!58 update iputils version to 20211215

From: @yinyongkang 
Reviewed-by: @zengwefeng 
Signed-off-by: @zengwefeng
openeuler-ci-bot 2022-08-03 03:35:12 +00:00 committed by Gitee
commit 961be109a4
No known key found for this signature in database
GPG Key ID: 173E9B9CA92EEF8F
13 changed files with 10 additions and 717 deletions

@ -1,24 +0,0 @@
From 4c2dd9f020df2749bdff294756b04aafa99ad624 Mon Sep 17 00:00:00 2001
From: eaglegai <eaglegai@163.com>
Date: Fri, 18 Mar 2022 19:32:21 +0800
Subject: [PATCH] arping: Fix exit code on -w option when count * interval >
timeout
Signed-off-by: eaglegai <eaglegai@163.com>
---
arping.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/arping.c b/arping.c
index 20b0554b..fe79d2f8 100644
--- a/arping.c
+++ b/arping.c
@@ -850,7 +850,7 @@ static int event_loop(struct run_state *ctl)
else if (ctl->dad && ctl->quit_on_reply)
/* Duplicate address detection mode return value */
rc |= !(ctl->brd_sent != ctl->received);
- else if (ctl->timeout && !(ctl->count > 0))
+ else if (ctl->timeout && (!(ctl->count > 0) || (ctl->interval > ctl->timeout / ctl->count)))
rc |= !(ctl->received > 0);
else
rc |= (ctl->sent != ctl->received);
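
Review bot: The division in `ctl->interval > ctl->timeout / ctl->count` is safe from a zero count only because `!(ctl->count > 0)` sits to its left and short-circuits; nothing in the line says so, and reordering the operands later would introduce a divide-by-zero. Add a comment on that dependency, or split the test so the count check visibly guards the division. The branch also has no comment describing the exit-status case it covers, unlike the DAD branch above it, and the line is long enough to be worth wrapping.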

@ -1,60 +0,0 @@
From 854873bdd28fcdd9cc3fe0c2d29c083a07d07a86 Mon Sep 17 00:00:00 2001
From: Noah Meyerhans <noahm@debian.org>
Date: Wed, 16 Feb 2022 22:27:49 -0800
Subject: [PATCH] arping: exit 0 if running in deadline mode and we see replies
The arping behavior when running in deadline mode without a packet
count (-w without -c) should match that of ping: any replies indicate
that the host is up and should result in a zero (success) exit status.
Fixes: https://github.com/iputils/iputils/issues/392
Closes: https://github.com/iputils/iputils/pull/395
Reviewed-by: Petr Vorel <petr.vorel@gmail.com>
Signed-off-by: Noah Meyerhans <noahm@debian.org>
---
arping.c | 2 ++
doc/arping.xml | 14 +++++++-------
2 files changed, 9 insertions(+), 7 deletions(-)
diff --git a/arping.c b/arping.c
index efe3f53..c41ec74 100644
--- a/arping.c
+++ b/arping.c
@@ -822,6 +822,8 @@ static int event_loop(struct run_state *ctl)
else if (ctl->dad && ctl->quit_on_reply)
/* Duplicate address detection mode return value */
rc |= !(ctl->brd_sent != ctl->received);
+ else if (ctl->timeout && !(ctl->count > 0))
+ rc |= !(ctl->received > 0);
else
rc |= (ctl->sent != ctl->received);
return rc;
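
Review bot: The new `else if (ctl->timeout && !(ctl->count > 0))` branch in event_loop() has no comment, while the DAD branch directly above it explains its return value. A one-line comment saying that deadline mode without a count treats any reply as success would make the exit-status cases readable without the commit message. `!(ctl->count > 0)` would also read more plainly as `ctl->count <= 0`.
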
diff --git a/doc/arping.xml b/doc/arping.xml
index 711718f..9adbc0c 100644
--- a/doc/arping.xml
+++ b/doc/arping.xml
@@ -202,13 +202,13 @@ xml:id="man.arping">
<listitem>
<para>Specify a timeout, in seconds, before
<command>arping</command> exits regardless of how many
- packets have been sent or received. In this case
- <command>arping</command> does not stop after
- <emphasis remap='I'>count</emphasis> packet are sent, it
- waits either for
- <emphasis remap='I'>deadline</emphasis> expire or until
- <emphasis remap='I'>count</emphasis> probes are
- answered.</para>
+ packets have been sent or received. If any replies are
+ received, exit with status 0, otherwise status 1. When
+ combined with the <emphasis remap="I">count</emphasis>
+ option, exit with status 0 if <emphasis
+ remap="I">count</emphasis> replies are received before the
+ deadline expiration, otherwise status 1.
+ </para>
</listitem>
</varlistentry>
<varlistentry>
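
Review bot: The new -w paragraph promises status 0 "if count replies are received before the deadline expiration", but the fall-through branch kept in the arping.c hunk of this same patch computes `rc |= (ctl->sent != ctl->received)`, which compares replies against probes sent rather than against count. Either word the paragraph in terms of sent versus received, or confirm that sent equals count whenever the deadline fires first. The added `<emphasis` / `remap="I">` tag is also split across two lines and switches from the single quotes of the removed text to double quotes.
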
--
2.27.0

@ -1,32 +0,0 @@
From 8a6a2ce3cd0cdf69f0551a3a1e598a191561d18e Mon Sep 17 00:00:00 2001
From: Noah Meyerhans <noahm@debian.org>
Date: Wed, 16 Feb 2022 22:25:30 -0800
Subject: [PATCH] arping: fix typo in error checking
When attempting to check the return value of timerfd_create(), we were
not checking the value of the variable containing the return value.
Fixes: e594ca5 ("arping: use additional timerfd to control when timeout happens")
Reviewed-by: Petr Vorel <petr.vorel@gmail.com>
Signed-off-by: Noah Meyerhans <noahm@debian.org>
---
arping.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/arping.c b/arping.c
index 53fdbb4..efe3f53 100644
--- a/arping.c
+++ b/arping.c
@@ -733,7 +733,7 @@ static int event_loop(struct run_state *ctl)
/* timeout timerfd */
timeoutfd = timerfd_create(CLOCK_MONOTONIC, 0);
- if (tfd == -1) {
+ if (timeoutfd == -1) {
error(0, errno, "timerfd_create failed");
return 1;
}
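
Review bot: With the check now on `timeoutfd`, the message `"timerfd_create failed"` still does not say which timer failed, and the removed line shows a second descriptor, `tfd`, in the same function. Naming the timeout timer in the message would make the two failures distinguishable. It is also worth checking whether this `return 1` path should close descriptors opened earlier in event_loop().
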
--
2.27.0

@ -1,96 +0,0 @@
From 4646703f6d8eb46355752ec033945405ca482d4e Mon Sep 17 00:00:00 2001
From: Ralf Baechle <ralf@linux-mips.org>
Date: Tue, 7 Feb 2017 22:10:51 +0100
Subject: [PATCH] arping: Fix ARP protocol field for AX.25 and NETROM
Conflict:NA
Reference:https://github.com/iputils/iputils/commit/4646703f6d8eb46355752ec033945405ca482d4e.patch
AX.25 and NETROM differ from other, more ethernet-like protocols in that
they are not using a DIX protocol number but the AX.25 PID. The arping code
doesn't handle this special case resulting in invalid ARP packets being sent.
The interface bpq0 is an AX.25-over-ethernet interface. Without this
fix:
# arping -c 1 -I bpq0 172.20.1.3
ARPING 172.20.1.3 from 172.20.1.2 bpq0
Sent 1 probes (1 broadcast(s))
Received 0 response(s)
With this fix:
# arping -c 1 -I bpq0 172.20.1.3
ARPING 172.20.1.3 from 172.20.1.2 bpq0
Unicast reply from 172.20.1.3 [88:98:60:A0:92:40:02] 1.402ms
Sent 1 probes (1 broadcast(s))
Received 1 response(s)
Closes: https://github.com/iputils/iputils/pull/360
Reviewed-by: Petr Vorel <pvorel@suse.cz>
Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
[ pvorel: add new lines for readability ]
Signed-off-by: Petr Vorel <pvorel@suse.cz>
---
arping.c | 32 +++++++++++++++++++++++++++++---
1 file changed, 29 insertions(+), 3 deletions(-)
diff --git a/arping.c b/arping.c
index 53fdbb48..5df6d9f0 100644
--- a/arping.c
+++ b/arping.c
@@ -37,6 +37,14 @@
#include "iputils_common.h"
+/*
+ * As of July 2021 AX.25 PID values are not currently defined in any
+ * userspace headers.
+ */
+#ifndef AX25_P_IP
+# define AX25_P_IP 0xcc /* ARPA Internet Protocol */
+#endif
+
#ifdef DEFAULT_DEVICE
# define DEFAULT_DEVICE_STR DEFAULT_DEVICE
#else
@@ -248,7 +256,17 @@ static int send_pack(struct run_state *ctl)
ah->ar_hrd = htons(ME->sll_hatype);
if (ah->ar_hrd == htons(ARPHRD_FDDI))
ah->ar_hrd = htons(ARPHRD_ETHER);
- ah->ar_pro = htons(ETH_P_IP);
+
+ /*
+ * Exceptions everywhere. AX.25 uses the AX.25 PID value not the
+ * DIX code for the protocol. Make these device structure fields.
+ */
+ if (ah->ar_hrd == htons(ARPHRD_AX25) ||
+ ah->ar_hrd == htons(ARPHRD_NETROM))
+ ah->ar_pro = htons(AX25_P_IP);
+ else
+ ah->ar_pro = htons(ETH_P_IP);
+
ah->ar_hln = ME->sll_halen;
ah->ar_pln = 4;
ah->ar_op = ctl->advert ? htons(ARPOP_REPLY) : htons(ARPOP_REQUEST);
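
Review bot: In send_pack(), the last sentence of the new comment, "Make these device structure fields.", reads as a to-do rather than a description of the code; mark it as a TODO or drop it. The `ARPHRD_AX25` / `ARPHRD_NETROM` test is repeated in the recv_pack() hunk below, so a small helper returning the expected `ar_pro` for a given `ar_hrd` would keep the send and receive paths from drifting apart.
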
@@ -341,9 +359,17 @@ static int recv_pack(struct run_state *ctl, unsigned char *buf, ssize_t len,
(FROM->sll_hatype != ARPHRD_FDDI || ah->ar_hrd != htons(ARPHRD_ETHER)))
return 0;
- /* Protocol must be IP. */
- if (ah->ar_pro != htons(ETH_P_IP))
+ /*
+ * Protocol must be IP - but exceptions everywhere. AX.25 and NETROM
+ * use the AX.25 PID value not the DIX code for the protocol.
+ */
+ if (ah->ar_hrd == htons(ARPHRD_AX25) ||
+ ah->ar_hrd == htons(ARPHRD_NETROM)) {
+ if (ah->ar_pro != htons(AX25_P_IP))
+ return 0;
+ } else if (ah->ar_pro != htons(ETH_P_IP))
return 0;
+
if (ah->ar_pln != 4)
return 0;
if (ah->ar_hln != ((struct sockaddr_ll *)&ctl->me)->sll_halen)
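
Review bot: The replacement check in recv_pack() pairs a braced `if` with an unbraced `} else if (ah->ar_pro != htons(ETH_P_IP))`, which is easy to misread next to the nested `return 0;`. Brace both arms, or compute the expected protocol value for the hardware type once and compare `ah->ar_pro` against it in a single test.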

@ -1,95 +0,0 @@
From 7c65999f98bc4a1984594b7fad1af0eaf0b9d34b Mon Sep 17 00:00:00 2001
From: Lahav Schlesinger <lschlesinger@drivenets.com>
Date: Wed, 30 Jun 2021 13:06:13 +0300
Subject: [PATCH] ping: Fix ping6 binding to VRF and address
Since Linux kernel commit 1893ff20275b ("net/ipv6: Add l3mdev check to
ipv6_chk_addr_and_flags") from v4.17-rc1 ping fails when trying to
create IPv6 SOCK_RAW socket (e.g. if net.ipv4.ping_group_range = 1 0)
and passing both -I <vrf_interface> and -I <local_ipv6_addr>.
It works for IPv4 SOCK_RAW socket.
# ip netns add tmp_ns
# ip -n tmp_ns link add vrf_1 type vrf table 10001
# ip -n tmp_ns link add lo10 type dummy
# ip -n tmp_ns link set lo10 master vrf_1
# ip -n tmp_ns link set vrf_1 up
# ip -n tmp_ns link set lo10 up
# ip -n tmp_ns link set lo up
# ip -n tmp_ns addr add 1:2::3:4/128 dev lo10
# ip -n tmp_ns addr add 1.2.3.4/32 dev lo10
# ip netns exec tmp_ns ping -6 1:2::3:4 -I vrf_1 -I 1:2::3:4 -c 1 # IPv6 broken
ping: bind icmp socket: Cannot assign requested address
# ping 1.2.3.4 -I vrf_1 -I 1.2.3.4 -c 1 # IPv4 working
PING 1.2.3.4 (1.2.3.4) from 1.2.3.4 vrf_1: 56(84) bytes of data.
64 bytes from 1.2.3.4: icmp_seq=1 ttl=64 time=0.090 ms
--- 1.2.3.4 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.090/0.090/0.090/0.000 ms
ping fails because it doesn't actually bind to the VRF interface, while
after 1893ff20275b, binding to an IPv6 address searches only on the same
l3mdev as the device the function receives. If the socket wasn't
SO_BINDTODEVICE-ed, then the kernel will only search for devices that
are not ensalved to an l3mdev device (= in the default VRF), which will
cause the bind() to fail.
Only SOCK_RAW socket is affected. SOCK_DGRAM is not affected because
Linux kernel doesn't check the device the socket was SO_BINDTODEVICE-ed
to, but only the device from addr->sin6_scope_id (which if none is
passed, it will again only search devices in the default VRF).
NOTE: creating network namespace to reproduce the issue is needed just
on systems with net.ipv4.ping_group_range = 0 2147483647 (e.g. current
Fedora, openSUSE, Ubuntu), which causes to use SOCK_DGRAM socket.
Alternatively to force SOCK_RAW to it'd be enough just to properly set
net.ipv4.ping_group_range:
# echo "1 0" > /proc/sys/net/ipv4/ping_group_range
Closes: https://github.com/iputils/iputils/pull/344
Reviewed-by: Petr Vorel <pvorel@suse.cz>
Signed-off-by: Lahav Schlesinger <lschlesinger@drivenets.com>
[ pvorel: adjusted commit message ]
Signed-off-by: Petr Vorel <pvorel@suse.cz>
Conflict:NA
Reference: https://github.com/iputils/iputils/commit/7c65999f98bc4a1984594b7fad1af0eaf0b9d34b.patch
---
ping/ping6_common.c | 11 +++++++++++
1 file changed, 11 insertions(+)
diff --git a/ping/ping6_common.c b/ping/ping6_common.c
index fee11891..f40d279d 100644
--- a/ping/ping6_common.c
+++ b/ping/ping6_common.c
@@ -224,6 +224,8 @@ int ping6_run(struct ping_rts *rts, int argc, char **argv, struct addrinfo *ai,
if (rts->device) {
struct cmsghdr *cmsg;
struct in6_pktinfo *ipi;
+ int rc;
+ int errno_save;
cmsg = (struct cmsghdr *)(rts->cmsgbuf + rts->cmsglen);
rts->cmsglen += CMSG_SPACE(sizeof(*ipi));
@@ -234,6 +236,15 @@ int ping6_run(struct ping_rts *rts, int argc, char **argv, struct addrinfo *ai,
ipi = (struct in6_pktinfo *)CMSG_DATA(cmsg);
memset(ipi, 0, sizeof(*ipi));
ipi->ipi6_ifindex = if_name2index(rts->device);
+
+ enable_capability_raw();
+ rc = setsockopt(sock->fd, SOL_SOCKET, SO_BINDTODEVICE,
+ rts->device, strlen(rts->device) + 1);
+ errno_save = errno;
+ disable_capability_raw();
+
+ if (rc == -1)
+ error(2, errno_save, "SO_BINDTODEVICE %s", rts->device);
}
if (IN6_IS_ADDR_MULTICAST(&rts->whereto6.sin6_addr)) {
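
Review bot: The new `setsockopt(..., SO_BINDTODEVICE, ...)` runs for every `rts->device`, and `error(2, errno_save, ...)` makes any failure fatal, so a run that names a device but lacks the privilege for the bind now exits instead of pinging. Gate the call on the case that needs it or downgrade the failure to a warning; the later "ping6: Avoid binding to non-VRF" patch on this page restricts it to `rts->opt_strictsource` for exactly this reason. Saving `errno` before `disable_capability_raw()` is the right order.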

@ -1,32 +0,0 @@
From 626ea66f3d54ba6e749230d3aa0ce8f4ddfded9c Mon Sep 17 00:00:00 2001
From: lvgenggeng <lvgenggeng@uniontech.com>
Date: Tue, 31 May 2022 08:37:38 +0800
Subject: [PATCH] ping: Fix potential memory leakage
If user use '-p' opt multi-times, the previous pointer generated by
strdup() will be discarded.
Closes: https://github.com/iputils/iputils/pull/409
Reviewed-by: Cyril Hrubis <chrubis@suse.cz>
Reviewed-by: Petr Vorel <pvorel@suse.cz>
Signed-off-by: lvgenggeng <lvgenggeng@uniontech.com>
---
ping/ping.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/ping/ping.c b/ping/ping.c
index 8a7f701..10f2cf3 100644
--- a/ping/ping.c
+++ b/ping/ping.c
@@ -449,6 +449,7 @@ main(int argc, char **argv)
break;
case 'p':
rts.opt_pingfilled = 1;
+ free(outpack_fill);
outpack_fill = strdup(optarg);
if (!outpack_fill)
error(2, errno, _("memory allocation failed"));
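
Review bot: `free(outpack_fill)` ahead of the `strdup()` is correct only if `outpack_fill` starts out as NULL and never holds a non-heap pointer; its declaration is outside this hunk, so please confirm the initializer. `free(NULL)` is a no-op, so no extra guard is needed for the first `-p`.
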
--
2.27.0

@ -1,129 +0,0 @@
From 15a5e5c7aace5a7a782ff802988e04ed4c1148a5 Mon Sep 17 00:00:00 2001
From: Petr Vorel <pvorel@suse.cz>
Date: Mon, 18 Oct 2021 15:13:44 +0200
Subject: [PATCH] ping: Print reply from Subnet-Router anycast address
by detecting Subnet-Router address for 64 bit prefix and suppress
address comparison check.
5e052ad ("ping: discard packets with wrong source address") correctly
hid replies with wrong source address to comply RFC 1122 (Section
3.2.1.3: "The IP source address in an ICMP Echo Reply MUST be the same
as the specific-destination address").
While change in 5e052ad works for broadcast and multicast addresses and
some of anycast addresses, it does not work for (at least) Subnet-Router
anycast address):
# VETH1_IPV6=fd00:dead:beef:1234::1
# VPEER1_IPV6=fd00:dead:beef:1234::2
# ip netns add ns-ipv6
# ip li add name veth1 type veth peer name vpeer1
# ip -6 addr add $VETH1_IPV6/64 dev veth1
# ip li set dev veth1 up
# ip li set dev vpeer1 netns ns-ipv6
# ip netns exec ns-ipv6 ip li set dev lo up
# ip netns exec ns-ipv6 ip -6 addr add $VPEER1_IPV6/64 dev vpeer1
# ip netns exec ns-ipv6 ip li set vpeer1 up
# ip netns exec ns-ipv6 ip -6 route add default dev vpeer1 via $VETH1_IPV6
# sysctl -w net.ipv6.conf.all.forwarding=1
$ ping -c1 ff02::1 # anycast - all nodes
PING ff02::1(ff02::1) 56 data bytes
64 bytes from fe80::9c9c:ffff:fe14:e9d2%vpeer1: icmp_seq=1 ttl=64 time=0.064 ms
$ ping -c1 ff02::2 # anycast - all routers
PING ff02::2(ff02::2) 56 data bytes
64 bytes from fe80::5496:9ff:fef5:8f01%vpeer1: icmp_seq=1 ttl=64 time=0.088 ms
$ ping -c1 -W5 fd00:dead:beef:1234:: # Subnet-Router anycast
PING fd00:dead:beef:1234::(fd00:dead:beef:1234::) 56 data bytes
Subnet-Router anycast address works for both busybox ping (without
printing the real source address) and fping:
$ busybox ping -c1 fd00:dead:beef:1234::
PING fd00:dead:beef:1234:: (fd00:dead:beef:1234::): 56 data bytes
64 bytes from fd00:dead:beef:1234::1: seq=0 ttl=64 time=0.122 ms
$ fping -c1 fd00:dead:beef:1234::
[<- fd00:dead:beef:1234::1]fd00:dead:beef:1234:: : [0], 64 bytes, 0.096 ms (0.096 avg, 0% loss)
RFC 4291 specifies Subnet-Router anycast address as [1]:
The Subnet-Router anycast address is predefined. Its format is as
follows:
| n bits | 128-n bits |
+------------------------------------------------+----------------+
| subnet prefix | 00000000000000 |
+------------------------------------------------+----------------+
The "subnet prefix" in an anycast address is the prefix that
identifies a specific link. This anycast address is syntactically
the same as a unicast address for an interface on the link with the
interface identifier set to zero.
=> to detect Subnet-Router anycast address we need to know prefix, which
we don't know, thus detect it for prefix 64 (the default IPv6 prefix).
[1] https://datatracker.ietf.org/doc/html/rfc4291#section-2.6.1
Fixes: 5e052ad ("ping: discard packets with wrong source address")
Closes: https://github.com/iputils/iputils/issues/371
Reported-by: Tim Sandquist
Signed-off-by: Petr Vorel <pvorel@suse.cz>
---
ping/ping.h | 1 +
ping/ping6_common.c | 12 +++++++++++-
2 files changed, 12 insertions(+), 1 deletion(-)
diff --git a/ping/ping.h b/ping/ping.h
index 1be4df58..ce1d719d 100644
--- a/ping/ping.h
+++ b/ping/ping.h
@@ -212,6 +212,7 @@ struct ping_rts {
#endif
/* Used only in ping6_common.c */
+ int subnet_router_anycast; /* Subnet-Router anycast (RFC 4291) */
struct sockaddr_in6 firsthop;
unsigned char cmsgbuf[4096];
size_t cmsglen;
diff --git a/ping/ping6_common.c b/ping/ping6_common.c
index 986210b6..e807070e 100644
--- a/ping/ping6_common.c
+++ b/ping/ping6_common.c
@@ -102,6 +102,7 @@ int ping6_run(struct ping_rts *rts, int argc, char **argv, struct addrinfo *ai,
struct socket_st *sock)
{
int hold, packlen;
+ size_t i;
unsigned char *packet;
char *target;
struct icmp6_filter filter;
@@ -248,6 +249,15 @@ int ping6_run(struct ping_rts *rts, int argc, char **argv, struct addrinfo *ai,
rts->pmtudisc = IPV6_PMTUDISC_DO;
}
+ /* detect Subnet-Router anycast at least for the default prefix 64 */
+ rts->subnet_router_anycast = 1;
+ for (i = 8; i < sizeof(struct in6_addr); i++) {
+ if (rts->whereto6.sin6_addr.s6_addr[i]) {
+ rts->subnet_router_anycast = 0;
+ break;
+ }
+ }
+
if (rts->pmtudisc >= 0) {
if (setsockopt(sock->fd, IPPROTO_IPV6, IPV6_MTU_DISCOVER, &rts->pmtudisc,
sizeof rts->pmtudisc) == -1)
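
Review bot: The detection loop in ping6_run() sets `subnet_router_anycast` for every target whose last 8 bytes are zero, whatever the real prefix length, and the next hunk uses that flag to switch off the source-address comparison in ping6_parse_reply(). The comment should state that consequence rather than only "at least for the default prefix 64", and the start index `8` deserves a named constant. The flag is also computed for multicast targets, where the comparison is already skipped by `!rts->multicast`.
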
@@ -819,7 +829,7 @@ int ping6_parse_reply(struct ping_rts *rts, socket_st *sock,
}
if (icmph->icmp6_type == ICMP6_ECHO_REPLY) {
- if (!rts->multicast &&
+ if (!rts->multicast && !rts->subnet_router_anycast &&
memcmp(&from->sin6_addr.s6_addr, &rts->whereto6.sin6_addr.s6_addr, 16))
return 1;
if (!is_ours(rts, sock, icmph->icmp6_id))

@ -1,145 +0,0 @@
From 5f6bec5ab57cc8beaa78f5756a0ffbdf01f28d36 Mon Sep 17 00:00:00 2001
From: Petr Vorel <pvorel@suse.cz>
Date: Fri, 15 Oct 2021 17:38:51 +0200
Subject: [PATCH] ping: Print reply with wrong source with warning
5e052ad ("ping: discard packets with wrong source address") correctly
hid replies with wrong source address to comply RFC 1122 (Section
3.2.1.3: "The IP source address in an ICMP Echo Reply MUST be the same
as the specific-destination address").
This caused to hide reply when pinging Subnet-Router anycast address.
Although it was fixed in the previous commit, relax this to admit the
reply but print warning "DIFFERENT ADDRESS!". ping is diagnostic program,
with insisting on RFC we force people to use tcpdump to see replies.
Link: https://github.com/iputils/iputils/issues/371
Reviewed-by: Matteo Croce <mcroce@microsoft.com>
Signed-off-by: Petr Vorel <pvorel@suse.cz>
---
ping/ping.c | 10 ++++++----
ping/ping.h | 3 ++-
ping/ping6_common.c | 13 ++++++++-----
ping/ping_common.c | 6 +++++-
4 files changed, 21 insertions(+), 11 deletions(-)
diff --git a/ping/ping.c b/ping/ping.c
index 0655bf4a..81ee7c86 100644
--- a/ping/ping.c
+++ b/ping/ping.c
@@ -1504,6 +1504,7 @@ int ping4_parse_reply(struct ping_rts *rts, struct socket_st *sock,
int reply_ttl;
uint8_t *opts, *tmp_ttl;
int olen;
+ int wrong_source = 0;
/* Check the IP header */
ip = (struct iphdr *)buf;
@@ -1544,15 +1545,16 @@ int ping4_parse_reply(struct ping_rts *rts, struct socket_st *sock,
csfailed = in_cksum((unsigned short *)icp, cc, 0);
if (icp->type == ICMP_ECHOREPLY) {
- if (!rts->broadcast_pings && !rts->multicast &&
- from->sin_addr.s_addr != rts->whereto.sin_addr.s_addr)
- return 1;
if (!is_ours(rts, sock, icp->un.echo.id))
return 1; /* 'Twas not our ECHO */
+
+ if (!rts->broadcast_pings && !rts->multicast &&
+ from->sin_addr.s_addr != rts->whereto.sin_addr.s_addr)
+ wrong_source = 1;
if (gather_statistics(rts, (uint8_t *)icp, sizeof(*icp), cc,
ntohs(icp->un.echo.sequence),
reply_ttl, 0, tv, pr_addr(rts, from, sizeof *from),
- pr_echo_reply, rts->multicast)) {
+ pr_echo_reply, rts->multicast, wrong_source)) {
fflush(stdout);
return 0;
}
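
Review bot: In ping4_parse_reply(), a reply whose source differs from `rts->whereto` used to be dropped with `return 1` and is now handed to gather_statistics() like any other reply, with `wrong_source` only adding a printed tag in the ping_common.c hunk. Such replies therefore appear to count toward the received total and the exit status; if that is intended, say so in the commit message and man page, otherwise keep them out of the counters. Moving the comparison after `is_ours()` is a good change, since echo replies belonging to other processes no longer reach the source check.
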
diff --git a/ping/ping.h b/ping/ping.h
index ce1d719d..1697c3ec 100644
--- a/ping/ping.h
+++ b/ping/ping.h
@@ -389,7 +389,8 @@ extern void common_options(int ch);
extern int gather_statistics(struct ping_rts *rts, uint8_t *icmph, int icmplen,
int cc, uint16_t seq, int hops,
int csfailed, struct timeval *tv, char *from,
- void (*pr_reply)(uint8_t *ptr, int cc), int multicast);
+ void (*pr_reply)(uint8_t *ptr, int cc), int multicast,
+ int wrong_source);
extern void print_timestamp(struct ping_rts *rts);
void fill(struct ping_rts *rts, char *patp, unsigned char *packet, size_t packet_size);
diff --git a/ping/ping6_common.c b/ping/ping6_common.c
index e807070e..fee11891 100644
--- a/ping/ping6_common.c
+++ b/ping/ping6_common.c
@@ -803,6 +803,7 @@ int ping6_parse_reply(struct ping_rts *rts, socket_st *sock,
struct cmsghdr *c;
struct icmp6_hdr *icmph;
int hops = -1;
+ int wrong_source = 0;
for (c = CMSG_FIRSTHDR(msg); c; c = CMSG_NXTHDR(msg, c)) {
if (c->cmsg_level != IPPROTO_IPV6)
@@ -829,16 +830,18 @@ int ping6_parse_reply(struct ping_rts *rts, socket_st *sock,
}
if (icmph->icmp6_type == ICMP6_ECHO_REPLY) {
- if (!rts->multicast && !rts->subnet_router_anycast &&
- memcmp(&from->sin6_addr.s6_addr, &rts->whereto6.sin6_addr.s6_addr, 16))
- return 1;
if (!is_ours(rts, sock, icmph->icmp6_id))
return 1;
+
+ if (!rts->multicast && !rts->subnet_router_anycast &&
+ memcmp(&from->sin6_addr.s6_addr, &rts->whereto6.sin6_addr.s6_addr, 16))
+ wrong_source = 1;
+
if (gather_statistics(rts, (uint8_t *)icmph, sizeof(*icmph), cc,
ntohs(icmph->icmp6_seq),
hops, 0, tv, pr_addr(rts, from, sizeof *from),
pr_echo_reply,
- rts->multicast)) {
+ rts->multicast, wrong_source)) {
fflush(stdout);
return 0;
}
@@ -851,7 +854,7 @@ int ping6_parse_reply(struct ping_rts *rts, socket_st *sock,
seq,
hops, 0, tv, pr_addr(rts, from, sizeof *from),
pr_niquery_reply,
- rts->multicast))
+ rts->multicast, 0))
return 0;
} else {
int nexthdr;
diff --git a/ping/ping_common.c b/ping/ping_common.c
index 357c39d7..03362590 100644
--- a/ping/ping_common.c
+++ b/ping/ping_common.c
@@ -711,7 +711,8 @@ int main_loop(struct ping_rts *rts, ping_func_set_st *fset, socket_st *sock,
int gather_statistics(struct ping_rts *rts, uint8_t *icmph, int icmplen,
int cc, uint16_t seq, int hops,
int csfailed, struct timeval *tv, char *from,
- void (*pr_reply)(uint8_t *icmph, int cc), int multicast)
+ void (*pr_reply)(uint8_t *icmph, int cc), int multicast,
+ int wrong_source)
{
int dupflag = 0;
long triptime = 0;
@@ -804,10 +805,13 @@ int gather_statistics(struct ping_rts *rts, uint8_t *icmph, int icmplen,
printf(_(" time=%ld.%03ld ms"), triptime / 1000,
triptime % 1000);
}
+
if (dupflag && (!multicast || rts->opt_verbose))
printf(_(" (DUP!)"));
if (csfailed)
printf(_(" (BAD CHECKSUM!)"));
+ if (wrong_source)
+ printf(_(" (DIFFERENT ADDRESS!)"));
/* check the data */
cp = ((unsigned char *)ptr) + sizeof(struct timeval);
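
Review bot: `" (DIFFERENT ADDRESS!)"` is a new user-visible, translatable string in gather_statistics(), but the diffstat for this patch lists only ping.c, ping.h, ping6_common.c and ping_common.c; add a man page line explaining the tag alongside `(DUP!)` and `(BAD CHECKSUM!)`. The blank line added before `if (dupflag && ...)` is an unrelated whitespace change.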

@ -1,54 +0,0 @@
From f52b582248f1f870e870a9973621805d969906b4 Mon Sep 17 00:00:00 2001
From: Petr Vorel <pvorel@suse.cz>
Date: Tue, 9 Nov 2021 02:39:56 +0100
Subject: [PATCH] ping6: Avoid binding to non-VRF
This fixes permission issue when specifying just address (without VRF)
unless having CAP_NET_ADMIN (i.e. root) permission:
$ ./builddir/ping/ping -c1 -I lo ::1
./builddir/ping/ping: SO_BINDTODEVICE lo: Operation not permitted
because setsockopt() SO_BINDTODEVICE (similar to bind()) can be only done on
opt_strictsource.
Fixes: 7c65999 ("ping: Fix ping6 binding to VRF and address")
Signed-off-by: Petr Vorel <pvorel@suse.cz>
Conflict:NA
Reference: https://github.com/iputils/iputils/commit/f52b582248f1f870e870a9973621805d969906b4.patch
---
ping/ping6_common.c | 18 ++++++++++--------
1 file changed, 10 insertions(+), 8 deletions(-)
diff --git a/ping/ping6_common.c b/ping/ping6_common.c
index f40d279d..7a43ef6a 100644
--- a/ping/ping6_common.c
+++ b/ping/ping6_common.c
@@ -237,14 +237,16 @@ int ping6_run(struct ping_rts *rts, int argc, char **argv, struct addrinfo *ai,
memset(ipi, 0, sizeof(*ipi));
ipi->ipi6_ifindex = if_name2index(rts->device);
- enable_capability_raw();
- rc = setsockopt(sock->fd, SOL_SOCKET, SO_BINDTODEVICE,
- rts->device, strlen(rts->device) + 1);
- errno_save = errno;
- disable_capability_raw();
-
- if (rc == -1)
- error(2, errno_save, "SO_BINDTODEVICE %s", rts->device);
+ if (rts->opt_strictsource) {
+ enable_capability_raw();
+ rc = setsockopt(sock->fd, SOL_SOCKET, SO_BINDTODEVICE,
+ rts->device, strlen(rts->device) + 1);
+ errno_save = errno;
+ disable_capability_raw();
+
+ if (rc == -1)
+ error(2, errno_save, "SO_BINDTODEVICE %s", rts->device);
+ }
}
if (IN6_IS_ADDR_MULTICAST(&rts->whereto6.sin6_addr)) {
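
Review bot: The `if (rts->opt_strictsource)` guard has no comment saying why the bind is limited to that case; the reason (the permission failure for a plain `-I lo`) lives only in the commit message. Add a short comment at the guard. `rc` and `errno_save` are now used only inside the new block and could be declared there.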

@ -1,37 +0,0 @@
From 21d0826711b750367edaf01645aac1d03b3b7611 Mon Sep 17 00:00:00 2001
From: Sami Kerola <kerolasa@iki.fi>
Date: Wed, 3 Mar 2021 20:51:18 +0000
Subject: [PATCH] rdisc: remove PrivateUsers=yes from systemd service file
Quoting systemd.exec(5) manual page 'Specifically this means that the
process will have zero process capabilities on the host's user namespace'.
That does not combine will with CAP_NET_RAW that needs to take effect host's
namespace.
Secondly add CapabilityBoundingSet that is will ensure capabilities are
limited to the one and only capability it needs.
Fixes: https://github.com/iputils/iputils/issues/314
Reference: https://www.freedesktop.org/software/systemd/man/systemd.exec.html#PrivateUsers=
Signed-off-by: Sami Kerola <kerolasa@iki.fi>
---
systemd/rdisc.service.in | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/systemd/rdisc.service.in b/systemd/rdisc.service.in
index 4e2a1ec..6ef7fc3 100644
--- a/systemd/rdisc.service.in
+++ b/systemd/rdisc.service.in
@@ -9,8 +9,8 @@ EnvironmentFile=-/etc/sysconfig/rdisc
ExecStart=@sbindir@/rdisc -f -t $OPTIONS $SEND_ADDRESS $RECEIVE_ADDRESS
AmbientCapabilities=CAP_NET_RAW
+CapabilityBoundingSet=CAP_NET_RAW
PrivateTmp=yes
-PrivateUsers=yes
ProtectSystem=strict
ProtectHome=yes
ProtectControlGroups=yes
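
Review bot: The subject mentions only the removal of `PrivateUsers=yes`, but the hunk also adds `CapabilityBoundingSet=CAP_NET_RAW`; put both in the subject or split the change. With user namespacing gone, the bounding set is what limits the service to the single capability named in `AmbientCapabilities=`, so it should not be dropped in a later cleanup. `NoNewPrivileges=` and `User=` are not among the visible lines of the unit; worth confirming they are set elsewhere in the file.
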
--
2.23.0

BIN
iputils-20211215.tar.gz Normal file

Binary file not shown.

Binary file not shown.

@ -1,11 +1,11 @@
Name: iputils Name: iputils
Version: 20210722 Version: 20211215
Release: 6 Release: 1
Summary: Network monitoring tools including ping Summary: Network monitoring tools including ping
License: BSD and GPLv2+ License: BSD and GPLv2+
URL: https://github.com/iputils/iputils URL: https://github.com/iputils/iputils
Source0: https://github.com/iputils/iputils/archive/s%{version}.tar.gz#/%{name}-s%{version}.tar.gz Source0: https://github.com/iputils/iputils/archive/%{version}.tar.gz#/%{name}-%{version}.tar.gz
Source1: ifenslave.tar.gz Source1: ifenslave.tar.gz
Source2: rdisc.service Source2: rdisc.service
Source3: ninfod.service Source3: ninfod.service
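
Review bot: `Source0` drops the `s` prefix from both the archive path and the local file name (`s%{version}.tar.gz` becomes `%{version}.tar.gz`); check that the URL still resolves for 20211215 and that the resulting `%{name}-%{version}.tar.gz` matches the `iputils-20211215.tar.gz` added in this commit. Any later `%setup`/`%autosetup` directory name that relied on the `s` prefix needs the same change.
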
@ -14,15 +14,6 @@ Source5: https://www.gnu.org/licenses/old-licenses/gpl-2.0.txt
Patch0000: iputils-ifenslave.patch Patch0000: iputils-ifenslave.patch
Patch0001: iputils-ifenslave-CWE-170.patch Patch0001: iputils-ifenslave-CWE-170.patch
Patch0002: backport-arping-exit-0-if-running-in-deadline-mode-and-we-see-replies.patch
Patch0003: backport-arping-fix-typo-in-error-checking.patch
Patch0004: backport-fix-ARP-protocol-field-for-AX.25-and-NETROM.patch
Patch0005: backport-ping-Fix-ping6-binding-to-VRF-and-address.patch
Patch0006: backport-ping6-Avoid-binding-to-non-VRF.patch
Patch0007: arping-Fix-exit-code-on-w-option.patch
Patch0008: backport-ping-Print-reply-from-Subnet-Router-anycast-address.patch
Patch0009: backport-ping-Print-reply-with-wrong-source-with-warning.patch
Patch0010: backport-ping-Fix-potential-memory-leakage.patch
BuildRequires: gcc meson libidn2-devel openssl-devel libcap-devel libxslt BuildRequires: gcc meson libidn2-devel openssl-devel libcap-devel libxslt
BuildRequires: docbook5-style-xsl systemd iproute glibc-kernheaders gettext BuildRequires: docbook5-style-xsl systemd iproute glibc-kernheaders gettext
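
Review bot: Patch0002 through Patch0010 are all dropped, yet four of the deleted patch files carry dates later than the new version string: the two arping patches dated 16 Feb 2022, arping-Fix-exit-code-on-w-option.patch dated 18 Mar 2022, and the ping memory-leak fix dated 31 May 2022. If the version is the upstream release date, those fixes are not in the 20211215 tarball and this update would silently lose them; keep them (rebased) or show they are no longer needed. arping-Fix-exit-code-on-w-option.patch also has no upstream Reference or Closes line to check against.
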
@ -56,7 +47,7 @@ cp %{SOURCE4} %{SOURCE5} .
export CFLAGS="-fpie" export CFLAGS="-fpie"
export LDFLAGS="-pie -Wl,-z,relro,-z,now" export LDFLAGS="-pie -Wl,-z,relro,-z,now"
%meson -DBUILD_TFTPD=false %meson
%meson_build %meson_build
gcc -Wall $RPM_OPT_FLAGS $CFLAGS $RPM_LD_FLAGS $LDFLAGS ifenslave.c -o ifenslave gcc -Wall $RPM_OPT_FLAGS $CFLAGS $RPM_LD_FLAGS $LDFLAGS ifenslave.c -o ifenslave
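
Review bot: `-DBUILD_TFTPD=false` is dropped from `%meson` with no mention in the changelog. If the option still exists in 20211215, this turns the tftpd build back on and may ship an extra network daemon; if upstream removed it, say so in the changelog entry. The `-fpie` and `-pie -Wl,-z,relro,-z,now` hardening flags are unchanged.
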
@ -121,6 +112,12 @@ install -cp ifenslave.8 ${RPM_BUILD_ROOT}%{_mandir}/man8/
%{_unitdir}/ninfod.service %{_unitdir}/ninfod.service
%changelog %changelog
* Mon Jul 11 2022 yinyongkang <yinyongkang@kylinos.cn> - 20211215-1
- Type:requirements
- ID:NA
- SUG:NA
- DESC: update iputils to 20211215
* Mon Jun 20 2022 lvgenggeng <lvgenggeng@uniontech.com> - 20210722-6 * Mon Jun 20 2022 lvgenggeng <lvgenggeng@uniontech.com> - 20210722-6
- Type:bugfix - Type:bugfix
- ID:NA - ID:NA
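
Review bot: The new changelog entry says only "update iputils to 20211215"; it should also list the nine patches removed from the spec and the `%meson` option change, so a later reader can tell which fixes are expected to come from the tarball.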