The current selection of DRIVER_MAKEOPTS and TARGET_LDFLAGS is
exceptionally hard to read. This tries to make things a little
easier by inverting the hierarchy of the conditions, so SSL_VARIANT
is checked first and LOCAL_VARIANT is checked second.
This exploits the fact that some of the previous conditions were
unnecessary, e.g. there is no hostapd-mesh*, so we don't need
to exclude this combination.
It also should make it a little easier to see which options are
actually switched by SSL_VARIANT and which by LOCAL_VARIANT.
The patch is supposed to be cosmetic. However, the improvement
for readers and the maintained consistency with master qualify
this for backporting.
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
(cherry picked from commit c4dd7fc23b)
For a few packages, the current TITLE is too long, so it is not
displayed at all when running make menuconfig. Despite, there is
no indication of OpenSSL vs. wolfSSL in the titles.
Thus, this patch adjusts titles to be generally shorter, and adds
the SSL variant to it.
While at it, make things easier by creating a shared definition for
eapol-test like it's done already for all the other flavors.
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
(cherry picked from commit 917980fd8a)
Affected versions: curl 7.62.0 to and including 7.70.0
https://curl.haxx.se/docs/CVE-2020-8169.html
Run tested on Omnia with OpenWrt 19.07
Signed-off-by: Jan Pavlinec <jan.pavlinec@nic.cz>
[added missing commit description]
Signed-off-by: Petr Štetiar <ynezz@true.cz>
Bumping package version has been overlooked in a previous commit.
While at it, use PKG_RELEASE instead of PKG_VERSION, as the latter
is meant for upstream version number only.
(The effective version string for the package would be "3" in both
cases, so there is no harm done for version comparison.)
Fixes: 0453c3866f ("vxlan: fix udp checksum control")
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
(cherry picked from commit b29d620ed2)
So far, passing "rxcsum" and "txcsum" had no effect.
Fixes: 95ab18e012 ("vxlan: add options to enable and disable UDP
checksums")
Signed-off-by: Johannes Kimmel <fff@bareminimum.eu>
[add Fixes:]
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
(cherry picked from commit 0453c3866f)
This bump fixes breakage introduced by kernel commit 8ab8786f78c3fc930f9abf6d6d85e95567de4e1f,
which is part of the 4.14.181 kernel bump, and backported ip6_dst_lookup_flow to 4.14.
This breaks the older WireGuard version currently in 19.07.
For reference, the compilation error is the one below:
build_dir/target-x86_64_musl/linux-x86_64/wireguard-linux-compat-1.0.20200506/src/compat/compat.h:104:42: error: 'const struct ipv6_stub' has no member named 'ipv6_dst_lookup'; did you mean 'ipv6_dst_lookup_flow'?
#define ipv6_dst_lookup_flow(a, b, c, d) ipv6_dst_lookup(a, b, &dst, c) + (void *)0 ?: dst
Changelogs below taken from the official release announcements.
== Changes since v1.0.20200506 ==
This release aligns with the changes I sent to DaveM for 5.7-rc7 and were
pushed to net.git about 45 minutes ago.
* qemu: use newer iproute2 for gcc-10
* qemu: add -fcommon for compiling ping with gcc-10
These enable the test suite to compile with gcc-10.
* noise: read preshared key while taking lock
Matt noticed a benign data race when porting the Linux code to OpenBSD.
* queueing: preserve flow hash across packet scrubbing
* noise: separate receive counter from send counter
WireGuard now works with fq_codel, cake, and other qdiscs that make use of
skb->hash. This should significantly improve latency spikes related to
buffer bloat. Here's a before and after graph from some data Toke measured:
https://data.zx2c4.com/removal-of-buffer-bloat-in-wireguard.png
* compat: support RHEL 8 as 8.2, drop 8.1 support
* compat: support CentOS 8 explicitly
* compat: RHEL7 backported the skb hash renamings
The usual RHEL churn.
* compat: backport renamed/missing skb hash members
The new support for fq_codel and friends meant more backporting work.
* compat: ip6_dst_lookup_flow was backported to 4.14, 4.9, and 4.4
== Changes since v1.0.20200611 ==
* qemu: always use cbuild gcc rather than system gcc
* qemu: remove -Werror in order to build ancient kernels better
* qemu: patch kernels that rely on ancient make
* qemu: force 2MB pages for binutils 2.31
* qemu: use cbuild gcc for avx512 exclusion
* qemu: add extra fill in idt handler for newer binutils
* qemu: support fetching kernels for arbitrary URLs
* qemu: patch in UTS_UBUNTU_RELEASE_ABI for Ubuntu detection
* qemu: work around broken centos8 kernel
* qemu: mark per_cpu_load_addr as static for gcc-10
Our qemu test suite can now handle more kernels and more compilers. Scroll
down to the bottom of https://www.wireguard.com/build-status/ to see the
expanded array of kernels we now test against, including some distro kernels.
* compat: widen breadth of integer constants
* compat: widen breadth of memzero_explicit backport
* compat: backport skb_scrub_packet to 3.11
* compat: widen breadth of prandom_u32_max backport
* compat: narrow the breadth of iptunnel_xmit backport
* compat: backport iptunnel_xmit to 3.11
With the expanded qemu test suite, it was possible to expand our list of
mainline kernels, so the backport compat layer is now more precise.
* compat: ubuntu appears to have backported ipv6_dst_lookup_flow
* compat: bionic-hwe-5.0/disco kernel backported skb_reset_redirect and ipv6 flow
Ubuntu kernels changed recently, so this ensures we can compile with the
latest Ubuntu releases.
* compat: remove stale suse support
Signed-off-by: Stijn Segers <foss@volatilesystems.org>
(cherry picked from commit 1fd1f5e8cff18f97675ce303b05d411136b99fb0)
mac80211_get_addr is called from mac80211_generate_mac, where the local variable
initialisation id="${macidx:-0}" suggests that macidx is not always defined.
Probably, idx was supposed to be used instead of $(($macidx + 1)).
Fixes: 4d99db168c ("mac80211: try to get interface addresses from wiphy sysfs 'addresses' if no mask is set")
Signed-off-by: Leon M. George <leon@georgemail.eu>
(cherry picked from commit 8f95220bcb)
The original text was copy/pasted from some other package.
Adjust the package title and description to match the description
on the publishers page.
Signed-off-by: Catalin Patulea <catalinp@google.com>
[slightly adjust content and commit message]
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
(cherry picked from commit 492a6594b9)
urandom-seed has a separate Makefile, we can safely remove the definition here.
Fixes: 27bfde9c9f ("base-files: move urandom seed bits into separate package")
Signed-off-by: Sungbo Eo <mans0n@gorani.run>
(cherry picked from commit 46a6586c83)
51e16eb uclient-fetch: add option to read POST data from file
99aebe3 uclient: Add string error function
Fixes: 0c910d8459 ("uclient: Update to version 2020-06-17")
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
This reverts commit 0c910d8459.
We cannot use uclient Git HEAD as-is on 19.07 due to an older
version of the ustream-ssl API.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
fef6d3d uclient: Add string error function
af585db uclient-fetch: support specifying advertised TLS ciphers
c660986 uclient-fetch: add option to read POST data from file
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
(cherry-squashed from commits 05145ffbef98017228dddd166960f48e98613f4d)
Also ensure that the error message is actually printed to stderr and that
the rule generation is aborted if an interface cannot be resolved.
Ref: https://github.com/openwrt/luci/issues/3975
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
(cherry picked from commit 559b338466)
Add a local hack to prevent the Broadcom WPA authenticator process from
inheriting the lock descriptor 1000 used to prevent concurrent executions
of the init script.
Without this fix, repeated invocations of /etc/init.d/network, e.g. for
obtaining the enabled state, would hang forever.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
(cherry picked from commit a03d6d2fab)
078bb57 uci: reset uci_ptr flags when merging options during section add
3df62bc session: deny access if password login is disabled
efe51f4 iwinfo: add current hw and ht mode to info call
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
86818eaa976b blob: make blob_parse_untrusted more permissive
cf2e8eb485ab tests: add fuzzer seed file for crash in blob_len
c2fc622b771f blobmsg: fix length in blobmsg_check_array
639c29d19717 blobmsg: simplify and fix name length checks in blobmsg_check_name
66195aee5042 blobmsg: fix missing length checks
Signed-off-by: Felix Fietkau <nbd@nbd.name>
(cherry picked from commit b371182d24)
5e75160 blobmsg: fix attrs iteration in the blobmsg_check_array_len()
eeddf22 tests: runqueue: try to fix race on GitLab CI
89fb613 libubox: runqueue: fix use-after-free bug
1db3e7d libubox: runqueue fix comment in header
7c4ef0d tests: list: add test case for list_empty iterator
Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
(cherry picked from commit a765b063ee)
crypto_bignum_rand() use needless time-consuming filtering
which resulted in SAE no longer connecting within time limits.
Import fixes from hostap upstream to fix that.
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
(cherry picked from commit 631c437a91)
00b921d80ac0 Do not print line number in debug messages
96c42c5ed320 Fix length checks in cert_load()
fe06b4b836b3 usign-exec: improve usign -F output handling
19f9e1917e1b usign-exec: return code fixes
077feb5b5824 usign-exec: close writing end of pipe early in parent process
7ec4bb764e1e usign-exec: remove redundant return statements
5a738e549d31 usign-exec: change usign_f_* fingerprint argument to char[17]
112488bbbccc usign-exec: do not close stdin and stderr before exec
38dcb1a6f121 usign-exec: fix exec error handling
a9be4fb17df2 usign-exec: simplify usign execv calls
854d93e2326a Introduce read_file() helper, improve error reporting
afc86f352bf7 Fix return code of write_file()
fdff10852326 stdout/stderr improvements
dddb2aa8124d ci: fix unit test failures by enabling full ucert build
5f206bcfe5c2 ci: enable unit testing
Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
This backports upstream fixes for the out of bounds write vulnerability in json-c.
It was reported and patches in this upstream PR: https://github.com/json-c/json-c/pull/592
Addresses CVE-2020-12762
Signed-off-by: Robert Marko <robert.marko@sartura.hr>
Signed-off-by: Luka Perkov <luka.perkov@sartura.hr>
[bump PKG_RELEASE, rebase patches on top of json-c 0.12]
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
(backported from commit bc0288b768)
Program received signal SIGSEGV, Segmentation fault.
main_autofs (argv=<optimized out>, argc=<optimized out>)
at fstools-2020-05-06-eec16e2f/block.c:1193
1193: if (!m->autofs && (mp = find_mount_point(pr->dev))) {
Fixes: 3b9e4d6d4c ("fstools: update to the latest version")
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
(cherry picked from commit b181294b02)
* compat: timeconst.h is a generated artifact
Before we were trying to check for timeconst.h by looking in the kernel
source directory. This isn't quite correct on configurations in which
the object directory is separate from the kernel source directory, for
example when using O="elsewhere" as a make option when building the
kernel. The correct fix is to use $(CURDIR), which should point to
where we want.
* compat: use bash instead of bc for HZ-->USEC calculation
This should make packaging somewhat easier, as bash is generally already
available (at least for dkms), whereas bc isn't provided by distros by
default in their build meta packages.
* socket: remove errant restriction on looping to self
It's already possible to create two different interfaces and loop
packets between them. This has always been possible with tunnels in the
kernel, and isn't specific to wireguard. Therefore, the networking stack
already needs to deal with that. At the very least, the packet winds up
exceeding the MTU and is discarded at that point. So, since this is
already something that happens, there's no need to forbid the not very
exceptional case of routing a packet back to the same interface; this
loop is no different than others, and we shouldn't special case it, but
rather rely on generic handling of loops in general. This also makes it
easier to do interesting things with wireguard such as onion routing.
At the same time, we add a selftest for this, ensuring that both onion
routing works and infinite routing loops do not crash the kernel. We
also add a test case for wireguard interfaces nesting packets and
sending traffic between each other, as well as the loop in this case
too. We make sure to send some throughput-heavy traffic for this use
case, to stress out any possible recursion issues with the locks around
workqueues.
* send: cond_resched() when processing tx ringbuffers
Users with pathological hardware reported CPU stalls on CONFIG_
PREEMPT_VOLUNTARY=y, because the ringbuffers would stay full, meaning
these workers would never terminate. That turned out not to be okay on
systems without forced preemption. This commit adds a cond_resched() to
the bottom of each loop iteration, so that these workers don't hog the
core. We don't do this on encryption/decryption because the compat
module here uses simd_relax, which already includes a call to schedule
in preempt_enable.
* selftests: initalize ipv6 members to NULL to squelch clang warning
This fixes a worthless warning from clang.
* send/receive: use explicit unlikely branch instead of implicit coalescing
Some code readibility cleanups.
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
(cherry picked from commit 4f6343ffe7)
As announced on the mailing list, WireGuard will be in Linux 5.6. As a
result, the wg(8) tool, used by OpenWRT in the same manner as ip(8), is
moving to its own wireguard-tools repo. Meanwhile, the out-of-tree
kernel module for kernels 3.10 - 5.5 moved to its own wireguard-linux-
compat repo. Yesterday, releases were cut out of these repos, so this
commit bumps packages to match. Since wg(8) and the compat kernel module
are versioned and released separately, we create a wireguard-tools
Makefile to contain the source for the new tools repo. Later, when
OpenWRT moves permanently to Linux 5.6, we'll drop the original module
package, leaving only the tools. So this commit shuffles the build
definition around a bit but is basically the same idea as before.
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
(cherry picked from commit ea980fb9c6)
Fixes: 5e8b50da15 (odhcpd : fix lan host reachibility due to identical RIO and PIO prefixes (FS#3056))
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
975dce2 client: allow keep-alive for POST requests
d062f85 file: poke ustream after starting deferred program
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
Workaround a bug in patches/100-debian_shared_lib.patch - it attemptss to
extract the library major version from debian/changelog which does not exist
in the vanilla upstream tarball.
Create a fake changelog file for now to satisfy the version extraction
routine until we get around to properly augment the patch.
Fixes: FS#2970
Fixes: 96ee7c8bfd ("libpcap: Update shared-lib patch from Debian to fix linking problems")
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
84965b92f635 blockd: print symlink error code and string message
62c578c22f9d blockd: report "target" path as "mount" for autofs available mounts
d1f1f2b38fa1 block: remove mount target file if it's a link
830441d790d6 blockd: remove symlink linkpath file if it's a dir or link
c80f7002114f libfstools/mtd: attempt to read from OOB data if empty space is found
Signed-off-by: Felix Fietkau <nbd@nbd.name>
(cherry picked from commit b7d6e80fee)
This extra _DEFAULT_SOURCE definition results in a double definition
which is a compile error.
This fixes the following compile error with glibc:
----------------------------------------------------------------------
ugps-2019-06-25-cd7eabcd/nmea.c:19: error: "_DEFAULT_SOURCE" redefined [-Werror]
#define _DEFAULT_SOURCE
<command-line>: note: this is the location of the previous definition
cc1: all warnings being treated as errors
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
(cherry picked from commit 70a962ca6f)
When compiled with glibc the config_scan.c wants to use the
cpupolicy2numeric() function which is only available when
HAVE_SCHED_SETSCHEDULER is set. It looks like the wrong define was used here.
This fixes a build problem with glibc in combination with the force
ac_cv_func_sched_setscheduler=no in the OpenWrt CONFIGURE_VARS.
This fixes the following compile error with glibc:
----------------------------------------------------------------------
/bin/ld: config_scan.o: in function `socks_yylex':
dante-1.4.1/sockd/config_scan.l:461: undefined reference to `cpupolicy2numeric'
collect2: error: ld returned 1 exit status
make[5]: *** [Makefile:522: sockd] Error 1
Fixes: aaf46a8fe2 ("dante: disable sched_getscheduler() - not implemented in musl")
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
(cherry picked from commit ce1798e915)
Build with NO_LIBCAP=1. This is to resolve build issue.
Package perf is missing dependencies for the following libraries:
libcap.so.2
Signed-off-by: Yangbo Lu <yangbo.lu@nxp.com>
(cherry picked from commit 80f128d2aa)
Before, only frames with a maximum size of 1528 bytes could be
transmitted between two 802.11s nodes.
For batman-adv for instance, which adds its own header to each frame,
we typically need an MTU of at least 1532 bytes to be able to transmit
without fragmentation.
This patch now increases the maxmimum frame size from 1528 to 1656
bytes.
Tested with two ath10k devices in 802.11s mode, as well as with
batman-adv on top of 802.11s with forwarding disabled.
Fix originally found and developed by Ben Greear.
Link: https://github.com/greearb/ath10k-ct/issues/89
Link: 9e5ab25027
Cc: Ben Greear <greearb@candelatech.com>
Signed-off-by: Linus Lüssing <ll@simonwunderlich.de>
Signed-off-by: Sven Eckelmann <sven@narfation.org>
(cherry picked from commit 066ec97167)
Backport patch from hostapd.git master that fixes copy/paste error in
crypto_bignum_sub() in crypto_wolfssl.c.
This missing fix was discovered while testing SAE over a mesh interface.
With this fix applied and wolfssl >3.14.4 mesh+SAE works fine with
wpad-mesh-wolfssl.
Cc: Sean Parkinson <sean@wolfssl.com>
Signed-off-by: Antonio Quartulli <a@unstable.cc>
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
(cherry picked from commit 4b3b8ec81c)
Without this change, wpa-cli features depend on which wpad build variant was
used to build the wpa-cli package
Signed-off-by: Felix Fietkau <nbd@nbd.name>
Tested-by: Jérôme Benoit <jerome.benoit@piment-noir.org> [WRT1900AC v1]
[added missing package version bump]
Signed-off-by: Petr Štetiar <ynezz@true.cz>
(cherry picked from commit 03e9e4ba9e)
Another release is overdue for quite some time, so I'm backporting three
fixes from upstream which I plan to backport into 19.07 as well.
Ref: FS#2880
Signed-off-by: Petr Štetiar <ynezz@true.cz>
(cherry picked from commit 76a0ddf130)
On Windows, refuse paths that start with \\ ... as that might cause an
unexpected SMB connection to a given host name.
Ref: PR#2730
Ref: https://curl.haxx.se/docs/CVE-2019-15601.html
Suggested-by: Jerome Benoit <jerome.benoit@sap.com>
Signed-off-by: Petr Štetiar <ynezz@true.cz>
Before 2019.01 version was introduced patch, which changes cache
routines: 93b283d4 ("ARM: CPU: arm926ejs: Consolidate cache
routines to common file"). Unfortunately that patch make ethernet
and usb in kirkwood broken.
This patch backport commit 599f7aa5 ("ARM: kirkwood: disable dcache
for Kirkwood boards"), which are fix for that problem.
Fixes: dc08514e6d ("uboot-kirkwood: update to 2019.01")
Run tested: pogoplugv4
Tested-by: Cezary Jackiewicz <cezary@eko.one.pl> [nsa310]
Signed-off-by: Pawel Dembicki <paweldembicki@gmail.com>
f4d759b dhcp.c: further improve validation
Further improve input validation for CVE-2020-11752
Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
(cherry picked from commit 9e7d11f3e2)
cdac046 dns.c: fix input validation fix
Due to a slight foobar typo, failing to de-reference a pointer, previous
fix not quite as complete as it should have been.
Improve CVE-2020-11750 fix
Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
(cherry picked from commit 9f7c8ed078)
Fix the test for an enabled sysntp initscript in dnsmasq.init, and get
rid of "test -o" while at it.
Issue reproduced on openwrt-19.07 with the help of pool.ntp.br and an
RTC-less ath79 router. dnssec-no-timecheck would be clearly missing
from /var/etc/dnsmasq.conf.* while the router was still a few days in
the past due to non-working DNSSEC + DNS-based NTP server config.
The fix was tested with the router in the "DNSSEC broken state": it
properly started dnsmasq in dnssec-no-timecheck mode, and eventually ntp
was able to resolve the server name to an IP address, and set the system
time. DNSSEC was then enabled by SIGINT through the ntp hotplug hook,
as expected.
A missing system.ntp.enabled UCI node is required for the bug to show
up. The reasons for why it would be missing in the first place were not
investigated.
Signed-off-by: Henrique de Moraes Holschuh <henrique@nic.br>
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com> [PKG_RELEASE increase]
(cherry picked from commit 556b8581a1)
Building libpcap with high number (64) of simultaneous jobs fails:
In file included from ./fmtutils.c:42:0:
./ftmacros.h:106:0: warning: "_BSD_SOURCE" redefined
#define _BSD_SOURCE
<command-line>:0:0: note: this is the location of the previous definition
./gencode.c:67:10: fatal error: grammar.h: No such file or directory
#include "grammar.h"
^~~~~~~~~~~
compilation terminated.
Makefile:99: recipe for target 'gencode_pic.o' failed
So fix this by less intrusive way by disabling the parallel builds for
this package.
Ref: FS#3010
Signed-off-by: Petr Štetiar <ynezz@true.cz>
Fixes NULL dereference in SSL_check_chain() for TLS 1.3, marked with
high severity, assigned CVE-2020-1967.
Ref: https://www.openssl.org/news/secadv/20200421.txt
Signed-off-by: Petr Štetiar <ynezz@true.cz>
(cherry picked from commit 3773ae127a)
ab7a39a umdns: fix unused error
45c4953 dns: explicitly endian-convert all fields in header and question
Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
(cherry picked from commit 22ae8bd50e)
(cherry picked from commit 17c4593e63f5847868f2c38185275199d37d379a)
gcc 8 & 9 appear to be more picky with regards access alignment to
packed structures, leading to this warning in dns.c:
dns.c:261:2: error: converting a packed ‘struct dns_question’ pointer
(alignment 1) to a ‘uint16_t’ {aka ‘short unsigned int’} pointer
(alignment 2) may result in an unaligned pointer value
[-Werror=address-of-packed-member]
261 | uint16_t *swap = (uint16_t *) q;
Work around what I think is a false positive by turning the warning off.
Not ideal, but not quite as not ideal as build failure.
Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
(cherry picked from commit 02640f0147)
(cherry picked from commit a10b6ec1c8cd6d14a3b76a2ec3d81442b85f7321)
Don't move strings anymore to /bin/strings to avoid clash with
busybox /usr/bin/strings but move it to /usr/bin/binutils-strings.
Use ALTERNATIVES support to install it as /usr/bin/strings
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
(cherry picked from commit 5f126c541a)
Security fixes for:
* CVE-2020-10932
* a potentially remotely exploitable buffer overread in a DTLS client
* bug in DTLS handling of new associations with the same parameters
Full release announement:
https://tls.mbed.org/tech-updates/releases/mbedtls-2.16.6-and-2.7.15-released
Signed-off-by: Magnus Kroken <mkroken@gmail.com>
(cherry picked from commit 02fcbe2f3d)
It's needed for optimized sysupgrade. On host machine this change
increased busybox size by 4096 B.
Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
(cherry picked from commit 547f1ec25a)
There were two changes between 1.1.1e and 1.1.1f:
- a change in BN prime generation to avoid possible fingerprinting of
newly generated RSA modules
- the patch reversing EOF detection we had already applied.
Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
(cherry picked from commit af5ccfbac7)
This updates the shared-lib patch to the recent version from debian
found here:
https://salsa.debian.org/rfrancoise/libpcap/-/blob/debian/1.9.1-2/debian/patches/shared-lib.diff
This patch makes it include missing/strlcpy.o to the shared library
which is needed for OpenWrt glibc builds, otherwise there is an
undefined symbol and tcpdump and other builds are failing.
Fixes: 44f11353de ("libpcap: update to 1.9.1")
Signed-off-by: Hauke Mehrtens <hauke.mehrtens@intel.com>
Commit 432ec292cc ("rpcd: add respawn param") has introduced infinite
restarting of the service which could be reached over network. This is
not recommended security practice as it might give potential adversary
infinite number of tries in case there might be some issue in the rpcd
or its surrounding stack.
So lets remove the currently bogus `respawn_retry` variable (it wasn't
possible to override it anyway), reverting to the previous default max.
of 5 service restarts which could be now overriden via system's UCI
settings if desired.
Cc: Jo-Philip Wich <jow@mein.io>
Cc: Florian Eckert <fe@dev.tdt.de>
Cc: Hauke Mehrtens <hauke@hauke-m.de>
Fixes: 432ec292cc ("rpcd: add respawn param")
Signed-off-by: Petr Štetiar <ynezz@true.cz>
(cherry picked from commit 52e6fb1369)
We must ensure that host ncurses is build before host readline.
Signed-off-by: Jan Kardell <jan.kardell@telliq.com>
(cherry picked from commit ecef29b294)
This adds patches to avoid possible application breakage caused by a
change in behavior introduced in 1.1.1e. It affects at least nginx,
which logs error messages such as:
nginx[16652]: [crit] 16675#0: *358 SSL_read() failed (SSL: error:
4095126:SSL routines:ssl3_read_n:unexpected eof while reading) while
keepalive, client: xxxx, server: [::]:443
Openssl commits db943f4 (Detect EOF while reading in libssl), and
22623e0 (Teach more BIOs how to handle BIO_CTRL_EOF) changed the
behavior when encountering an EOF in SSL_read(). Previous behavior was
to return SSL_ERROR_SYSCALL, but errno would still be 0. The commits
being reverted changed it to SSL_ERRO_SSL, and add an error to the
stack, which is correct. Unfortunately this affects a number of
applications that counted on the old behavior, including nginx.
The reversion was discussed in openssl/openssl#11378, and implemented as
PR openssl/openssl#11400.
Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
(cherry picked from commit 2e8a4db9b6)
Since commit 557f11b3a20f ("instance: provide error feedback if ujail
binary is missing") worrying log spam of the form "unable to find
/sbin/jail ..." may be encountered.
This corresponds with the changes done in the upstream commit
bcb86554f1b4 ("instance: add 'requirejail' attribute").
Ref: https://forum.openwrt.org/t/openwrt-19-07-2-service-release/57066
Signed-off-by: Petr Štetiar <ynezz@true.cz>
Add option 'scriptarp' to uci dnsmasq config to enable --script-arp functions.
The default setting is false, meaning any scripts in `/etc/hotplug.d/neigh` intended
to be triggered by `/usr/lib/dnsmasq/dhcp-script.sh` will fail to execute.
Also enable --script-arp if has_handlers returns true.
Signed-off-by: Jordan Sokolic <oofnik@gmail.com>
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com> [PKG_RELEASE increase]
This version includes bug and security fixes, including medium-severity
CVE-2019-1551, affecting RSA1024, RSA1536, DSA1024 & DH512 on x86_64.
Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
(cherry picked from commit dcef8d6093)
This adds commented configuration help for the alternate, afalg-sync
engine to /etc/ssl/openssl.cnf.
Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
(cherry picked from commit d9d689589b)
This adds the direct dependencies introduced by TARGET_LDFLAGS
to the package's DEPENDS variable.
This was found by accidentally building rssileds on octeon, which
resulted in:
"Package rssileds is missing dependencies for the following libraries:
libnl-tiny.so"
Though the dependencies are provided when building for the
relevant targets ar71xx, ath79 and ramips, it seems more tidy to
specify them explicitly.
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
(cherry picked from commit a5b2c6f5ed)
8682e0d0b49c mt76: speed up usb bulk copy
884c25e7caca mt76: usb: use max packet length for m76u_copy
1ad98b95cf4a mt76: mt76u: rely only on data buffer for usb control messagges
3d491603caff mt76: fix array overflow on receiving too many fragments for a packet
9792a62e7f30 mt76: set dma-done flag for flushed descriptors
53233cdf9486 mt76: fix handling full tx queues in mt76_dma_tx_queue_skb_raw
a4ae9219e6c7 mt76: dma: do not write cpu_idx on rx queue reset until after refill
1198fa57d185 mt76: mt7603: increase dma mcu rx ring size
91cd5be6ee37 mt76: avoid extra RCU synchronization on station removal
7d7fb26bb78a mt76: mt76x2: avoid starting the MAC too early
aac609809de1 mt76: fix LED link time failure
18627db2e633 mt76: mt76x0u: add support to TP-Link T2UHP
5ecfdb1a6e0a mt76: mt76x02: fix handling MCU timeouts during hw restart
f7e9be89db59 mt76: mt7603: add upper limit for dynamic sensitivity minimum receive power
23b834485070 mt76: mt7603: enable dynamic sensitivity adjustment by default
08054d5ab135 mt76: mt76x02: reset MCU timeout counter earlier in watchdog reset
Signed-off-by: Felix Fietkau <nbd@nbd.name>
The rpcd service is an important service, but if the service stops
working for any reason, no one will ever respawn that service. With this
commit, the procd service will monitor if the rpcd service
is running. If the rpcd service has crashed, then
procd respawns the rpcd service.
Signed-off-by: Florian Eckert <fe@dev.tdt.de>
(cherry picked from commit 432ec292cc)
This reverts commit 6b7eeb74db since it
didn't contain a reference to the CVE it addresses. The next commit
will re-add the commit including a CVE reference in its commit message.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
8d45443bb5c9 pppd: Ignore received EAP messages when not doing EAP
8d7970b8f3db pppd: Fix bounds check in EAP code
858976b1fc31 radius: Prevent buffer overflow in rc_mksid()
Signed-off-by: Petr Štetiar <ynezz@true.cz>
(cherry picked from commit 215598fd03)
The $(space) definition in the hostapd Makefile ceased to work with
GNU Make 4.3 and later, leading to syntax errors in the generated
Kconfig files.
Drop the superfluous redefinition and reuse the working $(space)
declaration from rules.mk to fix this issue.
Fixes: GH#2713
Ref: https://github.com/openwrt/openwrt/pull/2713#issuecomment-583722469
Reported-by: Karel Kočí <cynerd@email.cz>
Suggested-by: Jonas Gorski <jonas.gorski@gmail.com>
Tested-by: Shaleen Jain <shaleen@jain.sh>
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
(cherry picked from commit 766e778226)
Add Netgear WNDR3700v2 to the list of supported boards.
Signed-off-by: Michal Cieslakiewicz <michal.cieslakiewicz@wp.pl>
[rebase, adjusted commit title]
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
(cherry picked from commit a09408fa57)
Call skb_orphan(skb) to call the owner's destructor function and make
the skb unowned.
This is necessary to prevent sk_wmem_alloc of a socket from overflowing,
which leads to ENOBUFS errors on application level.
Signed-off-by: Martin Schiller <ms@dev.tdt.de>
(cherry picked from commit 996f02e5ba)
hostapd sets minimum values for CWmin/CWmax/AIFS and maximum for TXOP.
The code for applying those values had a few bugs leading to bogus values,
which caused significant latency and packet loss.
Signed-off-by: Felix Fietkau <nbd@nbd.name>
