Package: release.debian.org User: release.debian....@packages.debian.org Usertags: unblock Severity: normal
Dear release team, This is a pre-approval request: please unblock package ocserv/1.1.2-2, a version that only cherry-picks upstream bug fixes made after 1.1.2 (an integer-overflow cast in the authentication-time statistics, a rename of the worker's libev loop variable, stopping the DTLS watcher on a failed handshake, and a memory-corruption fix in DTLS connection setup). unblock ocserv/1.1.2-2 Regards, Aron
diff -Nru ocserv-1.1.2/debian/changelog ocserv-1.1.2/debian/changelog
--- ocserv-1.1.2/debian/changelog 2020-12-17 18:38:57.000000000 +0800
+++ ocserv-1.1.2/debian/changelog 2021-02-22 11:37:07.000000000 +0800
@@ -1,3 +1,9 @@
+ocserv (1.1.2-2) unstable; urgency=medium
+
+ * d/patches: cherry-pick upstream post 1.1.2 bug fixes
+
+ -- Aron Xu <a...@debian.org> Mon, 22 Feb 2021 11:37:07 +0800
+
 ocserv (1.1.2-1) unstable; urgency=medium
 
 * New upstream version 1.1.2
diff -Nru ocserv-1.1.2/debian/patches/0009-update_auth_time_stats-cast-operations-to-avoid-over.patch ocserv-1.1.2/debian/patches/0009-update_auth_time_stats-cast-operations-to-avoid-over.patch
--- ocserv-1.1.2/debian/patches/0009-update_auth_time_stats-cast-operations-to-avoid-over.patch 1970-01-01 08:00:00.000000000 +0800
+++ ocserv-1.1.2/debian/patches/0009-update_auth_time_stats-cast-operations-to-avoid-over.patch 2021-02-22 11:33:03.000000000 +0800
@@ -0,0 +1,27 @@
+From e035221030f8fdfbb38483889631916fef9d9798 Mon Sep 17 00:00:00 2001
+From: Nikos Mavrogiannopoulos <n.mavrogiannopou...@gmail.com>
+Date: Wed, 9 Dec 2020 15:05:24 +0100
+Subject: [PATCH 09/36] update_auth_time_stats: cast operations to avoid
+ overflows
+
+Signed-off-by: Nikos Mavrogiannopoulos <n.mavrogiannopou...@gmail.com>
+---
+ src/sec-mod-auth.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/sec-mod-auth.c b/src/sec-mod-auth.c
+index c769643c..b4b2f3fd 100644
+--- a/src/sec-mod-auth.c
++++ b/src/sec-mod-auth.c
+@@ -131,7 +131,7 @@ static void update_auth_time_stats(sec_mod_st * sec, time_t secs)
+ 
+ if (secs > sec->max_auth_time)
+ sec->max_auth_time = secs;
+- sec->avg_auth_time = (sec->avg_auth_time*(sec->total_authentications-1)+secs) / sec->total_authentications;
++ sec->avg_auth_time = ((uint64_t)sec->avg_auth_time*((uint64_t)(sec->total_authentications-1))+secs) / (uint64_t)sec->total_authentications;
+ }
+ 
+ static
+-- 
+2.20.1
+
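Review bot: The new expression still feeds the signed `time_t secs` into unsigned arithmetic: it is added to a `uint64_t` product and the whole quotient is computed as `uint64_t`, so a negative `secs` (possible if the caller derives it from a wall clock that stepped backwards) converts to a value near 2^64 and pins `avg_auth_time` at garbage instead of merely overflowing. A guard before the update, `if (secs < 0) return;`, makes the cast safe; whether `secs` can be negative depends on the caller, which is outside the hunk. The hunk also shows `total_authentications-1` is evaluated in the field's own type before the cast, so if that counter is unsigned and could be 0 here the subtraction wraps and the division is by zero; the surrounding code presumably increments it first, but that is not visible. update_auth_time_stats begins before the hunk.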
@@ -0,0 +1,131 @@
+From 47c6638286a694b4d278e01b278f64f9368b3e1a Mon Sep 17 00:00:00 2001
+From: Nikos Mavrogiannopoulos <n.mavrogiannopou...@gmail.com>
+Date: Sat, 12 Dec 2020 22:41:50 +0100
+Subject: [PATCH 20/36] ocserv-worker: renamed loop to worker_loop
+
+This avoids warnings and static analyzers complains about
+the libev functions hiding the global 'loop' variable
+
+Signed-off-by: Nikos Mavrogiannopoulos <n.mavrogiannopou...@gmail.com>
+---
+ src/worker-vpn.c | 34 +++++++++++++++++-----------------
+ 1 file changed, 17 insertions(+), 17 deletions(-)
+
+Index: ocserv/src/worker-vpn.c
+===================================================================
+--- ocserv.orig/src/worker-vpn.c
++++ ocserv/src/worker-vpn.c
+@@ -95,7 +95,7 @@ struct worker_st *global_ws = NULL;
+ static int terminate = 0;
+ static int terminate_reason = REASON_SERVER_DISCONNECT;
+ 
+-static struct ev_loop *loop = NULL;
++static struct ev_loop *worker_loop = NULL;
+ ev_io command_watcher;
+ ev_io tls_watcher;
+ ev_io tun_watcher;
+@@ -433,8 +433,8 @@ static int setup_dtls_connection(struct
+ dtls->dtls_session = session;
+ ev_init(&dtls->io, dtls_watcher_cb);
+ ev_io_set(&dtls->io, dtls->dtls_tptr.fd, EV_READ);
+- ev_io_start(loop, &dtls->io);
+- ev_invoke(loop, &dtls->io, EV_READ);
++ ev_io_start(worker_loop, &dtls->io);
++ ev_invoke(worker_loop, &dtls->io, EV_READ);
+ 
+ return 0;
+ fail:
+@@ -2609,7 +2609,7 @@ static int test_for_tcp_health_probe(str
+ 
+ static void syserr_cb (const char *msg)
+ {
+- struct worker_st * ws = ev_userdata(loop);
++ struct worker_st * ws = ev_userdata(worker_loop);
+ int err = errno;
+ 
+ oclog(ws, LOG_ERR, "libev fatal error: %s / %s", msg, strerror(err));
+@@ -2637,7 +2637,7 @@ static void cstp_send_terminate(struct w
+ 
+ static void command_watcher_cb (EV_P_ ev_io *w, int revents)
+ {
+- struct worker_st *ws = ev_userdata(loop);
++ struct worker_st *ws = ev_userdata(worker_loop);
+ 
+ int ret = handle_commands_from_main(ws);
+ if (ret == ERR_NO_CMD_FD) {
+@@ -2723,7 +2723,7 @@ static void invoke_dtls_if_needed(struct
+ if ((dtls->udp_state > UP_WAIT_FD) &&
+ (dtls->dtls_session != NULL) &&
+ (gnutls_record_check_pending(dtls->dtls_session))) {
+- ev_invoke(loop, &dtls->io, EV_READ);
++ ev_invoke(worker_loop, &dtls->io, EV_READ);
+ }
+ }
+ 
+@@ -2757,9 +2757,9 @@ static int worker_event_loop(struct work
+ struct timespec tnow;
+ 
+ #if defined(__linux__) && defined(HAVE_LIBSECCOMP)
+- loop = ev_default_loop(EVFLAG_NOENV|EVBACKEND_EPOLL);
++ worker_loop = ev_default_loop(EVFLAG_NOENV|EVBACKEND_EPOLL);
+ #else
+- loop = EV_DEFAULT;
++ worker_loop = EV_DEFAULT;
+ #endif
+ 
+ // Restore the signal handlers
+@@ -2769,37 +2769,37 @@ static int worker_event_loop(struct work
+ 
+ ev_init(&alarm_sig_watcher, term_sig_watcher_cb);
+ ev_signal_set (&alarm_sig_watcher, SIGALRM);
+- ev_signal_start (loop, &alarm_sig_watcher);
++ ev_signal_start (worker_loop, &alarm_sig_watcher);
+ 
+ ev_init (&int_sig_watcher, term_sig_watcher_cb);
+ ev_signal_set (&int_sig_watcher, SIGINT);
+- ev_signal_start (loop, &int_sig_watcher);
++ ev_signal_start (worker_loop, &int_sig_watcher);
+ 
+ ev_init (&term_sig_watcher, term_sig_watcher_cb);
+ ev_signal_set (&term_sig_watcher, SIGTERM);
+- ev_signal_start (loop, &term_sig_watcher);
++ ev_signal_start (worker_loop, &term_sig_watcher);
+ 
+- ev_set_userdata (loop, ws);
++ ev_set_userdata (worker_loop, ws);
+ ev_set_syserr_cb(syserr_cb);
+ 
+ ev_init(&command_watcher, command_watcher_cb);
+ ev_io_set(&command_watcher, ws->cmd_fd, EV_READ);
+- ev_io_start(loop, &command_watcher);
++ ev_io_start(worker_loop, &command_watcher);
+ 
+ ev_init(&tls_watcher, tls_watcher_cb);
+ ev_io_set(&tls_watcher, ws->conn_fd, EV_READ);
+- ev_io_start(loop, &tls_watcher);
++ ev_io_start(worker_loop, &tls_watcher);
+ 
+ ev_init(&DTLS_ACTIVE(ws)->io, dtls_watcher_cb);
+ ev_init(&DTLS_INACTIVE(ws)->io, dtls_watcher_cb);
+ 
+ ev_init(&tun_watcher, tun_watcher_cb);
+ ev_io_set(&tun_watcher, ws->tun_fd, EV_READ);
+- ev_io_start(loop, &tun_watcher);
++ ev_io_start(worker_loop, &tun_watcher);
+ 
+ ev_init (&period_check_watcher, periodic_check_watcher_cb);
+ ev_timer_set(&period_check_watcher, WORKER_MAINTENANCE_TIME, WORKER_MAINTENANCE_TIME);
+- ev_timer_start(loop, &period_check_watcher);
++ ev_timer_start(worker_loop, &period_check_watcher);
+ 
+ 
+ /* start dead peer detection */
+@@ -2810,7 +2810,7 @@ static int worker_event_loop(struct work
+ bandwidth_init(&ws->b_tx, ws->user_config->tx_per_sec);
+ 
+ 
+- ev_run(loop, 0);
++ ev_run(worker_loop, 0);
+ if (terminate != 0)
+ {
+ goto exit;
diff -Nru ocserv-1.1.2/debian/patches/0033-Close-fd-and-stop-ev_io-on-failed-handshake.patch ocserv-1.1.2/debian/patches/0033-Close-fd-and-stop-ev_io-on-failed-handshake.patch
--- ocserv-1.1.2/debian/patches/0033-Close-fd-and-stop-ev_io-on-failed-handshake.patch 1970-01-01 08:00:00.000000000 +0800
+++ ocserv-1.1.2/debian/patches/0033-Close-fd-and-stop-ev_io-on-failed-handshake.patch 2021-02-22 11:33:16.000000000 +0800
@@ -0,0 +1,25 @@
+From c53cc97395efccaf9a567c51475bcfc3d1a8ee5e Mon Sep 17 00:00:00 2001
+From: Alan Jowett <alan.jow...@microsoft.com>
+Date: Thu, 4 Feb 2021 09:29:45 -0700
+Subject: [PATCH 33/36] Close fd and stop ev_io on failed handshake.
+ Signed-off-by: Alan Jowett <ala...@microsoft.com>
+
+---
+ src/worker-vpn.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/src/worker-vpn.c b/src/worker-vpn.c
+index 185a5eae..b77597c5 100644
+--- a/src/worker-vpn.c
++++ b/src/worker-vpn.c
+@@ -1479,6 +1479,7 @@ static int dtls_mainloop(worker_st * ws, struct dtls_st * dtls, struct timespec
+ "error in DTLS handshake: %s\n",
+ gnutls_strerror(ret));
+ dtls->udp_state = UP_DISABLED;
++ ev_io_stop(worker_loop, &dtls->io);
+ break;
+ }
+ 
+-- 
+2.20.1
+
diff -Nru ocserv-1.1.2/debian/patches/0035-dtls-connection-setup-fix-memory-corruption-proper-w.patch ocserv-1.1.2/debian/patches/0035-dtls-connection-setup-fix-memory-corruption-proper-w.patch
--- ocserv-1.1.2/debian/patches/0035-dtls-connection-setup-fix-memory-corruption-proper-w.patch 1970-01-01 08:00:00.000000000 +0800
+++ ocserv-1.1.2/debian/patches/0035-dtls-connection-setup-fix-memory-corruption-proper-w.patch 2021-02-22 11:33:16.000000000 +0800
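Review bot: The commit title promises "Close fd and stop ev_io", but the only new line in the hunk is `ev_io_stop(worker_loop, &dtls->io);` and nothing closes `dtls->dtls_tptr.fd`, so either the close happens elsewhere and the title overstates this patch, or the UDP socket of a failed DTLS handshake stays open (in `UP_DISABLED` state) until the worker exits. Stopping the watcher is the right first step, and it is what makes the later `ev_io_stop` in 0035 a safe no-op when the watcher was already stopped. A short comment at the new line would settle the question for the next reader, e.g. `/* stop the watcher; the fd is released when the dtls state is torn down */`, adjusted to wherever the close really occurs. Note the line uses `worker_loop`, which only exists once 0020 is applied, so the series order is load-bearing. dtls_mainloop starts and ends outside the hunk.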
@@ -0,0 +1,33 @@
+From 4cea55c6d68c1c46755876af4e3ff142cd6c81a3 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Stefan=20B=C3=BChler?= <stefan.bueh...@tik.uni-stuttgart.de>
+Date: Wed, 10 Feb 2021 13:23:42 +0100
+Subject: [PATCH 35/36] dtls connection setup: fix memory corruption, proper
+ watcher setup
+
+ev_init and ev_io_set must never be called on active watchers - we
+need to cleanup previous connection state before setting a new one.
+
+ev_init clears the "active" flag, but doesn't remove the watcher from
+libev internal linked lists (and doesn't clear the "next" pointer for
+it). This can for example lead to (unexpected) cyclic lists in libev,
+and libev can loop forever trying to deal with them.
+---
+ src/worker-vpn.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/worker-vpn.c b/src/worker-vpn.c
+index b77597c5..146c6acf 100644
+--- a/src/worker-vpn.c
++++ b/src/worker-vpn.c
+@@ -431,7 +431,7 @@ static int setup_dtls_connection(struct worker_st *ws, struct dtls_st * dtls)
+ }
+ 
+ dtls->dtls_session = session;
+- ev_init(&dtls->io, dtls_watcher_cb);
++ ev_io_stop(worker_loop, &dtls->io);
+ ev_io_set(&dtls->io, dtls->dtls_tptr.fd, EV_READ);
+ ev_io_start(worker_loop, &dtls->io);
+ ev_invoke(worker_loop, &dtls->io, EV_READ);
+-- 
+2.20.1
+
diff -Nru ocserv-1.1.2/debian/patches/series ocserv-1.1.2/debian/patches/series
--- ocserv-1.1.2/debian/patches/series 2020-07-13 15:52:07.000000000 +0800
+++ ocserv-1.1.2/debian/patches/series 2021-02-22 11:35:09.000000000 +0800
@@ -1 +1,5 @@
 legacy_pidfile.patch
+0009-update_auth_time_stats-cast-operations-to-avoid-over.patch
+0020-ocserv-worker-renamed-loop-to-worker_loop.patch
+0033-Close-fd-and-stop-ev_io-on-failed-handshake.patch
+0035-dtls-connection-setup-fix-memory-corruption-proper-w.patch
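Review bot: Replacing `ev_init(&dtls->io, dtls_watcher_cb)` with `ev_io_stop(worker_loop, &dtls->io)` means this path no longer sets the callback or the watcher's active/pending fields itself; it now relies entirely on the `ev_init(&DTLS_ACTIVE(ws)->io, ...)` and `ev_init(&DTLS_INACTIVE(ws)->io, ...)` calls in worker_event_loop shown in 0020, and `ev_io_stop` on a watcher that was never initialised reads an indeterminate active flag. That ordering constraint is invisible at this call site and deserves a comment on the new line, e.g. `/* io was ev_init()ed in worker_event_loop(); stop it (no-op when inactive) before re-setting the fd - ev_io_set on an active watcher corrupts libev's lists */`. Separately, stopping the watcher drops libev's interest in the previous `dtls_tptr.fd`, but nothing in the hunk closes that descriptor before the new fd is registered; if the caller already closed it, the same comment should say so. setup_dtls_connection begins and ends outside the hunk.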