From bc6e22628c1eddd624dc367ac292dda6a3b40ff6 Mon Sep 17 00:00:00 2001
From: CentOS Sources <bugs@centos.org>
Date: Jan 23 2023 14:31:57 +0000
Subject: import conntrack-tools-1.4.5-17.el9_1


---

diff --git a/SOURCES/0019-local-Avoid-sockaddr_un-sun_path-buffer-overflow.patch b/SOURCES/0019-local-Avoid-sockaddr_un-sun_path-buffer-overflow.patch
new file mode 100644
index 0000000..7ce229a
--- /dev/null
+++ b/SOURCES/0019-local-Avoid-sockaddr_un-sun_path-buffer-overflow.patch
@@ -0,0 +1,60 @@
+From 937ae00b413b46f84aa77b5ca0dae38ed2b3415a Mon Sep 17 00:00:00 2001
+From: Phil Sutter <phil@nwl.cc>
+Date: Wed, 31 Aug 2022 13:00:52 +0200
+Subject: [PATCH] local: Avoid sockaddr_un::sun_path buffer overflow
+
+The array's size in struct sockaddr_un is only UNIX_PATH_MAX and
+according to unix(7), it should hold a null-terminated string. So adjust
+config reader to reject paths of length UNIX_PATH_MAX and above and
+adjust the internal arrays to aid the compiler.
+
+Fixes: f196de88cdd97 ("src: fix strncpy -Wstringop-truncation warnings")
+Signed-off-by: Phil Sutter <phil@nwl.cc>
+(cherry picked from commit 96980c548d3a1aeb07ab6aaef45389efb058a69a)
+---
+ include/local.h      | 4 ++--
+ src/read_config_yy.y | 6 +++---
+ 2 files changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/include/local.h b/include/local.h
+index 9379446732eed..22859d7ab60aa 100644
+--- a/include/local.h
++++ b/include/local.h
+@@ -7,12 +7,12 @@
+ 
+ struct local_conf {
+ 	int reuseaddr;
+-	char path[UNIX_PATH_MAX + 1];
++	char path[UNIX_PATH_MAX];
+ };
+ 
+ struct local_server {
+ 	int fd;
+-	char path[UNIX_PATH_MAX + 1];
++	char path[UNIX_PATH_MAX];
+ };
+ 
+ /* callback return values */
+diff --git a/src/read_config_yy.y b/src/read_config_yy.y
+index 401a1575014d0..d208a6a0617cf 100644
+--- a/src/read_config_yy.y
++++ b/src/read_config_yy.y
+@@ -699,12 +699,12 @@ unix_options:
+ 
+ unix_option : T_PATH T_PATH_VAL
+ {
+-	if (strlen($2) > UNIX_PATH_MAX) {
++	if (strlen($2) >= UNIX_PATH_MAX) {
+ 		dlog(LOG_ERR, "Path is longer than %u characters",
+-		     UNIX_PATH_MAX);
++		     UNIX_PATH_MAX - 1);
+ 		exit(EXIT_FAILURE);
+ 	}
+-	snprintf(conf.local.path, sizeof(conf.local.path), "%s", $2);
++	strcpy(conf.local.path, $2);
+ 	free($2);
+ };
+ 
+-- 
+2.34.1
+
diff --git a/SOURCES/0020-conntrackd-set-default-hashtable-buckets-and-max-ent.patch b/SOURCES/0020-conntrackd-set-default-hashtable-buckets-and-max-ent.patch
new file mode 100644
index 0000000..5dcd006
--- /dev/null
+++ b/SOURCES/0020-conntrackd-set-default-hashtable-buckets-and-max-ent.patch
@@ -0,0 +1,38 @@
+From b304d193f869c9ac9526d88dc82f7e94a7cb8cd5 Mon Sep 17 00:00:00 2001
+From: Pablo Neira Ayuso <pablo@netfilter.org>
+Date: Mon, 8 Mar 2021 16:29:25 +0100
+Subject: [PATCH] conntrackd: set default hashtable buckets and max entries if
+ not specified
+
+Fall back to 65536 buckets and 262144 entries.
+
+It would be probably good to add code to autoadjust by reading
+/proc/sys/net/netfilter/nf_conntrack_buckets and
+/proc/sys/net/nf_conntrack_max.
+
+Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1491
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+(cherry picked from commit 3276471d23d4d96d55e9a0fb7a10983d8097dc45)
+---
+ src/read_config_yy.y | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/src/read_config_yy.y b/src/read_config_yy.y
+index d208a6a0617cf..dc67d11952901 100644
+--- a/src/read_config_yy.y
++++ b/src/read_config_yy.y
+@@ -1780,5 +1780,11 @@ init_config(char *filename)
+ 					 NF_NETLINK_CONNTRACK_DESTROY;
+ 	}
+ 
++	/* default hashtable buckets and maximum number of entries */
++	if (!CONFIG(hashsize))
++		CONFIG(hashsize) = 65536;
++	if (!CONFIG(limit))
++		CONFIG(limit) = 262144;
++
+ 	return 0;
+ }
+-- 
+2.38.0
+
diff --git a/SPECS/conntrack-tools.spec b/SPECS/conntrack-tools.spec
index b5f22f1..c6744ef 100644
--- a/SPECS/conntrack-tools.spec
+++ b/SPECS/conntrack-tools.spec
@@ -1,6 +1,6 @@
 Name:           conntrack-tools
 Version:        1.4.5
-Release:        15%{?dist}
+Release:        17%{?dist}
 Summary:        Manipulate netfilter connection tracking table and run High Availability
 License:        GPLv2
 URL:            http://conntrack-tools.netfilter.org/
@@ -26,6 +26,8 @@ Patch15:        0015-Drop-pointless-assignments.patch
 Patch16:        0016-connntrack-Fix-for-memleak-when-parsing-j-arg.patch
 Patch17:        0017-src-fix-strncpy-Wstringop-truncation-warnings.patch
 Patch18:        0018-conntrack-fix-compiler-warnings.patch
+Patch19:        0019-local-Avoid-sockaddr_un-sun_path-buffer-overflow.patch
+Patch20:        0020-conntrackd-set-default-hashtable-buckets-and-max-ent.patch
 
 BuildRequires:  gcc
 BuildRequires:  libnfnetlink-devel >= 1.0.1, libnetfilter_conntrack-devel >= 1.0.7
@@ -106,6 +108,12 @@ install -m 0644 %{SOURCE2} %{buildroot}%{_sysconfdir}/conntrackd/
 %systemd_postun conntrackd.service 
 
 %changelog
+* Tue Nov 29 2022 Phil Sutter <psutter@redhat.com> - 1.4.5-17
+- conntrackd: set default hashtable buckets and max entries if not specified
+
+* Tue Sep 06 2022 Phil Sutter <psutter@redhat.com> - 1.4.5-16
+- local: Avoid sockaddr_un::sun_path buffer overflow
+
 * Mon Aug 15 2022 Phil Sutter <psutter@redhat.com> - 1.4.5-15
 - conntrack: fix compiler warnings
 - src: fix strncpy -Wstringop-truncation warnings