Luis Araneda writes:
> I think this could be archived without patching the upstream
> fw_printenv tool, depending on what solution you find acceptable.
>
> My motivation is to reduce the amount of patches that I think are not
> going to be accepted upstream.
Thanks a lot for your valuable
When hostapd gets restarted too often/quickly, this will cause procd to not restart it
anymore. It will think that hapd is in a crash loop.
Signed-off-by: John Crispin
---
package/network/services/hostapd/files/wpad.init | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git
The script was missing the reload trigger. Additionally, running lldpd on a
bridge is not correct. Rather than running lldpd on the L3 bridge, it needs
to be run on all the L2 members.
Signed-off-by: John Crispin
---
package/network/services/lldpd/files/lldpd.init | 8
1 file changed,
Starting lldpd on 'lo' makes no sense. We know that we are the only one on
that device.
Signed-off-by: John Crispin
---
package/network/services/lldpd/files/lldpd.config | 1 -
1 file changed, 1 deletion(-)
diff --git a/package/network/services/lldpd/files/lldpd.config
Hi Bjørn,
On Thu, Dec 10, 2020 at 9:42 AM Bjørn Mork wrote:
>
> Now that we can create an alternate configuration file, add support
> for selecting it by using the alternate application names
> `fw_printsys' or `fw_setsys'.
>
> Signed-off-by: Bjørn Mork
> ---
>
On Thu, Dec 10, 2020 at 7:44 AM Petr Štetiar wrote:
>
> Let's enforce additional automatic checks enforced by the compiler in
> order to catch possible errors during compilation.
>
> Signed-off-by: Petr Štetiar
> ---
> CMakeLists.txt | 8 +++-
> 1 file changed, 7 insertions(+), 1
https://openwrt.org/advisory/2020-12-09-1
DESCRIPTION
A flaw has been found in the ICMP rate limiting algorithm of the Linux
kernel.
This flaw allows an off-path attacker to quickly determine open ephemeral
ports that are used by applications making outbound connections.
This can be exploited
Hi Petr
On Thu, Dec 10, 2020 at 12:57 PM Petr Štetiar wrote:
> > After tackling BIO_free, my suggestion would be to determine where the
> > method table variable should go, and where to call BIO_meth_new and
> > BIO_meth_free. I would add it to a defined struct
> > ustream_ssl_ctx--which is now
Paul Spooren [2020-11-25 08:52:30]:
Hi,
> Until somebody jumps on ustream-ssl and fixes the WolfSSL
> implementation, we should consider to disable it.
FYI I've just posted hopefully fixes for those issue(s):
uclient https://patchwork.ozlabs.org/project/openwrt/list/?series=219813
Eneas U de Queiroz [2020-12-10 11:29:36]:
Hi,
> access that memory after we free it. This would be after we call
> BIO_free. The thing is, we aren't making that call, so we are leaking
> that resource as well.
IIRC this is solved by OpenSSL internal reference counting and executed in
Uses currently proof-of-concept openwrt-ci[1] in order to:
* improve the quality of the codebase in various areas
* decrease code review time and help merging contributions faster
* get automagic feedback loop on various platforms and tools
- out of tree build with OpenWrt SDK on following
Currently wolfSSL doesn't validate any certificates, quoting from
README:
wolfSSL takes a different approach to certificate verification than
OpenSSL does. The default policy for the client is to verify the server,
this means that if you don't load CAs to verify the server you'll get a
For the start just basic uclient-fetch functionality coverage.
Signed-off-by: Petr Štetiar
---
CMakeLists.txt | 24 -
tests/CMakeLists.txt| 1 +
tests/cram/CMakeLists.txt | 38 ++
tests/cram/server/lorem | 64
Fixes following memory leak:
$ valgrind --quiet --leak-check=full uclient-fetch -q
http://127.0.0.1:1922/does-not-exist
51 (16 direct, 35 indirect) bytes in 1 blocks are definitely lost in loss
record 4 of 9
at 0x4C31A3F: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
Fixes following -Wextra compiler warnings:
uclient.c:195:16: error: comparison of integers of different signs: 'int' and
'unsigned long' [-Werror,-Wsign-compare]
for (i = 0; i < ARRAY_SIZE(backends); i++) {
~ ^
uclient-http.c:619:2: error:
Let's enforce additional automatic checks enforced by the compiler in
order to catch possible errors during compilation.
Signed-off-by: Petr Štetiar
---
CMakeLists.txt | 7 ++-
1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/CMakeLists.txt b/CMakeLists.txt
index
Fixes following warnings as reported on 32-bit platforms
toolchain-mips_24kc_gcc-8.4.0_musl and
toolchain-arm_cortex-a9+neon_gcc-8.4.0_musl_eabi:
uclient-http.c::10: error: comparison of integer expressions of different
signedness: 'unsigned int' and 'int' [-Werror=sign-compare]
if (len
Fixes following issue reported by clang-12 static analyzer:
uclient-fetch.c:228:6: error: this statement may fall through
[-Werror=implicit-fallthrough=]
if (sscanf(blobmsg_get_string(tb[H_RANGE]),
^
uclient-fetch.c:236:2: note: here
case 204:
^~~~
Signed-off-by: Petr Štetiar
Fixes following issue reported by clang-12 static analyzer:
uclient-fetch.c:612:25: warning: Potential leak of memory pointed to by
'username' [unix.Malloc]
memset(optarg, '*', strlen(optarg));
^~
Fixes following issue reported by clang-12 static analyzer:
uclient.c:290:22: warning: Value stored to 'url' during its initialization is
never read [deadcode.DeadStores]
struct uclient_url *url = cl->url;
^~~ ~~~
Signed-off-by: Petr Štetiar
---
Hi,
this series should fix certificate verification in mbedTLS and wolfSSL like
for example FS#3465, few issues spotted by Valgrind and clang-12 static code
analyzer and adds basic cram based unit tests which should be executed on
GitLab CI.
You can find the packages ready for testing in my
When building out of the tree, linker is unable to find the ubox library
so fix it by using find_library CMake command.
Signed-off-by: Petr Štetiar
---
CMakeLists.txt | 8 +++-
1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/CMakeLists.txt b/CMakeLists.txt
index
Fixes following issue reported by clang-12 static analyzer:
uclient-http.c:568:2: warning: Memory allocated by alloca() should not be
deallocated [unix.Malloc]
free(buf_orig);
^~
Signed-off-by: Petr Štetiar
---
uclient-http.c | 12 +---
1 file changed, 5
Currently wolfSSL doesn't validate any certificates, quoting from
README:
wolfSSL takes a different approach to certificate verification than
OpenSSL does. The default policy for the client is to verify the server,
this means that if you don't load CAs to verify the server you'll get a
Mainly that NO_X509_CHECK_HOST is causing certificate validation issues
in some setups:
root@OpenWrt:/# wget https://www.google.com
Downloading 'https://www.google.com'
Connecting to 172.217.23.196:443
Connection error: Server hostname does not match SSL certificate
but instead of spending
Fixes following issues as reported by clang-12 LeakSanitizer:
$ uclient-fetch-san -q -O /dev/null 'https://expired.badssl.com/'
Direct leak of 96 byte(s) in 1 object(s) allocated from:
#0 0x49716d in malloc (uclient-fetch-san+0x49716d)
#1 0x7f551cbabe58 in CRYPTO_zalloc
Fixes certificate verification if no CA certificates are available, it's
visible when you run:
$ uclient-fetch https://www.openwrt.org
(so no explicit certificate is given) and have *not* installed
`ca-certificates` or `ca-bundle` package, mbed TLS obviously can't do
verification since no root
Uses currently proof-of-concept openwrt-ci[1] in order to:
* improve the quality of the codebase in various areas
* decrease code review time and help merging contributions faster
* get automagic feedback loop on various platforms and tools
- out of tree build with OpenWrt SDK on following
Fixes following compiler extra warning:
ustream-mbedtls.c:40:11: error: comparison of integers of different signs:
'int' and 'size_t' (aka 'unsigned long') [-Werror,-Wsign-compare]
if (slen > len)
^ ~~~
Signed-off-by: Petr Štetiar
---
ustream-mbedtls.c | 2 +-
1 file
In commit "ustream-openssl: wolfSSL: fix certificate validation" we've
added new set_require_validation() function so implement it for mbed TLS
as well.
Signed-off-by: Petr Štetiar
---
ustream-mbedtls.c | 12
1 file changed, 12 insertions(+)
diff --git a/ustream-mbedtls.c
Fixes following compilation errors:
ustream-io-wolfssl.c:74:2: error: implicit declaration of function
'wolfSSL_SetIORecv' is invalid in C99 [-Werror,-Wimplicit-function-declaration]
ustream-io-wolfssl.c:75:2: error: implicit declaration of function
'wolfSSL_SetIOSend' is invalid in C99
Hi,
this series should fix several issues related to certificate verification in
mbedTLS and wolfSSL like for example FS#3465.
You can find the packages ready for testing in my staging tree:
https://git.openwrt.org/?p=openwrt/staging/ynezz.git;a=shortlog;h=refs/heads/staging
Cheers,
Petr
Fixes following issue when mbed TLS libs are installed in different
paths:
/usr/bin/ld: cannot find -lmbedtls
/usr/bin/ld: cannot find -lmbedcrypto
/usr/bin/ld: cannot find -lmbedx509
Signed-off-by: Petr Štetiar
---
CMakeLists.txt | 5 -
1 file changed, 4 insertions(+), 1 deletion(-)
Let's enforce additional automatic checks enforced by the compiler in
order to catch possible errors during compilation.
Signed-off-by: Petr Štetiar
---
CMakeLists.txt | 8 +++-
1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/CMakeLists.txt b/CMakeLists.txt
index
Fixes following issue when wolfSSL libs are installed in different
paths:
/usr/bin/ld: cannot find -lwolfssl
Signed-off-by: Petr Štetiar
---
CMakeLists.txt | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/CMakeLists.txt b/CMakeLists.txt
index 315aeb87c80b..42c7f1fb00de
When building out of the tree, linker is unable to find the ubox library
so fix it by using find_library CMake command.
Signed-off-by: Petr Štetiar
---
CMakeLists.txt | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/CMakeLists.txt b/CMakeLists.txt
index
Backport upstream post 4.5.0 fix for broken wolfSSL_X509_check_host().
References: https://github.com/wolfSSL/wolfssl/issues/3329
Signed-off-by: Petr Štetiar
---
package/libs/wolfssl/Makefile | 2 +-
.../200-fix-checkhostname-matching.patch | 123 ++
2
Hi Petr
On Wed, Dec 9, 2020 at 6:59 PM Petr Štetiar wrote:
>
> Eneas U de Queiroz [2020-12-09 14:39:06]:
>
> Hi,
>
> > So the answer to your question is because you only allocate the table if
> > methods_ustream is NULL, and it will point to the created table then.
>
> I was referencing the
From: Arne Kappen
This extension is based on an idea by Felix Fietkau which I implemented as part
of a student project at TU Berlin in 2015 and during Google Summer of Code 2016
for Freifunk. I've since been using this prototype to allow for native UCI
configuration of Open vSwitch devices
From: Arne Kappen
This allows to integrate external daemons that configure network devices with
netifd. At startup, netifd generates device handler stubs from descriptions in
/lib/netifd/extdev-config via the mechanism in handler.c. These are then added
to the list of device handlers. Device
From: Arne Kappen
Parse JSON files in a given directory and pass the information on to a callback
function for creation of an external device handler stub.
The description contains:
- 'name': the name of the device type,
- 'ubus_name': the name of the external device handler daemon on ubus,
-
From: Arne Kappen
Signed-off-by: Arne Kappen
---
This is an irrelevant left-over from an earlier shot at publishing
this extension. It is obviously no longer needed.
device.c | 3 ---
1 file changed, 3 deletions(-)
diff --git a/device.c b/device.c
index 73cc4bf..32e4549 100644
---
Albeit a separate crypto module, lzo-rle uses the same kernel library as lzo.
Crypto API users (zram, for example) expect both lzo and lzo-rle to be
available, so let's include lzo-rle (about 5.5 kiB) in the lib-lzo package.
Based on e9hack's original patch:
Please bump PKG_RELEASE
> -Original Message-
> From: openwrt-devel [mailto:openwrt-devel-boun...@lists.openwrt.org]
> On Behalf Of Bjørn Mork
> Sent: Thursday, 10 December 2020 13:40
> To: openwrt-devel@lists.openwrt.org
> Cc: Bjørn Mork
> Subject: [PATCH 1/2] uboot-envtools:
Most (all?) of the realtek devices have two u-boot config partitions
with a different set of variables in each. The U-Boot shell provides
two sets of apps to manipulate these:
printenv- print environment variables
printsys- printsys - print system information variables
saveenv - save
Now that we can create an alternate configuration file, add support
for selecting it by using the alternate application names
`fw_printsys' or `fw_setsys'.
Signed-off-by: Bjørn Mork
---
package/boot/uboot-envtools/Makefile | 2 +
.../002-support-alternate-config.patch| 91
CPU: Atheros AR9342 rev 3 SoC
RAM: 64 MB DDR2
Flash: 16 MB NOR SPI
WLAN 2.4GHz: Atheros AR9342 v3 (ath9k)
WLAN 5.0GHz: QCA988X
Ports: 1x GbE
Flashing procedure is identical to other ubnt devices.
https://openwrt.org/toh/ubiquiti/common
Flashing through factory
The paths are pointing to OS paths, not OpenWrt ones. Use SED line from
libpng to fix and adjust accordingly.
This may allow certain packages that use the config file to pick up pcre.
Signed-off-by: Rosen Penev
---
package/libs/pcre/Makefile | 3 ++-
1 file changed, 2 insertions(+), 1
The Netgear DGND3700v1/DGND3800B shows kernel redundant info at the board
message, already provided by the machine info message.
Use the real board name which is silkscreened on the PCB and used in the
stock firmware header.
Signed-off-by: Daniel González Cabanelas
---
Security Advisory 2020-12-09-2 - libuci import heap use after free
(CVE-2020-28951)
DESCRIPTION
Possibly exploitable vulnerability was found in Unified Config Interface (UCI)
library named libuci, specifically in uci_import() C API function.
CVE-2020-28951[1] has been assigned to this issue,