Commit Graph

13262 Commits

Author SHA1 Message Date
Daniel Engberg
a131f7cb69 utils/tcpdump: Rework URLs
Add actual mirror and use main site as last resport
Source: http://www.tcpdump.org/mirrors.html

Signed-off-by: Daniel Engberg <daniel.engberg.lists@pyret.net>
(cherry picked from commit fd95397ee3)
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>

Conflicts:
	package/network/utils/tcpdump/Makefile
2017-09-18 16:50:07 +03:00
Hans Dedecker
7f1359c14e base-files: fix wan6 interface config generation for pppoe
Setting ipv6 to auto in case of a pppoe interface will trigger the
creation of a dynamic wan_6 interface meaning two IPv6 interfaces
(wan6 and wan_6) will be active on top of the pppoe interface.
This leads to unpredictable behavior in the network; therefore set
ipv6 to 1 which will prevent the dynamic creation of the wan_6
interface.
Further alias the wan6 interface on top of the wan interface for pppoe
as the wan6 interface can only be started when the link local address is
ready. In case of pppoe the link local address is negotiated during the
Internet Protocol Control Protocol when the PPP link is setup meaning
all the IP address info is only available when the wan interface is up.

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2017-09-18 13:22:58 +02:00
Lorenzo Santina
d33f7905df treewide: fix shellscript syntax errors/typos
Fix multiple syntax errors in shelscripts (of packages only)
These errors were causing many conditions to not working properly

Signed-off-by: Lorenzo Santina <lorenzo.santina@edu.unito.it>
[increase PKG_RELEASE, drop command substitution from directip.sh]
Signed-off-by: Mathias Kresin <dev@kresin.em>
2017-09-13 08:07:39 +02:00
Lorenzo Santina
082e6215b7 hostapd: fix iapp_interface option
ifname variable were not assigned due to syntax error
causing the hostapd config file to have an empty iapp_interface= option

Signed-off-by: Lorenzo Santina <lorenzo.santina.dev@gmail.com>
2017-09-10 08:31:05 +02:00
Kevin Darbyshire-Bryant
1d15a03050 dnsmasq: backport arcount edns0 fix
Don't return arcount=1 if EDNS0 RR won't fit in the packet.

Omitting the EDNS0 RR but setting arcount gives a malformed packet.
Also, don't accept UDP packet size less than 512 in received EDNS0.

Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
2017-09-08 10:09:48 +02:00
Kevin Darbyshire-Bryant
a7506c0e2b dnsmasq: backport official fix for CVE-2017-13704
Remove LEDE partial fix for CVE-2017-13704.

Backport official fix from upstream.

Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com> (PKG_RELEASE increase)
2017-09-07 08:11:49 +02:00
Matthias Schiffer
bb6a8b2cbf
uclient: update to 2017-09-06
24d6eded73de uclient-http: fix Host: header for literal IPv6 addresses
83ce236dab86 uclient-fetch: read_data_cb: fix a potential buffer overflow

Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
2017-09-06 15:48:05 +02:00
Stijn Tintel
f62a31d0e9 f2fs-tools: fix mkfs.f2fs on big-endian systems
Fixes: FS#749

Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
(cherry picked from commit cdb494fdc2)
2017-09-03 10:14:09 +03:00
Stijn Tintel
c3bddb49ff f2fs-tools: drop musl compat patch
It is no longer needed since version 1.4.1.

Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
(cherry picked from commit 252c8ddf14)
2017-09-03 10:14:09 +03:00
Stijn Tintel
707a4b459d f2fs-tools: drop patch in favour of CONFIGURE_VARS
Override the failing check in configure with CONFIGURE_VARS instead of
carrying a patch that's unlikely to be accepted by upstream.

Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
Acked-by: John Crispin <john@phrozen.org>
(cherry picked from commit d87f27af54)
2017-09-03 10:14:09 +03:00
Daniel Engberg
bd29aa1ba1 f2fs-tools: Switch to gz tarball
At some point kernel.org decided to drop xz generated tarballs, switch to gz which they still provide.

Signed-off-by: Daniel Engberg <daniel.engberg.lists@pyret.net>
2017-09-03 10:14:09 +03:00
Kevin Darbyshire-Bryant
a006b48c04 dnsmasq: forward.c: fix CVE-2017-13704
Fix SIGSEGV in rfc1035.c answer_request() line 1228 where memset()
is called with header & limit pointing at the same address and thus
tries to clear memory from before the buffer begins.

answer_request() is called with an invalid edns packet size provided by
the client.  Ensure the udp_size provided by the client is bounded by
512 and configured maximum as per RFC 6891 6.2.3 "Values lower than 512
MUST be treated as equal to 512"

The client that exposed the problem provided a payload udp size of 0.

Signed-off-by: Kevin Darbyshire-Bryant <kevin@darbyshire-bryant.me.uk>
Acked-by: Hans Dedecker <dedeckeh@gmail.com>
2017-08-30 21:12:49 +02:00
Daniel Engberg
ae3c55666d tcpdump: Update to 4.9.1
Fixes:
 * CVE-2017-11108: Fix bounds checking for STP.

Signed-off-by: Daniel Engberg <daniel.engberg.lists@pyret.net>
2017-08-15 18:31:10 +02:00
Baptiste Jonglez
3e35eb13ad mbedtls: Re-allow SHA1-signed certificates
Since mbedtls 2.5.1, SHA1 has been disallowed in TLS certificates.
This breaks openvpn clients that try to connect to servers that
present a TLS certificate signed with SHA1, which is fairly common.

Run-tested with openvpn-mbedtls 2.4.3, LEDE 17.01.2, on ar71xx.

Fixes: FS#942

Signed-off-by: Baptiste Jonglez <git@bitsofnetworks.org>
2017-08-11 20:45:28 +02:00
Rafał Miłecki
889638c8bf base-files: don't setup network in preinit if failsafe is disabled
With failsafe disabled there is no point in early network setup. We
don't send announcement over UDP and there is no way to ssh to the
device.

A side effect of this is avoiding a possibly incorrect network config
(only with failsafe disabled). This problem is related to possible
changes made by user in /etc/config/network.

Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
2017-08-09 23:20:23 +02:00
Hans Dedecker
b67b316dd1 dnsmasq: backport remove ping check of configured dhcp address
Remove ping check in DHCPDISCOVER case as too many buggy clients leave
an interface in configured state causing the ping check to fail.

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2017-08-08 14:44:36 +02:00
Hans Dedecker
4503d8b297 procd: update to the latest git HEAD
66be6a2 watchdog: fix inline watchdog_get_magicclose function prototype

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2017-08-08 14:41:02 +02:00
John Crispin
66b071fa09 procd: update to latest git HEAD
3e68cdf procd: Do not leak pipe file descriptors to children

Signed-off-by: John Crispin <john@phrozen.org>
2017-08-01 07:02:53 +02:00
Hauke Mehrtens
7ab8bf126e curl: fix CVE-2017-7407 and CVE-2017-7468
This fixes the following security problems:
* CVE-2017-7407: https://curl.haxx.se/docs/adv_20170403.html
* CVE-2017-7468: https://curl.haxx.se/docs/adv_20170419.html

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2017-07-28 23:49:39 +02:00
Uwe Arnold
823d35f2fd kernel: netfilter: fix nf-nathelper(-extra) description
The tftp and irc netfilter modules are provided by nf-nathelper-extra
and not by nf-nathelper.

Signed-off-by: Uwe Arnold <donvipre@gmail.com>
[move the irc module as well]
Signed-off-by: Mathias Kresin <dev@kresin.me>
2017-07-25 21:02:27 +02:00
Piotr Dymacz
671fc88c91 uboot-envtools: add support for ALFA Network AP121F
Signed-off-by: Piotr Dymacz <pepe2k@gmail.com>
2017-07-23 00:26:51 +02:00
Hans Dedecker
82b20d74cb procd: backport kernel watchdog start/stop support
4dbf57a watchdog: add support for starting/stopping kernel watchdog

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2017-07-13 21:54:59 +02:00
Hans Dedecker
699e3127c5 dnsmasq: backport patch fixing DNS failover (FS#841)
Backport upstream dnsmasq patch fixing DNS failover when first servers
returns REFUSED in strict mode; fixes issue FS#841.

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2017-07-12 22:06:48 +02:00
Daniel Golle
7896d7b814
fstools: backport fixes from master branch
The following changes are backported from the master branch

bdcb075 libfstools: fix matching device name
(f038a61 on master)

ef2d438 fstools: use -Wno-format-truncation instead of -Wno-error=format-truncation
(c43ae11 on master)

d361923 build: disable the format-truncation warning error to fix gcc 7 build errors
(a19f2b3 on master)

cddc830 libfstools: silence mkfs.{ext4,f2fs}
(88d48d5 on master)

be5004c libfstools: add basic documentation of mount functions
(92b4c2c on master)

34d36c2 add missing includes
(7d78836 on master)

A previously added hotfix was replaced by a git commit, hence the patch
file is removed and we got instead

45c2a6f libfstools: fix multiple volume_identify usages with the same volume
(633a8d0 on master)

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2017-07-11 23:30:10 +02:00
Matthias Schiffer
74d5c3e019
mtd-utils: use source package name for lzo in PKG_BUILD_DEPENDS
PKG_BUILD_DEPENDS should always refer to source package names.

Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
2017-07-08 22:55:19 +02:00
Hans Dedecker
91d41b6305 dnsmasq: backport tweak ICMP ping logic for DHCPv4
Don't start ping-check of address in DHCP discover if there already
exists a lease for the address. It has been reported under some
circumstances android and netbooted windows devices can reply to
ICMP pings if they have a lease and thus block the allocation of
the IP address the device already has during boot.

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2017-07-01 13:53:53 +02:00
Hans Dedecker
cca765f64c dhcpv6: add missing dollar sign in dhcpv6 script (FS#874)
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2017-06-29 10:02:14 +02:00
Daniel Golle
eff3469510 procd: backport fixes from master branch
The following commits have been cherry-picked into the lede-17.01
branch of procd, listed here in git-log-order ie. with head first:

89918c8 system: introduce new attribute board_name
(79bbe6d and 453116e on master branch)

8297c38 preinit: define _GNU_SOURCE
(e5b963a on master branch)

8fd57dd upgraded: cmake: Find and include uloop.h
(e5ff8ca on master branch)

6b0da20 hotplug: fix a memory leak in handle_button_complete()
(f367ec6 on master branch)

558ffb5 service/service_stopped(): fix a use-after-free
(796ba3b on master branch)

22f89e1 upgraded: define __GNU_SOURCE
(e7bb2c8 on master branch)

6e8ea8b rcS: add missing fcntl.h include
(992b796 on master branch)

cd5225d procd/rcS: Use /dev/null as stdin
(d42b21e on master branch)

5131bec procd: Log initscript output prefixed with script name
(1247db1 on master branch)

225b18d procd: Don't use syslog before its initialization
(8d720b2 on master branch)

889442c procd: Add missing \n in debug message
(2555474 on master branch)

2716228 procd: service gets deleted when its last instance is freed
(8f218f5 on master branch)

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2017-06-28 02:01:07 +02:00
Rafał Miłecki
761e6087ed base-files: fix PKG_CONFIG_DEPENDS to include version.mk entries
Including version.mk sets PKG_CONFIG_DEPENDS to config entries used for
VERSION_SED command. We should keep these configs to make sure package
gets refreshed when needed.

Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
2017-06-26 23:47:12 +02:00
Christian Schoenebeck
73a4568f19 ca-certificates: Update to version 20161130+nmu1
Signed-off-by: Christian Schoenebeck <christian.schoenebeck@gmail.com>
2017-06-26 10:09:54 +02:00
Magnus Kroken
57289ae640 openvpn: update to 2.4.3
Fixes for security and other issues. See security announcement for more details:
https://community.openvpn.net/openvpn/wiki/VulnerabilitiesFixedInOpenVPN243

* Remotely-triggerable ASSERT() on malformed IPv6 packet (CVE-2017-7508)
* Pre-authentication remote crash/information disclosure for clients (CVE-2017-7520)
* Potential double-free in --x509-alt-username (CVE-2017-7521)
* Remote-triggerable memory leaks (CVE-2017-7512)
* Post-authentication remote DoS when using the --x509-track option (CVE-2017-7522)
* Null-pointer dereference in establish_http_proxy_passthru()
* Restrict --x509-alt-username extension types
* Fix potential 1-byte overread in TCP option parsing
* Fix mbedtls fingerprint calculation
* openssl: fix overflow check for long --tls-cipher option
* Ensure option array p[] is always NULL-terminated
* Pass correct buffer size to GetModuleFileNameW() (Quarkslabs finding 5.6)

Signed-off-by: Magnus Kroken <mkroken@gmail.com>
2017-06-26 09:57:11 +02:00
Magnus Kroken
73e81a8318 mbedtls: update to 2.5.1
Fixes some security issues (no remote exploits), and introduces
some changes. See release notes for details:
https://tls.mbed.org/tech-updates/releases/mbedtls-2.5.1-2.1.8-and-1.3.20-released

* Fixes an unlimited overread of heap-based buffers in mbedtls_ssl_read()
* Adds exponent blinding to RSA private operations
* Wipes stack buffers in RSA private key operations (rsa_rsaes_pkcs1_v15_decrypt(), rsa_rsaes_oaep_decrypt())
* Removes SHA-1 and RIPEMD-160 from the default hash algorithms for certificate verification.
* Fixes offset in FALLBACK_SCSV parsing that caused TLS server to fail to detect it sometimes.
* Tighten parsing of RSA PKCS#1 v1.5 signatures, to avoid a potential Bleichenbacher/BERserk-style attack.

Signed-off-by: Magnus Kroken <mkroken@gmail.com>
2017-06-26 09:57:11 +02:00
Hans Dedecker
8f254e9c27 Revert "dnsmasq: don't point --resolv-file to default location unconditionally"
This reverts commit 78edfff530.

This breaks local dns resolving in case noresolv=1 as resolv.conf is not
populated anymore with 127.0.0.1 as resolvfile does not equal
/tmp/resolv.conf.auto anymore.

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2017-06-19 22:07:44 +02:00
Kevin Darbyshire-Bryant
c16326cfed dropbear: fix service trigger syntax error
The classic single '&' when double '&&' conditional was meant.

Signed-off-by: Kevin Darbyshire-Bryant <kevin@darbyshire-bryant.me.uk>
2017-06-17 13:50:27 +02:00
Alexander Couzens
a6b5ddfd9b LEDE v17.01.2: revert to branch defaults
Signed-off-by: Alexander Couzens <lynxis@fe80.eu>
2017-06-10 13:08:07 +02:00
Alexander Couzens
2da512ecf4 LEDE v17.01.2: adjust config defaults
Signed-off-by: Alexander Couzens <lynxis@fe80.eu>
2017-06-10 13:08:02 +02:00
Jo-Philipp Wich
e5db08edf7 base-files: network.sh: fix a number of IPv6 logic flaws
* Change network_get_subnet6() to sensibly guess a suitable prefix

  Attempt to return the first non-linklocal, non-ula range, then attempt
  to return the first non-linklocal range and finally fall back to the
  previous behaviour of simply returning the first found item.

* Fix network_get_ipaddrs_all()

  Instead of replicating the flawed logic appending a fixed ":1" suffix
  to IPv6 addresses, rely on network_get_ipaddrs() and network_get_ipaddrs6()
  to build a single list of all interface addresses.

* Fix network_get_subnets6()

  Instead of replicating the flawed logic appending a fixed ":1" suffix
  to IPv6 addresses, rely on the ipv6-prefix-assignment.local-address
  field to figure out the proper network address.

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2017-06-08 23:02:16 +02:00
Jo-Philipp Wich
8a42d4d851 mwlwifi: update to version 10.3.4.0 / 2017-06-06
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2017-06-08 19:57:31 +02:00
Jo-Philipp Wich
df4363b607 base-files: network.sh: properly report local IPv6 addresses
Rework the network_get_ipaddr6() and network_get_ipaddrs6() functions to
fetch the effective local IPv6 address of delegated prefix from the
"local-address" field instead of naively hardcoding ":1" as static suffix.

Fixes FS#829.

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2017-06-08 12:06:50 +02:00
Mathias Kresin
524ed5088e base-files: always set proto passed to _ucidef_set_interface()
Overwrite an already set proto if a new one is passed to
_ucidef_set_interface() similar to what is done for the interface.

It is required when using ""ucidef_set_interface_wan 'ptm0' 'pppoe'"
after some initial wan interface configuration is already done by
ucidef_add_switch.

The "json_is_a protocol string" guard is meant to not reset an earlier
set interface proto in case something like
"ucidef_set_interface_lan 'eth0'" is used afterwards.

Signed-off-by: Mathias Kresin <dev@kresin.me>
2017-06-03 20:41:26 +02:00
Jo-Philipp Wich
e78a641f52 umdns: remove superfluous include in init script
The umdns init script includes function/network.sh globally, outside of any
service procedure. This causes init script activation to fail in buildroot
and IB context if umdns is set to builtin.

Additionally, the network.sh helper is not actually used.

Drop the entire include in order to repair init script activation in build
host context. Fixes FS#658.

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2017-06-02 01:29:51 +02:00
Jo-Philipp Wich
cdfc6788a9 dnsmasq: bump to 2.77
This is a cumulative backport of multiple dnsmasq update commits in master.

Drops three LEDE specific patches which are included upstream and another
patch which became obsolete. Remaining LEDE specific patches are rebased.

Fixes FS#766 - Intermittent SIGSEGV crash of dnsmasq-full.

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2017-06-02 00:25:08 +02:00
Alberto Bursi
9e20cc56b9 dnsmasq: make tftp root if not existing
If there's a TFTP root directory configured, create it with mkdir -p
(which does not throw an error if the folder exists already)
before starting dnsmasq. This is useful for TFTP roots in /tmp, for example.

Originally submitted by nfw user aka Nathaniel Wesley Filardo

Signed-off-by: Alberto Bursi <alberto.bursi@outlook.it>
2017-06-02 00:09:14 +02:00
Karl Vogel
ebf46d2c5b dnsmasq: use logical interface name for dhcp relay config
The relay section should use the logical interface name and
not the linux network device name directly. This to be
consistent with other sections of the dnsmasq config where
'interface' means the logical interface.

Signed-off-by: Karl Vogel <karl.vogel@gmail.com>
2017-06-02 00:07:02 +02:00
Philip Prindeville
78edfff530 dnsmasq: don't point --resolv-file to default location unconditionally
If noresolv is set, we should not generate a --resolv-file parameter.

Signed-off-by: Philip Prindeville <philipp@redfish-solutions.com>
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com> [minor cleanup]
2017-06-02 00:06:24 +02:00
Julian Labus
fe5e343933 usbmode: update usb-modeswitch-data to 20170205
add support for new hardware

Signed-off-by: Julian Labus <julian@labus-online.de>
2017-05-29 09:26:27 +02:00
Julian Labus
4baf0ea229 usbmode: update to latest version
453da8e convert-modeswitch.pl: fix message indices

Signed-off-by: Julian Labus <julian@labus-online.de>
2017-05-29 09:26:27 +02:00
Florian Fainelli
7c1e58863c usbmode: Update to latest HEAD
Brings the following changes:

22f041e18df0 Extend StandardEject sequence to include LUN 1
61fdf7e9b1cc cmake: Search for libjson-c
2769852e76b5 cmake: Find libubox/blobmsg_json.h
8a47c4b6649f add TargetClass support

Signed-off-by: Florian Fainelli <f.fainelli@gmail.com>
2017-05-29 09:26:27 +02:00
Jo-Philipp Wich
22478bf473 samba: bump PKG_RELEASE
The previous CVE bugfix commit did not adjust PKG_RELEASE, therefor the
fixed samba package does not appear as opkg update.

Bump the PKG_RELEASE to signify upgrades to downstream users.

Ref: https://forum.lede-project.org/t/sambacry-are-lede-devices-affected/3972/4

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2017-05-27 17:40:21 +02:00
Jo-Philipp Wich
757353c3a0 firewall: resync with master
Update to latest Git HEAD in order to import a number of fixes and other
improvements:

a4d98ae options: remove stray continue statement
3d2c18a options: improve handling of negations when parsing space separated values
0e5dd73 iptables: support -i, -o, -s and -d in option extra
4cb06c7 ubus: increase ubus network interface dump timeout
e5dfc82 iptables: add exception handling
f625954 firewall3: add check_snat() function
7d3d9dc firewall3: display the section type for UBUS rules
53ef9f1 firewall3: add UBUS support for include scripts
5cd4af4 firewall3: add UBUS support for ipset sections
02d6832 firewall3: add UBUS support for forwarding sections
0a7d36d firewall3: add UBUS support for redirect sections
d44f418 firewall3: add fw3_attr_parse_name_type() function
e264c8e firewall3: replace warn_rule() by warn_section()
6039c7f firewall3: check the return value of fw3_parse_options()
c328d1f build: use -Wno-format-truncation instead of -Wno-error=format-truncation
e06e537 utils: replace sprintf use with snprintf to avoid overflows
533f834 build: disable the format-truncation warning error to fix gcc 7 build errors
e751cde zones: drop outgoing invalid traffic in masqueraded zones
d596f72 rules: fix UCI context in error reporting
1d0564c ubus: fix interface name and proto lookup
82ccd9e firewall3: fix handling of UTC times
1949e0c iptables: support xtables API > 11

Fixes FS#548, FS#640, FS#806, FS#811.

Ref: https://forum.lede-project.org/t/nat-leakage-on-tl-wr1043nd-v4/1712

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2017-05-27 16:18:31 +02:00
Matthias Schiffer
4bd3b8f8b0 mac80211, hostapd: always explicitly set beacon interval
One of the latest mac80211 updates added sanity checks, requiring the
beacon intervals of all VIFs of the same radio to match. This often broke
AP+11s setups, as these modes use different default intervals, at least in
some configurations (observed on ath9k).

Instead of relying on driver or hostapd defaults, change the scripts to
always explicitly set the beacon interval, defaulting to 100. This also
applies the beacon interval to 11s interfaces, which had been forgotten
before. VIF-specific beacon_int setting is removed from hostapd.sh.

Fixes FS#619.

Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
2017-05-27 14:24:13 +02:00
Nick Lowe
e194e1b3c8 hostapd: add legacy_rates option to disable 802.11b data rates.
Setting legacy_rates to 0 disables 802.11b data rates.
Setting legacy_rates to 1 enables 802.11b data rates. (Default)

The basic_rate option and supported_rates option are filtered based on this.

The rationale for the change, stronger now than in 2014, can be found in:

https://mentor.ieee.org/802.11/dcn/14/11-14-0099-00-000m-renewing-2-4ghz-band.pptx

The balance of equities between compatibility with b clients and the
detriment to the 2.4 GHz ecosystem as a whole strongly favors disabling b
rates by default.

Signed-off-by: Nick Lowe <nick.lowe@gmail.com>
Signed-off-by: Felix Fietkau <nbd@nbd.name> [cleanup, defaults change]
2017-05-27 14:24:13 +02:00
Mathias Kresin
0e31ce730f ath10k-firmware: do not select the qca988x by default
Do not select the qca988x by default as soon as kmod-ath10k is
selected. We do support more ath10k chips than the qca988x in the
meantime, so this dependency doesn't make sense any longer.

Signed-off-by: Mathias Kresin <dev@kresin.me>
2017-05-27 14:22:16 +02:00
Yousong Zhou
2f92622ce8 kernel: fix autoloading arch-specific modules
Fixes FS#745

Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
2017-05-25 23:21:36 +08:00
Yousong Zhou
9c2bd3d631 backlight-pwm: fix module description
Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
2017-05-25 23:21:35 +08:00
Hauke Mehrtens
d1a0fc3ec8 binutils: fix build with host gcc < 4.9
binutils 2.27 checks if the target compiler supports -Wstack-
usage=262144, and also uses this setting for the host compiler. If the
host compiler is gcc < 4.9 binutils build will fail. This backports 2
commits which are fixing this problem for binutils 2.28.

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2017-05-24 18:05:18 +02:00
Hauke Mehrtens
d179aa8769 util-linux: fix build with uclibc
Fix build of scriptreplay with uClibc.
Some parts of the libm detection were backported to 2.29.2, but some
parts were missing, which are added here. This patch is needed when
libm is a separate library, this is not needed for LEDE master, because
libm is there integrated in the libc for uClibc and musl.

Signed-off-by: Hauke Mehrtens <hauke.mehrtens@intel.com>
2017-05-24 18:04:51 +02:00
Kevin Darbyshire-Bryant
dd19a41520 dropbear: bump to 2017.75
- Security: Fix double-free in server TCP listener cleanup A double-free
in the server could be triggered by an authenticated user if dropbear is
running with -a (Allow connections to forwarded ports from any host)
This could potentially allow arbitrary code execution as root by an
authenticated user.  Affects versions 2013.56 to 2016.74. Thanks to Mark
Shepard for reporting the crash.
CVE-2017-9078 https://secure.ucc.asn.au/hg/dropbear/rev/c8114a48837c

- Security: Fix information disclosure with ~/.ssh/authorized_keys
symlink.  Dropbear parsed authorized_keys as root, even if it were a
symlink.  The fix is to switch to user permissions when opening
authorized_keys

A user could symlink their ~/.ssh/authorized_keys to a root-owned file
they couldn't normally read. If they managed to get that file to contain
valid authorized_keys with command= options it might be possible to read
other contents of that file.
This information disclosure is to an already authenticated user.
Thanks to Jann Horn of Google Project Zero for reporting this.
CVE-2017-9079 https://secure.ucc.asn.au/hg/dropbear/rev/0d889b068123

Refresh patches, rework 100-pubkey_path.patch to work with new
authorized_keys validation.

Signed-off-by: Kevin Darbyshire-Bryant <kevin@darbyshire-bryant.me.uk>
2017-05-24 18:04:51 +02:00
Stijn Tintel
51db1f5a9a samba: fix CVE-2017-7494
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
(cherry picked from commit 3f0d3d12da)
2017-05-24 15:41:30 +02:00
Rafał Miłecki
1165c0ae0d umdns: update to the version 2017-05-22
This includes following changes:
0e8b948 Support specifying instance name in JSON file
49fdb9f Support PTR queries for a specific service
26ce7dc Allow filtering with instance name in service_reply
920c62a Store instance name in the struct service
ff09d9a Rename service_name function to the service_instance_name
64f78f1 Rename mdns_hostname variable to the umdns_host_label

Previous package update pulled commit 70c66fbbcde86 ("Fix sending
replies to PTR questions") which introduced a regression which this
update fixes.

Fixes: 474c31a20d ("umdns: update to the version 2017-03-21")
Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
2017-05-22 12:11:29 +02:00
Rafał Miłecki
0bef8f8011 fstools: backport regression fix for volume_identify
This fixes regression when volume_identify didn't identify volume on
subsequent calls.

Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
2017-05-22 11:15:53 +02:00
Steffen Weinreich
9423cf3e98 om-watchdog: add support for Teltonika RUT5xx (ramips)
Add rut5xx GPIO PIN selection to om-package startup script.

Testet on a RUT500 device, the timeout value of the hardware watchdog
is about 280 sec.

Signed-off-by: Steffen Weinreich <steve@weinreich.org>
[split into two commits, bump PKG_RELEASE]
Signed-off-by: Piotr Dymacz <pepe2k@gmail.com>
2017-05-15 22:55:54 +02:00
Piotr Dymacz
38367c5699 om-watchdog: cosmetic code style fixes
Signed-off-by: Piotr Dymacz <pepe2k@gmail.com>
2017-05-15 22:55:47 +02:00
Piotr Dymacz
da4992f822 om-watchdog: cleanup Makefile
Drop redundant Build/Prepare, empty lines and duplicated Build/Compile.

Signed-off-by: Piotr Dymacz <pepe2k@gmail.com>
2017-05-15 22:55:41 +02:00
Jo-Philipp Wich
aba1b3cbd1 openvpn: update to v2.4.2
Update to version 2.4.2 in order to address two potential Denial-of-Service
vectors in OpenVPN.

CVE-2017-7478 - Don't assert out on receiving too-large control packets
CVE-2017-7479 - Drop packets instead of assert out if packet id rolls over

Ref: https://community.openvpn.net/openvpn/wiki/ChangesInOpenvpn24#OpenVPN2.4.2
Ref: https://community.openvpn.net/openvpn/wiki/QuarkslabAndCryptographyEngineerAudits

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2017-05-12 11:57:01 +02:00
Felix Fietkau
53e751e303 openvpn: add myself as maintainer
Signed-off-by: Felix Fietkau <nbd@nbd.name>
2017-05-12 11:57:01 +02:00
Daniel Engberg
d40e2efa94 OpenVPN: Update to 2.4.1
Update OpenVPN to 2.4.1
Remove 200-small_build_enable_occ.patch as it's included upstream.
Refresh patches
Add mirror and switch to HTTPS

Signed-off-by: Daniel Engberg <daniel.engberg.lists@pyret.net>
2017-05-12 11:57:00 +02:00
Martin Schiller
98491a9ae9 openvpn: add extra respawn parameters
This change protects the openvpn instances to be marked as "in a crash
loop" and thereby the connection retries will run infinitely.

When the remote site of an openvpn connection goes down for some time
(network failure etc.) the openvpn instance in an openwrt/lede device
should not stop retrying to establish the connection.

With the current limit of 5 retries, there is a user interaction
required, which isn't really what you want when the device should
simply do everything to keep the vpn connection up.

Signed-off-by: Martin Schiller <ms@dev.tdt.de>
2017-05-12 11:57:00 +02:00
Yousong Zhou
bc58099802 openvpn: move list of params and bools to a separate file
So that future patches for addition/removal of them can be more
readable

Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
2017-05-12 11:57:00 +02:00
Hans Dedecker
d8cfebaa50 dnsmasq: support dhcp_option config as a list
Configuring dhcp_option as an option does not allow the usage of white
spaces in the option value; fix this by supporting dhcp_option as a list
config while still supporting the option config to maintain backwards
compatibility

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2017-05-09 22:39:41 +02:00
Jo-Philipp Wich
0c8f72639f base-files: implement ucidef_set_hostname(), ucidef_set_ntpserver()
Commit 2036ae4 (base-files: support hostname and ntp servers through board.d)
was supposed to implement these procedures but lacked the required changes
to uci-defaults.sh.

Add the missing procedures now to fix config generation on targets relying
on hostname or NTP server presetting.

Fixes FS#754.

Reported-by: Cristian Morales Vega <cristian@samknows.com>
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2017-05-03 13:48:44 +02:00
Tomislav Požega
eb11207397 mac80211: rt2800: fix mt7620 E2 channel registers
update RF register 47 and 54 values according to vendor driver

Signed-off-by: Tomislav Požega <pozega.tomislav@gmail.com>
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
[daniel@makrotopia.org: moved changes into a separate patch]
2017-05-02 23:17:22 +02:00
Tomislav Požega
64fa4ead32 mac80211: rt2800: fix mt7620 vco calibration registers
Use register values from init LNA function instead of the ones from
restore LNA function. Apply register values based on rx path
configuration.

Signed-off-by: Tomislav Požega <pozega.tomislav@gmail.com>
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
[daniel@makrotopia.org: moved changes into a separate patch]
2017-05-02 23:17:22 +02:00
Daniel Golle
820a39687d mac80211: rt2x00: fix MT7620 LNA gain and VCO-after-ALC
This should fix issues with bad RX as well as AP not coming up and/or
scanning failing.

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2017-05-02 23:17:22 +02:00
Daniel Golle
5b91d2b52e mac80211: rt2x00: import upstream changes and rebase our patches
Some of our local patches have been accepted upstream. And there are
some more relevant changes (mostly for rt2800usb). Import them and
rebase our remaining local patches on top.

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2017-05-02 23:17:22 +02:00
Daniel Golle
ab7087e24f rt2x00: mt7620: make fixes requested upstream
Introduce RT6352 instead of matching against RF7620.
Clean up channel setting rfvals.
Port bandwidth filter calibration.

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2017-05-02 23:17:22 +02:00
Daniel Golle
4314646ac6 rt2x00: mt7620: yet another beauty session
So here is another round of improvements for MT7620 WiFi.

This commit fixes a few significant issues related to TX_PWR_CFG_x and
TX_ALC and also makes the code more readable by adding register
descriptions for things added for MT7620 and use the usual bit-field
access macros and the now defined macros instead of plain bit-ops and
magic numbers.

Properly describe EEPROM_TARGET_POWER at word 0x68 (== byte 0xD0) and
thereby fix internal TXALC which would otherwise just read
out-of-bounds of the EEPROM map.

Split-out tx-power/ALC related stuff into an additional function.
Fix VCO calibration, it was carried out properly in the channel
switching but incomplete in the actual VCO calibration function.
Also there is no need to trigger VCO calibration in channel switching,
the VCO calibration function is already being called at this point.
Remove it from channel switching function to avoid redundant code.

The TX power calibration differs significantly from all other
Mediatek/Ralink chips: They finally allow 0.5dB steps stored as 8-bit
values for (almost) each bitrate -- and promptly ran out of space and
for some reason didn't want to change the EEPROM layout. The hence
opted for a scheme of sharing values for some adjecent bitrates and
a highly over-complicated (or obfuscated?) way to populate the
TX_PWR_CFG_x registers with the values stored in the EEPROM.
The code here now looks much less complicated than what you see in the
vendor's driver, however, it does the exact same thing:
bGpwrdeltaMinus is a constant and always TRUE, hence half of the
code was dead. Gpwrdelta is always 0 (rather than using the value read
from the EEPROM). What remains is some very grotesque effort to avoid
0x20, probably some hardware bug related to some misunderstanding of
what a singed 8-bit value is (imagine: if it was a signed 6-bit value
then someone could believe that 0x20 == 0x0). And then they didn't
clean it up once they later on anandonned that whole story of having a
constant offset for 40 MHz channels and just set the offset to be
constant 0 -- there is no effort for avoiding 0x20 for the 20 MHz
values stored in the EEPROM, hence that's probably just a forbidden
value in the EEPROM specs and won't appear anyway...
Anyway, the whole thing felt like solving some college math test
where in the end everything cancels out and the result equals 0 ;)
To make sure that channel bandwidth power compensation really doesn't
need to be taken care of, output a warning when the corresponding
value stored in the EEPROM is non-zero.

Also there is no apparent reason to refrain from initializing RFCSR
register 13, it doesn't fail what-so-ever.

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2017-05-02 23:17:22 +02:00
Jonas Gorski
ceefe616c8 mac80211: add rt2x00 debug symbols to PKG_CONFIG_DEPENDS
Chaning these symbols require a recompilation of the modules, so make the
system aware of it.

Signed-off-by: Jonas Gorski <jonas.gorski@gmail.com>
2017-05-02 23:17:22 +02:00
Felix Fietkau
5ac51ada60 ath9k: fix power limits on init
The tx power applied by set_txpower is limited by the CTL (conformance
test limit) entries in the EEPROM. These can change based on the user
configured regulatory domain.
Depending on the EEPROM data this can cause the tx power to become too
limited, if the original regdomain CTLs impose lowr limits than the CTLs
of the user configured regdomain.

To fix this issue, set the initial channel limits without any CTL
restrictions and only apply the CTL at run time when setting the channel
and the real tx power.

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2017-05-02 23:17:22 +02:00
Felix Fietkau
a9728799bc ath: do not apply broken power limits with ATH_USER_REGD
If a device uses the default EEPROM code, typically only the main CTLs
are valid, and they do not apply properly when switching to a different
regulatory domain. If the regdomain deviates from the EEPROM one, force
the world roaming regdomain to ensure that power limits are sane

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2017-05-02 23:17:22 +02:00
Hans Dedecker
503e496366 odhcpd: update to version 2017-04-28 (FS#595)
9268ca6 ndp: don't trigger IPv6 ping when neighbor entry is invalid
2b3355f ndp: fix adding proxy neighbor entries
7dff5b4 ndp: fix wrong interface name in syslog message
a54afb5 dhcpv6-ia: Fix segfault when writing DHCPv4 leases in state file
c0e9dbf ubus: don't segfault when there're no leases

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2017-05-02 22:08:32 +02:00
Hans Dedecker
c266641acf odhcpd: update to version 2017-04-21
570069d ubus: rework dumping IPv6 and IPv4 leases
4e579c4 dhcpv6-ia: simplify logic to write statefile and dhcpv6 logging

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2017-05-02 22:08:21 +02:00
Florian Fainelli
e200c66a1a rpcd: Explicitly link with lcrypt
Fixes build issues with some toolchains that don't add lcrypt in the default
search paths:

CMakeFiles/rpcd.dir/session.c.o: In function `rpc_login_test_password':
build_dir/target-mipsel-linux-gnu/rpcd-2016-12-03-0577cfc1/session.c:823: undefined reference to `crypt'
collect2: error: ld returned 1 exit status

Signed-off-by: Florian Fainelli <f.fainelli@gmail.com>
2017-04-28 17:09:13 +02:00
Jo-Philipp Wich
ae0e167f2b busybox: revert accidential version bump
Due to an oversight during patch conflict resolution, the PKG_VERSION got
accidentially bumped instead of the PKG_RELEASE field.

Revert the bad version change as there exists no upstream 1.25.2 version.

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2017-04-27 15:38:48 +02:00
Jo-Philipp Wich
fe0b171372 busybox: nslookup_lede: mimic output format of old Busybox applet
When invoking "nslookup_lede" with a domain argument and without explicit
query type, issue both A and AAAA queries and display the resulting IP
addresses in a numbered list style, similar to how the old BusyBox nslookup
used to output the records.

This is required for compatibility with certain scripts.

Ref: https://forum.lede-project.org/t/nslookup-ipv6-in-lede-17-01-1

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2017-04-27 15:33:16 +02:00
Jo-Philipp Wich
a2ee9b7068 busybox: nslookup_lede: fix compatibility with v1.25
The ":*" optstring syntax was only recently introduced with BusyBox v1.26,
older versions need a corresponding hint in the "opt_complementary" variable
to denote flag values that should be stored as llist entries.

Add the required opt_complementary entry to fix random SIGBUS, SIGILL or
SIGSEGV related crashes on BusyBox 1.25.x when attempting to use the "-q"
flag of the "nslookup_lede" applet.

Ref: https://forum.lede-project.org/t/nslookup-ipv6-in-lede-17-01-1

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2017-04-27 15:31:07 +02:00
Yousong Zhou
2bc8d5eaf1 ubox: bump to version 2017-03-10
Fixes FS#684 with commit 21a4bd0

Changes since current version.  All changes except the ones prefixed
with asterisks are for bugfixes.  Module aliases awareness is expected
by the kernel to be a basic facility and is required for properly
initializing wireguard.

    16f7e16 syslog: remove unnecessary sizeof struct between messages
    21a4bd0 kmodloader: modprobe: return 0 for loaded modules
    3dc78a4 kmodloader: don't store aliases info in struct module
    c553354 cmake: fix typo
    8973576 kmodloader: fix not being able to find some modules
    fce9382 cmake: Check for getrandom system call
    ac2d43e kmodloader: support '-q' quiet option
   *f8d3d16 ubox: Add an option for more accurate timestamps in log
    14839f0 kmodloader: make insert_module() idempotent
   *6e3c6dc kmodloader: add module alias awareness
    9371411 kmodloader: fix out-of-bound access when parsing .modinfo
    a62c946 kmodloader: modprobe: skip possible command line arguments
   *46a4b5f kmodloader: log to kmsg when loading directories of modules
    eacc426 kmodloader: remove redundant glob wildcard char
    8488bb5 ubox: Initialize conditionally uninitialized variabled
    db070f1 ubox: Fix some memory leaks
    acc48b5 kmodloader: Fix typo in error message

Size comparison on x86_64 host

    function                                             old     new   delta
    main                                                2190    2344    +154
    scan_module_folder                                   665     793    +128
    alloc_module_node                                      -     113    +113
    .rodata                                              946    1036     +90
    alloc_module                                         202     245     +43
    free_modules                                          77     119     +42
    load_modprobe                                        209     237     +28
    scan_loaded_modules                                  241     265     +24
    avl_modcmp                                            45      67     +22
    insert_module                                        204     224     +20
    find_module                                           13      30     +17
    static.optind@@GLIBC_2                                 -       4      +4
    static.load_moddeps                                  118     117      -1
    scan_module_folders                                   55      54      -1
    ------------------------------------------------------------------------------
    (add/remove: 2/0 grow/shrink: 10/2 up/down: 685/-2)           Total: 683 bytes

Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
2017-04-27 14:38:05 +08:00
Florian Fainelli
72fcdb6286 openssl: Use mkhash for STAMP_CONFIGURED
The current way of creating a STAMP_CONFIGURED filename for OpenSSL can
lead to an extremely long filename that makes touch unable to create it,
and fail the build.

Use mkhash to produce a hash against OPENSSL_OPTIONS which creates a
shortert stamp file,

Fixes #572

Signed-off-by: Florian Fainelli <f.fainelli@gmail.com>
2017-04-22 12:43:51 +02:00
Jo-Philipp Wich
5feb4f0e6d busybox: fix build of nslookup_lede applet without IPv6 (#728)
Protect any IPv6 related with appropriate guards to fix compilation with
disabled IPv6 support in Busybox.

Fixes #728.

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2017-04-21 13:20:42 +02:00
Florian Fainelli
449880e0ff busybox: Move libresolv detection to LEDE Makefile
Since the LEDE nslookup applet is already specific to LEDE, move the
libresolv detection into the busybox Makefile that LEDE uses.

This fixes builds with external toolchains that don't automatically
search for headers and/or libraries without being told so.

Fixes: de5b8e5d2f ("busybox: add musl compatible nslookup replacement")
Signed-off-by: Florian Fainelli <f.fainelli@gmail.com>
2017-04-21 12:24:17 +02:00
Daniel Engberg
7eb58cf109 utils/f2fs-tools: Update to 1.8.0
Update f2fs-tools to 1.8.0
Refresh patches
Remove selinux patch, use configure argument instead.
Switch to xz tarball
Adjust url to avoid redirects

Signed-off-by: Daniel Engberg <daniel.engberg.lists@pyret.net>
2017-04-17 18:15:53 +02:00
Jo-Philipp Wich
1d76542cca busybox: add musl compatible nslookup replacement
Add an alternative nslookup applet implementation which is compatible with
musl libc wrt. name server selection and which supports a number of additional
features such as query type selection.

Fixes #155, #217

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2017-04-15 18:13:45 +02:00
Hans Dedecker
c2999ef592 odhcpd: update to version 2017-03-29 (FS#635)
3d9f406 rework IPv6 dns address selection (FS#635)
bc6c3ac ndp: keep an exact copy of IPv6 interface addresses
6eb1e01 ndp: code cleanup
eea7d03 rework IPv6 address dump logic
24d21c7 ndp: add syslog debug tracing

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2017-04-13 13:55:57 +02:00
Florian Fainelli
a532aaa2aa odhcpd: update to version 2017-02-28
Brings in the following change:

9eac2a896341 dhcpv6-ia: Check lockf return value

Signed-off-by: Florian Fainelli <f.fainelli@gmail.com>
2017-04-13 13:55:57 +02:00
Hans Dedecker
425c6d0462 odhcpd: update to version 2017-02-21
1b630f8 router: don't announce prefixes with valid lifetime equal to 0
ba0cac0 router: fix arithmetic exception fault
3495f17 router: allow RA prefix lifetime being set to leasetime value (FS#397)
e437ce9 treewide: simplify dhcp leasetime checking
942fb33 router: support ra_mininterval and ra_lifetime uci parameters (FS#397)
f913337 router.h: fix alignment style
4dc7edb Revert "odhcpd.h: fix alignment style"
62ea54f odhcpd.h: fix alignment style
a898ee5 config: make loglevel configurable via uci (FS#481)
51c756c odhcpd: display correct default log level in usage text
68ee0b5 treewide: define and use macro IN6_IS_ADDR_ULA
fa57225 ndp: deregister netlink event socket for non recoverable errors
ac70d28 odhcpd: fix white space errors

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2017-04-13 13:55:57 +02:00
Felix Fietkau
caaa214eae util-linux: re-enable parallel builds
The original build error in 'more' seems to be gone

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2017-04-11 19:33:04 +02:00
Felix Fietkau
0faf921a01 util-linux: unconditionally enable ncursesw support
The build dependency is unconditional, and some components might fail if
ncurses is not available

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2017-04-11 19:33:00 +02:00
Daniel Engberg
f2a3653882 utils/util-linux: Update to 2.29.2
Update util-linux to 2.29.2
Remote 0001-fix-uClibc-ng-scanf-check.patch as it's been merged upstream.
Refresh patches
Change ncurses to ncursesw to fix compilation and avoid confusion

Signed-off-by: Daniel Engberg <daniel.engberg.lists@pyret.net>
Signed-off-by: Felix Fietkau <nbd@nbd.name> [remove faulty dependency changes]
2017-04-11 19:32:57 +02:00
Jo-Philipp Wich
c6e79980b8 build: fix triggering opkg/host compilation
Commit 131db36 "build: remove separate /install step for host builds" dropped
the package/*/host/install targets in favor to performing the install steps
within the compile target instead.

Adjust package/Makefile accordingly in order to prevent a missing
staging_dir/host/bin/opkg when staging package archives into the rootfs.

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2017-04-09 15:42:20 +02:00
Felix Fietkau
5866ff8be8 libubox: fix host build on macOS
Use the defaults instead of a custom non-portable Host/Install section

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2017-04-08 14:49:05 +02:00
Jo-Philipp Wich
293c54c567 libubox: add host build
Our opkg fork requires libubox to build, so add a host build for it.

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2017-04-08 14:48:55 +02:00
Jo-Philipp Wich
5aa97e35de opkg: switch to LEDE fork (#120, #551, #571)
Cherry-pick the following commits from master to bump opkg in LEDE 17.01:

b65dc04712 opkg: switch to own fork to improve memory usage
55ffc38004 opkg: re-enable usign support
19720a6f03 opkg: fix handling conffiles in status lists
9e4555f58d opkg: fix stray printf() (#551)
ebf846b005 opkg: mark as essential (FS#571)
aedd5d5cb0 opkg: fix several package installation bugs
48ae44d033 opkg: gracefully handle missing $PATH, fix build warnings
1449b52f02 opkg: backport upstream fixes, code cleanups

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2017-04-08 14:31:27 +02:00
Felix Fietkau
7099bb19b5 mt76: ensure that the metapackage gets built as .ipk
Fixes errors during the image builder run

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2017-04-05 23:39:23 +02:00
Felix Fietkau
47bf110cbb mac80211: backport an upstream fix for queue start/stop handling
Fixes issues with 802.11s

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2017-04-03 15:12:50 +02:00
Piotr Dymacz
a49503bbc7 sysntpd: restore support for peer-less (standalone) mode
ntpd from Busybox supports peer-less (standalone) mode when it's started
with option -l and without any peer provided with option -p. In this
mode ntpd uses local time as reference and acts as stratum 1 server.

This mode can be used in isolated networks, where Internet access and/or
other NTP server/s are not available, but the device has some other way
of getting correct time, like e.g. GPS (ugps supports setting local time
by default).

Support for this mode was incorrectly disabled/removed in:
1527f96ca6

Signed-off-by: Piotr Dymacz <pepe2k@gmail.com>
Acked-by: Jo-Philipp Wich <jo@mein.io>
2017-04-02 15:09:09 +02:00
Piotr Dymacz
0cb669b469 ugps: fix and improve init script
The ugps tool expects device path in last argument. If it's provided
before other options, they won't be processed at all.

Additionally, make it possible to use absolute path for gps character
device in related uci configuration.

Signed-off-by: Piotr Dymacz <pepe2k@gmail.com>
2017-04-02 15:09:09 +02:00
Hauke Mehrtens
1adc6db036 ubox: fix sha256 mirror hash
Commit 5c20a4fec9 ("ubox: turn logd into a separate package") changed
the PKG_SOURCE_DATE which is also included in the tar file. This change
resulted in a new tar with a different hash, but the sha256 hash was not
updated. Fix the sha256 hash value in this commit to match what would be
created from git and what is already on the mirror.

Signed-off-by: Hauke Mehrtens <hauke.mehrtens@intel.com>
2017-03-30 22:34:49 +02:00
Hauke Mehrtens
298c40fd34 odhcpd: fix sha256 sum
The sha256sum added in commit b8567cb44e ("odhcpd: update to git HEAD
version (FS#396)") does not match the sha256sum of the file on the mirror or
when I clone it. Update the sha256 sum to the correct value.

Signed-off-by: Hauke Mehrtens <hauke.mehrtens@intel.com>
2017-03-30 22:00:48 +02:00
Yousong Zhou
910a9430a0 firewall: document rules for IPSec ESP/ISAKMP with 'name' option
These are recommended practices by REC-22 and REC-24 of RFC6092:
"Recommended Simple Security Capabilities in Customer Premises Equipment
(CPE) for Providing Residential IPv6 Internet Service"

Fixes FS#640

Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
2017-03-28 17:46:30 +08:00
Matthias Schiffer
1b94737824
iw: enable MESH ID in scan output
Make scan output useful for 802.11s meshes. The common print_ssid function
is used, so this doesn't add any additional code.

Based-on-patch-by: Jan-Tarek Butt <tarek@ring0.de>
Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
2017-03-25 14:55:10 +01:00
Yousong Zhou
0d304d4228 busybox: vi: backporting patches to fix ZZ and :x command
Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
2017-03-25 13:23:58 +08:00
Rafał Miłecki
474c31a20d umdns: update to the version 2017-03-21
This includes following changes:
480d7bc Fix sending unicast questions on cache expire
a0403cd Keep source sockaddr for every cached DNS record
1478293 Fix code freeing cached non-A(AAA) records too early
9f1cc22 Fix replying to "QU" questions received on unicast interface
943bedb Fix reading port of incoming packets
c725494 Use MCAST_PORT define for port 5353
ce7e9e9 Use one define for DNS-Based Service Discovery service name
e1bacef Drop entries cached for interface we're going to delete
496aeba Fix comment typo in cache_gc_timer
f89986b Fix refreshing cached A(AAA) records that expire

Previous updates made umdns work as expected on startup but there were
still many bugs. They were mostly related to runtime - cache management
and requests + responses. E.g. umdns was never able to send question on
DNS record expire. It was also ignoring all incoming unicast questions.

Since these issues are quite serious it makes sense to backport this
update to the stable branch.

Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
2017-03-24 06:51:45 +01:00
Rafał Miłecki
ba076ebbc5 umdns: update to the version 2017-03-14
This includes 3 cleanups:
fd5a160 Don't cache hosts as services
80dd246 Refresh DNS records A and AAAA directly
6515101 Access cached records (instead of services) to read list of hosts

Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
2017-03-24 06:51:44 +01:00
Yousong Zhou
0f23e80c27 iproute2: fix ip monitor can't work when NET_NS is not enabled
The bug appeared in v4.1.0 and was fixed since v4.8.0

Fixes FS#620

Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
2017-03-19 12:42:16 +08:00
Hauke Mehrtens
111cf1b9f3 curl: fix CVE-2017-2629 SSL_VERIFYSTATUS ignored
This fixes the following security problem:
https://curl.haxx.se/docs/adv_20170222.html

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2017-03-13 22:51:20 +01:00
Hauke Mehrtens
c4ed92ae7d mbedtls: update to version 2.4.2
This fixes the following security problems:
* CVE-2017-2784: Freeing of memory allocated on stack when validating a public key with a secp224k1 curve
* SLOTH vulnerability
* Denial of Service through Certificate Revocation List

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2017-03-13 22:35:48 +01:00
Álvaro Fernández Rojas
7d70ad66ac mac80211: mwifiex-sdio: select DRIVER_11AC_SUPPORT
Signed-off-by: Álvaro Fernández Rojas <noltari@gmail.com>
2017-03-11 20:34:52 +01:00
Álvaro Fernández Rojas
7ae68124a4 mac80211: mwifiex-pcie: select DRIVER_11AC_SUPPORT
Signed-off-by: Álvaro Fernández Rojas <noltari@gmail.com>
2017-03-11 20:34:52 +01:00
Henryk Heisig
c03083339a mac80211: add support for Marvell 802.11n/802.11ac SDIO Wireless cards
This adds option to build kernel module and firmware packages
for a Marvell 8887 SDIO Wireless device

Signed-off-by: Henryk Heisig <hyniu@o2.pl>
Signed-off-by: Álvaro Fernández Rojas <noltari@gmail.com>
2017-03-11 20:34:03 +01:00
Rafał Miłecki
0eed4a61b9 umdns: update to the 2017-03-10 version
This fixes crash in interface_start caused by freeing interface in
interface_free without stopping a timeout.

Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
2017-03-10 13:09:54 +01:00
Álvaro Fernández Rojas
b3ba3764d0 brcm2708-gpu-fw: update to latest version
This is needed in order to add support for the new RPi Zero W

Signed-off-by: Álvaro Fernández Rojas <noltari@gmail.com>
2017-03-08 09:28:19 +01:00
Jo-Philipp Wich
20a2db83de ppp: propagate master peerdns setting to dynamic slave interface
Honour the parent interfaces peerdns option when spawning a virtual DHCPv6
interface in order to avoid pulling in IPv6 DNS servers when the user opted
to inhibit peer DNS servers in the configuration.

Fixes #597.

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2017-03-07 11:27:27 +01:00
Hsing-Wang Liao
21903d056e wireless-tools: Change download url to github
Signed-off-by: Hsing-Wang Liao <kuoruan@gmail.com>
2017-03-01 20:37:37 +01:00
Alif M. Ahmad
f0e8470aa9 grub2: update to 2.02~rc1
Signed-off-by: Alif M. Ahmad <alive4ever@live.com>
2017-03-01 20:37:37 +01:00
Kevin Darbyshire-Bryant
1b2a54b5cd iftop: bump to latest upstream
Drops a LEDE carried patch now upstream.
Convert to autotools.
A number of nits fixed upstream (dns & short packet handling most
notable)

Signed-off-by: Kevin Darbyshire-Bryant <kevin@darbyshire-bryant.me.uk>
2017-03-01 20:37:37 +01:00
Ben Kelly
3d52251df4 swconfig: Bugfix switch_port uci option parsing
When not defining 'device' or 'vlan' in relevant switch_port uci
sections, behaviour is inconsistent due to *devn, *port and *vlan
pointers not being zero initialized.

Signed-off-by: Ben Kelly <ben@benjii.net>
2017-03-01 20:37:37 +01:00
Felix Fietkau
df041b6520 netifd: fix stopping netifd + interfaces
stop() is overwritten by rc.common, so implement stop_service instead.
While at it, remove the now unnecessary restart() override

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2017-03-01 20:37:37 +01:00
Martin Schiller
87e021e6e3 libpcap: add optional netfilter support
This is needed to use the nflog interface with tcpdump

Signed-off-by: Martin Schiller <mschiller@tdt.de>
2017-03-01 20:37:37 +01:00
Felix Fietkau
0f2757dce4 px5g: replace px5g-standalone with a statically linked variant of px5g-mbedtls
px5g-standalone only supports SHA1 for certificates, which is strongly
deprecated. The new px5g-standalone is about 27k bigger (compressed),
and has identical behavior to px5g-mbedtls (it uses SHA256).

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2017-03-01 20:37:37 +01:00
Felix Fietkau
2e8545333a mbedtls: add --function-sections and --data-sections to CFLAGS
This allows binaries that links these libraries statically to be reduced
by using --gc-sections on link

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2017-03-01 20:37:37 +01:00
Hsing-Wang Liao
b036a22fcc kernel: add Chinese codepages
Signed-off-by: Hsing-Wang Liao <kuoruan@gmail.com>
2017-03-01 20:37:36 +01:00
Felix Fietkau
db7f80c587 libpcap: remove feature dependencies on kmod-* packages
USB support could be built into the kernel as well

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2017-03-01 20:37:36 +01:00
Ansuel Smith
00e4f6fd36 ebtables: update to last commit
Refreshed patches

Signed-off-by: Ansuel Smith <ansuelsmth@gmail.com>
2017-03-01 20:37:36 +01:00
Daniel Albers
8aa92deaf6 hostapd: mv netifd.sh hostapd.sh
same name for the file on the host and target

Signed-off-by: Daniel Albers <daniel.albers@public-files.de>
2017-03-01 20:37:36 +01:00
Pavel Kubelun
2856c7e320 ath10k-firmware: update qca9984 firmware
Bump qca9984 firmware.

Signed-off-by: Pavel Kubelun <be.dissent@gmail.com>
2017-03-01 20:37:36 +01:00
Ulrich Weber
3983b4ad0f ppp: honor ip6table for IPv6 PPP interfaces
as we do for IPv4 PPP interfaces. When we create the
dynamic IPv6 interface we should inherit ip6table from
main interface.

Signed-off-by: Ulrich Weber <ulrich.weber@riverbed.com>
2017-03-01 20:37:36 +01:00
Florian Eckert
352f92fe08 ppp: add pppoe-discovery to an independent package
pppoe-discovery performs the same discovery process as pppoe, but does
not initiate a session

Signed-off-by: Florian Eckert <Eckert.Florian@googlemail.com>
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2017-03-01 20:37:36 +01:00
David Pinilla Caparrós
31c2461e3f base-files: Added a deprecation notice on wifi detect
When running wifi detect, the user will be told on error output that
wifi detect is deprecated, that wifi config must be used instead. Also
the commit that changes it is referenced for further info.

Signed-off-by: David Pinilla Caparrós <dpinitux@gmail.com>
2017-03-01 20:37:36 +01:00
David Pinilla Caparrós
8bb839e85a base-files: Add wifi config to wifi command usage
Since commit 5f8f8a3661 wifi detect does
not longer work and wifi config it's used to configure not yet
configured wireless devices.

This commit changes command usage to reflect that change.

Signed-off-by: David Pinilla Caparrós <dpinitux@gmail.com>
2017-03-01 20:37:36 +01:00
Ben Kelly
e1e9d27655 uclibc++: patch bugfix erase() on derived __base_associative
When calling erase() on a containers derived from __base_associative
(e.g. multimap) and providing a pair of iterators a segfault will
occur.

Example code to reproduce:

	typedef std::multimap<int, int> testmap;
	testmap t;
	t.insert(std::pair<int, int>(1, 1));
	t.insert(std::pair<int, int>(2, 1));
	t.insert(std::pair<int, int>(3, 1));
	t.erase(t.begin(), t.end());

Signed-off-by: Ben Kelly <ben@benjii.net>
2017-03-01 20:37:36 +01:00
Felix Fietkau
37b0d547db ath10k-firmware: revert faulty PKG_SOURCE_DATE change from 7cb27b46
Signed-off-by: Felix Fietkau <nbd@nbd.name>
2017-03-01 20:37:35 +01:00
Pavel Kubelun
e591831430 ath10k-firmware: update qca9984 firmware and board data
Fixes firmware crash in rare cases and a bug
ath10k_pci 0001:01:00.0: received unexpected tx_fetch_ind event: in
push mode
for those who kept experiencing it after previous firmware update.

Signed-off-by: Pavel Kubelun <be.dissent@gmail.com>
2017-03-01 20:37:35 +01:00
Ben Greear
8a3ac15a47 ath10k-ct: Support ath10k CT firmware for 9887 chipsets.
And, update support for 9880 chipsets.  The new firmware
fixes a regression with EAPOL 4/4 packets added in
a recent commit.

It also fixes a case where the firmware would improperly try
to use STBC when configured for 1x1 (as 9887 always is).

Signed-off-by: Ben Greear <greearb@candelatech.com>
2017-03-01 20:37:35 +01:00
Chris Blake
9451cd7c5b leds-apu2: Add PC Engines APU2 LED driver
This adds support for the PCB LEDs and Reset Button found on the PC
Engines APU2/APU3 embedded boards.

Signed-off-by: Chris Blake <chrisrblake93@gmail.com>
2017-03-01 20:37:35 +01:00
Koen Vandeputte
65b05463d7 netfilter: re-enable TEE support for kernel 4.4
It got disabled in commit 4454a3fb63
but works nicely these days.

Tested on cns3xxx

Signed-off-by: Koen Vandeputte <koen.vandeputte@ncentric.com>
2017-03-01 20:37:35 +01:00
Chris Blake
2b122a6750 gpio-nct5104d: Add nct5104d driver package
This adds support for the SuperIO chip nct5104d found on the PC Engines
APU boards, which allows for a handful of additional ports, such as 2x
additional UART pinouts, enabling an external watchdog (no driver for
this functionality yet), and 16 GPIO pins. More info can be found at
https://pcengines.ch/ht_gpio.htm

Thanks to @feckert for helping package this.

Cc: Florian Eckert <Eckert.Florian@googlemail.com>

Signed-off-by: Chris Blake <chrisrblake93@gmail.com>
2017-03-01 20:37:35 +01:00
Mathias Kresin
c5d8d8fd64 x86: drop ep80579-drivers
The subtarget on which the driver still depends was removed with
dee8986b95 because it was unmaintained
for a long time.

Signed-off-by: Mathias Kresin <dev@kresin.me>
2017-03-01 20:37:35 +01:00
Daniel Golle
83d3e393bf 6in4: add missing colon when setting default ca_path
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2017-03-01 20:37:35 +01:00
John Crispin
ee1cd31d2b procd: update to latest git HEAD
5f91241 procd: add cancel_timeout on rc scripts when a runtime_timeout is specified
961dc69 procd: stop service using SIGKILL if SIGTERM failed to do so

Fixes FS#516.

Signed-off-by: John Crispin <john@phrozen.org>
(cherry picked from commit 946d1dfb87)
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
2017-03-01 12:10:06 +01:00
Felix Fietkau
bc61c1328d procd: update to the latest version
Fixes compatibility issues with glibc 2.25

Signed-off-by: Felix Fietkau <nbd@nbd.name>
(cherry picked from commit 2ffb80bc9f)
2017-03-01 12:10:06 +01:00
Jo-Philipp Wich
709c326461 hostapd: fix feature indication
- Fix eap test to work with standalone hostapd builds
 - Fix 11n test to check the correct define
 - Add 11ac, 11r and 11w tests

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2017-03-01 01:18:58 +01:00
Yousong Zhou
ef5cb964b1 relayd: fix making incomplete instance json data
Defer procd_open_instance only after validity check passed.

Fixes FS#541

Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
2017-02-26 14:38:25 +08:00
Yousong Zhou
77fb98ee41 relayd: remove old start-stop-service related code
Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
2017-02-26 14:38:24 +08:00
Yousong Zhou
b24273fe71 ppp: ppp6-up: add executable permission bit
Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
2017-02-26 14:38:24 +08:00
Yousong Zhou
5f5fae27b5 mac80211: hwsim: select DRIVER_11AC_SUPPORT and DRIVER_11W_SUPPORT
This is required for default wireless configuration of malta target to
work out of the box again.  Fixes "77ece30e: hostapd: Add ability to
specify that that wireless driver supports 802.11ac"

Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
2017-02-26 14:38:24 +08:00
Brandon Koepke
2b22e1d5c3 openvpn: adding key_direction to append_params.
key_direction shows up as an openvpn option in the user-interface but does not end up in the /var/etc/openvpn*.conf file. Adding it to the list here fixed the issue for me.

Signed-off-by: Brandon Koepke <bdkoepke@fastmail.com>
[Fixes FS#537]
Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
2017-02-26 14:36:16 +08:00
Felix Fietkau
6cb46adbc9 ubus: update to the latest version
c09e4f0 ubusd: fix incomplete copy of shared buf during queue-ing
453b87f cli: add support for subscribing to objects
6eb3c96 cli: do not use default timeout for listen
dfe3383 libubus: reset ctx->sock.error when doing ubus reconnect
34c6e81 cli: fix listen_timeout compile issue

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2017-02-25 11:15:46 +01:00
Felix Fietkau
fdc22b616c ubus: update to the latest version
Adds the following fixes:

91acde6 libubus: do not modify uloop_cancelled
763b9b2 libubus: reset ctx->sock.eof to fix reconnect issues

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2017-02-25 11:11:24 +01:00
Ted Hess
4c9b45966e libubox: Update to latest version
9d6305a utils: Change calloc_a() to return size_t aligned pointers

Signed-off-by: Ted Hess <thess@kitschensync.net>
2017-02-25 11:10:41 +01:00
Felix Fietkau
67c2a176ce libubox: update to the latest version
Adds the following changes:

de3f14b uloop: add uloop_cancelling function
3b6181b utils: fix build on Mac OS X 10.12
7f671b1 blobmsg: add support for double
0fe1374 utils: add helper functions useful for allocating a ring buffer
8fc1c30 libubox: replace strtok with _r version.
4a9f74f libubox: allow reading out the pid of uloop process in lua
372e1e6 uloop: remove useless epoll data assignment
f9db1cb libubox: allow reading out the remaining time of a uloop timer in Lua

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2017-02-25 11:10:35 +01:00
Felix Fietkau
bf53a8327f acx-mac80211: fix scan API error that could lead to a crash
Signed-off-by: Felix Fietkau <nbd@nbd.name>
2017-02-24 15:03:48 +01:00
Felix Fietkau
f1336d2a70 iw: sync nl80211.h with mac80211 package
Signed-off-by: Felix Fietkau <nbd@nbd.name>
2017-02-24 12:22:29 +01:00
Felix Fietkau
703515f889 mac80211: sync with master branch as of 9edff13abd
Includes the following changes:
9edff13abd mac80211: disable potentially harmful PS software retry for A-MPDU sessions
75216a76b0 mac80211: backport upstream fix for CSA in IBSS mode
368cc8ef47 mac80211: update brcmfmac backporting brcmf_err cleanups
66a63d25c4 mac80211: fix build on linux 3.18
9eacb9d7fc rt2x00: mt7620: lots of improvements
fd94fa61a7 mac80211: brcmfmac: update Raspberry Pi patches for linux 4.9
649e766a64 mac80211: update to wireless-testing 2017-01-31
47540afa5d ath9k: add a warning to the tx99 config option
b367eef21d mac80211: rt2x00: add support for external LNA on MT7620
9200e168f2 mac80211: move (& update) upstream accepted brcmfmac patches

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2017-02-24 12:22:29 +01:00
Felix Fietkau
d27dd6298b ath10k-ct: depend on kmod-hwmon-core, it gets used when CONFIG_THERMAL is set
Signed-off-by: Felix Fietkau <nbd@nbd.name>
2017-02-24 12:22:29 +01:00
Felix Fietkau
0ce2d5b6bf ath10k-ct: fix kernel api compatibility issues
Signed-off-by: Felix Fietkau <nbd@nbd.name>
2017-02-24 12:22:28 +01:00
Ben Greear
09620c0825 ath10k-ct: Fix performance of 2x2 hardware running 3x3 firmware.
The driver had a bug when calculating the rateset.  This resolves
that and allows full VHT mcs rates on 2x2 hardware.

Signed-off-by: Ben Greear <greearb@candelatech.com>
2017-02-24 12:22:28 +01:00
Joseph C. Lehner
0a3088cb4b mt76: split kmod package
This patch splits `kmod-mt76` into three separate packages:
`kmod-mt76-core`, `kmod-mt76x2` and `kmod-mt7603`. By making
`kmod-mt76` a metapackage containing these new packages,
the previous behaviour of including all drivers and firmware
is left unchanged, unless explicitly unselected in
`DEVICE_PACKAGES`.

This splitting is especially beneficial for devices with
small flash chips, since the `kmod-mt76` package currently
requires ~160K on squashfs (after compression).

Signed-off-by: Joseph C. Lehner <joseph.c.lehner@gmail.com>
Signed-off-by: Felix Fietkau <nbd@nbd.name> [cleanup]
2017-02-23 17:34:14 +01:00
Baptiste Jonglez
59508e309e dnsmasq: Add upstream patch fixing SERVFAIL issues with multiple servers
This fixes FS#391 for lede-17.01

Signed-off-by: Baptiste Jonglez <git@bitsofnetworks.org>
2017-02-20 18:13:44 +01:00
Stijn Tintel
5612114090 Revert "px5g-standalone: provide px5g via PROVIDES"
This reverts commit cc66f819b4.

This commit causes opkg to install px5g-standalone instead of px5g when
installing luci-ssl. As luci-ssl depends on mbedtls, using
px5g-standalone makes no sense. Next to that, it creates deprecated SHA1
certificates. Revert the commit to avoid pxg5-standalone to be
installed by accident.

Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
(cherry picked from commit ca8aee0c57)
2017-02-20 15:17:20 +01:00
Alberto Bursi
4d1ab84f1e uboot-kirkwood: fix goflexhome/net bootcommand
Goflexhome/net use uImage, and to boot an uImage the u-boot
must use bootm command, not bootz.

Fixes the "i cannot boot LEDE with this u-boot" issue that I
found out myself with my goflexnet.

Signed-off-by: Alberto Bursi <alberto.bursi@outlook.it>
2017-02-19 21:00:19 +01:00
Felix Fietkau
c835c9ebe5 uhttpd: use sha256 when generating certificates with openssl (FS#512)
Patch from attachment to FS#512

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2017-02-17 14:43:11 +01:00
Stijn Tintel
6ebb8723a6 dropbear: bump PKG_RELEASE
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
(cherry picked from commit 27040dbf89)
2017-02-17 12:31:52 +01:00
Joseph C. Sible
f527436364 dropbear: enable SHA256 HMACs
The only HMACs currently available use MD5 and SHA1, both of which have known
weaknesses. We already compile in the SHA256 code since we use Curve25519
by default, so there's no significant size penalty to enabling this.

Signed-off-by: Joseph C. Sible <josephcsible@users.noreply.github.com>
(cherry picked from commit 0bf85ef048)
2017-02-17 12:31:39 +01:00
Cezary Jackiewicz
44aec27112 ugps: fix typo
Removing redundant spaces from the name of the option. Without fix:

root@LEDE:~# opkg install ugps
Installing ugps (2016-10-24-32a6b2b7-1) to root...
Downloading http://downloads.lede-project.org/releases/17.01-SNAPSHOT/packages/mips_24kc/base/ugps_2016-10-24-32a6b2b7-1_mips_24kc.ipk
Configuring ugps.
uci: Parse error (invalid character in name field) at line 3, byte 23
uci: Parse error (invalid character in name field) at line 3, byte 23
sh: out of range
root@LEDE:~# uci show gps
uci: Parse error (invalid character in name field) at line 3, byte 23

With this fix:

root@LEDE:~# uci show gps
gps.@gps[0]=gps
gps.@gps[0].tty='ttyACM0'
gps.@gps[0].adjust_time='1'

Signed-off-by: Cezary Jackiewicz <cezary@eko.one.pl>
2017-02-16 09:54:14 +01:00
Felix Fietkau
dbb8e04472 qos-scripts: fix module load commands (FS#438)
fq_codel is built-in, and xt_CONNMARK is provided by the xt_connmark
module

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2017-02-15 14:02:04 +01:00
Rafał Miłecki
df49e49bc7 mdns: update and rename package to the umdns
This update includes numerous small fixes for:
1) Interfaces setup
2) Packets parsing
3) Sending replies
Without this there were multiple problems with exchanging information
between (u)mdns and other implementations (including (u)mdns as well).

This also follows project rename to umdns which was required to avoid
confusion with Apple's mdnsd from mDNSResponder project.

Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
2017-02-15 13:07:21 +01:00
Felix Fietkau
b8c9ded999 build: add buildbot specific config option for setting defaults
This can be used to tweak the buildbot behavior without having to change
buildbot's configuration.
It will also allow us to add more aggressive clean steps (e.g. on
toolchain changes), which would break developers' workflows if enable
by default.

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2017-02-15 11:37:13 +01:00
Sven Eckelmann
d6d9f256ff package/uboot-envtools: add OpenMesh A40 support
Signed-off-by: Sven Eckelmann <sven.eckelmann@open-mesh.com>
2017-02-15 09:35:54 +01:00
Sven Eckelmann
e6057ed207 package/om-watchdog: add OpenMesh A40 support
Signed-off-by: Sven Eckelmann <sven.eckelmann@open-mesh.com>
2017-02-15 09:35:53 +01:00
Sven Eckelmann
8785ebc471 package/uboot-envtools: add OpenMesh a60 support
Signed-off-by: Sven Eckelmann <sven.eckelmann@open-mesh.com>
2017-02-15 09:35:49 +01:00
Sven Eckelmann
eb383710e2 package/om-watchdog: add OpenMesh A60 support
Signed-off-by: Sven Eckelmann <sven.eckelmann@open-mesh.com>
2017-02-15 09:35:48 +01:00
Sven Eckelmann
a3061e57e8 package/uboot-envtools: add OpenMesh OM2Pv4/-HSv4 support
Signed-off-by: Sven Eckelmann <sven.eckelmann@open-mesh.com>
2017-02-15 09:35:45 +01:00
Sven Eckelmann
8a35c489ad package/om-watchdog: add OpenMesh OM2Pv4/-HSv4 support
Signed-off-by: Sven Eckelmann <sven.eckelmann@open-mesh.com>
2017-02-15 09:35:44 +01:00
Denis Osvald
cbd69f7e4e procd: fix default timeout for reload trigger actions
Default trigger action timeout was added to procd.sh in commit f88e3a4c0
(procd: add default timeout for reload trigger actions)
However, the timeout value was not placed under the correct JSON-script
array nesting level and thus did not apply.

To fix this and make the timeout actually apply to the reload triggers,
we place it in the correct scope, that is the per-trigger array.

Fixes: f88e3a4c0a
Signed-off-by: Denis Osvald <denis.osvald@sartura.hr>
2017-02-15 09:35:12 +01:00
Felix Fietkau
e967f4dd27 ath9k: fix various issues in the airtime-fairness implementation
Effects of the bugs could include memory corruption, tx hangs, kernel
crahes, possibly other things as well

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2017-02-12 14:27:21 +01:00
Hans Dedecker
b8567cb44e odhcpd: update to git HEAD version (FS#396)
8df4253 ndp: harden netlink event socket error handling
b02f3e6 ndp: close proc file descriptor also during error handling
8a615ad npd: rework IPv6 relay logic (FS#396)
0129f79 config: restore interface defaults when cleaning interface

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2017-02-09 21:42:48 +01:00
Hans Dedecker
03ff2d7359 odhcpd: update to git HEAD version (FS#388)
3317c86 dhcpv6-ia: apply lease delete based on assignment bound state
df50429 odhcpd: properly handle netlink messages (FS#388)
83d72cf odhcpd: fix coding style

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2017-02-09 21:42:00 +01:00
John Crispin
bd64568d27 procd: update to latest git HEAD
cdc3dab ujail: fix signal forwarding

Signed-off-by: John Crispin <john@phrozen.org>
2017-02-08 15:03:16 +01:00
Álvaro Fernández Rojas
86bd886697 brcmfmac: improve Raspberry Pi 3 stability
- Really disable power management (wrong config flags).
- Disable internal roaming engine.

Signed-off-by: Álvaro Fernández Rojas <noltari@gmail.com>
2017-02-07 18:00:16 +01:00
Hauke Mehrtens
2ad4383b74 tcpdump: update to version 4.9.0
This fixes the following 41 security problems:
 + CVE-2016-7922: buffer overflow in print-ah.c:ah_print().
 + CVE-2016-7923: buffer overflow in print-arp.c:arp_print().
 + CVE-2016-7924: buffer overflow in print-atm.c:oam_print().
 + CVE-2016-7925: buffer overflow in print-sl.c:sl_if_print().
 + CVE-2016-7926: buffer overflow in print-ether.c:ethertype_print().
 + CVE-2016-7927: buffer overflow in print-802_11.c:ieee802_11_radio_print().
 + CVE-2016-7928: buffer overflow in print-ipcomp.c:ipcomp_print().
 + CVE-2016-7929: buffer overflow in print-juniper.c:juniper_parse_header().
 + CVE-2016-7930: buffer overflow in print-llc.c:llc_print().
 + CVE-2016-7931: buffer overflow in print-mpls.c:mpls_print().
 + CVE-2016-7932: buffer overflow in print-pim.c:pimv2_check_checksum().
 + CVE-2016-7933: buffer overflow in print-ppp.c:ppp_hdlc_if_print().
 + CVE-2016-7934: buffer overflow in print-udp.c:rtcp_print().
 + CVE-2016-7935: buffer overflow in print-udp.c:rtp_print().
 + CVE-2016-7936: buffer overflow in print-udp.c:udp_print().
 + CVE-2016-7937: buffer overflow in print-udp.c:vat_print().
 + CVE-2016-7938: integer overflow in print-zeromq.c:zmtp1_print_frame().
 + CVE-2016-7939: buffer overflow in print-gre.c, multiple functions.
 + CVE-2016-7940: buffer overflow in print-stp.c, multiple functions.
 + CVE-2016-7973: buffer overflow in print-atalk.c, multiple functions.
 + CVE-2016-7974: buffer overflow in print-ip.c, multiple functions.
 + CVE-2016-7975: buffer overflow in print-tcp.c:tcp_print().
 + CVE-2016-7983: buffer overflow in print-bootp.c:bootp_print().
 + CVE-2016-7984: buffer overflow in print-tftp.c:tftp_print().
 + CVE-2016-7985: buffer overflow in print-calm-fast.c:calm_fast_print().
 + CVE-2016-7986: buffer overflow in print-geonet.c, multiple functions.
 + CVE-2016-7992: buffer overflow in print-cip.c:cip_if_print().
 + CVE-2016-7993: a bug in util-print.c:relts_print() could cause a
      buffer overflow in multiple protocol parsers (DNS, DVMRP, HSRP, IGMP,
      lightweight resolver protocol, PIM).
 + CVE-2016-8574: buffer overflow in print-fr.c:frf15_print().
 + CVE-2016-8575: buffer overflow in print-fr.c:q933_print().
 + CVE-2017-5202: buffer overflow in print-isoclns.c:clnp_print().
 + CVE-2017-5203: buffer overflow in print-bootp.c:bootp_print().
 + CVE-2017-5204: buffer overflow in print-ip6.c:ip6_print().
 + CVE-2017-5205: buffer overflow in print-isakmp.c:ikev2_e_print().
 + CVE-2017-5341: buffer overflow in print-otv.c:otv_print().
 + CVE-2017-5342: a bug in multiple protocol parsers (Geneve, GRE, NSH,
      OTV, VXLAN and VXLAN GPE) could cause a buffer overflow in
      print-ether.c:ether_print().
 + CVE-2017-5482: buffer overflow in print-fr.c:q933_print().
 + CVE-2017-5483: buffer overflow in print-snmp.c:asn1_parse().
 + CVE-2017-5484: buffer overflow in print-atm.c:sig_print().
 + CVE-2017-5485: buffer overflow in addrtoname.c:lookup_nsap().
 + CVE-2017-5486: buffer overflow in print-isoclns.c:clnp_print().

The size of the package is only incread very little:
new size:
306430 tcpdump_4.9.0-1_mips_24kc.ipk
130324 tcpdump-mini_4.9.0-1_mips_24kc.ipk

old size:
302782 tcpdump_4.8.1-1_mips_24kc.ipk
129033 tcpdump-mini_4.8.1-1_mips_24kc.ipk

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2017-02-06 22:34:28 +01:00
Rafał Miłecki
5c4b2eb3dd mac80211: brcmfmac: backport wowlan netdetect fixes
I needed a moment to figure out relation between this patchset and the
nl80211: fix validation of scheduled scan info for wowlan netdetect

It appears nl80211 commit will go on top of brcmfmac changes so it's
safe to backport these patches.

One patch that was excluded is commit 2a2a5d1835b6 ("brcmfmac: add
.update_connect_params() callback") as it depends on missing commit
088e8df82f91 ("cfg80211: Add support to update connection parameters").

Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
2017-02-06 00:10:49 +01:00
Rafał Miłecki
52add1988c mac80211: brcmfmac: backport PSM watchdog improvements
Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
2017-02-06 00:10:49 +01:00
Rafał Miłecki
c578da6198 mac80211: brcmfmac: backport minor code cleanups
Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
2017-02-06 00:10:49 +01:00
Rafał Miłecki
4b9bdb48d9 mac80211: brcmfmac: backport 4.10 fixes & typo fix
This includes memory leak fix in initialization path.

Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
2017-02-06 00:10:49 +01:00
Rafał Miłecki
85d128f145 mac80211: brcmfmac: backport scheduled scan cleanup and chip support
Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
2017-02-06 00:10:49 +01:00
Rafał Miłecki
e48b1c2c07 mac80211: brcmfmac: backport some old patches from 2016
Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
2017-02-06 00:10:48 +01:00
Rafał Miłecki
e8f42223be mac80211: rename brcmfmac patches to use higher prefix
There are more patches to backport that should go before these.

Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
2017-02-06 00:10:48 +01:00
Rafał Miłecki
36288db2fd mac80211: start hostapd with logging wpa_printf messages to syslog
Some debugging/error messages are printed using wpa_printf and this
change allows finally reading them out of the syslog.

Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
2017-02-05 22:33:05 +01:00
Rafał Miłecki
bc49d7902c hostapd: enable support for logging wpa_printf messages to syslog
This will allow starting hostapd with the new -s parameter and finally
read all (error) messages from the syslog.

Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
2017-02-05 22:31:02 +01:00
Rafał Miłecki
a0bc62fe08 hostapd: backport support for sending debug messages to the syslog
It wasn't possible to read hostapd wpa_printf messages unless running
hostapd manually. It was because hostapd was printing them using vprintf
and not directly to the syslog.

We were trying to workaround this problem by redirecting STDIN_FILENO
and STDOUT_FILENO but it was working only for the initialization phase.
As soon as hostapd did os_daemonize our solution stopped working.

Please note despite the subject this change doesn't affect debug level
messages only but just everything printed by hostapd with wpa_printf
including MSG_ERROR-s. This makes it even more important as reading
error messages can be quite useful for debugging.

Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
2017-02-05 22:29:56 +01:00