rpms/ipsec-tools/devel ipsec-tools-0.6.5-leak.patch, 1.1, 1.2 ipsec-tools.spec, 1.39, 1.40
fedora-cvs-commits at redhat.com
fedora-cvs-commits at redhat.com
Sat Apr 14 21:02:17 UTC 2007
Author: sgrubb
Update of /cvs/dist/rpms/ipsec-tools/devel
In directory cvs.devel.redhat.com:/tmp/cvs-serv18410
Modified Files:
ipsec-tools-0.6.5-leak.patch ipsec-tools.spec
Log Message:
* Sat Apr 14 2007 Steve Grubb <sgrubb at redhat.com> - 0.6.6-6%{?dist}
- Resolves: #235680 racoon socket descriptor exhaustion
ipsec-tools-0.6.5-leak.patch:
main.c | 4 +++-
policy.h | 1 +
security.c | 25 +++++++++----------------
3 files changed, 13 insertions(+), 17 deletions(-)
Index: ipsec-tools-0.6.5-leak.patch
===================================================================
RCS file: /cvs/dist/rpms/ipsec-tools/devel/ipsec-tools-0.6.5-leak.patch,v
retrieving revision 1.1
retrieving revision 1.2
diff -u -r1.1 -r1.2
--- ipsec-tools-0.6.5-leak.patch 14 Apr 2007 20:37:16 -0000 1.1
+++ ipsec-tools-0.6.5-leak.patch 14 Apr 2007 21:02:15 -0000 1.2
@@ -1,42 +1,65 @@
diff -urp ipsec-tools-0.6.5.orig/src/racoon/main.c ipsec-tools-0.6.5/src/racoon/main.c
--- ipsec-tools-0.6.5.orig/src/racoon/main.c 2007-04-14 16:00:16.000000000 -0400
-+++ ipsec-tools-0.6.5/src/racoon/main.c 2007-04-14 16:10:12.000000000 -0400
-@@ -163,7 +163,10 @@ main(ac, av)
++++ ipsec-tools-0.6.5/src/racoon/main.c 2007-04-14 16:46:32.000000000 -0400
+@@ -163,7 +163,9 @@ main(ac, av)
#ifdef DEBUG_RECORD_MALLOCATION
DRM_init();
#endif
-
+#ifdef HAVE_SECCTX
-+ if (init_avc() != 0)
-+ errx(1, "Could not init avcs");
++ init_avc();
+#endif
eay_init();
initlcconf();
initrmconf();
diff -urp ipsec-tools-0.6.5.orig/src/racoon/policy.h ipsec-tools-0.6.5/src/racoon/policy.h
--- ipsec-tools-0.6.5.orig/src/racoon/policy.h 2007-04-14 16:00:17.000000000 -0400
-+++ ipsec-tools-0.6.5/src/racoon/policy.h 2007-04-14 16:06:13.000000000 -0400
++++ ipsec-tools-0.6.5/src/racoon/policy.h 2007-04-14 16:51:37.000000000 -0400
@@ -154,6 +154,7 @@ extern const char *spidx2str __P((const
#ifdef HAVE_SECCTX
#include <selinux/selinux.h>
extern int get_security_context __P((vchar_t *, struct policyindex *));
-+extern int init_avc __P((void));
++extern void init_avc __P((void));
extern int within_range __P((security_context_t, security_context_t));
extern void set_secctx_in_proposal __P((struct ph2handle *, struct policyindex));
#endif
diff -urp ipsec-tools-0.6.5.orig/src/racoon/security.c ipsec-tools-0.6.5/src/racoon/security.c
--- ipsec-tools-0.6.5.orig/src/racoon/security.c 2007-04-14 16:00:17.000000000 -0400
-+++ ipsec-tools-0.6.5/src/racoon/security.c 2007-04-14 16:09:40.000000000 -0400
-@@ -182,7 +182,7 @@ set_secctx_in_proposal(iph2, spidx)
++++ ipsec-tools-0.6.5/src/racoon/security.c 2007-04-14 16:50:53.000000000 -0400
+@@ -181,24 +181,21 @@ set_secctx_in_proposal(iph2, spidx)
+ * return: 0 if avc was successfully initialized
* 1 if the avc could not be initialized
*/
-
+-
-static int
-+int
++static int mls_ready = 0;
++void
init_avc(void)
{
- int rtn = 0;
-@@ -225,13 +225,6 @@ within_range(security_context_t sl, secu
+- int rtn = 0;
+-
+ if (!is_selinux_mls_enabled()) {
+ plog(LLV_ERROR, LOCATION, NULL, "racoon: MLS support is not"
+ " enabled.\n");
+- return 1;
++ return;
+ }
+
+- rtn = avc_init("racoon", NULL, NULL, NULL, NULL);
+- if (rtn != 0) {
+- plog(LLV_ERROR, LOCATION, NULL, "racoon: could not initialize avc.\n");
+- rtn = 1;
+- }
+- return rtn;
++ if (avc_init("racoon", NULL, NULL, NULL, NULL) == 0)
++ mls_ready = 1;
++ else
++ plog(LLV_ERROR, LOCATION, NULL,
++ "racoon: could not initialize avc.\n");
+ }
+
+ /*
+@@ -225,12 +222,8 @@ within_range(security_context_t sl, secu
if (!*range) /* This policy doesn't have security context */
return 1;
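Review bot: The comment kept as context above init_avc() in security.c still documents `return: 0 if avc was successfully initialized / 1 if the avc could not be initialized`, but the function is now `void` and reports its outcome only through `mls_ready`. That comment should be rewritten to say the function sets `mls_ready` on success and logs on failure. The new `static int mls_ready = 0;` also lands between that comment and the function it describes; it would read better above the comment with its own note, e.g. `/* set once by init_avc() when MLS is enabled and avc_init() succeeded */`. Because main.c no longer aborts with `errx` when initialization fails, racoon keeps running with the AVC unavailable and the only trace is one LLV_ERROR line. That is safe only if every AVC consumer checks `mls_ready`; within_range is the only one visible in this patch, so the others in security.c should be confirmed.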
@@ -44,9 +67,9 @@
- if (rtn != 0) {
- plog(LLV_ERROR, LOCATION, NULL,
- "within_range: couldn't initialize the AVC\n");
-- return 0;
++ if (!mls_ready) /* mls may not be enabled */
+ return 0;
- }
--
+
/*
* Get the sids for the sl and range contexts
- */
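Review bot: The new guard in within_range, `if (!mls_ready) /* mls may not be enabled */`, also fires when avc_init() failed at startup, so the comment understates when the check denies. Something like `/* AVC unavailable (MLS disabled or avc_init() failed): deny */` would be accurate. The deny path is also silent now that the patch drops the "within_range: couldn't initialize the AVC" message, so a rejected negotiation can only be traced back to the single startup log line. A `plog(LLV_DEBUG, LOCATION, NULL, "within_range: AVC not initialized, denying\n");` before the `return 0;` would keep the fail-closed behaviour diagnosable without flooding the error log. The body of within_range continues past the end of this hunk.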
Index: ipsec-tools.spec
===================================================================
RCS file: /cvs/dist/rpms/ipsec-tools/devel/ipsec-tools.spec,v
retrieving revision 1.39
retrieving revision 1.40
diff -u -r1.39 -r1.40
--- ipsec-tools.spec 14 Apr 2007 20:37:16 -0000 1.39
+++ ipsec-tools.spec 14 Apr 2007 21:02:15 -0000 1.40
@@ -1,6 +1,6 @@
Name: ipsec-tools
Version: 0.6.6
-Release: 5%{?dist}
+Release: 6%{?dist}
Summary: Tools for configuring and using IPSEC
License: BSD
Group: System Environment/Base
@@ -107,7 +107,7 @@
%config(noreplace) /etc/racoon/racoon.conf
%changelog
-* Sat Apr 14 2007 Steve Grubb <sgrubb at redhat.com> - 0.6.6-5%{?dist}
+* Sat Apr 14 2007 Steve Grubb <sgrubb at redhat.com> - 0.6.6-6%{?dist}
- Resolves: #235680 racoon socket descriptor exhaustion
* Fri Apr 13 2007 Steve Grubb <sgrubb at redhat.com> - 0.6.6-4%{?dist}