From a553d5bd8da0116cb4c46e1334fc0575c60c3ec8 Mon Sep 17 00:00:00 2001
From: changtao
Date: Fri, 20 Sep 2024 22:36:47 +0800
Subject: [PATCH] fix-CVE-2024-41184
---
0013-fix-CVE-2024-41184.patch | 92 +++++++++++++++++++++++++++++++++++
keepalived.spec | 9 +++-
2 files changed, 100 insertions(+), 1 deletion(-)
create mode 100644 0013-fix-CVE-2024-41184.patch
diff --git a/0013-fix-CVE-2024-41184.patch b/0013-fix-CVE-2024-41184.patch
new file mode 100644
index 0000000..27af7ec
--- /dev/null
+++ b/0013-fix-CVE-2024-41184.patch
@@ -0,0 +1,92 @@
+From e78513fe0ce5d83c226ea2c0bd222f375c2438e7 Mon Sep 17 00:00:00 2001
+From: Quentin Armitage
+Date: Fri, 20 Sep 2024 22:27:56 +0800
+Subject: [PATCH] fix CVE-2024-41184 Handle empty ipset names with vrrp_ipsets keyword
+We now handle empty ipset names and return a config error.
+
+---
+ keepalived/core/global_parser.c | 35 ++++++++++++++++++++++-----------
+ 1 file changed, 23 insertions(+), 12 deletions(-)
+
+diff --git a/keepalived/core/global_parser.c b/keepalived/core/global_parser.c
+index d011f10..49fe3b5 100644
+--- a/keepalived/core/global_parser.c
++++ b/keepalived/core/global_parser.c
+@@ -834,6 +834,22 @@ vrrp_iptables_handler(const vector_t *strvec)
+ }
+ }
+ #ifdef _HAVE_LIBIPSET_
++static bool
++check_valid_ipset_name(const vector_t *strvec, unsigned entry, const char *log_name)
++{
++ if (strlen(strvec_slot(strvec, entry)) >= IPSET_MAXNAMELEN - 1) {
++ report_config_error(CONFIG_GENERAL_ERROR, "VRRP Error : ipset %s name too long - ignored", log_name);
++ return false;
++ }
++
++ if (strlen(strvec_slot(strvec, entry)) == 0) {
++ report_config_error(CONFIG_GENERAL_ERROR, "VRRP Error : ipset %s name empty - ignored", log_name);
++ return false;
++ }
++
++ return true;
++}
++
+ static void
+ vrrp_ipsets_handler(const vector_t *strvec)
+ {
+@@ -851,11 +867,12 @@ vrrp_ipsets_handler(const vector_t *strvec)
+ return;
+ }
+
++ if (!check_valid_ipset_name(strvec, 1, "address"))
++ return;
++
+ if (vector_size(strvec) >= 3) {
+- if (strlen(strvec_slot(strvec,2)) >= sizeof(global_data->vrrp_ipset_address6)-1) {
+- report_config_error(CONFIG_GENERAL_ERROR, "VRRP Error : ipset IPv6 address name too long - ignored");
++ if (!check_valid_ipset_name(strvec, 2, "IPv6 address"))
+ return;
+- }
+ strcpy(global_data->vrrp_ipset_address6, strvec_slot(strvec,2));
+ }
+ else {
+@@ -865,10 +882,8 @@ vrrp_ipsets_handler(const vector_t *strvec)
+ strcat(global_data->vrrp_ipset_address6, "6");
+ }
+ if (vector_size(strvec) >= 4) {
+- if (strlen(strvec_slot(strvec,3)) >= sizeof(global_data->vrrp_ipset_address_iface6)-1) {
+- report_config_error(CONFIG_GENERAL_ERROR, "VRRP Error : ipset IPv6 address_iface name too long - ignored");
++ if (!check_valid_ipset_name(strvec, 3, "IPv6 address_iface"))
+ return;
+- }
+ strcpy(global_data->vrrp_ipset_address_iface6, strvec_slot(strvec,3));
+ }
+ else {
+@@ -881,10 +896,8 @@ vrrp_ipsets_handler(const vector_t *strvec)
+ strcat(global_data->vrrp_ipset_address_iface6, "_if6");
+ }
+ if (vector_size(strvec) >= 5) {
+- if (strlen(strvec_slot(strvec,4)) >= sizeof(global_data->vrrp_ipset_igmp)-1) {
+- report_config_error(CONFIG_GENERAL_ERROR, "VRRP Error : ipset IGMP name too long - ignored");
++ if (!check_valid_ipset_name(strvec, 4, "IGMP"))
+ return;
+- }
+ strcpy(global_data->vrrp_ipset_igmp, strvec_slot(strvec,4));
+ }
+ else {
+@@ -894,10 +907,8 @@ vrrp_ipsets_handler(const vector_t *strvec)
+ strcat(global_data->vrrp_ipset_igmp, "_igmp");
+ }
+ if (vector_size(strvec) >= 6) {
+- if (strlen(strvec_slot(strvec,5)) >= sizeof(global_data->vrrp_ipset_mld)-1) {
+- report_config_error(CONFIG_GENERAL_ERROR, "VRRP Error : ipset MLD name too long - ignored");
++ if (!check_valid_ipset_name(strvec, 5, "MLD"))
+ return;
+- }
+ strcpy(global_data->vrrp_ipset_mld, strvec_slot(strvec,5));
+ }
+ else {
+--
+2.43.0
+
diff --git a/keepalived.spec b/keepalived.spec
index 2f1970b..3e925e7 100644
--- a/keepalived.spec
+++ b/keepalived.spec
@@ -9,7 +9,7 @@ Name: keepalived Version: 2.0.20 -Release: 19 +Release: 20 Summary: High Availability monitor built upon LVS, VRRP and service pollers License: GPLv2+ URL: http://www.keepalived.org/
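Review bot: check_valid_ipset_name() bounds every name by `IPSET_MAXNAMELEN - 1`, where the removed checks in the hunks at 867, 882, 896 and 907 used `sizeof(global_data->vrrp_ipset_address6)-1` and its siblings, yet each accepted name is still written with an unbounded `strcpy`. The copies are therefore only safe if all the destination arrays are at least IPSET_MAXNAMELEN bytes, and their declarations are outside this patch. I would keep the bound tied to the destination by passing its size in, e.g. `if (!check_valid_ipset_name(strvec, 2, sizeof(global_data->vrrp_ipset_address6), "IPv6 address"))`, with the helper testing `len >= max_len - 1`. The added slot-1 check sits after a branch whose body is not shown, so it is worth confirming the address name is not copied before it is validated; vrrp_ipsets_handler starts and ends outside these hunks.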
@@ -28,6 +28,7 @@ Patch0009: 0009-core-Fix-a-file-descriptor-leak-when-reloading.patch Patch0010: 0010-vrrp-Don-t-segfault-when-a-VRID-is-changed-on-a-VMAC.patch Patch0011: 0011-vrrp-clear-old_vrrp_data-and-old_global_data-when-me.patch Patch0012: CVE-2021-44225.patch +Patch0013: 0013-fix-CVE-2024-41184.patch BuildRequires: net-snmp-devel gcc systemd-units openssl-devel libnl3-devel BuildRequires: ipset-devel iptables-devel libnfnetlink-devel libnftnl-devel @@ -103,6 +104,12 @@ install -Dd -m 0755 %{buildroot}%{_libexecdir}/keepalived %{_mandir}/man* %changelog +* Wed Sep 25 2024 changtao - 2.0.20-20 +- Type:bugfix +- ID:NA +- SUG:NA +- DESC:fix-CVE-2024-41184 + * Thu Dec 23 2021 wangxp006 - 2.0.20-19 - Type:bugfix - ID:NA -- Gitee