backport some upstream patches

(cherry picked from commit a243b3aaead8589c2b1e7955d9efd91f158b4dc0)

backport-Fix-parsing-of-empty-string-arg-in-c-option.patch

@@ -0,0 +1,81 @@
+From a2911408959d7e86bc4bad4f1be2551a19ad125c Mon Sep 17 00:00:00 2001
+From: Phil Sutter <phil@nwl.cc>
+Date: Tue, 9 Apr 2024 13:18:12 +0200
+Subject: xshared: Fix parsing of empty string arg in '-c' option
+
+Calling iptables with '-c ""' resulted in a call to strchr() with an
+invalid pointer as 'optarg + 1' points to past the buffer. The most
+simple fix is to drop the offset: The global optstring part specifies a
+single colon after 'c', so getopt() enforces a valid pointer in optarg.
+If it contains a comma at first position, packet counter value parsing
+will fail so all cases are covered.
+
+Reported-by: gorbanev.es@gmail.com
+Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1741
+Fixes: 60a6073690a45 ("Make --set-counters (-c) accept comma separated counters")
+Signed-off-by: Phil Sutter <phil@nwl.cc>
+
+Conflict:iptables/xshared.c => iptables/ip6tables.c,iptables/iptables.c,iptables/xtables.c;Because the higher version has do_parse as a public function and resolves by calling do_parse
+Reference:https://git.netfilter.org/iptables/commit/?id=a2911408959d7e86bc4bad4f1be2551a19ad125c
+---
+ extensions/iptables.t | 5 +++++
+ iptables/ip6tables.c  | 2 +-
+ iptables/iptables.c   | 2 +-
+ iptables/xtables.c    | 2 +-
+ 4 files changed, 8 insertions(+), 3 deletions(-)
+
+diff --git a/extensions/iptables.t b/extensions/iptables.t
+index b4b6d67..5d6d3d1 100644
+--- a/extensions/iptables.t
++++ b/extensions/iptables.t
+@@ -4,3 +4,8 @@
+ -i eth+ -o alongifacename+;=;OK
+ ! -i eth0;=;OK
+ ! -o eth+;=;OK
++-c "";;FAIL
++-c ,3;;FAIL
++-c 3,;;FAIL
++-c ,;;FAIL
++-c 2,3 -j ACCEPT;-j ACCEPT;OK
+diff --git a/iptables/ip6tables.c b/iptables/ip6tables.c
+index 9ada9d7..c271442 100644
+--- a/iptables/ip6tables.c
++++ b/iptables/ip6tables.c
+@@ -1425,7 +1425,7 @@ int do_command6(int argc, char *argv[], char **table,
+ 			set_option(&cs.options, OPT_COUNTERS, &cs.fw6.ipv6.invflags,
+ 				   cs.invert);
+ 			pcnt = optarg;
+-			bcnt = strchr(pcnt + 1, ',');
++			bcnt = strchr(pcnt, ',');
+ 			if (bcnt)
+ 			    bcnt++;
+ 			if (!bcnt && xs_has_arg(argc, argv))
+diff --git a/iptables/iptables.c b/iptables/iptables.c
+index 4a3c7ef..9a61f8b 100644
+--- a/iptables/iptables.c
++++ b/iptables/iptables.c
+@@ -1416,7 +1416,7 @@ int do_command4(int argc, char *argv[], char **table,
+ 			set_option(&cs.options, OPT_COUNTERS, &cs.fw.ip.invflags,
+ 				   cs.invert);
+ 			pcnt = optarg;
+-			bcnt = strchr(pcnt + 1, ',');
++			bcnt = strchr(pcnt, ',');
+ 			if (bcnt)
+ 			    bcnt++;
+ 			if (!bcnt && xs_has_arg(argc, argv))
+diff --git a/iptables/xtables.c b/iptables/xtables.c
+index a16bba7..dd3410d 100644
+--- a/iptables/xtables.c
++++ b/iptables/xtables.c
+@@ -812,7 +812,7 @@ void do_parse(struct nft_handle *h, int argc, char *argv[],
+ 			set_option(&cs->options, OPT_COUNTERS, &args->invflags,
+ 				   cs->invert);
+ 			args->pcnt = optarg;
+-			args->bcnt = strchr(args->pcnt + 1, ',');
++			args->bcnt = strchr(args->pcnt, ',');
+ 			if (args->bcnt)
+ 			    args->bcnt++;
+ 			if (!args->bcnt && xs_has_arg(argc, argv))
+-- 
+2.33.0
+

backport-libxtables-Fix-memleak-of-matches-udata.patch

@@ -0,0 +1,37 @@
+From e7366db80740d34d2fe4ba8d12ef86a423e66280 Mon Sep 17 00:00:00 2001
+From: Phil Sutter <phil@nwl.cc>
+Date: Wed, 31 Jan 2024 14:58:17 +0100
+Subject: libxtables: Fix memleak of matches' udata
+
+If the extension specifies a non-zero udata_size, field 'udata' points
+to an allocated buffer which needs to be freed upon extension deinit.
+
+Interestingly, this bug was identified by ASAN and missed by valgrind.
+
+Fixes: 2dba676b68ef8 ("extensions: support for per-extension instance "global" variable space")
+Signed-off-by: Phil Sutter <phil@nwl.cc>
+
+Conflict:NA
+Reference:https://git.netfilter.org/iptables/commit/?id=e7366db80740d34d2fe4ba8d12ef86a423e66280
+---
+ libxtables/xtables.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/libxtables/xtables.c b/libxtables/xtables.c
+index b4339e8d..856bfae8 100644
+--- a/libxtables/xtables.c
++++ b/libxtables/xtables.c
+@@ -1420,6 +1420,10 @@ void xtables_rule_matches_free(struct xtables_rule_match **matches)
+ 			free(matchp->match->m);
+ 			matchp->match->m = NULL;
+ 		}
++		if (matchp->match->udata_size) {
++			free(matchp->match->udata);
++			matchp->match->udata = NULL;
++		}
+ 		if (matchp->match == matchp->match->next) {
+ 			free(matchp->match);
+ 			matchp->match = NULL;
+-- 
+cgit v1.2.3
+

iptables.spec

@@ -2,7 +2,7 @@
 %global legacy_actions %{_libexecdir}/initscripts/legacy-actions
 Name:		  iptables
 Version:	  1.8.7
-Release:	  16
+Release:	  17
 Summary:	  IP packet filter administration utilities
 License:	  GPL-2.0-only and Artistic-2.0
 URL:		  https://www.netfilter.org/
@@ -46,6 +46,8 @@ Patch28:      backport-Fix-for-non-CIDR-compatible-hostmasks.patch
 Patch29:      backport-Prevent-XTOPT_PUT-with-XTTYPE_HOSTMASK.patch
 Patch30:      backport-libiptc-Fix-for-segfault-when-renaming-a-chain.patch
 Patch31:      backport-libiptc-Fix-for-another-segfault-due-to-chain-index-NULL-pointer.patch
+Patch32:      backport-libxtables-Fix-memleak-of-matches-udata.patch
+Patch33:      backport-Fix-parsing-of-empty-string-arg-in-c-option.patch
 
 BuildRequires:    bison flex gcc kernel-headers libpcap-devel libselinux-devel systemd
 BuildRequires:    libmnl-devel libnetfilter_conntrack-devel libnfnetlink-devel libnftnl-devel
@@ -354,6 +356,13 @@ fi
 %{_mandir}/man8/xtables-legacy*
 
 %changelog
+* Tue Jun 25 2024 yanglu <yanglu72@h-partners.com> - 1.8.7-17
+- Type:bugfix
+- CVE:NA
+- SUG:NA
+- DESC:libxtables:Fix memleak of matches' udata
+       Fix parsing of empty string arg in '-c' option
+
 * Fri Jun 14 2024 xinghe <xinghe2@h-partners.com> - 1.8.7-16
 - Type:bugfix
 - CVE:NA