Date: Wednesday, December 28, 2016 @ 21:24:36 Author: seblu Revision: 284950
upgpkg: nftables 1:0.7-1 Modified: nftables/trunk/PKGBUILD Deleted: nftables/trunk/01-payload-don-t-update-protocol-context-if-we-can-t-fi.patch ---------------------------------------------------------------+ 01-payload-don-t-update-protocol-context-if-we-can-t-fi.patch | 108 ---------- PKGBUILD | 8 2 files changed, 3 insertions(+), 113 deletions(-) Deleted: 01-payload-don-t-update-protocol-context-if-we-can-t-fi.patch =================================================================== --- 01-payload-don-t-update-protocol-context-if-we-can-t-fi.patch 2016-12-28 18:53:03 UTC (rev 284949) +++ 01-payload-don-t-update-protocol-context-if-we-can-t-fi.patch 2016-12-28 21:24:36 UTC (rev 284950) @@ -1,108 +0,0 @@ -From 3503738f77cdbe521da1054a37f59ac2e442b4cf Mon Sep 17 00:00:00 2001 -From: Florian Westphal <[email protected]> -Date: Mon, 6 Jun 2016 21:52:28 +0200 -Subject: [PATCH 2/7] payload: don't update protocol context if we can't find a - description - -Since commit -20b1131c07acd2fc ("payload: fix stacked headers protocol context tracking") -we deref null pointer if we can't find a description for the desired -protocol, so "ip protocol 254" crashes while testing protocols 6 or 17 -(tcp, udp) works. - -Also add a test case for this. - -Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1072 -Signed-off-by: Florian Westphal <[email protected]> -Acked-by: Pablo Neira Ayuso <[email protected]> ---- - src/payload.c | 3 +++ - tests/py/ip/ip.t | 3 +++ - tests/py/ip/ip.t.payload | 5 +++++ - tests/py/ip/ip.t.payload.inet | 7 +++++++ - tests/py/ip/ip.t.payload.netdev | 7 +++++++ - 5 files changed, 25 insertions(+) - -diff --git a/src/payload.c b/src/payload.c -index ac0e917..9ba980a 100644 ---- a/src/payload.c -+++ b/src/payload.c -@@ -85,6 +85,9 @@ static void payload_expr_pctx_update(struct proto_ctx *ctx, - base = ctx->protocol[left->payload.base].desc; - desc = proto_find_upper(base, proto); - -+ if (!desc) -+ return; -+ - assert(desc->base <= PROTO_BASE_MAX); - if (desc->base == base->base) { - assert(base->length > 0); -diff --git a/tests/py/ip/ip.t b/tests/py/ip/ip.t -index 594136c..a265b75 100644 ---- a/tests/py/ip/ip.t -+++ b/tests/py/ip/ip.t -@@ -75,6 +75,9 @@ ip protocol != tcp;ok;ip protocol != 6 - ip protocol { icmp, esp, ah, comp, udp, udplite, tcp, dccp, sctp} accept;ok;ip protocol { 33, 136, 17, 51, 50, 6, 132, 1, 108} accept - - ip protocol != { icmp, esp, ah, comp, udp, udplite, tcp, dccp, sctp} accept;ok - -+ip protocol 255;ok -+ip protocol 256;fail -+ - ip checksum 13172 drop;ok - ip checksum 22;ok - ip checksum != 233;ok -diff --git a/tests/py/ip/ip.t.payload b/tests/py/ip/ip.t.payload -index 3bd3358..15cc590 100644 ---- a/tests/py/ip/ip.t.payload -+++ b/tests/py/ip/ip.t.payload -@@ -204,6 +204,11 @@ ip test-ip4 input - [ lookup reg 1 set __set%d ] - [ immediate reg 0 accept ] - -+# ip protocol 255 -+ip test-ip4 input -+ [ payload load 1b @ network header + 9 => reg 1 ] -+ [ cmp eq reg 1 0x000000ff ] -+ - # ip checksum 13172 drop - ip test-ip4 input - [ payload load 2b @ network header + 10 => reg 1 ] -diff --git a/tests/py/ip/ip.t.payload.inet b/tests/py/ip/ip.t.payload.inet -index ef4692e..e495246 100644 ---- a/tests/py/ip/ip.t.payload.inet -+++ b/tests/py/ip/ip.t.payload.inet -@@ -268,6 +268,13 @@ inet test-inet input - [ lookup reg 1 set __set%d ] - [ immediate reg 0 accept ] - -+# ip protocol 255 -+ip test-ip4 input -+ [ meta load nfproto => reg 1 ] -+ [ cmp eq reg 1 0x00000002 ] -+ [ payload load 1b @ network header + 9 => reg 1 ] -+ [ cmp eq reg 1 0x000000ff ] -+ - # ip checksum 13172 drop - inet test-inet input - [ meta load nfproto => reg 1 ] -diff --git a/tests/py/ip/ip.t.payload.netdev b/tests/py/ip/ip.t.payload.netdev -index 4feaa27..8eaee4c 100644 ---- a/tests/py/ip/ip.t.payload.netdev -+++ b/tests/py/ip/ip.t.payload.netdev -@@ -204,6 +204,13 @@ netdev test-netdev ingress - [ lookup reg 1 set __set%d ] - [ immediate reg 0 accept ] - -+# ip protocol 255 -+ip test-ip4 input -+ [ meta load protocol => reg 1 ] -+ [ cmp eq reg 1 0x00000008 ] -+ [ payload load 1b @ network header + 9 => reg 1 ] -+ [ cmp eq reg 1 0x000000ff ] -+ - # ip checksum 13172 drop - netdev test-netdev ingress - [ meta load protocol => reg 1 ] --- -2.8.3 - Modified: PKGBUILD =================================================================== --- PKGBUILD 2016-12-28 18:53:03 UTC (rev 284949) +++ PKGBUILD 2016-12-28 21:24:36 UTC (rev 284950) @@ -3,8 +3,8 @@ pkgname=nftables epoch=1 -pkgver=0.6 -pkgrel=3 +pkgver=0.7 +pkgrel=1 pkgdesc='Netfilter tables userspace tools' arch=('i686' 'x86_64') url='https://netfilter.org/projects/nftables/' @@ -15,13 +15,11 @@ validpgpkeys=('C09DB2063F1D7034BA6152ADAB4655A126D292E4') # Netfilter Core Team # 2016-11-03: https sources download is broken with curl source=("http://netfilter.org/projects/nftables/files/nftables-$pkgver.tar.bz2"{,.sig} - '01-payload-don-t-update-protocol-context-if-we-can-t-fi.patch' 'nftables.conf' 'nftables.service' 'nftables-reload') -sha1sums=('c0f90a208e0ab5d43d3e638350a4fe58e6f4366f' +sha1sums=('c003fa8b63b1b44c52de345a4d84487d81865a98' 'SKIP' - 'c2f79f151a57ba6888d325f2573a6a0269830e9b' 'a7146fad414f9e827e2e83b630308890c876b80d' '65833b9c5b777cfb3a0776060c569a727ce6f460' 'd9f40e751b44dd9dc9fdb3b7eba3cc0a9b7e1b01')
