diff --git a/backport-iptopt-fix-crash-with-invalid-field-type-combo.patch b/backport-iptopt-fix-crash-with-invalid-field-type-combo.patch
new file mode 100644
index 0000000..2e533ff
--- /dev/null
+++ b/backport-iptopt-fix-crash-with-invalid-field-type-combo.patch
@@ -0,0 +1,72 @@
+From 48aca2de80a7dd73f8f3a461c7f7ed47b6082766 Mon Sep 17 00:00:00 2001
+From: Florian Westphal
+Date: Fri, 3 Dec 2021 17:07:55 +0100
+Subject: iptopt: fix crash with invalid field/type combo
+
+% nft describe ip option rr value
+segmentation fault
+
+after this fix, this exits with 'Error: unknown ip option type/field'.
+
+Problem is that 'rr' doesn't have a value template, so the template
+struct is
+all-zeroes, so we crash when trying to use tmpl->dtype (its NULL).
+
+Furthermore, expr_describe tries to print expr->identifier but expr is
+exthdr, not symbol: ->identifier contains garbage.
+
+Signed-off-by: Florian Westphal
+---
+ src/expression.c | 5 ++++-
+ src/ipopt.c | 3 +++
+ src/parser_bison.y | 4 ++++
+ 3 files changed, 11 insertions(+), 1 deletion(-)
+
+diff --git a/src/expression.c b/src/expression.c
+index a6bde70..ccc4d92 100644
+--- a/src/expression.c
++++ b/src/expression.c
+@@ -138,7 +138,10 @@ void expr_describe(const struct expr *expr, struct output_ctx *octx)
+ } else {
+ nft_print(octx, "%s expression, datatype %s (%s)",
+ expr_name(expr), dtype->name, dtype->desc);
+- }
++
++ if (dtype == &invalid_type)
++ return;
++ }
+
+ if (dtype->basetype != NULL) {
+ nft_print(octx, " (basetype ");
+diff --git a/src/ipopt.c b/src/ipopt.c
+index b3d0279..b851f2b 100644
+--- a/src/ipopt.c
++++ b/src/ipopt.c
+@@ -97,6 +97,9 @@ struct expr *ipopt_expr_alloc(const struct location *loc, uint8_t type,
+ if (!tmpl)
+ return NULL;
+
++ if (!tmpl->len)
++ return NULL;
++
+ expr = expr_alloc(loc, EXPR_EXTHDR, tmpl->dtype,
+ BYTEORDER_BIG_ENDIAN, tmpl->len);
+ expr->exthdr.desc = desc;
+diff --git a/src/parser_bison.y b/src/parser_bison.y
+index 8af5c7e..71fb2d2 100644
+--- a/src/parser_bison.y
++++ b/src/parser_bison.y
+@@ -4726,6 +4726,10 @@ ip_hdr_expr : IP ip_hdr_field
+ | IP OPTION ip_option_type ip_option_field
+ {
+ $$ = ipopt_expr_alloc(&@$, $3, $4, 0);
++ if (!$$) {
++ erec_queue(error(&@1, "unknown ip option type/field"), state->msgs);
++ YYERROR;
++ }
+ }
+ | IP OPTION ip_option_type
+ {
+--
+2.23.0
+
diff --git a/nftables.spec b/nftables.spec
index 5720070..6698d25 100644
--- a/nftables.spec
+++ b/nftables.spec
@@ -1,6 +1,6 @@
 Name: nftables
 Version: 0.9.6
-Release: 5
+Release: 7
 Epoch: 1
 Summary: A subsystem of the Linux kernel processing network data
 License: GPLv2
@@ -20,9 +20,10 @@ Patch6007: backport-evaluate-disallow-ct-original-s-d-ddr-from-maps.patch
 Patch6008: backport-evaluate-disallow-ct-original-s-d-ddr-from-concatena.patch
 Patch6009: backport-parser_json-fix-device-parsing-in-netdev-family.patch
 Patch6010: backport-src-Don-t-parse-string-as-verdict-in-map.patch
+Patch6011: backport-iptopt-fix-crash-with-invalid-field-type-combo.patch
 BuildRequires: gcc flex bison libmnl-devel gmp-devel readline-devel libnftnl-devel docbook2X systemd
-BuildRequires: iptables-devel jansson-devel python3-devel
+BuildRequires: iptables-devel jansson-devel python3-devel chrpath
 Requires: %{name}-help
 %description
@@ -51,7 +52,7 @@ The nftables python module providing an interface to libnftables via ctypes.
 %build
 %configure --disable-silent-rules --with-xtables --with-json \
- --enable-python --with-python-bin=%{__python3}
+ --enable-python --with-python-bin=%{__python3} CFLAGS="%{optflags} -fPIE -pie"
 %make_build
 %check
@@ -59,6 +60,8 @@ make check
 %install
 %make_install
+chrpath -d %{buildroot}%{_sbindir}/nft
+
 %delete_la
 chmod 644 $RPM_BUILD_ROOT/%{_mandir}/man8/nft*
@@ -110,6 +113,18 @@ install -d $RPM_BUILD_ROOT/%{_sysconfdir}/nftables
 %{python3_sitelib}/nftables/
 %changelog
+* Fri Dec 08 2023 zhanghao - 1:0.9.6-7
+- Type:bugfix
+- ID:NA
+- SUG:NA
+- DESC:fix crash with invalid field type combo
+
+* Mon Nov 13 2023 zhangxianting - 1:0.9.6-6
+- Type:bugfix
+- ID:NA
+- SUG:NA
+- DESC:enable fPIE and remove rpath
+
 * Thu Dec 15 2022 huangyu - 1:0.9.6-5
 - Type:bugfix
 - CVE:NA
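Review bot: The new `if (!tmpl->len) return NULL;` in ipopt_expr_alloc makes the NULL return reachable for every type/field pair whose template entry is all-zero (the commit message's "template struct is all-zeroes" case), but the backport only adds a NULL check at the one bison call site in the `IP OPTION ip_option_type ip_option_field` rule. The sibling rule `IP OPTION ip_option_type` begins in the hunk with its body outside it, and the JSON front end, which the spec's Patch6009 shows is present in this tree, is not touched at all; confirm that every other caller of ipopt_expr_alloc either checks for NULL or only requests fields that always have a template, otherwise the crash moves from `tmpl->dtype` to a NULL `expr` dereference. A short comment on the guard would help the next reader, e.g. `/* zeroed template entry: no such type/field combination */`. The enclosing functions expr_describe and ipopt_expr_alloc both start and end outside their hunks.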
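Review bot: `chrpath -d %{buildroot}%{_sbindir}/nft` strips the RPATH from the nft executable only, while libtool writes an rpath for every object it links; libnftables, which the %description line in the %configure hunk says the python module loads via ctypes, is installed by the same `%make_install` and is not covered here, so confirm it carries no rpath or stop the rpath at its source. The usual spec idiom is to edit the generated `libtool` script right after `%configure` so `-rpath` is never emitted, which covers every installed ELF object and removes the need for the `chrpath` BuildRequires added in the Patch6011 hunk. The 0.9.6-6 changelog entry pairs this with `-fPIE -pie`; `-pie` is a link-time flag and, as far as I know, the gcc driver drops it for `-shared` links, so keeping it in CFLAGS is presumably harmless, though `LDFLAGS` is its conventional home.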