nftables-1.0.4-10.el9

* Tue Feb 21 2023 Phil Sutter <psutter@redhat.com> [1.0.4-10.el9]
- netlink_delinearize: Sanitize concat data element decoding (Phil Sutter) [2160049]
- optimize: Clarify chain_optimize() array allocations (Phil Sutter) [2160049]
- optimize: Do not return garbage from stack (Phil Sutter) [2160049]
- netlink: Fix for potential NULL-pointer deref (Phil Sutter) [2160049]
- meta: parse_iso_date() returns boolean (Phil Sutter) [2160049]
- mnl: dump_nf_hooks() leaks memory in error path (Phil Sutter) [2160049]
- owner: Fix potential array out of bounds access (Phil Sutter) [2160049]
Resolves: rhbz#2160049

0025-owner-Fix-potential-array-out-of-bounds-access.patch

@@ -0,0 +1,44 @@
+From d6087e02d9f25bba362db0af16355ee3be4e450a Mon Sep 17 00:00:00 2001
+From: Phil Sutter <psutter@redhat.com>
+Date: Tue, 21 Feb 2023 19:50:40 +0100
+Subject: [PATCH] owner: Fix potential array out of bounds access
+
+Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2160049
+Upstream Status: nftables commit 9967911e3dabb
+
+commit 9967911e3dabb32901617e81e56602af3b37287f
+Author: Pablo Neira Ayuso <pablo@netfilter.org>
+Date:   Wed Dec 21 17:37:46 2022 +0100
+
+    owner: Fix potential array out of bounds access
+
+    If the link target length exceeds 'sizeof(tmp)' bytes, readlink() will
+    return 'sizeof(tmp)'. Using this value as index is illegal.
+
+    Original update from Phil, for the conntrack-tools tree, which also has
+    a copy of this function.
+
+    Fixes: 6d085b22a8b5 ("table: support for the table owner flag")
+    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+
+Signed-off-by: Phil Sutter <psutter@redhat.com>
+---
+ src/owner.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/owner.c b/src/owner.c
+index 2d98a2e..20bed38 100644
+--- a/src/owner.c
++++ b/src/owner.c
+@@ -66,7 +66,7 @@ static char *portid2name(pid_t pid, uint32_t portid, unsigned long inode)
+ 			continue;
+ 
+ 		rl = readlink(procname, tmp, sizeof(tmp));
+-		if (rl <= 0 || rl > (ssize_t)sizeof(tmp))
++		if (rl <= 0 || rl >= (ssize_t)sizeof(tmp))
+ 			continue;
+ 
+ 		tmp[rl] = 0;
+-- 
+2.39.2
+

0026-mnl-dump_nf_hooks-leaks-memory-in-error-path.patch

@@ -0,0 +1,57 @@
+From 92f540141ca5aa1cc5070ea383c2eabf3206b86e Mon Sep 17 00:00:00 2001
+From: Phil Sutter <psutter@redhat.com>
+Date: Tue, 21 Feb 2023 19:50:41 +0100
+Subject: [PATCH] mnl: dump_nf_hooks() leaks memory in error path
+
+Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2160049
+Upstream Status: nftables commit ef66f321e49b3
+
+commit ef66f321e49b337c7e678bb90d6acb94f331dfc4
+Author: Phil Sutter <phil@nwl.cc>
+Date:   Wed Jan 11 12:28:15 2023 +0100
+
+    mnl: dump_nf_hooks() leaks memory in error path
+
+    Have to free the basehook object before returning to caller.
+
+    Fixes: 4694f7230195b ("src: add support for base hook dumping")
+    Signed-off-by: Phil Sutter <phil@nwl.cc>
+
+Signed-off-by: Phil Sutter <psutter@redhat.com>
+---
+ src/mnl.c | 11 +++++++++--
+ 1 file changed, 9 insertions(+), 2 deletions(-)
+
+diff --git a/src/mnl.c b/src/mnl.c
+index 7dd77be..269d3f1 100644
+--- a/src/mnl.c
++++ b/src/mnl.c
+@@ -2211,16 +2211,23 @@ static int dump_nf_hooks(const struct nlmsghdr *nlh, void *_data)
+ 		struct nlattr *nested[NFNLA_HOOK_INFO_MAX + 1] = {};
+ 		uint32_t type;
+ 
+-		if (mnl_attr_parse_nested(tb[NFNLA_HOOK_CHAIN_INFO], dump_nf_chain_info_cb, nested) < 0)
++		if (mnl_attr_parse_nested(tb[NFNLA_HOOK_CHAIN_INFO],
++					  dump_nf_chain_info_cb, nested) < 0) {
++			basehook_free(hook);
+ 			return -1;
++		}
+ 
+ 		type = ntohl(mnl_attr_get_u32(nested[NFNLA_HOOK_INFO_TYPE]));
+ 		if (type == NFNL_HOOK_TYPE_NFTABLES) {
+ 			struct nlattr *info[NFNLA_CHAIN_MAX + 1] = {};
+ 			const char *tablename, *chainname;
+ 
+-			if (mnl_attr_parse_nested(nested[NFNLA_HOOK_INFO_DESC], dump_nf_attr_chain_cb, info) < 0)
++			if (mnl_attr_parse_nested(nested[NFNLA_HOOK_INFO_DESC],
++						  dump_nf_attr_chain_cb,
++						  info) < 0) {
++				basehook_free(hook);
+ 				return -1;
++			}
+ 
+ 			tablename = mnl_attr_get_str(info[NFNLA_CHAIN_TABLE]);
+ 			chainname = mnl_attr_get_str(info[NFNLA_CHAIN_NAME]);
+-- 
+2.39.2
+

0027-meta-parse_iso_date-returns-boolean.patch

@@ -0,0 +1,41 @@
+From dc8cd3f9cc5ad2eddba03bad86ce975d28513534 Mon Sep 17 00:00:00 2001
+From: Phil Sutter <psutter@redhat.com>
+Date: Tue, 21 Feb 2023 19:50:41 +0100
+Subject: [PATCH] meta: parse_iso_date() returns boolean
+
+Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2160049
+Upstream Status: nftables commit db6e97bd667bf
+
+commit db6e97bd667bf205cee22049f9d0fd6550cb43a7
+Author: Phil Sutter <phil@nwl.cc>
+Date:   Wed Jan 11 11:26:41 2023 +0100
+
+    meta: parse_iso_date() returns boolean
+
+    Returning ts if 'ts == (time_t) -1' signals success to caller despite
+    failure.
+
+    Fixes: 4460b839b945a ("meta: fix compiler warning in date_type_parse()")
+    Signed-off-by: Phil Sutter <phil@nwl.cc>
+
+Signed-off-by: Phil Sutter <psutter@redhat.com>
+---
+ src/meta.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/meta.c b/src/meta.c
+index 80ace25..73bd1c4 100644
+--- a/src/meta.c
++++ b/src/meta.c
+@@ -433,7 +433,7 @@ success:
+ 	cur_tm = localtime(&ts);
+ 
+ 	if (ts == (time_t) -1 || cur_tm == NULL)
+-		return ts;
++		return false;
+ 
+ 	/* Substract tm_gmtoff to get the current time */
+ 	*tstamp = ts - cur_tm->tm_gmtoff;
+-- 
+2.39.2
+

0028-netlink-Fix-for-potential-NULL-pointer-deref.patch

@@ -0,0 +1,44 @@
+From 8bb864ad6586da7767cf4b90b75e62cd7324859d Mon Sep 17 00:00:00 2001
+From: Phil Sutter <psutter@redhat.com>
+Date: Tue, 21 Feb 2023 19:50:41 +0100
+Subject: [PATCH] netlink: Fix for potential NULL-pointer deref
+
+Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2160049
+Upstream Status: nftables commit 927d5674e7bf6
+
+commit 927d5674e7bf656428f97c54c9171006e8c3c75e
+Author: Phil Sutter <phil@nwl.cc>
+Date:   Tue Jan 10 22:36:58 2023 +0100
+
+    netlink: Fix for potential NULL-pointer deref
+
+    If memory allocation fails, calloc() returns NULL which was not checked
+    for. The code seems to expect zero array size though, so simply
+    replacing this call by one of the x*calloc() ones won't work. So guard
+    the call also by a check for 'len'.
+
+    Fixes: db0697ce7f602 ("src: support for flowtable listing")
+    Signed-off-by: Phil Sutter <phil@nwl.cc>
+
+Signed-off-by: Phil Sutter <psutter@redhat.com>
+---
+ src/netlink.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/src/netlink.c b/src/netlink.c
+index 799cf9b..dee1732 100644
+--- a/src/netlink.c
++++ b/src/netlink.c
+@@ -1700,7 +1700,8 @@ netlink_delinearize_flowtable(struct netlink_ctx *ctx,
+ 	while (dev_array[len])
+ 		len++;
+ 
+-	flowtable->dev_array = calloc(1, len * sizeof(char *));
++	if (len)
++		flowtable->dev_array = xmalloc(len * sizeof(char *));
+ 	for (i = 0; i < len; i++)
+ 		flowtable->dev_array[i] = xstrdup(dev_array[i]);
+ 
+-- 
+2.39.2
+

0029-optimize-Do-not-return-garbage-from-stack.patch

@@ -0,0 +1,42 @@
+From 9b3e5589c5e1b6ced176ce33f59774a3b1d28c36 Mon Sep 17 00:00:00 2001
+From: Phil Sutter <psutter@redhat.com>
+Date: Tue, 21 Feb 2023 19:50:41 +0100
+Subject: [PATCH] optimize: Do not return garbage from stack
+
+Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2160049
+Upstream Status: nftables commit d4d47e5bdf943
+
+commit d4d47e5bdf943be494aeb5d5a29b8f5212acbddf
+Author: Phil Sutter <phil@nwl.cc>
+Date:   Fri Jan 13 17:09:53 2023 +0100
+
+    optimize: Do not return garbage from stack
+
+    If input does not contain a single 'add' command (unusual, but
+    possible), 'ret' value was not initialized by nft_optimize() before
+    returning its value.
+
+    Fixes: fb298877ece27 ("src: add ruleset optimization infrastructure")
+    Signed-off-by: Phil Sutter <phil@nwl.cc>
+
+Signed-off-by: Phil Sutter <psutter@redhat.com>
+---
+ src/optimize.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/optimize.c b/src/optimize.c
+index 3a3049d..6514cbb 100644
+--- a/src/optimize.c
++++ b/src/optimize.c
+@@ -1017,7 +1017,7 @@ static int cmd_optimize(struct nft_ctx *nft, struct cmd *cmd)
+ int nft_optimize(struct nft_ctx *nft, struct list_head *cmds)
+ {
+ 	struct cmd *cmd;
+-	int ret;
++	int ret = 0;
+ 
+ 	list_for_each_entry(cmd, cmds, list) {
+ 		switch (cmd->op) {
+-- 
+2.39.2
+

0030-optimize-Clarify-chain_optimize-array-allocations.patch

@@ -0,0 +1,51 @@
+From 9a41628f4206efe645f5a058a7d71a4503b5869a Mon Sep 17 00:00:00 2001
+From: Phil Sutter <psutter@redhat.com>
+Date: Tue, 21 Feb 2023 19:50:41 +0100
+Subject: [PATCH] optimize: Clarify chain_optimize() array allocations
+
+Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2160049
+Upstream Status: nftables commit b83a0416cdc88
+
+commit b83a0416cdc881c6ac35739cd858e4fe5fb2e04f
+Author: Phil Sutter <phil@nwl.cc>
+Date:   Tue Jan 10 22:13:44 2023 +0100
+
+    optimize: Clarify chain_optimize() array allocations
+
+    Arguments passed to sizeof() where deemed suspicious by covscan due to
+    the different type. Consistently specify size of an array 'a' using
+    'sizeof(*a) * nmemb'.
+
+    For the statement arrays in stmt_matrix, even use xzalloc_array() since
+    the item count is fixed and therefore can't be zero.
+
+    Fixes: fb298877ece27 ("src: add ruleset optimization infrastructure")
+    Signed-off-by: Phil Sutter <phil@nwl.cc>
+
+Signed-off-by: Phil Sutter <psutter@redhat.com>
+---
+ src/optimize.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/src/optimize.c b/src/optimize.c
+index 6514cbb..baa6abc 100644
+--- a/src/optimize.c
++++ b/src/optimize.c
+@@ -918,10 +918,11 @@ static int chain_optimize(struct nft_ctx *nft, struct list_head *rules)
+ 		ctx->num_rules++;
+ 	}
+ 
+-	ctx->rule = xzalloc(sizeof(ctx->rule) * ctx->num_rules);
+-	ctx->stmt_matrix = xzalloc(sizeof(struct stmt *) * ctx->num_rules);
++	ctx->rule = xzalloc(sizeof(*ctx->rule) * ctx->num_rules);
++	ctx->stmt_matrix = xzalloc(sizeof(*ctx->stmt_matrix) * ctx->num_rules);
+ 	for (i = 0; i < ctx->num_rules; i++)
+-		ctx->stmt_matrix[i] = xzalloc(sizeof(struct stmt *) * MAX_STMTS);
++		ctx->stmt_matrix[i] = xzalloc_array(MAX_STMTS,
++						    sizeof(**ctx->stmt_matrix));
+ 
+ 	merge = xzalloc(sizeof(*merge) * ctx->num_rules);
+ 
+-- 
+2.39.2
+

0031-netlink_delinearize-Sanitize-concat-data-element-dec.patch

@@ -0,0 +1,42 @@
+From 05407602f79391e89e57ef5c4a1a0aea720855e2 Mon Sep 17 00:00:00 2001
+From: Phil Sutter <psutter@redhat.com>
+Date: Tue, 21 Feb 2023 19:50:41 +0100
+Subject: [PATCH] netlink_delinearize: Sanitize concat data element decoding
+
+Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2160049
+Upstream Status: nftables commit 1344d9e53ba4d
+
+commit 1344d9e53ba4d67cedd13a2c76a970fc7ce65683
+Author: Phil Sutter <phil@nwl.cc>
+Date:   Tue Feb 21 18:36:01 2023 +0100
+
+    netlink_delinearize: Sanitize concat data element decoding
+
+    The call to netlink_get_register() might return NULL, catch this before
+    dereferencing the pointer.
+
+    Fixes: db59a5c1204c9 ("netlink_delinearize: fix decoding of concat data element")
+    Signed-off-by: Phil Sutter <phil@nwl.cc>
+    Acked-by: Florian Westphal <fw@strlen.de>
+
+Signed-off-by: Phil Sutter <psutter@redhat.com>
+---
+ src/netlink_delinearize.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/netlink_delinearize.c b/src/netlink_delinearize.c
+index e9e0845..cadb8ec 100644
+--- a/src/netlink_delinearize.c
++++ b/src/netlink_delinearize.c
+@@ -1660,7 +1660,7 @@ static void netlink_parse_dynset(struct netlink_parse_ctx *ctx,
+ 		sreg_data = netlink_parse_register(nle, NFTNL_EXPR_DYNSET_SREG_DATA);
+ 		expr_data = netlink_get_register(ctx, loc, sreg_data);
+ 
+-		if (expr_data->len < set->data->len) {
++		if (expr_data && expr_data->len < set->data->len) {
+ 			expr_free(expr_data);
+ 			expr_data = netlink_parse_concat_expr(ctx, loc, sreg_data, set->data->len);
+ 			if (expr_data == NULL)
+-- 
+2.39.2
+

nftables.spec

@@ -1,5 +1,5 @@
 %define rpmversion 1.0.4
-%define specrelease 9
+%define specrelease 10
 
 Name:           nftables
 Version:        %{rpmversion}
@@ -43,6 +43,13 @@ Patch21:            0021-monitor-Sanitize-startup-race-condition.patch
 Patch22:            0022-netlink_delinearize-fix-decoding-of-concat-data-elem.patch
 Patch23:            0023-netlink_linearize-fix-timeout-with-map-updates.patch
 Patch24:            0024-tests-add-a-test-case-for-map-update-from-packet-pat.patch
+Patch25:            0025-owner-Fix-potential-array-out-of-bounds-access.patch
+Patch26:            0026-mnl-dump_nf_hooks-leaks-memory-in-error-path.patch
+Patch27:            0027-meta-parse_iso_date-returns-boolean.patch
+Patch28:            0028-netlink-Fix-for-potential-NULL-pointer-deref.patch
+Patch29:            0029-optimize-Do-not-return-garbage-from-stack.patch
+Patch30:            0030-optimize-Clarify-chain_optimize-array-allocations.patch
+Patch31:            0031-netlink_delinearize-Sanitize-concat-data-element-dec.patch
 
 BuildRequires: autoconf
 BuildRequires: automake
@@ -154,6 +161,15 @@ sed -i -e 's/\(sofile=\)".*"/\1"'$sofile'"/' \
 %{python3_sitelib}/nftables/
 
 %changelog
+* Tue Feb 21 2023 Phil Sutter <psutter@redhat.com> [1.0.4-10.el9]
+- netlink_delinearize: Sanitize concat data element decoding (Phil Sutter) [2160049]
+- optimize: Clarify chain_optimize() array allocations (Phil Sutter) [2160049]
+- optimize: Do not return garbage from stack (Phil Sutter) [2160049]
+- netlink: Fix for potential NULL-pointer deref (Phil Sutter) [2160049]
+- meta: parse_iso_date() returns boolean (Phil Sutter) [2160049]
+- mnl: dump_nf_hooks() leaks memory in error path (Phil Sutter) [2160049]
+- owner: Fix potential array out of bounds access (Phil Sutter) [2160049]
+
 * Fri Feb 17 2023 Phil Sutter <psutter@redhat.com> [1.0.4-9.el9]
 - tests: add a test case for map update from packet path with concat (Phil Sutter) [2094894]
 - netlink_linearize: fix timeout with map updates (Phil Sutter) [2094894]