From ca3c1234a7899519a9da4273fd625290e9ee1012 Mon Sep 17 00:00:00 2001
From: eabdullin <ed.abdullin.1@gmail.com>
Date: Thu, 28 Mar 2024 10:48:04 +0000
Subject: [PATCH] import CS libnftnl-1.2.6-2.el9

---
 .gitignore                                    |  2 +-
 .libnftnl.metadata                            |  2 +-
 ...e-free-d-expr_list-elements-in-place.patch | 77 +++++++++++++++++++
 SPECS/libnftnl.spec                           | 43 ++++++-----
 4 files changed, 104 insertions(+), 20 deletions(-)
 create mode 100644 SOURCES/0001-set-Do-not-leave-free-d-expr_list-elements-in-place.patch

diff --git a/.gitignore b/.gitignore
index 7eb7ab6..852d249 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1 @@
-SOURCES/libnftnl-1.2.2.tar.bz2
+SOURCES/libnftnl-1.2.6.tar.xz
diff --git a/.libnftnl.metadata b/.libnftnl.metadata
index 816807c..211f019 100644
--- a/.libnftnl.metadata
+++ b/.libnftnl.metadata
@@ -1 +1 @@
-a43773c5569d6a80cd94add256bef4dd63dd7571 SOURCES/libnftnl-1.2.2.tar.bz2
+aba10d5003a851fe08685df1d4ff7b60500122d0 SOURCES/libnftnl-1.2.6.tar.xz
diff --git a/SOURCES/0001-set-Do-not-leave-free-d-expr_list-elements-in-place.patch b/SOURCES/0001-set-Do-not-leave-free-d-expr_list-elements-in-place.patch
new file mode 100644
index 0000000..de444b8
--- /dev/null
+++ b/SOURCES/0001-set-Do-not-leave-free-d-expr_list-elements-in-place.patch
@@ -0,0 +1,77 @@
+From 64b18b08a4c7ff6baeca536100e34aacbbafa7f3 Mon Sep 17 00:00:00 2001
+From: Phil Sutter <psutter@redhat.com>
+Date: Thu, 26 Oct 2023 18:05:02 +0200
+Subject: [PATCH] set: Do not leave free'd expr_list elements in place
+
+JIRA: https://issues.redhat.com/browse/RHEL-14149
+Upstream Status: libnftnl commit 3eaa940bc33a3186dc7ba1e30640ec79b5f261b9
+
+commit 3eaa940bc33a3186dc7ba1e30640ec79b5f261b9
+Author: Phil Sutter <phil@nwl.cc>
+Date:   Wed May 31 14:09:09 2023 +0200
+
+    set: Do not leave free'd expr_list elements in place
+
+    When freeing elements, remove them also to prevent a potential UAF.
+
+    Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1685
+    Fixes: 3469f09286cee ("src: add NFTNL_SET_EXPRESSIONS")
+    Signed-off-by: Phil Sutter <phil@nwl.cc>
+
+Signed-off-by: Phil Sutter <psutter@redhat.com>
+---
+ src/set.c | 16 ++++++++++++----
+ 1 file changed, 12 insertions(+), 4 deletions(-)
+
+diff --git a/src/set.c b/src/set.c
+index c46f827..719e596 100644
+--- a/src/set.c
++++ b/src/set.c
+@@ -54,8 +54,10 @@ void nftnl_set_free(const struct nftnl_set *s)
+ 	if (s->flags & (1 << NFTNL_SET_USERDATA))
+ 		xfree(s->user.data);
+ 
+-	list_for_each_entry_safe(expr, next, &s->expr_list, head)
++	list_for_each_entry_safe(expr, next, &s->expr_list, head) {
++		list_del(&expr->head);
+ 		nftnl_expr_free(expr);
++	}
+ 
+ 	list_for_each_entry_safe(elem, tmp, &s->element_list, head) {
+ 		list_del(&elem->head);
+@@ -105,8 +107,10 @@ void nftnl_set_unset(struct nftnl_set *s, uint16_t attr)
+ 		break;
+ 	case NFTNL_SET_EXPR:
+ 	case NFTNL_SET_EXPRESSIONS:
+-		list_for_each_entry_safe(expr, tmp, &s->expr_list, head)
++		list_for_each_entry_safe(expr, tmp, &s->expr_list, head) {
++			list_del(&expr->head);
+ 			nftnl_expr_free(expr);
++		}
+ 		break;
+ 	default:
+ 		return;
+@@ -210,8 +214,10 @@ int nftnl_set_set_data(struct nftnl_set *s, uint16_t attr, const void *data,
+ 		s->user.len = data_len;
+ 		break;
+ 	case NFTNL_SET_EXPR:
+-		list_for_each_entry_safe(expr, tmp, &s->expr_list, head)
++		list_for_each_entry_safe(expr, tmp, &s->expr_list, head) {
++			list_del(&expr->head);
+ 			nftnl_expr_free(expr);
++		}
+ 
+ 		expr = (void *)data;
+ 		list_add(&expr->head, &s->expr_list);
+@@ -742,8 +748,10 @@ int nftnl_set_nlmsg_parse(const struct nlmsghdr *nlh, struct nftnl_set *s)
+ 
+ 	return 0;
+ out_set_expr:
+-	list_for_each_entry_safe(expr, next, &s->expr_list, head)
++	list_for_each_entry_safe(expr, next, &s->expr_list, head) {
++		list_del(&expr->head);
+ 		nftnl_expr_free(expr);
++	}
+ 
+ 	return -1;
+ }
diff --git a/SPECS/libnftnl.spec b/SPECS/libnftnl.spec
index af42eca..5a82c23 100644
--- a/SPECS/libnftnl.spec
+++ b/SPECS/libnftnl.spec
@@ -1,20 +1,21 @@
-Name:           libnftnl
-Version:        1.2.2
-Release:        1%{?dist}
-Summary:        Library for low-level interaction with nftables Netlink's API over libmnl
+%define libnftnl_rpmversion 1.2.6
+%define libnftnl_specrelease 2
 
+Name:           libnftnl
+Version:        %{libnftnl_rpmversion}
+Release:        %{libnftnl_specrelease}%{?dist}%{?buildid}
+Summary:        Library for low-level interaction with nftables Netlink's API over libmnl
 License:        GPLv2+
 URL:            https://netfilter.org/projects/libnftnl/
-Source0:        https://www.netfilter.org/pub/libnftnl/libnftnl-%{version}.tar.bz2
+Source0:        %{url}/files/%{name}-%{version}.tar.xz
+
+Patch1:             0001-set-Do-not-leave-free-d-expr_list-elements-in-place.patch
 
 BuildRequires:  libmnl-devel
-BuildRequires:  jansson-devel
 BuildRequires:  gcc
 BuildRequires:  make
-
-# replace old libnftables package
-Provides: libnftables = %{version}-%{release}
-Obsoletes: libnftables < 0-0.6
+#BuildRequires:  autoconf
+#BuildRequires:  automake
 
 %description
 A library for low-level interaction with nftables Netlink's API over libmnl.
@@ -22,9 +23,6 @@ A library for low-level interaction with nftables Netlink's API over libmnl.
 %package        devel
 Summary:        Development files for %{name}
 Requires:       %{name}%{_isa} = %{version}-%{release}
-# replace old libnftables-devel package
-Provides: libnftables-devel = %{version}-%{release}
-Obsoletes: libnftables-devel < 0-0.6
 
 %description    devel
 The %{name}-devel package contains libraries and header files for
@@ -34,15 +32,17 @@ developing applications that use %{name}.
 %autosetup -p1
 
 %build
-%configure --disable-static --disable-silent-rules --with-json-parsing
+# This is what autogen.sh (only in git repo) does - without it, patches changing
+# Makefile.am cause the build system to regenerate Makefile.in and trying to use
+# automake-1.14 for that which is not available in RHEL.
+#autoreconf -fi
+#rm -rf autom4te*.cache
+
+%configure --disable-static --disable-silent-rules
 %make_build
 
 %check
 %make_build check
-# JSON parsing is broken on big endian, causing tests to fail. Fixes awaiting
-# upstream acceptance: https://marc.info/?l=netfilter-devel&m=152968610931720&w=2
-#cd tests
-#sh ./test-script.sh
 
 %install
 %make_install
@@ -58,6 +58,13 @@ find $RPM_BUILD_ROOT -name '*.la' -exec rm -f {} ';'
 %{_includedir}/libnftnl
 
 %changelog
+* Fri Oct 27 2023 Phil Sutter <psutter@redhat.com> [1.2.6-2.el9]
+- spec: Avoid variable name clash, add missing dist tag (Phil Sutter) [RHEL-14149]
+
+* Thu Oct 26 2023 Phil Sutter <psutter@redhat.com> [1.2.6-1.el9]
+- set: Do not leave free'd expr_list elements in place (Phil Sutter) [RHEL-14149]
+- Rebase onto version 1.2.6 (Phil Sutter) [RHEL-14149]
+
 * Tue Jun 07 2022 Phil Sutter <psutter@redhat.com> - 1.2.2-1
 - New version 1.2.2