Commit Graph

13087 Commits

Author SHA1 Message Date
Hans Dedecker
91d41b6305 dnsmasq: backport tweak ICMP ping logic for DHCPv4
Don't start ping-check of address in DHCP discover if there already
exists a lease for the address. It has been reported under some
circumstances android and netbooted windows devices can reply to
ICMP pings if they have a lease and thus block the allocation of
the IP address the device already has during boot.

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2017-07-01 13:53:53 +02:00
Hans Dedecker
cca765f64c dhcpv6: add missing dollar sign in dhcpv6 script (FS#874)
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2017-06-29 10:02:14 +02:00
Daniel Golle
eff3469510 procd: backport fixes from master branch
The following commits have been cherry-picked into the lede-17.01
branch of procd, listed here in git-log-order ie. with head first:

89918c8 system: introduce new attribute board_name
(79bbe6d and 453116e on master branch)

8297c38 preinit: define _GNU_SOURCE
(e5b963a on master branch)

8fd57dd upgraded: cmake: Find and include uloop.h
(e5ff8ca on master branch)

6b0da20 hotplug: fix a memory leak in handle_button_complete()
(f367ec6 on master branch)

558ffb5 service/service_stopped(): fix a use-after-free
(796ba3b on master branch)

22f89e1 upgraded: define __GNU_SOURCE
(e7bb2c8 on master branch)

6e8ea8b rcS: add missing fcntl.h include
(992b796 on master branch)

cd5225d procd/rcS: Use /dev/null as stdin
(d42b21e on master branch)

5131bec procd: Log initscript output prefixed with script name
(1247db1 on master branch)

225b18d procd: Don't use syslog before its initialization
(8d720b2 on master branch)

889442c procd: Add missing \n in debug message
(2555474 on master branch)

2716228 procd: service gets deleted when its last instance is freed
(8f218f5 on master branch)

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2017-06-28 02:01:07 +02:00
Rafał Miłecki
761e6087ed base-files: fix PKG_CONFIG_DEPENDS to include version.mk entries
Including version.mk sets PKG_CONFIG_DEPENDS to config entries used for
VERSION_SED command. We should keep these configs to make sure package
gets refreshed when needed.

Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
2017-06-26 23:47:12 +02:00
Christian Schoenebeck
73a4568f19 ca-certificates: Update to version 20161130+nmu1
Signed-off-by: Christian Schoenebeck <christian.schoenebeck@gmail.com>
2017-06-26 10:09:54 +02:00
Magnus Kroken
57289ae640 openvpn: update to 2.4.3
Fixes for security and other issues. See security announcement for more details:
https://community.openvpn.net/openvpn/wiki/VulnerabilitiesFixedInOpenVPN243

* Remotely-triggerable ASSERT() on malformed IPv6 packet (CVE-2017-7508)
* Pre-authentication remote crash/information disclosure for clients (CVE-2017-7520)
* Potential double-free in --x509-alt-username (CVE-2017-7521)
* Remote-triggerable memory leaks (CVE-2017-7512)
* Post-authentication remote DoS when using the --x509-track option (CVE-2017-7522)
* Null-pointer dereference in establish_http_proxy_passthru()
* Restrict --x509-alt-username extension types
* Fix potential 1-byte overread in TCP option parsing
* Fix mbedtls fingerprint calculation
* openssl: fix overflow check for long --tls-cipher option
* Ensure option array p[] is always NULL-terminated
* Pass correct buffer size to GetModuleFileNameW() (Quarkslabs finding 5.6)

Signed-off-by: Magnus Kroken <mkroken@gmail.com>
2017-06-26 09:57:11 +02:00
Magnus Kroken
73e81a8318 mbedtls: update to 2.5.1
Fixes some security issues (no remote exploits), and introduces
some changes. See release notes for details:
https://tls.mbed.org/tech-updates/releases/mbedtls-2.5.1-2.1.8-and-1.3.20-released

* Fixes an unlimited overread of heap-based buffers in mbedtls_ssl_read()
* Adds exponent blinding to RSA private operations
* Wipes stack buffers in RSA private key operations (rsa_rsaes_pkcs1_v15_decrypt(), rsa_rsaes_oaep_decrypt())
* Removes SHA-1 and RIPEMD-160 from the default hash algorithms for certificate verification.
* Fixes offset in FALLBACK_SCSV parsing that caused TLS server to fail to detect it sometimes.
* Tighten parsing of RSA PKCS#1 v1.5 signatures, to avoid a potential Bleichenbacher/BERserk-style attack.

Signed-off-by: Magnus Kroken <mkroken@gmail.com>
2017-06-26 09:57:11 +02:00
Hans Dedecker
8f254e9c27 Revert "dnsmasq: don't point --resolv-file to default location unconditionally"
This reverts commit 78edfff530.

This breaks local dns resolving in case noresolv=1 as resolv.conf is not
populated anymore with 127.0.0.1 as resolvfile does not equal
/tmp/resolv.conf.auto anymore.

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2017-06-19 22:07:44 +02:00
Kevin Darbyshire-Bryant
c16326cfed dropbear: fix service trigger syntax error
The classic single '&' when double '&&' conditional was meant.

Signed-off-by: Kevin Darbyshire-Bryant <kevin@darbyshire-bryant.me.uk>
2017-06-17 13:50:27 +02:00
Alexander Couzens
a6b5ddfd9b LEDE v17.01.2: revert to branch defaults
Signed-off-by: Alexander Couzens <lynxis@fe80.eu>
2017-06-10 13:08:07 +02:00
Alexander Couzens
2da512ecf4 LEDE v17.01.2: adjust config defaults
Signed-off-by: Alexander Couzens <lynxis@fe80.eu>
2017-06-10 13:08:02 +02:00
Jo-Philipp Wich
e5db08edf7 base-files: network.sh: fix a number of IPv6 logic flaws
* Change network_get_subnet6() to sensibly guess a suitable prefix

  Attempt to return the first non-linklocal, non-ula range, then attempt
  to return the first non-linklocal range and finally fall back to the
  previous behaviour of simply returning the first found item.

* Fix network_get_ipaddrs_all()

  Instead of replicating the flawed logic appending a fixed ":1" suffix
  to IPv6 addresses, rely on network_get_ipaddrs() and network_get_ipaddrs6()
  to build a single list of all interface addresses.

* Fix network_get_subnets6()

  Instead of replicating the flawed logic appending a fixed ":1" suffix
  to IPv6 addresses, rely on the ipv6-prefix-assignment.local-address
  field to figure out the proper network address.

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2017-06-08 23:02:16 +02:00
Jo-Philipp Wich
8a42d4d851 mwlwifi: update to version 10.3.4.0 / 2017-06-06
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2017-06-08 19:57:31 +02:00
Jo-Philipp Wich
df4363b607 base-files: network.sh: properly report local IPv6 addresses
Rework the network_get_ipaddr6() and network_get_ipaddrs6() functions to
fetch the effective local IPv6 address of delegated prefix from the
"local-address" field instead of naively hardcoding ":1" as static suffix.

Fixes FS#829.

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2017-06-08 12:06:50 +02:00
Mathias Kresin
524ed5088e base-files: always set proto passed to _ucidef_set_interface()
Overwrite an already set proto if a new one is passed to
_ucidef_set_interface() similar to what is done for the interface.

It is required when using ""ucidef_set_interface_wan 'ptm0' 'pppoe'"
after some initial wan interface configuration is already done by
ucidef_add_switch.

The "json_is_a protocol string" guard is meant to not reset an earlier
set interface proto in case something like
"ucidef_set_interface_lan 'eth0'" is used afterwards.

Signed-off-by: Mathias Kresin <dev@kresin.me>
2017-06-03 20:41:26 +02:00
Jo-Philipp Wich
e78a641f52 umdns: remove superfluous include in init script
The umdns init script includes function/network.sh globally, outside of any
service procedure. This causes init script activation to fail in buildroot
and IB context if umdns is set to builtin.

Additionally, the network.sh helper is not actually used.

Drop the entire include in order to repair init script activation in build
host context. Fixes FS#658.

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2017-06-02 01:29:51 +02:00
Jo-Philipp Wich
cdfc6788a9 dnsmasq: bump to 2.77
This is a cumulative backport of multiple dnsmasq update commits in master.

Drops three LEDE specific patches which are included upstream and another
patch which became obsolete. Remaining LEDE specific patches are rebased.

Fixes FS#766 - Intermittent SIGSEGV crash of dnsmasq-full.

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2017-06-02 00:25:08 +02:00
Alberto Bursi
9e20cc56b9 dnsmasq: make tftp root if not existing
If there's a TFTP root directory configured, create it with mkdir -p
(which does not throw an error if the folder exists already)
before starting dnsmasq. This is useful for TFTP roots in /tmp, for example.

Originally submitted by nfw user aka Nathaniel Wesley Filardo

Signed-off-by: Alberto Bursi <alberto.bursi@outlook.it>
2017-06-02 00:09:14 +02:00
Karl Vogel
ebf46d2c5b dnsmasq: use logical interface name for dhcp relay config
The relay section should use the logical interface name and
not the linux network device name directly. This to be
consistent with other sections of the dnsmasq config where
'interface' means the logical interface.

Signed-off-by: Karl Vogel <karl.vogel@gmail.com>
2017-06-02 00:07:02 +02:00
Philip Prindeville
78edfff530 dnsmasq: don't point --resolv-file to default location unconditionally
If noresolv is set, we should not generate a --resolv-file parameter.

Signed-off-by: Philip Prindeville <philipp@redfish-solutions.com>
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com> [minor cleanup]
2017-06-02 00:06:24 +02:00
Julian Labus
fe5e343933 usbmode: update usb-modeswitch-data to 20170205
add support for new hardware

Signed-off-by: Julian Labus <julian@labus-online.de>
2017-05-29 09:26:27 +02:00
Julian Labus
4baf0ea229 usbmode: update to latest version
453da8e convert-modeswitch.pl: fix message indices

Signed-off-by: Julian Labus <julian@labus-online.de>
2017-05-29 09:26:27 +02:00
Florian Fainelli
7c1e58863c usbmode: Update to latest HEAD
Brings the following changes:

22f041e18df0 Extend StandardEject sequence to include LUN 1
61fdf7e9b1cc cmake: Search for libjson-c
2769852e76b5 cmake: Find libubox/blobmsg_json.h
8a47c4b6649f add TargetClass support

Signed-off-by: Florian Fainelli <f.fainelli@gmail.com>
2017-05-29 09:26:27 +02:00
Jo-Philipp Wich
22478bf473 samba: bump PKG_RELEASE
The previous CVE bugfix commit did not adjust PKG_RELEASE, therefor the
fixed samba package does not appear as opkg update.

Bump the PKG_RELEASE to signify upgrades to downstream users.

Ref: https://forum.lede-project.org/t/sambacry-are-lede-devices-affected/3972/4

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2017-05-27 17:40:21 +02:00
Jo-Philipp Wich
757353c3a0 firewall: resync with master
Update to latest Git HEAD in order to import a number of fixes and other
improvements:

a4d98ae options: remove stray continue statement
3d2c18a options: improve handling of negations when parsing space separated values
0e5dd73 iptables: support -i, -o, -s and -d in option extra
4cb06c7 ubus: increase ubus network interface dump timeout
e5dfc82 iptables: add exception handling
f625954 firewall3: add check_snat() function
7d3d9dc firewall3: display the section type for UBUS rules
53ef9f1 firewall3: add UBUS support for include scripts
5cd4af4 firewall3: add UBUS support for ipset sections
02d6832 firewall3: add UBUS support for forwarding sections
0a7d36d firewall3: add UBUS support for redirect sections
d44f418 firewall3: add fw3_attr_parse_name_type() function
e264c8e firewall3: replace warn_rule() by warn_section()
6039c7f firewall3: check the return value of fw3_parse_options()
c328d1f build: use -Wno-format-truncation instead of -Wno-error=format-truncation
e06e537 utils: replace sprintf use with snprintf to avoid overflows
533f834 build: disable the format-truncation warning error to fix gcc 7 build errors
e751cde zones: drop outgoing invalid traffic in masqueraded zones
d596f72 rules: fix UCI context in error reporting
1d0564c ubus: fix interface name and proto lookup
82ccd9e firewall3: fix handling of UTC times
1949e0c iptables: support xtables API > 11

Fixes FS#548, FS#640, FS#806, FS#811.

Ref: https://forum.lede-project.org/t/nat-leakage-on-tl-wr1043nd-v4/1712

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2017-05-27 16:18:31 +02:00
Matthias Schiffer
4bd3b8f8b0 mac80211, hostapd: always explicitly set beacon interval
One of the latest mac80211 updates added sanity checks, requiring the
beacon intervals of all VIFs of the same radio to match. This often broke
AP+11s setups, as these modes use different default intervals, at least in
some configurations (observed on ath9k).

Instead of relying on driver or hostapd defaults, change the scripts to
always explicitly set the beacon interval, defaulting to 100. This also
applies the beacon interval to 11s interfaces, which had been forgotten
before. VIF-specific beacon_int setting is removed from hostapd.sh.

Fixes FS#619.

Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
2017-05-27 14:24:13 +02:00
Nick Lowe
e194e1b3c8 hostapd: add legacy_rates option to disable 802.11b data rates.
Setting legacy_rates to 0 disables 802.11b data rates.
Setting legacy_rates to 1 enables 802.11b data rates. (Default)

The basic_rate option and supported_rates option are filtered based on this.

The rationale for the change, stronger now than in 2014, can be found in:

https://mentor.ieee.org/802.11/dcn/14/11-14-0099-00-000m-renewing-2-4ghz-band.pptx

The balance of equities between compatibility with b clients and the
detriment to the 2.4 GHz ecosystem as a whole strongly favors disabling b
rates by default.

Signed-off-by: Nick Lowe <nick.lowe@gmail.com>
Signed-off-by: Felix Fietkau <nbd@nbd.name> [cleanup, defaults change]
2017-05-27 14:24:13 +02:00
Mathias Kresin
0e31ce730f ath10k-firmware: do not select the qca988x by default
Do not select the qca988x by default as soon as kmod-ath10k is
selected. We do support more ath10k chips than the qca988x in the
meantime, so this dependency doesn't make sense any longer.

Signed-off-by: Mathias Kresin <dev@kresin.me>
2017-05-27 14:22:16 +02:00
Yousong Zhou
2f92622ce8 kernel: fix autoloading arch-specific modules
Fixes FS#745

Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
2017-05-25 23:21:36 +08:00
Yousong Zhou
9c2bd3d631 backlight-pwm: fix module description
Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
2017-05-25 23:21:35 +08:00
Hauke Mehrtens
d1a0fc3ec8 binutils: fix build with host gcc < 4.9
binutils 2.27 checks if the target compiler supports -Wstack-
usage=262144, and also uses this setting for the host compiler. If the
host compiler is gcc < 4.9 binutils build will fail. This backports 2
commits which are fixing this problem for binutils 2.28.

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2017-05-24 18:05:18 +02:00
Hauke Mehrtens
d179aa8769 util-linux: fix build with uclibc
Fix build of scriptreplay with uClibc.
Some parts of the libm detection were backported to 2.29.2, but some
parts were missing, which are added here. This patch is needed when
libm is a separate library, this is not needed for LEDE master, because
libm is there integrated in the libc for uClibc and musl.

Signed-off-by: Hauke Mehrtens <hauke.mehrtens@intel.com>
2017-05-24 18:04:51 +02:00
Kevin Darbyshire-Bryant
dd19a41520 dropbear: bump to 2017.75
- Security: Fix double-free in server TCP listener cleanup A double-free
in the server could be triggered by an authenticated user if dropbear is
running with -a (Allow connections to forwarded ports from any host)
This could potentially allow arbitrary code execution as root by an
authenticated user.  Affects versions 2013.56 to 2016.74. Thanks to Mark
Shepard for reporting the crash.
CVE-2017-9078 https://secure.ucc.asn.au/hg/dropbear/rev/c8114a48837c

- Security: Fix information disclosure with ~/.ssh/authorized_keys
symlink.  Dropbear parsed authorized_keys as root, even if it were a
symlink.  The fix is to switch to user permissions when opening
authorized_keys

A user could symlink their ~/.ssh/authorized_keys to a root-owned file
they couldn't normally read. If they managed to get that file to contain
valid authorized_keys with command= options it might be possible to read
other contents of that file.
This information disclosure is to an already authenticated user.
Thanks to Jann Horn of Google Project Zero for reporting this.
CVE-2017-9079 https://secure.ucc.asn.au/hg/dropbear/rev/0d889b068123

Refresh patches, rework 100-pubkey_path.patch to work with new
authorized_keys validation.

Signed-off-by: Kevin Darbyshire-Bryant <kevin@darbyshire-bryant.me.uk>
2017-05-24 18:04:51 +02:00
Stijn Tintel
51db1f5a9a samba: fix CVE-2017-7494
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
(cherry picked from commit 3f0d3d12da)
2017-05-24 15:41:30 +02:00
Rafał Miłecki
1165c0ae0d umdns: update to the version 2017-05-22
This includes following changes:
0e8b948 Support specifying instance name in JSON file
49fdb9f Support PTR queries for a specific service
26ce7dc Allow filtering with instance name in service_reply
920c62a Store instance name in the struct service
ff09d9a Rename service_name function to the service_instance_name
64f78f1 Rename mdns_hostname variable to the umdns_host_label

Previous package update pulled commit 70c66fbbcde86 ("Fix sending
replies to PTR questions") which introduced a regression which this
update fixes.

Fixes: 474c31a20d ("umdns: update to the version 2017-03-21")
Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
2017-05-22 12:11:29 +02:00
Rafał Miłecki
0bef8f8011 fstools: backport regression fix for volume_identify
This fixes regression when volume_identify didn't identify volume on
subsequent calls.

Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
2017-05-22 11:15:53 +02:00
Steffen Weinreich
9423cf3e98 om-watchdog: add support for Teltonika RUT5xx (ramips)
Add rut5xx GPIO PIN selection to om-package startup script.

Testet on a RUT500 device, the timeout value of the hardware watchdog
is about 280 sec.

Signed-off-by: Steffen Weinreich <steve@weinreich.org>
[split into two commits, bump PKG_RELEASE]
Signed-off-by: Piotr Dymacz <pepe2k@gmail.com>
2017-05-15 22:55:54 +02:00
Piotr Dymacz
38367c5699 om-watchdog: cosmetic code style fixes
Signed-off-by: Piotr Dymacz <pepe2k@gmail.com>
2017-05-15 22:55:47 +02:00
Piotr Dymacz
da4992f822 om-watchdog: cleanup Makefile
Drop redundant Build/Prepare, empty lines and duplicated Build/Compile.

Signed-off-by: Piotr Dymacz <pepe2k@gmail.com>
2017-05-15 22:55:41 +02:00
Jo-Philipp Wich
aba1b3cbd1 openvpn: update to v2.4.2
Update to version 2.4.2 in order to address two potential Denial-of-Service
vectors in OpenVPN.

CVE-2017-7478 - Don't assert out on receiving too-large control packets
CVE-2017-7479 - Drop packets instead of assert out if packet id rolls over

Ref: https://community.openvpn.net/openvpn/wiki/ChangesInOpenvpn24#OpenVPN2.4.2
Ref: https://community.openvpn.net/openvpn/wiki/QuarkslabAndCryptographyEngineerAudits

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2017-05-12 11:57:01 +02:00
Felix Fietkau
53e751e303 openvpn: add myself as maintainer
Signed-off-by: Felix Fietkau <nbd@nbd.name>
2017-05-12 11:57:01 +02:00
Daniel Engberg
d40e2efa94 OpenVPN: Update to 2.4.1
Update OpenVPN to 2.4.1
Remove 200-small_build_enable_occ.patch as it's included upstream.
Refresh patches
Add mirror and switch to HTTPS

Signed-off-by: Daniel Engberg <daniel.engberg.lists@pyret.net>
2017-05-12 11:57:00 +02:00
Martin Schiller
98491a9ae9 openvpn: add extra respawn parameters
This change protects the openvpn instances to be marked as "in a crash
loop" and thereby the connection retries will run infinitely.

When the remote site of an openvpn connection goes down for some time
(network failure etc.) the openvpn instance in an openwrt/lede device
should not stop retrying to establish the connection.

With the current limit of 5 retries, there is a user interaction
required, which isn't really what you want when the device should
simply do everything to keep the vpn connection up.

Signed-off-by: Martin Schiller <ms@dev.tdt.de>
2017-05-12 11:57:00 +02:00
Yousong Zhou
bc58099802 openvpn: move list of params and bools to a separate file
So that future patches for addition/removal of them can be more
readable

Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
2017-05-12 11:57:00 +02:00
Hans Dedecker
d8cfebaa50 dnsmasq: support dhcp_option config as a list
Configuring dhcp_option as an option does not allow the usage of white
spaces in the option value; fix this by supporting dhcp_option as a list
config while still supporting the option config to maintain backwards
compatibility

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2017-05-09 22:39:41 +02:00
Jo-Philipp Wich
0c8f72639f base-files: implement ucidef_set_hostname(), ucidef_set_ntpserver()
Commit 2036ae4 (base-files: support hostname and ntp servers through board.d)
was supposed to implement these procedures but lacked the required changes
to uci-defaults.sh.

Add the missing procedures now to fix config generation on targets relying
on hostname or NTP server presetting.

Fixes FS#754.

Reported-by: Cristian Morales Vega <cristian@samknows.com>
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2017-05-03 13:48:44 +02:00
Tomislav Požega
eb11207397 mac80211: rt2800: fix mt7620 E2 channel registers
update RF register 47 and 54 values according to vendor driver

Signed-off-by: Tomislav Požega <pozega.tomislav@gmail.com>
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
[daniel@makrotopia.org: moved changes into a separate patch]
2017-05-02 23:17:22 +02:00
Tomislav Požega
64fa4ead32 mac80211: rt2800: fix mt7620 vco calibration registers
Use register values from init LNA function instead of the ones from
restore LNA function. Apply register values based on rx path
configuration.

Signed-off-by: Tomislav Požega <pozega.tomislav@gmail.com>
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
[daniel@makrotopia.org: moved changes into a separate patch]
2017-05-02 23:17:22 +02:00
Daniel Golle
820a39687d mac80211: rt2x00: fix MT7620 LNA gain and VCO-after-ALC
This should fix issues with bad RX as well as AP not coming up and/or
scanning failing.

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2017-05-02 23:17:22 +02:00
Daniel Golle
5b91d2b52e mac80211: rt2x00: import upstream changes and rebase our patches
Some of our local patches have been accepted upstream. And there are
some more relevant changes (mostly for rt2800usb). Import them and
rebase our remaining local patches on top.

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2017-05-02 23:17:22 +02:00