLINK_TIMEOUT 8
#define NFNL_SUBSYS_CTHELPER 9
-#define NFNL_SUBSYS_COUNT 10
+#define NFNL_SUBSYS_NFTABLES 10
+#define NFNL_SUBSYS_NFT_COMPAT 11
+#define NFNL_SUBSYS_COUNT 12
-#ifdef __KERNEL__
+/* Reserved control nfnetlink messages */
+#define NFNL_MSG_BATCH_BEGIN NLMSG_MIN_TYPE
+#define NFNL_MSG_BATCH_END NLMSG_MIN_TYPE+1
-#include <linux/netlink.h>
-#include <linux/capability.h>
-#include <net/netlink.h>
-
-struct nfnl_callback {
- int (*call)(struct sock *nl, struct sk_buff *skb,
- const struct nlmsghdr *nlh,
- const struct nlattr * const cda[]);
- int (*call_rcu)(struct sock *nl, struct sk_buff *skb,
- const struct nlmsghdr *nlh,
- const struct nlattr * const cda[]);
- const struct nla_policy *policy; /* netlink attribute policy */
- const u_int16_t attr_count; /* number of nlattr's */
-};
-
-struct nfnetlink_subsystem {
- const char *name;
- __u8 subsys_id; /* nfnetlink subsystem ID */
- __u8 cb_count; /* number of callbacks */
- const struct nfnl_callback *cb; /* callback for individual types */
-};
-
-extern int nfnetlink_subsys_register(const struct nfnetlink_subsystem *n);
-extern int nfnetlink_subsys_unregister(const struct nfnetlink_subsystem *n);
-
-extern int nfnetlink_has_listeners(struct net *net, unsigned int group);
-extern int nfnetlink_send(struct sk_buff *skb, struct net *net, u32 pid, unsigned group,
- int echo, gfp_t flags);
-extern int nfnetlink_set_err(struct net *net, u32 pid, u32 group, int error);
-extern int nfnetlink_unicast(struct sk_buff *skb, struct net *net, u_int32_t pid, int flags);
-
-extern void nfnl_lock(void);
-extern void nfnl_unlock(void);
-
-#define MODULE_ALIAS_NFNL_SUBSYS(subsys) \
- MODULE_ALIAS("nfnetlink-subsys-" __stringify(subsys))
-
-#endif /* __KERNEL__ */
-#endif /* _NFNETLINK_H */
+#endif /* _NFNETLINK_H */
--
2.23.0

View File

@ -0,0 +1,387 @@
From 06e046b30fe8d849c9e3425543661310c06797c7 Mon Sep 17 00:00:00 2001
From: Kevin Cernekee <cernekee@chromium.org>
Date: Wed, 4 Jan 2017 14:30:26 -0800
Subject: [PATCH] Use __EXPORTED rather than EXPORT_SYMBOL
clang is sensitive to the ordering of
__attribute__((visibility("default"))) relative to the function
body. gcc is not. So if we try to re-declare an existing function
with default visibility, clang prints a warning and generates
a broken .so file in which nfct_helper_* are not exported to library
callers.
Move the attribute up into the function definition to make clang happy.
Signed-off-by: Kevin Cernekee <cernekee@chromium.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
(cherry picked from commit f58c5b09fb59baf07c942d373fc4d522b27e73c6)
Signed-off-by: Phil Sutter <psutter@redhat.com>
---
doxygen.cfg.in | 2 +-
src/internal.h | 5 +--
src/libnetfilter_cthelper.c | 83 +++++++++++++++----------------------
3 files changed, 36 insertions(+), 54 deletions(-)
diff --git a/doxygen.cfg.in b/doxygen.cfg.in
index cac9b0510b4d7..190b7cd6e716e 100644
--- a/doxygen.cfg.in
+++ b/doxygen.cfg.in
@@ -72,7 +72,7 @@ RECURSIVE = YES
EXCLUDE =
EXCLUDE_SYMLINKS = NO
EXCLUDE_PATTERNS = */.git/* .*.d
-EXCLUDE_SYMBOLS = EXPORT_SYMBOL
+EXCLUDE_SYMBOLS =
EXAMPLE_PATH =
EXAMPLE_PATTERNS =
EXAMPLE_RECURSIVE = NO
diff --git a/src/internal.h b/src/internal.h
index 3a88d1a1f7d8b..5d781718ddadc 100644
--- a/src/internal.h
+++ b/src/internal.h
@@ -3,10 +3,9 @@
#include "config.h"
#ifdef HAVE_VISIBILITY_HIDDEN
-# define __visible __attribute__((visibility("default")))
-# define EXPORT_SYMBOL(x) typeof(x) (x) __visible
+# define __EXPORTED __attribute__((visibility("default")))
#else
-# define EXPORT_SYMBOL
+# define __EXPORTED
#endif
#endif
diff --git a/src/libnetfilter_cthelper.c b/src/libnetfilter_cthelper.c
index f8f58e6c9c5e8..af543a17fafa8 100644
--- a/src/libnetfilter_cthelper.c
+++ b/src/libnetfilter_cthelper.c
@@ -99,17 +99,16 @@ struct nfct_helper {
* In case of success, this function returns a valid pointer, otherwise NULL
* s returned and errno is appropriately set.
*/
-struct nfct_helper *nfct_helper_alloc(void)
+struct nfct_helper __EXPORTED *nfct_helper_alloc(void)
{
return calloc(1, sizeof(struct nfct_helper));
}
-EXPORT_SYMBOL(nfct_helper_alloc);
/**
* nfct_helper_free - release one helper object
* \param nfct_helper pointer to the helper object
*/
-void nfct_helper_free(struct nfct_helper *h)
+void __EXPORTED nfct_helper_free(struct nfct_helper *h)
{
int i;
@@ -119,7 +118,6 @@ void nfct_helper_free(struct nfct_helper *h)
}
free(h);
}
-EXPORT_SYMBOL(nfct_helper_free);
/**
* nfct_helper_policy_alloc - allocate a new helper policy object
@@ -127,21 +125,19 @@ EXPORT_SYMBOL(nfct_helper_free);
* In case of success, this function returns a valid pointer, otherwise NULL
* s returned and errno is appropriately set.
*/
-struct nfct_helper_policy *nfct_helper_policy_alloc(void)
+struct nfct_helper_policy __EXPORTED *nfct_helper_policy_alloc(void)
{
return calloc(1, sizeof(struct nfct_helper_policy));
}
-EXPORT_SYMBOL(nfct_helper_policy_alloc);
/**
* nfct_helper_free - release one helper policy object
* \param nfct_helper pointer to the helper object
*/
-void nfct_helper_policy_free(struct nfct_helper_policy *p)
+void __EXPORTED nfct_helper_policy_free(struct nfct_helper_policy *p)
{
free(p);
}
-EXPORT_SYMBOL(nfct_helper_policy_free);
/**
* nfct_helper_policy_attr_set - set one attribute of the helper object
@@ -149,7 +145,7 @@ EXPORT_SYMBOL(nfct_helper_policy_free);
* \param type attribute type you want to set
* \param data pointer to data that will be used to set this attribute
*/
-void
+void __EXPORTED
nfct_helper_policy_attr_set(struct nfct_helper_policy *p,
enum nfct_helper_policy_attr_type type,
const void *data)
@@ -170,7 +166,6 @@ nfct_helper_policy_attr_set(struct nfct_helper_policy *p,
break;
}
}
-EXPORT_SYMBOL(nfct_helper_policy_attr_set);
/**
* nfct_helper_attr_set_str - set one attribute the helper object
@@ -178,23 +173,21 @@ EXPORT_SYMBOL(nfct_helper_policy_attr_set);
* \param type attribute type you want to set
* \param name string that will be used to set this attribute
*/
-void
+void __EXPORTED
nfct_helper_policy_attr_set_str(struct nfct_helper_policy *p,
enum nfct_helper_policy_attr_type type,
const char *name)
{
nfct_helper_policy_attr_set(p, type, name);
}
-EXPORT_SYMBOL(nfct_helper_policy_attr_set_str);
-void
+void __EXPORTED
nfct_helper_policy_attr_set_u32(struct nfct_helper_policy *p,
enum nfct_helper_policy_attr_type type,
uint32_t value)
{
nfct_helper_policy_attr_set(p, type, &value);
}
-EXPORT_SYMBOL(nfct_helper_policy_attr_set_u32);
/**
* nfct_helper_attr_set - set one attribute of the helper object
@@ -202,7 +195,7 @@ EXPORT_SYMBOL(nfct_helper_policy_attr_set_u32);
* \param type attribute type you want to set
* \param data pointer to data that will be used to set this attribute
*/
-void
+void __EXPORTED
nfct_helper_attr_set(struct nfct_helper *h,
enum nfct_helper_attr_type type, const void *data)
{
@@ -250,7 +243,6 @@ nfct_helper_attr_set(struct nfct_helper *h,
break;
}
}
-EXPORT_SYMBOL(nfct_helper_attr_set);
/**
* nfct_helper_attr_set_str - set one attribute the helper object
@@ -258,44 +250,40 @@ EXPORT_SYMBOL(nfct_helper_attr_set);
* \param type attribute type you want to set
* \param name string that will be used to set this attribute
*/
-void
+void __EXPORTED
nfct_helper_attr_set_str(struct nfct_helper *nfct_helper, enum nfct_helper_attr_type type,
const char *name)
{
nfct_helper_attr_set(nfct_helper, type, name);
}
-EXPORT_SYMBOL(nfct_helper_attr_set_str);
-void
+void __EXPORTED
nfct_helper_attr_set_u8(struct nfct_helper *nfct_helper,
enum nfct_helper_attr_type type, uint8_t value)
{
nfct_helper_attr_set(nfct_helper, type, &value);
}
-EXPORT_SYMBOL(nfct_helper_attr_set_u8);
-void
+void __EXPORTED
nfct_helper_attr_set_u16(struct nfct_helper *nfct_helper,
enum nfct_helper_attr_type type, uint16_t value)
{
nfct_helper_attr_set(nfct_helper, type, &value);
}
-EXPORT_SYMBOL(nfct_helper_attr_set_u16);
-void
+void __EXPORTED
nfct_helper_attr_set_u32(struct nfct_helper *nfct_helper,
enum nfct_helper_attr_type type, uint32_t value)
{
nfct_helper_attr_set(nfct_helper, type, &value);
}
-EXPORT_SYMBOL(nfct_helper_attr_set_u32);
/**
* nfct_helper_attr_unset - unset one attribute the helper object
* \param nfct_helper pointer to the helper object
* \param type attribute type you want to set
*/
-void
+void __EXPORTED
nfct_helper_attr_unset(struct nfct_helper *nfct_helper, enum nfct_helper_attr_type type)
{
switch(type) {
@@ -307,7 +295,6 @@ nfct_helper_attr_unset(struct nfct_helper *nfct_helper, enum nfct_helper_attr_ty
break;
}
}
-EXPORT_SYMBOL(nfct_helper_attr_unset);
/**
* nfct_helper_attr_get - get one attribute the helper object
@@ -317,8 +304,9 @@ EXPORT_SYMBOL(nfct_helper_attr_unset);
* This function returns a valid pointer to the attribute data. If a
* unsupported attribute is used, this returns NULL.
*/
-const void *nfct_helper_attr_get(struct nfct_helper *helper,
- enum nfct_helper_attr_type type)
+const void __EXPORTED *
+nfct_helper_attr_get(struct nfct_helper *helper,
+ enum nfct_helper_attr_type type)
{
const void *ret = NULL;
@@ -358,7 +346,6 @@ const void *nfct_helper_attr_get(struct nfct_helper *helper,
}
return ret;
}
-EXPORT_SYMBOL(nfct_helper_attr_get);
/**
* nfct_helper_attr_get_str - get one attribute the helper object
@@ -368,13 +355,12 @@ EXPORT_SYMBOL(nfct_helper_attr_get);
* This function returns a valid pointer to the beginning of the string.
* If the attribute is unsupported, this returns NULL.
*/
-const char *
+const char __EXPORTED *
nfct_helper_attr_get_str(struct nfct_helper *nfct_helper,
enum nfct_helper_attr_type type)
{
return (const char *)nfct_helper_attr_get(nfct_helper, type);
}
-EXPORT_SYMBOL(nfct_helper_attr_get_str);
/**
* nfct_helper_attr_get_u8 - get one attribute the helper object
@@ -384,12 +370,12 @@ EXPORT_SYMBOL(nfct_helper_attr_get_str);
* This function returns a unsigned 8-bits integer. If the attribute is
* unsupported, this returns NULL.
*/
-uint8_t nfct_helper_attr_get_u8(struct nfct_helper *nfct_helper,
- enum nfct_helper_attr_type type)
+uint8_t __EXPORTED
+nfct_helper_attr_get_u8(struct nfct_helper *nfct_helper,
+ enum nfct_helper_attr_type type)
{
return *((uint8_t *)nfct_helper_attr_get(nfct_helper, type));
}
-EXPORT_SYMBOL(nfct_helper_attr_get_u8);
/**
* nfct_helper_attr_get_u16 - get one attribute the helper object
@@ -399,12 +385,12 @@ EXPORT_SYMBOL(nfct_helper_attr_get_u8);
* This function returns a unsigned 16-bits integer. If the attribute is
* unsupported, this returns NULL.
*/
-uint16_t nfct_helper_attr_get_u16(struct nfct_helper *nfct_helper,
- enum nfct_helper_attr_type type)
+uint16_t __EXPORTED
+nfct_helper_attr_get_u16(struct nfct_helper *nfct_helper,
+ enum nfct_helper_attr_type type)
{
return *((uint16_t *)nfct_helper_attr_get(nfct_helper, type));
}
-EXPORT_SYMBOL(nfct_helper_attr_get_u16);
/**
* nfct_helper_attr_get_u32 - get one attribute the helper object
@@ -414,12 +400,12 @@ EXPORT_SYMBOL(nfct_helper_attr_get_u16);
* This function returns a unsigned 32-bits integer. If the attribute is
* unsupported, this returns NULL.
*/
-uint32_t nfct_helper_attr_get_u32(struct nfct_helper *nfct_helper,
- enum nfct_helper_attr_type type)
+uint32_t __EXPORTED
+nfct_helper_attr_get_u32(struct nfct_helper *nfct_helper,
+ enum nfct_helper_attr_type type)
{
return *((uint32_t *)nfct_helper_attr_get(nfct_helper, type));
}
-EXPORT_SYMBOL(nfct_helper_attr_get_u32);
/**
* nfct_helper_snprintf - print helper object into one buffer
@@ -431,9 +417,10 @@ EXPORT_SYMBOL(nfct_helper_attr_get_u32);
* This function returns -1 in case that some mandatory attributes are
* missing. On sucess, it returns 0.
*/
-int nfct_helper_snprintf(char *buf, size_t size,
- struct nfct_helper *helper,
- unsigned int type, unsigned int flags)
+int __EXPORTED
+nfct_helper_snprintf(char *buf, size_t size,
+ struct nfct_helper *helper,
+ unsigned int type, unsigned int flags)
{
int ret;
@@ -454,7 +441,6 @@ int nfct_helper_snprintf(char *buf, size_t size,
return ret;
}
-EXPORT_SYMBOL(nfct_helper_snprintf);
/**
* @}
@@ -490,7 +476,7 @@ EXPORT_SYMBOL(nfct_helper_snprintf);
* - Command NFNL_MSG_ACCT_DEL, to delete one specific nfct_helper object (if
* unused, otherwise you hit EBUSY).
*/
-struct nlmsghdr *
+struct nlmsghdr __EXPORTED *
nfct_helper_nlmsg_build_hdr(char *buf, uint8_t cmd,
uint16_t flags, uint32_t seq)
{
@@ -509,7 +495,6 @@ nfct_helper_nlmsg_build_hdr(char *buf, uint8_t cmd,
return nlh;
}
-EXPORT_SYMBOL(nfct_helper_nlmsg_build_hdr);
static void
nfct_helper_nlmsg_build_policy(struct nlmsghdr *nlh,
@@ -530,7 +515,7 @@ nfct_helper_nlmsg_build_policy(struct nlmsghdr *nlh,
* \param nlh: netlink message that you want to use to add the payload.
* \param nfct_helper: pointer to a helper object
*/
-void
+void __EXPORTED
nfct_helper_nlmsg_build_payload(struct nlmsghdr *nlh, struct nfct_helper *h)
{
struct nlattr *nest;
@@ -593,7 +578,6 @@ nfct_helper_nlmsg_build_payload(struct nlmsghdr *nlh, struct nfct_helper *h)
if (h->bitset & (1 << NFCTH_ATTR_STATUS))
mnl_attr_put_u32(nlh, NFCTH_STATUS, ntohl(h->status));
}
-EXPORT_SYMBOL(nfct_helper_nlmsg_build_payload);
static int
nfct_helper_nlmsg_parse_tuple_cb(const struct nlattr *attr, void *data)
@@ -795,7 +779,7 @@ nfct_helper_nlmsg_parse_attr_cb(const struct nlattr *attr, void *data)
* This function returns -1 in case that some mandatory attributes are
* missing. On sucess, it returns 0.
*/
-int
+int __EXPORTED
nfct_helper_nlmsg_parse_payload(const struct nlmsghdr *nlh,
struct nfct_helper *h)
{
@@ -832,7 +816,6 @@ nfct_helper_nlmsg_parse_payload(const struct nlmsghdr *nlh,
}
return 0;
}
-EXPORT_SYMBOL(nfct_helper_nlmsg_parse_payload);
/**
* @}
--
2.23.0

View File

@ -0,0 +1,51 @@
From e155035446b39f6cda9c74c079e0b71cc408bb0b Mon Sep 17 00:00:00 2001
From: Liping Zhang <zlpnobody@gmail.com>
Date: Sun, 19 Mar 2017 22:01:10 +0800
Subject: [PATCH] examples: fix double free in nftc-helper-add
After inputting the following test command, core dump happened:
# ./examples/nfct-helper-add test 1
*** Error in
`.../libnetfilter_cthelper/examples/.libs/lt-nfct-helper-add':
double free or corruption (fasttop): 0x0000000001f3c070 ***
======= Backtrace: =========
/lib64/libc.so.6(+0x77de5)[0x7fd9ebe88de5]
/lib64/libc.so.6(+0x8022a)[0x7fd9ebe9122a]
/lib64/libc.so.6(cfree+0x4c)[0x7fd9ebe9478c]
[...]
Because "struct nfct_helper_policy *p" had been freed by nfct_helper_free,
so there's no need to invoke nfct_helper_policy_free again, otherwise
double free error will happen.
Signed-off-by: Liping Zhang <zlpnobody@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
(cherry picked from commit 9f223e612d3b0be6e4dca84e1db8042dbec64e93)
Signed-off-by: Phil Sutter <psutter@redhat.com>
---
examples/nfct-helper-add.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/examples/nfct-helper-add.c b/examples/nfct-helper-add.c
index 6c476261b75e8..cb7291e8ec4b0 100644
--- a/examples/nfct-helper-add.c
+++ b/examples/nfct-helper-add.c
@@ -32,6 +32,7 @@ int main(int argc, char *argv[])
nfct_helper_attr_set_u16(nfct_helper, NFCTH_ATTR_PROTO_L3NUM, AF_INET);
nfct_helper_attr_set_u8(nfct_helper, NFCTH_ATTR_PROTO_L4NUM, IPPROTO_TCP);
+ /* Will be freed by nfct_helper_free. */
p = nfct_helper_policy_alloc();
if (p == NULL) {
perror("OOM");
@@ -49,7 +50,6 @@ int main(int argc, char *argv[])
nfct_helper_nlmsg_build_payload(nlh, nfct_helper);
nfct_helper_free(nfct_helper);
- nfct_helper_policy_free(p);
nl = mnl_socket_open(NETLINK_NETFILTER);
if (nl == NULL) {
--
2.23.0

View File

@ -0,0 +1,32 @@
From 5edc15389bb0b9d9a1c87eedb17edb58a28cebae Mon Sep 17 00:00:00 2001
From: Liping Zhang <zlpnobody@gmail.com>
Date: Wed, 22 Mar 2017 21:00:47 +0800
Subject: [PATCH] examples: kill the "invalid argument" error in
nftc-helper-add
NFCTH_PRIV_DATA_LEN is a must attribute required by the kernel when
creating the cthelper, add it now. Otherwise -EINVAL will be returned.
Signed-off-by: Liping Zhang <zlpnobody@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
(cherry picked from commit 5fec728cf69d137450e230a88793b1251176c035)
Signed-off-by: Phil Sutter <psutter@redhat.com>
---
examples/nfct-helper-add.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/examples/nfct-helper-add.c b/examples/nfct-helper-add.c
index cb7291e8ec4b0..79e09637415d3 100644
--- a/examples/nfct-helper-add.c
+++ b/examples/nfct-helper-add.c
@@ -31,6 +31,7 @@ int main(int argc, char *argv[])
nfct_helper_attr_set_u32(nfct_helper, NFCTH_ATTR_QUEUE_NUM, atoi(argv[2]));
nfct_helper_attr_set_u16(nfct_helper, NFCTH_ATTR_PROTO_L3NUM, AF_INET);
nfct_helper_attr_set_u8(nfct_helper, NFCTH_ATTR_PROTO_L4NUM, IPPROTO_TCP);
+ nfct_helper_attr_set_u32(nfct_helper, NFCTH_ATTR_PRIV_DATA_LEN, 0);
/* Will be freed by nfct_helper_free. */
p = nfct_helper_policy_alloc();
--
2.23.0

View File

@ -0,0 +1,92 @@
From 4dcb3ad120ba11bf62fd880f028339b41c6fbeb5 Mon Sep 17 00:00:00 2001
From: Liping Zhang <zlpnobody@gmail.com>
Date: Mon, 20 Mar 2017 22:35:22 +0800
Subject: [PATCH] src: fix incorrect building and parsing of the
NFCTH_POLICY_SETX attribute
In nfct_helper_nlmsg_build_policy(), we always set the attribute type to
NFCTH_POLICY_SET, so we cannot add more than one nfct_helper_policy to
the kernel.
Also: in nfct_helper_nlmsg_parse_policy(), we will increase the
helper->policy_num for each nfct_helper_policy, but we mistakenly set it
to the total number of nfct_helper_policy. So when the total number is
more than 3, later out of bound access will happen.
Signed-off-by: Liping Zhang <zlpnobody@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
(cherry picked from commit 5ed4ddea21f30e8829def3603b2d112766a756f2)
Signed-off-by: Phil Sutter <psutter@redhat.com>
---
src/libnetfilter_cthelper.c | 23 +++++++++++------------
1 file changed, 11 insertions(+), 12 deletions(-)
diff --git a/src/libnetfilter_cthelper.c b/src/libnetfilter_cthelper.c
index af543a17fafa8..7ed1f6457eb5f 100644
--- a/src/libnetfilter_cthelper.c
+++ b/src/libnetfilter_cthelper.c
@@ -497,12 +497,12 @@ nfct_helper_nlmsg_build_hdr(char *buf, uint8_t cmd,
}
static void
-nfct_helper_nlmsg_build_policy(struct nlmsghdr *nlh,
+nfct_helper_nlmsg_build_policy(struct nlmsghdr *nlh, uint16_t type,
struct nfct_helper_policy *p)
{
struct nlattr *nest;
- nest = mnl_attr_nest_start(nlh, NFCTH_POLICY_SET);
+ nest = mnl_attr_nest_start(nlh, type);
mnl_attr_put_strz(nlh, NFCTH_POLICY_NAME, p->name);
mnl_attr_put_u32(nlh, NFCTH_POLICY_EXPECT_MAX, htonl(p->expect_max));
mnl_attr_put_u32(nlh, NFCTH_POLICY_EXPECT_TIMEOUT,
@@ -549,22 +549,22 @@ nfct_helper_nlmsg_build_payload(struct nlmsghdr *nlh, struct nfct_helper *h)
int policy_set_num = 0;
if (h->bitset & (1 << NFCTH_ATTR_POLICY1)) {
- nfct_helper_nlmsg_build_policy(nlh,
+ nfct_helper_nlmsg_build_policy(nlh, NFCTH_POLICY_SET1,
h->expect_policy[0]);
policy_set_num++;
}
if (h->bitset & (1 << NFCTH_ATTR_POLICY2)) {
- nfct_helper_nlmsg_build_policy(nlh,
+ nfct_helper_nlmsg_build_policy(nlh, NFCTH_POLICY_SET2,
h->expect_policy[1]);
policy_set_num++;
}
if (h->bitset & (1 << NFCTH_ATTR_POLICY3)) {
- nfct_helper_nlmsg_build_policy(nlh,
+ nfct_helper_nlmsg_build_policy(nlh, NFCTH_POLICY_SET3,
h->expect_policy[2]);
policy_set_num++;
}
if (h->bitset & (1 << NFCTH_ATTR_POLICY4)) {
- nfct_helper_nlmsg_build_policy(nlh,
+ nfct_helper_nlmsg_build_policy(nlh, NFCTH_POLICY_SET4,
h->expect_policy[3]);
policy_set_num++;
}
@@ -717,14 +717,13 @@ nfct_helper_nlmsg_parse_policy_set(const struct nlattr *attr,
struct nfct_helper *helper)
{
struct nlattr *tb[NFCTH_POLICY_SET_MAX+1] = {};
- int i;
+ int i, policy_num = 0;
mnl_attr_parse_nested(attr, nfct_helper_nlmsg_parse_policy_set_cb, tb);
- if (tb[NFCTH_POLICY_SET_NUM]) {
- helper->policy_num =
- ntohl(mnl_attr_get_u32(tb[NFCTH_POLICY_SET_NUM]));
- }
- for (i=0; i<helper->policy_num; i++) {
+ if (tb[NFCTH_POLICY_SET_NUM])
+ policy_num = ntohl(mnl_attr_get_u32(tb[NFCTH_POLICY_SET_NUM]));
+
+ for (i=0; i<policy_num; i++) {
if (tb[NFCTH_POLICY_SET+i]) {
nfct_helper_nlmsg_parse_policy(tb[NFCTH_POLICY_SET+i],
helper);
--
2.23.0

View File

@ -1,6 +1,6 @@
Name: libnetfilter_cthelper
Version: 1.0.0
Release: 13%{?dist}
Release: 15%{?dist}
Summary: User-space infrastructure for connection tracking helpers
Group: System Environment/Libraries
License: GPLv2
@ -9,6 +9,16 @@ Source0: http://www.netfilter.org/projects/libnetfilter_cthelper/files/li
BuildRequires: libmnl-devel >= 1.0.0, pkgconfig, kernel-headers
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
Patch1: 0001-build-resolve-automake-1.12-warnings.patch
Patch2: 0002-Update-.gitignore.patch
Patch3: 0003-configure-uclinux-is-also-linux.patch
Patch4: 0004-src-fix-use-after-free.patch
Patch5: 0005-include-Sync-with-kernel-headers.patch
Patch6: 0006-Use-__EXPORTED-rather-than-EXPORT_SYMBOL.patch
Patch7: 0007-examples-fix-double-free-in-nftc-helper-add.patch
Patch8: 0008-examples-kill-the-invalid-argument-error-in-nftc-hel.patch
Patch9: 0009-src-fix-incorrect-building-and-parsing-of-the-NFCTH_.patch
%description
This library provides the infrastructure for the user-space helper
infrastructure available since the Linux kernel 3.6.
@ -25,7 +35,7 @@ The %{name}-devel package contains libraries and header files for
developing applications that use %{name}.
%prep
%setup -q
%autosetup -p1
%build
%configure --disable-static
@ -51,6 +61,12 @@ find $RPM_BUILD_ROOT -type f -name '*.la' -exec rm -f {} ';'
%{_libdir}/*.so
%changelog
* Thu Oct 24 2019 Phil Sutter <psutter@redhat.com> - 1.0.0-15
- Rebuild for added CI tests
* Thu Oct 24 2019 Phil Sutter <psutter@redhat.com> - 1.0.0-14
- Add missing backports from upstream
* Wed Feb 07 2018 Fedora Release Engineering <releng@fedoraproject.org> - 1.0.0-13
- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild