!183 backport patchs to fix problems

From: @Venland 
Reviewed-by: @robertxw 
Signed-off-by: @robertxw

backport-bridge-fix-potential-snprintf-overflow.patch

@@ -0,0 +1,40 @@
+From 4d80122ae82aea86cb740b5202f6c3fde6183538 Mon Sep 17 00:00:00 2001
+From: Stephen Hemminger <stephen@networkplumber.org>
+Date: Mon, 18 Sep 2023 11:34:42 -0700
+Subject: [PATCH] bridge: fix potential snprintf overflow
+
+There is a theoretical snprintf overflow in bridge slave bitmask
+print code found by CodeQL scan.
+
+Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
+---
+ ip/iplink_bridge_slave.c | 11 +++++++++--
+ 1 file changed, 9 insertions(+), 2 deletions(-)
+
+diff --git a/ip/iplink_bridge_slave.c b/ip/iplink_bridge_slave.c
+index dc73c8657..3821923b5 100644
+--- a/ip/iplink_bridge_slave.c
++++ b/ip/iplink_bridge_slave.c
+@@ -100,13 +100,20 @@ static void _bitmask2str(__u16 bitmask, char *dst, size_t dst_size,
+ 	int len, i;
+ 
+ 	for (i = 0, len = 0; bitmask; i++, bitmask >>= 1) {
++		int n;
++
+ 		if (bitmask & 0x1) {
+ 			if (tbl[i])
+-				len += snprintf(dst + len, dst_size - len, "%s,",
++				n = snprintf(dst + len, dst_size - len, "%s,",
+ 						tbl[i]);
+ 			else
+-				len += snprintf(dst + len, dst_size - len, "0x%x,",
++				n = snprintf(dst + len, dst_size - len, "0x%x,",
+ 						(1 << i));
++
++			if (n < 0 || n >= dst_size - len)
++				break;
++
++			len += n;
+ 		}
+ 	}
+ 

backport-ila-fix-potential-snprintf-buffer-overflow.patch

@@ -0,0 +1,27 @@
+From e8a3fca81cd4b8fee14cfb14a5ce9c1b3b63e797 Mon Sep 17 00:00:00 2001
+From: Stephen Hemminger <stephen@networkplumber.org>
+Date: Mon, 18 Sep 2023 11:36:32 -0700
+Subject: [PATCH] ila: fix potential snprintf buffer overflow
+
+The code to print 64 bit address has a theoretical overflow
+of snprintf buffer found by CodeQL scan.
+Address by checking result.
+
+Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
+---
+ ip/ipila.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/ip/ipila.c b/ip/ipila.c
+index 4f6d578f2..23b19a108 100644
+--- a/ip/ipila.c
++++ b/ip/ipila.c
+@@ -60,6 +60,8 @@ static void print_addr64(__u64 addr, char *buff, size_t len)
+ 			sep = "";
+ 
+ 		ret = snprintf(&buff[written], len - written, "%x%s", v, sep);
++		if (ret < 0 || ret >= len - written)
++			break;
+ 		written += ret;
+ 	}
+ }

backport-ip-fix-memory-leak-in-ip-maddr-show.patch

@@ -0,0 +1,44 @@
+From 575322b09c3c6bc1806f2faa31edcfb64df302bb Mon Sep 17 00:00:00 2001
+From: Maxim Petrov <mmrmaximuzz@gmail.com>
+Date: Sun, 15 Oct 2023 16:32:12 +0200
+Subject: [PATCH] ip: fix memory leak in 'ip maddr show'
+
+In `read_dev_mcast`, the list of ma_info is allocated, but not cleared
+after use. Free the list in the end to make valgrind happy.
+
+Detected by valgrind: "valgrind ./ip/ip maddr show"
+
+Signed-off-by: Maxim Petrov <mmrmaximuzz@gmail.com>
+---
+ ip/ipmaddr.c | 11 +++++++++++
+ 1 file changed, 11 insertions(+)
+
+diff --git a/ip/ipmaddr.c b/ip/ipmaddr.c
+index 176f6ab74..2418b3031 100644
+--- a/ip/ipmaddr.c
++++ b/ip/ipmaddr.c
+@@ -79,6 +79,16 @@ static void maddr_ins(struct ma_info **lst, struct ma_info *m)
+ 	*lst = m;
+ }
+ 
++static void maddr_clear(struct ma_info *lst)
++{
++	struct ma_info *mp;
++
++	while ((mp = lst) != NULL) {
++		lst = mp->next;
++		free(mp);
++	}
++}
++
+ static void read_dev_mcast(struct ma_info **result_p)
+ {
+ 	char buf[256];
+@@ -286,6 +296,7 @@ static int multiaddr_list(int argc, char **argv)
+ 	if (!filter.family || filter.family == AF_INET6)
+ 		read_igmp6(&list);
+ 	print_mlist(stdout, list);
++	maddr_clear(list);
+ 	return 0;
+ }
+ 

backport-iproute2-prevent-memory-leak.patch

@@ -0,0 +1,148 @@
+From 2c3ebb2ae08a634615e56303d784ddb366e47f04 Mon Sep 17 00:00:00 2001
+From: heminhong <heminhong@kylinos.cn>
+Date: Thu, 16 Nov 2023 11:13:08 +0800
+Subject: [PATCH] iproute2: prevent memory leak
+
+When the return value of rtnl_talk() is not less than 0,
+'answer' will be allocated. The 'answer' should be free
+after using, otherwise it will cause memory leak.
+
+Fixes: a066cc6623e1 ("gre/gre6: Unify local/remote endpoint address parsing")
+Signed-off-by: heminhong <heminhong@kylinos.cn>
+Reviewed-by: Andrea Claudi <aclaudi@redhat.com>
+Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
+---
+ ip/link_gre.c    | 3 ++-
+ ip/link_gre6.c   | 3 ++-
+ ip/link_ip6tnl.c | 3 ++-
+ ip/link_iptnl.c  | 3 ++-
+ ip/link_vti.c    | 3 ++-
+ ip/link_vti6.c   | 3 ++-
+ 6 files changed, 12 insertions(+), 6 deletions(-)
+
+diff --git a/ip/link_gre.c b/ip/link_gre.c
+index 74a5b5e96..6d71864c1 100644
+--- a/ip/link_gre.c
++++ b/ip/link_gre.c
+@@ -76,7 +76,7 @@ static int gre_parse_opt(struct link_util *lu, int argc, char **argv,
+ 		.i.ifi_family = preferred_family,
+ 		.i.ifi_index = ifi->ifi_index,
+ 	};
+-	struct nlmsghdr *answer;
++	struct nlmsghdr *answer = NULL;
+ 	struct rtattr *tb[IFLA_MAX + 1];
+ 	struct rtattr *linkinfo[IFLA_INFO_MAX+1];
+ 	struct rtattr *greinfo[IFLA_GRE_MAX + 1];
+@@ -113,6 +113,7 @@ static int gre_parse_opt(struct link_util *lu, int argc, char **argv,
+ get_failed:
+ 			fprintf(stderr,
+ 				"Failed to get existing tunnel info.\n");
++			free(answer);
+ 			return -1;
+ 		}
+ 
+diff --git a/ip/link_gre6.c b/ip/link_gre6.c
+index b03bd65ad..4d1c65748 100644
+--- a/ip/link_gre6.c
++++ b/ip/link_gre6.c
+@@ -79,7 +79,7 @@ static int gre_parse_opt(struct link_util *lu, int argc, char **argv,
+ 		.i.ifi_family = preferred_family,
+ 		.i.ifi_index = ifi->ifi_index,
+ 	};
+-	struct nlmsghdr *answer;
++	struct nlmsghdr *answer = NULL;
+ 	struct rtattr *tb[IFLA_MAX + 1];
+ 	struct rtattr *linkinfo[IFLA_INFO_MAX+1];
+ 	struct rtattr *greinfo[IFLA_GRE_MAX + 1];
+@@ -115,6 +115,7 @@ static int gre_parse_opt(struct link_util *lu, int argc, char **argv,
+ get_failed:
+ 			fprintf(stderr,
+ 				"Failed to get existing tunnel info.\n");
++			free(answer);
+ 			return -1;
+ 		}
+ 
+diff --git a/ip/link_ip6tnl.c b/ip/link_ip6tnl.c
+index b27d696f5..3a30dca93 100644
+--- a/ip/link_ip6tnl.c
++++ b/ip/link_ip6tnl.c
+@@ -72,7 +72,7 @@ static int ip6tunnel_parse_opt(struct link_util *lu, int argc, char **argv,
+ 		.i.ifi_family = preferred_family,
+ 		.i.ifi_index = ifi->ifi_index,
+ 	};
+-	struct nlmsghdr *answer;
++	struct nlmsghdr *answer = NULL;
+ 	struct rtattr *tb[IFLA_MAX + 1];
+ 	struct rtattr *linkinfo[IFLA_INFO_MAX+1];
+ 	struct rtattr *iptuninfo[IFLA_IPTUN_MAX + 1];
+@@ -101,6 +101,7 @@ static int ip6tunnel_parse_opt(struct link_util *lu, int argc, char **argv,
+ get_failed:
+ 			fprintf(stderr,
+ 				"Failed to get existing tunnel info.\n");
++			free(answer);
+ 			return -1;
+ 		}
+ 
+diff --git a/ip/link_iptnl.c b/ip/link_iptnl.c
+index 1315aebe9..879202f71 100644
+--- a/ip/link_iptnl.c
++++ b/ip/link_iptnl.c
+@@ -73,7 +73,7 @@ static int iptunnel_parse_opt(struct link_util *lu, int argc, char **argv,
+ 		.i.ifi_family = preferred_family,
+ 		.i.ifi_index = ifi->ifi_index,
+ 	};
+-	struct nlmsghdr *answer;
++	struct nlmsghdr *answer = NULL;
+ 	struct rtattr *tb[IFLA_MAX + 1];
+ 	struct rtattr *linkinfo[IFLA_INFO_MAX+1];
+ 	struct rtattr *iptuninfo[IFLA_IPTUN_MAX + 1];
+@@ -105,6 +105,7 @@ static int iptunnel_parse_opt(struct link_util *lu, int argc, char **argv,
+ get_failed:
+ 			fprintf(stderr,
+ 				"Failed to get existing tunnel info.\n");
++			free(answer);
+ 			return -1;
+ 		}
+ 
+diff --git a/ip/link_vti.c b/ip/link_vti.c
+index 509432543..7a95dc02d 100644
+--- a/ip/link_vti.c
++++ b/ip/link_vti.c
+@@ -48,7 +48,7 @@ static int vti_parse_opt(struct link_util *lu, int argc, char **argv,
+ 		.i.ifi_family = preferred_family,
+ 		.i.ifi_index = ifi->ifi_index,
+ 	};
+-	struct nlmsghdr *answer;
++	struct nlmsghdr *answer = NULL;
+ 	struct rtattr *tb[IFLA_MAX + 1];
+ 	struct rtattr *linkinfo[IFLA_INFO_MAX+1];
+ 	struct rtattr *vtiinfo[IFLA_VTI_MAX + 1];
+@@ -69,6 +69,7 @@ static int vti_parse_opt(struct link_util *lu, int argc, char **argv,
+ get_failed:
+ 			fprintf(stderr,
+ 				"Failed to get existing tunnel info.\n");
++			free(answer);
+ 			return -1;
+ 		}
+ 
+diff --git a/ip/link_vti6.c b/ip/link_vti6.c
+index 5764221eb..aaf701d33 100644
+--- a/ip/link_vti6.c
++++ b/ip/link_vti6.c
+@@ -50,7 +50,7 @@ static int vti6_parse_opt(struct link_util *lu, int argc, char **argv,
+ 		.i.ifi_family = preferred_family,
+ 		.i.ifi_index = ifi->ifi_index,
+ 	};
+-	struct nlmsghdr *answer;
++	struct nlmsghdr *answer = NULL;
+ 	struct rtattr *tb[IFLA_MAX + 1];
+ 	struct rtattr *linkinfo[IFLA_INFO_MAX+1];
+ 	struct rtattr *vtiinfo[IFLA_VTI_MAX + 1];
+@@ -71,6 +71,7 @@ static int vti6_parse_opt(struct link_util *lu, int argc, char **argv,
+ get_failed:
+ 			fprintf(stderr,
+ 				"Failed to get existing tunnel info.\n");
++			free(answer);
+ 			return -1;
+ 		}
+ 

backport-libnetlink-validate-nlmsg-header-length-first.patch

@@ -0,0 +1,39 @@
+From 78eebdbc7d2f96b01a18d7db33c1c99266efc4bc Mon Sep 17 00:00:00 2001
+From: Max Kunzelmann <maxdev@posteo.de>
+Date: Tue, 7 Nov 2023 01:20:55 +0000
+Subject: [PATCH] libnetlink: validate nlmsg header length first
+
+Validate the nlmsg header length before accessing the nlmsg payload
+length.
+
+Fixes: 892a25e286fb ("libnetlink: break up dump function")
+
+Signed-off-by: Max Kunzelmann <maxdev@posteo.de>
+Reviewed-by: Benny Baumann <BenBE@geshi.org>
+Reviewed-by: Robert Geislinger <github@crpykng.de>
+Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
+---
+ lib/libnetlink.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/lib/libnetlink.c b/lib/libnetlink.c
+index 7edcd2856..016482294 100644
+--- a/lib/libnetlink.c
++++ b/lib/libnetlink.c
+@@ -727,13 +727,15 @@ int rtnl_dump_request_n(struct rtnl_handle *rth, struct nlmsghdr *n)
+ static int rtnl_dump_done(struct nlmsghdr *h,
+ 			  const struct rtnl_dump_filter_arg *a)
+ {
+-	int len = *(int *)NLMSG_DATA(h);
++	int len;
+ 
+ 	if (h->nlmsg_len < NLMSG_LENGTH(sizeof(int))) {
+ 		fprintf(stderr, "DONE truncated\n");
+ 		return -1;
+ 	}
+ 
++	len = *(int *)NLMSG_DATA(h);
++
+ 	if (len < 0) {
+ 		errno = -len;
+ 

backport-lnstat-Fix-deref-of-null-in-print_json-function.patch

@@ -0,0 +1,32 @@
+From a193733b7a7ef1e65e1b88045c32f96ed16caeb9 Mon Sep 17 00:00:00 2001
+From: Maks Mishin <maks.mishinfz@gmail.com>
+Date: Sat, 6 Jan 2024 22:04:23 +0300
+Subject: [PATCH] lnstat: Fix deref of null in print_json() function
+
+Now pointer `jw` is being checked for NULL before using
+in function `jsonw_start_object`.
+Added exit from function when `jw==NULL`.
+
+Found by RASU JSC
+
+Signed-off-by: Maks Mishin <maks.mishinFZ@gmail.com>
+Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
+---
+ misc/lnstat.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/misc/lnstat.c b/misc/lnstat.c
+index c3f2999cc..f802a0f35 100644
+--- a/misc/lnstat.c
++++ b/misc/lnstat.c
+@@ -112,6 +112,10 @@ static void print_json(FILE *of, const struct lnstat_file *lnstat_files,
+ 	json_writer_t *jw = jsonw_new(of);
+ 	int i;
+ 
++	if (jw == NULL) {
++		fprintf(stderr, "Failed to create JSON writer\n");
++		exit(1);
++	}
+ 	jsonw_start_object(jw);
+ 	for (i = 0; i < fp->num; i++) {
+ 		const struct lnstat_field *lf = fp->params[i].lf;

backport-mnl_utils-sanitize-incoming-netlink-payload-size-in-callbacks.patch

@@ -0,0 +1,47 @@
+From 1a68525f4613b4e02e83d4b8004f22ac7ecbfedf Mon Sep 17 00:00:00 2001
+From: Jiri Pirko <jiri@nvidia.com>
+Date: Thu, 7 Dec 2023 13:53:51 +0100
+Subject: [PATCH] mnl_utils: sanitize incoming netlink payload size in
+ callbacks
+
+Don't trust the kernel to send payload of certain size. Sanitize that by
+checking the payload length in mnlu_cb_stop() and mnlu_cb_error() and
+only access the payload if it is of required size.
+
+Note that for mnlu_cb_stop(), this is happening already for example
+with devlink resource. Kernel sends NLMSG_DONE with zero size payload.
+
+Fixes: 049c58539f5d ("devlink: mnlg: Add support for extended ack")
+Fixes: c934da8aaacb ("devlink: mnlg: Catch returned error value of dumpit commands")
+Signed-off-by: Jiri Pirko <jiri@nvidia.com>
+Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
+---
+ lib/mnl_utils.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/lib/mnl_utils.c b/lib/mnl_utils.c
+index 1c7822282..af5aa4f9e 100644
+--- a/lib/mnl_utils.c
++++ b/lib/mnl_utils.c
+@@ -61,6 +61,8 @@ static int mnlu_cb_error(const struct nlmsghdr *nlh, void *data)
+ {
+ 	const struct nlmsgerr *err = mnl_nlmsg_get_payload(nlh);
+ 
++	if (mnl_nlmsg_get_payload_len(nlh) < sizeof(*err))
++		return MNL_CB_STOP;
+ 	/* Netlink subsystems returns the errno value with different signess */
+ 	if (err->error < 0)
+ 		errno = -err->error;
+@@ -75,8 +77,11 @@ static int mnlu_cb_error(const struct nlmsghdr *nlh, void *data)
+ 
+ static int mnlu_cb_stop(const struct nlmsghdr *nlh, void *data)
+ {
+-	int len = *(int *)NLMSG_DATA(nlh);
++	int len;
+ 
++	if (mnl_nlmsg_get_payload_len(nlh) < sizeof(len))
++		return MNL_CB_STOP;
++	len = *(int *)mnl_nlmsg_get_payload(nlh);
+ 	if (len < 0) {
+ 		errno = -len;
+ 		nl_dump_ext_ack_done(nlh, len);

backport-tc-remove-tcindex-classifier.patch

@@ -0,0 +1,336 @@
+From bc0c1661eb229b77a65f8c5f305fd6fa56e9667f Mon Sep 17 00:00:00 2001
+From: Stephen Hemminger <stephen@networkplumber.org>
+Date: Mon, 30 Oct 2023 11:26:33 -0700
+Subject: [PATCH] tc: remove tcindex classifier
+
+Support for tcindex classifier was removed by upstream commit
+8c710f75256b (net/sched: Retire tcindex classifier, 2023-02-14)
+
+Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
+---
+ bash-completion/tc    |   7 +-
+ man/man8/tc-tcindex.8 |  58 -------------
+ man/man8/tc.8         |   7 +-
+ tc/Makefile           |   1 -
+ tc/f_tcindex.c        | 185 ------------------------------------------
+ 5 files changed, 2 insertions(+), 256 deletions(-)
+ delete mode 100644 man/man8/tc-tcindex.8
+ delete mode 100644 tc/f_tcindex.c
+
+diff --git a/bash-completion/tc b/bash-completion/tc
+index 6af3b7998..db5558ab6 100644
+--- a/bash-completion/tc
++++ b/bash-completion/tc
+@@ -5,7 +5,7 @@
+ QDISC_KIND=' choke codel bfifo pfifo pfifo_head_drop fq fq_codel gred hhf \
+             mqprio multiq netem pfifo_fast pie fq_pie red rr sfb sfq tbf atm \
+             cbq drr dsmark hfsc htb prio qfq '
+-FILTER_KIND=' basic bpf cgroup flow flower fw route rsvp tcindex u32 matchall '
++FILTER_KIND=' basic bpf cgroup flow flower fw route rsvp u32 matchall '
+ ACTION_KIND=' gact mirred bpf sample '
+ 
+ # Takes a list of words in argument; each one of them is added to COMPREPLY if
+@@ -487,11 +487,6 @@ _tc_filter_options()
+                     COMPREPLY+=( $( compgen -W 'at' -- "$cur" ) )
+             return 0
+             ;;
+-        tcindex)
+-            _tc_once_attr 'hash mask shift classid action'
+-            _tc_one_of_list 'pass_on fall_through'
+-            return 0
+-            ;;
+         u32)
+             _tc_once_attr 'match link classid action offset ht hashkey sample'
+             COMPREPLY+=( $( compgen -W 'ip ip6 udp tcp icmp u8 u16 u32 mark \
+diff --git a/man/man8/tc-tcindex.8 b/man/man8/tc-tcindex.8
+deleted file mode 100644
+index ccf2c5e81..000000000
+--- a/man/man8/tc-tcindex.8
++++ /dev/null
+@@ -1,58 +0,0 @@
+-.TH "Traffic control index filter" 8 "21 Oct 2015" "iproute2" "Linux"
+-
+-.SH NAME
+-tcindex \- traffic control index filter
+-.SH SYNOPSIS
+-.in +8
+-.ti -8
+-.BR tc " " filter " ... " tcindex " [ " hash
+-.IR SIZE " ] [ "
+-.B mask
+-.IR MASK " ] [ "
+-.B shift
+-.IR SHIFT " ] [ "
+-.BR pass_on " | " fall_through " ] [ " classid
+-.IR CLASSID " ] [ "
+-.B action
+-.BR ACTION_SPEC " ]"
+-.SH DESCRIPTION
+-This filter allows to match packets based on their
+-.B tcindex
+-field value, i.e. the combination of the DSCP and ECN fields as present in IPv4
+-and IPv6 headers.
+-.SH OPTIONS
+-.TP
+-.BI action " ACTION_SPEC"
+-Apply an action from the generic actions framework on matching packets.
+-.TP
+-.BI classid " CLASSID"
+-Push matching packets into the class identified by
+-.IR CLASSID .
+-.TP
+-.BI hash " SIZE"
+-Hash table size in entries to use. Defaults to 64.
+-.TP
+-.BI mask " MASK"
+-An optional bitmask to binary
+-.BR AND " to the packet's " tcindex
+-field before use.
+-.TP
+-.BI shift " SHIFT"
+-The number of bits to right-shift a packet's
+-.B tcindex
+-value before use. If a
+-.B mask
+-has been set, masking is done before shifting.
+-.TP
+-.B pass_on
+-If this flag is set, failure to find a class for the resulting ID will make the
+-filter fail and lead to the next filter being consulted.
+-.TP
+-.B fall_through
+-This is the opposite of
+-.B pass_on
+-and the default. The filter will classify the packet even if there is no class
+-present for the resulting class ID.
+-
+-.SH SEE ALSO
+-.BR tc (8)
+diff --git a/man/man8/tc.8 b/man/man8/tc.8
+index 59cc7b17d..ae6de397f 100644
+--- a/man/man8/tc.8
++++ b/man/man8/tc.8
+@@ -244,10 +244,6 @@ for details.
+ rsvp
+ Match Resource Reservation Protocol (RSVP) packets.
+ .TP
+-tcindex
+-Filter packets based on traffic control index. See
+-.BR tc-tcindex (8).
+-.TP
+ u32
+ Generic filtering on arbitrary packet data, assisted by syntax to abstract common operations. See
+ .BR tc-u32 (8)
+@@ -906,8 +902,7 @@ was written by Alexey N. Kuznetsov and added in Linux 2.2.
+ .BR tc-sfq (8),
+ .BR tc-stab (8),
+ .BR tc-tbf (8),
+-.BR tc-tcindex (8),
+-.BR tc-u32 (8),
++.BR tc-u32 (8)
+ .br
+ .RB "User documentation at " http://lartc.org/ ", but please direct bugreports and patches to: " <netdev@vger.kernel.org>
+ 
+diff --git a/tc/Makefile b/tc/Makefile
+index 82e611257..ab6ad2f5d 100644
+--- a/tc/Makefile
++++ b/tc/Makefile
+@@ -31,7 +31,6 @@ TCMODULES += f_cgroup.o
+ TCMODULES += f_flower.o
+ TCMODULES += q_dsmark.o
+ TCMODULES += q_gred.o
+-TCMODULES += f_tcindex.o
+ TCMODULES += q_ingress.o
+ TCMODULES += q_hfsc.o
+ TCMODULES += q_htb.o
+diff --git a/tc/f_tcindex.c b/tc/f_tcindex.c
+deleted file mode 100644
+index ae4cbf118..000000000
+--- a/tc/f_tcindex.c
++++ /dev/null
+@@ -1,185 +0,0 @@
+-/* SPDX-License-Identifier: GPL-2.0 */
+-/*
+- * f_tcindex.c		Traffic control index filter
+- *
+- * Written 1998,1999 by Werner Almesberger
+- */
+-
+-#include <stdio.h>
+-#include <stdlib.h>
+-#include <unistd.h>
+-#include <fcntl.h>
+-#include <string.h>
+-#include <netinet/in.h>
+-
+-#include "utils.h"
+-#include "tc_util.h"
+-
+-static void explain(void)
+-{
+-	fprintf(stderr,
+-		" Usage: ... tcindex	[ hash SIZE ] [ mask MASK ] [ shift SHIFT ]\n"
+-		"			[ pass_on | fall_through ]\n"
+-		"			[ classid CLASSID ] [ action ACTION_SPEC ]\n");
+-}
+-
+-static int tcindex_parse_opt(struct filter_util *qu, char *handle, int argc,
+-			     char **argv, struct nlmsghdr *n)
+-{
+-	struct tcmsg *t = NLMSG_DATA(n);
+-	struct rtattr *tail;
+-	char *end;
+-
+-	if (handle) {
+-		t->tcm_handle = strtoul(handle, &end, 0);
+-		if (*end) {
+-			fprintf(stderr, "Illegal filter ID\n");
+-			return -1;
+-		}
+-	}
+-	if (!argc) return 0;
+-	tail = addattr_nest(n, 4096, TCA_OPTIONS);
+-	while (argc) {
+-		if (!strcmp(*argv, "hash")) {
+-			int hash;
+-
+-			NEXT_ARG();
+-			hash = strtoul(*argv, &end, 0);
+-			if (*end || !hash || hash > 0x10000) {
+-				explain();
+-				return -1;
+-			}
+-			addattr_l(n, 4096, TCA_TCINDEX_HASH, &hash,
+-				  sizeof(hash));
+-		} else if (!strcmp(*argv,"mask")) {
+-			__u16 mask;
+-
+-			NEXT_ARG();
+-			mask = strtoul(*argv, &end, 0);
+-			if (*end) {
+-				explain();
+-				return -1;
+-			}
+-			addattr_l(n, 4096, TCA_TCINDEX_MASK, &mask,
+-				  sizeof(mask));
+-		} else if (!strcmp(*argv,"shift")) {
+-			int shift;
+-
+-			NEXT_ARG();
+-			shift = strtoul(*argv, &end, 0);
+-			if (*end) {
+-				explain();
+-				return -1;
+-			}
+-			addattr_l(n, 4096, TCA_TCINDEX_SHIFT, &shift,
+-			    sizeof(shift));
+-		} else if (!strcmp(*argv,"fall_through")) {
+-			int value = 1;
+-
+-			addattr_l(n, 4096, TCA_TCINDEX_FALL_THROUGH, &value,
+-			    sizeof(value));
+-		} else if (!strcmp(*argv,"pass_on")) {
+-			int value = 0;
+-
+-			addattr_l(n, 4096, TCA_TCINDEX_FALL_THROUGH, &value,
+-			    sizeof(value));
+-		} else if (!strcmp(*argv,"classid")) {
+-			__u32 handle;
+-
+-			NEXT_ARG();
+-			if (get_tc_classid(&handle, *argv)) {
+-				fprintf(stderr, "Illegal \"classid\"\n");
+-				return -1;
+-			}
+-			addattr_l(n, 4096, TCA_TCINDEX_CLASSID, &handle, 4);
+-		} else if (!strcmp(*argv,"police")) {
+-			NEXT_ARG();
+-			if (parse_police(&argc, &argv, TCA_TCINDEX_POLICE, n)) {
+-				fprintf(stderr, "Illegal \"police\"\n");
+-				return -1;
+-			}
+-			continue;
+-		} else if (!strcmp(*argv,"action")) {
+-			NEXT_ARG();
+-			if (parse_action(&argc, &argv, TCA_TCINDEX_ACT, n)) {
+-				fprintf(stderr, "Illegal \"action\"\n");
+-				return -1;
+-			}
+-			continue;
+-		} else {
+-			explain();
+-			return -1;
+-		}
+-		argc--;
+-		argv++;
+-	}
+-	addattr_nest_end(n, tail);
+-	return 0;
+-}
+-
+-
+-static int tcindex_print_opt(struct filter_util *qu, FILE *f,
+-			     struct rtattr *opt, __u32 handle)
+-{
+-	struct rtattr *tb[TCA_TCINDEX_MAX+1];
+-
+-	if (opt == NULL)
+-		return 0;
+-
+-	parse_rtattr_nested(tb, TCA_TCINDEX_MAX, opt);
+-
+-	if (handle != ~0) fprintf(f, "handle 0x%04x ", handle);
+-	if (tb[TCA_TCINDEX_HASH]) {
+-		__u16 hash;
+-
+-		if (RTA_PAYLOAD(tb[TCA_TCINDEX_HASH]) < sizeof(hash))
+-			return -1;
+-		hash = rta_getattr_u16(tb[TCA_TCINDEX_HASH]);
+-		fprintf(f, "hash %d ", hash);
+-	}
+-	if (tb[TCA_TCINDEX_MASK]) {
+-		__u16 mask;
+-
+-		if (RTA_PAYLOAD(tb[TCA_TCINDEX_MASK]) < sizeof(mask))
+-			return -1;
+-		mask = rta_getattr_u16(tb[TCA_TCINDEX_MASK]);
+-		fprintf(f, "mask 0x%04x ", mask);
+-	}
+-	if (tb[TCA_TCINDEX_SHIFT]) {
+-		int shift;
+-
+-		if (RTA_PAYLOAD(tb[TCA_TCINDEX_SHIFT]) < sizeof(shift))
+-			return -1;
+-		shift = rta_getattr_u32(tb[TCA_TCINDEX_SHIFT]);
+-		fprintf(f, "shift %d ", shift);
+-	}
+-	if (tb[TCA_TCINDEX_FALL_THROUGH]) {
+-		int fall_through;
+-
+-		if (RTA_PAYLOAD(tb[TCA_TCINDEX_FALL_THROUGH]) <
+-		    sizeof(fall_through))
+-			return -1;
+-		fall_through = rta_getattr_u32(tb[TCA_TCINDEX_FALL_THROUGH]);
+-		fprintf(f, fall_through ? "fall_through " : "pass_on ");
+-	}
+-	if (tb[TCA_TCINDEX_CLASSID]) {
+-		SPRINT_BUF(b1);
+-		fprintf(f, "classid %s ", sprint_tc_classid(*(__u32 *)
+-		    RTA_DATA(tb[TCA_TCINDEX_CLASSID]), b1));
+-	}
+-	if (tb[TCA_TCINDEX_POLICE]) {
+-		fprintf(f, "\n");
+-		tc_print_police(f, tb[TCA_TCINDEX_POLICE]);
+-	}
+-	if (tb[TCA_TCINDEX_ACT]) {
+-		fprintf(f, "\n");
+-		tc_print_action(f, tb[TCA_TCINDEX_ACT], 0);
+-	}
+-	return 0;
+-}
+-
+-struct filter_util tcindex_filter_util = {
+-	.id = "tcindex",
+-	.parse_fopt = tcindex_parse_opt,
+-	.print_fopt = tcindex_print_opt,
+-};

iproute.spec

@@ -2,7 +2,7 @@
 Name:		iproute
 Version:	5.15.0
 Epoch:      1
-Release:	18
+Release:	19
 Summary:	Linux network configuration utilities
 License:	GPLv2+ and Public Domain
 URL:		https://kernel.org/pub/linux/utils/net/iproute2/
@@ -59,6 +59,15 @@ Patch6042:      backport-ss-Fix-socket-type-check-in-packet_show_line.patch
 Patch6043:      backport-ss-print-unix-socket-ports-as-unsigned-int-inode.patch
 Patch6044:      backport-utils-fix-get_integer-logic.patch
 
+patch6045:      backport-lnstat-Fix-deref-of-null-in-print_json-function.patch
+patch6046:      backport-iproute2-prevent-memory-leak.patch
+patch6047:      backport-libnetlink-validate-nlmsg-header-length-first.patch
+patch6048:      backport-tc-remove-tcindex-classifier.patch
+patch6049:      backport-ip-fix-memory-leak-in-ip-maddr-show.patch
+patch6050:      backport-ila-fix-potential-snprintf-buffer-overflow.patch
+patch6051:      backport-bridge-fix-potential-snprintf-overflow.patch
+patch6052:      backport-mnl_utils-sanitize-incoming-netlink-payload-size-in-callbacks.patch
+
 Patch9000:      feature-iproute-add-support-for-ipvlan-l2e-mode.patch
 Patch9001:      bugfix-iproute2-cancel-some-test-cases.patch
 Patch9002:      feature-iproute2-supports-to-parse-UB-device-and-related-display-of-vf-address.patch
@@ -138,6 +147,19 @@ install -m 0644 lib/libnetlink.a %{buildroot}%{_libdir}/libnetlink.a
 %{_mandir}/*
 
 %changelog
+* Tue Apr 16 2024 liweigang <liweiganga@uniontech.com> - 1:5.15.0-19
+- Type: bugfix
+- ID: NA
+- SUG: NA
+- DESC: lnstat: Fix deref of null in print_json() function
+        iproute2: prevent memory leak
+        libnetlink: validate nlmsg header length first
+        tc: remove tcindex classifier
+        ip: fix memory leak in 'ip maddr show'
+        ila: fix potential snprintf buffer overflow
+        bridge: fix potential snprintf overflow
+        mnl_utils: sanitize incoming netlink payload size in callbacks
+
 * Fri Jan 12 2024 liubo <liubo335@huawei.com> - 1:5.15.0-18
 - Type:bugfix
 - ID:NA