Rebase to 0^20241121.g238c69f-1.el10
Resolves: RHEL-67556
parent
31b2574899
commit
f4d5f31af9
1
.gitignore
vendored
1
.gitignore
vendored
@ -37,3 +37,4 @@
|
||||
/passt-1ee2ecade3f41e2a3e51c1e580b08cba977a7c8d.tar.xz
|
||||
/passt-57a21d2df1467302dee71ee9d5683a8b96e6ce7f.tar.xz
|
||||
/passt-ee36266a55478672ad2c5f4efbd6ca0bef3d37cd.tar.xz
|
||||
/passt-238c69f9af458e41dea5ad8c988dbf65b05b5172.tar.xz
|
||||
|
@ -1,64 +0,0 @@
|
||||
From 002b2a23380d4df552bac7665d462ac4c7bced0b Mon Sep 17 00:00:00 2001
|
||||
From: David Gibson <david@gibson.dropbear.id.au>
|
||||
Date: Wed, 14 Aug 2024 20:03:33 +1000
|
||||
Subject: [PATCH] flow: Don't crash if guest attempts to connect to port 0
|
||||
|
||||
Using a zero port on TCP or UDP is dubious, and we can't really deal with
|
||||
forwarding such a flow within the constraints of the socket API. Hence
|
||||
we ASSERT()ed that we had non-zero ports in flow_hash().
|
||||
|
||||
The intention was to make sure that the protocol code sanitizes such ports
|
||||
before completing a flow entry. Unfortunately, flow_hash() is also called
|
||||
on new packets to see if they have an existing flow, so the unsanitized
|
||||
guest packet can crash passt with the assert.
|
||||
|
||||
Correct this by moving the assert from flow_hash() to flow_sidx_hash()
|
||||
which is only used on entries already in the table, not on unsanitized
|
||||
data.
|
||||
|
||||
Reported-by: Reported-by: Matt Hamilton <matt@thmail.io>
|
||||
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
|
||||
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
|
||||
---
|
||||
flow.c | 18 ++++++++++--------
|
||||
1 file changed, 10 insertions(+), 8 deletions(-)
|
||||
|
||||
diff --git a/flow.c b/flow.c
|
||||
index 687e9fd..93b687d 100644
|
||||
--- a/flow.c
|
||||
+++ b/flow.c
|
||||
@@ -561,12 +561,6 @@ static uint64_t flow_hash(const struct ctx *c, uint8_t proto, uint8_t pif,
|
||||
{
|
||||
struct siphash_state state = SIPHASH_INIT(c->hash_secret);
|
||||
|
||||
- /* For the hash table to work, we need complete endpoint information,
|
||||
- * and at least a forwarding port.
|
||||
- */
|
||||
- ASSERT(pif != PIF_NONE && !inany_is_unspecified(&side->eaddr) &&
|
||||
- side->eport != 0 && side->fport != 0);
|
||||
-
|
||||
inany_siphash_feed(&state, &side->faddr);
|
||||
inany_siphash_feed(&state, &side->eaddr);
|
||||
|
||||
@@ -586,8 +580,16 @@ static uint64_t flow_hash(const struct ctx *c, uint8_t proto, uint8_t pif,
|
||||
static uint64_t flow_sidx_hash(const struct ctx *c, flow_sidx_t sidx)
|
||||
{
|
||||
const struct flow_common *f = &flow_at_sidx(sidx)->f;
|
||||
- return flow_hash(c, FLOW_PROTO(f),
|
||||
- f->pif[sidx.sidei], &f->side[sidx.sidei]);
|
||||
+ const struct flowside *side = &f->side[sidx.sidei];
|
||||
+ uint8_t pif = f->pif[sidx.sidei];
|
||||
+
|
||||
+ /* For the hash table to work, entries must have complete endpoint
|
||||
+ * information, and at least a forwarding port.
|
||||
+ */
|
||||
+ ASSERT(pif != PIF_NONE && !inany_is_unspecified(&side->eaddr) &&
|
||||
+ side->eport != 0 && side->fport != 0);
|
||||
+
|
||||
+ return flow_hash(c, FLOW_PROTO(f), pif, side);
|
||||
}
|
||||
|
||||
/**
|
||||
--
|
||||
2.43.0
|
||||
|
11
passt.spec
11
passt.spec
@ -7,20 +7,18 @@
|
||||
# Copyright (c) 2022 Red Hat GmbH
|
||||
# Author: Stefano Brivio <sbrivio@redhat.com>
|
||||
|
||||
%global git_hash ee36266a55478672ad2c5f4efbd6ca0bef3d37cd
|
||||
%global git_hash 238c69f9af458e41dea5ad8c988dbf65b05b5172
|
||||
%global selinuxtype targeted
|
||||
|
||||
Name: passt
|
||||
Version: 0^20240806.gee36266
|
||||
Release: 3%{?dist}
|
||||
Version: 0^20241121.g238c69f
|
||||
Release: 1%{?dist}
|
||||
Summary: User-mode networking daemons for virtual machines and namespaces
|
||||
License: GPL-2.0-or-later AND BSD-3-Clause
|
||||
Group: System Environment/Daemons
|
||||
URL: https://passt.top/
|
||||
Source: https://passt.top/passt/snapshot/passt-%{git_hash}.tar.xz
|
||||
|
||||
Patch1: 0001-flow-Don-t-crash-if-guest-attempts-to-connect-to-por.patch
|
||||
|
||||
BuildRequires: gcc, make, git, checkpolicy, selinux-policy-devel
|
||||
Requires: (%{name}-selinux = %{version}-%{release} if selinux-policy-%{selinuxtype})
|
||||
|
||||
@ -126,6 +124,9 @@ fi
|
||||
%{_datadir}/selinux/packages/%{selinuxtype}/pasta.pp
|
||||
|
||||
%changelog
|
||||
* Thu Nov 21 2024 Stefano Brivio <sbrivio@redhat.com> - 0^20241121.g238c69f-1
|
||||
- Resolves: RHEL-67556
|
||||
|
||||
* Tue Oct 29 2024 Troy Dawson <tdawson@redhat.com> - 0^20240806.gee36266-3
|
||||
- Bump release for October 2024 mass rebuild:
|
||||
Resolves: RHEL-64018
|
||||
|
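Review bot: The first passt.spec hunk drops the `Patch1: 0001-flow-Don-t-crash-if-guest-attempts-to-connect-to-por.patch` line (the patch file itself is deleted in the `-1,64 +0,0` section), but neither the spec nor the new `%changelog` entry says why. That patch moved an ASSERT() that an unsanitized guest packet with port 0 could trigger to crash passt, so someone auditing the package cannot tell from this file whether the fix was absorbed or lost. Presumably the 238c69f snapshot already contains it, which should be confirmed against the upstream tree. I would add a changelog line under the Nov 21 entry, such as `- Drop downstream patch for guest connect to port 0, included in upstream snapshot`.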
2
sources
2
sources
@ -1 +1 @@
|
||||
SHA512 (passt-ee36266a55478672ad2c5f4efbd6ca0bef3d37cd.tar.xz) = f3d6b8155ffdd58f7bf291c78ec0607e1acbc879880fc69aaa1a29d6ba96f80fef5a0c8bca6f0ddd3916eeae823d2d3a006f4598fce9f9a3b489413561c72727
|
||||
SHA512 (passt-238c69f9af458e41dea5ad8c988dbf65b05b5172.tar.xz) = c170bdeabe6d9752f5750a11f3292ea8f96562f9d971a3fdedcddb036334fda44b8491be362bbb0892312de8da575ab4ef1842232253ad66edcadae10ac8cd49
|
||||
|