diff --git a/backport-ebtables-translate-Print-flush-command-after-parsing-is-finished.patch b/backport-ebtables-translate-Print-flush-command-after-parsing-is-finished.patch
new file mode 100644
index 0000000000000000000000000000000000000000..ea1bb050ae73dfac99f4187b07651c15d2b4926b
--- /dev/null
+++ b/backport-ebtables-translate-Print-flush-command-after-parsing-is-finished.patch
@@ -0,0 +1,51 @@
+From b51aef061378b34fa9544b1af34021d89a76547a Mon Sep 17 00:00:00 2001
+From: Phil Sutter
+Date: Thu, 26 Jan 2023 03:27:16 +0100
+Subject: [PATCH] ebtables-translate: Print flush command after parsing is
+ finished
+
+Otherwise, bad calls like 'ebtables-translate -F -F' produce wrong
+output instead of an error message.
+
+Conflict: NA
+Reference: https://git.netfilter.org/iptables/commit?id=b51aef061378b34fa9544b1af34021d89a76547a
+
+Signed-off-by: Phil Sutter
+---
+ iptables/xtables-eb-translate.c | 14 +++++++-------
+ 1 file changed, 7 insertions(+), 7 deletions(-)
+
+diff --git a/iptables/xtables-eb-translate.c b/iptables/xtables-eb-translate.c
+index 99347c0c..da7e5e3d 100644
+--- a/iptables/xtables-eb-translate.c
++++ b/iptables/xtables-eb-translate.c
+@@ -247,13 +247,6 @@ static int do_commandeb_xlate(struct nft_handle *h, int argc, char *argv[], char
+ ret = 1;
+ break;
+ case 'F': /* Flush */
+- if (p.chain) {
+- printf("flush chain bridge %s %s\n", p.table, p.chain);
+- } else {
+- printf("flush table bridge %s\n", p.table);
+- }
+- ret = 1;
+- break;
+ case 'Z': /* Zero counters */
+ if (c == 'Z') {
+ if ((flags & OPT_ZERO) || (flags & OPT_COMMAND && command != 'L'))
+@@ -506,6 +499,13 @@ print_zero:
+
+ if (command == 'P') {
+ return 0;
++ } else if (command == 'F') {
++ if (p.chain) {
++ printf("flush chain bridge %s %s\n", p.table, p.chain);
++ } else {
++ printf("flush table bridge %s\n", p.table);
++ }
++ ret = 1;
+ } else if (command == 'A') {
+ ret = nft_rule_eb_xlate_add(h, &p, &cs, true);
+ if (!ret)
+--
+2.23.0
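Review bot: Dropping `break;` from `case 'F': /* Flush */` in the first hunk of the embedded patch makes it fall through into `case 'Z': /* Zero counters */`; the `if (c == 'Z')` guard there suggests this is intended, but nothing at the label says so, so `-Wimplicit-fallthrough` will flag it and a later cleanup may reinstate the `break`. Marking the label, e.g. `case 'F': /* Flush, printed after parsing; fall through */`, records the intent in place. do_commandeb_xlate() starts and ends outside the hunk.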
diff --git a/backport-extensions-among-Fix-for-use-with-ebtables-restore.patch b/backport-extensions-among-Fix-for-use-with-ebtables-restore.patch
new file mode 100644
index 0000000000000000000000000000000000000000..d0145de805ef2a95f99a75a540445c1d9861deb5
--- /dev/null
+++ b/backport-extensions-among-Fix-for-use-with-ebtables-restore.patch
@@ -0,0 +1,58 @@
+From fca04aa7a53252464c289997e71de10189971da6 Mon Sep 17 00:00:00 2001
+From: Phil Sutter
+Date: Fri, 30 Sep 2022 17:51:55 +0200
+Subject: [PATCH] extensions: among: Fix for use with ebtables-restore
+
+When restoring multiple rules which use among match, new size may be
+smaller than the old one which caused invalid writes by the memcpy()
+call. Expect this and realloc the match only if it needs to grow. Also
+use realloc instead of freeing and allocating from scratch.
+
+Conflict: NA
+Reference: https://git.netfilter.org/iptables/commit?id=fca04aa7a53252464c289997e71de10189971da6
+
+Fixes: 26753888720d8 ("nft: bridge: Rudimental among extension support")
+Signed-off-by: Phil Sutter
+---
+ extensions/libebt_among.c | 14 ++++++--------
+ 1 file changed, 6 insertions(+), 8 deletions(-)
+
+diff --git a/extensions/libebt_among.c b/extensions/libebt_among.c
+index c607a775..1eab2019 100644
+--- a/extensions/libebt_among.c
++++ b/extensions/libebt_among.c
+@@ -119,7 +119,6 @@ static int bramong_parse(int c, char **argv, int invert,
+ struct xt_entry_match **match)
+ {
+ struct nft_among_data *data = (struct nft_among_data *)(*match)->data;
+- struct xt_entry_match *new_match;
+ bool have_ip, dst = false;
+ size_t new_size, cnt;
+ struct stat stats;
+@@ -170,18 +169,17 @@ static int bramong_parse(int c, char **argv, int invert,
+ new_size *= sizeof(struct nft_among_pair);
+ new_size += XT_ALIGN(sizeof(struct xt_entry_match)) +
+ sizeof(struct nft_among_data);
+- new_match = xtables_calloc(1, new_size);
+- memcpy(new_match, *match, (*match)->u.match_size);
+- new_match->u.match_size = new_size;
+
+- data = (struct nft_among_data *)new_match->data;
++ if (new_size > (*match)->u.match_size) {
++ *match = xtables_realloc(*match, new_size);
++ (*match)->u.match_size = new_size;
++ data = (struct nft_among_data *)(*match)->data;
++ }
++
+ have_ip = nft_among_pairs_have_ip(optarg);
+ poff = nft_among_prepare_data(data, dst, cnt, invert, have_ip);
+ parse_nft_among_pairs(data->pairs + poff, optarg, cnt, have_ip);
+
+- free(*match);
+- *match = new_match;
+-
+ if (c == AMONG_DST_F || c == AMONG_SRC_F) {
+ munmap(argv, flen);
+ close(fd);
+--
+2.23.0
diff --git a/backport-extensions-libebt_redirect-Fix-xlate-return-code.patch b/backport-extensions-libebt_redirect-Fix-xlate-return-code.patch
new file mode 100644
index 0000000000000000000000000000000000000000..ae177986940ae22cf4f8532d53145bc701bc5121
--- /dev/null
+++ b/backport-extensions-libebt_redirect-Fix-xlate-return-code.patch
@@ -0,0 +1,31 @@
+From 8543b6f2f4a3a15a5ece7dd1b320b477ce36a8d5 Mon Sep 17 00:00:00 2001
+From: Phil Sutter
+Date: Wed, 16 Nov 2022 13:03:05 +0100
+Subject: [PATCH] extensions: libebt_redirect: Fix xlate return code
+
+The callback is supposed to return 1 on success, not 0.
+
+Conflict: NA
+Reference: https://git.netfilter.org/iptables/commit?id=8543b6f2f4a3a15a5ece7dd1b320b477ce36a8d5
+
+Fixes: 24ce7465056ae ("ebtables-compat: add redirect match extension")
+Signed-off-by: Phil Sutter
+---
+ extensions/libebt_redirect.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/extensions/libebt_redirect.c b/extensions/libebt_redirect.c
+index 6e653997..4d4c7a02 100644
+--- a/extensions/libebt_redirect.c
++++ b/extensions/libebt_redirect.c
+@@ -86,7 +86,7 @@ static int brredir_xlate(struct xt_xlate *xl,
+ xt_xlate_add(xl, "meta set pkttype host");
+ if (red->target != EBT_ACCEPT)
+ xt_xlate_add(xl, " %s ", brredir_verdict(red->target));
+- return 0;
++ return 1;
+ }
+
+ static struct xtables_target brredirect_target = {
+--
+2.23.0
diff --git a/backport-extensions-libipt_ttl-Sanitize-xlate-callback.patch b/backport-extensions-libipt_ttl-Sanitize-xlate-callback.patch
new file mode 100644
index 0000000000000000000000000000000000000000..e9ca5f4de8d34036a2b14cb290d5a209e266948e
--- /dev/null
+++ b/backport-extensions-libipt_ttl-Sanitize-xlate-callback.patch
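Review bot: `*match = xtables_realloc(*match, new_size);` in the second embedded hunk replaces an `xtables_calloc()`, so the bytes between the old `u.match_size` and `new_size` are no longer zeroed; unless `nft_among_prepare_data()` and `parse_nft_among_pairs()` write every byte of the grown region (including any padding inside `struct nft_among_pair`), stale heap contents travel with the match from here on, which I cannot rule out from the hunk alone. A `memset((char *)*match + (*match)->u.match_size, 0, new_size - (*match)->u.match_size);` between the realloc and the size update would keep the new path as clean as the old one. The shrinking case, where the old larger `u.match_size` is deliberately kept, also deserves a one-line comment on the `if`. bramong_parse() continues beyond the hunk.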
@@ -0,0 +1,40 @@
+From 800bed28b2b7bbd931166c7426640ae619f03342 Mon Sep 17 00:00:00 2001
+From: Phil Sutter
+Date: Wed, 16 Nov 2022 13:09:16 +0100
+Subject: [PATCH] extensions: libipt_ttl: Sanitize xlate callback
+
+Catch unexpected values in info->mode, also fix indenting.
+
+Conflict: NA
+Reference: https://git.netfilter.org/iptables/commit?id=800bed28b2b7bbd931166c7426640ae619f03342
+
+Fixes: 1b320a1a1dc1f ("extensions: libipt_ttl: Add translation to nft")
+Signed-off-by: Phil Sutter
+---
+ extensions/libipt_ttl.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/extensions/libipt_ttl.c b/extensions/libipt_ttl.c
+index 6bdd2196..86ba554e 100644
+--- a/extensions/libipt_ttl.c
++++ b/extensions/libipt_ttl.c
+@@ -106,7 +106,7 @@ static int ttl_xlate(struct xt_xlate *xl,
+ const struct ipt_ttl_info *info =
+ (struct ipt_ttl_info *) params->match->data;
+
+- switch (info->mode) {
++ switch (info->mode) {
+ case IPT_TTL_EQ:
+ xt_xlate_add(xl, "ip ttl");
+ break;
+@@ -121,7 +121,7 @@ static int ttl_xlate(struct xt_xlate *xl,
+ break;
+ default:
+ /* Should not happen. */
+- break;
++ return 0;
+ }
+
+ xt_xlate_add(xl, " %u", info->ttl);
+--
+2.23.0
diff --git a/backport-iptables-Plug-memleaks-in-print_firewall.patch b/backport-iptables-Plug-memleaks-in-print_firewall.patch
new file mode 100644
index 0000000000000000000000000000000000000000..0b7187596d92599fcf83c9e361de070ced1d0019
--- /dev/null
+++ b/backport-iptables-Plug-memleaks-in-print_firewall.patch
@@ -0,0 +1,92 @@
+From fb63f8b7337aa11a667537e6a3b399062ede2eb5 Mon Sep 17 00:00:00 2001
+From: Phil Sutter
+Date: Fri, 25 Nov 2022 21:35:28 +0100
+Subject: [PATCH] iptables: Plug memleaks in print_firewall()
+
+When adding a rule in verbose mode, valgrind prints:
+
+192 bytes in 1 blocks are definitely lost in loss record 1 of 2
+ at 0x48417E5: malloc (vg_replace_malloc.c:381)
+ by 0x486B158: xtables_malloc (xtables.c:446)
+ by 0x486C1F6: xtables_find_match (xtables.c:826)
+ by 0x10E684: print_match (iptables.c:115)
+ by 0x10E684: print_firewall (iptables.c:169)
+ by 0x10FC0C: print_firewall_line (iptables.c:196)
+ by 0x10FC0C: append_entry (iptables.c:221)
+ by 0x10FC0C: do_command4 (iptables.c:776)
+ by 0x10E45B: iptables_main (iptables-standalone.c:59)
+ by 0x49A2349: (below main) (in /lib64/libc.so.6)
+
+200 bytes in 1 blocks are definitely lost in loss record 2 of 2
+ at 0x48417E5: malloc (vg_replace_malloc.c:381)
+ by 0x486B158: xtables_malloc (xtables.c:446)
+ by 0x486BBD6: xtables_find_target (xtables.c:956)
+ by 0x10E579: print_firewall (iptables.c:145)
+ by 0x10FC0C: print_firewall_line (iptables.c:196)
+ by 0x10FC0C: append_entry (iptables.c:221)
+ by 0x10FC0C: do_command4 (iptables.c:776)
+ by 0x10E45B: iptables_main (iptables-standalone.c:59)
+ by 0x49A2349: (below main) (in /lib64/libc.so.6)
+
+If the match/target was cloned, it needs to be freed. Basically a bug since
+day 1.
+
+Conflict: NA
+Reference: https://git.netfilter.org/iptables/commit?id=fb63f8b7337aa11a667537e6a3b399062ede2eb5
+
+Signed-off-by: Phil Sutter
+---
+ iptables/ip6tables.c | 6 ++++++
+ iptables/iptables.c | 6 ++++++
+ 2 files changed, 12 insertions(+)
+
+diff --git a/iptables/ip6tables.c b/iptables/ip6tables.c
+index 062b2b15..1d232657 100644
+--- a/iptables/ip6tables.c
++++ b/iptables/ip6tables.c
+@@ -122,6 +122,9 @@ print_match(const struct xt_entry_match *m,
+ printf("%s%s ", match->name, unsupported_rev);
+ else
+ printf("%s ", match->name);
++
++ if (match->next == match)
++ free(match);
+ } else {
+ if (name[0])
+ printf("UNKNOWN match `%s' ", name);
+@@ -179,6 +182,9 @@ print_firewall(const struct ip6t_entry *fw,
+ tg->print(&fw->ipv6, t, format & FMT_NUMERIC);
+ else if (target->print)
+ printf(" %s%s", target->name, unsupported_rev);
++
++ if (target->next == target)
++ free(target);
+ } else if (t->u.target_size != sizeof(*t))
+ printf("[%u bytes of unknown target data] ",
+ (unsigned int)(t->u.target_size - sizeof(*t)));
+diff --git a/iptables/iptables.c b/iptables/iptables.c
+index 0351b39f..d246198f 100644
+--- a/iptables/iptables.c
++++ b/iptables/iptables.c
+@@ -122,6 +122,9 @@ print_match(const struct xt_entry_match *m,
+ printf("%s%s ", match->name, unsupported_rev);
+ else
+ printf("%s ", match->name);
++
++ if (match->next == match)
++ free(match);
+ } else {
+ if (name[0])
+ printf("UNKNOWN match `%s' ", name);
+@@ -178,6 +181,9 @@ print_firewall(const struct ipt_entry *fw,
+ tg->print(&fw->ip, t, format & FMT_NUMERIC);
+ else if (target->print)
+ printf(" %s%s", target->name, unsupported_rev);
++
++ if (target->next == target)
++ free(target);
+ } else if (t->u.target_size != sizeof(*t))
+ printf("[%u bytes of unknown target data] ",
+ (unsigned int)(t->u.target_size - sizeof(*t)));
+--
+2.23.0
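Review bot: `if (match->next == match) free(match);` in the four embedded hunks (print_match() and print_firewall() in both ip6tables.c and iptables.c) depends on a clone-marker convention — the valgrind trace in the description places the allocation inside xtables_find_match()/xtables_find_target(), so presumably a clone is made with `next` pointing at itself — but nothing at the call sites says so. A comment such as `/* a clone (next == self) from xtables_find_match() is ours to free */` above each check would tell the next reader why an ordinary list entry must not be freed here. Both functions start and end outside the hunks.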
diff --git a/backport-iptables-restore-Free-handle-with-test-also.patch b/backport-iptables-restore-Free-handle-with-test-also.patch
new file mode 100644
index 0000000000000000000000000000000000000000..c753ec2f5a84093ecf50661537d47ebfecba044d
--- /dev/null
+++ b/backport-iptables-restore-Free-handle-with-test-also.patch
@@ -0,0 +1,48 @@
+From 18880dbde615449d00a3e38f3713a19d4566258e Mon Sep 17 00:00:00 2001
+From: Phil Sutter
+Date: Fri, 25 Nov 2022 19:24:38 +0100
+Subject: [PATCH] iptables-restore: Free handle with --test also
+
+When running 'iptables-restore -t', valgrind reports:
+
+1,496 (160 direct, 1,336 indirect) bytes in 1 blocks are definitely lost in loss record 4 of 4
+ at 0x48417E5: malloc (vg_replace_malloc.c:381)
+ by 0x4857A46: alloc_handle (libiptc.c:1279)
+ by 0x4857A46: iptc_init (libiptc.c:1342)
+ by 0x1167CE: create_handle (iptables-restore.c:72)
+ by 0x1167CE: ip46tables_restore_main (iptables-restore.c:229)
+ by 0x116DAE: iptables_restore_main (iptables-restore.c:388)
+ by 0x49A2349: (below main) (in /lib64/libc.so.6)
+
+Free the handle pointer before parsing the next table.
+
+Conflict: NA
+Reference: https://git.netfilter.org/iptables/commit?id=18880dbde615449d00a3e38f3713a19d4566258e
+
+Fixes: 1c9015b2cb483 ("libiptc: remove indirections")
+Signed-off-by: Phil Sutter
+---
+ iptables/iptables-restore.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/iptables/iptables-restore.c b/iptables/iptables-restore.c
+index 05661bf6..6f7ddf93 100644
+--- a/iptables/iptables-restore.c
++++ b/iptables/iptables-restore.c
+@@ -185,12 +185,12 @@ ip46tables_restore_main(const struct iptables_restore_cb *cb,
+ if (!testing) {
+ DEBUGP("Calling commit\n");
+ ret = cb->ops->commit(handle);
+- cb->ops->free(handle);
+- handle = NULL;
+ } else {
+ DEBUGP("Not calling commit, testing\n");
+ ret = 1;
+ }
++ cb->ops->free(handle);
++ handle = NULL;
+
+ /* Done with the current table, release the lock. */
+ if (lock >= 0) {
+--
+2.23.0
diff --git a/backport-nft-Plug-memleak-in-nft_rule_zero_counters.patch b/backport-nft-Plug-memleak-in-nft_rule_zero_counters.patch
new file mode 100644
index 0000000000000000000000000000000000000000..8081963b98ca5e6030597f131765cb48cee7e8dd
--- /dev/null
+++ b/backport-nft-Plug-memleak-in-nft_rule_zero_counters.patch
@@ -0,0 +1,52 @@
+From aa0c54030300441e9fd66c7016d0090f6736d449 Mon Sep 17 00:00:00 2001
+From: Phil Sutter
+Date: Fri, 25 Nov 2022 21:21:22 +0100
+Subject: [PATCH] nft: Plug memleak in nft_rule_zero_counters()
+
+When zeroing a specific rule, valgrind reports:
+
+40 bytes in 1 blocks are definitely lost in loss record 1 of 1
+ at 0x484659F: calloc (vg_replace_malloc.c:1328)
+ by 0x48DE128: xtables_calloc (xtables.c:434)
+ by 0x11C7C6: nft_parse_immediate (nft-shared.c:1071)
+ by 0x11C7C6: nft_rule_to_iptables_command_state (nft-shared.c:1236)
+ by 0x119AF5: nft_rule_zero_counters (nft.c:2877)
+ by 0x11A3CA: nft_prepare (nft.c:3445)
+ by 0x11A7A8: nft_commit (nft.c:3479)
+ by 0x114258: xtables_main.isra.0 (xtables-standalone.c:94)
+ by 0x1142D9: xtables_ip6_main (xtables-standalone.c:118)
+ by 0x49F2349: (below main) (in /lib64/libc.so.6)
+
+Have to free the matches/target in populated iptables_command_state object
+again. While being at it, call the proper family_ops callbacks since this is
+family-agnostic code.
+
+Conflict: NA
+Reference: https://git.netfilter.org/iptables/commit?id=aa0c54030300441e9fd66c7016d0090f6736d449
+
+Fixes: a69cc575295ee ("xtables: allow to reset the counters of an existing rule")
+Signed-off-by: Phil Sutter
+---
+ iptables/nft.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/iptables/nft.c b/iptables/nft.c
+index 67c5877c..430888e8 100644
+--- a/iptables/nft.c
++++ b/iptables/nft.c
+@@ -2874,10 +2874,11 @@ int nft_rule_zero_counters(struct nft_handle *h, const char *chain,
+ goto error;
+ }
+
+- nft_rule_to_iptables_command_state(h, r, &cs);
+-
++ h->ops->rule_to_cs(h, r, &cs);
+ cs.counters.pcnt = cs.counters.bcnt = 0;
+ new_rule = nft_rule_new(h, chain, table, &cs);
++ h->ops->clear_cs(&cs);
++
+ if (!new_rule)
+ return 1;
+
+--
+2.23.0
diff --git a/iptables.spec b/iptables.spec
index 663c3eba22cf0d9358f4b622ef5885c04783a4cf..4a2667ee6594d4071b0afdd3d0f4fb617c7fb78f 100644
--- a/iptables.spec
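Review bot: `h->ops->clear_cs(&cs);` is placed directly after `new_rule = nft_rule_new(h, chain, table, &cs);` and before `new_rule` is tested, so the ordering is only safe if nft_rule_new() copies the matches/target out of `cs` rather than retaining pointers into it; the hunk does not show that, and a one-line comment such as `/* new_rule is self-contained, cs can be released now */` would make the assumption explicit and reviewable. The `goto error` path just above runs before `rule_to_cs` populates `cs`, so it needs no release. nft_rule_zero_counters() continues outside the hunk.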
+++ b/iptables.spec
@@ -2,7 +2,7 @@ %global legacy_actions %{_libexecdir}/initscripts/legacy-actions
 
 Name: iptables
 Version: 1.8.7
-Release: 11
+Release: 12
 Summary: IP packet filter administration utilities
 License: GPLv2 and Artistic Licence 2.0 and ISC
 URL: https://www.netfilter.org/
@@ -23,6 +23,14 @@ Patch6: backport-nft-Expand-extended-error-reporting-to-nft_cmd-too.pa
 Patch7: backport-xtables-restore-Extend-failure-error-message.patch
 Patch8: enabled-makecheck-in-extensions.patch
 
+Patch9: backport-extensions-among-Fix-for-use-with-ebtables-restore.patch
+Patch10: backport-extensions-libebt_redirect-Fix-xlate-return-code.patch
+Patch11: backport-extensions-libipt_ttl-Sanitize-xlate-callback.patch
+Patch12: backport-iptables-restore-Free-handle-with-test-also.patch
+Patch13: backport-nft-Plug-memleak-in-nft_rule_zero_counters.patch
+Patch14: backport-iptables-Plug-memleaks-in-print_firewall.patch
+Patch15: backport-ebtables-translate-Print-flush-command-after-parsing-is-finished.patch
+
 BuildRequires: bison flex gcc kernel-headers libpcap-devel libselinux-devel systemd
 BuildRequires: libmnl-devel libnetfilter_conntrack-devel libnfnetlink-devel libnftnl-devel
 BuildRequires: autogen autoconf automake libtool
@@ -330,6 +338,18 @@ fi
 %{_mandir}/man8/xtables-legacy*
 
 %changelog
+* Tue Mar 21 2023 zhanghao - 1.8.7-12
+- Type:bugfix
+- CVE:NA
+- SUG:NA
+- DESC:extensions among Fix for use with ebtables restore
+extensions libebt redirect Fix xlate return code
+extensions libipt ttl Sanitize xlate callback
+iptables restore Free handle with test also
+nft Plug memleak in nft rule zero counters
+iptables Plug memleaks in print firewall
+ebtables translate Print flush command after parsing is finished
+
 * Wed Nov 30 2022 huangyu - 1.8.7-11
 - Type:feature
 - ID:NA