Backport patch from hostapd.git master that fixes copy/paste error in
crypto_bignum_sub() in crypto_wolfssl.c.
This missing fix was discovered while testing SAE over a mesh interface.
With this fix applied and wolfssl >3.14.4 mesh+SAE works fine with
wpad-mesh-wolfssl.
Cc: Sean Parkinson <sean@wolfssl.com>
Signed-off-by: Antonio Quartulli <a@unstable.cc>
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
(cherry picked from commit 4b3b8ec81c)
Without this change, wpa-cli features depend on which wpad build variant was
used to build the wpa-cli package
Signed-off-by: Felix Fietkau <nbd@nbd.name>
Tested-by: Jérôme Benoit <jerome.benoit@piment-noir.org> [WRT1900AC v1]
[added missing package version bump]
Signed-off-by: Petr Štetiar <ynezz@true.cz>
(cherry picked from commit 03e9e4ba9e)
Another release is overdue for quite some time, so I'm backporting three
fixes from upstream which I plan to backport into 19.07 as well.
Ref: FS#2880
Signed-off-by: Petr Štetiar <ynezz@true.cz>
(cherry picked from commit 76a0ddf130)
On Windows, refuse paths that start with \\ ... as that might cause an
unexpected SMB connection to a given host name.
Ref: PR#2730
Ref: https://curl.haxx.se/docs/CVE-2019-15601.html
Suggested-by: Jerome Benoit <jerome.benoit@sap.com>
Signed-off-by: Petr Štetiar <ynezz@true.cz>
Before 2019.01 version was introduced patch, which changes cache
routines: 93b283d4 ("ARM: CPU: arm926ejs: Consolidate cache
routines to common file"). Unfortunately that patch make ethernet
and usb in kirkwood broken.
This patch backport commit 599f7aa5 ("ARM: kirkwood: disable dcache
for Kirkwood boards"), which are fix for that problem.
Fixes: dc08514e6d ("uboot-kirkwood: update to 2019.01")
Run tested: pogoplugv4
Tested-by: Cezary Jackiewicz <cezary@eko.one.pl> [nsa310]
Signed-off-by: Pawel Dembicki <paweldembicki@gmail.com>
f4d759b dhcp.c: further improve validation
Further improve input validation for CVE-2020-11752
Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
(cherry picked from commit 9e7d11f3e2)
cdac046 dns.c: fix input validation fix
Due to a slight foobar typo, failing to de-reference a pointer, previous
fix not quite as complete as it should have been.
Improve CVE-2020-11750 fix
Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
(cherry picked from commit 9f7c8ed078)
Fix the test for an enabled sysntp initscript in dnsmasq.init, and get
rid of "test -o" while at it.
Issue reproduced on openwrt-19.07 with the help of pool.ntp.br and an
RTC-less ath79 router. dnssec-no-timecheck would be clearly missing
from /var/etc/dnsmasq.conf.* while the router was still a few days in
the past due to non-working DNSSEC + DNS-based NTP server config.
The fix was tested with the router in the "DNSSEC broken state": it
properly started dnsmasq in dnssec-no-timecheck mode, and eventually ntp
was able to resolve the server name to an IP address, and set the system
time. DNSSEC was then enabled by SIGINT through the ntp hotplug hook,
as expected.
A missing system.ntp.enabled UCI node is required for the bug to show
up. The reasons for why it would be missing in the first place were not
investigated.
Signed-off-by: Henrique de Moraes Holschuh <henrique@nic.br>
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com> [PKG_RELEASE increase]
(cherry picked from commit 556b8581a1)
Building libpcap with high number (64) of simultaneous jobs fails:
In file included from ./fmtutils.c:42:0:
./ftmacros.h:106:0: warning: "_BSD_SOURCE" redefined
#define _BSD_SOURCE
<command-line>:0:0: note: this is the location of the previous definition
./gencode.c:67:10: fatal error: grammar.h: No such file or directory
#include "grammar.h"
^~~~~~~~~~~
compilation terminated.
Makefile:99: recipe for target 'gencode_pic.o' failed
So fix this by less intrusive way by disabling the parallel builds for
this package.
Ref: FS#3010
Signed-off-by: Petr Štetiar <ynezz@true.cz>
Fixes NULL dereference in SSL_check_chain() for TLS 1.3, marked with
high severity, assigned CVE-2020-1967.
Ref: https://www.openssl.org/news/secadv/20200421.txt
Signed-off-by: Petr Štetiar <ynezz@true.cz>
(cherry picked from commit 3773ae127a)
ab7a39a umdns: fix unused error
45c4953 dns: explicitly endian-convert all fields in header and question
Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
(cherry picked from commit 22ae8bd50e)
(cherry picked from commit 17c4593e63f5847868f2c38185275199d37d379a)
gcc 8 & 9 appear to be more picky with regards access alignment to
packed structures, leading to this warning in dns.c:
dns.c:261:2: error: converting a packed ‘struct dns_question’ pointer
(alignment 1) to a ‘uint16_t’ {aka ‘short unsigned int’} pointer
(alignment 2) may result in an unaligned pointer value
[-Werror=address-of-packed-member]
261 | uint16_t *swap = (uint16_t *) q;
Work around what I think is a false positive by turning the warning off.
Not ideal, but not quite as not ideal as build failure.
Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
(cherry picked from commit 02640f0147)
(cherry picked from commit a10b6ec1c8cd6d14a3b76a2ec3d81442b85f7321)
Don't move strings anymore to /bin/strings to avoid clash with
busybox /usr/bin/strings but move it to /usr/bin/binutils-strings.
Use ALTERNATIVES support to install it as /usr/bin/strings
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
(cherry picked from commit 5f126c541a)
Security fixes for:
* CVE-2020-10932
* a potentially remotely exploitable buffer overread in a DTLS client
* bug in DTLS handling of new associations with the same parameters
Full release announement:
https://tls.mbed.org/tech-updates/releases/mbedtls-2.16.6-and-2.7.15-released
Signed-off-by: Magnus Kroken <mkroken@gmail.com>
(cherry picked from commit 02fcbe2f3d)
It's needed for optimized sysupgrade. On host machine this change
increased busybox size by 4096 B.
Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
(cherry picked from commit 547f1ec25a)
There were two changes between 1.1.1e and 1.1.1f:
- a change in BN prime generation to avoid possible fingerprinting of
newly generated RSA modules
- the patch reversing EOF detection we had already applied.
Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
(cherry picked from commit af5ccfbac7)
This updates the shared-lib patch to the recent version from debian
found here:
https://salsa.debian.org/rfrancoise/libpcap/-/blob/debian/1.9.1-2/debian/patches/shared-lib.diff
This patch makes it include missing/strlcpy.o to the shared library
which is needed for OpenWrt glibc builds, otherwise there is an
undefined symbol and tcpdump and other builds are failing.
Fixes: 44f11353de ("libpcap: update to 1.9.1")
Signed-off-by: Hauke Mehrtens <hauke.mehrtens@intel.com>
Commit 432ec292cc ("rpcd: add respawn param") has introduced infinite
restarting of the service which could be reached over network. This is
not recommended security practice as it might give potential adversary
infinite number of tries in case there might be some issue in the rpcd
or its surrounding stack.
So lets remove the currently bogus `respawn_retry` variable (it wasn't
possible to override it anyway), reverting to the previous default max.
of 5 service restarts which could be now overriden via system's UCI
settings if desired.
Cc: Jo-Philip Wich <jow@mein.io>
Cc: Florian Eckert <fe@dev.tdt.de>
Cc: Hauke Mehrtens <hauke@hauke-m.de>
Fixes: 432ec292cc ("rpcd: add respawn param")
Signed-off-by: Petr Štetiar <ynezz@true.cz>
(cherry picked from commit 52e6fb1369)
We must ensure that host ncurses is build before host readline.
Signed-off-by: Jan Kardell <jan.kardell@telliq.com>
(cherry picked from commit ecef29b294)
This adds patches to avoid possible application breakage caused by a
change in behavior introduced in 1.1.1e. It affects at least nginx,
which logs error messages such as:
nginx[16652]: [crit] 16675#0: *358 SSL_read() failed (SSL: error:
4095126:SSL routines:ssl3_read_n:unexpected eof while reading) while
keepalive, client: xxxx, server: [::]:443
Openssl commits db943f4 (Detect EOF while reading in libssl), and
22623e0 (Teach more BIOs how to handle BIO_CTRL_EOF) changed the
behavior when encountering an EOF in SSL_read(). Previous behavior was
to return SSL_ERROR_SYSCALL, but errno would still be 0. The commits
being reverted changed it to SSL_ERRO_SSL, and add an error to the
stack, which is correct. Unfortunately this affects a number of
applications that counted on the old behavior, including nginx.
The reversion was discussed in openssl/openssl#11378, and implemented as
PR openssl/openssl#11400.
Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
(cherry picked from commit 2e8a4db9b6)
Since commit 557f11b3a20f ("instance: provide error feedback if ujail
binary is missing") worrying log spam of the form "unable to find
/sbin/jail ..." may be encountered.
This corresponds with the changes done in the upstream commit
bcb86554f1b4 ("instance: add 'requirejail' attribute").
Ref: https://forum.openwrt.org/t/openwrt-19-07-2-service-release/57066
Signed-off-by: Petr Štetiar <ynezz@true.cz>
Add option 'scriptarp' to uci dnsmasq config to enable --script-arp functions.
The default setting is false, meaning any scripts in `/etc/hotplug.d/neigh` intended
to be triggered by `/usr/lib/dnsmasq/dhcp-script.sh` will fail to execute.
Also enable --script-arp if has_handlers returns true.
Signed-off-by: Jordan Sokolic <oofnik@gmail.com>
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com> [PKG_RELEASE increase]
This version includes bug and security fixes, including medium-severity
CVE-2019-1551, affecting RSA1024, RSA1536, DSA1024 & DH512 on x86_64.
Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
(cherry picked from commit dcef8d6093)
This adds commented configuration help for the alternate, afalg-sync
engine to /etc/ssl/openssl.cnf.
Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
(cherry picked from commit d9d689589b)
This adds the direct dependencies introduced by TARGET_LDFLAGS
to the package's DEPENDS variable.
This was found by accidentally building rssileds on octeon, which
resulted in:
"Package rssileds is missing dependencies for the following libraries:
libnl-tiny.so"
Though the dependencies are provided when building for the
relevant targets ar71xx, ath79 and ramips, it seems more tidy to
specify them explicitly.
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
(cherry picked from commit a5b2c6f5ed)
8682e0d0b49c mt76: speed up usb bulk copy
884c25e7caca mt76: usb: use max packet length for m76u_copy
1ad98b95cf4a mt76: mt76u: rely only on data buffer for usb control messagges
3d491603caff mt76: fix array overflow on receiving too many fragments for a packet
9792a62e7f30 mt76: set dma-done flag for flushed descriptors
53233cdf9486 mt76: fix handling full tx queues in mt76_dma_tx_queue_skb_raw
a4ae9219e6c7 mt76: dma: do not write cpu_idx on rx queue reset until after refill
1198fa57d185 mt76: mt7603: increase dma mcu rx ring size
91cd5be6ee37 mt76: avoid extra RCU synchronization on station removal
7d7fb26bb78a mt76: mt76x2: avoid starting the MAC too early
aac609809de1 mt76: fix LED link time failure
18627db2e633 mt76: mt76x0u: add support to TP-Link T2UHP
5ecfdb1a6e0a mt76: mt76x02: fix handling MCU timeouts during hw restart
f7e9be89db59 mt76: mt7603: add upper limit for dynamic sensitivity minimum receive power
23b834485070 mt76: mt7603: enable dynamic sensitivity adjustment by default
08054d5ab135 mt76: mt76x02: reset MCU timeout counter earlier in watchdog reset
Signed-off-by: Felix Fietkau <nbd@nbd.name>
The rpcd service is an important service, but if the service stops
working for any reason, no one will ever respawn that service. With this
commit, the procd service will monitor if the rpcd service
is running. If the rpcd service has crashed, then
procd respawns the rpcd service.
Signed-off-by: Florian Eckert <fe@dev.tdt.de>
(cherry picked from commit 432ec292cc)
This reverts commit 6b7eeb74db since it
didn't contain a reference to the CVE it addresses. The next commit
will re-add the commit including a CVE reference in its commit message.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
8d45443bb5c9 pppd: Ignore received EAP messages when not doing EAP
8d7970b8f3db pppd: Fix bounds check in EAP code
858976b1fc31 radius: Prevent buffer overflow in rc_mksid()
Signed-off-by: Petr Štetiar <ynezz@true.cz>
(cherry picked from commit 215598fd03)
The $(space) definition in the hostapd Makefile ceased to work with
GNU Make 4.3 and later, leading to syntax errors in the generated
Kconfig files.
Drop the superfluous redefinition and reuse the working $(space)
declaration from rules.mk to fix this issue.
Fixes: GH#2713
Ref: https://github.com/openwrt/openwrt/pull/2713#issuecomment-583722469
Reported-by: Karel Kočí <cynerd@email.cz>
Suggested-by: Jonas Gorski <jonas.gorski@gmail.com>
Tested-by: Shaleen Jain <shaleen@jain.sh>
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
(cherry picked from commit 766e778226)
Add Netgear WNDR3700v2 to the list of supported boards.
Signed-off-by: Michal Cieslakiewicz <michal.cieslakiewicz@wp.pl>
[rebase, adjusted commit title]
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
(cherry picked from commit a09408fa57)
Call skb_orphan(skb) to call the owner's destructor function and make
the skb unowned.
This is necessary to prevent sk_wmem_alloc of a socket from overflowing,
which leads to ENOBUFS errors on application level.
Signed-off-by: Martin Schiller <ms@dev.tdt.de>
(cherry picked from commit 996f02e5ba)