This fixes the following security problems in dnsmasq:
* CVE-2020-25681:
Dnsmasq versions before 2.83 is susceptible to a heap-based buffer
overflow in sort_rrset() when DNSSEC is used. This can allow a remote
attacker to write arbitrary data into target device's memory that can
lead to memory corruption and other unexpected behaviors on the target
device.
* CVE-2020-25682:
Dnsmasq versions before 2.83 is susceptible to buffer overflow in
extract_name() function due to missing length check, when DNSSEC is
enabled. This can allow a remote attacker to cause memory corruption
on the target device.
* CVE-2020-25683:
Dnsmasq version before 2.83 is susceptible to a heap-based buffer
overflow when DNSSEC is enabled. A remote attacker, who can create
valid DNS replies, could use this flaw to cause an overflow in a heap-
allocated memory. This flaw is caused by the lack of length checks in
rtc1035.c:extract_name(), which could be abused to make the code
execute memcpy() with a negative size in get_rdata() and cause a crash
in Dnsmasq, resulting in a Denial of Service.
* CVE-2020-25684:
A lack of proper address/port check implemented in Dnsmasq version <
2.83 reply_query function makes forging replies easier to an off-path
attacker.
* CVE-2020-25685:
A lack of query resource name (RRNAME) checks implemented in Dnsmasq's
versions before 2.83 reply_query function allows remote attackers to
spoof DNS traffic that can lead to DNS cache poisoning.
* CVE-2020-25686:
Multiple DNS query requests for the same resource name (RRNAME) by
Dnsmasq versions before 2.83 allows for remote attackers to spoof DNS
traffic, using a birthday attack (RFC 5452), that can lead to DNS
cache poisoning.
* CVE-2020-25687:
Dnsmasq versions before 2.83 is vulnerable to a heap-based buffer
overflow with large memcpy in sort_rrset() when DNSSEC is enabled. A
remote attacker, who can create valid DNS replies, could use this flaw
to cause an overflow in a heap-allocated memory. This flaw is caused
by the lack of length checks in rtc1035.c:extract_name(), which could
be abused to make the code execute memcpy() with a negative size in
sort_rrset() and cause a crash in dnsmasq, resulting in a Denial of
Service.
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
The referenced commit is gone, but we already have this file on our
mirror, use that one by providing the correct mirror hash.
I generated a tar.xz file with the given git commit hash using a random
fork on github and it generated the same tar.xz file as found on our
mirror so this looks correct.
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
The referenced commit is gone, but we already have this file on our
mirror, use that one by providing the correct mirror hash.
I generated a tar.xz file with the given git commit hash using a random
fork on github and it generated the same tar.xz file as found on our
mirror so this looks correct.
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
Kerning seems to be very off-putting for some people so the logo
designer thankfully updated guidelines to something which is now
considered final.
Signed-off-by: Paul Spooren <mail@aparcar.org>
These devices do not run Ubiquiti AirOS. Rename the partition to the
name used by other UniFi devices with vendor dualboot support.
Signed-off-by: David Bauer <mail@david-bauer.net>
The NanoPi R2S does not have a board specific MAC address written inside
e.g. an EEPROM, hence why it is randomly generated on first boot.
The issue with that however is the lack of a driver for the PRNG.
It often results to the same MAC address used on multiple boards by
default, as urngd is not active at this early stage resulting in low
available entropy.
There is however a semi-unique identifier available to us, which is the
CID of the used SD card. It is unique to each SD card, hence we can use
it to generate the MAC address used for LAN and WAN.
Signed-off-by: David Bauer <mail@david-bauer.net>
Flashing image with BCM4908 CFE bootloader requires specific firmware
format. It needs 20 extra bytes with magic numbers and CRC32 appended.
This tools allows appending such a tail to the specified image and also
verifying CRC32 of existing BCM4908 image.
Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
53f07e9 ra: fix routing loop on point to point links
2b6959d ra: align ifindex resolving
Tested-by: Karl Vogel <karl.vogel@gmail.com>
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
This enables the MikroTik platform driver, it enables us to parse
valuable info from hard_config including WLAN calibration data
extraction from sysfs.
Signed-off-by: Robert Marko <robimarko@gmail.com>
This enables the new MikroTik specific partition parser.
This avoids manually specifying the MikroTik specific partitions as they
can be detected by their magic values.
Signed-off-by: Robert Marko <robimarko@gmail.com>
MikroTik devices require the use of raw vmlinux out of the self
extracting compressed kernels.
They also require 4K sectors, kernel2minor, partition parser as well as
RouterBoard platform drivers.
So in order to not add unnecessary code to the generic sub target lets
introduce a MikroTik sub target.
Signed-off-by: Robert Marko <robimarko@gmail.com>
If the watchdog is enabled, set the timeout to 30 seconds before
decompress is started.
Mikrotik ipq40xx devices running with RouterBoot have the SoC watchdog
enabled and running with a timeout that does not allow time for the
kernel to decompress and manage the watchdog.
On ipq40xx RouterBoot TFTP boot the watchdog countdown is reset before:
Jumping to kernel
Signed-off-by: John Thomson <git@johnthomson.fastmail.com.au>
This adds a appended_dtb section to the ARM decompressor
linker script.
This allows using the existing ARM zImage appended DTB support for
appending a DTB to the raw ELF kernel.
Its size is set to 1MB max to match the zImage appended DTB size limit.
To use it to pass the DTB to the kernel, objcopy is used:
objcopy --set-section-flags=.appended_dtb=alloc,contents \
--update-section=.appended_dtb=<target>.dtb vmlinux
This is based off the following patch:
c063e27e02
Signed-off-by: Robert Marko <robimarko@gmail.com>
Reordered for consistency between packages.
Fixed license information.
Change PKG_BUILD_PARALLEL to 1. This is no longer a problem.1
Signed-off-by: Rosen Penev <rosenp@gmail.com>
4c619b3eed x86: Check IFUNC definition in unrelocated executable [BZ #20019]
87450ecf8a x86: Set header.feature_1 in TCB for always-on CET [BZ #27177]
2b4f67c2b3 Update for [BZ #27130] fix
1a24bbd43e x86-64: Avoid rep movsb with short distance [BZ #27130]
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
The removed config symbols are already enabled by the generic kernel
configuration (or by default), while the added ones are forcefully
enabled by the specific architecture.
Signed-off-by: Rui Salvaterra <rsalvaterra@gmail.com>
The USB port definition is only needed when it is linked to a USB
LED. Since there is none for this device, we might as well remove
the port definition.
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
CPU: Atheros AR9342 rev 3 SoC
RAM: 64 MB DDR2
Flash: 16 MB NOR SPI
WLAN 2.4GHz: Atheros AR9342 v3 (ath9k)
WLAN 5.0GHz: QCA988X
Ports: 1x GbE
Flashing procedure is identical to other ubnt devices.
https://openwrt.org/toh/ubiquiti/common
Flashing through factory firmware
1. Ensure firmware version v8.7.0 is installed.
Up/downgrade to this exact version.
2. Patch fwupdate.real binary using
`hexdump -Cv /bin/ubntbox | sed 's/14 40 fe 27/00 00 00 00/g' | \
hexdump -R > /tmp/fwupdate.real`
3. Make the patched fwupdate.real binary executable using
`chmod +x /tmp/fwupdate.real`
4. Copy the squashfs factory image to /tmp on the device
5. Flash OpenWrt using `/tmp/fwupdate.real -m <squashfs-factory image>`
6. Wait for the device to reboot
(copied from Ubiquiti NanoBeam AC and modified)
Flashing from serial console
1. Connect serial console (115200 baud)
2. Connect ethernet to a network with a TFTP server, through a
passive PoE injector.
3. Press a key to obtain a u-boot prompt
4. Set your TFTP server's ip address, with:
setenv serverip <tftp-server-address>
5. Set the Bullet AC's ip address, with:
setenv ipaddr <bullet-ac-address>
6. Set the boot file, with:
setenv bootfile <name-of-initramfs-binary-on-tftp-server>
7. Fetch the binary with tftp:
tftpboot
8. Boot the initramfs binary:
bootm
9. From the initramfs, fetch the sysupgrade binary, and flash it with
sysupgrade.
The Bullet AC is identified as a 2WA board by Ubiquiti. As such, the UBNT_TYPE
must match from the "Flashing through factory firmware" install instructions
to work.
Phy0 is QCA988X which can tune either band (2.4 or 5GHz). Phy1 is AR9342,
on which 5GHz is disabled. It isn't currently known whether phy1 is
routed to the N connector at all.
Signed-off-by: Russell Senior <russell@personaltelco.net>
The following four led triggers are enabled in generic config.
* kmod-ledtrig-default-on
* kmod-ledtrig-heartbeat
* kmod-ledtrig-netdev
* kmod-ledtrig-timer
Drop the packages and remove them from DEVICE_PACKAGES.
There's no other package depending on them in this repo.
Signed-off-by: Sungbo Eo <mans0n@gorani.run>
Those targets have already enabled some other LED triggers, so enabling
a few more won't be a big problem.
Signed-off-by: Sungbo Eo <mans0n@gorani.run>
The heartbeat trigger is used by luci-mod-system, which is installed
as a part of the standard luci package set. It seems the LED trigger
will be required quite often, so let's enable it by default.
This increases uncompressed kernel size by about 100 bytes on ath79/generic.
Signed-off-by: Sungbo Eo <mans0n@gorani.run>
With encryption disabled, it was intended to set wpa_state=1 (enabled,
not configured) through the 'wps_not_configured' flag.
The flag is set appropriately but the condition using it is broken.
Instead, 'wps_configured' is checked and wpa_state is always 2 (enabled,
configured). Fix it by using the correct variable name.
Fixes: 498d84fc4e ("netifd: add wireless configuration support
and port mac80211 to the new framework")
Signed-off-by: Leon M. George <leon@georgemail.eu>
[commit title/message improvements]
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
CONFIG_THERMAL option was changed to boolean in upstream linux commit
554b3529fe01 ("thermal/drivers/core: Remove the module Kconfig's option").
Switch it to 'y' and remove FILES and AUTOLOAD for non-existant module file.
And update the descripton text for the package as in upstream linux commit
eb8504620381 ("thermal: Rephrase the Kconfig text for thermal").
Signed-off-by: Sungbo Eo <mans0n@gorani.run>
The cidr_parse6 function parses a string to an ipv6-address.
The cidr struct contains a union called buf for the ipv4 and ipv6
address. Since it is a char pointer and the struct is initialized with
the maximum size (so ipv6 string) it does not make any difference.
However, we should access the buffer using the v6 name, since it could
be confusing otherwise.
Signed-off-by: Nick Hainke <vincent@systemli.org>
This fixes a typo in the previously committed partition map that led to
the extension of the read-only mtd partition "SSD" into the following
partitions.
Fixes: 4e46beb313 ("ipq806x: add support for Ubiquiti UniFi AC HD")
Signed-off-by: Jan Alexander <jan@nalx.net>
All modification made by update_kernel.sh in a fresh clone without
existing toolchains.
Build system: x86_64
Build-tested: ipq806x/R7800, bcm27xx/bcm2711
Run-tested: ipq806x/R7800
No dmesg regressions, everything functional
Signed-off-by: John Audia <graysky@archlinux.us>
Tested-by: Curtis Deptuck <curtdept@me.com> [x86/64]
Since 4ee3cf2b5a profiles with alternative vendor names may appear
multiple times in `tmp/.targetinfo` or `.targetinfo` (for
ImageBuilders).
The `target-metadata.pl` script adds these profiles then twice to
`PROFILE_NAMES` and the ImageBuilder show the profile twice when running
`make info`.
This patch removes duplicate profile IDs and only adds them once to
`.profiles.mk`.
Signed-off-by: Paul Spooren <mail@aparcar.org>
Not everyone will want to bloat their kernel by 24 kiB for such a niche
feature.
Fixes: a1a7f3274e "kernel: enable SRv6 support by
enabling lwtunnel"
Signed-off-by: Rui Salvaterra <rsalvaterra@gmail.com>
BCM4908 CFE bootloader requires kernel to be prepended with a custom
header. This simple tool implements support for such headers.
Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
glibc does not officially support ARC700 so this adds the missing
pieces. I looked at uClibc-ng and a patch by Synopsis for glibc.
ran make toolchain/glibc/refresh to clean up fuzz.
Signed-off-by: Rosen Penev <rosenp@gmail.com>
a46f9a9160e9 mt76: mt7915: add vif check in mt7915_update_vif_beacon()
27ad12352ac9 mt76: mt7615: add vif check in mt7615_update_vif_beacon()
0a449cef024e mt76: mt7915: fix MT_CIPHER_BIP_CMAC_128 setkey
eacd2d493c61 mt76: mt7915: reset token when mac_reset happens
e4b23301e6c9 mt76: mt7615: reset token when mac_reset happens
6e22bbfe0360 mt76: mt7615: convert comma to semicolon
37865118ae2d mt76: mt7915: convert comma to semicolon
742c36b2e527 mt76: mt7915: run mt7915_configure_filter holding mt76 mutex
a515727e8423 mt76: mt7915: add support for flash mode
b6f7b3da5216 mt76: mt7915: fix endianness warning in mt7915_mcu_set_radar_th
062f3f4f06a2 mt76: mt7915: simplify mt7915_mcu_send_message routine
dbba9b993300 mt76: mt7915: drop zero-length packet to avoid Tx hang
36a745d0f71c mt76: Fix queue ID variable types after mcu queue split
a4539760b0b1 mt7915: update the testmode support to the latest upstream patch
64bd6f87e4c2 mt7915: fix crash on failure in pci_set_dma_mask
c202ace409e0 mt76: remove unused variable q
d1b827781f84 mt76: mt7915: add partial add_bss_info command on testmode init
a897a69769f5 mt76: testmode: introduce dbdc support
b44472e99822 mt76: testmode: move mtd part to mt76_dev
45e27e6cdc12 mt76: mt7915: move testmode data from dev to phy
b6673b005770 mt76: mt7615: move testmode data from dev to phy
abdd471e9f2d mt76: mt7915: fix ht mcs in mt7915_mcu_get_rx_rate()
d679b56b9585 mt76: move mac_work in mt76_core module
36cd48ab4454 mt76: move chainmask in mt76_phy
89a6781ed045 mt76: mt7915: force ldpc for bw larger than 20MHz in testmode
3d0834e78005 mt76: testmode: add support to set user-defined spe index
cc05f4679667 mt76: testmode: add attributes for ipg related parameters
77b18b16fe16 mt76: testmode: make tx queued limit adjustable
6365a58573cb mt76: mt7915: split edca update function
e56282bf67f6 mt76: mt7915: add support for ipg in testmode
6fa642903e4e mt76: mt7915: calculate new packet length when tx_time is set in testmode
729ec5daeba5 mt76: mt7915: clean hw queue before starting new testmode tx
981443da5cf7 mt76: testmode: add a new state for continuous tx
4793fc9b3d48 mt76: mt7915: rework set state part in testmode
11a1e86e5946 mt76: mt7915: add support for continuous tx in testmode
364affef82fc mt76: mt7615: mt7915: disable txpower sku when testmode enabled
9fc19db51293 mt76: mt7915: simplify peer's TxBF capability check
6377b7f330be mt76: mt7915: add implicit Tx beamforming support
983091a40633 mt76: mt7915: fix MESH ifdef block
bbb7a9e77751 mt76: mt76u: fix NULL pointer dereference in mt76u_status_worker
a28a8dd2f7de mt76: usb: fix crash on device removal
9c312f2ce2c5 mt76: mt7915: rework mcu API
e6fe82acb111 mt76: mt7915: disable RED support in the WA firmware
25d7429bdc41 mt76: mt7915: fix eeprom parsing for DBDC
7a93026dd3dc mt76: mt7915: fix eeprom DBDC band selection
4c8a09cc45d0 tools: Set mode for new file /tmp/mt76-test-%s
Signed-off-by: Felix Fietkau <nbd@nbd.name>
The key_mgmt variable was mistyped when checking against "WPS", so
the if clause was never entered.
Fixes: f5753aae23 ("hostapd: add support for WPS pushbutton station")
Signed-off-by: Leon M. George <leon@georgemail.eu>
[add commit message, bump PKG_RELEASE]
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
'base' was never used.
Fixes: 498d84fc4e ("netifd: add wireless configuration support
and port mac80211 to the new framework")
Signed-off-by: Leon M. George <leon@georgemail.eu>
'enc_str' was never used.
Fixes: 498d84fc4e ("netifd: add wireless configuration support
and port mac80211 to the new framework")
Signed-off-by: Leon M. George <leon@georgemail.eu>
Granting capabilities CAP_NET_ADMIN and CAP_NET_RAW allows running
hostapd and wpa_supplicant without root priviledges.
Signed-off-by: Daniel Golle <daniel@makrotopia.org>