commit 5edbd390d321532d9a697d6895a1a7c71c40bd5d rearranged the
"wifi up" code.
This commit tidies up the "wifi reconf" code so as to
keep it aligned with the "wifi up" code.
branches affected: trunk, 21.02
Signed-off-by: Bob Cantor <coxede6557@w3boats.com>
"/sbin/wifi up" makes three ubus calls:
1. ubus call network reload
2. ubus call network.wireless down
3. ubus call network.wireless up
The first and third ubus calls call drv_mac80211_setup,
while the second ubus call triggers wireless_device_setup_cancel,
so the call sequence becomes,
1. drv_mac80211_setup
2. wireless_device_setup_cancel
3. drv_mac80211_setup
This commit swaps the order of the first two ubus calls,
1. ubus call network.wireless down
2. ubus call network reload
3. ubus call network.wireless up
Consequently drv_mac80211_setup is only called once,
and two related bugs (#FS3784 and #FS3902) are no longer triggered
by /sbin/wifi.
branches affected: trunk, 21.02
Signed-off-by: Bob Cantor <coxede6557@w3boats.com>
drv_mac80211_teardown fails silently if the device to be torn down is
not defined. This commit prints an error message.
branches affected: trunk, 21.02
Signed-off-by: Bob Cantor <coxede6557@w3boats.com>
When wifi is turned off, drv_mac80211_teardown sometimes fails (silently)
because the device to be torn down is not defined.
This situation arises if drv_mac80211_setup was called twice when
wifi was turned on.
This commit ensures that the device to be torn down is always defined
in drv_mac80211_teardown.
Steps to reproduce:
1) Use /sbin/wifi to turn on wifi.
uci set wireless.@wifi-iface[0].disabled=0
uci set wireless.@wifi-device[0].disabled=0
uci commit
wifi
2) Use /sbin/wifi to turn off wifi.
uci set wireless.@wifi-device[0].disabled=1
uci commit
wifi
3) Observe that wifi is still up.
branches affected: trunk, 21.02
Signed-off-by: Bob Cantor <coxede6557@w3boats.com>
If drv_mac80211_setup is called twice with the same wifi configuration,
then the second call returns early with error HOSTAPD_START_FAILED.
(wifi works nevertheless, despite the fact that setup is incomplete. But
"ubus call network.wireless status" erroneously reports that radio0 is down.)
The relevant part of drv_mac80211_setup is,
if [ "$no_reload" != "0" ]; then
add_ap=1
ubus wait_for hostapd
local hostapd_res="$(ubus call hostapd config_add "{\"iface\":\"$primary_ap\", \"config\":\"${hostapd_conf_file}\"}")"
ret="$?"
[ "$ret" != 0 -o -z "$hostapd_res" ] && {
wireless_setup_failed HOSTAPD_START_FAILED
return
}
wireless_add_process "$(jsonfilter -s "$hostapd_res" -l 1 -e @.pid)" "/usr/sbin/hostapd" 1 1
fi
This commit sets no_reload = 0 during the second call of drv_mac80211_setup.
It is perhaps worth providing a way to reproduce the situation
where drv_mac80211_setup is called twice.
When /sbin/wifi is used to turn on wifi,
uci set wireless.@wifi-iface[0].disabled=0
uci set wireless.@wifi-device[0].disabled=0
uci commit
wifi
/sbin/wifi makes the following ubus calls,
ubus call network reload
ubus call network.wireless down
ubus call network.wireless up
The first and third ubus calls both call drv_mac80211_setup,
while the second ubus call triggers wireless_device_setup_cancel.
So the call sequence becomes,
drv_mac80211_setup
wireless_device_setup_cancel
drv_mac80211_setup
In contrast, when LuCI is used to turn on wifi only a single call
is made to drv_mac80211_setup.
branches affected: trunk, 21.02
Signed-off-by: Bob Cantor <coxede6557@w3boats.com>
sysntpd server becomes unavailable if the index of the bound
interface changes. So let's add an interface trigger to reload sysntpd.
This patch also adds the ability for the sysntpd script to handle
uci interface name from configuration.
Fixes: 4da60500ebd2 ("busybox: sysntpd: option to bind server to iface")
Signed-off-by: Alexey Dobrovolsky <dobrovolskiy.alexey@gmail.com>
Reviewed-by: Philip Prindeville <philipp@redfish-solutions.com>
* kernel: 5.10: re-add shortcut-fe patch
Signed-off-by: Tianling Shen <cnsztl@immortalwrt.org>
* ipq807x: compat with SFE patch
Patch for ECM support includes some stuff provided by the one for sfe
alreadly, simply remove these duplicated parts.
Signed-off-by: Tianling Shen <cnsztl@immortalwrt.org>
* qca-nss-ecm: rework netfilter conntrack notification
Signed-off-by: Tianling Shen <cnsztl@immortalwrt.org>
* mac80211: allow VHT on 2.4GHz
Allow VHT rate on 2.4GHz in order to use 256-QAM
Signed-off-by: DENG Qingfang <dengqf6@mail2.sysu.edu.cn>
* ath10k: allow VHT on 2.4GHz
Signed-off-by: DENG Qingfang <dengqf6@mail2.sysu.edu.cn>
* hostapd: add vendor_vht option
hostapd has vendor_vht option to enable VHT (256-QAM) on 2.4GHz
Add this option to hostapd.sh so users can enable it via uci
Signed-off-by: DENG Qingfang <dengqf6@mail2.sysu.edu.cn>
* mac80211: ath.mk: typo fixes
Co-authored-by: DENG Qingfang <dengqf6@mail2.sysu.edu.cn>
This adds conflicts between variants of libustream pacakge.
They provide the same file and thus it should not be possible to install
them side by side.
Signed-off-by: Karel Kočí <karel.koci@nic.cz>
They can be added as hex digit strings via the 'vendor_elements' option
Signed-off-by: Felix Fietkau <nbd@nbd.name>
Co-authored-by: Felix Fietkau <nbd@nbd.name>
* Update to v0.3.4
Update to lastest version from lisaac.
* Update to v0.3.4
Update to lastest version from lisaac
* luci-lib-docker: Update to v0.3.4
Update to lastest version from lisaac.
* luci-app-diskman: Update to v0.2.11
* Update to v0.3.4
Update to lastest version from lisaac.
* Update to v0.3.4
Update to lastest version from lisaac
* luci-lib-docker: Update to v0.3.4
Update to lastest version from lisaac.
With the default configuration we generate, the supplicant starts
scanning and tries to connect to any open network when the interface
is enabled.
In some cases it can be desirable to prevent the supplicant from
scanning by itself. For example, if on the same radio an AP is
configured and an unconfigured STA is added (to be configured with
WPS), the AP might not be able to beacon until the STA stops
scanning.
In such a case, the STA configuration can still be required to set
specific settings (e.g. multi_ap_backhaul_sta) so it can't be set to
"disabled" in uci (because that would prevent the supplicant from
being run at all). The alternative is to add the "disabled" parameter
to the default network block in the supplicant configuration.
This patch adds a "default_disabled" setting in UCI which, when set,
adds the "disabled" parameter to the supplicant default network block.
Signed-off-by: Raphaël Mélotte <raphael.melotte@mind.be>
Co-authored-by: Raphaël Mélotte <raphael.melotte@mind.be>
In the aftermath of the KRACK attacks, hostapd gained an AP-side workaround
against WNM-Sleep Mode GTK/IGTK reinstallation attacks. WNM Sleep Mode is not
enabled by default on OpenWrt, but it is configurable through the option
wnm_sleep_mode. Thus, make the AP-side workaround configurable as well by
exposing the option wnm_sleep_mode_no_keys. If you use the option
wpa_disable_eapol_key_retries and have wnm_sleep_mode enabled, you might
consider using this workaround.
Signed-off-by: Timo Sigurdsson <public_timo.s@silentcreek.de>
Co-authored-by: Timo Sigurdsson <public_timo.s@silentcreek.de>
* hostapd: make country3 option configurable
The country3 option in hostapd.conf allows the third octet of the country
string to be set. It can be used e.g. to indicate indoor or outdoor use (see
hostapd.conf for further details). Make this option configurable but optional
in OpenWrt.
Signed-off-by: Timo Sigurdsson <public_timo.s@silentcreek.de>
* hostapd: fix handling of the channel utilization options
Commit 0a7657c ("hostapd: add channel utilization as config option") added the
two new uci options bss_load_update_period and chan_util_avg_period. However,
the corresponding "config_add_int" calls for these options weren't added, so
attempting to actually use these options and change their values is bound to
fail - they always stay at their defaults. Add the missing code to actually
make these options work.
Fixes: 0a7657c ("hostapd: add channel utilization as config option")
Signed-off-by: Timo Sigurdsson <public_timo.s@silentcreek.de>
Co-authored-by: Timo Sigurdsson <public_timo.s@silentcreek.de>
Make it possible to specify the SAE mechanism for PWE derivation. The
following values are possible:
0 = hunting-and-pecking loop only
1 = hash-to-element only
2 = both hunting-and-pecking loop and hash-to-element enabled
hostapd currently defaults to hunting-and-pecking loop only.
Signed-off-by: Michael Yartys <michael.yartys@protonmail.com>
This is a follow up of 1a9b896d ("treewide: nuke DRIVER_11W_SUPPORT").
LuCI commit ab010406 ("luci-mod-network: skip check for 802.11w feature")
skips check of the 11w feature [1]. Now advertising it in hostapd is
superfluous so stop doing it.
[1]: https://github.com/openwrt/luci/pull/4689
Signed-off-by: Dobroslaw Kijowski <dobo90@gmail.com>
[remove outdated PKG_RELEASE bump and update to SPDX]
Signed-off-by: Paul Spooren <mail@aparcar.org>
* mac80211: remove patches stripping down crypto support
Use of WPA3 and things like FILS is getting much more common, and platforms
that can't affort the extra kilobytes for this code are fading away.
Let's not hold back modern authentication methods any longer
Signed-off-by: Felix Fietkau <nbd@nbd.name>
* kernel: make cryptoapi support needed by mac80211 built-in
This reduces the flash space impact, since built-in code is much smaller
than a bunch of kernel modules on squashfs
Signed-off-by: Felix Fietkau <nbd@nbd.name>
* mac80211: remove extra patch accidentally added during rebase
Signed-off-by: Felix Fietkau <nbd@nbd.name>
Co-authored-by: Felix Fietkau <nbd@nbd.name>
We need to skip sampling if the next sample time is after jiffies, not before.
This patch fixes an issue where in some cases only very little sampling (or none
at all) is performed, leading to really bad data rates
Signed-off-by: Felix Fietkau <nbd@nbd.name>
ATH_REG_DYNAMIC_USER_REG_HINTS is currently not being set as mac80211
tries to set it as m which is not possible as its boolean only.
Since its used alongside user regulatory, move it to USER_REGD.
This is required for ath11k to accept regulatory changes, otherwise
it wont accept any changes and will simply force US.
Signed-off-by: Robert Marko <robimarko@gmail.com>
Co-authored-by: Robert Marko <robimarko@gmail.com>
* grub2: update to 2.06-rc1
When building GRUB with binutils 2.35.2 or later, an error occurs due to
a section .note.gnu.property that is placed at an offset such that
objcopy needs to pad the img file with zeros. This in turn causes the
following error: "error: Decompressor is too big.".
The fix accepted by upstream patches a python script that isn't executed
at all when building GRUB with OpenWrt buildroot. There's another patch
that patches the files generated by that python script directly, but by
including it we would deviate further from upstream. Instead of doing
that, simply bump to the latest release candidate.
As one of the fixes for the CVEs causes grub to crash on some x86
hardware using legacy BIOS when compiled with -O2, filter -O2 and
-O3 out of TARGET_CFLAGS.
Fixes the following CVEs:
- CVE-2020-14372
- CVE-2020-25632
- CVE-2020-25647
- CVE-2020-27749
- CVE-2020-27779
- CVE-2021-3418
- CVE-2021-20225
- CVE-2021-20233
Runtime-tested on x86/64.
Fixes: FS#3790
Suggested-by: Dirk Neukirchen <plntyk.lede@plntyk.name>
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
Acked-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
* grub2: disable liblzma dependency
Florian Ekert reported:
"I have build a fresh master branch recently, Since your last change [1]
on grub2, I have now a new dependency on liblzma for the install package
grub2-editenv.
root@st-dev-07 /usr/lib # ldd /root/grub-editenv
/lib/ld-musl-x86_64.so.1 (0x7f684b088000)
liblzma.so.5 => /usr/lib/liblzma.so.5 (0x7f684b06d000)
libgcc_s.so.1 => /lib/libgcc_s.so.1 (0x7f684b059000)
libc.so => /lib/ld-musl-x86_64.so.1 (0x7f684b088000)
This was not the case before your update.
root@st-dev-07 /usr/sbin # ldd /usr/sbin/grub-editenv
/lib/ld-musl-x86_64.so.1 (0x7fd970176000)
libgcc_s.so.1 => /lib/libgcc_s.so.1 (0x7fd970162000)
libc.so => /lib/ld-musl-x86_64.so.1 (0x7fd970176000)
My build complains that it cannot satisfy the runtime package dependency
for grub2-editenv.
install -d -m0755 /home/feckert/workspace/openwrt/LDM-master-x86_64/build/openwrt/build_dir/target-x86_64_musl/linux-x86_64/grub-pc/grub-2.06~rc1/ipkg-x86_64/grub2-editenv/usr/sbin
install -m0755 /home/feckert/workspace/openwrt/LDM-master-x86_64/build/openwrt/build_dir/target-x86_64_musl/linux-x86_64/grub-pc/grub-2.06~rc1/grub-editenv /home/feckert/workspace/openwrt/LDM-master-x86_64/build/openwrt/build_dir/target-x86_64_musl/linux-x86_64/grub-pc/grub-2.06~rc1/ipkg-x86_64/grub2-editenv/usr/sbin/
find /home/feckert/workspace/openwrt/LDM-master-x86_64/build/openwrt/build_dir/target-x86_64_musl/linux-x86_64/grub-pc/grub-2.06~rc1/ipkg-x86_64/grub2-editenv -name 'CVS' -o -name '.svn' -o -name '.#*' -o -name '*~'| xargs -r rm -rf
Package grub2-editenv is missing dependencies for the following libraries:
liblzma.so.5
make[2]: *** [Makefile:166: /home/feckert/workspace/openwrt/LDM-master-x86_64/build/openwrt/bin/APOS/feckert/master/master-Maggie-455-ga5edc0e8e/x86_64/targets/x86/64/packages/grub2-editenv_2.06~rc1-1_x86_64.ipk] Error 1
make[2]: Leaving directory '/home/feckert/workspace/openwrt/LDM-master-x86_64/build/openwrt/package/boot/grub2'
time: package/boot/grub2/pc/compile#78.64#9.79#83.88
ERROR: package/boot/grub2 failed to build (build variant: pc).
make[1]: *** [package/Makefile:116: package/boot/grub2/compile] Error 1
make[1]: Leaving directory '/home/feckert/workspace/openwrt/LDM-master-x86_64/build/openwrt'
make: *** [/home/feckert/workspace/openwrt/LDM-master-x86_64/build/openwrt/include/toplevel.mk:230: package/boot/grub2/compile] Error 2
If I add the following changes to the package all works as expected.
<snip>
- DEPENDS:=@TARGET_x86
+ DEPENDS:=@TARGET_x86 +liblzma
VARIANT:=pc
endef
This is a hotfix but I dont´t think this is the final solution, because lzma is provided by the package xz.
And This is maintained in the package feed [not the core]"
Dirk stated & offered his patch to disable liblzma and thus resolve the
'out of core dependency' problem:
"LZMA is used in mkimage.c
disabling it prints
Without liblzma (no support for XZ-compressed mips images) (explicitly disabled)
(see configure.ac)
liblzma is autodetected so this issue was present but hidden somehow
[unsure: grep/image generation does not use grub with that option]
OpenWrt does not use that feature currently
[!] some scripts and examples use --compression=xz or -C xz and those will break
grub has an internal xzlib for different "lzma" functionality
(ext. LIBLZMA from XZ (GRUB_COMPRESSION_XZ) vs. GRUB_COMPRESSION_LZMA)"
Hopefully fixes e74d81e and doesn't
break anything else.
Signed-off-by: Dirk Neukirchen <plntyk.lede@plntyk.name>
[include Florian's description of how problem 1st encountered]
[bump package release]
Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
Co-authored-by: Stijn Tintel <stijn@linux-ipv6.be>
Co-authored-by: Dirk Neukirchen <plntyk.lede@plntyk.name>
From the patch series description:
Several security issues in the 802.11 implementations were found by
Mathy Vanhoef (New York University Abu Dhabi), who has published all
the details at
https://papers.mathyvanhoef.com/usenix2021.pdf
Specifically, the following CVEs were assigned:
* CVE-2020-24586 - Fragmentation cache not cleared on reconnection
* CVE-2020-24587 - Reassembling fragments encrypted under different
keys
* CVE-2020-24588 - Accepting non-SPP A-MSDU frames, which leads to
payload being parsed as an L2 frame under an
A-MSDU bit toggling attack
* CVE-2020-26139 - Forwarding EAPOL from unauthenticated sender
* CVE-2020-26140 - Accepting plaintext data frames in protected
networks
* CVE-2020-26141 - Not verifying TKIP MIC of fragmented frames
* CVE-2020-26142 - Processing fragmented frames as full frames
* CVE-2020-26143 - Accepting fragmented plaintext frames in
protected networks
* CVE-2020-26144 - Always accepting unencrypted A-MSDU frames that
start with RFC1042 header with EAPOL ethertype
* CVE-2020-26145 - Accepting plaintext broadcast fragments as full
frames
* CVE-2020-26146 - Reassembling encrypted fragments with non-consecutive
packet numbers
* CVE-2020-26147 - Reassembling mixed encrypted/plaintext fragments
In general, the scope of these attacks is that they may allow an
attacker to
* inject L2 frames that they can more or less control (depending on the
vulnerability and attack method) into an otherwise protected network;
* exfiltrate (some) network data under certain conditions, this is
specific to the fragmentation issues.
A subset of these issues is known to apply to the Linux IEEE 802.11
implementation (mac80211). Where it is affected, the attached patches
fix the issues, even if not all of them reference the exact CVE IDs.
In addition, driver and/or firmware updates may be necessary, as well
as potentially more fixes to mac80211, depending on how drivers are
using it.
Specifically, for Intel devices, firmware needs to be updated to the
most recently released versions (which was done without any reference
to the security issues) to address some of the vulnerabilities.
To have a single set of patches, I'm also including patches for the
ath10k and ath11k drivers here.
We currently don't have information about how other drivers are, if
at all, affected.
Signed-off-by: Felix Fietkau <nbd@nbd.name>
Co-authored-by: Felix Fietkau <nbd@nbd.name>
Fixes issue with merged DNS requests in 2.83/2.84 not being
retried on the firsts failed request causing lookup failures.
Also fixes the following security problem in dnsmasq:
* CVE-2021-3448:
If specifiying the source address or interface to be used
when contacting upstream name servers such as:
server=8.8.8.8@1.2.3.4, server=8.8.8.8@1.2.3.4#66 and
server=8.8.8.8@eth0 then all would use the same socket
bound to the explicitly configured port. Now only
server=8.8.8.8@1.2.3.4#66 will use the explicitly
configured port and the others random source ports.
Remove upstreamed patches and update remaining patch.
Signed-off-by: Alan Swanson <reiver@improbability.net>
[refreshed old runtime support patch]
Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
Co-authored-by: Alan Swanson <reiver@improbability.net>
默认情况下 SSR PLUS DNS结果根本无法缓存(由于引入拒绝ipv6结果导致的问题),nslookup & dig 延迟每次依然有200-300多.
dnsmasq处设置缓存依然无效,设置TTL也无效,应该是bug。
解决办法是手动指定缓存TTL为最大一小时。域名查询实测有效缓存0延迟。
此变更仅使开启dnsmasq缓存的情况下正常工作。
The can-dev.ko kernel module was moved in kernel 5.4.110 and 5.10.28.
Fixes: 5dcbd82 ("kernel: bump 5.4 to 5.4.110")
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
[Also compatible with kernel 4.x]
Signed-off-by: AmadeusGhost <amadeus@jmu.edu.cn>
Co-authored-by: Hauke Mehrtens <hauke@hauke-m.de>
This release of Mbed TLS provides bug fixes and minor enhancements. This
release includes fixes for security issues.
Security fixes:
* Fix a buffer overflow in mbedtls_mpi_sub_abs()
* Fix an errorneous estimation for an internal buffer in
mbedtls_pk_write_key_pem()
* Fix a stack buffer overflow with mbedtls_net_poll() and
mbedtls_net_recv_timeout()
* Guard against strong local side channel attack against base64 tables
by making access aceess to them use constant flow code
Full release announcement:
https://github.com/ARMmbed/mbedtls/releases/tag/v2.16.10
Signed-off-by: Magnus Kroken <mkroken@gmail.com>
Co-authored-by: Magnus Kroken <mkroken@gmail.com>
This version fixes 2 security vulnerabilities, among other changes:
- CVE-2021-3450: problem with verifying a certificate chain when using
the X509_V_FLAG_X509_STRICT flag.
- CVE-2021-3449: OpenSSL TLS server may crash if sent a maliciously
crafted renegotiation ClientHello message from a client.
Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
Co-authored-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
This should fix the problem of mwlwifi-firmware-* not being found
when using the ImageBuilder.
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
(cherry picked from commit 9b3aaf1)
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
This is the vendor driver for r8152/r8153 series USB ethernet adapter, it may be
better than the driver from kernel mainline, or be worse. It's depending on your
use-case.
Signed-off-by: Tianling Shen <cnsztl@immortalwrt.org>
* mbedtls: update to 2.16.9
Signed-off-by: Rosen Penev <rosenp@gmail.com>
Signed-off-by: Tianling Shen <cnsztl@immortalwrt.org>
* mbedtls: Implements AES and GCM with ARMv8 Crypto Extensions
A compact patch that provides AES and GCM implementations that utilize the
ARMv8 Crypto Extensions. The config flag is MBEDTLS_ARMV8CE_AES_C, which
is disabled by default as we don't do runtime checking for the feature.
The new implementation lives in armv8ce_aes.c.
Provides similar functionality to https://github.com/ARMmbed/mbedtls/pull/432
Thanks to Barry O'Rourke and others for that contribtion.
Tested on a Cortex A53 device and QEMU. On a midrange phone the real AES-GCM
throughput increases about 4x, while raw AES speed is up to 10x faster.
[updated Makefile to enable this function, adjusted commit message]
Signed-off-by: Tianling Shen <cnsztl@immortalwrt.org>
Co-authored-by: Rosen Penev <rosenp@gmail.com>
Co-authored-by: QiuSimons <45143996+QiuSimons@users.noreply.github.com>
This patch fixes the following error when we compile with GCC 10.
‘’
‘’openwrt/staging_dir/toolchain-aarch64_generic_gcc-10.2.0_musl/lib/gcc/aarch64-openwrt-linux-musl/10.2.0/../../../../aarch64-openwrt-linux-musl/bin/ld: ss_local-http.o:openwrt/build_dir/target-aarch64_generic_musl/shadowsocksr-libev/shadowsocksr-libev-2.5.6-d63ff863800a5645aca4309d5dd5962bd1e95543/src/http.h:32: multiple definition of `http_protocol'; ss_local-local.o:openwrt/build_dir/target-aarch64_generic_musl/shadowsocksr-libev/shadowsocksr-libev-2.5.6-d63ff863800a5645aca4309d5dd5962bd1e95543/src/http.h:32: first defined here
openwrt/staging_dir/toolchain-aarch64_generic_gcc-10.2.0_musl/lib/gcc/aarch64-openwrt-linux-musl/10.2.0/../../../../aarch64-openwrt-linux-musl/bin/ld: ss_local-tls.o:openwrt/build_dir/target-aarch64_generic_musl/shadowsocksr-libev/shadowsocksr-libev-2.5.6-d63ff863800a5645aca4309d5dd5962bd1e95543/src/tls.h:31: multiple definition of `tls_protocol'; ss_local-local.o:openwrt/build_dir/target-aarch64_generic_musl/shadowsocksr-libev/shadowsocksr-libev-2.5.6-d63ff863800a5645aca4309d5dd5962bd1e95543/src/tls.h:31: first defined here‘’
‘’
This fixes 4 security vulnerabilities/bugs:
- CVE-2021-2839 - SSLv2 vulnerability. Openssl 1.1.1 does not support
SSLv2, but the affected functions still exist. Considered just a bug.
- CVE-2021-2840 - calls EVP_CipherUpdate, EVP_EncryptUpdate and
EVP_DecryptUpdate may overflow the output length argument in some
cases where the input length is close to the maximum permissable
length for an integer on the platform. In such cases the return value
from the function call will be 1 (indicating success), but the output
length value will be negative.
- CVE-2021-2841 - The X509_issuer_and_serial_hash() function attempts to
create a unique hash value based on the issuer and serial number data
contained within an X509 certificate. However it was failing to
correctly handle any errors that may occur while parsing the issuer
field (which might occur if the issuer field is maliciously
constructed). This may subsequently result in a NULL pointer deref and
a crash leading to a potential denial of service attack.
- Fixed SRP_Calc_client_key so that it runs in constant time. This could
be exploited in a side channel attack to recover the password.
The 3 CVEs above are currently awaiting analysis.
Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
Co-authored-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
This fixes the following security problems in dnsmasq:
* CVE-2020-25681:
Dnsmasq versions before 2.83 is susceptible to a heap-based buffer
overflow in sort_rrset() when DNSSEC is used. This can allow a remote
attacker to write arbitrary data into target device's memory that can
lead to memory corruption and other unexpected behaviors on the target
device.
* CVE-2020-25682:
Dnsmasq versions before 2.83 is susceptible to buffer overflow in
extract_name() function due to missing length check, when DNSSEC is
enabled. This can allow a remote attacker to cause memory corruption
on the target device.
* CVE-2020-25683:
Dnsmasq version before 2.83 is susceptible to a heap-based buffer
overflow when DNSSEC is enabled. A remote attacker, who can create
valid DNS replies, could use this flaw to cause an overflow in a heap-
allocated memory. This flaw is caused by the lack of length checks in
rtc1035.c:extract_name(), which could be abused to make the code
execute memcpy() with a negative size in get_rdata() and cause a crash
in Dnsmasq, resulting in a Denial of Service.
* CVE-2020-25684:
A lack of proper address/port check implemented in Dnsmasq version <
2.83 reply_query function makes forging replies easier to an off-path
attacker.
* CVE-2020-25685:
A lack of query resource name (RRNAME) checks implemented in Dnsmasq's
versions before 2.83 reply_query function allows remote attackers to
spoof DNS traffic that can lead to DNS cache poisoning.
* CVE-2020-25686:
Multiple DNS query requests for the same resource name (RRNAME) by
Dnsmasq versions before 2.83 allows for remote attackers to spoof DNS
traffic, using a birthday attack (RFC 5452), that can lead to DNS
cache poisoning.
* CVE-2020-25687:
Dnsmasq versions before 2.83 is vulnerable to a heap-based buffer
overflow with large memcpy in sort_rrset() when DNSSEC is enabled. A
remote attacker, who can create valid DNS replies, could use this flaw
to cause an overflow in a heap-allocated memory. This flaw is caused
by the lack of length checks in rtc1035.c:extract_name(), which could
be abused to make the code execute memcpy() with a negative size in
sort_rrset() and cause a crash in dnsmasq, resulting in a Denial of
Service.
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
Co-authored-by: Hauke Mehrtens <hauke@hauke-m.de>
Running `ps` via luci.exec directly will cause no output
to compare as `ps` cannot detect the size of screen, adding
`-w` to solve this.
Fixes: 0e285c3037 ("add lean's package")
Fixes: CVE-2020-1971, defined as high severity, summarized as:
NULL pointer deref in GENERAL_NAME_cmp function can lead to a DOS
attack.
Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
Co-authored-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
* mt7615: try wext and cfg80211
* iwinfo: support ra frequency offset
* iwinfo: ra support assolist, support AC bandwidth, read device id from mtd
* mt7615: clean code
* k2p: wireless interface should not add to bridge, wifi system will handle this
* mt7615: adapt for modern luci
* mt7615: fix Makefile, conflicts with luci-app-mtwifi
* mt_wifi: conflicts with mt7615d
* iwinfo: fix ra probe, scan list
* iwinfo: fix ra scan list
* mt7615: speed up wifi reload
* mt7615: fix bug
* mt7615: fix isolate
* mt7615: clean code
* mt7615: fix CE without cfg80211
* mt7615: split dbdc variant
* mt7615: revert config for non dbdc variant devices
* mt7615: move maccalc dependency to dbdc variant
* mt7615: append author info
* mt7615: move config generation to uci-defaults
[mac80211]
5b29614 mac80211: another fix for the sta connection monitor
1ed6eb1 mac80211: backport sched_set_fifo_low
cba4120 mac80211: add support for specifying a per-device scan list
e0d482f rt2x00: mt7620: differentiate based on SoC's CHIP_VER
[package]
amd64-microcode/intel-microcode/linux-firmware: update version
The original patch over rode the nf_conntrack_un/register_notifier API, which will
break other modules relying on the API. Reworked the notification APIs to play nice
with others. Also avoid to touch the code of fullcone nat.
Co-authored-by: quarkysg <hhtan72@yahoo.com>
This commit add support for the yyets_le router.
Hardware Highlights:
SoC: Qualcomm IPQ4019 717 MHz
RAM: 512M NT5CC256M16ER-EK
Flash: 32M SPI NOR MX25L25635F
WIFI1: 2.4 GHz 2T2R integrated
WIFI2: 5 GHz 2T2R integrated
Ethernet: Qualcomm QCA8075 (4x LAN, 1x WAN)
USB: 1x 3.0
LEDS: power, wlan2g, wlan5g, usb
Button: Reset
Installation:
Upload the firmware on the upgrade page of the stcok, and this will
take a few minutes.
This commit also supports the addition of a 128M nand flash version,
just use the P&W R619AC's OpBoot to overwrite the original uboot.
Signed-off-by: AmadeusGhost <amadeus@jmu.edu.cn>
* autocore: add cpu freq & temp display for some arm devices
Signed-off-by: CN_SZTL <cnsztl@project-openwrt.eu.org>
Co-authored-by: AmadeusGhost <42570690+AmadeusGhost@users.noreply.github.com>
* Revert "show CPU Temperature for NanoPi R2S (#5612)"
This reverts commit 099439f051.
Co-authored-by: AmadeusGhost <42570690+AmadeusGhost@users.noreply.github.com>
* Revert "uboot-rockchip: update NanoPi R2S patches"
This reverts commit bda6f6572be630bcf9a1c8a429e40d8a53033af5.
This commit breaks the onboard ethernet on some units. Revert it for
now.
Signed-off-by: David Bauer <mail@david-bauer.net>
* rockchip: enable Realtek PHY support
The NanoPi R2S features a Realtek Gigabit Ethernet PHY. Enable the
Realtek specific PHY driver to correctly configure internal delays.
Signed-off-by: David Bauer <mail@david-bauer.net>
* uboot-rockchip: fix nanopi-r2s failed to boot on some sd cards
Add regulator-boot-on parameters to vcc_sd.
Add startup-delay-us parameters to vcc_sdio.
This will improve the problem that in some SD cards are failing to boot up.
Signed-off-by: Yuan Tao <ty@wevs.org>
* rockchip: fix NanoPi R2S GMAC clock name
This commit fixes the name for the GMAC clock to gmac_clkin, as this is
the name of the clock provided by the rk3328-clk driver.
Without this commit, the GMAC will not work in TX direction.
Suggested-by: Tobias Waldvogel <tobias.waldvogel@gmail.com>
Signed-off-by: David Bauer <mail@david-bauer.net>
Co-authored-by: David Bauer <mail@david-bauer.net>
Co-authored-by: Yuan Tao <ty@wevs.org>
