Hello community,
here is the log from the commit of package openslp for openSUSE:Factory
checked in at Fri Oct 15 12:39:35 CEST 2010.
--------
--- openslp/openslp.changes 2009-12-14 17:04:42.000000000 +0100
+++ /mounts/work_src_done/STABLE/openslp/openslp.changes 2010-10-12 18:20:40.000000000 +0200
@@ -1,0 +2,41 @@
+Tue Oct 12 17:46:47 CEST 2010 - mls@suse.de
+
+- fix extension parsing code, CVE-2010-3609 [bnc#642571]
+
+-------------------------------------------------------------------
+Fri Oct 1 13:36:48 CEST 2010 - mls@suse.de
+
+- ignore leading and trailing spaces when comparing strings
+ [bnc#626444]
+
+-------------------------------------------------------------------
+Thu Sep 30 12:35:54 CEST 2010 - mls@suse.de
+
+- change DA pull code to not use the pulled-from-de prediacte, but
+ instead don't overwrite non-pulled registrations
+
+-------------------------------------------------------------------
+Thu Jul 29 13:28:41 CEST 2010 - mls@suse.de
+
+- add DABackupLocalReg option to enable backup of local services
+ [bnc#597215]
+
+-------------------------------------------------------------------
+Tue May 11 18:09:09 CEST 2010 - jeffm@suse.de
+
+- avoid CPU usage spike while while reading /proc/net/tcp
+ on systems with many connections (bnc#601002)
+
+-------------------------------------------------------------------
+Wed Apr 28 17:03:14 CEST 2010 - mls@suse.de
+
+- do not ignore DA answers if active and passive DA detection is off
+ [bnc#564504]
+- add DASyncReg and isDABackup options for OES folks
+
+-------------------------------------------------------------------
+Fri Mar 12 13:55:47 UTC 2010 - kkaempf@novell.com
+
+- Add SuSEfirewall2 description file
+
+-------------------------------------------------------------------
calling whatdependson for head-i586
New:
----
openslp.SuSEfirewall2
openslp.discovery.diff
openslp.ignorespaces.diff
openslp.initda.diff
openslp.parseext.diff
openslp.use-TCPDIAG-for-checking-listeners
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ openslp.spec ++++++
--- /var/tmp/diff_new_pack.IKU5RR/_old 2010-10-15 12:39:09.000000000 +0200
+++ /var/tmp/diff_new_pack.IKU5RR/_new 2010-10-15 12:39:09.000000000 +0200
@@ -21,8 +21,8 @@
BuildRequires: bison flex openssl-devel
Summary: An OpenSLP Implementation of Service Location Protocol V2
Version: 1.2.0
-Release: 175
-License: BSD3c(or similar) ; GPLv2+
+Release: 182
+License: BSD3c
Group: System/Daemons
Url: http://www.openslp.org/
# bug437293
@@ -38,7 +38,8 @@
Source4: openslp-devel.desktop
Source5: openslp.logrotate
Source6: slpd.xml
-Source7: baselibs.conf
+Source7: openslp.SuSEfirewall2
+Source8: baselibs.conf
Patch1: openslp.diff
Patch2: openslp.audit.diff
Patch3: extensions.diff
@@ -56,6 +57,11 @@
Patch15: openslp.fixaddrcheck.diff
Patch16: openslp.fixdsareturn.diff
Patch17: openslp.clrflags.diff
+Patch18: openslp.use-TCPDIAG-for-checking-listeners
+Patch19: openslp.discovery.diff
+Patch20: openslp.initda.diff
+Patch21: openslp.ignorespaces.diff
+Patch22: openslp.parseext.diff
%description
Service Location Protocol is an IETF standards track protocol that
@@ -79,7 +85,7 @@
Praveen Kumar Amritaluru
%package server
-License: BSD3c(or similar)
+License: BSD3c
Group: System/Daemons
Summary: The OpenSLP Implementation of the Service Location Protocol V2
PreReq: %fillup_prereq %insserv_prereq
@@ -107,7 +113,7 @@
Praveen Kumar Amritaluru
%package devel
-License: BSD3c(or similar)
+License: BSD3c
Requires: openssl-devel openslp = %version
Group: System/Daemons
Summary: OpenSLP Development SDK
@@ -159,6 +165,11 @@
%patch15
%patch16
%patch17
+%patch18 -p1
+%patch19
+%patch20
+%patch21
+%patch22
%build
autoreconf -fiv
@@ -169,6 +180,7 @@
%install
mkdir -p ${RPM_BUILD_ROOT}/etc/slp.reg.d
+mkdir -p ${RPM_BUILD_ROOT}/etc/slp.reg.d/slpd
cp etc/slp.conf ${RPM_BUILD_ROOT}/etc
cp etc/slp.reg ${RPM_BUILD_ROOT}/etc
cp etc/slp.spi ${RPM_BUILD_ROOT}/etc
@@ -205,6 +217,9 @@
%suse_update_desktop_file $RPM_BUILD_ROOT/usr/share/susehelp/meta/Development/Libraries/openslp-devel.desktop
%endif
%{__rm} -f %{buildroot}%{_libdir}/*.la
+%if 0%{?suse_version}
+install -D -m 644 %{S:7} $RPM_BUILD_ROOT%{_sysconfdir}/sysconfig/SuSEfirewall2.d/services/openslp
+%endif
%post -p /sbin/ldconfig
@@ -252,6 +267,7 @@
%doc %_defaultdocdir/%name/rfc
%doc /usr/share/susehelp/meta/Administration/openslp.desktop
%dir /etc/slp.reg.d/
+%dir /etc/slp.reg.d/slpd
/usr/sbin/rcopenslp
/usr/sbin/rcslpd
/usr/sbin/slpd
@@ -259,6 +275,9 @@
%config(noreplace) /etc/slp.reg
%config(noreplace) /etc/logrotate.d/openslp-server
/usr/share/omc/svcinfo.d/slpd.xml
+%if 0%{?suse_version} > 0
+%config %{_sysconfdir}/sysconfig/SuSEfirewall2.d/services/openslp
+%endif
%files devel
%defattr(-,root,root)
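Review bot: The new SuSEfirewall2 entry in `%files` is marked plain `%config`, while the neighbouring `/etc/slp.reg` and logrotate entries use `%config(noreplace)`, so a locally edited port list would be replaced on update (the old copy kept as `.rpmsave`). If replacement is intended, a short spec comment saying so would help; otherwise `%config(noreplace) %{_sysconfdir}/sysconfig/SuSEfirewall2.d/services/openslp` matches the rest of the section. The guard is also spelled `%if 0%{?suse_version} > 0` here but `%if 0%{?suse_version}` in the `%install` hunk; using one form in both places is easier to read.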
++++++ openslp.SuSEfirewall2 ++++++
## Name: Openslp server (SLP)
## Description: Enables Openslp server to advertise services
# space separated list of allowed ports
TCP="427"
UDP="427"
++++++ openslp.discovery.diff ++++++
--- slpd/slpd_outgoing.c.orig 2009-12-22 15:23:09.000000000 +0000
+++ slpd/slpd_outgoing.c 2009-12-22 15:47:35.000000000 +0000
@@ -420,6 +420,24 @@ SLPDSocket* SLPDOutgoingConnect(struct i
}
/*=========================================================================*/
+int SLPDHaveOutgoingConnectedSocket(struct in_addr* addr)
+/* Check if there is an outgoing socket for the specified address */
+/* */
+/* addr (IN) the address of the peer to check */
+/*=========================================================================*/
+{
+ SLPDSocket* sock = (SLPDSocket*)G_OutgoingSocketList.head;
+ while ( sock )
+ {
+ if (sock->state >= STREAM_CONNECT_IDLE &&
+ sock->peeraddr.sin_addr.s_addr == addr->s_addr)
+ return 1;
+ sock = (SLPDSocket*)sock->listitem.next;
+ }
+ return 0;
+}
+
+/*=========================================================================*/
void SLPDOutgoingDatagramWrite(SLPDSocket* sock)
/* Add a ready to write outgoing datagram socket to the outgoing list. */
/* The datagram will be written then sit in the list until it ages out */
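Review bot: The header comment on `SLPDHaveOutgoingConnectedSocket` says it checks for "an outgoing socket", but the loop only counts sockets with `sock->state >= STREAM_CONNECT_IDLE`, which relies on the numeric order of the socket-state enum declared outside this hunk. I would document that dependency and the return values, e.g. `/* returns: 1 if a socket in state STREAM_CONNECT_IDLE or later has this peer address, 0 otherwise */`. The match is on the IPv4 address alone and `addr` is dereferenced without a NULL check, so the comment should also say that callers must pass a valid address.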
--- slpd/slpd_outgoing.h.orig 2009-12-22 15:43:52.000000000 +0000
+++ slpd/slpd_outgoing.h 2009-12-22 15:45:26.000000000 +0000
@@ -107,6 +107,13 @@ SLPDSocket* SLPDOutgoingConnect(struct i
/* returns: pointer to socket or null on error */
/*=========================================================================*/
+/*=========================================================================*/
+int SLPDHaveOutgoingConnectedSocket(struct in_addr* addr);
+/* Check if there is an outgoing socket for the specified address */
+/* */
+/* addr (IN) the address of the peer to check */
+/*=========================================================================*/
+
/*=========================================================================*/
int SLPDOutgoingInit();
--- slpd/slpd_process.c.orig 2009-12-22 15:01:43.000000000 +0000
+++ slpd/slpd_process.c 2009-12-22 15:43:20.000000000 +0000
@@ -1120,7 +1120,11 @@ int ProcessDAAdvert(SLPMessage message,
if(G_SlpdProperty.DAActiveDiscoveryInterval == 0 &&
message->header.xid != 0)
{
- goto RESPOND;
+ /* do not ignore replys of our DiscoveryRequests made for
+ * static and dhcp configured DAs. For now we check this by
+ * testing if the sockaddr is on the outgoing socket list */
+ if (!SLPDHaveOutgoingConnectedSocket(&message->peer.sin_addr))
+ goto RESPOND;
}
/*-------------------------------*/
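Review bot: The new exemption `if (!SLPDHaveOutgoingConnectedSocket(&message->peer.sin_addr)) goto RESPOND;` accepts a DAAdvert with a non-zero xid purely because its source IP address matches a peer on the outgoing socket list. It does not tie the advert to the socket it arrived on or to the xid of a request slpd actually sent. If ProcessDAAdvert can also be reached for datagrams (not visible in this hunk), the source address is unauthenticated, so an advert carrying a configured DA's address would pass this test. The patch's own comment says "for now"; a stricter version would compare the xid with the outstanding request or require that the message was read from that connected socket. ProcessDAAdvert starts and ends outside the hunk.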
++++++ openslp.ignorespaces.diff ++++++
--- common/slp_compare.c.orig 2010-10-01 11:17:13.000000000 +0000
+++ common/slp_compare.c 2010-10-01 11:26:52.000000000 +0000
@@ -105,6 +105,16 @@ int SLPCompareString(int str1len,
/* <0 if s1 is less than str2 */
/*=========================================================================*/
{
+ /* strip leading/trailing while space */
+ while (str1len && (*str1 == ' ' || *str1 == '\t' || *str1 == '\r' || *str1 == '\n'))
+ str1++, str1len--;
+ while (str1len && (str1[str1len - 1] == ' ' || str1[str1len - 1] == '\t' || str1[str1len - 1] == '\r' || str1[str1len - 1] == '\n'))
+ str1len--;
+ while (str2len && (*str2 == ' ' || *str2 == '\t' || *str2 == '\r' || *str2 == '\n'))
+ str2++, str2len--;
+ while (str2len && (str2[str2len - 1] == ' ' || str2[str2len - 1] == '\t' || str2[str2len - 1] == '\r' || str2[str2len - 1] == '\n'))
+ str2len--;
+
/* TODO: fold whitespace and handle escapes*/
if(str1len == str2len)
{
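Review bot: The four trimming loops test the lengths for truthiness (`while (str1len && ...)`), but `str1len` and `str2len` are `int`, so a negative length would keep the loops going and index outside the string; `while (str1len > 0 && ...)` closes that off regardless of what callers pass. The same four-character test is written out four times and would read better as one small `static` helper. The comment has a typo, `while space` for `white space`. Because the trimming sits inside SLPCompareString itself, every caller's comparison now ignores surrounding whitespace; the callers are outside this hunk, so it is worth confirming that this is wanted everywhere. The function body continues past the hunk.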
++++++ openslp.initda.diff ++++++
++++ 1448 lines (skipped)
++++++ openslp.parseext.diff ++++++
--- ./common/slp_message.c.orig 2010-10-12 15:42:23.439823000 +0000
+++ ./common/slp_message.c 2010-10-12 15:45:44.936750000 +0000
@@ -872,10 +872,19 @@ int ParseExtension(SLPBuffer buffer, SLP
int extid;
int nextoffset;
int result = SLP_ERROR_OK;
+ int bufsz = (int)(buffer->end - buffer->start);
nextoffset = message->header.extoffset;
while(nextoffset)
{
+ /* check for circular reference in list
+ * if the size gets below zero, we know we're
+ * reprocessing extensions in a loop.
+ */
+ bufsz -= 5;
+ if (bufsz <= 0)
+ return SLP_ERROR_PARSE_ERROR;
+
buffer->curpos = buffer->start + nextoffset;
if(buffer->curpos + 5 >= buffer->end)
{
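Review bot: `nextoffset` is still turned into a pointer by `buffer->curpos = buffer->start + nextoffset;` before any range check, and the existing test `buffer->curpos + 5 >= buffer->end` then compares a pointer that may already lie outside the buffer, which is undefined behaviour in C. Comparing integers first avoids that: keep the total size in a separate variable and test `if (nextoffset < 0 || nextoffset >= total - 5) return SLP_ERROR_PARSE_ERROR;` before the assignment. The new `bufsz -= 5` budget does bound the loop, but the comment should say that 5 is the size of one extension header (the same constant as in the check below) and that the test is `<= 0`, not "below zero". The early `return` bypasses the `result` variable declared above; whether anything after the loop needs to run on that path is not visible in this hunk.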
++++++ openslp.use-TCPDIAG-for-checking-listeners ++++++
From: Jeff Mahoney
Subject: openslp: Use TCPDIAG for checking listeners
References: bnc#601002
The use of /proc/net/tcp is deprecated and can cause performance issues on
large systems. The issue is that there are a great many locks that must
be claimed and released in order to produce the contents of the proc file.
The replacement mechanism is to use the INETDIAG/TCPDIAG interface to
get the results. This has the advantage of using in-kernel filtering as
well as a binary interface so that the parsing of the proc file is
unnecessary.
Support is limited to TCP so the use of /proc/net/udp is still required.
If for whatever reason the netlink connection is lost and can't be
re-established, we fall back to reading /proc/net/tcp until the daemon
is restarted.
Signed-off-by: Jeff Mahoney
---
slpd/slpd_database.c | 179 ++++++++++++++++++++++++++++++++++++++++++++++++++-
1 file changed, 176 insertions(+), 3 deletions(-)
--- a/slpd/slpd_database.c
+++ b/slpd/slpd_database.c
@@ -76,6 +76,9 @@ FILE *regfileFP;
/* standard header files */
/*=========================================================================*/
#include
+#include
+#include
+#include
/*=========================================================================*/
SLPDDatabase G_SlpdDatabase;
@@ -919,11 +922,176 @@ static void SLPDDatabaseWatcher_fd(int f
}
}
+enum {
+ SS_UNKNOWN,
+ SS_ESTABLISHED,
+ SS_SYN_SENT,
+ SS_SYN_RECV,
+ SS_FIN_WAIT1,
+ SS_FIN_WAIT2,
+ SS_TIME_WAIT,
+ SS_CLOSE,
+ SS_CLOSE_WAIT,
+ SS_LAST_ACK,
+ SS_LISTEN,
+ SS_CLOSING,
+ SS_MAX
+};
+
+#define SS_ALL ((1< 0) {
+ if (sendmsg(*fd, &msg, 0) >= 0)
+ break;
+
+ if (reconnect_nl(fd)) {
+ SLPDLog("Lost TCPDIAG netlink connection and attempts to "
+ "re-establish have failed. Falling back to /proc/net/tcp "
+ "for dead/alive updates.\n");
+ *fd = -1;
+ return;
+ }
+ sched_yield();
+ }
+
+ iov.iov_base = buf;
+ iov.iov_len = sizeof(buf);
+
+ dh = SLPDatabaseOpen(&G_SlpdDatabase.database);
+ while (!status) {
+ struct nlmsghdr *h;
+
+ status = recvmsg(*fd, &msg, 0);
+ if (status < 0) {
+ if (errno == EINTR)
+ continue;
+ goto retry_sendmsg;
+ }
+
+ /* Socket has shut down */
+ if (status == 0)
+ goto retry_sendmsg;
+
+ for (h = (struct nlmsghdr *) buf; NLMSG_OK(h, status);
+ h = NLMSG_NEXT(h, status)) {
+ SLPDatabaseEntry *entry;
+ struct inet_diag_msg *r = NLMSG_DATA(h);
+
+ if (h->nlmsg_seq != 123456)
+ continue;
+
+ if (h->nlmsg_type == NLMSG_DONE)
+ goto close;
+
+ if (h->nlmsg_type == NLMSG_ERROR) {
+ struct nlmsgerr *err = NLMSG_DATA(h);
+ if (h->nlmsg_len >= NLMSG_LENGTH(sizeof(*err)))
+ status = EINVAL;
+ else
+ status = -err->error;
+ break;
+ }
+
+ if (r->idiag_family != AF_INET && r->idiag_family != AF_INET6)
+ continue;
+
+ if (r->idiag_family == AF_INET &&
+ ipv4_loopback.s_addr == r->id.idiag_src[0])
+ continue;
+
+ if (r->idiag_family == AF_INET6 &&
+ !memcmp(ipv6_loopback.s6_addr32, r->id.idiag_src,
+ sizeof(ipv6_loopback)))
+ continue;
+
+ port = ntohs(r->id.idiag_sport);
+ if (!(porthash[(port / 8) & 255] & (1 << (port & 7))))
+ continue;
+
+ SLPDatabaseRewind(dh);
+
+ while ((entry = SLPDatabaseEnum(dh)) != 0) {
+ SLPSrvReg *srvreg = &(entry->msg->body.srvreg);
+ if (!(srvreg->watchflags & flag))
+ continue;
+ if (port == srvreg->watchport)
+ srvreg->watchflags &= ~SLP_REG_WATCH_CHECKING;
+ }
+ }
+ }
+
+close:
+ SLPDatabaseClose(dh);
+}
+
/*=========================================================================*/
void SLPDDatabaseWatcher(void)
{
static int initialized = 0;
- static int proctcp, procudp, proctcp6, procudp6;
+ static int proctcp, procudp, proctcp6, procudp6, inet_diag = -1;
unsigned char porthash[256];
int flags, port;
SLPDatabaseHandle dh;
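Review bot: The NLMSG_ERROR branch in SLPDDatabaseWatcher_nl has its length test inverted: `if (h->nlmsg_len >= NLMSG_LENGTH(sizeof(*err))) status = EINVAL; else status = -err->error;` reads `err->error` only when the message is too short to hold a `struct nlmsgerr`, and discards the kernel's error code when the message is complete. The condition should be `if (h->nlmsg_len < NLMSG_LENGTH(sizeof(*err)))`. Both `goto retry_sendmsg` jumps happen after `SLPDatabaseOpen`, and the retry loop can `return` without `SLPDatabaseClose(dh)`; the label sits in a part of the hunk that is garbled on this page, so whether the handle leaks needs checking against the original patch. Replies are matched only on the fixed sequence number `123456`; a named constant and, if the socket setup does not already do it, a check that the sender address has `nl_pid == 0` (the kernel) would make the parser stricter.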
@@ -931,6 +1099,7 @@ void SLPDDatabaseWatcher(void)
SLPSrvReg* srvreg;
if (!initialized) {
+ inet_diag = socket(AF_NETLINK, SOCK_RAW, NETLINK_INET_DIAG);
proctcp = open("/proc/net/tcp_listen", O_RDONLY);
if (proctcp == -1)
proctcp = open("/proc/net/tcp", O_RDONLY);
@@ -955,8 +1124,12 @@ void SLPDDatabaseWatcher(void)
}
SLPDatabaseClose(dh);
if ((flags & SLP_REG_WATCH_TCP) != 0) {
- SLPDDatabaseWatcher_fd(proctcp, SLP_REG_WATCH_TCP, porthash);
- SLPDDatabaseWatcher_fd(proctcp6, SLP_REG_WATCH_TCP, porthash);
+ if (inet_diag >= 0)
+ SLPDDatabaseWatcher_nl(&inet_diag, SLP_REG_WATCH_TCP, porthash);
+ if (inet_diag < 0) { /* Fallback if _nl fails */
+ SLPDDatabaseWatcher_fd(proctcp, SLP_REG_WATCH_TCP, porthash);
+ SLPDDatabaseWatcher_fd(proctcp6, SLP_REG_WATCH_TCP, porthash);
+ }
}
if ((flags & SLP_REG_WATCH_UDP) != 0) {
SLPDDatabaseWatcher_fd(procudp, SLP_REG_WATCH_UDP, porthash);
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++