update to 1.0.5

yanan-rock 2020-07-24 09:48:45 +08:00
parent fcf791b955
commit 0a2528d2f3
10 changed files with 9 additions and 670 deletions


@ -1,428 +0,0 @@
From 7983983a2912165aaa3b9fff2f7aa42421d2f730 Mon Sep 17 00:00:00 2001
From: Florian Westphal <fw@strlen.de>
Date: Tue, 13 Aug 2013 10:48:50 +0200
Subject: [PATCH 11/38] build: avoid symbol namespace pollution
As of f40eabb01 (add pkt_buff and protocol helper functions)
libnetfilter_queue accidentally exports the internal function named
'checksum'. This is a bit too generic and may cause crashes with
applications that worked fine before.
This patch makes the functions checksum, checksum_tcpudp_ipv4 and
checksum_tcpudp_ipv6 local by building with fvis-hidden and adding
EXPORTs for the legacy api calls and the ones that seem to have missing
EXPORT tags (mainly pktbuff api).
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
Make_global.am | 2 +-
src/extra/pktbuff.c | 12 ++++++++++++
src/internal.h | 2 ++
src/libnetfilter_queue.c | 38 +++++++++++++++++++++++++++++++++++---
4 files changed, 50 insertions(+), 4 deletions(-)
diff --git a/Make_global.am b/Make_global.am
index 9bc8ea1..91da5da 100644
--- a/Make_global.am
+++ b/Make_global.am
@@ -1,2 +1,2 @@
AM_CPPFLAGS = -I${top_srcdir}/include ${LIBNFNETLINK_CFLAGS} ${LIBMNL_CFLAGS}
-AM_CFLAGS = -Wall
+AM_CFLAGS = -Wall ${GCC_FVISIBILITY_HIDDEN}
diff --git a/src/extra/pktbuff.c b/src/extra/pktbuff.c
index 0bd778d..1c15a00 100644
--- a/src/extra/pktbuff.c
+++ b/src/extra/pktbuff.c
@@ -84,6 +84,7 @@ pktb_alloc(int family, void *data, size_t len, size_t extra)
}
return pktb;
}
+EXPORT_SYMBOL(pktb_alloc);
/**
* pktb_data - return pointer to the beginning of the packet buffer
@@ -93,6 +94,7 @@ uint8_t *pktb_data(struct pkt_buff *pktb)
{
return pktb->data;
}
+EXPORT_SYMBOL(pktb_data);
/**
* pktb_len - return length of the packet buffer
@@ -102,6 +104,7 @@ uint32_t pktb_len(struct pkt_buff *pktb)
{
return pktb->len;
}
+EXPORT_SYMBOL(pktb_len);
/**
* pktb_free - release packet buffer
@@ -111,6 +114,7 @@ void pktb_free(struct pkt_buff *pktb)
{
free(pktb);
}
+EXPORT_SYMBOL(pktb_free);
/**
* pktb_push - update pointer to the beginning of the packet buffer
@@ -121,6 +125,7 @@ void pktb_push(struct pkt_buff *pktb, unsigned int len)
pktb->data -= len;
pktb->len += len;
}
+EXPORT_SYMBOL(pktb_push);
/**
* pktb_pull - update pointer to the beginning of the packet buffer
@@ -131,6 +136,7 @@ void pktb_pull(struct pkt_buff *pktb, unsigned int len)
pktb->data += len;
pktb->len -= len;
}
+EXPORT_SYMBOL(pktb_pull);
/**
* pktb_put - add extra bytes to the tail of the packet buffer
@@ -141,6 +147,7 @@ void pktb_put(struct pkt_buff *pktb, unsigned int len)
pktb->tail += len;
pktb->len += len;
}
+EXPORT_SYMBOL(pktb_put);
/**
* pktb_trim - set new length for this packet buffer
@@ -150,6 +157,7 @@ void pktb_trim(struct pkt_buff *pktb, unsigned int len)
{
pktb->len = len;
}
+EXPORT_SYMBOL(pktb_trim);
/**
* pktb_tailroom - get room in bytes in the tail of the packet buffer
@@ -159,6 +167,7 @@ unsigned int pktb_tailroom(struct pkt_buff *pktb)
{
return pktb->data_len - pktb->len;
}
+EXPORT_SYMBOL(pktb_tailroom);
/**
* pktb_mac_header - return pointer to layer 2 header (if any)
@@ -168,6 +177,7 @@ uint8_t *pktb_mac_header(struct pkt_buff *pktb)
{
return pktb->mac_header;
}
+EXPORT_SYMBOL(pktb_mac_header);
/**
* pktb_network_header - return pointer to layer 3 header
@@ -177,6 +187,7 @@ uint8_t *pktb_network_header(struct pkt_buff *pktb)
{
return pktb->network_header;
}
+EXPORT_SYMBOL(pktb_network_header);
/**
* pktb_transport_header - return pointer to layer 4 header (if any)
@@ -186,6 +197,7 @@ uint8_t *pktb_transport_header(struct pkt_buff *pktb)
{
return pktb->transport_header;
}
+EXPORT_SYMBOL(pktb_transport_header);
static int pktb_expand_tail(struct pkt_buff *pkt, int extra)
{
diff --git a/src/internal.h b/src/internal.h
index 37bf79e..7f9d5f4 100644
--- a/src/internal.h
+++ b/src/internal.h
@@ -2,6 +2,8 @@
#define INTERNAL_H 1
#include "config.h"
+#include <stdint.h>
+#include <stdbool.h>
#ifdef HAVE_VISIBILITY_HIDDEN
# define __visible __attribute__((visibility("default")))
# define EXPORT_SYMBOL(x) typeof(x) (x) __visible
diff --git a/src/libnetfilter_queue.c b/src/libnetfilter_queue.c
index 6817957..fa8efe7 100644
--- a/src/libnetfilter_queue.c
+++ b/src/libnetfilter_queue.c
@@ -32,6 +32,7 @@
#include <libnfnetlink/libnfnetlink.h>
#include <libnetfilter_queue/libnetfilter_queue.h>
+#include "src/internal.h"
/**
* \mainpage
@@ -133,6 +134,7 @@ struct nfq_data {
};
int nfq_errno;
+EXPORT_SYMBOL(nfq_errno);
/***********************************************************************
* low level stuff
@@ -225,6 +227,7 @@ struct nfnl_handle *nfq_nfnlh(struct nfq_handle *h)
{
return h->nfnlh;
}
+EXPORT_SYMBOL(nfq_nfnlh);
/**
*
@@ -300,7 +303,7 @@ int nfq_fd(struct nfq_handle *h)
{
return nfnl_fd(nfq_nfnlh(h));
}
-
+EXPORT_SYMBOL(nfq_fd);
/**
* @}
*/
@@ -368,6 +371,7 @@ struct nfq_handle *nfq_open(void)
return qh;
}
+EXPORT_SYMBOL(nfq_open);
/**
* @}
@@ -416,6 +420,7 @@ out_free:
free(h);
return NULL;
}
+EXPORT_SYMBOL(nfq_open_nfnl);
/**
* \addtogroup LibrarySetup
@@ -443,6 +448,7 @@ int nfq_close(struct nfq_handle *h)
free(h);
return ret;
}
+EXPORT_SYMBOL(nfq_close);
/**
* nfq_bind_pf - bind a nfqueue handler to a given protocol family
@@ -458,6 +464,7 @@ int nfq_bind_pf(struct nfq_handle *h, u_int16_t pf)
{
return __build_send_cfg_msg(h, NFQNL_CFG_CMD_PF_BIND, 0, pf);
}
+EXPORT_SYMBOL(nfq_bind_pf);
/**
* nfq_unbind_pf - unbind nfqueue handler from a protocol family
@@ -471,7 +478,7 @@ int nfq_unbind_pf(struct nfq_handle *h, u_int16_t pf)
{
return __build_send_cfg_msg(h, NFQNL_CFG_CMD_PF_UNBIND, 0, pf);
}
-
+EXPORT_SYMBOL(nfq_unbind_pf);
/**
@@ -544,6 +551,7 @@ struct nfq_q_handle *nfq_create_queue(struct nfq_handle *h,
add_qh(qh);
return qh;
}
+EXPORT_SYMBOL(nfq_create_queue);
/**
* @}
@@ -571,6 +579,7 @@ int nfq_destroy_queue(struct nfq_q_handle *qh)
return ret;
}
+EXPORT_SYMBOL(nfq_destroy_queue);
/**
* nfq_handle_packet - handle a packet received from the nfqueue subsystem
@@ -588,6 +597,7 @@ int nfq_handle_packet(struct nfq_handle *h, char *buf, int len)
{
return nfnl_handle_packet(h->nfnlh, buf, len);
}
+EXPORT_SYMBOL(nfq_handle_packet);
/**
* nfq_set_mode - set the amount of packet data that nfqueue copies to userspace
@@ -624,6 +634,7 @@ int nfq_set_mode(struct nfq_q_handle *qh,
return nfnl_query(qh->h->nfnlh, &u.nmh);
}
+EXPORT_SYMBOL(nfq_set_mode);
/**
* nfq_set_queue_flags - set flags (options) for the kernel queue
@@ -693,6 +704,7 @@ int nfq_set_queue_flags(struct nfq_q_handle *qh,
return nfnl_query(qh->h->nfnlh, &u.nmh);
}
+EXPORT_SYMBOL(nfq_set_queue_flags);
/**
* nfq_set_queue_maxlen - Set kernel queue maximum length parameter
@@ -723,6 +735,7 @@ int nfq_set_queue_maxlen(struct nfq_q_handle *qh,
return nfnl_query(qh->h->nfnlh, &u.nmh);
}
+EXPORT_SYMBOL(nfq_set_queue_maxlen);
/**
* @}
@@ -815,7 +828,8 @@ int nfq_set_verdict(struct nfq_q_handle *qh, u_int32_t id,
{
return __set_verdict(qh, id, verdict, 0, 0, data_len, buf,
NFQNL_MSG_VERDICT);
-}
+}
+EXPORT_SYMBOL(nfq_set_verdict);
/**
* nfq_set_verdict2 - like nfq_set_verdict, but you can set the mark.
@@ -833,6 +847,7 @@ int nfq_set_verdict2(struct nfq_q_handle *qh, u_int32_t id,
return __set_verdict(qh, id, verdict, htonl(mark), 1, data_len,
buf, NFQNL_MSG_VERDICT);
}
+EXPORT_SYMBOL(nfq_set_verdict2);
/**
* nfq_set_verdict_batch - issue verdicts on several packets at once
@@ -852,6 +867,7 @@ int nfq_set_verdict_batch(struct nfq_q_handle *qh, u_int32_t id,
return __set_verdict(qh, id, verdict, 0, 0, 0, NULL,
NFQNL_MSG_VERDICT_BATCH);
}
+EXPORT_SYMBOL(nfq_set_verdict_batch);
/**
* nfq_set_verdict_batch2 - like nfq_set_verdict_batch, but you can set a mark.
@@ -866,6 +882,7 @@ int nfq_set_verdict_batch2(struct nfq_q_handle *qh, u_int32_t id,
return __set_verdict(qh, id, verdict, htonl(mark), 1, 0,
NULL, NFQNL_MSG_VERDICT_BATCH);
}
+EXPORT_SYMBOL(nfq_set_verdict_batch2);
/**
* nfq_set_verdict_mark - like nfq_set_verdict, but you can set the mark.
@@ -888,6 +905,7 @@ int nfq_set_verdict_mark(struct nfq_q_handle *qh, u_int32_t id,
return __set_verdict(qh, id, verdict, mark, 1, data_len, buf,
NFQNL_MSG_VERDICT);
}
+EXPORT_SYMBOL(nfq_set_verdict_mark);
/**
* @}
@@ -927,6 +945,7 @@ struct nfqnl_msg_packet_hdr *nfq_get_msg_packet_hdr(struct nfq_data *nfad)
return nfnl_get_pointer_to_data(nfad->data, NFQA_PACKET_HDR,
struct nfqnl_msg_packet_hdr);
}
+EXPORT_SYMBOL(nfq_get_msg_packet_hdr);
/**
* nfq_get_nfmark - get the packet mark
@@ -938,6 +957,7 @@ uint32_t nfq_get_nfmark(struct nfq_data *nfad)
{
return ntohl(nfnl_get_data(nfad->data, NFQA_MARK, u_int32_t));
}
+EXPORT_SYMBOL(nfq_get_nfmark);
/**
* nfq_get_timestamp - get the packet timestamp
@@ -961,6 +981,7 @@ int nfq_get_timestamp(struct nfq_data *nfad, struct timeval *tv)
return 0;
}
+EXPORT_SYMBOL(nfq_get_timestamp);
/**
* nfq_get_indev - get the interface that the packet was received through
@@ -977,6 +998,7 @@ u_int32_t nfq_get_indev(struct nfq_data *nfad)
{
return ntohl(nfnl_get_data(nfad->data, NFQA_IFINDEX_INDEV, u_int32_t));
}
+EXPORT_SYMBOL(nfq_get_indev);
/**
* nfq_get_physindev - get the physical interface that the packet was received
@@ -990,6 +1012,7 @@ u_int32_t nfq_get_physindev(struct nfq_data *nfad)
{
return ntohl(nfnl_get_data(nfad->data, NFQA_IFINDEX_PHYSINDEV, u_int32_t));
}
+EXPORT_SYMBOL(nfq_get_physindev);
/**
* nfq_get_outdev - gets the interface that the packet will be routed out
@@ -1003,6 +1026,7 @@ u_int32_t nfq_get_outdev(struct nfq_data *nfad)
{
return ntohl(nfnl_get_data(nfad->data, NFQA_IFINDEX_OUTDEV, u_int32_t));
}
+EXPORT_SYMBOL(nfq_get_outdev);
/**
* nfq_get_physoutdev - get the physical interface that the packet output
@@ -1018,6 +1042,7 @@ u_int32_t nfq_get_physoutdev(struct nfq_data *nfad)
{
return ntohl(nfnl_get_data(nfad->data, NFQA_IFINDEX_PHYSOUTDEV, u_int32_t));
}
+EXPORT_SYMBOL(nfq_get_physoutdev);
/**
* nfq_get_indev_name - get the name of the interface the packet
@@ -1063,6 +1088,7 @@ int nfq_get_indev_name(struct nlif_handle *nlif_handle,
u_int32_t ifindex = nfq_get_indev(nfad);
return nlif_index2name(nlif_handle, ifindex, name);
}
+EXPORT_SYMBOL(nfq_get_indev_name);
/**
* nfq_get_physindev_name - get the name of the physical interface the
@@ -1082,6 +1108,7 @@ int nfq_get_physindev_name(struct nlif_handle *nlif_handle,
u_int32_t ifindex = nfq_get_physindev(nfad);
return nlif_index2name(nlif_handle, ifindex, name);
}
+EXPORT_SYMBOL(nfq_get_physindev_name);
/**
* nfq_get_outdev_name - get the name of the physical interface the
@@ -1101,6 +1128,7 @@ int nfq_get_outdev_name(struct nlif_handle *nlif_handle,
u_int32_t ifindex = nfq_get_outdev(nfad);
return nlif_index2name(nlif_handle, ifindex, name);
}
+EXPORT_SYMBOL(nfq_get_outdev_name);
/**
* nfq_get_physoutdev_name - get the name of the interface the
@@ -1121,6 +1149,7 @@ int nfq_get_physoutdev_name(struct nlif_handle *nlif_handle,
u_int32_t ifindex = nfq_get_physoutdev(nfad);
return nlif_index2name(nlif_handle, ifindex, name);
}
+EXPORT_SYMBOL(nfq_get_physoutdev_name);
/**
* nfq_get_packet_hw
@@ -1149,6 +1178,7 @@ struct nfqnl_msg_packet_hw *nfq_get_packet_hw(struct nfq_data *nfad)
return nfnl_get_pointer_to_data(nfad->data, NFQA_HWADDR,
struct nfqnl_msg_packet_hw);
}
+EXPORT_SYMBOL(nfq_get_packet_hw);
/**
* nfq_get_payload - get payload
@@ -1170,6 +1200,7 @@ int nfq_get_payload(struct nfq_data *nfad, unsigned char **data)
return -1;
}
+EXPORT_SYMBOL(nfq_get_payload);
/**
* @}
@@ -1356,6 +1387,7 @@ int nfq_snprintf_xml(char *buf, size_t rem, struct nfq_data *tb, int flags)
return len;
}
+EXPORT_SYMBOL(nfq_snprintf_xml);
/**
* @}
--
1.8.3.1


@ -1,39 +0,0 @@
From 7335cbed46eb81cd4f521966ef508e18b6e8059f Mon Sep 17 00:00:00 2001
From: Ting-Wei Lan <lantw44@gmail.com>
Date: Fri, 20 Jun 2014 18:27:00 +0800
Subject: [PATCH 21/38] extra: fix wrong implementation in nfq_udp_get_payload
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
src/extra/udp.c | 12 ++++++++----
1 file changed, 8 insertions(+), 4 deletions(-)
diff --git a/src/extra/udp.c b/src/extra/udp.c
index eee732e..6e6baed 100644
--- a/src/extra/udp.c
+++ b/src/extra/udp.c
@@ -56,13 +56,17 @@ EXPORT_SYMBOL(nfq_udp_get_hdr);
*/
void *nfq_udp_get_payload(struct udphdr *udph, struct pkt_buff *pktb)
{
- unsigned int doff = udph->len;
+ uint16_t len = ntohs(udph->len);
- /* malformed UDP data offset. */
- if (pktb->transport_header + doff > pktb->tail)
+ /* the UDP packet is too short. */
+ if (len < sizeof(struct udphdr))
return NULL;
- return pktb->transport_header + doff;
+ /* malformed UDP packet. */
+ if (pktb->transport_header + len > pktb->tail)
+ return NULL;
+
+ return pktb->transport_header + sizeof(struct udphdr);
}
EXPORT_SYMBOL(nfq_udp_get_payload);
--
1.8.3.1


@ -1,42 +0,0 @@
From 32946848916002e1014e6125f2b3aee208d37700 Mon Sep 17 00:00:00 2001
From: Pablo Neira Ayuso <pablo@netfilter.org>
Date: Mon, 30 Jun 2014 12:18:07 +0200
Subject: [PATCH 22/38] extra: tcp: insufficient sanitization in
nfq_tcp_get_payload()
Similar to 7335cbe ("extra: fix wrong implementation in
nfq_udp_get_payload").
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
src/extra/tcp.c | 10 +++++++---
1 file changed, 7 insertions(+), 3 deletions(-)
diff --git a/src/extra/tcp.c b/src/extra/tcp.c
index 2eb5763..bf161aa 100644
--- a/src/extra/tcp.c
+++ b/src/extra/tcp.c
@@ -59,13 +59,17 @@ EXPORT_SYMBOL(nfq_tcp_get_hdr);
*/
void *nfq_tcp_get_payload(struct tcphdr *tcph, struct pkt_buff *pktb)
{
- unsigned int doff = tcph->doff * 4;
+ unsigned int len = tcph->doff * 4;
+
+ /* TCP packet is too short */
+ if (len < sizeof(struct tcphdr))
+ return NULL;
/* malformed TCP data offset. */
- if (pktb->transport_header + doff >= pktb->tail)
+ if (pktb->transport_header + len > pktb->tail)
return NULL;
- return pktb->transport_header + doff;
+ return pktb->transport_header + len;
}
EXPORT_SYMBOL(nfq_tcp_get_payload);
--
1.8.3.1


@ -1,36 +0,0 @@
From 3065fb3642c8e554432059629808a62560e2184f Mon Sep 17 00:00:00 2001
From: Ting-Wei Lan <lantw44@gmail.com>
Date: Fri, 20 Jun 2014 18:26:59 +0800
Subject: [PATCH 20/38] extra: use inet_ntop instead of inet_ntoa
The result of inet_ntoa() will be overwritten by the next call to
inet_ntoa(), so using it twice in the same snprintf() call causes
wrong result.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
src/extra/ipv4.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/src/extra/ipv4.c b/src/extra/ipv4.c
index 0fe716b..a93d113 100644
--- a/src/extra/ipv4.c
+++ b/src/extra/ipv4.c
@@ -134,9 +134,13 @@ int nfq_ip_snprintf(char *buf, size_t size, const struct iphdr *iph)
struct in_addr src = { iph->saddr };
struct in_addr dst = { iph->daddr };
+ char src_str[INET_ADDRSTRLEN];
+ char dst_str[INET_ADDRSTRLEN];
+
ret = snprintf(buf, size, "SRC=%s DST=%s LEN=%u TOS=0x%X "
"PREC=0x%X TTL=%u ID=%u PROTO=%u ",
- inet_ntoa(src), inet_ntoa(dst),
+ inet_ntop(AF_INET, &src, src_str, INET_ADDRSTRLEN),
+ inet_ntop(AF_INET, &dst, dst_str, INET_ADDRSTRLEN),
ntohs(iph->tot_len), IPTOS_TOS(iph->tos),
IPTOS_PREC(iph->tos), iph->ttl, ntohs(iph->id),
iph->protocol);
--
1.8.3.1


@ -1,38 +0,0 @@
From 84d24281f4cfac9597ee9184a30cb1aa91d8a86e Mon Sep 17 00:00:00 2001
From: Tamas Lengyel <tamas.k.lengyel@gmail.com>
Date: Fri, 31 May 2013 12:20:57 +0000
Subject: [PATCH 10/38] fix valgrind errors of uninitialised byte during call
to nfq_unbind_pf
Valgrind generates error reports during a call
to the nfq_unbind_pf function:
==00:00:00:08.662 22111== 4 errors in context 1 of 1:
==00:00:00:08.662 22111== Syscall param socketcall.sendto(msg) points
to uninitialised byte(s)
...
==00:00:00:08.662 22111== Uninitialised value was created by a stack allocation
==00:00:00:08.662 22111== at 0x679C30B: __build_send_cfg_msg
(libnetfilter_queue.c:178
Signed-off-by: Tamas K Lengyel <tamas.k.lengyel@gmail.com>
Signed-off-by: Florian Westphal <fw@strlen.de>
---
src/libnetfilter_queue.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/src/libnetfilter_queue.c b/src/libnetfilter_queue.c
index 2894ccd..bf944f0 100644
--- a/src/libnetfilter_queue.c
+++ b/src/libnetfilter_queue.c
@@ -186,6 +186,7 @@ __build_send_cfg_msg(struct nfq_handle *h, u_int8_t command,
nfnl_fill_hdr(h->nfnlssh, &u.nmh, 0, AF_UNSPEC, queuenum,
NFQNL_MSG_CONFIG, NLM_F_REQUEST|NLM_F_ACK);
+ cmd._pad = 0;
cmd.command = command;
cmd.pf = htons(pf);
nfnl_addattr_l(&u.nmh, sizeof(u), NFQA_CFG_CMD, &cmd, sizeof(cmd));
--
1.8.3.1

Binary file not shown.

Binary file not shown.


@ -1,6 +1,6 @@
Name: libnetfilter_queue
Version: 1.0.2
Release: 13
Version: 1.0.5
Release: 1
Summary: A userspace library to the queued packets
License: GPLv2
URL: http://netfilter.org
@ -8,14 +8,6 @@ Source0: https://netfilter.org/projects/libnetfilter_queue/files/libnetfil
BuildRequires: autoconf automake libtool pkgconfig kernel-headers
BuildRequires: libnfnetlink-devel >= 1.0.1 libmnl-devel >= 1.0.3
Patch6001: fix-valgrind-errors-of-uninitialised-byte-during-cal.patch
Patch6002: build-avoid-symbol-namespace-pollution.patch
Patch6003: extra-use-inet_ntop-instead-of-inet_ntoa.patch
Patch6004: extra-fix-wrong-implementation-in-nfq_udp_get_payloa.patch
Patch6005: extra-tcp-insufficient-sanitization-in-nfq_tcp_get_p.patch
Patch6006: src-make-nfq_open_nfnl-thread-safe.patch
Patch6007: src-check-result-of-malloc-when-creating-queue.patch
%description
libnetfilter_queue is a userspace library providing an API to packets that
have been queued by the kernel packet filter. It is is part of a system that
@ -35,7 +27,7 @@ Includes development headers and librarys for libnetfilter_queue.
%autosetup -n %{name}-%{version} -p1
%build
%configure
%configure --disable-static
%make_build
%install
@ -67,6 +59,12 @@ make check
%exclude %{_libdir}/libnetfilter_queue.la
%changelog
* Fri Jul 24 2020 openEuler Buildteam <buildteam@openeuler.org> - 1.0.5-1
- Type:NA
- Id:NA
- SUG:NA
- DESC: update to 1.0.5
* Tue Sep 17 2019 Huiming Xie <xiehuiming@huawei.com> - 1.0.2.13
- Package init
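Review bot: Nothing in this spec change records that the fixes carried by the dropped `Patch6001`–`Patch6007` are present in 1.0.5; among them are the length checks in `nfq_udp_get_payload()` and `nfq_tcp_get_payload()` and the malloc check in `nfq_create_queue()`. The patch headers elsewhere on this page read like upstream commits from 2013–2016, so they are presumably in the new tarball, but that should be confirmed against the 1.0.5 source rather than assumed. Once confirmed, the `%changelog` entry could state it, e.g. `- DESC: update to 1.0.5, drop Patch6001-6007 (merged upstream)`. The replacement source archive appears only as "Binary file not shown", so its checksum or upstream signature has to be verified outside this review.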


@ -1,27 +0,0 @@
From 981025e103d887fb6a9c9bb49c74ec323108d098 Mon Sep 17 00:00:00 2001
From: Victor Julien <victor@inliniac.net>
Date: Sun, 3 Jul 2016 09:38:02 +0200
Subject: [PATCH 30/38] src: check result of malloc when creating queue
Signed-off-by: Victor Julien <victor@inliniac.net>
Signed-off-by: Florian Westphal <fw@strlen.de>
---
src/libnetfilter_queue.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/src/libnetfilter_queue.c b/src/libnetfilter_queue.c
index 5fbde5b..211a8ba 100644
--- a/src/libnetfilter_queue.c
+++ b/src/libnetfilter_queue.c
@@ -536,6 +536,8 @@ struct nfq_q_handle *nfq_create_queue(struct nfq_handle *h,
return NULL;
qh = malloc(sizeof(*qh));
+ if (!qh)
+ return NULL;
memset(qh, 0, sizeof(*qh));
qh->h = h;
--
1.8.3.1


@ -1,49 +0,0 @@
From 4ca06bc967d94b7b7b5a6efc76e870f0efc77e24 Mon Sep 17 00:00:00 2001
From: Florian Westphal <fw@strlen.de>
Date: Thu, 16 Jun 2016 15:11:32 +0200
Subject: [PATCH 29/38] src: make nfq_open_nfnl thread-safe
nfq_open_nfnl uses an intermediate static object, so when it is invoked
by distinct threads at the same time there is a small chance that some
threads end up with another threads nfq_handle pointer stored in ->data.
The result is that the affected queue will be stuck because the thread
that was supposed to service it is handling another/wrong queue instead.
Tested-by: Michal Tesar <mtesar@redhat.com>
Signed-off-by: Florian Westphal <fw@strlen.de>
Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
src/libnetfilter_queue.c | 9 ++++-----
1 file changed, 4 insertions(+), 5 deletions(-)
diff --git a/src/libnetfilter_queue.c b/src/libnetfilter_queue.c
index 84184ee..5fbde5b 100644
--- a/src/libnetfilter_queue.c
+++ b/src/libnetfilter_queue.c
@@ -216,11 +216,6 @@ static int __nfq_rcv_pkt(struct nlmsghdr *nlh, struct nfattr *nfa[],
return qh->cb(qh, nfmsg, &nfqa, qh->data);
}
-static struct nfnl_callback pkt_cb = {
- .call = &__nfq_rcv_pkt,
- .attr_count = NFQA_MAX,
-};
-
/* public interface */
struct nfnl_handle *nfq_nfnlh(struct nfq_handle *h)
@@ -389,6 +384,10 @@ EXPORT_SYMBOL(nfq_open);
*/
struct nfq_handle *nfq_open_nfnl(struct nfnl_handle *nfnlh)
{
+ struct nfnl_callback pkt_cb = {
+ .call = __nfq_rcv_pkt,
+ .attr_count = NFQA_MAX,
+ };
struct nfq_handle *h;
int err;
--
1.8.3.1