diff --git a/backport-bridge-fix-potential-snprintf-overflow.patch b/backport-bridge-fix-potential-snprintf-overflow.patch new file mode 100644 index 0000000000000000000000000000000000000000..6e4a98f6b52a535846fa4be4582a13bc89a02873 --- /dev/null +++ b/backport-bridge-fix-potential-snprintf-overflow.patch @@ -0,0 +1,40 @@ +From 4d80122ae82aea86cb740b5202f6c3fde6183538 Mon Sep 17 00:00:00 2001 +From: Stephen Hemminger +Date: Mon, 18 Sep 2023 11:34:42 -0700 +Subject: [PATCH] bridge: fix potential snprintf overflow + +There is a theoretical snprintf overflow in bridge slave bitmask +print code found by CodeQL scan. + +Signed-off-by: Stephen Hemminger +--- + ip/iplink_bridge_slave.c | 11 +++++++++-- + 1 file changed, 9 insertions(+), 2 deletions(-) + +diff --git a/ip/iplink_bridge_slave.c b/ip/iplink_bridge_slave.c +index dc73c8657..3821923b5 100644 +--- a/ip/iplink_bridge_slave.c ++++ b/ip/iplink_bridge_slave.c +@@ -100,13 +100,20 @@ static void _bitmask2str(__u16 bitmask, char *dst, size_t dst_size, + int len, i; + + for (i = 0, len = 0; bitmask; i++, bitmask >>= 1) { ++ int n; ++ + if (bitmask & 0x1) { + if (tbl[i]) +- len += snprintf(dst + len, dst_size - len, "%s,", ++ n = snprintf(dst + len, dst_size - len, "%s,", + tbl[i]); + else +- len += snprintf(dst + len, dst_size - len, "0x%x,", ++ n = snprintf(dst + len, dst_size - len, "0x%x,", + (1 << i)); ++ ++ if (n < 0 || n >= dst_size - len) ++ break; ++ ++ len += n; + } + } + diff --git a/backport-ctrl-Fix-fd-leak-in-ctrl_list.patch b/backport-ctrl-Fix-fd-leak-in-ctrl_list.patch new file mode 100644 index 0000000000000000000000000000000000000000..8be8a80e244dc583f4539ceaec33d5a6d55aec23 --- /dev/null +++ b/backport-ctrl-Fix-fd-leak-in-ctrl_list.patch @@ -0,0 +1,31 @@ +From 35c02157396c847e57f52b5d6d345af2b961a794 Mon Sep 17 00:00:00 2001 +From: Maks Mishin +Date: Wed, 7 Feb 2024 02:54:03 +0300 +Subject: [PATCH] ctrl: Fix fd leak in ctrl_list() + +if ctrl_list is called with get operation and wrong number +of parameters, it would forget to close the local netlink +handle. + +Conflict:no +Reference:https://github.com/iproute2/iproute2/commit/35c02157396c847e57f52b5d6d345af2b961a794 + +Signed-off-by: Maks Mishin +Signed-off-by: Stephen Hemminger +--- + genl/ctrl.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/genl/ctrl.c b/genl/ctrl.c +index aff922a43..bae73a54b 100644 +--- a/genl/ctrl.c ++++ b/genl/ctrl.c +@@ -267,7 +267,7 @@ static int ctrl_list(int cmd, int argc, char **argv) + + if (argc != 2) { + fprintf(stderr, "Wrong number of params\n"); +- return -1; ++ goto ctrl_done; + } + + if (matches(*argv, "name") == 0) { diff --git a/backport-ctrl-Fix-fd-leak-in-ctrl_listen.patch b/backport-ctrl-Fix-fd-leak-in-ctrl_listen.patch new file mode 100644 index 0000000000000000000000000000000000000000..73d652b5188610632f34439739311934b531c73e --- /dev/null +++ b/backport-ctrl-Fix-fd-leak-in-ctrl_listen.patch @@ -0,0 +1,34 @@ +From f4dc6a784f6e2cee091027434f05a501f4cc1411 Mon Sep 17 00:00:00 2001 +From: Maks Mishin +Date: Wed, 7 Feb 2024 02:54:16 +0300 +Subject: [PATCH] ctrl: Fix fd leak in ctrl_listen() + +Use the same pattern for handling rtnl_listen() errors that +is used across other iproute2 commands. All other commands +exit with status of 2 if rtnl_listen fails. + +Conflict:no +Reference:https://github.com/iproute2/iproute2/commit/f4dc6a784f6e2cee091027434f05a501f4cc1411 + +Reported-off-by: Maks Mishin +Signed-off-by: Stephen Hemminger +--- + genl/ctrl.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/genl/ctrl.c b/genl/ctrl.c +index bae73a54b..72a9b0130 100644 +--- a/genl/ctrl.c ++++ b/genl/ctrl.c +@@ -334,8 +334,9 @@ static int ctrl_listen(int argc, char **argv) + } + + if (rtnl_listen(&rth, print_ctrl, (void *) stdout) < 0) +- return -1; +- ++ exit(2); ++ ++ rtnl_close(&rth); + return 0; + } + diff --git a/backport-devlink-use-snprintf-instead-of-sprintf.patch b/backport-devlink-use-snprintf-instead-of-sprintf.patch new file mode 100644 index 0000000000000000000000000000000000000000..229772c1910ef633b2c4b11d22ca864a8e179187 --- /dev/null +++ b/backport-devlink-use-snprintf-instead-of-sprintf.patch @@ -0,0 +1,72 @@ +From 8265b39f0c2563b57a610355c9ee9ede5381f013 Mon Sep 17 00:00:00 2001 +From: Jiri Pirko +Date: Tue, 7 Nov 2023 09:06:02 +0100 +Subject: [PATCH] devlink: use snprintf instead of sprintf + +Use snprintf instead of sprintf to ensure only valid memory is printed +to and the output string is properly terminated. + +Conflict:yes +due to upstream commit:700a8991,06cb288d + +Reference:https://github.com/iproute2/iproute2/commit/8265b39f0c2563b57a610355c9ee9ede5381f013 + +Signed-off-by: Jiri Pirko +Signed-off-by: David Ahern +--- + devlink/devlink.c | 20 +++++++++++--------- + 1 file changed, 11 insertions(+), 9 deletions(-) + +diff --git a/devlink/devlink.c b/devlink/devlink.c +index 3baad3557..b711e92ca 100644 +--- a/devlink/devlink.c ++++ b/devlink/devlink.c +@@ -2773,7 +2774,7 @@ static void __pr_out_handle_start(struct dl *dl, struct nlattr **tb, + const char *dev_name = mnl_attr_get_str(tb[DEVLINK_ATTR_DEV_NAME]); + char buf[64]; + +- sprintf(buf, "%s/%s", bus_name, dev_name); ++ snprintf(buf, sizeof(buf), "%s/%s", bus_name, dev_name); + + if (dl->json_output) { + if (array) { +@@ -2902,9 +2903,10 @@ static void __pr_out_port_handle_start(struct dl *dl, const char *bus_name, + if (dl->no_nice_names || !try_nice || + ifname_map_rev_lookup(dl, bus_name, dev_name, + port_index, &ifname) != 0) +- sprintf(buf, "%s/%s/%d", bus_name, dev_name, port_index); ++ snprintf(buf, sizeof(buf), "%s/%s/%d", ++ bus_name, dev_name, port_index); + else +- sprintf(buf, "%s", ifname); ++ snprintf(buf, sizeof(buf), "%s", ifname); + + if (dl->json_output) { + if (array) { +@@ -5230,7 +5232,7 @@ pr_out_port_rate_handle_start(struct dl *dl, struct nlattr **tb, bool try_nice) + bus_name = mnl_attr_get_str(tb[DEVLINK_ATTR_BUS_NAME]); + dev_name = mnl_attr_get_str(tb[DEVLINK_ATTR_DEV_NAME]); + node_name = mnl_attr_get_str(tb[DEVLINK_ATTR_RATE_NODE_NAME]); +- sprintf(buf, "%s/%s/%s", bus_name, dev_name, node_name); ++ snprintf(buf, sizeof(buf), "%s/%s/%s", bus_name, dev_name, node_name); + if (dl->json_output) + open_json_object(buf); + else +@@ -6305,7 +6307,7 @@ static void pr_out_json_occ_show_item_list(struct dl *dl, const char *label, + + open_json_object(label); + list_for_each_entry(occ_item, list, list) { +- sprintf(buf, "%u", occ_item->index); ++ snprintf(buf, sizeof(buf), "%u", occ_item->index); + open_json_object(buf); + if (bound_pool) + print_uint(PRINT_JSON, "bound_pool", NULL, +@@ -8674,7 +8676,7 @@ static void pr_out_region_handle_start(struct dl *dl, struct nlattr **tb) + const char *region_name = mnl_attr_get_str(tb[DEVLINK_ATTR_REGION_NAME]); + char buf[256]; + +- sprintf(buf, "%s/%s/%s", bus_name, dev_name, region_name); ++ snprintf(buf, sizeof(buf), "%s/%s/%s", bus_name, dev_name, region_name); + if (dl->json_output) + open_json_object(buf); + else diff --git a/backport-ila-fix-potential-snprintf-buffer-overflow.patch b/backport-ila-fix-potential-snprintf-buffer-overflow.patch new file mode 100644 index 0000000000000000000000000000000000000000..eea28395a6b66fa5020611bad61ae8a36dbd416c --- /dev/null +++ b/backport-ila-fix-potential-snprintf-buffer-overflow.patch @@ -0,0 +1,27 @@ +From e8a3fca81cd4b8fee14cfb14a5ce9c1b3b63e797 Mon Sep 17 00:00:00 2001 +From: Stephen Hemminger +Date: Mon, 18 Sep 2023 11:36:32 -0700 +Subject: [PATCH] ila: fix potential snprintf buffer overflow + +The code to print 64 bit address has a theoretical overflow +of snprintf buffer found by CodeQL scan. +Address by checking result. + +Signed-off-by: Stephen Hemminger +--- + ip/ipila.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/ip/ipila.c b/ip/ipila.c +index 4f6d578f2..23b19a108 100644 +--- a/ip/ipila.c ++++ b/ip/ipila.c +@@ -60,6 +60,8 @@ static void print_addr64(__u64 addr, char *buff, size_t len) + sep = ""; + + ret = snprintf(&buff[written], len - written, "%x%s", v, sep); ++ if (ret < 0 || ret >= len - written) ++ break; + written += ret; + } + } diff --git a/backport-ip-fix-memory-leak-in-ip-maddr-show.patch b/backport-ip-fix-memory-leak-in-ip-maddr-show.patch new file mode 100644 index 0000000000000000000000000000000000000000..9289aa17ae5e9bb234561ee666c45f2023ab7079 --- /dev/null +++ b/backport-ip-fix-memory-leak-in-ip-maddr-show.patch @@ -0,0 +1,44 @@ +From 575322b09c3c6bc1806f2faa31edcfb64df302bb Mon Sep 17 00:00:00 2001 +From: Maxim Petrov +Date: Sun, 15 Oct 2023 16:32:12 +0200 +Subject: [PATCH] ip: fix memory leak in 'ip maddr show' + +In `read_dev_mcast`, the list of ma_info is allocated, but not cleared +after use. Free the list in the end to make valgrind happy. + +Detected by valgrind: "valgrind ./ip/ip maddr show" + +Signed-off-by: Maxim Petrov +--- + ip/ipmaddr.c | 11 +++++++++++ + 1 file changed, 11 insertions(+) + +diff --git a/ip/ipmaddr.c b/ip/ipmaddr.c +index 176f6ab74..2418b3031 100644 +--- a/ip/ipmaddr.c ++++ b/ip/ipmaddr.c +@@ -79,6 +79,16 @@ static void maddr_ins(struct ma_info **lst, struct ma_info *m) + *lst = m; + } + ++static void maddr_clear(struct ma_info *lst) ++{ ++ struct ma_info *mp; ++ ++ while ((mp = lst) != NULL) { ++ lst = mp->next; ++ free(mp); ++ } ++} ++ + static void read_dev_mcast(struct ma_info **result_p) + { + char buf[256]; +@@ -286,6 +296,7 @@ static int multiaddr_list(int argc, char **argv) + if (!filter.family || filter.family == AF_INET6) + read_igmp6(&list); + print_mlist(stdout, list); ++ maddr_clear(list); + return 0; + } + diff --git a/backport-iproute2-prevent-memory-leak.patch b/backport-iproute2-prevent-memory-leak.patch new file mode 100644 index 0000000000000000000000000000000000000000..473e58e31c2d44ee27e91fc1af3ab73ee2affcf2 --- /dev/null +++ b/backport-iproute2-prevent-memory-leak.patch @@ -0,0 +1,148 @@ +From 2c3ebb2ae08a634615e56303d784ddb366e47f04 Mon Sep 17 00:00:00 2001 +From: heminhong +Date: Thu, 16 Nov 2023 11:13:08 +0800 +Subject: [PATCH] iproute2: prevent memory leak + +When the return value of rtnl_talk() is not less than 0, +'answer' will be allocated. The 'answer' should be free +after using, otherwise it will cause memory leak. + +Fixes: a066cc6623e1 ("gre/gre6: Unify local/remote endpoint address parsing") +Signed-off-by: heminhong +Reviewed-by: Andrea Claudi +Signed-off-by: Stephen Hemminger +--- + ip/link_gre.c | 3 ++- + ip/link_gre6.c | 3 ++- + ip/link_ip6tnl.c | 3 ++- + ip/link_iptnl.c | 3 ++- + ip/link_vti.c | 3 ++- + ip/link_vti6.c | 3 ++- + 6 files changed, 12 insertions(+), 6 deletions(-) + +diff --git a/ip/link_gre.c b/ip/link_gre.c +index 74a5b5e96..6d71864c1 100644 +--- a/ip/link_gre.c ++++ b/ip/link_gre.c +@@ -76,7 +76,7 @@ static int gre_parse_opt(struct link_util *lu, int argc, char **argv, + .i.ifi_family = preferred_family, + .i.ifi_index = ifi->ifi_index, + }; +- struct nlmsghdr *answer; ++ struct nlmsghdr *answer = NULL; + struct rtattr *tb[IFLA_MAX + 1]; + struct rtattr *linkinfo[IFLA_INFO_MAX+1]; + struct rtattr *greinfo[IFLA_GRE_MAX + 1]; +@@ -113,6 +113,7 @@ static int gre_parse_opt(struct link_util *lu, int argc, char **argv, + get_failed: + fprintf(stderr, + "Failed to get existing tunnel info.\n"); ++ free(answer); + return -1; + } + +diff --git a/ip/link_gre6.c b/ip/link_gre6.c +index b03bd65ad..4d1c65748 100644 +--- a/ip/link_gre6.c ++++ b/ip/link_gre6.c +@@ -79,7 +79,7 @@ static int gre_parse_opt(struct link_util *lu, int argc, char **argv, + .i.ifi_family = preferred_family, + .i.ifi_index = ifi->ifi_index, + }; +- struct nlmsghdr *answer; ++ struct nlmsghdr *answer = NULL; + struct rtattr *tb[IFLA_MAX + 1]; + struct rtattr *linkinfo[IFLA_INFO_MAX+1]; + struct rtattr *greinfo[IFLA_GRE_MAX + 1]; +@@ -115,6 +115,7 @@ static int gre_parse_opt(struct link_util *lu, int argc, char **argv, + get_failed: + fprintf(stderr, + "Failed to get existing tunnel info.\n"); ++ free(answer); + return -1; + } + +diff --git a/ip/link_ip6tnl.c b/ip/link_ip6tnl.c +index b27d696f5..3a30dca93 100644 +--- a/ip/link_ip6tnl.c ++++ b/ip/link_ip6tnl.c +@@ -72,7 +72,7 @@ static int ip6tunnel_parse_opt(struct link_util *lu, int argc, char **argv, + .i.ifi_family = preferred_family, + .i.ifi_index = ifi->ifi_index, + }; +- struct nlmsghdr *answer; ++ struct nlmsghdr *answer = NULL; + struct rtattr *tb[IFLA_MAX + 1]; + struct rtattr *linkinfo[IFLA_INFO_MAX+1]; + struct rtattr *iptuninfo[IFLA_IPTUN_MAX + 1]; +@@ -101,6 +101,7 @@ static int ip6tunnel_parse_opt(struct link_util *lu, int argc, char **argv, + get_failed: + fprintf(stderr, + "Failed to get existing tunnel info.\n"); ++ free(answer); + return -1; + } + +diff --git a/ip/link_iptnl.c b/ip/link_iptnl.c +index 1315aebe9..879202f71 100644 +--- a/ip/link_iptnl.c ++++ b/ip/link_iptnl.c +@@ -73,7 +73,7 @@ static int iptunnel_parse_opt(struct link_util *lu, int argc, char **argv, + .i.ifi_family = preferred_family, + .i.ifi_index = ifi->ifi_index, + }; +- struct nlmsghdr *answer; ++ struct nlmsghdr *answer = NULL; + struct rtattr *tb[IFLA_MAX + 1]; + struct rtattr *linkinfo[IFLA_INFO_MAX+1]; + struct rtattr *iptuninfo[IFLA_IPTUN_MAX + 1]; +@@ -105,6 +105,7 @@ static int iptunnel_parse_opt(struct link_util *lu, int argc, char **argv, + get_failed: + fprintf(stderr, + "Failed to get existing tunnel info.\n"); ++ free(answer); + return -1; + } + +diff --git a/ip/link_vti.c b/ip/link_vti.c +index 509432543..7a95dc02d 100644 +--- a/ip/link_vti.c ++++ b/ip/link_vti.c +@@ -48,7 +48,7 @@ static int vti_parse_opt(struct link_util *lu, int argc, char **argv, + .i.ifi_family = preferred_family, + .i.ifi_index = ifi->ifi_index, + }; +- struct nlmsghdr *answer; ++ struct nlmsghdr *answer = NULL; + struct rtattr *tb[IFLA_MAX + 1]; + struct rtattr *linkinfo[IFLA_INFO_MAX+1]; + struct rtattr *vtiinfo[IFLA_VTI_MAX + 1]; +@@ -69,6 +69,7 @@ static int vti_parse_opt(struct link_util *lu, int argc, char **argv, + get_failed: + fprintf(stderr, + "Failed to get existing tunnel info.\n"); ++ free(answer); + return -1; + } + +diff --git a/ip/link_vti6.c b/ip/link_vti6.c +index 5764221eb..aaf701d33 100644 +--- a/ip/link_vti6.c ++++ b/ip/link_vti6.c +@@ -50,7 +50,7 @@ static int vti6_parse_opt(struct link_util *lu, int argc, char **argv, + .i.ifi_family = preferred_family, + .i.ifi_index = ifi->ifi_index, + }; +- struct nlmsghdr *answer; ++ struct nlmsghdr *answer = NULL; + struct rtattr *tb[IFLA_MAX + 1]; + struct rtattr *linkinfo[IFLA_INFO_MAX+1]; + struct rtattr *vtiinfo[IFLA_VTI_MAX + 1]; +@@ -71,6 +71,7 @@ static int vti6_parse_opt(struct link_util *lu, int argc, char **argv, + get_failed: + fprintf(stderr, + "Failed to get existing tunnel info.\n"); ++ free(answer); + return -1; + } + diff --git a/backport-libnetlink-validate-nlmsg-header-length-first.patch b/backport-libnetlink-validate-nlmsg-header-length-first.patch new file mode 100644 index 0000000000000000000000000000000000000000..5b532310fcee7307110a11189d728ad0281b2003 --- /dev/null +++ b/backport-libnetlink-validate-nlmsg-header-length-first.patch @@ -0,0 +1,39 @@ +From 78eebdbc7d2f96b01a18d7db33c1c99266efc4bc Mon Sep 17 00:00:00 2001 +From: Max Kunzelmann +Date: Tue, 7 Nov 2023 01:20:55 +0000 +Subject: [PATCH] libnetlink: validate nlmsg header length first + +Validate the nlmsg header length before accessing the nlmsg payload +length. + +Fixes: 892a25e286fb ("libnetlink: break up dump function") + +Signed-off-by: Max Kunzelmann +Reviewed-by: Benny Baumann +Reviewed-by: Robert Geislinger +Signed-off-by: Stephen Hemminger +--- + lib/libnetlink.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/lib/libnetlink.c b/lib/libnetlink.c +index 7edcd2856..016482294 100644 +--- a/lib/libnetlink.c ++++ b/lib/libnetlink.c +@@ -727,13 +727,15 @@ int rtnl_dump_request_n(struct rtnl_handle *rth, struct nlmsghdr *n) + static int rtnl_dump_done(struct nlmsghdr *h, + const struct rtnl_dump_filter_arg *a) + { +- int len = *(int *)NLMSG_DATA(h); ++ int len; + + if (h->nlmsg_len < NLMSG_LENGTH(sizeof(int))) { + fprintf(stderr, "DONE truncated\n"); + return -1; + } + ++ len = *(int *)NLMSG_DATA(h); ++ + if (len < 0) { + errno = -len; + diff --git a/backport-lnstat-Fix-deref-of-null-in-print_json-function.patch b/backport-lnstat-Fix-deref-of-null-in-print_json-function.patch new file mode 100644 index 0000000000000000000000000000000000000000..fab90963cedeb63cab5fd6b5eaf7e9d24961eadf --- /dev/null +++ b/backport-lnstat-Fix-deref-of-null-in-print_json-function.patch @@ -0,0 +1,32 @@ +From a193733b7a7ef1e65e1b88045c32f96ed16caeb9 Mon Sep 17 00:00:00 2001 +From: Maks Mishin +Date: Sat, 6 Jan 2024 22:04:23 +0300 +Subject: [PATCH] lnstat: Fix deref of null in print_json() function + +Now pointer `jw` is being checked for NULL before using +in function `jsonw_start_object`. +Added exit from function when `jw==NULL`. + +Found by RASU JSC + +Signed-off-by: Maks Mishin +Signed-off-by: Stephen Hemminger +--- + misc/lnstat.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/misc/lnstat.c b/misc/lnstat.c +index c3f2999cc..f802a0f35 100644 +--- a/misc/lnstat.c ++++ b/misc/lnstat.c +@@ -112,6 +112,10 @@ static void print_json(FILE *of, const struct lnstat_file *lnstat_files, + json_writer_t *jw = jsonw_new(of); + int i; + ++ if (jw == NULL) { ++ fprintf(stderr, "Failed to create JSON writer\n"); ++ exit(1); ++ } + jsonw_start_object(jw); + for (i = 0; i < fp->num; i++) { + const struct lnstat_field *lf = fp->params[i].lf; diff --git a/backport-mnl_utils-sanitize-incoming-netlink-payload-size-in-callbacks.patch b/backport-mnl_utils-sanitize-incoming-netlink-payload-size-in-callbacks.patch new file mode 100644 index 0000000000000000000000000000000000000000..90ad01b28509f7fdbca3a70b8255778e7284a060 --- /dev/null +++ b/backport-mnl_utils-sanitize-incoming-netlink-payload-size-in-callbacks.patch @@ -0,0 +1,47 @@ +From 1a68525f4613b4e02e83d4b8004f22ac7ecbfedf Mon Sep 17 00:00:00 2001 +From: Jiri Pirko +Date: Thu, 7 Dec 2023 13:53:51 +0100 +Subject: [PATCH] mnl_utils: sanitize incoming netlink payload size in + callbacks + +Don't trust the kernel to send payload of certain size. Sanitize that by +checking the payload length in mnlu_cb_stop() and mnlu_cb_error() and +only access the payload if it is of required size. + +Note that for mnlu_cb_stop(), this is happening already for example +with devlink resource. Kernel sends NLMSG_DONE with zero size payload. + +Fixes: 049c58539f5d ("devlink: mnlg: Add support for extended ack") +Fixes: c934da8aaacb ("devlink: mnlg: Catch returned error value of dumpit commands") +Signed-off-by: Jiri Pirko +Signed-off-by: Stephen Hemminger +--- + lib/mnl_utils.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/lib/mnl_utils.c b/lib/mnl_utils.c +index 1c7822282..af5aa4f9e 100644 +--- a/lib/mnl_utils.c ++++ b/lib/mnl_utils.c +@@ -61,6 +61,8 @@ static int mnlu_cb_error(const struct nlmsghdr *nlh, void *data) + { + const struct nlmsgerr *err = mnl_nlmsg_get_payload(nlh); + ++ if (mnl_nlmsg_get_payload_len(nlh) < sizeof(*err)) ++ return MNL_CB_STOP; + /* Netlink subsystems returns the errno value with different signess */ + if (err->error < 0) + errno = -err->error; +@@ -75,8 +77,11 @@ static int mnlu_cb_error(const struct nlmsghdr *nlh, void *data) + + static int mnlu_cb_stop(const struct nlmsghdr *nlh, void *data) + { +- int len = *(int *)NLMSG_DATA(nlh); ++ int len; + ++ if (mnl_nlmsg_get_payload_len(nlh) < sizeof(len)) ++ return MNL_CB_STOP; ++ len = *(int *)mnl_nlmsg_get_payload(nlh); + if (len < 0) { + errno = -len; + nl_dump_ext_ack_done(nlh, len); diff --git a/backport-tc-remove-tcindex-classifier.patch b/backport-tc-remove-tcindex-classifier.patch new file mode 100644 index 0000000000000000000000000000000000000000..812b919275fc0777c21062c6c046e1a770c9eaa8 --- /dev/null +++ b/backport-tc-remove-tcindex-classifier.patch @@ -0,0 +1,336 @@ +From bc0c1661eb229b77a65f8c5f305fd6fa56e9667f Mon Sep 17 00:00:00 2001 +From: Stephen Hemminger +Date: Mon, 30 Oct 2023 11:26:33 -0700 +Subject: [PATCH] tc: remove tcindex classifier + +Support for tcindex classifier was removed by upstream commit +8c710f75256b (net/sched: Retire tcindex classifier, 2023-02-14) + +Signed-off-by: Stephen Hemminger +--- + bash-completion/tc | 7 +- + man/man8/tc-tcindex.8 | 58 ------------- + man/man8/tc.8 | 7 +- + tc/Makefile | 1 - + tc/f_tcindex.c | 185 ------------------------------------------ + 5 files changed, 2 insertions(+), 256 deletions(-) + delete mode 100644 man/man8/tc-tcindex.8 + delete mode 100644 tc/f_tcindex.c + +diff --git a/bash-completion/tc b/bash-completion/tc +index 6af3b7998..db5558ab6 100644 +--- a/bash-completion/tc ++++ b/bash-completion/tc +@@ -5,7 +5,7 @@ + QDISC_KIND=' choke codel bfifo pfifo pfifo_head_drop fq fq_codel gred hhf \ + mqprio multiq netem pfifo_fast pie fq_pie red rr sfb sfq tbf atm \ + cbq drr dsmark hfsc htb prio qfq ' +-FILTER_KIND=' basic bpf cgroup flow flower fw route rsvp tcindex u32 matchall ' ++FILTER_KIND=' basic bpf cgroup flow flower fw route rsvp u32 matchall ' + ACTION_KIND=' gact mirred bpf sample ' + + # Takes a list of words in argument; each one of them is added to COMPREPLY if +@@ -487,11 +487,6 @@ _tc_filter_options() + COMPREPLY+=( $( compgen -W 'at' -- "$cur" ) ) + return 0 + ;; +- tcindex) +- _tc_once_attr 'hash mask shift classid action' +- _tc_one_of_list 'pass_on fall_through' +- return 0 +- ;; + u32) + _tc_once_attr 'match link classid action offset ht hashkey sample' + COMPREPLY+=( $( compgen -W 'ip ip6 udp tcp icmp u8 u16 u32 mark \ +diff --git a/man/man8/tc-tcindex.8 b/man/man8/tc-tcindex.8 +deleted file mode 100644 +index ccf2c5e81..000000000 +--- a/man/man8/tc-tcindex.8 ++++ /dev/null +@@ -1,58 +0,0 @@ +-.TH "Traffic control index filter" 8 "21 Oct 2015" "iproute2" "Linux" +- +-.SH NAME +-tcindex \- traffic control index filter +-.SH SYNOPSIS +-.in +8 +-.ti -8 +-.BR tc " " filter " ... " tcindex " [ " hash +-.IR SIZE " ] [ " +-.B mask +-.IR MASK " ] [ " +-.B shift +-.IR SHIFT " ] [ " +-.BR pass_on " | " fall_through " ] [ " classid +-.IR CLASSID " ] [ " +-.B action +-.BR ACTION_SPEC " ]" +-.SH DESCRIPTION +-This filter allows to match packets based on their +-.B tcindex +-field value, i.e. the combination of the DSCP and ECN fields as present in IPv4 +-and IPv6 headers. +-.SH OPTIONS +-.TP +-.BI action " ACTION_SPEC" +-Apply an action from the generic actions framework on matching packets. +-.TP +-.BI classid " CLASSID" +-Push matching packets into the class identified by +-.IR CLASSID . +-.TP +-.BI hash " SIZE" +-Hash table size in entries to use. Defaults to 64. +-.TP +-.BI mask " MASK" +-An optional bitmask to binary +-.BR AND " to the packet's " tcindex +-field before use. +-.TP +-.BI shift " SHIFT" +-The number of bits to right-shift a packet's +-.B tcindex +-value before use. If a +-.B mask +-has been set, masking is done before shifting. +-.TP +-.B pass_on +-If this flag is set, failure to find a class for the resulting ID will make the +-filter fail and lead to the next filter being consulted. +-.TP +-.B fall_through +-This is the opposite of +-.B pass_on +-and the default. The filter will classify the packet even if there is no class +-present for the resulting class ID. +- +-.SH SEE ALSO +-.BR tc (8) +diff --git a/man/man8/tc.8 b/man/man8/tc.8 +index 59cc7b17d..ae6de397f 100644 +--- a/man/man8/tc.8 ++++ b/man/man8/tc.8 +@@ -244,10 +244,6 @@ for details. + rsvp + Match Resource Reservation Protocol (RSVP) packets. + .TP +-tcindex +-Filter packets based on traffic control index. See +-.BR tc-tcindex (8). +-.TP + u32 + Generic filtering on arbitrary packet data, assisted by syntax to abstract common operations. See + .BR tc-u32 (8) +@@ -906,8 +902,7 @@ was written by Alexey N. Kuznetsov and added in Linux 2.2. + .BR tc-sfq (8), + .BR tc-stab (8), + .BR tc-tbf (8), +-.BR tc-tcindex (8), +-.BR tc-u32 (8), ++.BR tc-u32 (8) + .br + .RB "User documentation at " http://lartc.org/ ", but please direct bugreports and patches to: " + +diff --git a/tc/Makefile b/tc/Makefile +index 82e611257..ab6ad2f5d 100644 +--- a/tc/Makefile ++++ b/tc/Makefile +@@ -31,7 +31,6 @@ TCMODULES += f_cgroup.o + TCMODULES += f_flower.o + TCMODULES += q_dsmark.o + TCMODULES += q_gred.o +-TCMODULES += f_tcindex.o + TCMODULES += q_ingress.o + TCMODULES += q_hfsc.o + TCMODULES += q_htb.o +diff --git a/tc/f_tcindex.c b/tc/f_tcindex.c +deleted file mode 100644 +index ae4cbf118..000000000 +--- a/tc/f_tcindex.c ++++ /dev/null +@@ -1,185 +0,0 @@ +-/* SPDX-License-Identifier: GPL-2.0 */ +-/* +- * f_tcindex.c Traffic control index filter +- * +- * Written 1998,1999 by Werner Almesberger +- */ +- +-#include +-#include +-#include +-#include +-#include +-#include +- +-#include "utils.h" +-#include "tc_util.h" +- +-static void explain(void) +-{ +- fprintf(stderr, +- " Usage: ... tcindex [ hash SIZE ] [ mask MASK ] [ shift SHIFT ]\n" +- " [ pass_on | fall_through ]\n" +- " [ classid CLASSID ] [ action ACTION_SPEC ]\n"); +-} +- +-static int tcindex_parse_opt(struct filter_util *qu, char *handle, int argc, +- char **argv, struct nlmsghdr *n) +-{ +- struct tcmsg *t = NLMSG_DATA(n); +- struct rtattr *tail; +- char *end; +- +- if (handle) { +- t->tcm_handle = strtoul(handle, &end, 0); +- if (*end) { +- fprintf(stderr, "Illegal filter ID\n"); +- return -1; +- } +- } +- if (!argc) return 0; +- tail = addattr_nest(n, 4096, TCA_OPTIONS); +- while (argc) { +- if (!strcmp(*argv, "hash")) { +- int hash; +- +- NEXT_ARG(); +- hash = strtoul(*argv, &end, 0); +- if (*end || !hash || hash > 0x10000) { +- explain(); +- return -1; +- } +- addattr_l(n, 4096, TCA_TCINDEX_HASH, &hash, +- sizeof(hash)); +- } else if (!strcmp(*argv,"mask")) { +- __u16 mask; +- +- NEXT_ARG(); +- mask = strtoul(*argv, &end, 0); +- if (*end) { +- explain(); +- return -1; +- } +- addattr_l(n, 4096, TCA_TCINDEX_MASK, &mask, +- sizeof(mask)); +- } else if (!strcmp(*argv,"shift")) { +- int shift; +- +- NEXT_ARG(); +- shift = strtoul(*argv, &end, 0); +- if (*end) { +- explain(); +- return -1; +- } +- addattr_l(n, 4096, TCA_TCINDEX_SHIFT, &shift, +- sizeof(shift)); +- } else if (!strcmp(*argv,"fall_through")) { +- int value = 1; +- +- addattr_l(n, 4096, TCA_TCINDEX_FALL_THROUGH, &value, +- sizeof(value)); +- } else if (!strcmp(*argv,"pass_on")) { +- int value = 0; +- +- addattr_l(n, 4096, TCA_TCINDEX_FALL_THROUGH, &value, +- sizeof(value)); +- } else if (!strcmp(*argv,"classid")) { +- __u32 handle; +- +- NEXT_ARG(); +- if (get_tc_classid(&handle, *argv)) { +- fprintf(stderr, "Illegal \"classid\"\n"); +- return -1; +- } +- addattr_l(n, 4096, TCA_TCINDEX_CLASSID, &handle, 4); +- } else if (!strcmp(*argv,"police")) { +- NEXT_ARG(); +- if (parse_police(&argc, &argv, TCA_TCINDEX_POLICE, n)) { +- fprintf(stderr, "Illegal \"police\"\n"); +- return -1; +- } +- continue; +- } else if (!strcmp(*argv,"action")) { +- NEXT_ARG(); +- if (parse_action(&argc, &argv, TCA_TCINDEX_ACT, n)) { +- fprintf(stderr, "Illegal \"action\"\n"); +- return -1; +- } +- continue; +- } else { +- explain(); +- return -1; +- } +- argc--; +- argv++; +- } +- addattr_nest_end(n, tail); +- return 0; +-} +- +- +-static int tcindex_print_opt(struct filter_util *qu, FILE *f, +- struct rtattr *opt, __u32 handle) +-{ +- struct rtattr *tb[TCA_TCINDEX_MAX+1]; +- +- if (opt == NULL) +- return 0; +- +- parse_rtattr_nested(tb, TCA_TCINDEX_MAX, opt); +- +- if (handle != ~0) fprintf(f, "handle 0x%04x ", handle); +- if (tb[TCA_TCINDEX_HASH]) { +- __u16 hash; +- +- if (RTA_PAYLOAD(tb[TCA_TCINDEX_HASH]) < sizeof(hash)) +- return -1; +- hash = rta_getattr_u16(tb[TCA_TCINDEX_HASH]); +- fprintf(f, "hash %d ", hash); +- } +- if (tb[TCA_TCINDEX_MASK]) { +- __u16 mask; +- +- if (RTA_PAYLOAD(tb[TCA_TCINDEX_MASK]) < sizeof(mask)) +- return -1; +- mask = rta_getattr_u16(tb[TCA_TCINDEX_MASK]); +- fprintf(f, "mask 0x%04x ", mask); +- } +- if (tb[TCA_TCINDEX_SHIFT]) { +- int shift; +- +- if (RTA_PAYLOAD(tb[TCA_TCINDEX_SHIFT]) < sizeof(shift)) +- return -1; +- shift = rta_getattr_u32(tb[TCA_TCINDEX_SHIFT]); +- fprintf(f, "shift %d ", shift); +- } +- if (tb[TCA_TCINDEX_FALL_THROUGH]) { +- int fall_through; +- +- if (RTA_PAYLOAD(tb[TCA_TCINDEX_FALL_THROUGH]) < +- sizeof(fall_through)) +- return -1; +- fall_through = rta_getattr_u32(tb[TCA_TCINDEX_FALL_THROUGH]); +- fprintf(f, fall_through ? "fall_through " : "pass_on "); +- } +- if (tb[TCA_TCINDEX_CLASSID]) { +- SPRINT_BUF(b1); +- fprintf(f, "classid %s ", sprint_tc_classid(*(__u32 *) +- RTA_DATA(tb[TCA_TCINDEX_CLASSID]), b1)); +- } +- if (tb[TCA_TCINDEX_POLICE]) { +- fprintf(f, "\n"); +- tc_print_police(f, tb[TCA_TCINDEX_POLICE]); +- } +- if (tb[TCA_TCINDEX_ACT]) { +- fprintf(f, "\n"); +- tc_print_action(f, tb[TCA_TCINDEX_ACT], 0); +- } +- return 0; +-} +- +-struct filter_util tcindex_filter_util = { +- .id = "tcindex", +- .parse_fopt = tcindex_parse_opt, +- .print_fopt = tcindex_print_opt, +-}; diff --git a/feature-iproute2-supports-to-parse-UB-device-and-related-display-of-vf-address.patch b/feature-iproute2-supports-to-parse-UB-device-and-related-display-of-vf-address.patch new file mode 100644 index 0000000000000000000000000000000000000000..d4bd24dccabd9e8db2d4256c7e391d4f0e893e59 --- /dev/null +++ b/feature-iproute2-supports-to-parse-UB-device-and-related-display-of-vf-address.patch @@ -0,0 +1,199 @@ +From fc8d86356ef55fc4716e9bfb643592c1e1aef9a6 Mon Sep 17 00:00:00 2001 +From: Fengyan Mu +Date: Sat, 25 Nov 2023 12:10:29 +0800 +Subject: [PATCH] [feature]iproute2 supports to parse UB device and related + display of vf address + +tool inclusion +category: feature +bugzilla: https://gitee.com/src-openeuler/iproute/issues/I8EZGI +CVE: NA + +----------------------------------------------------- + +This patch adds ARPHRD_UB for iproute2 and support name parse for it. +The pf in the ub does not manage the addresses of VFs and the address +information of the VF cannot be obtained. +This patch deletes the display of vf address information in the pf. + +Signed-off-by: Junxin Chen +Signed-off-by: Fengyan Mu +--- + configure | 23 +++++++++++++ + include/uapi/linux/if_arp.h | 4 +++ + ip/ipaddress.c | 68 ++++++++++++++++++++++++++----------- + lib/ll_types.c | 3 ++ + 4 files changed, 79 insertions(+), 19 deletions(-) + +diff --git a/configure b/configure +index 7f4f3bd..094582b 100755 +--- a/configure ++++ b/configure +@@ -265,6 +265,17 @@ check_elf() + fi + } + ++check_support_ub() ++{ ++ if [ "$SUPPORT_UB" = on ]; then ++ echo "yes" ++ echo 'CFLAGS += -DSUPPORT_UB' >> $CONFIG ++ else ++ echo "no" ++ return ++ fi ++} ++ + have_libbpf_basic() + { + cat >$TMPDIR/libbpf_test.c <> $CONFIG + echo "%.o: %.c" >> $CONFIG + echo ' $(QUIET_CC)$(CC) $(CFLAGS) $(EXTRA_CFLAGS) $(CPPFLAGS) -c -o $@ $<' >> $CONFIG +diff --git a/include/uapi/linux/if_arp.h b/include/uapi/linux/if_arp.h +index 12d06bb..b7111a5 100644 +--- a/include/uapi/linux/if_arp.h ++++ b/include/uapi/linux/if_arp.h +@@ -43,6 +43,10 @@ + #define ARPHRD_EUI64 27 /* EUI-64 */ + #define ARPHRD_INFINIBAND 32 /* InfiniBand */ + ++#ifdef SUPPORT_UB ++#define ARPHRD_UB 38 /* Unified bus */ ++#endif ++ + /* Dummy types for non ARP hardware */ + #define ARPHRD_SLIP 256 + #define ARPHRD_CSLIP 257 +diff --git a/ip/ipaddress.c b/ip/ipaddress.c +index 85534aa..463b8fd 100644 +--- a/ip/ipaddress.c ++++ b/ip/ipaddress.c +@@ -374,31 +374,61 @@ static void print_vfinfo(FILE *fp, struct ifinfomsg *ifi, struct rtattr *vfinfo) + "link_type", + " link/%s ", + ll_type_n2a(ifi->ifi_type, b1, sizeof(b1))); +- +- print_color_string(PRINT_ANY, COLOR_MAC, +- "address", "%s", +- ll_addr_n2a((unsigned char *) &vf_mac->mac, +- ifi->ifi_type == ARPHRD_ETHER ? +- ETH_ALEN : INFINIBAND_ALEN, +- ifi->ifi_type, +- b1, sizeof(b1))); +- +- if (vf[IFLA_VF_BROADCAST]) { +- if (ifi->ifi_flags&IFF_POINTOPOINT) { +- print_string(PRINT_FP, NULL, " peer ", NULL); +- print_bool(PRINT_JSON, +- "link_pointtopoint", NULL, true); +- } else +- print_string(PRINT_FP, NULL, " brd ", NULL); +- ++#ifdef SUPPORT_UB ++ if (ifi->ifi_type == ARPHRD_UB) { ++ print_string(PRINT_FP, NULL, "pointtopoint", NULL); ++ } else { + print_color_string(PRINT_ANY, COLOR_MAC, +- "broadcast", "%s", +- ll_addr_n2a((unsigned char *) &vf_broadcast->broadcast, ++ "address", "%s", ++ ll_addr_n2a((unsigned char *) &vf_mac->mac, + ifi->ifi_type == ARPHRD_ETHER ? + ETH_ALEN : INFINIBAND_ALEN, + ifi->ifi_type, + b1, sizeof(b1))); ++ ++ if (vf[IFLA_VF_BROADCAST]) { ++ if (ifi->ifi_flags&IFF_POINTOPOINT) { ++ print_string(PRINT_FP, NULL, " peer ", NULL); ++ print_bool(PRINT_JSON, ++ "link_pointtopoint", NULL, true); ++ } else ++ print_string(PRINT_FP, NULL, " brd ", NULL); ++ ++ print_color_string(PRINT_ANY, COLOR_MAC, ++ "broadcast", "%s", ++ ll_addr_n2a((unsigned char *) &vf_broadcast->broadcast, ++ ifi->ifi_type == ARPHRD_ETHER ? ++ ETH_ALEN : INFINIBAND_ALEN, ++ ifi->ifi_type, ++ b1, sizeof(b1))); ++ } + } ++#else ++ print_color_string(PRINT_ANY, COLOR_MAC, ++ "address", "%s", ++ ll_addr_n2a((unsigned char *) &vf_mac->mac, ++ ifi->ifi_type == ARPHRD_ETHER ? ++ ETH_ALEN : INFINIBAND_ALEN, ++ ifi->ifi_type, ++ b1, sizeof(b1))); ++ ++ if (vf[IFLA_VF_BROADCAST]) { ++ if (ifi->ifi_flags&IFF_POINTOPOINT) { ++ print_string(PRINT_FP, NULL, " peer ", NULL); ++ print_bool(PRINT_JSON, ++ "link_pointtopoint", NULL, true); ++ } else ++ print_string(PRINT_FP, NULL, " brd ", NULL); ++ ++ print_color_string(PRINT_ANY, COLOR_MAC, ++ "broadcast", "%s", ++ ll_addr_n2a((unsigned char *) &vf_broadcast->broadcast, ++ ifi->ifi_type == ARPHRD_ETHER ? ++ ETH_ALEN : INFINIBAND_ALEN, ++ ifi->ifi_type, ++ b1, sizeof(b1))); ++ } ++#endif + + if (vf[IFLA_VF_VLAN_LIST]) { + struct rtattr *i, *vfvlanlist = vf[IFLA_VF_VLAN_LIST]; +diff --git a/lib/ll_types.c b/lib/ll_types.c +index 49da15d..2dc8140 100644 +--- a/lib/ll_types.c ++++ b/lib/ll_types.c +@@ -106,6 +106,9 @@ __PF(CAIF, caif) + __PF(IP6GRE, gre6) + __PF(NETLINK, netlink) + __PF(6LOWPAN, 6lowpan) ++#ifdef SUPPORT_UB ++__PF(UB, ub) ++#endif + + __PF(NONE, none) + __PF(VOID,void) +-- +2.33.0 + diff --git a/iproute.spec b/iproute.spec index d59f3c7f3b026876ed4bbcb92ee04fd74403b98b..ae67559b7689241241fd255f104fd2a9d3b88b3c 100644 --- a/iproute.spec +++ b/iproute.spec @@ -2,7 +2,7 @@ Name: iproute Version: 5.15.0 Epoch: 1 -Release: 17 +Release: 18 Summary: Linux network configuration utilities License: GPLv2+ and Public Domain URL: https://kernel.org/pub/linux/utils/net/iproute2/ @@ -58,10 +58,22 @@ Patch6041: backport-ss-change-aafilter-port-from-int-to-long-inode-support. Patch6042: backport-ss-Fix-socket-type-check-in-packet_show_line.patch Patch6043: backport-ss-print-unix-socket-ports-as-unsigned-int-inode.patch Patch6044: backport-utils-fix-get_integer-logic.patch +Patch6045: backport-bridge-fix-potential-snprintf-overflow.patch +Patch6046: backport-ila-fix-potential-snprintf-buffer-overflow.patch +Patch6047: backport-ip-fix-memory-leak-in-ip-maddr-show.patch +Patch6048: backport-tc-remove-tcindex-classifier.patch +Patch6049: backport-libnetlink-validate-nlmsg-header-length-first.patch +Patch6050: backport-iproute2-prevent-memory-leak.patch +Patch6051: backport-mnl_utils-sanitize-incoming-netlink-payload-size-in-callbacks.patch +Patch6052: backport-lnstat-Fix-deref-of-null-in-print_json-function.patch +Patch6053: backport-devlink-use-snprintf-instead-of-sprintf.patch +Patch6054: backport-ctrl-Fix-fd-leak-in-ctrl_list.patch +Patch6055: backport-ctrl-Fix-fd-leak-in-ctrl_listen.patch Patch9000: feature-iproute-add-support-for-ipvlan-l2e-mode.patch Patch9001: bugfix-iproute2-cancel-some-test-cases.patch -Patch9002: sync-ipvlan_mode-enum-with-kernel-headers.patch +Patch9002: feature-iproute2-supports-to-parse-UB-device-and-related-display-of-vf-address.patch +Patch9003: sync-ipvlan_mode-enum-with-kernel-headers.patch BuildRequires: gcc bison elfutils-libelf-devel flex iptables-devel BuildRequires: libmnl-devel libselinux-devel pkgconfig libbpf-devel sudo make @@ -137,6 +149,24 @@ install -m 0644 lib/libnetlink.a %{buildroot}%{_libdir}/libnetlink.a %{_mandir}/* %changelog +* Fri Jul 26 2024 caokeming - 1:5.15.0-18 +- Type:bugfix +- ID:NA +- SUG:NA +- DESC:bridge: fix potential snprintf overflow + ctrl: Fix fd leak in ctrl_list() + ctrl: Fix fd leak in ctrl_listen() + devlink: use snprintf instead of sprintf + ila: fix potential snprintf buffer overflow + ip: fix memory leak in 'ip maddr show' + iproute2: prevent memory leak + libnetlink: validate nlmsg header length first + lnstat: Fix deref of null in print_json() function + mnl_utils: sanitize incoming netlink payload size in callbacks + tc: remove tcindex classifier + iproute2 supports to parse UB device and related + + * Wed Jan 10 2024 liubo - 1:5.15.0-17 - Type:bugfix - ID:NA