diff --git a/SOURCES/radvd-crash_if_config_removed.patch b/SOURCES/radvd-crash_if_config_removed.patch
new file mode 100644
index 0000000..1c75ccc
--- /dev/null
+++ b/SOURCES/radvd-crash_if_config_removed.patch
@@ -0,0 +1,65 @@
+From 57295ef0e85640adcc3b85f08b12f09d54aad2d2 Mon Sep 17 00:00:00 2001
+From: Tomi Salminen
+Date: Tue, 16 Apr 2019 13:55:39 +0300
+Subject: [PATCH] Crash on SIGHUP when config file removed.
+
+Reading config zeroed the returnable configuration only when the
+config file was opened successfully. If not, the previously read
+in configuration was returned, which was already freed.
+
+Moved configuration zeroing to start of readin_config and added
+unit test to test zero return.
+---
+ gram.y | 2 +-
+ test/util.c | 15 +++++++++++++++
+ 2 files changed, 16 insertions(+), 1 deletion(-)
+
+diff --git a/gram.y b/gram.y
+index 20af2f3..4115390 100644
+--- a/gram.y
++++ b/gram.y
+@@ -947,10 +947,10 @@ static void cleanup(void)
+
+ struct Interface * readin_config(char const *path)
+ {
++ IfaceList = 0;
+ FILE * in = fopen(path, "r");
+ if (in) {
+ filename = path;
+- IfaceList = 0;
+ num_lines = 1;
+ iface = 0;
+
+diff --git a/test/util.c b/test/util.c
+index b74b301..7124475 100644
+--- a/test/util.c
++++ b/test/util.c
+@@ -259,6 +259,20 @@ START_TEST(test_rand_between)
+ }
+ END_TEST
+
++START_TEST(test_cfg_removal_with_sighup)
++{
++ struct Interface *tmpIface = NULL;
++
++ tmpIface = readin_config("test/test1.conf");
++ ck_assert(tmpIface);
++
++ free_ifaces(tmpIface);
++
++ tmpIface = readin_config("test/file_that_should_not_exists.conf");
++ ck_assert(!tmpIface);
++}
++END_TEST
++
+ Suite *util_suite(void)
+ {
+ TCase *tc_safe_buffer = tcase_create("safe_buffer");
+@@ -288,6 +302,7 @@ Suite *util_suite(void)
+
+ TCase *tc_misc = tcase_create("misc");
+ tcase_add_test(tc_misc, test_rand_between);
++ tcase_add_test(tc_misc, test_cfg_removal_with_sighup);
+
+ Suite *s = suite_create("util");
+ suite_add_tcase(s, tc_safe_buffer);
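Review bot: In the gram.y part of the embedded patch, `IfaceList = 0;` now runs before `fopen()`, but `iface = 0;` is still reset only inside `if (in)`, so after a failed open that global keeps whatever the previous parse left in it; whether anything reads it on that path is not visible here, and readin_config's body continues past the hunk. If it can alias the list the caller has already freed, it should move up next to `IfaceList`. The reset also deserves a why-comment, for example `/* Clear before fopen(): the caller has already freed the old list, so a failed open must return NULL, not the stale pointer. */`. In test/util.c, `test_cfg_removal_with_sighup` raises no signal and depends on the working directory through `test/test1.conf`; a name such as `test_readin_config_missing_file` would describe what is actually checked.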
diff --git a/SOURCES/radvd-double_free_dupiface.patch b/SOURCES/radvd-double_free_dupiface.patch
new file mode 100644
index 0000000..16c59b8
--- /dev/null
+++ b/SOURCES/radvd-double_free_dupiface.patch
@@ -0,0 +1,23 @@
+From fb1529d0573d3d9744a0e9fea8dd0becfc91ad85 Mon Sep 17 00:00:00 2001
+From: Pavel Zhukov
+Date: Thu, 24 Jan 2019 13:21:55 +0100
+Subject: [PATCH] Fix double-free scenario in case if duplicate interface was
+ specified (Fixes #100).
+
+Signed-off-by: Pavel Zhukov
+---
+ gram.y | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/gram.y b/gram.y
+index 5db3bde..20af2f3 100644
+--- a/gram.y
++++ b/gram.y
+@@ -958,6 +958,7 @@ struct Interface * readin_config(char const *path)
+ if (yyparse() != 0) {
+ free_ifaces(iface);
+ iface = 0;
++ IfaceList = 0;
+ } else {
+ dlog(LOG_DEBUG, 1, "config file, %s, syntax ok", path);
+ }
diff --git a/SPECS/radvd.spec b/SPECS/radvd.spec
index e553c4c..198a43d 100644
--- a/SPECS/radvd.spec
+++ b/SPECS/radvd.spec
@@ -1,7 +1,7 @@
 Summary: A Router Advertisement daemon
 Name: radvd
 Version: 2.17
-Release: 14%{?dist}
+Release: 15%{?dist}
 # The code includes the advertising clause, so it's GPL-incompatible
 License: BSD with advertising
 Group: System Environment/Daemons
@@ -21,6 +21,8 @@ Requires(pre): shadow-utils
 
 Patch0: radvd_add_ra_memleak.patch
 Patch1: radvd_tmpfiles.patch
+Patch2: radvd-double_free_dupiface.patch
+Patch3: radvd-crash_if_config_removed.patch
 
 %description
 radvd is the router advertisement daemon for IPv6. It listens to router
@@ -97,6 +99,9 @@ exit 0
 %{_sbindir}/radvdump
 
 %changelog
+* Wed Apr 15 2020 Pavel Zhukov - 2.17-15
+- Fix double-free scenario (#1669177)
+
 * Fri Oct 25 2019 Pavel Zhukov - 2.17-14
 - Resolves: #1710787 - Change location of tmpfiles
 - Use tmpfile config from tarball
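Review bot: The double-free fix in the `yyparse() != 0` branch ships without a regression test: its diffstat lists only gram.y, whereas the companion radvd-crash_if_config_removed.patch adds a check-based test for its own failure path in test/util.c. A test that hands readin_config a config naming the same interface twice and asserts a NULL return would pin this, ideally run under a memory-checking build. The added line would also read better with a why-comment such as `/* entries reachable from IfaceList were freed above; return NULL, not a dangling list */`, though whether `free_ifaces(iface)` really covers every entry linked into `IfaceList` is not visible in this hunk and should be confirmed, since otherwise clearing the pointer trades the double free for a leak. The branch sits inside readin_config, whose start and end are outside the hunk.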
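Review bot: `Patch2` and `Patch3` are declared in the second radvd.spec hunk, but no hunk in this change touches `%prep`, so the two memory-safety fixes only reach the built binary if `%prep` applies patches automatically (for example through `%autosetup`) rather than through per-patch lines; `%prep` is not visible in this diff and should be checked. If patches are listed explicitly there, `%patch2 -p1` and `%patch3 -p1` need to be added alongside the existing ones. The new changelog entry also names only the double-free fix, although this release carries the SIGHUP stale-pointer fix as well; a second bullet for it would make the package history match what is shipped.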