rpms/ipsec-tools/devel ipsec-tools-0.6.5-leak.patch, 1.1, 1.2 ipsec-tools.spec, 1.39, 1.40

fedora-cvs-commits at redhat.com fedora-cvs-commits at redhat.com
Sat Apr 14 21:02:17 UTC 2007


Author: sgrubb

Update of /cvs/dist/rpms/ipsec-tools/devel
In directory cvs.devel.redhat.com:/tmp/cvs-serv18410

Modified Files:
	ipsec-tools-0.6.5-leak.patch ipsec-tools.spec 
Log Message:
* Sat Apr 14 2007 Steve Grubb <sgrubb at redhat.com> - 0.6.6-6%{?dist}
- Resolves: #235680 racoon socket descriptor exhaustion


ipsec-tools-0.6.5-leak.patch:
 main.c     |    4 +++-
 policy.h   |    1 +
 security.c |   25 +++++++++----------------
 3 files changed, 13 insertions(+), 17 deletions(-)

Index: ipsec-tools-0.6.5-leak.patch
===================================================================
RCS file: /cvs/dist/rpms/ipsec-tools/devel/ipsec-tools-0.6.5-leak.patch,v
retrieving revision 1.1
retrieving revision 1.2
diff -u -r1.1 -r1.2
--- ipsec-tools-0.6.5-leak.patch	14 Apr 2007 20:37:16 -0000	1.1
+++ ipsec-tools-0.6.5-leak.patch	14 Apr 2007 21:02:15 -0000	1.2
@@ -1,42 +1,65 @@
 diff -urp ipsec-tools-0.6.5.orig/src/racoon/main.c ipsec-tools-0.6.5/src/racoon/main.c
 --- ipsec-tools-0.6.5.orig/src/racoon/main.c	2007-04-14 16:00:16.000000000 -0400
-+++ ipsec-tools-0.6.5/src/racoon/main.c	2007-04-14 16:10:12.000000000 -0400
-@@ -163,7 +163,10 @@ main(ac, av)
++++ ipsec-tools-0.6.5/src/racoon/main.c	2007-04-14 16:46:32.000000000 -0400
+@@ -163,7 +163,9 @@ main(ac, av)
  #ifdef DEBUG_RECORD_MALLOCATION
  	DRM_init();
  #endif
 -
 +#ifdef HAVE_SECCTX
-+	if (init_avc() != 0)
-+		errx(1, "Could not init avcs");
++	init_avc();
 +#endif
  	eay_init();
  	initlcconf();
  	initrmconf();
 diff -urp ipsec-tools-0.6.5.orig/src/racoon/policy.h ipsec-tools-0.6.5/src/racoon/policy.h
 --- ipsec-tools-0.6.5.orig/src/racoon/policy.h	2007-04-14 16:00:17.000000000 -0400
-+++ ipsec-tools-0.6.5/src/racoon/policy.h	2007-04-14 16:06:13.000000000 -0400
++++ ipsec-tools-0.6.5/src/racoon/policy.h	2007-04-14 16:51:37.000000000 -0400
 @@ -154,6 +154,7 @@ extern const char *spidx2str __P((const 
  #ifdef HAVE_SECCTX
  #include <selinux/selinux.h>
  extern int get_security_context __P((vchar_t *, struct policyindex *));
-+extern int init_avc __P((void));
++extern void init_avc __P((void));
  extern int within_range __P((security_context_t, security_context_t));
  extern void set_secctx_in_proposal __P((struct ph2handle *, struct policyindex));
  #endif
 diff -urp ipsec-tools-0.6.5.orig/src/racoon/security.c ipsec-tools-0.6.5/src/racoon/security.c
 --- ipsec-tools-0.6.5.orig/src/racoon/security.c	2007-04-14 16:00:17.000000000 -0400
-+++ ipsec-tools-0.6.5/src/racoon/security.c	2007-04-14 16:09:40.000000000 -0400
-@@ -182,7 +182,7 @@ set_secctx_in_proposal(iph2, spidx)
++++ ipsec-tools-0.6.5/src/racoon/security.c	2007-04-14 16:50:53.000000000 -0400
+@@ -181,24 +181,21 @@ set_secctx_in_proposal(iph2, spidx)
+  * return:	0	if avc was successfully initialized
   * 		1	if the avc could not be initialized
   */
- 
+-
 -static int
-+int
++static int mls_ready = 0;
++void
  init_avc(void)
  {
- 	int rtn = 0;
-@@ -225,13 +225,6 @@ within_range(security_context_t sl, secu
+-	int rtn = 0;
+-
+ 	if (!is_selinux_mls_enabled()) {
+ 		plog(LLV_ERROR, LOCATION, NULL, "racoon: MLS support is not"
+ 				" enabled.\n");
+-		return 1;
++		return;
+ 	}
+ 
+-	rtn = avc_init("racoon", NULL, NULL, NULL, NULL);
+-	if (rtn != 0) {
+-		plog(LLV_ERROR, LOCATION, NULL, "racoon: could not initialize avc.\n");
+-		rtn = 1;
+-	}
+-	return rtn;
++	if (avc_init("racoon", NULL, NULL, NULL, NULL) == 0)
++		mls_ready = 1;
++	else
++		plog(LLV_ERROR, LOCATION, NULL,
++				"racoon: could not initialize avc.\n");
+ }
+ 
+ /*
+@@ -225,12 +222,8 @@ within_range(security_context_t sl, secu
  	if (!*range)	/* This policy doesn't have security context */
  		return 1;
  
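Review bot: The header comment kept as context above `init_avc` still documents return values 0 and 1, but in revision 1.2 the function is `void` and reports success only through the new `mls_ready` flag. The `static int mls_ready = 0;` line is also inserted between that comment and the function, so the comment now reads as if it described the variable. I would move the declaration above the comment and replace the `return:` lines with something like `* sets mls_ready to 1 if the avc was successfully initialized, leaves it 0 otherwise`. Because `main()` no longer calls `errx()` on failure, it is also worth stating there that racoon keeps running without the AVC and that `within_range()` then denies labeled policies.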
@@ -44,9 +67,9 @@
 -	if (rtn != 0) {
 -		plog(LLV_ERROR, LOCATION, NULL, 
 -			"within_range: couldn't initialize the AVC\n");
--		return 0;
++	if (!mls_ready) /* mls may not be enabled */
+ 		return 0;
 -	}
--
+ 
  	/*
  	 * Get the sids for the sl and range contexts
- 	 */
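Review bot: When `mls_ready` is 0, `within_range()` now returns 0 without logging anything, whereas the removed branch logged "within_range: couldn't initialize the AVC". Denying is the safe direction, but every policy that carries a security context will be refused, and the only trace is the single startup message from `init_avc()`. I would keep a diagnostic at the point of denial, e.g. `plog(LLV_ERROR, LOCATION, NULL, "within_range: AVC not initialized, denying\n");` before the `return 0;`, with braces around the two statements. The body of `within_range()` starts and ends outside this hunk, so the remaining paths are not reviewed here.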


Index: ipsec-tools.spec
===================================================================
RCS file: /cvs/dist/rpms/ipsec-tools/devel/ipsec-tools.spec,v
retrieving revision 1.39
retrieving revision 1.40
diff -u -r1.39 -r1.40
--- ipsec-tools.spec	14 Apr 2007 20:37:16 -0000	1.39
+++ ipsec-tools.spec	14 Apr 2007 21:02:15 -0000	1.40
@@ -1,6 +1,6 @@
 Name: ipsec-tools
 Version: 0.6.6
-Release: 5%{?dist}
+Release: 6%{?dist}
 Summary: Tools for configuring and using IPSEC
 License: BSD
 Group: System Environment/Base
@@ -107,7 +107,7 @@
 %config(noreplace) /etc/racoon/racoon.conf
 
 %changelog
-* Sat Apr 14 2007 Steve Grubb <sgrubb at redhat.com> - 0.6.6-5%{?dist}
+* Sat Apr 14 2007 Steve Grubb <sgrubb at redhat.com> - 0.6.6-6%{?dist}
 - Resolves: #235680 racoon socket descriptor exhaustion
 
 * Fri Apr 13 2007 Steve Grubb <sgrubb at redhat.com> - 0.6.6-4%{?dist}



