From 627143b6f9e088afe41730d2350404218bb1821b7e6ec2fcf5527554acbd7f9a Mon Sep 17 00:00:00 2001
From: Jan Engelhardt
Date: Thu, 7 May 2020 11:41:38 +0000
Subject: [PATCH] - Add anonset-crashfix.patch [boo#1171321]

OBS-URL: https://build.opensuse.org/package/show/security:netfilter/nftables?expand=0&rev=50
---
 anonset-crashfix.patch | 42 ++++++++++++++++++++++++++++++++++++++++++
 nftables.changes | 5 +++++
 nftables.spec | 3 ++-
 3 files changed, 49 insertions(+), 1 deletion(-)
 create mode 100644 anonset-crashfix.patch

diff --git a/anonset-crashfix.patch b/anonset-crashfix.patch
new file mode 100644
index 0000000..ed51b5a
--- /dev/null
+++ b/anonset-crashfix.patch
@@ -0,0 +1,42 @@
+From pablo@netfilter.org Thu May 7 13:29:26 2020
+Date: Thu, 7 May 2020 13:29:19
+From: Pablo Neira Ayuso
+To: netfilter-devel@vger.kernel.org
+Cc: jengelh@inai.de
+Subject: [PATCH nft] mnl: fix error rule reporting with missing table/chain and anonymous sets
+
+Program received signal SIGSEGV, Segmentation fault.
+0x00007ffff7f64f1e in erec_print (octx=0x55555555d2c0, erec=0x55555555fcf0, debug_mask=0) at erec.c:95
+95 switch (indesc->type) {
+(gdb) bt
+ buf=0x55555555db20 "add rule inet traffic-filter input tcp dport { 22, 80, 443 } accept") at libnftables.c:459
+(gdb) p indesc
+$1 = (const struct input_descriptor *) 0x0
+
+Closes: http://bugzilla.opensuse.org/show_bug.cgi?id=1171321
+Fixes: 086ec6f30c96 ("mnl: extended error support for create command")
+Reported-by: Jan Engelhardt
+Signed-off-by: Pablo Neira Ayuso
+---
+ src/mnl.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/src/mnl.c b/src/mnl.c
+index 94e80261afb7..9ce4072859b1 100644
+--- a/src/mnl.c
++++ b/src/mnl.c
+@@ -1048,7 +1048,10 @@ int mnl_nft_set_add(struct netlink_ctx *ctx, struct cmd *cmd,
+ 
+ cmd_add_loc(cmd, nlh->nlmsg_len, &h->table.location);
+ mnl_attr_put_strz(nlh, NFTA_SET_TABLE, h->table.name);
+- cmd_add_loc(cmd, nlh->nlmsg_len, &h->set.location);
++ if (set_is_anonymous(set->flags))
++ cmd_add_loc(cmd, nlh->nlmsg_len, &cmd->location);
++ else
++ cmd_add_loc(cmd, nlh->nlmsg_len, &h->set.location);
+ mnl_attr_put_strz(nlh, NFTA_SET_NAME, h->set.name);
+ 
+ nftnl_set_nlmsg_build_payload(nlh, nls);
+--
+2.20.1
+
diff --git a/nftables.changes b/nftables.changes
index a15c3f9..a489b94 100644
--- a/nftables.changes
+++ b/nftables.changes
@@ -1,3 +1,8 @@
+-------------------------------------------------------------------
+Thu May 7 11:41:07 UTC 2020 - Jan Engelhardt
+
+- Add anonset-crashfix.patch [boo#1171321]
+
 -------------------------------------------------------------------
 Wed Apr 1 18:48:56 UTC 2020 - Jan Engelhardt
 
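Review bot: The embedded src/mnl.c change removes one path to the NULL `indesc` dereference shown in the backtrace (`switch (indesc->type)` at erec.c:95), but nothing in this patch guards the dereference itself, so any other location that is never populated with an input descriptor would presumably still crash the CLI on a kernel error instead of yielding a degraded message; a NULL check on `indesc` in erec_print (outside this patch) would close the class rather than this one instance. The same question seems to apply to `&h->table.location` two lines above the changed line, since the handle of an anonymous set is likely synthesized rather than parsed — worth confirming that its location carries a valid input descriptor before relying on the kernel's offset-to-location mapping there. The patch header records the mailing-list origin but not its upstream status; a one-line note naming the upstream commit once it lands would make dropping the patch at the next version update straightforward. mnl_nft_set_add begins and ends outside the hunk.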
diff --git a/nftables.spec b/nftables.spec
index e75b9c0..9ac12c8 100644
--- a/nftables.spec
+++ b/nftables.spec
@@ -28,6 +28,7 @@ URL: https://netfilter.org/projects/nftables/
 Source: http://ftp.netfilter.org/pub/nftables/nftables-%version.tar.bz2
 Source2: http://ftp.netfilter.org/pub/nftables/nftables-%version.tar.bz2.sig
 Source3: %name.keyring
+Patch1: anonset-crashfix.patch
 BuildRequires: asciidoc
 BuildRequires: bison
 BuildRequires: flex
@@ -78,7 +79,7 @@ Group: Development/Languages/Python
 A Python module for nftables.
 
 %prep
-%setup -q
+%autosetup -p1
 
 %build
 mkdir bin