diff --git a/backport-devlink-fix-devlink-health-dump-command-without-arg.patch b/backport-devlink-fix-devlink-health-dump-command-without-arg.patch new file mode 100644 index 0000000000000000000000000000000000000000..2c4133655dedd9431442896cfcb83ecff0db06b4 --- /dev/null +++ b/backport-devlink-fix-devlink-health-dump-command-without-arg.patch @@ -0,0 +1,68 @@ +From e81fd551a1a0ffa7983d25f5e756a5c5b6cb4a9a Mon Sep 17 00:00:00 2001 +From: Jiri Pirko +Date: Tue, 19 Apr 2022 19:15:11 +0200 +Subject: [PATCH] devlink: fix "devlink health dump" command without arg + +Fix bug when user calls "devlink health dump" without "show" or "clear": +$ devlink health dump +Command "(null)" not found + +Put the dump command into a separate helper as it is usual in the rest +of the code. Also, treat no cmd as "show", as it is common for other +devlink objects. + +Fixes: 041e6e651a8e ("devlink: Add devlink health dump show command") +Signed-off-by: Jiri Pirko +Signed-off-by: Stephen Hemminger +Conflict: NA +Reference: https://git.kernel.org/pub/scm/network/iproute2/iproute2.git/commit?id=e81fd551a1a +--- + devlink/devlink.c | 25 ++++++++++++++++++------- + 1 file changed, 18 insertions(+), 7 deletions(-) + +diff --git a/devlink/devlink.c b/devlink/devlink.c +index da9f9778..aab739f7 100644 +--- a/devlink/devlink.c ++++ b/devlink/devlink.c +@@ -8526,6 +8526,23 @@ static void cmd_health_help(void) + pr_err(" [ auto_dump { true | false } ]\n"); + } + ++static int cmd_health_dump(struct dl *dl) ++{ ++ if (dl_argv_match(dl, "help")) { ++ cmd_health_help(); ++ return 0; ++ } else if (dl_argv_match(dl, "show") || ++ dl_argv_match(dl, "list") || dl_no_arg(dl)) { ++ dl_arg_inc(dl); ++ return cmd_health_dump_show(dl); ++ } else if (dl_argv_match(dl, "clear")) { ++ dl_arg_inc(dl); ++ return cmd_health_dump_clear(dl); ++ } ++ pr_err("Command \"%s\" not found\n", dl_argv(dl)); ++ return -ENOENT; ++} ++ + static int cmd_health(struct dl *dl) + { + if (dl_argv_match(dl, "help")) { +@@ -8546,13 +8563,7 @@ static int cmd_health(struct dl *dl) + return cmd_health_test(dl); + } else if (dl_argv_match(dl, "dump")) { + dl_arg_inc(dl); +- if (dl_argv_match(dl, "show")) { +- dl_arg_inc(dl); +- return cmd_health_dump_show(dl); +- } else if (dl_argv_match(dl, "clear")) { +- dl_arg_inc(dl); +- return cmd_health_dump_clear(dl); +- } ++ return cmd_health_dump(dl); + } else if (dl_argv_match(dl, "set")) { + dl_arg_inc(dl); + return cmd_health_set_params(dl); +-- +2.23.0 + diff --git a/backport-ip-Fix-size_columns-for-very-large-values.patch b/backport-ip-Fix-size_columns-for-very-large-values.patch new file mode 100644 index 0000000000000000000000000000000000000000..d3910fe3b8eea5f57a1de315382679b38681a827 --- /dev/null +++ b/backport-ip-Fix-size_columns-for-very-large-values.patch @@ -0,0 +1,47 @@ +From 024103923a5c826e40c993be4ee2ada5536cb66a Mon Sep 17 00:00:00 2001 +From: Petr Machata +Date: Mon, 27 Jun 2022 15:18:21 +0200 +Subject: [PATCH] ip: Fix size_columns() for very large values + +For values near the 64-bit boundary, the iterative application of +powi *= 10 causes powi to overflow without the termination condition of +powi >= val having ever been satisfied. Instead, when determining the +length of the number, iterate val /= 10 and terminate when it's a single +digit. + +Fixes: 49437375b6c1 ("ip: dynamically size columns when printing stats") +CC: Tariq Toukan +CC: Itay Aveksis +Signed-off-by: Petr Machata +Signed-off-by: Stephen Hemminger +Conflict: void size_columns to static void size_colunms +Reference: https://git.kernel.org/pub/scm/network/iproute2/iproute2.git/commit?id=024103923a5 +--- + ip/ipaddress.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/ip/ipaddress.c b/ip/ipaddress.c +index 17341d28..5a3b1cae 100644 +--- a/ip/ipaddress.c ++++ b/ip/ipaddress.c +@@ -549,7 +549,7 @@ static void print_vfinfo(FILE *fp, struct ifinfomsg *ifi, struct rtattr *vfinfo) + static void size_columns(unsigned int cols[], unsigned int n, ...) + { + unsigned int i, len; +- uint64_t val, powi; ++ uint64_t val; + va_list args; + + va_start(args, n); +@@ -560,7 +560,7 @@ void size_columns(unsigned int cols[], unsigned int n, ...) + if (human_readable) + continue; + +- for (len = 1, powi = 10; powi < val; len++, powi *= 10) ++ for (len = 1; val > 9; len++, val /= 10) + /* nothing */; + if (len > cols[i]) + cols[i] = len; +-- +2.23.0 + diff --git a/backport-ip-Fix-size_columns-invocation-that-passes-a-32-bit-.patch b/backport-ip-Fix-size_columns-invocation-that-passes-a-32-bit-.patch new file mode 100644 index 0000000000000000000000000000000000000000..cd91ce1b08cd39119e57af6f14b2be004aca8017 --- /dev/null +++ b/backport-ip-Fix-size_columns-invocation-that-passes-a-32-bit-.patch @@ -0,0 +1,53 @@ +From 329fda1861560b06e60a7bd1004647bb65708295 Mon Sep 17 00:00:00 2001 +From: Petr Machata +Date: Tue, 28 Jun 2022 12:17:31 +0200 +Subject: [PATCH] ip: Fix size_columns() invocation that passes a 32-bit + quantity + +In print_stats64(), the last size_columns() invocation passes number of +carrier changes as one of the arguments. The value is decoded as a 32-bit +quantity, but size_columns() expects a 64-bit one. This is undefined +behavior. + +The reason valgrind does not cite this is that the previous size_columns() +invocations prime the ABI area used for the value transfer. When these +other invocations are commented away, valgrind does complain that +"conditional jump or move depends on uninitialised value", as would be +expected. + +Fixes: 49437375b6c1 ("ip: dynamically size columns when printing stats") +Signed-off-by: Petr Machata +Signed-off-by: Stephen Hemminger +Conflict: NA +Reference: https://git.kernel.org/pub/scm/network/iproute2/iproute2.git/commit?id=329fda18615 +--- + ip/ipaddress.c | 10 ++++++---- + 1 file changed, 6 insertions(+), 4 deletions(-) + +diff --git a/ip/ipaddress.c b/ip/ipaddress.c +index 5a3b1cae..a288341c 100644 +--- a/ip/ipaddress.c ++++ b/ip/ipaddress.c +@@ -783,13 +783,15 @@ void print_stats64(FILE *fp, struct rtnl_link_stats64 *s, + s->tx_bytes, s->tx_packets, s->tx_errors, + s->tx_dropped, s->tx_carrier_errors, + s->collisions, s->tx_compressed); +- if (show_stats > 1) ++ if (show_stats > 1) { ++ uint64_t cc = carrier_changes ? ++ rta_getattr_u32(carrier_changes) : 0; ++ + size_columns(cols, ARRAY_SIZE(cols), 0, 0, + s->tx_aborted_errors, s->tx_fifo_errors, + s->tx_window_errors, +- s->tx_heartbeat_errors, +- carrier_changes ? +- rta_getattr_u32(carrier_changes) : 0); ++ s->tx_heartbeat_errors, cc); ++ } + + /* RX stats */ + fprintf(fp, " RX: %*s %*s %*s %*s %*s %*s %*s%s", +-- +2.23.0 + diff --git a/backport-l2tp-fix-typo-in-AF_INET6-checksum-JSON-print.patch b/backport-l2tp-fix-typo-in-AF_INET6-checksum-JSON-print.patch new file mode 100644 index 0000000000000000000000000000000000000000..eb3cc70cdffd29665e1ba395d93f269786582b56 --- /dev/null +++ b/backport-l2tp-fix-typo-in-AF_INET6-checksum-JSON-print.patch @@ -0,0 +1,35 @@ +From 2bb37e90177cae1b92284a943123b0575505141f Mon Sep 17 00:00:00 2001 +From: Andrea Claudi +Date: Tue, 21 Jun 2022 18:53:08 +0200 +Subject: [PATCH] l2tp: fix typo in AF_INET6 checksum JSON print + +In print_tunnel json output, a typo makes it impossible to know the +value of udp6_csum_rx, printing instead udp6_csum_tx two times. + +Fixed getting rid of the typo. + +Fixes: 98453b65800f ("ip/l2tp: add JSON support") +Signed-off-by: Andrea Claudi +Signed-off-by: Stephen Hemminger +Conflict: NA +Reference: https://git.kernel.org/pub/scm/network/iproute2/iproute2.git/commit?id=2bb37e90177 +--- + ip/ipl2tp.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/ip/ipl2tp.c b/ip/ipl2tp.c +index 56972358..f1d574de 100644 +--- a/ip/ipl2tp.c ++++ b/ip/ipl2tp.c +@@ -258,7 +258,7 @@ static void print_tunnel(const struct l2tp_data *data) + NULL, p->udp6_csum_tx); + + print_bool(PRINT_JSON, "checksum_rx", +- NULL, p->udp6_csum_tx); ++ NULL, p->udp6_csum_rx); + } else { + printf(" UDP checksum: %s%s%s%s\n", + p->udp6_csum_tx && p->udp6_csum_rx +-- +2.23.0 + diff --git a/backport-libnetlink-fix-socket-leak-in-rtnl_open_byproto.patch b/backport-libnetlink-fix-socket-leak-in-rtnl_open_byproto.patch new file mode 100644 index 0000000000000000000000000000000000000000..002a09ce5f6d8ddc7740daa31d81e9f17aa12574 --- /dev/null +++ b/backport-libnetlink-fix-socket-leak-in-rtnl_open_byproto.patch @@ -0,0 +1,75 @@ +From f8beda6e00e57b8f875442351f91e5c01530ad8e Mon Sep 17 00:00:00 2001 +From: Maxim Petrov +Date: Tue, 8 Feb 2022 20:20:45 +0300 +Subject: [PATCH] libnetlink: fix socket leak in rtnl_open_byproto() + +rtnl_open_byproto() does not close the opened socket in case of +errors, and the socket is returned to the caller in the `fd` field of +the struct. However, none of the callers care about the socket, so +close it in the function immediately to avoid any potential resource +leaks. + +Signed-off-by: Maxim Petrov +Signed-off-by: Stephen Hemminger +Conflict: NA +Reference: https://git.kernel.org/pub/scm/network/iproute2/iproute2.git/commit?id=f8beda6e00e +--- + lib/libnetlink.c | 15 +++++++++------ + 1 file changed, 9 insertions(+), 6 deletions(-) + +diff --git a/lib/libnetlink.c b/lib/libnetlink.c +index 7e977a67..6d1b1187 100644 +--- a/lib/libnetlink.c ++++ b/lib/libnetlink.c +@@ -210,13 +210,13 @@ int rtnl_open_byproto(struct rtnl_handle *rth, unsigned int subscriptions, + if (setsockopt(rth->fd, SOL_SOCKET, SO_SNDBUF, + &sndbuf, sizeof(sndbuf)) < 0) { + perror("SO_SNDBUF"); +- return -1; ++ goto err; + } + + if (setsockopt(rth->fd, SOL_SOCKET, SO_RCVBUF, + &rcvbuf, sizeof(rcvbuf)) < 0) { + perror("SO_RCVBUF"); +- return -1; ++ goto err; + } + + /* Older kernels may no support extended ACK reporting */ +@@ -230,25 +230,28 @@ int rtnl_open_byproto(struct rtnl_handle *rth, unsigned int subscriptions, + if (bind(rth->fd, (struct sockaddr *)&rth->local, + sizeof(rth->local)) < 0) { + perror("Cannot bind netlink socket"); +- return -1; ++ goto err; + } + addr_len = sizeof(rth->local); + if (getsockname(rth->fd, (struct sockaddr *)&rth->local, + &addr_len) < 0) { + perror("Cannot getsockname"); +- return -1; ++ goto err; + } + if (addr_len != sizeof(rth->local)) { + fprintf(stderr, "Wrong address length %d\n", addr_len); +- return -1; ++ goto err; + } + if (rth->local.nl_family != AF_NETLINK) { + fprintf(stderr, "Wrong address family %d\n", + rth->local.nl_family); +- return -1; ++ goto err; + } + rth->seq = time(NULL); + return 0; ++err: ++ rtnl_close(rth); ++ return -1; + } + + int rtnl_open(struct rtnl_handle *rth, unsigned int subscriptions) +-- +2.23.0 + diff --git a/backport-lnstat-fix-buffer-overflow-in-header-output.patch b/backport-lnstat-fix-buffer-overflow-in-header-output.patch new file mode 100644 index 0000000000000000000000000000000000000000..48c1ecc16559318247303d5ea653ffb77619c369 --- /dev/null +++ b/backport-lnstat-fix-buffer-overflow-in-header-output.patch @@ -0,0 +1,37 @@ +From be31c2648487596f23096278dacd86bf88305a14 Mon Sep 17 00:00:00 2001 +From: "[200~jiangheng" +Date: Wed, 17 Nov 2021 13:41:10 -0800 +Subject: [PATCH] lnstat: fix buffer overflow in header output + +Running lnstat will cause core dump from reading past end of array. + +Segmentation fault (core dumped) + +The maximum value of th.num_lines is HDR_LINES(10), h should not be equal to th.num_lines, array th.hdr may be out of bounds. + +Signed-off-by jiangheng +Signed-off-by: Stephen Hemminger +Conflict: NA +Reference: https://git.kernel.org/pub/scm/network/iproute2/iproute2.git/commit?id=be31c264848 +--- + misc/lnstat.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/misc/lnstat.c b/misc/lnstat.c +index 89cb0e7e..98904d45 100644 +--- a/misc/lnstat.c ++++ b/misc/lnstat.c +@@ -210,8 +210,9 @@ static struct table_hdr *build_hdr_string(struct lnstat_file *lnstat_files, + } + ofs += width+1; + } ++ + /* fill in spaces */ +- for (h = 1; h <= th.num_lines; h++) { ++ for (h = 1; h < th.num_lines; h++) { + for (i = 0; i < ofs; i++) { + if (th.hdr[h][i] == '\0') + th.hdr[h][i] = ' '; +-- +2.23.0 + diff --git a/backport-lnstat-fix-strdup-leak-in-w-argument-parsing.patch b/backport-lnstat-fix-strdup-leak-in-w-argument-parsing.patch new file mode 100644 index 0000000000000000000000000000000000000000..e0815a35fde5da33f15872bdceadfced9c5045e9 --- /dev/null +++ b/backport-lnstat-fix-strdup-leak-in-w-argument-parsing.patch @@ -0,0 +1,32 @@ +From cc143bda6bcec20d073f42162f06dde8998551d4 Mon Sep 17 00:00:00 2001 +From: Maxim Petrov +Date: Tue, 15 Feb 2022 23:53:47 +0300 +Subject: [PATCH] lnstat: fix strdup leak in -w argument parsing + +'tmp' string is used for safe tokenizing, but it is not required after +getting all the widths in -w option. As 'tmp' string is obtained by strdup +call, the caller has to deallocate it to avoid memory leak. + +Signed-off-by: Maxim Petrov +Signed-off-by: Stephen Hemminger +Conflict: NA +Reference: https://git.kernel.org/pub/scm/network/iproute2/iproute2.git/commit?id=cc143bda6bc +--- + misc/lnstat.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/misc/lnstat.c b/misc/lnstat.c +index 98904d45..c3293a8e 100644 +--- a/misc/lnstat.c ++++ b/misc/lnstat.c +@@ -331,6 +331,7 @@ int main(int argc, char **argv) + for (i = 0; i < MAX_FIELDS; i++) + fp.params[i].print.width = len; + } ++ free(tmp); + break; + default: + usage(argv[0], 1); +-- +2.23.0 + diff --git a/backport-q_cake-allow-changing-to-diffserv3.patch b/backport-q_cake-allow-changing-to-diffserv3.patch new file mode 100644 index 0000000000000000000000000000000000000000..697aa5456a70aaff1a86fcf1cc61148bbb045998 --- /dev/null +++ b/backport-q_cake-allow-changing-to-diffserv3.patch @@ -0,0 +1,49 @@ +From eb4206ecd0342ff92b1a85b7dae3d4fd1b5be1c6 Mon Sep 17 00:00:00 2001 +From: Kevin Bracey +Date: Thu, 6 Jan 2022 13:16:04 +0200 +Subject: [PATCH] q_cake: allow changing to diffserv3 +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +A diffserv3 option (enum value 0) was never sent to the kernel, so it +was not possible to use "tc qdisc change" to select it. + +This also meant that were also relying on the kernel's default being +diffserv3 when adding. If the default were to change, we wouldn't have +been able to request diffserv3 explicitly. + +Signed-off-by: Kevin Bracey +Acked-by: Toke Høiland-Jørgensen +Signed-off-by: Stephen Hemminger +Conflict: NA +Reference: https://git.kernel.org/pub/scm/network/iproute2/iproute2.git/commit?id=eb4206ecd03 +--- + tc/q_cake.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/tc/q_cake.c b/tc/q_cake.c +index 4cfc1c00..c438b765 100644 +--- a/tc/q_cake.c ++++ b/tc/q_cake.c +@@ -95,7 +95,7 @@ static int cake_parse_opt(struct qdisc_util *qu, int argc, char **argv, + bool overhead_override = false; + bool overhead_set = false; + unsigned int interval = 0; +- unsigned int diffserv = 0; ++ int diffserv = -1; + unsigned int memlimit = 0; + unsigned int fwmark = 0; + unsigned int target = 0; +@@ -356,7 +356,7 @@ static int cake_parse_opt(struct qdisc_util *qu, int argc, char **argv, + if (bandwidth || unlimited) + addattr_l(n, 1024, TCA_CAKE_BASE_RATE64, &bandwidth, + sizeof(bandwidth)); +- if (diffserv) ++ if (diffserv != -1) + addattr_l(n, 1024, TCA_CAKE_DIFFSERV_MODE, &diffserv, + sizeof(diffserv)); + if (atm != -1) +-- +2.23.0 + diff --git a/backport-tc-em_u32-fix-offset-parsing.patch b/backport-tc-em_u32-fix-offset-parsing.patch new file mode 100644 index 0000000000000000000000000000000000000000..6929b156e1313a314b37e3eb0efaacd9690d9132 --- /dev/null +++ b/backport-tc-em_u32-fix-offset-parsing.patch @@ -0,0 +1,63 @@ +From b84fc3321c6adaf76f36cf7ef0e17389bdf31500 Mon Sep 17 00:00:00 2001 +From: Andrea Claudi +Date: Fri, 6 May 2022 22:11:46 +0200 +Subject: [PATCH] tc: em_u32: fix offset parsing + +tc u32 ematch offset parsing might fail even if nexthdr offset is +aligned to 4. The issue can be reproduced with the following script: + +tc qdisc del dev dummy0 root +tc qdisc add dev dummy0 root handle 1: htb r2q 1 default 1 +tc class add dev dummy0 parent 1:1 classid 1:108 htb quantum 1000000 \ + rate 1.00mbit ceil 10.00mbit burst 6k + +while true; do +if ! tc filter add dev dummy0 protocol all parent 1: prio 1 basic match \ + "meta(vlan mask 0xfff eq 1)" and "u32(u32 0x20011002 0xffffffff \ + at nexthdr+8)" flowid 1:108; then + exit 0 +fi +done + +which we expect to produce an endless loop. +With the current code, instead, this ends with: + +u32: invalid offset alignment, must be aligned to 4. +... meta(vlan mask 0xfff eq 1) and >>u32(u32 0x20011002 0xffffffff at nexthdr+8)<< ... +... u32(u32 0x20011002 0xffffffff at >>nexthdr+8<<)... +Usage: u32(ALIGN VALUE MASK at [ nexthdr+ ] OFFSET) +where: ALIGN := { u8 | u16 | u32 } + +Example: u32(u16 0x1122 0xffff at nexthdr+4) +Illegal "ematch" + +This is caused by memcpy copying into buf an unterminated string. + +Fix it using strncpy instead of memcpy. + +Fixes: commit 311b41454dc4 ("Add new extended match files.") +Reported-by: Alfred Yang +Signed-off-by: Andrea Claudi +Signed-off-by: Stephen Hemminger +Conflict: NA +Reference: https://git.kernel.org/pub/scm/network/iproute2/iproute2.git/commit?id=b84fc3321c6 +--- + tc/em_u32.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/tc/em_u32.c b/tc/em_u32.c +index bc284af4..ea2bf882 100644 +--- a/tc/em_u32.c ++++ b/tc/em_u32.c +@@ -84,7 +84,7 @@ static int u32_parse_eopt(struct nlmsghdr *n, struct tcf_ematch_hdr *hdr, + char buf[a->len - nh_len + 1]; + + offmask = -1; +- memcpy(buf, a->data + nh_len, a->len - nh_len); ++ strncpy(buf, a->data + nh_len, a->len - nh_len + 1); + offset = strtoul(buf, NULL, 0); + } else if (!bstrcmp(a, "nexthdr+")) { + a = bstr_next(a); +-- +2.23.0 + diff --git a/backport-tc-flower-Fix-buffer-overflow-on-large-labels.patch b/backport-tc-flower-Fix-buffer-overflow-on-large-labels.patch new file mode 100644 index 0000000000000000000000000000000000000000..4bebf76b7937c23f24a2bea7076ae75617d73b93 --- /dev/null +++ b/backport-tc-flower-Fix-buffer-overflow-on-large-labels.patch @@ -0,0 +1,38 @@ +From 73590d9573148804034a88ceb2f6b7ca1545561f Mon Sep 17 00:00:00 2001 +From: Paul Blakey +Date: Sun, 5 Dec 2021 15:20:25 +0200 +Subject: [PATCH] tc: flower: Fix buffer overflow on large labels + +Buffer is 64bytes, but label printing can take 66bytes printing +in hex, and will overflow when setting the string delimiter ('\0'). + +Fix that by increasing the print buffer size. + +Example of overflowing ct_label: +ct_label 11111111111111111111111111111111/11111111111111111111111111111111 + +Fixes: 2fffb1c03056 ("tc: flower: Add matching on conntrack info") +Signed-off-by: Paul Blakey +Signed-off-by: Stephen Hemminger +Conflict: NA +Reference: https://git.kernel.org/pub/scm/network/iproute2/iproute2.git/commit?id=73590d95731 +--- + tc/f_flower.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/tc/f_flower.c b/tc/f_flower.c +index 7f78195f..6d70b92a 100644 +--- a/tc/f_flower.c ++++ b/tc/f_flower.c +@@ -2195,7 +2195,7 @@ static void flower_print_ct_label(struct rtattr *attr, + const unsigned char *str; + bool print_mask = false; + int data_len, i; +- SPRINT_BUF(out); ++ char out[128]; + char *p; + + if (!attr) +-- +2.23.0 + diff --git a/backport-tc_util-Fix-parsing-action-control-with-space-and-sl.patch b/backport-tc_util-Fix-parsing-action-control-with-space-and-sl.patch new file mode 100644 index 0000000000000000000000000000000000000000..1a939961b2c854920f62cfba132ba63ce5730b82 --- /dev/null +++ b/backport-tc_util-Fix-parsing-action-control-with-space-and-sl.patch @@ -0,0 +1,54 @@ +From 7f70eb2a8b2c451683c801b23b25f34071a8882f Mon Sep 17 00:00:00 2001 +From: Roi Dayan +Date: Thu, 3 Feb 2022 14:20:46 +0200 +Subject: [PATCH] tc_util: Fix parsing action control with space and slash + +For action police there is an conform-exceed action control +which can be for example "jump 2 / pipe". +The current parsing loop is doing one more iteration than necessary +and results in ok var being 3. + +Example filter: + +tc filter add dev enp8s0f0_0 ingress protocol ip prio 2 flower \ + verbose action police rate 100mbit burst 12m \ + conform-exceed jump 1 / pipe mirred egress redirect dev enp8s0f0_1 action drop + +Before this change the command will fail. +Trying to add another "pipe" before mirred as a workaround for the stopping the loop +in ok var 3 resulting in result2 not being saved and wrong filter. + +... conform-exceed jump 1 / pipe pipe mirred ... + +Example dump of the action part: +... action order 1: police 0x1 rate 100Mbit burst 12Mb mtu 2Kb action jump 1 overhead 0b ... + +Fix the behavior by removing redundant case 2 handling, either argc is over or breaking. + +Example dump of the action part with the fix: +... action order 1: police 0x1 rate 100Mbit burst 12Mb mtu 2Kb action jump 1/pipe overhead 0b ... + +Signed-off-by: Roi Dayan +Reviewed-by: Maor Dickman +Signed-off-by: Stephen Hemminger +Conflict: NA +Reference: https://git.kernel.org/pub/scm/network/iproute2/iproute2.git/commit?id=7f70eb2a8b2 +--- + tc/tc_util.c | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/tc/tc_util.c b/tc/tc_util.c +index 48065897..b82dbd5d 100644 +--- a/tc/tc_util.c ++++ b/tc/tc_util.c +@@ -476,7 +476,6 @@ static int parse_action_control_slash_spaces(int *argc_p, char ***argv_p, + NEXT_ARG(); + /* fall-through */ + case 0: /* fall-through */ +- case 2: + ret = parse_action_control(&argc, &argv, + result_p, allow_num); + if (ret) +-- +2.23.0 + diff --git a/backport-tipc-fix-keylen-check.patch b/backport-tipc-fix-keylen-check.patch new file mode 100644 index 0000000000000000000000000000000000000000..24f2c9ae1363d750bcd5088e04f737b430bc71f7 --- /dev/null +++ b/backport-tipc-fix-keylen-check.patch @@ -0,0 +1,44 @@ +From 4429a6c9b484bc02dfab1e020a9b6f9f77370331 Mon Sep 17 00:00:00 2001 +From: Andrea Claudi +Date: Fri, 13 May 2022 11:52:30 +0200 +Subject: [PATCH] tipc: fix keylen check + +Key length check in str2key() is wrong for hex. Fix this using the +proper hex key length. + +Fixes: 28ee49e5153b ("tipc: bail out if key is abnormally long") +Suggested-by: Xin Long +Signed-off-by: Andrea Claudi +Signed-off-by: Stephen Hemminger +Conflict: NA +Reference: https://git.kernel.org/pub/scm/network/iproute2/iproute2.git/commit?id=4429a6c9b48 +--- + tipc/misc.c | 5 ++--- + 1 file changed, 2 insertions(+), 3 deletions(-) + +diff --git a/tipc/misc.c b/tipc/misc.c +index 909975d8..6175bf07 100644 +--- a/tipc/misc.c ++++ b/tipc/misc.c +@@ -113,16 +113,15 @@ int str2key(char *str, struct tipc_aead_key *key) + } + } + +- if (len > TIPC_AEAD_KEYLEN_MAX) ++ key->keylen = ishex ? (len + 1) / 2 : len; ++ if (key->keylen > TIPC_AEAD_KEYLEN_MAX) + return -1; + + /* Obtain key: */ + if (!ishex) { +- key->keylen = len; + memcpy(key->key, str, len); + } else { + /* Convert hex string to key */ +- key->keylen = (len + 1) / 2; + for (i = 0; i < key->keylen; i++) { + if (i == 0 && len % 2 != 0) { + if (sscanf(str, "%1hhx", &key->key[0]) != 1) +-- +2.23.0 + diff --git a/iproute.spec b/iproute.spec index 3791c6e9cb1a64440e5fed19b36306fdf74c7269..cf9ceff86b8de4007af5be041557ab30ac906a67 100644 --- a/iproute.spec +++ b/iproute.spec @@ -1,6 +1,6 @@ Name: iproute Version: 5.15.0 -Release: 3 +Release: 4 Summary: Linux network configuration utilities License: GPLv2+ and Public Domain URL: https://kernel.org/pub/linux/utils/net/iproute2/ @@ -9,6 +9,19 @@ Source0: https://mirrors.edge.kernel.org/pub/linux/utils/net/iproute2/iproute2-% Patch1: bugfix-iproute2-3.10.0-fix-maddr-show.patch Patch2: bugfix-iproute2-change-proc-to-ipnetnsproc-which-is-private.patch +Patch6000: backport-devlink-fix-devlink-health-dump-command-without-arg.patch +Patch6001: backport-ip-Fix-size_columns-for-very-large-values.patch +Patch6002: backport-ip-Fix-size_columns-invocation-that-passes-a-32-bit-.patch +Patch6003: backport-l2tp-fix-typo-in-AF_INET6-checksum-JSON-print.patch +Patch6004: backport-libnetlink-fix-socket-leak-in-rtnl_open_byproto.patch +Patch6005: backport-lnstat-fix-buffer-overflow-in-header-output.patch +Patch6006: backport-lnstat-fix-strdup-leak-in-w-argument-parsing.patch +Patch6007: backport-q_cake-allow-changing-to-diffserv3.patch +Patch6008: backport-tc-em_u32-fix-offset-parsing.patch +Patch6009: backport-tc-flower-Fix-buffer-overflow-on-large-labels.patch +Patch6010: backport-tc_util-Fix-parsing-action-control-with-space-and-sl.patch +Patch6011: backport-tipc-fix-keylen-check.patch + BuildRequires: gcc bison elfutils-libelf-devel flex iptables-devel BuildRequires: libmnl-devel libselinux-devel pkgconfig libbpf-devel Requires: libbpf psmisc @@ -76,6 +89,23 @@ install -m 0644 lib/libnetlink.a %{buildroot}%{_libdir}/libnetlink.a %{_mandir}/* %changelog +* Fri Aug 26 2022 sunsuwan - 5.15.0-4 +- Type:bugfix +- ID:NA +- SUG:NA +- DESC:lnstat: fix buffer overflow in header output + libnetlink: fix socket leak in rtnl_open_byptoyo + lnstat: fix strdup leak in w argument parsing + q_cake: allow fix buffer overflow on large labels + tc flower: fix buffer overflow on large labels + tc_tuil: fix parsing action control with space and sl + tipc: fix keylen check + fix devlink health dump command without arg + tc: em_u32: fix offset parsing + l2tp fix typo in AF_INET6 checksum JSON print + ip: Fix size_columns() for very large values + ip: Fix size_columns() invocation that passes a 32-bit quantity + * Tue Mar 01 2022 jiangheng - 5.15.0-3 - Type:bugfix - ID:NA