aboutsummaryrefslogtreecommitdiffstats
path: root/package/network
Commit message (Collapse)AuthorAgeFilesLines
* comgt: fix hotplug event handlingRozhuk Ivan2020-09-192-5/+5
| | | | | | | | | | | | Hotplug manager send: "remove" -> "add" -> "bind" events, script interpret bind as "not add" = "remove" and mark device as unavailable. Signed-off-by: Rozhuk Ivan <rozhuk.im@gmail.com> Signed-off-by: Hans Dedecker <dedeckeh@gmail.com> [PKG_RELEASE increase] (cherry picked from commit 4821ff064b735c320ae2625a739018d1fc7d6457) Fixes: FS#3351 Signed-off-by: Jo-Philipp Wich <jo@mein.io>
* hostapd: Fix compile errors after wolfssl updateHauke Mehrtens2020-09-041-0/+10
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This fixes the following compile errors after the wolfssl 4.5.0 update: LD wpa_cli ../src/crypto/tls_wolfssl.c: In function 'tls_match_alt_subject': ../src/crypto/tls_wolfssl.c:610:11: error: 'GEN_EMAIL' undeclared (first use in this function); did you mean 'ENAVAIL'? type = GEN_EMAIL; ^~~~~~~~~ ENAVAIL ../src/crypto/tls_wolfssl.c:610:11: note: each undeclared identifier is reported only once for each function it appears in ../src/crypto/tls_wolfssl.c:613:11: error: 'GEN_DNS' undeclared (first use in this function) type = GEN_DNS; ^~~~~~~ ../src/crypto/tls_wolfssl.c:616:11: error: 'GEN_URI' undeclared (first use in this function) type = GEN_URI; ^~~~~~~ ../src/crypto/tls_wolfssl.c: In function 'wolfssl_tls_cert_event': ../src/crypto/tls_wolfssl.c:902:20: error: 'GEN_EMAIL' undeclared (first use in this function); did you mean 'ENAVAIL'? if (gen->type != GEN_EMAIL && ^~~~~~~~~ ENAVAIL ../src/crypto/tls_wolfssl.c:903:20: error: 'GEN_DNS' undeclared (first use in this function) gen->type != GEN_DNS && ^~~~~~~ ../src/crypto/tls_wolfssl.c:904:20: error: 'GEN_URI' undeclared (first use in this function) gen->type != GEN_URI) ^~~~~~~ Makefile:2029: recipe for target '../src/crypto/tls_wolfssl.o' failed Fixes: 00722a720c77 ("wolfssl: Update to version 4.5.0") Reported-by: Andre Heider <a.heider@gmail.com> Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de> (cherry picked from commit bc19481826e0da9119945eaae4f25736306f023b)
* hostapd: add wpad-basic-wolfssl variantPetr Štetiar2020-08-102-0/+16
| | | | | | | | | | Add package which provides size optimized wpad with support for just WPA-PSK, SAE (WPA3-Personal), 802.11r and 802.11w. Signed-off-by: Petr Štetiar <ynezz@true.cz> [adapt to recent changes, add dependency for WPA_WOLFSSL config] Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de> (cherry picked from commit c487cf8e94cbdf582dfc3c2bdaab913a146a2100)
* hostapd: reorganize config selection hierarchy for WPA3Adrian Schmutzler2020-08-101-16/+18
| | | | | | | | | | | | | | | | | | | | | The current selection of DRIVER_MAKEOPTS and TARGET_LDFLAGS is exceptionally hard to read. This tries to make things a little easier by inverting the hierarchy of the conditions, so SSL_VARIANT is checked first and LOCAL_VARIANT is checked second. This exploits the fact that some of the previous conditions were unnecessary, e.g. there is no hostapd-mesh*, so we don't need to exclude this combination. It also should make it a little easier to see which options are actually switched by SSL_VARIANT and which by LOCAL_VARIANT. The patch is supposed to be cosmetic. However, the improvement for readers and the maintained consistency with master qualify this for backporting. Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de> (cherry picked from commit c4dd7fc23bfcf3b3f1a838668bb070edc9db5d4b)
* hostapd: improve TITLE for packagesAdrian Schmutzler2020-07-301-25/+33
| | | | | | | | | | | | | | | For a few packages, the current TITLE is too long, so it is not displayed at all when running make menuconfig. Despite, there is no indication of OpenSSL vs. wolfSSL in the titles. Thus, this patch adjusts titles to be generally shorter, and adds the SSL variant to it. While at it, make things easier by creating a shared definition for eapol-test like it's done already for all the other flavors. Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de> (cherry picked from commit 917980fd8a6589d6911797211f1871016f527f8c)
* curl: patch CVE-2020-8169Jan Pavlinec2020-07-292-1/+39
| | | | | | | | | | | Affected versions: curl 7.62.0 to and including 7.70.0 https://curl.haxx.se/docs/CVE-2020-8169.html Run tested on Omnia with OpenWrt 19.07 Signed-off-by: Jan Pavlinec <jan.pavlinec@nic.cz> [added missing commit description] Signed-off-by: Petr Štetiar <ynezz@true.cz>
* firewall: backport patch for mss clamping in both directionsYousong Zhou2020-07-262-1/+34
| | | | Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
* vxlan: bump and change to PKG_RELEASEAdrian Schmutzler2020-07-171-1/+1
| | | | | | | | | | | | | | Bumping package version has been overlooked in a previous commit. While at it, use PKG_RELEASE instead of PKG_VERSION, as the latter is meant for upstream version number only. (The effective version string for the package would be "3" in both cases, so there is no harm done for version comparison.) Fixes: 0453c3866feb ("vxlan: fix udp checksum control") Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de> (cherry picked from commit b29d620ed2521fe6fda40ddafe6cb0f1d70e4503)
* vxlan: fix udp checksum controlJohannes Kimmel2020-07-171-0/+2
| | | | | | | | | | | | So far, passing "rxcsum" and "txcsum" had no effect. Fixes: 95ab18e0124e ("vxlan: add options to enable and disable UDP checksums") Signed-off-by: Johannes Kimmel <fff@bareminimum.eu> [add Fixes:] Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de> (cherry picked from commit 0453c3866feb701160bbab4ecf9762c5a3038503)
* wireguard: bump to 1.0.20200611Stijn Segers2020-07-041-2/+2
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This bump fixes breakage introduced by kernel commit 8ab8786f78c3fc930f9abf6d6d85e95567de4e1f, which is part of the 4.14.181 kernel bump, and backported ip6_dst_lookup_flow to 4.14. This breaks the older WireGuard version currently in 19.07. For reference, the compilation error is the one below: build_dir/target-x86_64_musl/linux-x86_64/wireguard-linux-compat-1.0.20200506/src/compat/compat.h:104:42: error: 'const struct ipv6_stub' has no member named 'ipv6_dst_lookup'; did you mean 'ipv6_dst_lookup_flow'? #define ipv6_dst_lookup_flow(a, b, c, d) ipv6_dst_lookup(a, b, &dst, c) + (void *)0 ?: dst Changelogs below taken from the official release announcements. == Changes since v1.0.20200506 == This release aligns with the changes I sent to DaveM for 5.7-rc7 and were pushed to net.git about 45 minutes ago. * qemu: use newer iproute2 for gcc-10 * qemu: add -fcommon for compiling ping with gcc-10 These enable the test suite to compile with gcc-10. * noise: read preshared key while taking lock Matt noticed a benign data race when porting the Linux code to OpenBSD. * queueing: preserve flow hash across packet scrubbing * noise: separate receive counter from send counter WireGuard now works with fq_codel, cake, and other qdiscs that make use of skb->hash. This should significantly improve latency spikes related to buffer bloat. Here's a before and after graph from some data Toke measured: https://data.zx2c4.com/removal-of-buffer-bloat-in-wireguard.png * compat: support RHEL 8 as 8.2, drop 8.1 support * compat: support CentOS 8 explicitly * compat: RHEL7 backported the skb hash renamings The usual RHEL churn. * compat: backport renamed/missing skb hash members The new support for fq_codel and friends meant more backporting work. * compat: ip6_dst_lookup_flow was backported to 4.14, 4.9, and 4.4 == Changes since v1.0.20200611 == * qemu: always use cbuild gcc rather than system gcc * qemu: remove -Werror in order to build ancient kernels better * qemu: patch kernels that rely on ancient make * qemu: force 2MB pages for binutils 2.31 * qemu: use cbuild gcc for avx512 exclusion * qemu: add extra fill in idt handler for newer binutils * qemu: support fetching kernels for arbitrary URLs * qemu: patch in UTS_UBUNTU_RELEASE_ABI for Ubuntu detection * qemu: work around broken centos8 kernel * qemu: mark per_cpu_load_addr as static for gcc-10 Our qemu test suite can now handle more kernels and more compilers. Scroll down to the bottom of https://www.wireguard.com/build-status/ to see the expanded array of kernels we now test against, including some distro kernels. * compat: widen breadth of integer constants * compat: widen breadth of memzero_explicit backport * compat: backport skb_scrub_packet to 3.11 * compat: widen breadth of prandom_u32_max backport * compat: narrow the breadth of iptunnel_xmit backport * compat: backport iptunnel_xmit to 3.11 With the expanded qemu test suite, it was possible to expand our list of mainline kernels, so the backport compat layer is now more precise. * compat: ubuntu appears to have backported ipv6_dst_lookup_flow * compat: bionic-hwe-5.0/disco kernel backported skb_reset_redirect and ipv6 flow Ubuntu kernels changed recently, so this ensures we can compile with the latest Ubuntu releases. * compat: remove stale suse support Signed-off-by: Stijn Segers <foss@volatilesystems.org> (cherry picked from commit 1fd1f5e8cff18f97675ce303b05d411136b99fb0)
* qos-scripts: fix interface resolvingJo-Philipp Wich2020-05-292-8/+14
| | | | | | | | | Also ensure that the error message is actually printed to stderr and that the rule generation is aborted if an interface cannot be resolved. Ref: https://github.com/openwrt/luci/issues/3975 Signed-off-by: Jo-Philipp Wich <jo@mein.io> (cherry picked from commit 559b3384666bbc6e4e9e6d86cf54bd88d30b341f)
* hostapd: backport wolfssl bignum fixesDaniel Golle2020-05-254-1/+107
| | | | | | | | | crypto_bignum_rand() use needless time-consuming filtering which resulted in SAE no longer connecting within time limits. Import fixes from hostap upstream to fix that. Signed-off-by: Daniel Golle <daniel@makrotopia.org> (cherry picked from commit 631c437a91c20df678b25dcc34fe23636116a35a)
* opkg: Fix PKG_MIRROR_HASHHauke Mehrtens2020-05-081-1/+1
| | | | | Fixes: c61fbdd0879b ("odhcpd: fix PKG_SOURCE_DATE") Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
* wireguard: bump to 1.0.20200506Jason A. Donenfeld2020-05-071-2/+2
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | * compat: timeconst.h is a generated artifact Before we were trying to check for timeconst.h by looking in the kernel source directory. This isn't quite correct on configurations in which the object directory is separate from the kernel source directory, for example when using O="elsewhere" as a make option when building the kernel. The correct fix is to use $(CURDIR), which should point to where we want. * compat: use bash instead of bc for HZ-->USEC calculation This should make packaging somewhat easier, as bash is generally already available (at least for dkms), whereas bc isn't provided by distros by default in their build meta packages. * socket: remove errant restriction on looping to self It's already possible to create two different interfaces and loop packets between them. This has always been possible with tunnels in the kernel, and isn't specific to wireguard. Therefore, the networking stack already needs to deal with that. At the very least, the packet winds up exceeding the MTU and is discarded at that point. So, since this is already something that happens, there's no need to forbid the not very exceptional case of routing a packet back to the same interface; this loop is no different than others, and we shouldn't special case it, but rather rely on generic handling of loops in general. This also makes it easier to do interesting things with wireguard such as onion routing. At the same time, we add a selftest for this, ensuring that both onion routing works and infinite routing loops do not crash the kernel. We also add a test case for wireguard interfaces nesting packets and sending traffic between each other, as well as the loop in this case too. We make sure to send some throughput-heavy traffic for this use case, to stress out any possible recursion issues with the locks around workqueues. * send: cond_resched() when processing tx ringbuffers Users with pathological hardware reported CPU stalls on CONFIG_ PREEMPT_VOLUNTARY=y, because the ringbuffers would stay full, meaning these workers would never terminate. That turned out not to be okay on systems without forced preemption. This commit adds a cond_resched() to the bottom of each loop iteration, so that these workers don't hog the core. We don't do this on encryption/decryption because the compat module here uses simd_relax, which already includes a call to schedule in preempt_enable. * selftests: initalize ipv6 members to NULL to squelch clang warning This fixes a worthless warning from clang. * send/receive: use explicit unlikely branch instead of implicit coalescing Some code readibility cleanups. Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com> (cherry picked from commit 4f6343ffe7fe8f7018f904b153dea9fc6038daf4)
* wireguard: bump to 20191226Jason A. Donenfeld2020-05-074-34/+61
| | | | | | | | | | | | | | | | | As announced on the mailing list, WireGuard will be in Linux 5.6. As a result, the wg(8) tool, used by OpenWRT in the same manner as ip(8), is moving to its own wireguard-tools repo. Meanwhile, the out-of-tree kernel module for kernels 3.10 - 5.5 moved to its own wireguard-linux- compat repo. Yesterday, releases were cut out of these repos, so this commit bumps packages to match. Since wg(8) and the compat kernel module are versioned and released separately, we create a wireguard-tools Makefile to contain the source for the new tools repo. Later, when OpenWRT moves permanently to Linux 5.6, we'll drop the original module package, leaving only the tools. So this commit shuffles the build definition around a bit but is basically the same idea as before. Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com> (cherry picked from commit ea980fb9c6de24350976dcc6c20da2bed5fc8cb8)
* odhcpd: fix PKG_SOURCE_DATEHans Dedecker2020-05-071-1/+1
| | | | | | Fixes: 5e8b50da15 (odhcpd : fix lan host reachibility due to identical RIO and PIO prefixes (FS#3056)) Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
* odhcpd: fix lan host reachibility due to identical RIO and PIO prefixes ↵Hans Dedecker2020-05-061-3/+3
| | | | | | | | (FS#3056) 49e4949 router: fix Lan host reachibility due to identical RIO and PIO prefixes (FS#3056) Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
* uhttpd: update to 19.07 Git HEADJo-Philipp Wich2020-05-061-3/+3
| | | | | | | 975dce2 client: allow keep-alive for POST requests d062f85 file: poke ustream after starting deferred program Signed-off-by: Jo-Philipp Wich <jo@mein.io>
* dante: Fix compile with glibcHauke Mehrtens2020-05-052-1/+54
| | | | | | | | | | | | | | | | | | | | When compiled with glibc the config_scan.c wants to use the cpupolicy2numeric() function which is only available when HAVE_SCHED_SETSCHEDULER is set. It looks like the wrong define was used here. This fixes a build problem with glibc in combination with the force ac_cv_func_sched_setscheduler=no in the OpenWrt CONFIGURE_VARS. This fixes the following compile error with glibc: ---------------------------------------------------------------------- /bin/ld: config_scan.o: in function `socks_yylex': dante-1.4.1/sockd/config_scan.l:461: undefined reference to `cpupolicy2numeric' collect2: error: ld returned 1 exit status make[5]: *** [Makefile:522: sockd] Error 1 Fixes: aaf46a8fe23e ("dante: disable sched_getscheduler() - not implemented in musl") Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de> (cherry picked from commit ce1798e915181e6c1f3ba735b254b37b84261303)
* wpad-wolfssl: fix crypto_bignum_sub()Antonio Quartulli2020-05-011-0/+26
| | | | | | | | | | | | | | | Backport patch from hostapd.git master that fixes copy/paste error in crypto_bignum_sub() in crypto_wolfssl.c. This missing fix was discovered while testing SAE over a mesh interface. With this fix applied and wolfssl >3.14.4 mesh+SAE works fine with wpad-mesh-wolfssl. Cc: Sean Parkinson <sean@wolfssl.com> Signed-off-by: Antonio Quartulli <a@unstable.cc> Signed-off-by: Daniel Golle <daniel@makrotopia.org> (cherry picked from commit 4b3b8ec81cd1965d0bd548fa31db491295b83354)
* hostapd: unconditionally enable ap/mesh for wpa-cliFelix Fietkau2020-05-012-2/+8
| | | | | | | | | | | Without this change, wpa-cli features depend on which wpad build variant was used to build the wpa-cli package Signed-off-by: Felix Fietkau <nbd@nbd.name> Tested-by: Jérôme Benoit <jerome.benoit@piment-noir.org> [WRT1900AC v1] [added missing package version bump] Signed-off-by: Petr Štetiar <ynezz@true.cz> (cherry picked from commit 03e9e4ba9ea8f00ff7c6f076f2cdc322e18cd3a4)
* curl: backport fix for CVE-2019-15601Petr Štetiar2020-05-012-1/+45
| | | | | | | | | | On Windows, refuse paths that start with \\ ... as that might cause an unexpected SMB connection to a given host name. Ref: PR#2730 Ref: https://curl.haxx.se/docs/CVE-2019-15601.html Suggested-by: Jerome Benoit <jerome.benoit@sap.com> Signed-off-by: Petr Štetiar <ynezz@true.cz>
* relayd: bump to version 2020-04-25Kevin Darbyshire-Bryant2020-04-271-3/+3
| | | | | | | | | f4d759b dhcp.c: further improve validation Further improve input validation for CVE-2020-11752 Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk> (cherry picked from commit 9e7d11f3e275d6f5d6b3edd7f0fa0440da43c45a)
* umdns: update to version 2020-04-25Kevin Darbyshire-Bryant2020-04-271-3/+3
| | | | | | | | | | | | cdac046 dns.c: fix input validation fix Due to a slight foobar typo, failing to de-reference a pointer, previous fix not quite as complete as it should have been. Improve CVE-2020-11750 fix Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk> (cherry picked from commit 9f7c8ed0786be97eda879e5f6681994e4de53d74)
* dnsmasq: fix dnssec+ntp chicken-and-egg workaround (FS#2574)Henrique de Moraes Holschuh2020-04-252-4/+3
| | | | | | | | | | | | | | | | | | | | | | | | Fix the test for an enabled sysntp initscript in dnsmasq.init, and get rid of "test -o" while at it. Issue reproduced on openwrt-19.07 with the help of pool.ntp.br and an RTC-less ath79 router. dnssec-no-timecheck would be clearly missing from /var/etc/dnsmasq.conf.* while the router was still a few days in the past due to non-working DNSSEC + DNS-based NTP server config. The fix was tested with the router in the "DNSSEC broken state": it properly started dnsmasq in dnssec-no-timecheck mode, and eventually ntp was able to resolve the server name to an IP address, and set the system time. DNSSEC was then enabled by SIGINT through the ntp hotplug hook, as expected. A missing system.ntp.enabled UCI node is required for the bug to show up. The reasons for why it would be missing in the first place were not investigated. Signed-off-by: Henrique de Moraes Holschuh <henrique@nic.br> Signed-off-by: Hans Dedecker <dedeckeh@gmail.com> [PKG_RELEASE increase] (cherry picked from commit 556b8581a15c855b2de0efbea6b625ab16cc9daf)
* relayd: bump to version 2020-04-20Kevin Darbyshire-Bryant2020-04-201-3/+3
| | | | | | | | | 796da66 dhcp.c: improve input validation & length checks Addresses CVE-2020-11752 Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk> (cherry picked from commit be172e663f318ec364c13f795df025bbcce9ac18)
* umdns: update to version 2020-04-20Kevin Darbyshire-Bryant2020-04-201-4/+4
| | | | | | | | | e74a3f9 dns.c: improve input validation Addresses CVE-2020-11750 Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk> (cherry picked from commit 533da61ac63079f218a9946cd8e347b880c33dc0)
* umdns: update to the version 2020-04-05Kevin Darbyshire-Bryant2020-04-201-4/+4
| | | | | | | | | ab7a39a umdns: fix unused error 45c4953 dns: explicitly endian-convert all fields in header and question Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk> (cherry picked from commit 22ae8bd50ef6d056b25a96ce6c77de0b0d53c1a1) (cherry picked from commit 17c4593e63f5847868f2c38185275199d37d379a)
* umdns: suppress address-of-packed-member warningKevin Darbyshire-Bryant2020-04-201-2/+2
| | | | | | | | | | | | | | | | | | | gcc 8 & 9 appear to be more picky with regards access alignment to packed structures, leading to this warning in dns.c: dns.c:261:2: error: converting a packed ‘struct dns_question’ pointer (alignment 1) to a ‘uint16_t’ {aka ‘short unsigned int’} pointer (alignment 2) may result in an unaligned pointer value [-Werror=address-of-packed-member] 261 | uint16_t *swap = (uint16_t *) q; Work around what I think is a false positive by turning the warning off. Not ideal, but not quite as not ideal as build failure. Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk> (cherry picked from commit 02640f014719a994e2e538b2cb6376a189cd39de) (cherry picked from commit a10b6ec1c8cd6d14a3b76a2ec3d81442b85f7321)
* dnsmasq: add 'scriptarp' optionJordan Sokolic2020-03-232-1/+3
| | | | | | | | | | | Add option 'scriptarp' to uci dnsmasq config to enable --script-arp functions. The default setting is false, meaning any scripts in `/etc/hotplug.d/neigh` intended to be triggered by `/usr/lib/dnsmasq/dhcp-script.sh` will fail to execute. Also enable --script-arp if has_handlers returns true. Signed-off-by: Jordan Sokolic <oofnik@gmail.com> Signed-off-by: Hans Dedecker <dedeckeh@gmail.com> [PKG_RELEASE increase]
* rssileds: add dependencies based on LDFLAGSopenwrt-19.07Adrian Schmutzler2020-03-111-1/+1
| | | | | | | | | | | | | | | | | | This adds the direct dependencies introduced by TARGET_LDFLAGS to the package's DEPENDS variable. This was found by accidentally building rssileds on octeon, which resulted in: "Package rssileds is missing dependencies for the following libraries: libnl-tiny.so" Though the dependencies are provided when building for the relevant targets ar71xx, ath79 and ramips, it seems more tidy to specify them explicitly. Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de> (cherry picked from commit a5b2c6f5edef1958d8789ff9bd89b408893b4358)
* ppp: backport security fixesPetr Štetiar2020-02-264-1/+129
| | | | | | | | | | | 8d45443bb5c9 pppd: Ignore received EAP messages when not doing EAP 8d7970b8f3db pppd: Fix bounds check in EAP code 858976b1fc31 radius: Prevent buffer overflow in rc_mksid() Signed-off-by: Petr Štetiar <ynezz@true.cz> (cherry picked from commit 215598fd03899c19a9cd26266221269dd5ec8cee) Fixes: CVE-2020-8597 Signed-off-by: Jo-Philipp Wich <jo@mein.io>
* Revert "ppp: backport security fixes"Jo-Philipp Wich2020-02-264-129/+1
| | | | | | | | This reverts commit 6b7eeb74dbf8b491b6426820bfa230fca60047dc since it didn't contain a reference to the CVE it addresses. The next commit will re-add the commit including a CVE reference in its commit message. Signed-off-by: Jo-Philipp Wich <jo@mein.io>
* uhttpd: update to latest Git HEADJo-Philipp Wich2020-02-261-3/+3
| | | | | | | 2ee323c file: poke ustream after starting deferred program Signed-off-by: Jo-Philipp Wich <jo@mein.io> (cherry picked from commit 04069fde19e86af7728111814afadf780bf08018)
* ppp: backport security fixesPetr Štetiar2020-02-204-1/+129
| | | | | | | | | 8d45443bb5c9 pppd: Ignore received EAP messages when not doing EAP 8d7970b8f3db pppd: Fix bounds check in EAP code 858976b1fc31 radius: Prevent buffer overflow in rc_mksid() Signed-off-by: Petr Štetiar <ynezz@true.cz> (cherry picked from commit 215598fd03899c19a9cd26266221269dd5ec8cee)
* hostapd: remove erroneous $(space) redefinitionJo-Philipp Wich2020-02-081-3/+0
| | | | | | | | | | | | | | | | | The $(space) definition in the hostapd Makefile ceased to work with GNU Make 4.3 and later, leading to syntax errors in the generated Kconfig files. Drop the superfluous redefinition and reuse the working $(space) declaration from rules.mk to fix this issue. Fixes: GH#2713 Ref: https://github.com/openwrt/openwrt/pull/2713#issuecomment-583722469 Reported-by: Karel Kočí <cynerd@email.cz> Suggested-by: Jonas Gorski <jonas.gorski@gmail.com> Tested-by: Shaleen Jain <shaleen@jain.sh> Signed-off-by: Jo-Philipp Wich <jo@mein.io> (cherry picked from commit 766e778226f5d4c6ec49ce22b101a5dbd4306644)
* hostapd: fix faulty WMM IE parameters with ETSI regulatory domainsFelix Fietkau2020-01-232-0/+88
| | | | | | | | hostapd sets minimum values for CWmin/CWmax/AIFS and maximum for TXOP. The code for applying those values had a few bugs leading to bogus values, which caused significant latency and packet loss. Signed-off-by: Felix Fietkau <nbd@nbd.name>
* hostapd: cleanup IBSS-RSNDaniel Golle2020-01-162-6/+2
| | | | | | | set noscan also for IBSS and remove redundant/obsolete variable. Signed-off-by: Daniel Golle <daniel@makrotopia.org> (cherry picked from commit 702c70264b388c2b47e171843f297f43c71b86b9)
* ethtool: fix PKG_CONFIG_DEPENDSMatthias Schiffer2020-01-071-1/+1
| | | | | | | Add missing CONFIG_ prefix. Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net> (cherry picked from commit 41c19dd542973dbc1336ecceaa32777506933cdf)
* dnsmasq: Fix potential dnsmasq crash with TCPHauke Mehrtens2020-01-062-1/+36
| | | | | | | | | | | | | | | | This is a backport from the dnsmasq master which should fix a bug which could cause a crash in dnsmasq. I saw the following crashes in my log: [522413.117215] do_page_fault(): sending SIGSEGV to dnsmasq for invalid read access from 2a001450 [522413.124464] epc = 004197f1 in dnsmasq[400000+23000] [522413.129459] ra = 004197ef in dnsmasq[400000+23000] This is happening in blockdata_write() when block->next is dereferenced, but I am not sure if this is related to this problem or if this is a different problem. I am unable to reproduce this problem. Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de> (cherry picked from commit 414d0541381d432e69190f394dfe2a6e8122d6bb)
* uhttpd: reset PKG_RELEASEJo-Philipp Wich2019-12-221-1/+1
| | | | | Signed-off-by: Jo-Philipp Wich <jo@mein.io> (cherry picked from commit 97af1fc979d0683649c6bea8a9245a6a9fa5413a)
* uhttpd: update to latest Git HEADJo-Philipp Wich2019-12-221-3/+3
| | | | | | | 5f9ae57 client: fix invalid data access through invalid content-length values Signed-off-by: Jo-Philipp Wich <jo@mein.io> (cherry picked from commit f34f9a414dd32311bda950776eb77e63c0c772cb)
* odhcpd: optimize syslog priority valuesHans Dedecker2019-12-161-3/+3
| | | | | | e53fec8 treewide: optimize syslog priority values Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
* swconfig: Activate LTO compile optionHauke Mehrtens2019-11-301-0/+3
| | | | | | | | | | | | | This decreases the size of the swconfig application by 25% on MIPS BE. old: 16,916 /sbin/swconfig new: 12,565 /sbin/swconfig Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de> (cherry picked from commit e926681387891fe9af89d884ebc3dce4c8c7f450)
* firewall: update to latest Git HEADJo-Philipp Wich2019-11-221-3/+3
| | | | | | | | 8174814 utils: persist effective extra_src and extra_dest options in state file 72a486f zones: fix emitting match rules for zones with only "extra" options Signed-off-by: Jo-Philipp Wich <jo@mein.io> (cherry picked from commit 482114d3f78df2a19904cc8edf7d9adcfdbb8625)
* firewall: update to latest git HEADHans Dedecker2019-11-221-3/+3
| | | | | | | daed0cf utils: fix resource leak Signed-off-by: Hans Dedecker <dedeckeh@gmail.com> (cherry picked from commit 27bf8abe69f3b048cbcbf9d2e796ecba5f0a42e7)
* hostapd: add IEEE 802.11k supportKyle Copperfield2019-11-141-0/+13
| | | | | | | | | | | | Enables radio resource management to be reported by hostapd to clients. Ref: https://github.com/lede-project/source/pull/1430 Co-developed-by: Lorenzo Santina <lorenzo.santina@edu.unito.it> Signed-off-by: Lorenzo Santina <lorenzo.santina@edu.unito.it> Signed-off-by: Kyle Copperfield <kmcopper@danwin1210.me> [removed the DMARC crap] Signed-off-by: Petr Štetiar <ynezz@true.cz> (cherry picked from commit 87f9292300cf56ad17f44363ced213c59a95ef44)
* hostapd: Add mesh support for wpad fullHauke Mehrtens2019-11-141-2/+2
| | | | | | | | | | | | | | | This increases the size of the binary slightly: old: 427722 wpad-wolfssl_2019-08-08-ca8c2bd2-1_mipsel_24kc.ipk 431696 wpad-openssl_2019-08-08-ca8c2bd2-1_mipsel_24kc.ipk new: 442109 wpad-wolfssl_2019-08-08-ca8c2bd2-1_mipsel_24kc.ipk 445997 wpad-openssl_2019-08-08-ca8c2bd2-1_mipsel_24kc.ipk Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de> (cherry picked from commit 49cc712b44c76e99bfb716c06700817692975e05)
* hostapd: use getrandom syscallHauke Mehrtens2019-11-147-7/+7
| | | | | | | | | hostapd will not use the getrandom() syscall and as a fallback use /dev/random, the syscall is supported since Linux 3.17 and in the musl, glibc and uclibc version used by OpenWrt. Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de> (cherry picked from commit 998686364da7d002ba9f6dbb43cc5f32294dd4ab)
* hostapd: Remove unneeded patchHauke Mehrtens2019-11-148-28/+14
| | | | | | | | All the content of this function is proceeded by IEEE8021X_EAPOL no code accesses the ssid variable outside of this ifdef. Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de> (cherry picked from commit 0d86bf518aaefa57bef577d09a18aff03eccb70c)