Accepting request 790694 from security:netfilter

- Update to release 1.4.6

OBS-URL: https://build.opensuse.org/request/show/790694
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/conntrack-tools?expand=0&rev=33
Dominique Leuenberger 2020-04-07 08:20:21 +00:00 committed by Git OBS Bridge
commit 66801d2572
10 changed files with 20 additions and 685 deletions


@ -1,3 +0,0 @@
version https://git-lfs.github.com/spec/v1
oid sha256:36c6d99c7684851d4d72e75bd07ff3f0ff1baaf4b6f069eb7244990cd1a9a462
size 479562



@ -0,0 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:590859cc848245dbfd9c6487761dd303b3a1771e007f4f42213063ca56205d5f
size 499806



@ -1,3 +1,16 @@
-------------------------------------------------------------------
Wed Apr 1 18:55:00 UTC 2020 - Jan Engelhardt <jengelh@inai.de>
- Update to release 1.4.6
* conntrackd: fix UDP IPv6 destination address not being usable
* conntrack: Allow protocol number zero
* conntrackd: cthelper: Add new SLP helper
- Drop conntrackd-Use-strdup-in-lexer.patch,
conntrackd-use-strncpy-to-unix-path.patch,
conntrackd-cthelper-Add-new-SLP-helper.patch,
conntrackd-use-correct-max-unix-path-length.patch (merged)
- Drop require on systemd, since it can run in a namespace without.
-------------------------------------------------------------------
Tue Jul 23 06:43:55 UTC 2019 - Michal Kubeček <mkubecek@suse.cz>


@ -1,7 +1,7 @@
#
# spec file for package conntrack-tools
#
# Copyright (c) 2019 SUSE LINUX GmbH, Nuernberg, Germany.
# Copyright (c) 2020 SUSE LLC
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
@ -22,12 +22,12 @@
%endif
Name: conntrack-tools
Version: 1.4.5
Version: 1.4.6
Release: 0
Url: http://conntrack-tools.netfilter.org/
Summary: Userspace tools for interacting with the Connection Tracking System
License: GPL-2.0-or-later
Group: Productivity/Networking/Security
URL: http://conntrack-tools.netfilter.org/
#Git-Clone: git://git.netfilter.org/conntrack-tools
Source: ftp://ftp.netfilter.org/pub/conntrack-tools/%name-%version.tar.bz2
@ -39,12 +39,6 @@ Source7: conntrackd.logrotate
Source8: conntrackd.sysconfig
Source9: conntrackd.conf
Patch1: conntrackd-use-strncpy-to-unix-path.patch
Patch2: conntrackd-Use-strdup-in-lexer.patch
Patch3: conntrackd-use-correct-max-unix-path-length.patch
Patch4: conntrackd-cthelper-Add-new-SLP-helper.patch
BuildRoot: %{_tmppath}/%{name}-%{version}-build
BuildRequires: automake
BuildRequires: bison
BuildRequires: flex >= 2.5.33
@ -53,7 +47,7 @@ BuildRequires: pkg-config >= 0.21
BuildRequires: systemd-rpm-macros
BuildRequires: xz
BuildRequires: pkgconfig(libmnl) >= 1.0.3
BuildRequires: pkgconfig(libnetfilter_conntrack) >= 1.0.7
BuildRequires: pkgconfig(libnetfilter_conntrack) >= 1.0.8
BuildRequires: pkgconfig(libnetfilter_cthelper) >= 1.0.0
BuildRequires: pkgconfig(libnetfilter_cttimeout) >= 1.0.0
BuildRequires: pkgconfig(libnetfilter_queue) >= 1.0.2
@ -77,7 +71,6 @@ Provides: conntrack-tools:/usr/sbin/conntrackd
Requires: conntrack-tools = %version-%release
Requires(post): fillup
Recommends: logrotate
%{?systemd_requires}
%description -n conntrackd
conntrackd is the user-space daemon for the Netfilter connection tracking
@ -86,10 +79,6 @@ replica firewalls.
%prep
%setup -q
%patch1 -p1
%patch2 -p1
%patch3 -p1
%patch4 -p1
find doc -type f -name "*.orig" -delete
find doc -type f -exec chmod -x "{}" "+"
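Review bot: The %prep hunk drops %patch1–%patch4 on the strength of the changelog's "(merged)", but the three bsc#1141480 backports being removed (use-strncpy-to-unix-path, use-correct-max-unix-path-length, Use-strdup-in-lexer) all carried `Patch-mainline: conntrack-tools-1.4.6?` with a question mark, and nothing in this commit records that the 1.4.6 tarball actually contains upstream commits ce06fb60, b47e00e8 and c12fa8df. If any of them is absent, this update silently reverts the fix for the unbounded `strcpy(conf.local.path, $2)` in the config parser and the lexer's strdup change (which by its own description fixes a stale-yytext problem), with nothing in the build to catch it. Before merging, check the unpacked 1.4.6 source for `UNIX_PATH_MAX` in src/read_config_yy.y and `strdup(yytext)` in src/read_config_lex.l, and say so in the changelog, e.g. `- Drop ...patch (all four merged upstream in 1.4.6; verified against commits ce06fb60, b47e00e8, c12fa8df, ee4991ea)`. The %prep section continues past the end of the hunk.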


@ -1,439 +0,0 @@
From: Ash Hughes <sehguh.hsa@gmail.com>
Date: Thu, 30 May 2019 21:49:56 +0100
Subject: conntrackd: Use strdup in lexer
Patch-mainline: conntrack-tools-1.4.6?
Git-commit: c12fa8df76752b0a011430f069677b52e4dad164
References: bsc#1141480
Use strdup in the config file lexer to copy strings to yylval.string. This
should solve the "[ERROR] unknown layer 3 protocol" problem here:
https://www.spinics.net/lists/netfilter/msg58628.html.
Signed-off-by: Ash Hughes <sehguh.hsa@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
src/read_config_lex.l | 8 +++---
src/read_config_yy.y | 62 +++++++++++++++++++++++++++++++++++++++++++
2 files changed, 66 insertions(+), 4 deletions(-)
--- a/src/read_config_lex.l
+++ b/src/read_config_lex.l
@@ -142,9 +142,9 @@ notrack [N|n][O|o][T|t][R|r][A|a][C|c][K|k]
{is_off} { return T_OFF; }
{integer} { yylval.val = atoi(yytext); return T_NUMBER; }
{signed_integer} { yylval.val = atoi(yytext); return T_SIGNED_NUMBER; }
-{ip4} { yylval.string = yytext; return T_IP; }
-{ip6} { yylval.string = yytext; return T_IP; }
-{path} { yylval.string = yytext; return T_PATH_VAL; }
+{ip4} { yylval.string = strdup(yytext); return T_IP; }
+{ip6} { yylval.string = strdup(yytext); return T_IP; }
+{path} { yylval.string = strdup(yytext); return T_PATH_VAL; }
{alarm} { return T_ALARM; }
{persistent} { dlog(LOG_WARNING, "Now `persistent' mode "
"is called `alarm'. Please, update "
@@ -156,7 +156,7 @@ notrack [N|n][O|o][T|t][R|r][A|a][C|c][K|k]
"your conntrackd.conf file.\n");
return T_FTFW; }
{notrack} { return T_NOTRACK; }
-{string} { yylval.string = yytext; return T_STRING; }
+{string} { yylval.string = strdup(yytext); return T_STRING; }
{comment} ;
{ws} ;
--- a/src/read_config_yy.y
+++ b/src/read_config_yy.y
@@ -117,6 +117,7 @@ logfile_bool : T_LOG T_OFF
logfile_path : T_LOG T_PATH_VAL
{
strncpy(conf.logfile, $2, FILENAME_MAXLEN);
+ free($2);
};
syslog_bool : T_SYSLOG T_ON
@@ -152,8 +153,10 @@ syslog_facility : T_SYSLOG T_STRING
else {
dlog(LOG_WARNING, "'%s' is not a known syslog facility, "
"ignoring", $2);
+ free($2);
break;
}
+ free($2);
if (conf.stats.syslog_facility != -1 &&
conf.syslog_facility != conf.stats.syslog_facility)
@@ -164,6 +167,7 @@ syslog_facility : T_SYSLOG T_STRING
lock : T_LOCK T_PATH_VAL
{
strncpy(conf.lockfile, $2, FILENAME_MAXLEN);
+ free($2);
};
refreshtime : T_REFRESH T_NUMBER
@@ -225,6 +229,7 @@ multicast_option : T_IPV4_ADDR T_IP
if (!inet_aton($2, &conf.channel[conf.channel_num].u.mcast.in)) {
dlog(LOG_WARNING, "%s is not a valid IPv4 address", $2);
+ free($2);
break;
}
@@ -235,6 +240,7 @@ multicast_option : T_IPV4_ADDR T_IP
break;
}
+ free($2);
conf.channel[conf.channel_num].u.mcast.ipproto = AF_INET;
};
@@ -247,6 +253,7 @@ multicast_option : T_IPV6_ADDR T_IP
&conf.channel[conf.channel_num].u.mcast.in);
if (err == 0) {
dlog(LOG_WARNING, "%s is not a valid IPv6 address", $2);
+ free($2);
break;
} else if (err < 0) {
dlog(LOG_ERR, "inet_pton(): IPv6 unsupported!");
@@ -257,6 +264,7 @@ multicast_option : T_IPV6_ADDR T_IP
dlog(LOG_WARNING, "your multicast address is IPv6 but "
"is binded to an IPv4 interface? "
"Surely this is not what you want");
+ free($2);
break;
}
@@ -269,12 +277,14 @@ multicast_option : T_IPV6_ADDR T_IP
idx = if_nametoindex($2);
if (!idx) {
dlog(LOG_WARNING, "%s is an invalid interface", $2);
+ free($2);
break;
}
conf.channel[conf.channel_num].u.mcast.ifa.interface_index6 = idx;
conf.channel[conf.channel_num].u.mcast.ipproto = AF_INET6;
}
+ free($2);
};
multicast_option : T_IPV4_IFACE T_IP
@@ -283,8 +293,10 @@ multicast_option : T_IPV4_IFACE T_IP
if (!inet_aton($2, &conf.channel[conf.channel_num].u.mcast.ifa)) {
dlog(LOG_WARNING, "%s is not a valid IPv4 address", $2);
+ free($2);
break;
}
+ free($2);
if (conf.channel[conf.channel_num].u.mcast.ipproto == AF_INET6) {
dlog(LOG_WARNING, "your multicast interface is IPv4 but "
@@ -299,6 +311,7 @@ multicast_option : T_IPV4_IFACE T_IP
multicast_option : T_IPV6_IFACE T_IP
{
dlog(LOG_WARNING, "`IPv6_interface' not required, ignoring");
+ free($2);
}
multicast_option : T_IFACE T_STRING
@@ -312,6 +325,7 @@ multicast_option : T_IFACE T_STRING
idx = if_nametoindex($2);
if (!idx) {
dlog(LOG_WARNING, "%s is an invalid interface", $2);
+ free($2);
break;
}
@@ -319,6 +333,8 @@ multicast_option : T_IFACE T_STRING
conf.channel[conf.channel_num].u.mcast.ifa.interface_index6 = idx;
conf.channel[conf.channel_num].u.mcast.ipproto = AF_INET6;
}
+
+ free($2);
};
multicast_option : T_GROUP T_NUMBER
@@ -390,8 +406,10 @@ udp_option : T_IPV4_ADDR T_IP
if (!inet_aton($2, &conf.channel[conf.channel_num].u.udp.server.ipv4)) {
dlog(LOG_WARNING, "%s is not a valid IPv4 address", $2);
+ free($2);
break;
}
+ free($2);
conf.channel[conf.channel_num].u.udp.ipproto = AF_INET;
};
@@ -404,12 +422,14 @@ udp_option : T_IPV6_ADDR T_IP
&conf.channel[conf.channel_num].u.udp.server.ipv6);
if (err == 0) {
dlog(LOG_WARNING, "%s is not a valid IPv6 address", $2);
+ free($2);
break;
} else if (err < 0) {
dlog(LOG_ERR, "inet_pton(): IPv6 unsupported!");
exit(EXIT_FAILURE);
}
+ free($2);
conf.channel[conf.channel_num].u.udp.ipproto = AF_INET6;
};
@@ -419,8 +439,10 @@ udp_option : T_IPV4_DEST_ADDR T_IP
if (!inet_aton($2, &conf.channel[conf.channel_num].u.udp.client)) {
dlog(LOG_WARNING, "%s is not a valid IPv4 address", $2);
+ free($2);
break;
}
+ free($2);
conf.channel[conf.channel_num].u.udp.ipproto = AF_INET;
};
@@ -433,12 +455,14 @@ udp_option : T_IPV6_DEST_ADDR T_IP
&conf.channel[conf.channel_num].u.udp.client);
if (err == 0) {
dlog(LOG_WARNING, "%s is not a valid IPv6 address", $2);
+ free($2);
break;
} else {
dlog(LOG_ERR, "inet_pton(): IPv6 unsupported!");
exit(EXIT_FAILURE);
}
+ free($2);
conf.channel[conf.channel_num].u.udp.ipproto = AF_INET6;
};
@@ -452,9 +476,12 @@ udp_option : T_IFACE T_STRING
idx = if_nametoindex($2);
if (!idx) {
dlog(LOG_WARNING, "%s is an invalid interface", $2);
+ free($2);
break;
}
conf.channel[conf.channel_num].u.udp.server.ipv6.scope_id = idx;
+
+ free($2);
};
udp_option : T_PORT T_NUMBER
@@ -530,8 +557,10 @@ tcp_option : T_IPV4_ADDR T_IP
if (!inet_aton($2, &conf.channel[conf.channel_num].u.tcp.server.ipv4)) {
dlog(LOG_WARNING, "%s is not a valid IPv4 address", $2);
+ free($2);
break;
}
+ free($2);
conf.channel[conf.channel_num].u.tcp.ipproto = AF_INET;
};
@@ -544,12 +573,14 @@ tcp_option : T_IPV6_ADDR T_IP
&conf.channel[conf.channel_num].u.tcp.server.ipv6);
if (err == 0) {
dlog(LOG_WARNING, "%s is not a valid IPv6 address", $2);
+ free($2);
break;
} else if (err < 0) {
dlog(LOG_ERR, "inet_pton(): IPv6 unsupported!");
exit(EXIT_FAILURE);
}
+ free($2);
conf.channel[conf.channel_num].u.tcp.ipproto = AF_INET6;
};
@@ -559,8 +590,10 @@ tcp_option : T_IPV4_DEST_ADDR T_IP
if (!inet_aton($2, &conf.channel[conf.channel_num].u.tcp.client)) {
dlog(LOG_WARNING, "%s is not a valid IPv4 address", $2);
+ free($2);
break;
}
+ free($2);
conf.channel[conf.channel_num].u.tcp.ipproto = AF_INET;
};
@@ -573,12 +606,14 @@ tcp_option : T_IPV6_DEST_ADDR T_IP
&conf.channel[conf.channel_num].u.tcp.client);
if (err == 0) {
dlog(LOG_WARNING, "%s is not a valid IPv6 address", $2);
+ free($2);
break;
} else if (err < 0) {
dlog(LOG_ERR, "inet_pton(): IPv6 unsupported!");
exit(EXIT_FAILURE);
}
+ free($2);
conf.channel[conf.channel_num].u.tcp.ipproto = AF_INET6;
};
@@ -592,9 +627,12 @@ tcp_option : T_IFACE T_STRING
idx = if_nametoindex($2);
if (!idx) {
dlog(LOG_WARNING, "%s is an invalid interface", $2);
+ free($2);
break;
}
conf.channel[conf.channel_num].u.tcp.server.ipv6.scope_id = idx;
+
+ free($2);
};
tcp_option : T_PORT T_NUMBER
@@ -652,6 +690,7 @@ unix_options:
unix_option : T_PATH T_PATH_VAL
{
strncpy(conf.local.path, $2, PATH_MAX);
+ free($2);
};
unix_option : T_BACKLOG T_NUMBER
@@ -739,6 +778,7 @@ expect_list:
expect_item: T_STRING
{
exp_filter_add(STATE(exp_filter), $1);
+ free($1);
}
sync_mode_alarm: T_SYNC_MODE T_ALARM '{' sync_mode_alarm_list '}'
@@ -986,8 +1026,11 @@ scheduler_line : T_TYPE T_STRING
conf.sched.type = SCHED_FIFO;
} else {
dlog(LOG_ERR, "unknown scheduler `%s'", $2);
+ free($2);
exit(EXIT_FAILURE);
}
+
+ free($2);
};
scheduler_line : T_PRIO T_NUMBER
@@ -1065,8 +1108,10 @@ filter_protocol_item : T_STRING
if (pent == NULL) {
dlog(LOG_WARNING, "getprotobyname() cannot find "
"protocol `%s' in /etc/protocols", $1);
+ free($1);
break;
}
+ free($1);
ct_filter_add_proto(STATE(us_filter), pent->p_proto);
__kernel_filter_start();
@@ -1163,12 +1208,14 @@ filter_address_item : T_IPV4_ADDR T_IP
if (cidr > 32) {
dlog(LOG_WARNING, "%s/%d is not a valid network, "
"ignoring", $2, cidr);
+ free($2);
break;
}
}
if (!inet_aton($2, &ip.ipv4)) {
dlog(LOG_WARNING, "%s is not a valid IPv4, ignoring", $2);
+ free($2);
break;
}
@@ -1194,6 +1241,7 @@ filter_address_item : T_IPV4_ADDR T_IP
"ignore pool!");
}
}
+ free($2);
__kernel_filter_start();
/* host byte order */
@@ -1223,6 +1271,7 @@ filter_address_item : T_IPV6_ADDR T_IP
if (cidr > 128) {
dlog(LOG_WARNING, "%s/%d is not a valid network, "
"ignoring", $2, cidr);
+ free($2);
break;
}
}
@@ -1230,6 +1279,7 @@ filter_address_item : T_IPV6_ADDR T_IP
err = inet_pton(AF_INET6, $2, &ip.ipv6);
if (err == 0) {
dlog(LOG_WARNING, "%s is not a valid IPv6, ignoring", $2);
+ free($2);
break;
} else if (err < 0) {
dlog(LOG_ERR, "inet_pton(): IPv6 unsupported!");
@@ -1256,6 +1306,7 @@ filter_address_item : T_IPV6_ADDR T_IP
"ignore pool!");
}
}
+ free($2);
__kernel_filter_start();
/* host byte order */
@@ -1326,6 +1377,7 @@ stat_logfile_bool : T_LOG T_OFF
stat_logfile_path : T_LOG T_PATH_VAL
{
strncpy(conf.stats.logfile, $2, FILENAME_MAXLEN);
+ free($2);
};
stat_syslog_bool : T_SYSLOG T_ON
@@ -1361,8 +1413,10 @@ stat_syslog_facility : T_SYSLOG T_STRING
else {
dlog(LOG_WARNING, "'%s' is not a known syslog facility, "
"ignoring.", $2);
+ free($2);
break;
}
+ free($2);
if (conf.syslog_facility != -1 &&
conf.stats.syslog_facility != conf.syslog_facility)
@@ -1396,8 +1450,10 @@ helper_type: T_TYPE T_STRING T_STRING T_STRING '{' helper_type_list '}'
l3proto = AF_INET6;
else {
dlog(LOG_ERR, "unknown layer 3 protocol");
+ free($3);
exit(EXIT_FAILURE);
}
+ free($3);
if (strcmp($4, "tcp") == 0)
l4proto = IPPROTO_TCP;
@@ -1405,19 +1461,23 @@ helper_type: T_TYPE T_STRING T_STRING T_STRING '{' helper_type_list '}'
l4proto = IPPROTO_UDP;
else {
dlog(LOG_ERR, "unknown layer 4 protocol");
+ free($4);
exit(EXIT_FAILURE);
}
+ free($4);
#ifdef BUILD_CTHELPER
helper = helper_find(CONNTRACKD_LIB_DIR, $2, l4proto, RTLD_NOW);
if (helper == NULL) {
dlog(LOG_ERR, "Unknown `%s' helper", $2);
+ free($2);
exit(EXIT_FAILURE);
}
#else
dlog(LOG_ERR, "Helper support is disabled, recompile conntrackd");
exit(EXIT_FAILURE);
#endif
+ free($2);
helper_inst = calloc(1, sizeof(struct ctd_helper_instance));
if (helper_inst == NULL)
@@ -1520,12 +1580,14 @@ helper_type: T_HELPER_POLICY T_STRING '{' helper_policy_list '}'
if (e == NULL) {
dlog(LOG_ERR, "Helper policy configuration empty, fix your "
"configuration file, please");
+ free($2);
exit(EXIT_FAILURE);
break;
}
policy = (struct ctd_helper_policy *) &e->data;
strncpy(policy->name, $2, CTD_HELPER_NAME_LEN);
+ free($2);
policy->name[CTD_HELPER_NAME_LEN-1] = '\0';
/* Now object is complete. */
e->type = SYMBOL_HELPER_POLICY_EXPECT_ROOT;


@ -1,158 +0,0 @@
From: Michal Kubecek <mkubecek@suse.cz>
Date: Fri, 19 Jul 2019 09:31:24 +0200
Subject: conntrackd: cthelper: Add new SLP helper
Patch-mainline: conntrack-tools-1.4.6?
Git-commit: ee4991ea402ca61a9d1a46c83c4d4219b97d7da0
References: FATE#324143 bsc#1127886
Service Location Protocol (SLP) uses multicast requests for DA (Directory
agent) and SA (Service agent) discovery. Replies to these requests are
unicast and their source address does not match destination address of the
request so that we need a conntrack helper. A kernel helper was submitted
back in 2013 but was rejected as userspace helper infrastructure is
preferred. This adds an SLP helper to conntrackd.
As the function of SLP helper is the same as what existing mDNS helper
does, src/helpers/slp.c is essentially just a copy of src/helpers/mdns.c,
except for the default timeout and example usage. As with mDNS helper,
there is no NAT support for the time being as that would probably require
kernel side changes and certainly further study (and could possibly work
only for source NAT).
Signed-off-by: Michal Kubecek <mkubecek@suse.cz>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
doc/helper/conntrackd.conf | 8 ++++
src/helpers/Makefile.am | 5 +++
src/helpers/slp.c | 87 ++++++++++++++++++++++++++++++++++++++
3 files changed, 100 insertions(+)
create mode 100644 src/helpers/slp.c
--- a/doc/helper/conntrackd.conf
+++ b/doc/helper/conntrackd.conf
@@ -96,6 +96,14 @@ Helper {
ExpectTimeout 300
}
}
+ Type slp inet udp {
+ QueueNum 7
+ QueueLen 10240
+ Policy slp {
+ ExpectMax 8
+ ExpectTimeout 16
+ }
+ }
}
#
--- a/src/helpers/Makefile.am
+++ b/src/helpers/Makefile.am
@@ -8,6 +8,7 @@ pkglib_LTLIBRARIES = ct_helper_amanda.la \
ct_helper_tftp.la \
ct_helper_tns.la \
ct_helper_sane.la \
+ ct_helper_slp.la \
ct_helper_ssdp.la
HELPER_LDFLAGS = -avoid-version -module $(LIBNETFILTER_CONNTRACK_LIBS) @LAZY_LDFLAGS@
@@ -45,6 +46,10 @@ ct_helper_sane_la_SOURCES = sane.c
ct_helper_sane_la_LDFLAGS = $(HELPER_LDFLAGS)
ct_helper_sane_la_CFLAGS = $(HELPER_CFLAGS)
+ct_helper_slp_la_SOURCES = slp.c
+ct_helper_slp_la_LDFLAGS = $(HELPER_LDFLAGS)
+ct_helper_slp_la_CFLAGS = $(HELPER_CFLAGS)
+
ct_helper_ssdp_la_SOURCES = ssdp.c
ct_helper_ssdp_la_LDFLAGS = $(HELPER_LDFLAGS)
ct_helper_ssdp_la_CFLAGS = $(HELPER_CFLAGS)
--- /dev/null
+++ b/src/helpers/slp.c
@@ -0,0 +1,87 @@
+/*
+ * This helper creates and expectation to allow unicast replies to multicast
+ * requests (RFC2608 section 6.1). While the destination address of the
+ * outcoming request is known, the reply can come from any unicast address so
+ * that we need to allow replies from any source address. Default expectation]
+ * timeout is set one second longer than default CONFIG_MC_MAX from RFC2608
+ * section 13.
+ *
+ * Example usage:
+ *
+ * nfct add helper slp inet udp
+ * iptables -t raw -A OUTPUT -m addrtype --dst-type MULTICAST \
+ * -p udp --dport 427 -j CT --helper slp
+ * iptables -t raw -A OUTPUT -m addrtype --dst-type BROADCAST \
+ * -p udp --dport 427 -j CT --helper slp
+ * iptables -t filter -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED \
+ * -j ACCEPT
+ *
+ * Requires Linux 3.12 or higher. NAT is unsupported.
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 2 as
+ * published by the Free Software Foundation.
+ */
+
+#include "conntrackd.h"
+#include "helper.h"
+#include "myct.h"
+#include "log.h"
+
+#include <libnetfilter_conntrack/libnetfilter_conntrack.h>
+#include <linux/netfilter.h>
+
+static int slp_helper_cb(struct pkt_buff *pkt, uint32_t protoff,
+ struct myct *myct, uint32_t ctinfo)
+{
+ struct nf_expect *exp;
+ int dir = CTINFO2DIR(ctinfo);
+ union nfct_attr_grp_addr saddr;
+ uint16_t sport, dport;
+
+ exp = nfexp_new();
+ if (!exp) {
+ pr_debug("conntrack_slp: failed to allocate expectation\n");
+ return NF_ACCEPT;
+ }
+
+ cthelper_get_addr_src(myct->ct, dir, &saddr);
+ cthelper_get_port_src(myct->ct, dir, &sport);
+ cthelper_get_port_src(myct->ct, !dir, &dport);
+
+ if (cthelper_expect_init(exp,
+ myct->ct,
+ 0 /* class */,
+ NULL /* saddr */,
+ &saddr /* daddr */,
+ IPPROTO_UDP,
+ &dport /* sport */,
+ &sport /* dport */,
+ NF_CT_EXPECT_PERMANENT)) {
+ pr_debug("conntrack_slp: failed to init expectation\n");
+ nfexp_destroy(exp);
+ return NF_ACCEPT;
+ }
+
+ myct->exp = exp;
+ return NF_ACCEPT;
+}
+
+static struct ctd_helper slp_helper = {
+ .name = "slp",
+ .l4proto = IPPROTO_UDP,
+ .priv_data_len = 0,
+ .cb = slp_helper_cb,
+ .policy = {
+ [0] = {
+ .name = "slp",
+ .expect_max = 8,
+ .expect_timeout = 16, /* default CONFIG_MC_MAX + 1 */
+ },
+ },
+};
+
+static void __attribute__ ((constructor)) slp_init(void)
+{
+ helper_register(&slp_helper);
+}


@ -1,36 +0,0 @@
From: Michal Kubecek <mkubecek@suse.cz>
Date: Mon, 15 Jul 2019 08:46:23 +0200
Subject: conntrackd: use correct max unix path length
Patch-mainline: conntrack-tools-1.4.6?
Git-commit: b47e00e8a579519b163cb4faed017463bf64c40d
References: bsc#1141480
When copying value of "Path" option for unix socket, target buffer size is
UNIX_MAX_PATH so that we must not copy more bytes than that. Also make sure
that the path is null terminated and bail out if user provided path is too
long rather than silently truncate it.
Fixes: ce06fb606906 ("conntrackd: use strncpy() to unix path")
Signed-off-by: Michal Kubecek <mkubecek@suse.cz>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
src/read_config_yy.y | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
--- a/src/read_config_yy.y
+++ b/src/read_config_yy.y
@@ -689,8 +689,13 @@ unix_options:
unix_option : T_PATH T_PATH_VAL
{
- strncpy(conf.local.path, $2, PATH_MAX);
+ strncpy(conf.local.path, $2, UNIX_PATH_MAX);
free($2);
+ if (conf.local.path[UNIX_PATH_MAX - 1]) {
+ dlog(LOG_ERR, "UNIX Path is longer than %u characters",
+ UNIX_PATH_MAX - 1);
+ exit(EXIT_FAILURE);
+ }
};
unix_option : T_BACKLOG T_NUMBER


@ -1,34 +0,0 @@
From: Pablo Neira Ayuso <pablo@netfilter.org>
Date: Wed, 20 Mar 2019 08:19:18 +0100
Subject: conntrackd: use strncpy() to unix path
Patch-mainline: conntrack-tools-1.4.6?
Git-commit: ce06fb6069065c3d68475356c0728a5fa0a4ab74
References: bsc#1141480
Make sure we don't go over the buffer boundary.
Reported-by: Rijnard van Tonder <rvt@cmu.edu>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
src/read_config_yy.y | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
--- a/src/read_config_yy.y
+++ b/src/read_config_yy.y
@@ -25,6 +25,7 @@
#include <netdb.h>
#include <errno.h>
#include <stdarg.h>
+#include <limits.h>
#include "conntrackd.h"
#include "bitops.h"
#include "cidr.h"
@@ -650,7 +651,7 @@ unix_options:
unix_option : T_PATH T_PATH_VAL
{
- strcpy(conf.local.path, $2);
+ strncpy(conf.local.path, $2, PATH_MAX);
};
unix_option : T_BACKLOG T_NUMBER