packages/iproute
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

backport some patches from community

Browse Source
This commit is contained in:
sunsuwan 2022-08-26 17:33:43 +08:00
parent a7dcf9f68c
commit 8ae1c347e2
13 changed files with 626 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

68
backport-devlink-fix-devlink-health-dump-command-without-arg.patch Normal file
View File

@ -0,0 +1,68 @@
From e81fd551a1a0ffa7983d25f5e756a5c5b6cb4a9a Mon Sep 17 00:00:00 2001
From: Jiri Pirko <jiri@nvidia.com>
Date: Tue, 19 Apr 2022 19:15:11 +0200
Subject: [PATCH] devlink: fix "devlink health dump" command without arg
Fix bug when user calls "devlink health dump" without "show" or "clear":
$ devlink health dump
Command "(null)" not found
Put the dump command into a separate helper as it is usual in the rest
of the code. Also, treat no cmd as "show", as it is common for other
devlink objects.
Fixes: 041e6e651a8e ("devlink: Add devlink health dump show command")
Signed-off-by: Jiri Pirko <jiri@nvidia.com>
Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
Conflict: NA
Reference: https://git.kernel.org/pub/scm/network/iproute2/iproute2.git/commit?id=e81fd551a1a
---
devlink/devlink.c | 25 ++++++++++++++++++-------
1 file changed, 18 insertions(+), 7 deletions(-)
diff --git a/devlink/devlink.c b/devlink/devlink.c
index da9f9778..aab739f7 100644
--- a/devlink/devlink.c
+++ b/devlink/devlink.c
@@ -8526,6 +8526,23 @@ static void cmd_health_help(void)
pr_err(" [ auto_dump { true | false } ]\n");
}
+static int cmd_health_dump(struct dl *dl)
+{
+ if (dl_argv_match(dl, "help")) {
+ cmd_health_help();
+ return 0;
+ } else if (dl_argv_match(dl, "show") ||
+ dl_argv_match(dl, "list") || dl_no_arg(dl)) {
+ dl_arg_inc(dl);
+ return cmd_health_dump_show(dl);
+ } else if (dl_argv_match(dl, "clear")) {
+ dl_arg_inc(dl);
+ return cmd_health_dump_clear(dl);
+ }
+ pr_err("Command \"%s\" not found\n", dl_argv(dl));
+ return -ENOENT;
+}
+
static int cmd_health(struct dl *dl)
{
if (dl_argv_match(dl, "help")) {
@@ -8546,13 +8563,7 @@ static int cmd_health(struct dl *dl)
return cmd_health_test(dl);
} else if (dl_argv_match(dl, "dump")) {
dl_arg_inc(dl);
- if (dl_argv_match(dl, "show")) {
- dl_arg_inc(dl);
- return cmd_health_dump_show(dl);
- } else if (dl_argv_match(dl, "clear")) {
- dl_arg_inc(dl);
- return cmd_health_dump_clear(dl);
- }
+ return cmd_health_dump(dl);
} else if (dl_argv_match(dl, "set")) {
dl_arg_inc(dl);
return cmd_health_set_params(dl);
--
2.23.0

47
backport-ip-Fix-size_columns-for-very-large-values.patch Normal file
View File

@ -0,0 +1,47 @@
From 024103923a5c826e40c993be4ee2ada5536cb66a Mon Sep 17 00:00:00 2001
From: Petr Machata <petrm@nvidia.com>
Date: Mon, 27 Jun 2022 15:18:21 +0200
Subject: [PATCH] ip: Fix size_columns() for very large values
For values near the 64-bit boundary, the iterative application of
powi *= 10 causes powi to overflow without the termination condition of
powi >= val having ever been satisfied. Instead, when determining the
length of the number, iterate val /= 10 and terminate when it's a single
digit.
Fixes: 49437375b6c1 ("ip: dynamically size columns when printing stats")
CC: Tariq Toukan <tariqt@nvidia.com>
CC: Itay Aveksis <itayav@nvidia.com>
Signed-off-by: Petr Machata <petrm@nvidia.com>
Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
Conflict: void size_columns to static void size_colunms
Reference: https://git.kernel.org/pub/scm/network/iproute2/iproute2.git/commit?id=024103923a5
---
ip/ipaddress.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/ip/ipaddress.c b/ip/ipaddress.c
index 17341d28..5a3b1cae 100644
--- a/ip/ipaddress.c
+++ b/ip/ipaddress.c
@@ -549,7 +549,7 @@ static void print_vfinfo(FILE *fp, struct ifinfomsg *ifi, struct rtattr *vfinfo)
static void size_columns(unsigned int cols[], unsigned int n, ...)
{
unsigned int i, len;
- uint64_t val, powi;
+ uint64_t val;
va_list args;
va_start(args, n);
@@ -560,7 +560,7 @@ void size_columns(unsigned int cols[], unsigned int n, ...)
if (human_readable)
continue;
- for (len = 1, powi = 10; powi < val; len++, powi *= 10)
+ for (len = 1; val > 9; len++, val /= 10)
/* nothing */;
if (len > cols[i])
cols[i] = len;
--
2.23.0

53
backport-ip-Fix-size_columns-invocation-that-passes-a-32-bit-.patch Normal file
View File

@ -0,0 +1,53 @@
From 329fda1861560b06e60a7bd1004647bb65708295 Mon Sep 17 00:00:00 2001
From: Petr Machata <petrm@nvidia.com>
Date: Tue, 28 Jun 2022 12:17:31 +0200
Subject: [PATCH] ip: Fix size_columns() invocation that passes a 32-bit
quantity
In print_stats64(), the last size_columns() invocation passes number of
carrier changes as one of the arguments. The value is decoded as a 32-bit
quantity, but size_columns() expects a 64-bit one. This is undefined
behavior.
The reason valgrind does not cite this is that the previous size_columns()
invocations prime the ABI area used for the value transfer. When these
other invocations are commented away, valgrind does complain that
"conditional jump or move depends on uninitialised value", as would be
expected.
Fixes: 49437375b6c1 ("ip: dynamically size columns when printing stats")
Signed-off-by: Petr Machata <petrm@nvidia.com>
Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
Conflict: NA
Reference: https://git.kernel.org/pub/scm/network/iproute2/iproute2.git/commit?id=329fda18615
---
ip/ipaddress.c | 10 ++++++----
1 file changed, 6 insertions(+), 4 deletions(-)
diff --git a/ip/ipaddress.c b/ip/ipaddress.c
index 5a3b1cae..a288341c 100644
--- a/ip/ipaddress.c
+++ b/ip/ipaddress.c
@@ -783,13 +783,15 @@ void print_stats64(FILE *fp, struct rtnl_link_stats64 *s,
s->tx_bytes, s->tx_packets, s->tx_errors,
s->tx_dropped, s->tx_carrier_errors,
s->collisions, s->tx_compressed);
- if (show_stats > 1)
+ if (show_stats > 1) {
+ uint64_t cc = carrier_changes ?
+ rta_getattr_u32(carrier_changes) : 0;
+
size_columns(cols, ARRAY_SIZE(cols), 0, 0,
s->tx_aborted_errors, s->tx_fifo_errors,
s->tx_window_errors,
- s->tx_heartbeat_errors,
- carrier_changes ?
- rta_getattr_u32(carrier_changes) : 0);
+ s->tx_heartbeat_errors, cc);
+ }
/* RX stats */
fprintf(fp, " RX: %*s %*s %*s %*s %*s %*s %*s%s",
--
2.23.0

35
backport-l2tp-fix-typo-in-AF_INET6-checksum-JSON-print.patch Normal file
View File

@ -0,0 +1,35 @@
From 2bb37e90177cae1b92284a943123b0575505141f Mon Sep 17 00:00:00 2001
From: Andrea Claudi <aclaudi@redhat.com>
Date: Tue, 21 Jun 2022 18:53:08 +0200
Subject: [PATCH] l2tp: fix typo in AF_INET6 checksum JSON print
In print_tunnel json output, a typo makes it impossible to know the
value of udp6_csum_rx, printing instead udp6_csum_tx two times.
Fixed getting rid of the typo.
Fixes: 98453b65800f ("ip/l2tp: add JSON support")
Signed-off-by: Andrea Claudi <aclaudi@redhat.com>
Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
Conflict: NA
Reference: https://git.kernel.org/pub/scm/network/iproute2/iproute2.git/commit?id=2bb37e90177
---
ip/ipl2tp.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/ip/ipl2tp.c b/ip/ipl2tp.c
index 56972358..f1d574de 100644
--- a/ip/ipl2tp.c
+++ b/ip/ipl2tp.c
@@ -258,7 +258,7 @@ static void print_tunnel(const struct l2tp_data *data)
NULL, p->udp6_csum_tx);
print_bool(PRINT_JSON, "checksum_rx",
- NULL, p->udp6_csum_tx);
+ NULL, p->udp6_csum_rx);
} else {
printf(" UDP checksum: %s%s%s%s\n",
p->udp6_csum_tx && p->udp6_csum_rx
--
2.23.0

75
backport-libnetlink-fix-socket-leak-in-rtnl_open_byproto.patch Normal file
View File

@ -0,0 +1,75 @@
From f8beda6e00e57b8f875442351f91e5c01530ad8e Mon Sep 17 00:00:00 2001
From: Maxim Petrov <mmrmaximuzz@gmail.com>
Date: Tue, 8 Feb 2022 20:20:45 +0300
Subject: [PATCH] libnetlink: fix socket leak in rtnl_open_byproto()
rtnl_open_byproto() does not close the opened socket in case of
errors, and the socket is returned to the caller in the `fd` field of
the struct. However, none of the callers care about the socket, so
close it in the function immediately to avoid any potential resource
leaks.
Signed-off-by: Maxim Petrov <mmrmaximuzz@gmail.com>
Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
Conflict: NA
Reference: https://git.kernel.org/pub/scm/network/iproute2/iproute2.git/commit?id=f8beda6e00e
---
lib/libnetlink.c | 15 +++++++++------
1 file changed, 9 insertions(+), 6 deletions(-)
diff --git a/lib/libnetlink.c b/lib/libnetlink.c
index 7e977a67..6d1b1187 100644
--- a/lib/libnetlink.c
+++ b/lib/libnetlink.c
@@ -210,13 +210,13 @@ int rtnl_open_byproto(struct rtnl_handle *rth, unsigned int subscriptions,
if (setsockopt(rth->fd, SOL_SOCKET, SO_SNDBUF,
&sndbuf, sizeof(sndbuf)) < 0) {
perror("SO_SNDBUF");
- return -1;
+ goto err;
}
if (setsockopt(rth->fd, SOL_SOCKET, SO_RCVBUF,
&rcvbuf, sizeof(rcvbuf)) < 0) {
perror("SO_RCVBUF");
- return -1;
+ goto err;
}
/* Older kernels may no support extended ACK reporting */
@@ -230,25 +230,28 @@ int rtnl_open_byproto(struct rtnl_handle *rth, unsigned int subscriptions,
if (bind(rth->fd, (struct sockaddr *)&rth->local,
sizeof(rth->local)) < 0) {
perror("Cannot bind netlink socket");
- return -1;
+ goto err;
}
addr_len = sizeof(rth->local);
if (getsockname(rth->fd, (struct sockaddr *)&rth->local,
&addr_len) < 0) {
perror("Cannot getsockname");
- return -1;
+ goto err;
}
if (addr_len != sizeof(rth->local)) {
fprintf(stderr, "Wrong address length %d\n", addr_len);
- return -1;
+ goto err;
}
if (rth->local.nl_family != AF_NETLINK) {
fprintf(stderr, "Wrong address family %d\n",
rth->local.nl_family);
- return -1;
+ goto err;
}
rth->seq = time(NULL);
return 0;
+err:
+ rtnl_close(rth);
+ return -1;
}
int rtnl_open(struct rtnl_handle *rth, unsigned int subscriptions)
--
2.23.0

37
backport-lnstat-fix-buffer-overflow-in-header-output.patch Normal file
View File

@ -0,0 +1,37 @@
From be31c2648487596f23096278dacd86bf88305a14 Mon Sep 17 00:00:00 2001
From: "[200~jiangheng" <jiangheng12@huawei.com>
Date: Wed, 17 Nov 2021 13:41:10 -0800
Subject: [PATCH] lnstat: fix buffer overflow in header output
Running lnstat will cause core dump from reading past end of array.
Segmentation fault (core dumped)
The maximum value of th.num_lines is HDR_LINES(10), h should not be equal to th.num_lines, array th.hdr may be out of bounds.
Signed-off-by jiangheng <jiangheng12@huawei.com>
Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
Conflict: NA
Reference: https://git.kernel.org/pub/scm/network/iproute2/iproute2.git/commit?id=be31c264848
---
misc/lnstat.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/misc/lnstat.c b/misc/lnstat.c
index 89cb0e7e..98904d45 100644
--- a/misc/lnstat.c
+++ b/misc/lnstat.c
@@ -210,8 +210,9 @@ static struct table_hdr *build_hdr_string(struct lnstat_file *lnstat_files,
}
ofs += width+1;
}
+
/* fill in spaces */
- for (h = 1; h <= th.num_lines; h++) {
+ for (h = 1; h < th.num_lines; h++) {
for (i = 0; i < ofs; i++) {
if (th.hdr[h][i] == '\0')
th.hdr[h][i] = ' ';
--
2.23.0

32
backport-lnstat-fix-strdup-leak-in-w-argument-parsing.patch Normal file
View File

@ -0,0 +1,32 @@
From cc143bda6bcec20d073f42162f06dde8998551d4 Mon Sep 17 00:00:00 2001
From: Maxim Petrov <mmrmaximuzz@gmail.com>
Date: Tue, 15 Feb 2022 23:53:47 +0300
Subject: [PATCH] lnstat: fix strdup leak in -w argument parsing
'tmp' string is used for safe tokenizing, but it is not required after
getting all the widths in -w option. As 'tmp' string is obtained by strdup
call, the caller has to deallocate it to avoid memory leak.
Signed-off-by: Maxim Petrov <mmrmaximuzz@gmail.com>
Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
Conflict: NA
Reference: https://git.kernel.org/pub/scm/network/iproute2/iproute2.git/commit?id=cc143bda6bc
---
misc/lnstat.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/misc/lnstat.c b/misc/lnstat.c
index 98904d45..c3293a8e 100644
--- a/misc/lnstat.c
+++ b/misc/lnstat.c
@@ -331,6 +331,7 @@ int main(int argc, char **argv)
for (i = 0; i < MAX_FIELDS; i++)
fp.params[i].print.width = len;
}
+ free(tmp);
break;
default:
usage(argv[0], 1);
--
2.23.0

49
backport-q_cake-allow-changing-to-diffserv3.patch Normal file
View File

@ -0,0 +1,49 @@
From eb4206ecd0342ff92b1a85b7dae3d4fd1b5be1c6 Mon Sep 17 00:00:00 2001
From: Kevin Bracey <kevin@bracey.fi>
Date: Thu, 6 Jan 2022 13:16:04 +0200
Subject: [PATCH] q_cake: allow changing to diffserv3
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
A diffserv3 option (enum value 0) was never sent to the kernel, so it
was not possible to use "tc qdisc change" to select it.
This also meant that were also relying on the kernel's default being
diffserv3 when adding. If the default were to change, we wouldn't have
been able to request diffserv3 explicitly.
Signed-off-by: Kevin Bracey <kevin@bracey.fi>
Acked-by: Toke Høiland-Jørgensen <toke@toke.dk>
Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
Conflict: NA
Reference: https://git.kernel.org/pub/scm/network/iproute2/iproute2.git/commit?id=eb4206ecd03
---
tc/q_cake.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/tc/q_cake.c b/tc/q_cake.c
index 4cfc1c00..c438b765 100644
--- a/tc/q_cake.c
+++ b/tc/q_cake.c
@@ -95,7 +95,7 @@ static int cake_parse_opt(struct qdisc_util *qu, int argc, char **argv,
bool overhead_override = false;
bool overhead_set = false;
unsigned int interval = 0;
- unsigned int diffserv = 0;
+ int diffserv = -1;
unsigned int memlimit = 0;
unsigned int fwmark = 0;
unsigned int target = 0;
@@ -356,7 +356,7 @@ static int cake_parse_opt(struct qdisc_util *qu, int argc, char **argv,
if (bandwidth || unlimited)
addattr_l(n, 1024, TCA_CAKE_BASE_RATE64, &bandwidth,
sizeof(bandwidth));
- if (diffserv)
+ if (diffserv != -1)
addattr_l(n, 1024, TCA_CAKE_DIFFSERV_MODE, &diffserv,
sizeof(diffserv));
if (atm != -1)
--
2.23.0

63
backport-tc-em_u32-fix-offset-parsing.patch Normal file
View File

@ -0,0 +1,63 @@
From b84fc3321c6adaf76f36cf7ef0e17389bdf31500 Mon Sep 17 00:00:00 2001
From: Andrea Claudi <aclaudi@redhat.com>
Date: Fri, 6 May 2022 22:11:46 +0200
Subject: [PATCH] tc: em_u32: fix offset parsing
tc u32 ematch offset parsing might fail even if nexthdr offset is
aligned to 4. The issue can be reproduced with the following script:
tc qdisc del dev dummy0 root
tc qdisc add dev dummy0 root handle 1: htb r2q 1 default 1
tc class add dev dummy0 parent 1:1 classid 1:108 htb quantum 1000000 \
rate 1.00mbit ceil 10.00mbit burst 6k
while true; do
if ! tc filter add dev dummy0 protocol all parent 1: prio 1 basic match \
"meta(vlan mask 0xfff eq 1)" and "u32(u32 0x20011002 0xffffffff \
at nexthdr+8)" flowid 1:108; then
exit 0
fi
done
which we expect to produce an endless loop.
With the current code, instead, this ends with:
u32: invalid offset alignment, must be aligned to 4.
... meta(vlan mask 0xfff eq 1) and >>u32(u32 0x20011002 0xffffffff at nexthdr+8)<< ...
... u32(u32 0x20011002 0xffffffff at >>nexthdr+8<<)...
Usage: u32(ALIGN VALUE MASK at [ nexthdr+ ] OFFSET)
where: ALIGN := { u8 | u16 | u32 }
Example: u32(u16 0x1122 0xffff at nexthdr+4)
Illegal "ematch"
This is caused by memcpy copying into buf an unterminated string.
Fix it using strncpy instead of memcpy.
Fixes: commit 311b41454dc4 ("Add new extended match files.")
Reported-by: Alfred Yang <alf.redyoung@gmail.com>
Signed-off-by: Andrea Claudi <aclaudi@redhat.com>
Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
Conflict: NA
Reference: https://git.kernel.org/pub/scm/network/iproute2/iproute2.git/commit?id=b84fc3321c6
---
tc/em_u32.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/tc/em_u32.c b/tc/em_u32.c
index bc284af4..ea2bf882 100644
--- a/tc/em_u32.c
+++ b/tc/em_u32.c
@@ -84,7 +84,7 @@ static int u32_parse_eopt(struct nlmsghdr *n, struct tcf_ematch_hdr *hdr,
char buf[a->len - nh_len + 1];
offmask = -1;
- memcpy(buf, a->data + nh_len, a->len - nh_len);
+ strncpy(buf, a->data + nh_len, a->len - nh_len + 1);
offset = strtoul(buf, NULL, 0);
} else if (!bstrcmp(a, "nexthdr+")) {
a = bstr_next(a);
--
2.23.0

38
backport-tc-flower-Fix-buffer-overflow-on-large-labels.patch Normal file
View File

@ -0,0 +1,38 @@
From 73590d9573148804034a88ceb2f6b7ca1545561f Mon Sep 17 00:00:00 2001
From: Paul Blakey <paulb@nvidia.com>
Date: Sun, 5 Dec 2021 15:20:25 +0200
Subject: [PATCH] tc: flower: Fix buffer overflow on large labels
Buffer is 64bytes, but label printing can take 66bytes printing
in hex, and will overflow when setting the string delimiter ('\0').
Fix that by increasing the print buffer size.
Example of overflowing ct_label:
ct_label 11111111111111111111111111111111/11111111111111111111111111111111
Fixes: 2fffb1c03056 ("tc: flower: Add matching on conntrack info")
Signed-off-by: Paul Blakey <paulb@nvidia.com>
Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
Conflict: NA
Reference: https://git.kernel.org/pub/scm/network/iproute2/iproute2.git/commit?id=73590d95731
---
tc/f_flower.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/tc/f_flower.c b/tc/f_flower.c
index 7f78195f..6d70b92a 100644
--- a/tc/f_flower.c
+++ b/tc/f_flower.c
@@ -2195,7 +2195,7 @@ static void flower_print_ct_label(struct rtattr *attr,
const unsigned char *str;
bool print_mask = false;
int data_len, i;
- SPRINT_BUF(out);
+ char out[128];
char *p;
if (!attr)
--
2.23.0

54
backport-tc_util-Fix-parsing-action-control-with-space-and-sl.patch Normal file
View File

@ -0,0 +1,54 @@
From 7f70eb2a8b2c451683c801b23b25f34071a8882f Mon Sep 17 00:00:00 2001
From: Roi Dayan <roid@nvidia.com>
Date: Thu, 3 Feb 2022 14:20:46 +0200
Subject: [PATCH] tc_util: Fix parsing action control with space and slash
For action police there is an conform-exceed action control
which can be for example "jump 2 / pipe".
The current parsing loop is doing one more iteration than necessary
and results in ok var being 3.
Example filter:
tc filter add dev enp8s0f0_0 ingress protocol ip prio 2 flower \
verbose action police rate 100mbit burst 12m \
conform-exceed jump 1 / pipe mirred egress redirect dev enp8s0f0_1 action drop
Before this change the command will fail.
Trying to add another "pipe" before mirred as a workaround for the stopping the loop
in ok var 3 resulting in result2 not being saved and wrong filter.
... conform-exceed jump 1 / pipe pipe mirred ...
Example dump of the action part:
... action order 1: police 0x1 rate 100Mbit burst 12Mb mtu 2Kb action jump 1 overhead 0b ...
Fix the behavior by removing redundant case 2 handling, either argc is over or breaking.
Example dump of the action part with the fix:
... action order 1: police 0x1 rate 100Mbit burst 12Mb mtu 2Kb action jump 1/pipe overhead 0b ...
Signed-off-by: Roi Dayan <roid@nvidia.com>
Reviewed-by: Maor Dickman <maord@nvidia.com>
Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
Conflict: NA
Reference: https://git.kernel.org/pub/scm/network/iproute2/iproute2.git/commit?id=7f70eb2a8b2
---
tc/tc_util.c | 1 -
1 file changed, 1 deletion(-)
diff --git a/tc/tc_util.c b/tc/tc_util.c
index 48065897..b82dbd5d 100644
--- a/tc/tc_util.c
+++ b/tc/tc_util.c
@@ -476,7 +476,6 @@ static int parse_action_control_slash_spaces(int *argc_p, char ***argv_p,
NEXT_ARG();
/* fall-through */
case 0: /* fall-through */
- case 2:
ret = parse_action_control(&argc, &argv,
result_p, allow_num);
if (ret)
--
2.23.0

44
backport-tipc-fix-keylen-check.patch Normal file
View File

@ -0,0 +1,44 @@
From 4429a6c9b484bc02dfab1e020a9b6f9f77370331 Mon Sep 17 00:00:00 2001
From: Andrea Claudi <aclaudi@redhat.com>
Date: Fri, 13 May 2022 11:52:30 +0200
Subject: [PATCH] tipc: fix keylen check
Key length check in str2key() is wrong for hex. Fix this using the
proper hex key length.
Fixes: 28ee49e5153b ("tipc: bail out if key is abnormally long")
Suggested-by: Xin Long <lucien.xin@gmail.com>
Signed-off-by: Andrea Claudi <aclaudi@redhat.com>
Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
Conflict: NA
Reference: https://git.kernel.org/pub/scm/network/iproute2/iproute2.git/commit?id=4429a6c9b48
---
tipc/misc.c | 5 ++---
1 file changed, 2 insertions(+), 3 deletions(-)
diff --git a/tipc/misc.c b/tipc/misc.c
index 909975d8..6175bf07 100644
--- a/tipc/misc.c
+++ b/tipc/misc.c
@@ -113,16 +113,15 @@ int str2key(char *str, struct tipc_aead_key *key)
}
}
- if (len > TIPC_AEAD_KEYLEN_MAX)
+ key->keylen = ishex ? (len + 1) / 2 : len;
+ if (key->keylen > TIPC_AEAD_KEYLEN_MAX)
return -1;
/* Obtain key: */
if (!ishex) {
- key->keylen = len;
memcpy(key->key, str, len);
} else {
/* Convert hex string to key */
- key->keylen = (len + 1) / 2;
for (i = 0; i < key->keylen; i++) {
if (i == 0 && len % 2 != 0) {
if (sscanf(str, "%1hhx", &key->key[0]) != 1)
--
2.23.0

32
iproute.spec
View File

@ -1,6 +1,6 @@
Name: iproute
Version: 5.15.0
Release: 3
Release: 4
Summary: Linux network configuration utilities
License: GPLv2+ and Public Domain
URL: https://kernel.org/pub/linux/utils/net/iproute2/
@ -9,6 +9,19 @@ Source0: https://mirrors.edge.kernel.org/pub/linux/utils/net/iproute2/iproute2-%
Patch1: bugfix-iproute2-3.10.0-fix-maddr-show.patch
Patch2: bugfix-iproute2-change-proc-to-ipnetnsproc-which-is-private.patch
Patch6000: backport-devlink-fix-devlink-health-dump-command-without-arg.patch
Patch6001: backport-ip-Fix-size_columns-for-very-large-values.patch
Patch6002: backport-ip-Fix-size_columns-invocation-that-passes-a-32-bit-.patch
Patch6003: backport-l2tp-fix-typo-in-AF_INET6-checksum-JSON-print.patch
Patch6004: backport-libnetlink-fix-socket-leak-in-rtnl_open_byproto.patch
Patch6005: backport-lnstat-fix-buffer-overflow-in-header-output.patch
Patch6006: backport-lnstat-fix-strdup-leak-in-w-argument-parsing.patch
Patch6007: backport-q_cake-allow-changing-to-diffserv3.patch
Patch6008: backport-tc-em_u32-fix-offset-parsing.patch
Patch6009: backport-tc-flower-Fix-buffer-overflow-on-large-labels.patch
Patch6010: backport-tc_util-Fix-parsing-action-control-with-space-and-sl.patch
Patch6011: backport-tipc-fix-keylen-check.patch
BuildRequires: gcc bison elfutils-libelf-devel flex iptables-devel
BuildRequires: libmnl-devel libselinux-devel pkgconfig libbpf-devel
Requires: libbpf psmisc
@ -76,6 +89,23 @@ install -m 0644 lib/libnetlink.a %{buildroot}%{_libdir}/libnetlink.a
%{_mandir}/*
%changelog
* Fri Aug 26 2022 sunsuwan<sunsuwan3@huawei.com> - 5.15.0-4
- Type:bugfix
- ID:NA
- SUG:NA
- DESC:lnstat: fix buffer overflow in header output
libnetlink: fix socket leak in rtnl_open_byptoyo
lnstat: fix strdup leak in w argument parsing
q_cake: allow fix buffer overflow on large labels
tc flower: fix buffer overflow on large labels
tc_tuil: fix parsing action control with space and sl
tipc: fix keylen check
fix devlink health dump command without arg
tc: em_u32: fix offset parsing
l2tp fix typo in AF_INET6 checksum JSON print
ip: Fix size_columns() for very large values
ip: Fix size_columns() invocation that passes a 32-bit quantity
* Tue Mar 01 2022 jiangheng<jiangheng12@huawei.com> - 5.15.0-3
- Type:bugfix
- ID:NA