libnetfilter_cthelper-1.0.0-22.el9

- src: fix incorrect building and parsing of the NFCTH_POLICY_SETX attribute
- examples: kill the "invalid argument" error in nftc-helper-add
- examples: fix double free in nftc-helper-add
- include: Sync with kernel headers
- src: fix use after free

Resolves: rhbz#1989936

0001-src-fix-use-after-free.patch

@@ -0,0 +1,34 @@
+From 28fd339a4de2fa383fd8a887e570be542f170ac2 Mon Sep 17 00:00:00 2001
+From: Christopher Horler <cshorler@googlemail.com>
+Date: Mon, 8 Dec 2014 20:04:31 +0000
+Subject: [PATCH] src: fix use after free
+
+Fixes: https://bugzilla.netfilter.org/show_bug.cgi?id=990
+
+Signed-off-by: Christopher Horler <cshorler@googlemail.com>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+(cherry picked from commit d48012fa7718195e3f897b01a36e4ba249aa6dfc)
+---
+ src/libnetfilter_cthelper.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/libnetfilter_cthelper.c b/src/libnetfilter_cthelper.c
+index 297887040b20c..f8f58e6c9c5e8 100644
+--- a/src/libnetfilter_cthelper.c
++++ b/src/libnetfilter_cthelper.c
+@@ -113,11 +113,11 @@ void nfct_helper_free(struct nfct_helper *h)
+ {
+ 	int i;
+ 
+-	free(h);
+ 	for (i=0; i<NF_CT_HELPER_CLASS_MAX; i++) {
+ 		if (h->expect_policy[i])
+ 			free(h->expect_policy[i]);
+ 	}
++	free(h);
+ }
+ EXPORT_SYMBOL(nfct_helper_free);
+ 
+-- 
+2.34.1
+

0002-include-Sync-with-kernel-headers.patch

@@ -0,0 +1,84 @@
+From fdedadd0dc934100a11c0a942c0b62193a4c0cf1 Mon Sep 17 00:00:00 2001
+From: Felix Janda <felix.janda@posteo.de>
+Date: Sat, 16 May 2015 13:35:14 +0200
+Subject: [PATCH] include: Sync with kernel headers
+
+Signed-off-by: Felix Janda <felix.janda@posteo.de>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+(cherry picked from commit 7d55aff4686a5910f84b9045c98d6f01e1daa297)
+---
+ include/linux/netfilter/nfnetlink.h | 52 ++++++-----------------------
+ 1 file changed, 11 insertions(+), 41 deletions(-)
+
+diff --git a/include/linux/netfilter/nfnetlink.h b/include/linux/netfilter/nfnetlink.h
+index f1b546e85d590..c755646752011 100644
+--- a/include/linux/netfilter/nfnetlink.h
++++ b/include/linux/netfilter/nfnetlink.h
+@@ -18,6 +18,10 @@ enum nfnetlink_groups {
+ #define NFNLGRP_CONNTRACK_EXP_UPDATE	NFNLGRP_CONNTRACK_EXP_UPDATE
+ 	NFNLGRP_CONNTRACK_EXP_DESTROY,
+ #define NFNLGRP_CONNTRACK_EXP_DESTROY	NFNLGRP_CONNTRACK_EXP_DESTROY
++	NFNLGRP_NFTABLES,
++#define NFNLGRP_NFTABLES                NFNLGRP_NFTABLES
++	NFNLGRP_ACCT_QUOTA,
++#define NFNLGRP_ACCT_QUOTA		NFNLGRP_ACCT_QUOTA
+ 	__NFNLGRP_MAX,
+ };
+ #define NFNLGRP_MAX	(__NFNLGRP_MAX - 1)
+@@ -51,46 +55,12 @@ struct nfgenmsg {
+ #define NFNL_SUBSYS_ACCT		7
+ #define NFNL_SUBSYS_CTNETLINK_TIMEOUT	8
+ #define NFNL_SUBSYS_CTHELPER		9
+-#define NFNL_SUBSYS_COUNT		10
++#define NFNL_SUBSYS_NFTABLES		10
++#define NFNL_SUBSYS_NFT_COMPAT		11
++#define NFNL_SUBSYS_COUNT		12
+ 
+-#ifdef __KERNEL__
++/* Reserved control nfnetlink messages */
++#define NFNL_MSG_BATCH_BEGIN		NLMSG_MIN_TYPE
++#define NFNL_MSG_BATCH_END		NLMSG_MIN_TYPE+1
+ 
+-#include <linux/netlink.h>
+-#include <linux/capability.h>
+-#include <net/netlink.h>
+-
+-struct nfnl_callback {
+-	int (*call)(struct sock *nl, struct sk_buff *skb, 
+-		    const struct nlmsghdr *nlh,
+-		    const struct nlattr * const cda[]);
+-	int (*call_rcu)(struct sock *nl, struct sk_buff *skb, 
+-		    const struct nlmsghdr *nlh,
+-		    const struct nlattr * const cda[]);
+-	const struct nla_policy *policy;	/* netlink attribute policy */
+-	const u_int16_t attr_count;		/* number of nlattr's */
+-};
+-
+-struct nfnetlink_subsystem {
+-	const char *name;
+-	__u8 subsys_id;			/* nfnetlink subsystem ID */
+-	__u8 cb_count;			/* number of callbacks */
+-	const struct nfnl_callback *cb;	/* callback for individual types */
+-};
+-
+-extern int nfnetlink_subsys_register(const struct nfnetlink_subsystem *n);
+-extern int nfnetlink_subsys_unregister(const struct nfnetlink_subsystem *n);
+-
+-extern int nfnetlink_has_listeners(struct net *net, unsigned int group);
+-extern int nfnetlink_send(struct sk_buff *skb, struct net *net, u32 pid, unsigned group,
+-			  int echo, gfp_t flags);
+-extern int nfnetlink_set_err(struct net *net, u32 pid, u32 group, int error);
+-extern int nfnetlink_unicast(struct sk_buff *skb, struct net *net, u_int32_t pid, int flags);
+-
+-extern void nfnl_lock(void);
+-extern void nfnl_unlock(void);
+-
+-#define MODULE_ALIAS_NFNL_SUBSYS(subsys) \
+-	MODULE_ALIAS("nfnetlink-subsys-" __stringify(subsys))
+-
+-#endif	/* __KERNEL__ */
+-#endif	/* _NFNETLINK_H */
++#endif /* _NFNETLINK_H */
+-- 
+2.34.1
+

0003-examples-fix-double-free-in-nftc-helper-add.patch

@@ -0,0 +1,50 @@
+From 110713ae423173168a417f1dde6af1c322cb958a Mon Sep 17 00:00:00 2001
+From: Liping Zhang <zlpnobody@gmail.com>
+Date: Sun, 19 Mar 2017 22:01:10 +0800
+Subject: [PATCH] examples: fix double free in nftc-helper-add
+
+After inputting the following test command, core dump happened:
+  # ./examples/nfct-helper-add test 1
+  *** Error in
+ `.../libnetfilter_cthelper/examples/.libs/lt-nfct-helper-add':
+  double free or corruption (fasttop): 0x0000000001f3c070 ***
+  ======= Backtrace: =========
+  /lib64/libc.so.6(+0x77de5)[0x7fd9ebe88de5]
+  /lib64/libc.so.6(+0x8022a)[0x7fd9ebe9122a]
+  /lib64/libc.so.6(cfree+0x4c)[0x7fd9ebe9478c]
+  [...]
+
+Because "struct nfct_helper_policy *p" had been freed by nfct_helper_free,
+so there's no need to invoke nfct_helper_policy_free again, otherwise
+double free error will happen.
+
+Signed-off-by: Liping Zhang <zlpnobody@gmail.com>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+(cherry picked from commit 9f223e612d3b0be6e4dca84e1db8042dbec64e93)
+---
+ examples/nfct-helper-add.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/examples/nfct-helper-add.c b/examples/nfct-helper-add.c
+index 6c476261b75e8..cb7291e8ec4b0 100644
+--- a/examples/nfct-helper-add.c
++++ b/examples/nfct-helper-add.c
+@@ -32,6 +32,7 @@ int main(int argc, char *argv[])
+ 	nfct_helper_attr_set_u16(nfct_helper, NFCTH_ATTR_PROTO_L3NUM, AF_INET);
+ 	nfct_helper_attr_set_u8(nfct_helper, NFCTH_ATTR_PROTO_L4NUM, IPPROTO_TCP);
+ 
++	/* Will be freed by nfct_helper_free. */
+ 	p = nfct_helper_policy_alloc();
+ 	if (p == NULL) {
+ 		perror("OOM");
+@@ -49,7 +50,6 @@ int main(int argc, char *argv[])
+ 	nfct_helper_nlmsg_build_payload(nlh, nfct_helper);
+ 
+ 	nfct_helper_free(nfct_helper);
+-	nfct_helper_policy_free(p);
+ 
+ 	nl = mnl_socket_open(NETLINK_NETFILTER);
+ 	if (nl == NULL) {
+-- 
+2.34.1
+

0004-examples-kill-the-invalid-argument-error-in-nftc-hel.patch

@@ -0,0 +1,31 @@
+From 61c5a2b5cf1632d118ffff96edf30862b873b021 Mon Sep 17 00:00:00 2001
+From: Liping Zhang <zlpnobody@gmail.com>
+Date: Wed, 22 Mar 2017 21:00:47 +0800
+Subject: [PATCH] examples: kill the "invalid argument" error in
+ nftc-helper-add
+
+NFCTH_PRIV_DATA_LEN is a must attribute required by the kernel when
+creating the cthelper, add it now. Otherwise -EINVAL will be returned.
+
+Signed-off-by: Liping Zhang <zlpnobody@gmail.com>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+(cherry picked from commit 5fec728cf69d137450e230a88793b1251176c035)
+---
+ examples/nfct-helper-add.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/examples/nfct-helper-add.c b/examples/nfct-helper-add.c
+index cb7291e8ec4b0..79e09637415d3 100644
+--- a/examples/nfct-helper-add.c
++++ b/examples/nfct-helper-add.c
+@@ -31,6 +31,7 @@ int main(int argc, char *argv[])
+ 	nfct_helper_attr_set_u32(nfct_helper, NFCTH_ATTR_QUEUE_NUM, atoi(argv[2]));
+ 	nfct_helper_attr_set_u16(nfct_helper, NFCTH_ATTR_PROTO_L3NUM, AF_INET);
+ 	nfct_helper_attr_set_u8(nfct_helper, NFCTH_ATTR_PROTO_L4NUM, IPPROTO_TCP);
++	nfct_helper_attr_set_u32(nfct_helper, NFCTH_ATTR_PRIV_DATA_LEN, 0);
+ 
+ 	/* Will be freed by nfct_helper_free. */
+ 	p = nfct_helper_policy_alloc();
+-- 
+2.34.1
+

0005-src-fix-incorrect-building-and-parsing-of-the-NFCTH_.patch

@@ -0,0 +1,91 @@
+From adc96d86c74882c154a37b27424f0caf7b9f5a8a Mon Sep 17 00:00:00 2001
+From: Liping Zhang <zlpnobody@gmail.com>
+Date: Mon, 20 Mar 2017 22:35:22 +0800
+Subject: [PATCH] src: fix incorrect building and parsing of the
+ NFCTH_POLICY_SETX attribute
+
+In nfct_helper_nlmsg_build_policy(), we always set the attribute type to
+NFCTH_POLICY_SET, so we cannot add more than one nfct_helper_policy to
+the kernel.
+
+Also: in nfct_helper_nlmsg_parse_policy(), we will increase the
+helper->policy_num for each nfct_helper_policy, but we mistakenly set it
+to the total number of nfct_helper_policy. So when the total number is
+more than 3, later out of bound access will happen.
+
+Signed-off-by: Liping Zhang <zlpnobody@gmail.com>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+(cherry picked from commit 5ed4ddea21f30e8829def3603b2d112766a756f2)
+---
+ src/libnetfilter_cthelper.c | 23 +++++++++++------------
+ 1 file changed, 11 insertions(+), 12 deletions(-)
+
+diff --git a/src/libnetfilter_cthelper.c b/src/libnetfilter_cthelper.c
+index f8f58e6c9c5e8..b3271a6bf01fb 100644
+--- a/src/libnetfilter_cthelper.c
++++ b/src/libnetfilter_cthelper.c
+@@ -512,12 +512,12 @@ nfct_helper_nlmsg_build_hdr(char *buf, uint8_t cmd,
+ EXPORT_SYMBOL(nfct_helper_nlmsg_build_hdr);
+ 
+ static void
+-nfct_helper_nlmsg_build_policy(struct nlmsghdr *nlh,
++nfct_helper_nlmsg_build_policy(struct nlmsghdr *nlh, uint16_t type,
+ 				struct nfct_helper_policy *p)
+ {
+ 	struct nlattr *nest;
+ 
+-	nest = mnl_attr_nest_start(nlh, NFCTH_POLICY_SET);
++	nest = mnl_attr_nest_start(nlh, type);
+ 	mnl_attr_put_strz(nlh, NFCTH_POLICY_NAME, p->name);
+ 	mnl_attr_put_u32(nlh, NFCTH_POLICY_EXPECT_MAX, htonl(p->expect_max));
+ 	mnl_attr_put_u32(nlh, NFCTH_POLICY_EXPECT_TIMEOUT,
+@@ -564,22 +564,22 @@ nfct_helper_nlmsg_build_payload(struct nlmsghdr *nlh, struct nfct_helper *h)
+ 		int policy_set_num = 0;
+ 
+ 		if (h->bitset & (1 << NFCTH_ATTR_POLICY1)) {
+-			nfct_helper_nlmsg_build_policy(nlh,
++			nfct_helper_nlmsg_build_policy(nlh, NFCTH_POLICY_SET1,
+ 							h->expect_policy[0]);
+ 			policy_set_num++;
+ 		}
+ 		if (h->bitset & (1 << NFCTH_ATTR_POLICY2)) {
+-			nfct_helper_nlmsg_build_policy(nlh,
++			nfct_helper_nlmsg_build_policy(nlh, NFCTH_POLICY_SET2,
+ 							h->expect_policy[1]);
+ 			policy_set_num++;
+ 		}
+ 		if (h->bitset & (1 << NFCTH_ATTR_POLICY3)) {
+-			nfct_helper_nlmsg_build_policy(nlh,
++			nfct_helper_nlmsg_build_policy(nlh, NFCTH_POLICY_SET3,
+ 							h->expect_policy[2]);
+ 			policy_set_num++;
+ 		}
+ 		if (h->bitset & (1 << NFCTH_ATTR_POLICY4)) {
+-			nfct_helper_nlmsg_build_policy(nlh,
++			nfct_helper_nlmsg_build_policy(nlh, NFCTH_POLICY_SET4,
+ 							h->expect_policy[3]);
+ 			policy_set_num++;
+ 		}
+@@ -733,14 +733,13 @@ nfct_helper_nlmsg_parse_policy_set(const struct nlattr *attr,
+ 				   struct nfct_helper *helper)
+ {
+ 	struct nlattr *tb[NFCTH_POLICY_SET_MAX+1] = {};
+-	int i;
++	int i, policy_num = 0;
+ 
+ 	mnl_attr_parse_nested(attr, nfct_helper_nlmsg_parse_policy_set_cb, tb);
+-	if (tb[NFCTH_POLICY_SET_NUM]) {
+-		helper->policy_num =
+-			ntohl(mnl_attr_get_u32(tb[NFCTH_POLICY_SET_NUM]));
+-	}
+-	for (i=0; i<helper->policy_num; i++) {
++	if (tb[NFCTH_POLICY_SET_NUM])
++		policy_num = ntohl(mnl_attr_get_u32(tb[NFCTH_POLICY_SET_NUM]));
++
++	for (i=0; i<policy_num; i++) {
+ 		if (tb[NFCTH_POLICY_SET+i]) {
+ 			nfct_helper_nlmsg_parse_policy(tb[NFCTH_POLICY_SET+i],
+ 						       helper);
+-- 
+2.34.1
+

libnetfilter_cthelper.spec

@@ -1,6 +1,6 @@
 Name:           libnetfilter_cthelper
 Version:        1.0.0
-Release:        21%{?dist}
+Release:        22%{?dist}
 Summary:        User-space infrastructure for connection tracking helpers
 License:        GPLv2
 URL:            http://www.netfilter.org/projects/libnetfilter_cthelper/index.html
@@ -9,6 +9,12 @@ BuildRequires:  gcc
 BuildRequires:  libmnl-devel >= 1.0.0, pkgconfig, kernel-headers
 BuildRequires: make
 
+Patch1: 0001-src-fix-use-after-free.patch
+Patch2: 0002-include-Sync-with-kernel-headers.patch
+Patch3: 0003-examples-fix-double-free-in-nftc-helper-add.patch
+Patch4: 0004-examples-kill-the-invalid-argument-error-in-nftc-hel.patch
+Patch5: 0005-src-fix-incorrect-building-and-parsing-of-the-NFCTH_.patch
+
 %description
 This library provides the infrastructure for the user-space helper
 infrastructure available since the Linux kernel 3.6.
@@ -24,7 +30,7 @@ The %{name}-devel package contains libraries and header files for
 developing applications that use %{name}.
 
 %prep
-%setup -q
+%autosetup -p1
 
 %build
 %configure --disable-static
@@ -49,6 +55,13 @@ find $RPM_BUILD_ROOT -type f -name '*.la' -exec rm -f {} ';'
 %{_libdir}/*.so
 
 %changelog
+* Wed Dec 22 2021 Phil Sutter <psutter@redhat.com> - 1.0.0-22
+- src: fix incorrect building and parsing of the NFCTH_POLICY_SETX attribute
+- examples: kill the "invalid argument" error in nftc-helper-add
+- examples: fix double free in nftc-helper-add
+- include: Sync with kernel headers
+- src: fix use after free
+
 * Mon Aug 09 2021 Mohan Boddu <mboddu@redhat.com> - 1.0.0-21
 - Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
   Related: rhbz#1991688