diff --git a/SOURCES/0006-conntrackd-use-strncpy-to-unix-path.patch b/SOURCES/0006-conntrackd-use-strncpy-to-unix-path.patch new file mode 100644 index 0000000..ad8d2b3 --- /dev/null +++ b/SOURCES/0006-conntrackd-use-strncpy-to-unix-path.patch @@ -0,0 +1,38 @@ +From 16b593316dcf2fac1d583397f94b727791af8a1c Mon Sep 17 00:00:00 2001 +From: Pablo Neira Ayuso +Date: Wed, 20 Mar 2019 08:19:18 +0100 +Subject: [PATCH] conntrackd: use strncpy() to unix path + +Make sure we don't go over the buffer boundary. + +Reported-by: Rijnard van Tonder +Signed-off-by: Pablo Neira Ayuso +(cherry picked from commit ce06fb6069065c3d68475356c0728a5fa0a4ab74) +--- + src/read_config_yy.y | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/src/read_config_yy.y b/src/read_config_yy.y +index 6de8c6c734389..1d510ed20ec8f 100644 +--- a/src/read_config_yy.y ++++ b/src/read_config_yy.y +@@ -25,6 +25,7 @@ + #include + #include + #include ++#include + #include "conntrackd.h" + #include "bitops.h" + #include "cidr.h" +@@ -650,7 +651,7 @@ unix_options: + + unix_option : T_PATH T_PATH_VAL + { +- strcpy(conf.local.path, $2); ++ strncpy(conf.local.path, $2, PATH_MAX); + }; + + unix_option : T_BACKLOG T_NUMBER +-- +2.34.1 + diff --git a/SOURCES/0007-conntrackd-Use-strdup-in-lexer.patch b/SOURCES/0007-conntrackd-Use-strdup-in-lexer.patch new file mode 100644 index 0000000..abca62f --- /dev/null +++ b/SOURCES/0007-conntrackd-Use-strdup-in-lexer.patch 
@@ -0,0 +1,445 @@ +From da531a2ee6f6bd9828c0b64b1651264acdd7e731 Mon Sep 17 00:00:00 2001 +From: Ash Hughes +Date: Thu, 30 May 2019 21:49:56 +0100 +Subject: [PATCH] conntrackd: Use strdup in lexer + +Use strdup in the config file lexer to copy strings to yylval.string. This +should solve the "[ERROR] unknown layer 3 protocol" problem here: +https://www.spinics.net/lists/netfilter/msg58628.html. + +Signed-off-by: Ash Hughes +Signed-off-by: Pablo Neira Ayuso +(cherry picked from commit c12fa8df76752b0a011430f069677b52e4dad164) +--- + src/read_config_lex.l | 8 +++--- + src/read_config_yy.y | 62 +++++++++++++++++++++++++++++++++++++++++++ + 2 files changed, 66 insertions(+), 4 deletions(-) + +diff --git a/src/read_config_lex.l b/src/read_config_lex.l +index 120bc009295a8..b0d9e61e0e4b9 100644 +--- a/src/read_config_lex.l ++++ b/src/read_config_lex.l +@@ -142,9 +142,9 @@ notrack [N|n][O|o][T|t][R|r][A|a][C|c][K|k] + {is_off} { return T_OFF; } + {integer} { yylval.val = atoi(yytext); return T_NUMBER; } + {signed_integer} { yylval.val = atoi(yytext); return T_SIGNED_NUMBER; } +-{ip4} { yylval.string = yytext; return T_IP; } +-{ip6} { yylval.string = yytext; return T_IP; } +-{path} { yylval.string = yytext; return T_PATH_VAL; } ++{ip4} { yylval.string = strdup(yytext); return T_IP; } ++{ip6} { yylval.string = strdup(yytext); return T_IP; } ++{path} { yylval.string = strdup(yytext); return T_PATH_VAL; } + {alarm} { return T_ALARM; } + {persistent} { dlog(LOG_WARNING, "Now `persistent' mode " + "is called `alarm'. 
Please, update " +@@ -156,7 +156,7 @@ notrack [N|n][O|o][T|t][R|r][A|a][C|c][K|k] + "your conntrackd.conf file.\n"); + return T_FTFW; } + {notrack} { return T_NOTRACK; } +-{string} { yylval.string = yytext; return T_STRING; } ++{string} { yylval.string = strdup(yytext); return T_STRING; } + + {comment} ; + {ws} ; +diff --git a/src/read_config_yy.y b/src/read_config_yy.y +index 1d510ed20ec8f..ceba6fc0d2426 100644 +--- a/src/read_config_yy.y ++++ b/src/read_config_yy.y +@@ -117,6 +117,7 @@ logfile_bool : T_LOG T_OFF + logfile_path : T_LOG T_PATH_VAL + { + strncpy(conf.logfile, $2, FILENAME_MAXLEN); ++ free($2); + }; + + syslog_bool : T_SYSLOG T_ON +@@ -152,8 +153,10 @@ syslog_facility : T_SYSLOG T_STRING + else { + dlog(LOG_WARNING, "'%s' is not a known syslog facility, " + "ignoring", $2); ++ free($2); + break; + } ++ free($2); + + if (conf.stats.syslog_facility != -1 && + conf.syslog_facility != conf.stats.syslog_facility) +@@ -164,6 +167,7 @@ syslog_facility : T_SYSLOG T_STRING + lock : T_LOCK T_PATH_VAL + { + strncpy(conf.lockfile, $2, FILENAME_MAXLEN); ++ free($2); + }; + + refreshtime : T_REFRESH T_NUMBER +@@ -225,6 +229,7 @@ multicast_option : T_IPV4_ADDR T_IP + + if (!inet_aton($2, &conf.channel[conf.channel_num].u.mcast.in)) { + dlog(LOG_WARNING, "%s is not a valid IPv4 address", $2); ++ free($2); + break; + } + +@@ -235,6 +240,7 @@ multicast_option : T_IPV4_ADDR T_IP + break; + } + ++ free($2); + conf.channel[conf.channel_num].u.mcast.ipproto = AF_INET; + }; + +@@ -247,6 +253,7 @@ multicast_option : T_IPV6_ADDR T_IP + &conf.channel[conf.channel_num].u.mcast.in); + if (err == 0) { + dlog(LOG_WARNING, "%s is not a valid IPv6 address", $2); ++ free($2); + break; + } else if (err < 0) { + dlog(LOG_ERR, "inet_pton(): IPv6 unsupported!"); +@@ -257,6 +264,7 @@ multicast_option : T_IPV6_ADDR T_IP + dlog(LOG_WARNING, "your multicast address is IPv6 but " + "is binded to an IPv4 interface? 
" + "Surely this is not what you want"); ++ free($2); + break; + } + +@@ -269,12 +277,14 @@ multicast_option : T_IPV6_ADDR T_IP + idx = if_nametoindex($2); + if (!idx) { + dlog(LOG_WARNING, "%s is an invalid interface", $2); ++ free($2); + break; + } + + conf.channel[conf.channel_num].u.mcast.ifa.interface_index6 = idx; + conf.channel[conf.channel_num].u.mcast.ipproto = AF_INET6; + } ++ free($2); + }; + + multicast_option : T_IPV4_IFACE T_IP +@@ -283,8 +293,10 @@ multicast_option : T_IPV4_IFACE T_IP + + if (!inet_aton($2, &conf.channel[conf.channel_num].u.mcast.ifa)) { + dlog(LOG_WARNING, "%s is not a valid IPv4 address", $2); ++ free($2); + break; + } ++ free($2); + + if (conf.channel[conf.channel_num].u.mcast.ipproto == AF_INET6) { + dlog(LOG_WARNING, "your multicast interface is IPv4 but " +@@ -299,6 +311,7 @@ multicast_option : T_IPV4_IFACE T_IP + multicast_option : T_IPV6_IFACE T_IP + { + dlog(LOG_WARNING, "`IPv6_interface' not required, ignoring"); ++ free($2); + } + + multicast_option : T_IFACE T_STRING +@@ -312,6 +325,7 @@ multicast_option : T_IFACE T_STRING + idx = if_nametoindex($2); + if (!idx) { + dlog(LOG_WARNING, "%s is an invalid interface", $2); ++ free($2); + break; + } + +@@ -319,6 +333,8 @@ multicast_option : T_IFACE T_STRING + conf.channel[conf.channel_num].u.mcast.ifa.interface_index6 = idx; + conf.channel[conf.channel_num].u.mcast.ipproto = AF_INET6; + } ++ ++ free($2); + }; + + multicast_option : T_GROUP T_NUMBER +@@ -390,8 +406,10 @@ udp_option : T_IPV4_ADDR T_IP + + if (!inet_aton($2, &conf.channel[conf.channel_num].u.udp.server.ipv4)) { + dlog(LOG_WARNING, "%s is not a valid IPv4 address", $2); ++ free($2); + break; + } ++ free($2); + conf.channel[conf.channel_num].u.udp.ipproto = AF_INET; + }; + +@@ -404,12 +422,14 @@ udp_option : T_IPV6_ADDR T_IP + &conf.channel[conf.channel_num].u.udp.server.ipv6); + if (err == 0) { + dlog(LOG_WARNING, "%s is not a valid IPv6 address", $2); ++ free($2); + break; + } else if (err < 0) { + dlog(LOG_ERR, 
"inet_pton(): IPv6 unsupported!"); + exit(EXIT_FAILURE); + } + ++ free($2); + conf.channel[conf.channel_num].u.udp.ipproto = AF_INET6; + }; + +@@ -419,8 +439,10 @@ udp_option : T_IPV4_DEST_ADDR T_IP + + if (!inet_aton($2, &conf.channel[conf.channel_num].u.udp.client)) { + dlog(LOG_WARNING, "%s is not a valid IPv4 address", $2); ++ free($2); + break; + } ++ free($2); + conf.channel[conf.channel_num].u.udp.ipproto = AF_INET; + }; + +@@ -433,12 +455,14 @@ udp_option : T_IPV6_DEST_ADDR T_IP + &conf.channel[conf.channel_num].u.udp.client); + if (err == 0) { + dlog(LOG_WARNING, "%s is not a valid IPv6 address", $2); ++ free($2); + break; + } else { + dlog(LOG_ERR, "inet_pton(): IPv6 unsupported!"); + exit(EXIT_FAILURE); + } + ++ free($2); + conf.channel[conf.channel_num].u.udp.ipproto = AF_INET6; + }; + +@@ -452,9 +476,12 @@ udp_option : T_IFACE T_STRING + idx = if_nametoindex($2); + if (!idx) { + dlog(LOG_WARNING, "%s is an invalid interface", $2); ++ free($2); + break; + } + conf.channel[conf.channel_num].u.udp.server.ipv6.scope_id = idx; ++ ++ free($2); + }; + + udp_option : T_PORT T_NUMBER +@@ -530,8 +557,10 @@ tcp_option : T_IPV4_ADDR T_IP + + if (!inet_aton($2, &conf.channel[conf.channel_num].u.tcp.server.ipv4)) { + dlog(LOG_WARNING, "%s is not a valid IPv4 address", $2); ++ free($2); + break; + } ++ free($2); + conf.channel[conf.channel_num].u.tcp.ipproto = AF_INET; + }; + +@@ -544,12 +573,14 @@ tcp_option : T_IPV6_ADDR T_IP + &conf.channel[conf.channel_num].u.tcp.server.ipv6); + if (err == 0) { + dlog(LOG_WARNING, "%s is not a valid IPv6 address", $2); ++ free($2); + break; + } else if (err < 0) { + dlog(LOG_ERR, "inet_pton(): IPv6 unsupported!"); + exit(EXIT_FAILURE); + } + ++ free($2); + conf.channel[conf.channel_num].u.tcp.ipproto = AF_INET6; + }; + +@@ -559,8 +590,10 @@ tcp_option : T_IPV4_DEST_ADDR T_IP + + if (!inet_aton($2, &conf.channel[conf.channel_num].u.tcp.client)) { + dlog(LOG_WARNING, "%s is not a valid IPv4 address", $2); ++ free($2); + break; + } 
++ free($2); + conf.channel[conf.channel_num].u.tcp.ipproto = AF_INET; + }; + +@@ -573,12 +606,14 @@ tcp_option : T_IPV6_DEST_ADDR T_IP + &conf.channel[conf.channel_num].u.tcp.client); + if (err == 0) { + dlog(LOG_WARNING, "%s is not a valid IPv6 address", $2); ++ free($2); + break; + } else if (err < 0) { + dlog(LOG_ERR, "inet_pton(): IPv6 unsupported!"); + exit(EXIT_FAILURE); + } + ++ free($2); + conf.channel[conf.channel_num].u.tcp.ipproto = AF_INET6; + }; + +@@ -592,9 +627,12 @@ tcp_option : T_IFACE T_STRING + idx = if_nametoindex($2); + if (!idx) { + dlog(LOG_WARNING, "%s is an invalid interface", $2); ++ free($2); + break; + } + conf.channel[conf.channel_num].u.tcp.server.ipv6.scope_id = idx; ++ ++ free($2); + }; + + tcp_option : T_PORT T_NUMBER +@@ -652,6 +690,7 @@ unix_options: + unix_option : T_PATH T_PATH_VAL + { + strncpy(conf.local.path, $2, PATH_MAX); ++ free($2); + }; + + unix_option : T_BACKLOG T_NUMBER +@@ -739,6 +778,7 @@ expect_list: + expect_item: T_STRING + { + exp_filter_add(STATE(exp_filter), $1); ++ free($1); + } + + sync_mode_alarm: T_SYNC_MODE T_ALARM '{' sync_mode_alarm_list '}' +@@ -986,8 +1026,11 @@ scheduler_line : T_TYPE T_STRING + conf.sched.type = SCHED_FIFO; + } else { + dlog(LOG_ERR, "unknown scheduler `%s'", $2); ++ free($2); + exit(EXIT_FAILURE); + } ++ ++ free($2); + }; + + scheduler_line : T_PRIO T_NUMBER +@@ -1065,8 +1108,10 @@ filter_protocol_item : T_STRING + if (pent == NULL) { + dlog(LOG_WARNING, "getprotobyname() cannot find " + "protocol `%s' in /etc/protocols", $1); ++ free($1); + break; + } ++ free($1); + ct_filter_add_proto(STATE(us_filter), pent->p_proto); + + __kernel_filter_start(); +@@ -1163,12 +1208,14 @@ filter_address_item : T_IPV4_ADDR T_IP + if (cidr > 32) { + dlog(LOG_WARNING, "%s/%d is not a valid network, " + "ignoring", $2, cidr); ++ free($2); + break; + } + } + + if (!inet_aton($2, &ip.ipv4)) { + dlog(LOG_WARNING, "%s is not a valid IPv4, ignoring", $2); ++ free($2); + break; + } + +@@ -1194,6 +1241,7 @@ 
filter_address_item : T_IPV4_ADDR T_IP + "ignore pool!"); + } + } ++ free($2); + __kernel_filter_start(); + + /* host byte order */ +@@ -1223,6 +1271,7 @@ filter_address_item : T_IPV6_ADDR T_IP + if (cidr > 128) { + dlog(LOG_WARNING, "%s/%d is not a valid network, " + "ignoring", $2, cidr); ++ free($2); + break; + } + } +@@ -1230,6 +1279,7 @@ filter_address_item : T_IPV6_ADDR T_IP + err = inet_pton(AF_INET6, $2, &ip.ipv6); + if (err == 0) { + dlog(LOG_WARNING, "%s is not a valid IPv6, ignoring", $2); ++ free($2); + break; + } else if (err < 0) { + dlog(LOG_ERR, "inet_pton(): IPv6 unsupported!"); +@@ -1256,6 +1306,7 @@ filter_address_item : T_IPV6_ADDR T_IP + "ignore pool!"); + } + } ++ free($2); + __kernel_filter_start(); + + /* host byte order */ +@@ -1326,6 +1377,7 @@ stat_logfile_bool : T_LOG T_OFF + stat_logfile_path : T_LOG T_PATH_VAL + { + strncpy(conf.stats.logfile, $2, FILENAME_MAXLEN); ++ free($2); + }; + + stat_syslog_bool : T_SYSLOG T_ON +@@ -1361,8 +1413,10 @@ stat_syslog_facility : T_SYSLOG T_STRING + else { + dlog(LOG_WARNING, "'%s' is not a known syslog facility, " + "ignoring.", $2); ++ free($2); + break; + } ++ free($2); + + if (conf.syslog_facility != -1 && + conf.stats.syslog_facility != conf.syslog_facility) +@@ -1396,8 +1450,10 @@ helper_type: T_TYPE T_STRING T_STRING T_STRING '{' helper_type_list '}' + l3proto = AF_INET6; + else { + dlog(LOG_ERR, "unknown layer 3 protocol"); ++ free($3); + exit(EXIT_FAILURE); + } ++ free($3); + + if (strcmp($4, "tcp") == 0) + l4proto = IPPROTO_TCP; +@@ -1405,19 +1461,23 @@ helper_type: T_TYPE T_STRING T_STRING T_STRING '{' helper_type_list '}' + l4proto = IPPROTO_UDP; + else { + dlog(LOG_ERR, "unknown layer 4 protocol"); ++ free($4); + exit(EXIT_FAILURE); + } ++ free($4); + + #ifdef BUILD_CTHELPER + helper = helper_find(CONNTRACKD_LIB_DIR, $2, l4proto, RTLD_NOW); + if (helper == NULL) { + dlog(LOG_ERR, "Unknown `%s' helper", $2); ++ free($2); + exit(EXIT_FAILURE); + } + #else + dlog(LOG_ERR, "Helper support is 
disabled, recompile conntrackd"); + exit(EXIT_FAILURE); + #endif ++ free($2); + + helper_inst = calloc(1, sizeof(struct ctd_helper_instance)); + if (helper_inst == NULL) +@@ -1520,12 +1580,14 @@ helper_type: T_HELPER_POLICY T_STRING '{' helper_policy_list '}' + if (e == NULL) { + dlog(LOG_ERR, "Helper policy configuration empty, fix your " + "configuration file, please"); ++ free($2); + exit(EXIT_FAILURE); + break; + } + + policy = (struct ctd_helper_policy *) &e->data; + strncpy(policy->name, $2, CTD_HELPER_NAME_LEN); ++ free($2); + policy->name[CTD_HELPER_NAME_LEN-1] = '\0'; + /* Now object is complete. */ + e->type = SYMBOL_HELPER_POLICY_EXPECT_ROOT; +-- +2.34.1 + diff --git a/SOURCES/0008-conntrackd-use-correct-max-unix-path-length.patch b/SOURCES/0008-conntrackd-use-correct-max-unix-path-length.patch new file mode 100644 index 0000000..7f9e269 --- /dev/null +++ b/SOURCES/0008-conntrackd-use-correct-max-unix-path-length.patch 
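Review bot: strdup() can fail, and the new lexer rules for `{ip4}`, `{ip6}`, `{path}` and `{string}` in read_config_lex.l store its result unchecked, so a NULL `yylval.string` reaches parser actions such as `strncpy(conf.logfile, $2, FILENAME_MAXLEN)` and `inet_aton($2, ...)` that dereference it. The configuration is parsed once at startup, so aborting with a clear message is the proportionate reaction, and a small helper keeps the four rules uniform (exit() needs <stdlib.h> in the lexer if it is not already included there). The free() calls added immediately before exit(EXIT_FAILURE) are harmless but unnecessary. Any rule that consumes a T_STRING/T_IP/T_PATH_VAL token and is not touched by this patch now leaks its copy; none is visible here, but it is worth a grep before merging.
```c
/* Copy a token for the parser; the parser action owns and frees the copy. */
static char *dup_token_or_die(const char *text)
{
	char *copy = strdup(text);

	if (copy == NULL) {
		dlog(LOG_ERR, "out of memory while reading the configuration");
		exit(EXIT_FAILURE);
	}
	return copy;
}

/* … unchanged: other lexer rules … */
{ip4}			{ yylval.string = dup_token_or_die(yytext); return T_IP; }
{ip6}			{ yylval.string = dup_token_or_die(yytext); return T_IP; }
{path}			{ yylval.string = dup_token_or_die(yytext); return T_PATH_VAL; }
/* … unchanged: rules between path and string … */
{string}		{ yylval.string = dup_token_or_die(yytext); return T_STRING; }
```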
@@ -0,0 +1,40 @@ +From 8cb5fba90e0c602922bd2497f2d5ea3946eac172 Mon Sep 17 00:00:00 2001 +From: Michal Kubecek +Date: Mon, 15 Jul 2019 08:46:23 +0200 +Subject: [PATCH] conntrackd: use correct max unix path length + +When copying value of "Path" option for unix socket, target buffer size is +UNIX_MAX_PATH so that we must not copy more bytes than that. Also make sure +that the path is null terminated and bail out if user provided path is too +long rather than silently truncate it. + +Fixes: ce06fb606906 ("conntrackd: use strncpy() to unix path") +Signed-off-by: Michal Kubecek +Signed-off-by: Pablo Neira Ayuso +(cherry picked from commit b47e00e8a579519b163cb4faed017463bf64c40d) +--- + src/read_config_yy.y | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/src/read_config_yy.y b/src/read_config_yy.y +index ceba6fc0d2426..4311cd6c9a2f5 100644 +--- a/src/read_config_yy.y ++++ b/src/read_config_yy.y +@@ -689,8 +689,13 @@ unix_options: + + unix_option : T_PATH T_PATH_VAL + { +- strncpy(conf.local.path, $2, PATH_MAX); ++ strncpy(conf.local.path, $2, UNIX_PATH_MAX); + free($2); ++ if (conf.local.path[UNIX_PATH_MAX - 1]) { ++ dlog(LOG_ERR, "UNIX Path is longer than %u characters", ++ UNIX_PATH_MAX - 1); ++ exit(EXIT_FAILURE); ++ } + }; + + unix_option : T_BACKLOG T_NUMBER +-- +2.34.1 + diff --git a/SOURCES/0009-hash-Flush-tables-when-destroying.patch b/SOURCES/0009-hash-Flush-tables-when-destroying.patch new file mode 100644 index 0000000..84d9be8 --- /dev/null +++ b/SOURCES/0009-hash-Flush-tables-when-destroying.patch 
@@ -0,0 +1,29 @@
+From 928268da2fc7e4c3ba393fceba9b38c230b7151e Mon Sep 17 00:00:00 2001
+From: Phil Sutter
+Date: Thu, 24 Mar 2022 18:06:39 +0100
+Subject: [PATCH] hash: Flush tables when destroying
+
+This is cosmetics only, but stops valgrind from complaining about
+definitely lost memory.
+
+Signed-off-by: Phil Sutter
+(cherry picked from commit 9be65154696859d94dcdeb7347ba5cca3b8d48ba)
+---
+ src/hash.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/src/hash.c b/src/hash.c
+index fe6a047fcebe0..a0f240c21fa82 100644
+--- a/src/hash.c
++++ b/src/hash.c
+@@ -55,6 +55,7 @@ hashtable_create(int hashsize, int limit,
+
+ void hashtable_destroy(struct hashtable *h)
+ {
++ hashtable_flush(h);
+ free(h);
+ }
+
+--
+2.34.1
+
diff --git a/SOURCES/0010-cache-Fix-features-array-allocation.patch b/SOURCES/0010-cache-Fix-features-array-allocation.patch
new file mode 100644
index 0000000..8d19715
--- /dev/null
+++ b/SOURCES/0010-cache-Fix-features-array-allocation.patch
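Review bot: hashtable_destroy() now dereferences its argument through hashtable_flush(h), whereas the previous body, free(h), accepted NULL; unless hashtable_flush() checks for NULL itself (not visible here), any caller that destroys a table it never created would now crash, and a guard `if (h == NULL) return;` before the flush keeps the old tolerance. The description also undersells the change: a definitely-lost report means every entry still in the table was leaked, so a one-line comment such as `/* release all entries before freeing the table itself */` above the new call records why flush must precede free rather than leaving it as "cosmetics".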
@@ -0,0 +1,37 @@
+From 22c02399e51367b8ec1b2e66a4359ae5cd8db4ae Mon Sep 17 00:00:00 2001
+From: Phil Sutter
+Date: Thu, 24 Mar 2022 18:07:51 +0100
+Subject: [PATCH] cache: Fix features array allocation
+
+struct cache::features is of type struct cache_feature **, allocate and
+populate accordingly.
+
+Fixes: ad31f852c3454 ("initial import of the conntrack daemon to Netfilter SVN")
+Signed-off-by: Phil Sutter
+(cherry picked from commit 549f90d8a7847f201aa604a0cf7c24b73d4b5a56)
+---
+ src/cache.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/cache.c b/src/cache.c
+index 79a024f8b6bb0..9bc8d0f5bf34a 100644
+--- a/src/cache.c
++++ b/src/cache.c
+@@ -69,12 +69,12 @@ struct cache *cache_create(const char *name, enum cache_type type,
+
+ memcpy(c->feature_type, feature_type, sizeof(feature_type));
+
+- c->features = malloc(sizeof(struct cache_feature) * j);
++ c->features = malloc(sizeof(struct cache_feature *) * j);
+ if (!c->features) {
+ free(c);
+ return NULL;
+ }
+- memcpy(c->features, feature_array, sizeof(struct cache_feature) * j);
++ memcpy(c->features, feature_array, sizeof(struct cache_feature *) * j);
+ c->num_features = j;
+
+ c->extra_offset = size;
+--
+2.34.1
+
diff --git a/SOURCES/0011-Fix-potential-buffer-overrun-in-snprintf-calls.patch b/SOURCES/0011-Fix-potential-buffer-overrun-in-snprintf-calls.patch
new file mode 100644
index 0000000..3a1a66d
--- /dev/null
+++ b/SOURCES/0011-Fix-potential-buffer-overrun-in-snprintf-calls.patch
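Review bot: Both fixed lines still spell the element type by hand, which is exactly how the original `sizeof(struct cache_feature)` mismatch crept in; tying the size to the destination, `c->features = malloc(sizeof(*c->features) * j);` and `memcpy(c->features, feature_array, sizeof(*c->features) * j);`, makes the allocation follow the field's declared type automatically and cannot drift again if the type changes. If `j` is not bounded by a small constant (its origin is outside the hunk), `calloc(j, sizeof(*c->features))` would additionally check the multiplication for overflow. cache_create() begins and ends outside the hunk.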
@@ -0,0 +1,50 @@ +From a26eb6eba3f318271d3fbd52152ad43acfc15393 Mon Sep 17 00:00:00 2001 +From: Phil Sutter +Date: Thu, 24 Mar 2022 18:14:50 +0100 +Subject: [PATCH] Fix potential buffer overrun in snprintf() calls + +When consecutively printing into the same buffer at increasing offset, +reduce buffer size passed to snprintf() to not defeat its size checking. + +Signed-off-by: Phil Sutter +(cherry picked from commit 0e05989f3247e9aef0d96aafc144b2d853732891) +--- + src/process.c | 2 +- + src/queue.c | 4 ++-- + 2 files changed, 3 insertions(+), 3 deletions(-) + +diff --git a/src/process.c b/src/process.c +index 3ddad5ffa7959..08598eeae84de 100644 +--- a/src/process.c ++++ b/src/process.c +@@ -84,7 +84,7 @@ void fork_process_dump(int fd) + int size = 0; + + list_for_each_entry(this, &process_list, head) { +- size += snprintf(buf+size, sizeof(buf), ++ size += snprintf(buf + size, sizeof(buf) - size, + "PID=%u type=%s\n", + this->pid, + this->type < CTD_PROC_MAX ? +diff --git a/src/queue.c b/src/queue.c +index 76425b18495b5..e94dc7c45d1fd 100644 +--- a/src/queue.c ++++ b/src/queue.c +@@ -69,12 +69,12 @@ void queue_stats_show(int fd) + int size = 0; + char buf[512]; + +- size += snprintf(buf+size, sizeof(buf), ++ size += snprintf(buf + size, sizeof(buf) - size, + "allocated queue nodes:\t\t%12u\n\n", + qobjects_num); + + list_for_each_entry(this, &queue_list, list) { +- size += snprintf(buf+size, sizeof(buf), ++ size += snprintf(buf + size, sizeof(buf) - size, + "queue %s:\n" + "current elements:\t\t%12u\n" + "maximum elements:\t\t%12u\n" +-- +2.34.1 + diff --git a/SOURCES/0012-helpers-ftp-Avoid-ugly-casts.patch b/SOURCES/0012-helpers-ftp-Avoid-ugly-casts.patch new file mode 100644 index 0000000..c2482f5 --- /dev/null +++ b/SOURCES/0012-helpers-ftp-Avoid-ugly-casts.patch 
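Review bot: Reducing the size argument stops the first overrun, but `size += snprintf(...)` still accumulates the return value, which is the length the entry would have had, so after one truncated entry `size` exceeds sizeof(buf), `buf + size` points past the array and `sizeof(buf) - size` wraps to a huge size_t, and the following entry is written out of bounds again. Each call needs to check the return value before advancing and stop at the first entry that does not fit; the rewrite below shows it for the loop in fork_process_dump() and the same applies to both calls in queue_stats_show(). Both functions continue past the hunk, so where `size` is finally consumed is not visible.
```c
	list_for_each_entry(this, &process_list, head) {
		int ret = snprintf(buf + size, sizeof(buf) - size,
				   "PID=%u type=%s\n",
				   this->pid,
				   /* … unchanged: type-name argument … */);
		/* ret >= remaining space means this entry was truncated */
		if (ret < 0 || (size_t)ret >= sizeof(buf) - size) {
			size = sizeof(buf) - 1;
			break;
		}
		size += ret;
	}
```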
@@ -0,0 +1,55 @@ +From 2c8cc74e2fbfbed8fad8e80513fc7a34674bb382 Mon Sep 17 00:00:00 2001 +From: Phil Sutter +Date: Thu, 24 Mar 2022 18:27:56 +0100 +Subject: [PATCH] helpers: ftp: Avoid ugly casts + +Coverity tool complains about accessing a local variable at non-zero +offset. Avoid this by using a helper union. This should silence the +checker, although the code is still probably not Big Endian-safe. + +Signed-off-by: Phil Sutter +(cherry picked from commit ff4e57e890a8628208a004587cd7a5ee955bb5fe) +--- + src/helpers/ftp.c | 20 +++++++++----------- + 1 file changed, 9 insertions(+), 11 deletions(-) + +diff --git a/src/helpers/ftp.c b/src/helpers/ftp.c +index bd3f11788cc24..0694d38c6ea13 100644 +--- a/src/helpers/ftp.c ++++ b/src/helpers/ftp.c +@@ -331,23 +331,21 @@ static int nf_nat_ftp_fmt_cmd(enum nf_ct_ftp_type type, + char *buffer, size_t buflen, + uint32_t addr, uint16_t port) + { ++ union { ++ unsigned char c[4]; ++ uint32_t d; ++ } tmp; ++ ++ tmp.d = addr; + switch (type) { + case NF_CT_FTP_PORT: + case NF_CT_FTP_PASV: + return snprintf(buffer, buflen, "%u,%u,%u,%u,%u,%u", +- ((unsigned char *)&addr)[0], +- ((unsigned char *)&addr)[1], +- ((unsigned char *)&addr)[2], +- ((unsigned char *)&addr)[3], +- port >> 8, +- port & 0xFF); ++ tmp.c[0], tmp.c[1], tmp.c[2], tmp.c[3], ++ port >> 8, port & 0xFF); + case NF_CT_FTP_EPRT: + return snprintf(buffer, buflen, "|1|%u.%u.%u.%u|%u|", +- ((unsigned char *)&addr)[0], +- ((unsigned char *)&addr)[1], +- ((unsigned char *)&addr)[2], +- ((unsigned char *)&addr)[3], +- port); ++ tmp.c[0], tmp.c[1], tmp.c[2], tmp.c[3], port); + case NF_CT_FTP_EPSV: + return snprintf(buffer, buflen, "|||%u|", port); + } +-- +2.34.1 + diff --git a/SOURCES/0013-read_config_yy-Drop-extra-argument-from-dlog-call.patch b/SOURCES/0013-read_config_yy-Drop-extra-argument-from-dlog-call.patch new file mode 100644 index 0000000..b7e4e3a --- /dev/null +++ b/SOURCES/0013-read_config_yy-Drop-extra-argument-from-dlog-call.patch 
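Review bot: The union makes the byte access well-defined, but the doubt about endianness voiced in the description belongs as a comment at the declaration, because the result is correct on any host exactly when `addr` is already in network byte order (as a 32-bit IPv4 address taken from an in_addr would be — not visible in this hunk, so confirm at the callers): `tmp.c[0..3]` are then the dotted-quad octets in wire order regardless of host endianness, while `port >> 8` and `port & 0xFF` assume `port` is in host order. A comment such as `/* addr must be in network byte order: c[0..3] are the octets in wire order on any host; port is host order */` above the union, with the initialization folded into the declaration as `} tmp = { .d = addr };`, would settle the question the message leaves open.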
@@ -0,0 +1,30 @@
+From 385a065550fba6afc9132df07b8ef9da40431c55 Mon Sep 17 00:00:00 2001
+From: Phil Sutter
+Date: Thu, 24 Mar 2022 19:09:22 +0100
+Subject: [PATCH] read_config_yy: Drop extra argument from dlog() call
+
+False priority value was never printed.
+
+Fixes: dfb88dae65fbd ("conntrackd: change scheduler and priority via configuration file")
+Signed-off-by: Phil Sutter
+(cherry picked from commit f2fed05adbd05df23a063e0a9f2809399d924c64)
+---
+ src/read_config_yy.y | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/read_config_yy.y b/src/read_config_yy.y
+index 4311cd6c9a2f5..6aee67623953b 100644
+--- a/src/read_config_yy.y
++++ b/src/read_config_yy.y
+@@ -1042,7 +1042,7 @@ scheduler_line : T_PRIO T_NUMBER
+ {
+ conf.sched.prio = $2;
+ if (conf.sched.prio < 0 || conf.sched.prio > 99) {
+- dlog(LOG_ERR, "`Priority' must be [0, 99]\n", $2);
++ dlog(LOG_ERR, "`Priority' must be [0, 99]\n");
+ exit(EXIT_FAILURE);
+ }
+ };
+--
+2.34.1
+
diff --git a/SOURCES/0014-Don-t-call-exit-from-signal-handler.patch b/SOURCES/0014-Don-t-call-exit-from-signal-handler.patch
new file mode 100644
index 0000000..bda2cfa
--- /dev/null
+++ b/SOURCES/0014-Don-t-call-exit-from-signal-handler.patch
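Review bot: Dropping the argument silences the format mismatch but discards the information the original author evidently wanted to report; printing the rejected value, `dlog(LOG_ERR, "Priority %d is out of range [0, 99]", conf.sched.prio);`, tells the operator what the parser actually saw. The trailing `\n` is also inconsistent with the other dlog() calls visible in this file (for example the "unknown scheduler" message in 0007), which pass no newline, so presumably dlog() terminates lines itself and this one produces an empty log line.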
@@ -0,0 +1,30 @@
+From 6441d719c562135db1a41ff34a28f9edf8caf0fb Mon Sep 17 00:00:00 2001
+From: Phil Sutter
+Date: Fri, 25 Mar 2022 09:50:18 +0100
+Subject: [PATCH] Don't call exit() from signal handler
+
+Coverity tool complains that exit() is not signal-safe and therefore
+should not be called from within a signal handler. Call _exit() instead.
+
+Signed-off-by: Phil Sutter
+(cherry picked from commit 7e4d4abd47c6b9b2af745c0a4c8b5532c1886399)
+---
+ src/run.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/run.c b/src/run.c
+index f11a5327fe5e6..37a0eb1c6b957 100644
+--- a/src/run.c
++++ b/src/run.c
+@@ -67,7 +67,7 @@ void killer(int signo)
+ close_log();
+
+ sd_ct_stop();
+- exit(0);
++ _exit(0);
+ }
+
+ static void child(int foo)
+--
+2.34.1
+
diff --git a/SOURCES/0015-Drop-pointless-assignments.patch b/SOURCES/0015-Drop-pointless-assignments.patch
new file mode 100644
index 0000000..71d5d49
--- /dev/null
+++ b/SOURCES/0015-Drop-pointless-assignments.patch
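Review bot: _exit() is the right terminator, but the handler body visible in the hunk still calls close_log() and sd_ct_stop() before it, and neither is on the async-signal-safe list unless it was written with that constraint (not visible here), so the Coverity finding is only partially addressed. The robust shape is for killer() to record the request in a `volatile sig_atomic_t` flag and let the main loop perform the shutdown and the normal exit(); if that is too invasive for a backport, a comment such as `/* signal context: only async-signal-safe calls allowed here */` at the top of killer() at least preserves the constraint for the next change. _exit() needs <unistd.h>, and the hunk does not show whether run.c already includes it. killer() begins outside the hunk.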
@@ -0,0 +1,43 @@ +From addd3c1ab24b64e9569095bcf02378904444f744 Mon Sep 17 00:00:00 2001 +From: Phil Sutter +Date: Fri, 25 Mar 2022 10:15:13 +0100 +Subject: [PATCH] Drop pointless assignments + +These variables are not referred to after assigning within their scope +(or until they're overwritten). + +Signed-off-by: Phil Sutter +(cherry picked from commit 5ecb1226d73eb4f9407faa8d663d7038046d34c6) +--- + src/helpers/ssdp.c | 1 - + src/main.c | 2 +- + 2 files changed, 1 insertion(+), 2 deletions(-) + +diff --git a/src/helpers/ssdp.c b/src/helpers/ssdp.c +index 58658e39d0a21..41a637a9ce720 100644 +--- a/src/helpers/ssdp.c ++++ b/src/helpers/ssdp.c +@@ -259,7 +259,6 @@ static int find_hdr(const char *name, const uint8_t *data, int data_len, + data += i+2; + } + +- data_len -= name_len; + data += name_len; + if (pos) + *pos = data; +diff --git a/src/main.c b/src/main.c +index 7062e12085f11..8c3fa1c943a96 100644 +--- a/src/main.c ++++ b/src/main.c +@@ -320,7 +320,7 @@ int main(int argc, char *argv[]) + + umask(0177); + +- if ((ret = init_config(config_file)) == -1) { ++ if (init_config(config_file) == -1) { + dlog(LOG_ERR, "can't open config file `%s'", config_file); + exit(EXIT_FAILURE); + } +-- +2.34.1 + diff --git a/SOURCES/0016-connntrack-Fix-for-memleak-when-parsing-j-arg.patch b/SOURCES/0016-connntrack-Fix-for-memleak-when-parsing-j-arg.patch new file mode 100644 index 0000000..8f4c849 --- /dev/null +++ b/SOURCES/0016-connntrack-Fix-for-memleak-when-parsing-j-arg.patch 
@@ -0,0 +1,30 @@
+From aff26dfeea91e70032bdc99bdf5bb5a194dd431d Mon Sep 17 00:00:00 2001
+From: Phil Sutter
+Date: Fri, 25 Mar 2022 10:30:29 +0100
+Subject: [PATCH] connntrack: Fix for memleak when parsing -j arg
+
+Have to free the strings allocated by split_address_and_port().
+
+Fixes: 29b390a212214 ("conntrack: Support IPv6 NAT")
+Signed-off-by: Phil Sutter
+(cherry picked from commit 42cb292d6c9e8567db2e30e183b1bd31093700ad)
+---
+ src/conntrack.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/src/conntrack.c b/src/conntrack.c
+index 06f60e85fa1ed..eea5fd339c831 100644
+--- a/src/conntrack.c
++++ b/src/conntrack.c
+@@ -2432,6 +2432,8 @@ int main(int argc, char *argv[])
+ nfct_set_nat_details(c, tmpl.ct, &ad,
+ port_str, family);
+ }
++ free(port_str);
++ free(nat_address);
+ }
+ break;
+ case 'w':
+--
+2.34.1
+
diff --git a/SOURCES/0017-src-fix-strncpy-Wstringop-truncation-warnings.patch b/SOURCES/0017-src-fix-strncpy-Wstringop-truncation-warnings.patch
new file mode 100644
index 0000000..f3168ce
--- /dev/null
+++ b/SOURCES/0017-src-fix-strncpy-Wstringop-truncation-warnings.patch
@@ -0,0 +1,225 @@ +From a045ef8abc1c81ac359103ac61841bae860d8960 Mon Sep 17 00:00:00 2001 +From: "Jose M. Guisado Gomez" +Date: Fri, 16 Aug 2019 11:25:11 +0200 +Subject: [PATCH] src: fix strncpy -Wstringop-truncation warnings +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +-Wstringop-truncation warning was introduced in GCC-8 as truncation +checker for strncpy and strncat. + +Systems using gcc version >= 8 would receive the following warnings: + +read_config_yy.c: In function ‘yyparse’: +read_config_yy.y:1594:2: warning: ‘strncpy’ specified bound 16 equals destination size [-Wstringop-truncation] + 1594 | strncpy(policy->name, $2, CTD_HELPER_NAME_LEN); + | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +read_config_yy.y:1384:2: warning: ‘strncpy’ specified bound 256 equals destination size [-Wstringop-truncation] + 1384 | strncpy(conf.stats.logfile, $2, FILENAME_MAXLEN); + | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +read_config_yy.y:692:2: warning: ‘strncpy’ specified bound 108 equals destination size [-Wstringop-truncation] + 692 | strncpy(conf.local.path, $2, UNIX_PATH_MAX); + | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +read_config_yy.y:169:2: warning: ‘strncpy’ specified bound 256 equals destination size [-Wstringop-truncation] + 169 | strncpy(conf.lockfile, $2, FILENAME_MAXLEN); + | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +read_config_yy.y:119:2: warning: ‘strncpy’ specified bound 256 equals destination size [-Wstringop-truncation] + 119 | strncpy(conf.logfile, $2, FILENAME_MAXLEN); + | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +main.c: In function ‘main’: +main.c:168:5: warning: ‘strncpy’ specified bound 4096 equals destination size [-Wstringop-truncation] + 168 | strncpy(config_file, argv[i], PATH_MAX); + | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +Fix the issue by checking for string length first. Also using +snprintf instead. 
+ +In addition, correct an off-by-one when warning about maximum config +file path length. + +Signed-off-by: Jose M. Guisado Gomez +Signed-off-by: Pablo Neira Ayuso +(cherry picked from commit f196de88cdd9764ddc2e4de737a960972d82fe9d) +--- + include/conntrackd.h | 6 +++--- + include/helper.h | 2 +- + include/local.h | 4 ++-- + src/main.c | 7 +++---- + src/read_config_yy.y | 39 +++++++++++++++++++++++++++++---------- + 5 files changed, 38 insertions(+), 20 deletions(-) + +diff --git a/include/conntrackd.h b/include/conntrackd.h +index 81dff221e96de..fe9ec1854a7d2 100644 +--- a/include/conntrackd.h ++++ b/include/conntrackd.h +@@ -85,9 +85,9 @@ union inet_address { + #define CONFIG(x) conf.x + + struct ct_conf { +- char logfile[FILENAME_MAXLEN]; ++ char logfile[FILENAME_MAXLEN + 1]; + int syslog_facility; +- char lockfile[FILENAME_MAXLEN]; ++ char lockfile[FILENAME_MAXLEN + 1]; + int hashsize; /* hashtable size */ + int channel_num; + int channel_default; +@@ -132,7 +132,7 @@ struct ct_conf { + int prio; + } sched; + struct { +- char logfile[FILENAME_MAXLEN]; ++ char logfile[FILENAME_MAXLEN + 1]; + int syslog_facility; + size_t buffer_size; + } stats; +diff --git a/include/helper.h b/include/helper.h +index 7353dfa9b2073..08d4cf4642802 100644 +--- a/include/helper.h ++++ b/include/helper.h +@@ -13,7 +13,7 @@ struct pkt_buff; + #define CTD_HELPER_POLICY_MAX 4 + + struct ctd_helper_policy { +- char name[CTD_HELPER_NAME_LEN]; ++ char name[CTD_HELPER_NAME_LEN + 1]; + uint32_t expect_timeout; + uint32_t expect_max; + }; +diff --git a/include/local.h b/include/local.h +index 22859d7ab60aa..9379446732eed 100644 +--- a/include/local.h ++++ b/include/local.h +@@ -7,12 +7,12 @@ + + struct local_conf { + int reuseaddr; +- char path[UNIX_PATH_MAX]; ++ char path[UNIX_PATH_MAX + 1]; + }; + + struct local_server { + int fd; +- char path[UNIX_PATH_MAX]; ++ char path[UNIX_PATH_MAX + 1]; + }; + + /* callback return values */ +diff --git a/src/main.c b/src/main.c +index 
8c3fa1c943a96..de4773df8a204 100644 +--- a/src/main.c ++++ b/src/main.c +@@ -120,8 +120,8 @@ do_chdir(const char *d) + + int main(int argc, char *argv[]) + { ++ char config_file[PATH_MAX + 1] = {}; + int ret, i, action = -1; +- char config_file[PATH_MAX] = {}; + int type = 0; + struct utsname u; + int version, major, minor; +@@ -165,13 +165,12 @@ int main(int argc, char *argv[]) + break; + case 'C': + if (++i < argc) { +- strncpy(config_file, argv[i], PATH_MAX); +- if (strlen(argv[i]) >= PATH_MAX){ +- config_file[PATH_MAX-1]='\0'; ++ if (strlen(argv[i]) > PATH_MAX) { + dlog(LOG_WARNING, "Path to config file" + " to long. Cutting it down to %d" + " characters", PATH_MAX); + } ++ snprintf(config_file, PATH_MAX, "%s", argv[i]); + break; + } + show_usage(argv[0]); +diff --git a/src/read_config_yy.y b/src/read_config_yy.y +index 6aee67623953b..d963c494be1fc 100644 +--- a/src/read_config_yy.y ++++ b/src/read_config_yy.y +@@ -116,7 +116,12 @@ logfile_bool : T_LOG T_OFF + + logfile_path : T_LOG T_PATH_VAL + { +- strncpy(conf.logfile, $2, FILENAME_MAXLEN); ++ if (strlen($2) > FILENAME_MAXLEN) { ++ dlog(LOG_ERR, "LogFile path is longer than %u characters", ++ FILENAME_MAXLEN); ++ exit(EXIT_FAILURE); ++ } ++ snprintf(conf.logfile, FILENAME_MAXLEN, "%s", $2); + free($2); + }; + +@@ -166,7 +171,12 @@ syslog_facility : T_SYSLOG T_STRING + + lock : T_LOCK T_PATH_VAL + { +- strncpy(conf.lockfile, $2, FILENAME_MAXLEN); ++ if (strlen($2) > FILENAME_MAXLEN) { ++ dlog(LOG_ERR, "LockFile path is longer than %u characters", ++ FILENAME_MAXLEN); ++ exit(EXIT_FAILURE); ++ } ++ snprintf(conf.lockfile, FILENAME_MAXLEN, "%s", $2); + free($2); + }; + +@@ -689,13 +699,13 @@ unix_options: + + unix_option : T_PATH T_PATH_VAL + { +- strncpy(conf.local.path, $2, UNIX_PATH_MAX); +- free($2); +- if (conf.local.path[UNIX_PATH_MAX - 1]) { +- dlog(LOG_ERR, "UNIX Path is longer than %u characters", +- UNIX_PATH_MAX - 1); ++ if (strlen($2) > UNIX_PATH_MAX) { ++ dlog(LOG_ERR, "Path is longer than %u 
characters", ++ UNIX_PATH_MAX); + exit(EXIT_FAILURE); + } ++ snprintf(conf.local.path, UNIX_PATH_MAX, "%s", $2); ++ free($2); + }; + + unix_option : T_BACKLOG T_NUMBER +@@ -1381,7 +1391,12 @@ stat_logfile_bool : T_LOG T_OFF + + stat_logfile_path : T_LOG T_PATH_VAL + { +- strncpy(conf.stats.logfile, $2, FILENAME_MAXLEN); ++ if (strlen($2) > FILENAME_MAXLEN) { ++ dlog(LOG_ERR, "stats LogFile path is longer than %u characters", ++ FILENAME_MAXLEN); ++ exit(EXIT_FAILURE); ++ } ++ snprintf(conf.stats.logfile, FILENAME_MAXLEN, "%s", $2); + free($2); + }; + +@@ -1589,11 +1604,15 @@ helper_type: T_HELPER_POLICY T_STRING '{' helper_policy_list '}' + exit(EXIT_FAILURE); + break; + } ++ if (strlen($2) > CTD_HELPER_NAME_LEN) { ++ dlog(LOG_ERR, "Helper Policy is longer than %u characters", ++ CTD_HELPER_NAME_LEN); ++ exit(EXIT_FAILURE); ++ } + + policy = (struct ctd_helper_policy *) &e->data; +- strncpy(policy->name, $2, CTD_HELPER_NAME_LEN); ++ snprintf(policy->name, CTD_HELPER_NAME_LEN, "%s", $2); + free($2); +- policy->name[CTD_HELPER_NAME_LEN-1] = '\0'; + /* Now object is complete. */ + e->type = SYMBOL_HELPER_POLICY_EXPECT_ROOT; + stack_item_push(&symbol_stack, e); +-- +2.34.1 + diff --git a/SOURCES/0018-conntrack-fix-compiler-warnings.patch b/SOURCES/0018-conntrack-fix-compiler-warnings.patch new file mode 100644 index 0000000..2c77396 --- /dev/null +++ b/SOURCES/0018-conntrack-fix-compiler-warnings.patch 
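Review bot: In src/main.c the length check, the warning and the copy now disagree by one: `config_file` is PATH_MAX + 1 bytes, the warning fires only for `strlen(argv[i]) > PATH_MAX`, yet `snprintf(config_file, PATH_MAX, "%s", argv[i])` keeps at most PATH_MAX - 1 characters, so a path of exactly PATH_MAX characters is silently cut and longer ones are cut one short of what the message promises. `snprintf(config_file, sizeof(config_file), "%s", argv[i]);` makes the three agree; 0018 later in this series applies the same sizeof() treatment to the five read_config_yy.y sites but does not touch main.c. While there, the warning text "to long" should read "too long". main() continues outside the hunk.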
@@ -0,0 +1,101 @@
+From 6dda36aceaedf88b33e5a2cf216bbd3b047611a6 Mon Sep 17 00:00:00 2001
+From: Florian Westphal
+Date: Mon, 17 Jan 2022 16:42:52 +0100
+Subject: [PATCH] conntrack: fix compiler warnings
+
+.... those do not indicate bugs, but they are distracting.
+
+'exp_filter_add' at filter.c:513:2:
+__builtin_strncpy specified bound 16 equals destination size [-Wstringop-truncation]
+
+This warning is because the size argument passed to strncpy() is
+identical to buffer size, i.e. if hit the resulting string is not
+0-terminated.
+
+read_config_yy.y:1625: warning: '__builtin_snprintf' output may be truncated before the last format character [-Wformat-truncation=]
+ 1625 | snprintf(policy->name, CTD_HELPER_NAME_LEN, "%s", $2);
+read_config_yy.y:1399: warning: '__builtin_snprintf' output may be ...
+ 1399 | snprintf(conf.stats.logfile, FILENAME_MAXLEN, "%s", $2);
+read_config_yy.y:707: warning: '__builtin_snprintf' output may be ...
+ 707 | snprintf(conf.local.path, UNIX_PATH_MAX, "%s", $2);
+read_config_yy.y:179: warning: '__builtin_snprintf' output may be ...
+ 179 | snprintf(conf.lockfile, FILENAME_MAXLEN, "%s", $2);
+read_config_yy.y:124: warning: '__builtin_snprintf' output may be ...
+ 124 | snprintf(conf.logfile, FILENAME_MAXLEN, "%s", $2);
+
+... its because the _MAXLEN constants are one less than the output
+buffer size, i.e. could use either .._MAXLEN + 1 or sizeof, this uses
+sizeof().
+
+Signed-off-by: Florian Westphal
+(cherry picked from commit 5f15bb47bbcdb7581c80c5e488cd109450494ec2)
+---
+ src/filter.c | 2 +-
+ src/read_config_yy.y | 10 +++++-----
+ 2 files changed, 6 insertions(+), 6 deletions(-)
+
+diff --git a/src/filter.c b/src/filter.c
+index 00a5e96ecc248..9f961b1fe5b1b 100644
+--- a/src/filter.c
++++ b/src/filter.c
+@@ -470,7 +470,7 @@ struct exp_filter *exp_filter_create(void)
+ 
+ struct exp_filter_item {
+ struct list_head head;
+- char helper_name[NFCT_HELPER_NAME_MAX];
++ char helper_name[NFCT_HELPER_NAME_MAX + 1];
+ };
+ 
+ /* this is ugly, but it simplifies read_config_yy.y */
+diff --git a/src/read_config_yy.y b/src/read_config_yy.y
+index d963c494be1fc..401a1575014d0 100644
+--- a/src/read_config_yy.y
++++ b/src/read_config_yy.y
+@@ -121,7 +121,7 @@ logfile_path : T_LOG T_PATH_VAL
+ FILENAME_MAXLEN);
+ exit(EXIT_FAILURE);
+ }
+- snprintf(conf.logfile, FILENAME_MAXLEN, "%s", $2);
++ snprintf(conf.logfile, sizeof(conf.logfile), "%s", $2);
+ free($2);
+ };
+ 
+@@ -176,7 +176,7 @@ lock : T_LOCK T_PATH_VAL
+ FILENAME_MAXLEN);
+ exit(EXIT_FAILURE);
+ }
+- snprintf(conf.lockfile, FILENAME_MAXLEN, "%s", $2);
++ snprintf(conf.lockfile, sizeof(conf.lockfile), "%s", $2);
+ free($2);
+ };
+ 
+@@ -704,7 +704,7 @@ unix_option : T_PATH T_PATH_VAL
+ UNIX_PATH_MAX);
+ exit(EXIT_FAILURE);
+ }
+- snprintf(conf.local.path, UNIX_PATH_MAX, "%s", $2);
++ snprintf(conf.local.path, sizeof(conf.local.path), "%s", $2);
+ free($2);
+ };
+ 
+@@ -1396,7 +1396,7 @@ stat_logfile_path : T_LOG T_PATH_VAL
+ FILENAME_MAXLEN);
+ exit(EXIT_FAILURE);
+ }
+- snprintf(conf.stats.logfile, FILENAME_MAXLEN, "%s", $2);
++ snprintf(conf.stats.logfile, sizeof(conf.stats.logfile), "%s", $2);
+ free($2);
+ };
+ 
+@@ -1611,7 +1611,7 @@ helper_type: T_HELPER_POLICY T_STRING '{' helper_policy_list '}'
+ }
+ 
+ policy = (struct ctd_helper_policy *) &e->data;
+- snprintf(policy->name, CTD_HELPER_NAME_LEN, "%s", $2);
++ snprintf(policy->name, sizeof(policy->name), "%s", $2);
+ 
free($2);
+ /* Now object is complete. */
+ e->type = SYMBOL_HELPER_POLICY_EXPECT_ROOT;
+--
+2.34.1
+
diff --git a/SPECS/conntrack-tools.spec b/SPECS/conntrack-tools.spec
index e1a757e..b5f22f1 100644
--- a/SPECS/conntrack-tools.spec
+++ b/SPECS/conntrack-tools.spec
@@ -1,6 +1,6 @@
 Name: conntrack-tools
 Version: 1.4.5
-Release: 10%{?dist}
+Release: 15%{?dist}
 Summary: Manipulate netfilter connection tracking table and run High Availability
 License: GPLv2
 URL: http://conntrack-tools.netfilter.org/
@@ -13,6 +13,19 @@ Patch02: 0002-helpers-Fix-for-warning-when-compiling-against-libti.patch
 Patch03: 0003-build-remove-commented-out-macros-from-configure.ac.patch
 Patch04: 0004-Makefile.am-Use-instead-of.patch
 Patch05: 0005-nfct-remove-lazy-binding.patch
+Patch06: 0006-conntrackd-use-strncpy-to-unix-path.patch
+Patch07: 0007-conntrackd-Use-strdup-in-lexer.patch
+Patch08: 0008-conntrackd-use-correct-max-unix-path-length.patch
+Patch09: 0009-hash-Flush-tables-when-destroying.patch
+Patch10: 0010-cache-Fix-features-array-allocation.patch
+Patch11: 0011-Fix-potential-buffer-overrun-in-snprintf-calls.patch
+Patch12: 0012-helpers-ftp-Avoid-ugly-casts.patch
+Patch13: 0013-read_config_yy-Drop-extra-argument-from-dlog-call.patch
+Patch14: 0014-Don-t-call-exit-from-signal-handler.patch
+Patch15: 0015-Drop-pointless-assignments.patch
+Patch16: 0016-connntrack-Fix-for-memleak-when-parsing-j-arg.patch
+Patch17: 0017-src-fix-strncpy-Wstringop-truncation-warnings.patch
+Patch18: 0018-conntrack-fix-compiler-warnings.patch
 BuildRequires: gcc
 BuildRequires: libnfnetlink-devel >= 1.0.1, libnetfilter_conntrack-devel >= 1.0.7
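Review bot: Growing `helper_name` to `NFCT_HELPER_NAME_MAX + 1` in src/filter.c only yields a NUL-terminated string after the strncpy at filter.c:513 (outside this hunk) if the extra byte is already zero, i.e. if the item is calloc'ed or otherwise zero-filled, which is not visible here; an explicit `helper_name[NFCT_HELPER_NAME_MAX] = '\0';` after that copy would make termination independent of the allocator. In the read_config_yy.y hunks the guards still reject `strlen($2) > LIMIT` while the copies are now bounded by `sizeof(dest)`, and the two agree only when each destination is LIMIT + 1 bytes, which the commit message states for the FILENAME_MAXLEN buffers but not for `conf.local.path` (UNIX_PATH_MAX) or `policy->name` (CTD_HELPER_NAME_LEN). If either of those buffers is exactly LIMIT bytes, a value of LIMIT characters passes the guard and is silently truncated by snprintf; guarding on the destination, `if (strlen($2) >= sizeof(conf.local.path))` and likewise for policy->name, removes the dependence on the constants. The rule actions containing these hunks begin outside them.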
@@ -93,11 +106,34 @@ install -m 0644 %{SOURCE2} %{buildroot}%{_sysconfdir}/conntrackd/
 %systemd_postun conntrackd.service
 %changelog
+* Mon Aug 15 2022 Phil Sutter - 1.4.5-15
+- conntrack: fix compiler warnings
+- src: fix strncpy -Wstringop-truncation warnings
+- connntrack: Fix for memleak when parsing -j arg
+- Drop pointless assignments
+- Don't call exit() from signal handler
+- read_config_yy: Drop extra argument from dlog() call
+- helpers: ftp: Avoid ugly casts
+- Fix potential buffer overrun in snprintf() calls
+- cache: Fix features array allocation
+- hash: Flush tables when destroying
+
+* Mon Mar 28 2022 Phil Sutter - 1.4.5-14
+- conntrackd: use correct max unix path length
+
+* Thu Mar 24 2022 Phil Sutter - 1.4.5-13
+- conntrackd: Use strdup in lexer
+- conntrackd: use strncpy() to unix path
+
+* Tue Mar 15 2022 Phil Sutter - 1.4.5-12
+- Fix source compile in tests.yml
+
+* Tue Mar 15 2022 Phil Sutter - 1.4.5-11
+- Enable hardened builds again.
+
 * Tue Jan 25 2022 Phil Sutter - 1.4.5-10
 - Drop lazy binding via patch from upstream
 - Add patches to fix for failing RPC header search
-- Enable hardened builds again
-- Fix source compile in tests.yml
 * Mon Aug 09 2021 Mohan Boddu - 1.4.5-9
 - Rebuilt for IMA sigs, glibc 2.34, aarch64 flags