From 81cdbd3b62ed07834a8cd2203adb73fc358f8271 Mon Sep 17 00:00:00 2001 From: Rob White Date: Thu, 23 Nov 2023 16:06:11 +0000 Subject: [PATCH 1/8] opennds: update to version 10.2.0 Maintainer: Rob White rob@blue-wave.net Compile tested: arm_cortex-a7_neon-vfpv4, mipsel_24kc, x86-64 Run tested: arm_cortex-a7_neon-vfpv4, mipsel_24kc, x86-64; on snapshot, 23.05, 22.03 Description: opennds (10.2.0) - This version is a minor upgrade that introduces some significant additional functionality. In addition it includes numerous enhancements bug fixes and cosmetic fixes. Additional functionality includes: * Pre-emptive Client Lists * Autonomous Block Lists * Internet hosted https FAS support for resource limited routers * Fair Usage Policy Details can be found here: https://github.com/openNDS/openNDS/releases/tag/v10.2.0 Signed-off-by: Rob White (cherry picked from commit a5ec54aee3df6aa400e454ef0468127dcd0c6b25) --- opennds/Makefile | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/opennds/Makefile b/opennds/Makefile index 3f0f78110..6941ebeac 100644 --- a/opennds/Makefile +++ b/opennds/Makefile @@ -6,12 +6,12 @@ include $(TOPDIR)/rules.mk PKG_NAME:=opennds -PKG_VERSION:=10.1.3 +PKG_VERSION:=10.2.0 PKG_RELEASE:=1 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz PKG_SOURCE_URL:=https://codeload.github.com/opennds/opennds/tar.gz/v$(PKG_VERSION)? -PKG_HASH:=8016a8d20643a2dfc7e8d9e8012e300db6996aeede5ea8a895cb1b95e52f202a +PKG_HASH:=c2da51e3051e390fc1ddae2a4fa751f7b62919eb8e5526710067ca4622331017 PKG_BUILD_DIR:=$(BUILD_DIR)/openNDS-$(PKG_VERSION) PKG_MAINTAINER:=Rob White 
@@ -72,6 +72,7 @@ define Package/opennds/install $(CP) $(PKG_BUILD_DIR)/forward_authentication_service/libs/post-request.php $(1)/usr/lib/opennds/ $(CP) $(PKG_BUILD_DIR)/forward_authentication_service/fas-aes/fas-aes.php $(1)/etc/opennds/ $(CP) $(PKG_BUILD_DIR)/forward_authentication_service/fas-hid/fas-hid.php $(1)/etc/opennds/ + $(CP) $(PKG_BUILD_DIR)/forward_authentication_service/fas-hid/fas-hid-https.php $(1)/etc/opennds/ $(CP) $(PKG_BUILD_DIR)/forward_authentication_service/fas-aes/fas-aes-https.php $(1)/etc/opennds/ endef From b848b61afa13fc15d1b3ec9eb4fb28723050c4f8 Mon Sep 17 00:00:00 2001 From: Sven Eckelmann Date: Sat, 23 Dec 2023 11:55:49 +0100 Subject: [PATCH 2/8] batman-adv: compat: Fix skb_vlan_eth_hdr conflict in stable kernels The newest Linux stable kernel releases: * v5.10.205 * v5.15.144 * v6.1.69 received a backported version of commit 1f5020acb33f ("net: vlan: introduce skb_vlan_eth_hdr()"). batman-adv must therefore not provide this function any longer for these kernel versions. Signed-off-by: Sven Eckelmann --- batman-adv/Makefile | 2 +- batman-adv/src/compat-hacks.h | 5 ++++- 2 files changed, 5 insertions(+), 2 deletions(-) diff --git a/batman-adv/Makefile b/batman-adv/Makefile index 6026b6680..03459113c 100644 --- a/batman-adv/Makefile +++ b/batman-adv/Makefile @@ -4,7 +4,7 @@ include $(TOPDIR)/rules.mk PKG_NAME:=batman-adv PKG_VERSION:=2023.1 -PKG_RELEASE:=4 +PKG_RELEASE:=5 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz PKG_SOURCE_URL:=https://downloads.open-mesh.org/batman/releases/batman-adv-$(PKG_VERSION) diff --git a/batman-adv/src/compat-hacks.h b/batman-adv/src/compat-hacks.h index fcf7b936c..364e312e0 100644 --- a/batman-adv/src/compat-hacks.h +++ b/batman-adv/src/compat-hacks.h 
@@ -28,7 +28,10 @@ static inline u32 batadv_get_random_u32_below(u32 ep_ro) #endif /* LINUX_VERSION_IS_LESS(6, 2, 0) */ -#if LINUX_VERSION_IS_LESS(6, 4, 0) +#if LINUX_VERSION_IS_LESS(6, 4, 0) && \ + !(LINUX_VERSION_IS_GEQ(5, 10, 205) && LINUX_VERSION_IS_LESS(5, 11, 0)) && \ + !(LINUX_VERSION_IS_GEQ(5, 15, 144) && LINUX_VERSION_IS_LESS(5, 16, 0)) && \ + !(LINUX_VERSION_IS_GEQ(6, 1, 69) && LINUX_VERSION_IS_LESS(6, 2, 0)) #include From 75e1614d06097cf04b77838b54e3c4c91e138289 Mon Sep 17 00:00:00 2001 From: Sven Eckelmann Date: Fri, 2 Feb 2024 22:59:34 +0100 Subject: [PATCH 3/8] batctl: Merge bugfixes from 2024.0 * tcpdump: Fix missing sanity check for batman-adv header * tcpdump: Add missing throughput header length check * tcpdump: Fix IPv4 header length check * tcpdump: Add missing ICMPv6 Neighbor Advert length check * tcpdump: Add missing ICMPv6 Neighbor Solicit length check * tcpdump: Fix ICMPv4 inner IPv4 header length check 
Signed-off-by: Sven Eckelmann --- batctl/Makefile | 2 +- ...ix-missing-sanity-check-for-batman-a.patch | 26 ++++++++++++ ...dd-missing-throughput-header-length-.patch | 34 +++++++++++++++ ...tcpdump-Fix-IPv4-header-length-check.patch | 27 ++++++++++++ ...dd-missing-ICMPv6-Neighbor-Advert-le.patch | 25 +++++++++++ ...dd-missing-ICMPv6-Neighbor-Solicit-l.patch | 25 +++++++++++ ...ix-ICMPv4-inner-IPv4-header-length-c.patch | 41 +++++++++++++++++++ 7 files changed, 179 insertions(+), 1 deletion(-) create mode 100644 batctl/patches/0001-batctl-tcpdump-Fix-missing-sanity-check-for-batman-a.patch create mode 100644 batctl/patches/0002-batctl-tcpdump-Add-missing-throughput-header-length-.patch create mode 100644 batctl/patches/0003-batctl-tcpdump-Fix-IPv4-header-length-check.patch create mode 100644 batctl/patches/0004-batctl-tcpdump-Add-missing-ICMPv6-Neighbor-Advert-le.patch create mode 100644 batctl/patches/0005-batctl-tcpdump-Add-missing-ICMPv6-Neighbor-Solicit-l.patch create mode 100644 batctl/patches/0006-batctl-tcpdump-Fix-ICMPv4-inner-IPv4-header-length-c.patch diff --git a/batctl/Makefile b/batctl/Makefile index 70ca77176..4cb336b2c 100644 --- a/batctl/Makefile +++ b/batctl/Makefile @@ -4,7 +4,7 @@ include $(TOPDIR)/rules.mk PKG_NAME:=batctl PKG_VERSION:=2023.1 -PKG_RELEASE:=1 +PKG_RELEASE:=2 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz PKG_SOURCE_URL:=https://downloads.open-mesh.org/batman/releases/batman-adv-$(PKG_VERSION) diff --git a/batctl/patches/0001-batctl-tcpdump-Fix-missing-sanity-check-for-batman-a.patch b/batctl/patches/0001-batctl-tcpdump-Fix-missing-sanity-check-for-batman-a.patch new file mode 100644 index 000000000..c2972873c --- /dev/null +++ b/batctl/patches/0001-batctl-tcpdump-Fix-missing-sanity-check-for-batman-a.patch 
@@ -0,0 +1,26 @@ +From: Sven Eckelmann +Date: Sat, 27 Jan 2024 13:48:59 +0100 +Subject: batctl: tcpdump: Fix missing sanity check for batman-adv header + +parse_eth_hdr() is assuming that every ETH_P_BATMAN ethernet packet has a +valid, minimal batman-adv header (packet_type, version, ttl) attached. But +it doesn't actually check if the received buffer has enough bytes to access +the two bytes packet_type + version. So it is possible that it tries to +read outside of the received data. + +Fixes: 3bdfc388e74b ("implement simple tcpdump, first only batman packets") +Signed-off-by: Sven Eckelmann +Origin: upstream, https://git.open-mesh.org/batctl.git/commit/7ae3bdb59a7501197e12d3a7ab0d9924341e9ca8 + +--- a/tcpdump.c ++++ b/tcpdump.c +@@ -1068,6 +1068,9 @@ static void parse_eth_hdr(unsigned char + dump_vlan(packet_buff, buff_len, read_opt, time_printed); + break; + case ETH_P_BATMAN: ++ /* check for batman-adv packet_type + version */ ++ LEN_CHECK(buff_len, sizeof(*eth_hdr) + 2, "BAT HEADER") ++ + batman_ogm_packet = (struct batadv_ogm_packet *)(packet_buff + ETH_HLEN); + + if ((read_opt & COMPAT_FILTER) && diff --git a/batctl/patches/0002-batctl-tcpdump-Add-missing-throughput-header-length-.patch b/batctl/patches/0002-batctl-tcpdump-Add-missing-throughput-header-length-.patch new file mode 100644 index 000000000..282341d91 --- /dev/null +++ b/batctl/patches/0002-batctl-tcpdump-Add-missing-throughput-header-length-.patch 
@@ -0,0 +1,34 @@ +From: Sven Eckelmann +Date: Sat, 27 Jan 2024 13:49:00 +0100 +Subject: batctl: tcpdump: Add missing throughput header length check + +dump_batman_icmp() is only doing a length check for the original ICMP +packet length. But the throughput packet (which is also handled by this +function) is accessed without doing an additional length check. So it is +possible that it tries to read outside of the received data. + +Fixes: f109b3473f86 ("batctl: introduce throughput meter support") +Signed-off-by: Sven Eckelmann +Origin: upstream, https://git.open-mesh.org/batctl.git/commit/189b66496309bc1a54b4821292da2428de8ceb1c + +--- a/tcpdump.c ++++ b/tcpdump.c +@@ -863,7 +863,6 @@ static void dump_batman_icmp(unsigned ch + LEN_CHECK((size_t)buff_len - sizeof(struct ether_header), sizeof(struct batadv_icmp_packet), "BAT ICMP"); + + icmp_packet = (struct batadv_icmp_packet *)(packet_buff + sizeof(struct ether_header)); +- tp = (struct batadv_icmp_tp_packet *)icmp_packet; + + if (!time_printed) + print_time(); +@@ -894,6 +893,10 @@ static void dump_batman_icmp(unsigned ch + (size_t)buff_len - sizeof(struct ether_header)); + break; + case BATADV_TP: ++ LEN_CHECK((size_t)buff_len - sizeof(struct ether_header), sizeof(*tp), "BAT TP"); ++ ++ tp = (struct batadv_icmp_tp_packet *)icmp_packet; ++ + printf("%s: ICMP TP type %s (%hhu), id %hhu, seq %u, ttl %2d, v %d, length %zu\n", + name, tp->subtype == BATADV_TP_MSG ? "MSG" : + tp->subtype == BATADV_TP_ACK ? "ACK" : "N/A", diff --git a/batctl/patches/0003-batctl-tcpdump-Fix-IPv4-header-length-check.patch b/batctl/patches/0003-batctl-tcpdump-Fix-IPv4-header-length-check.patch new file mode 100644 index 000000000..bb99930f8 --- /dev/null +++ b/batctl/patches/0003-batctl-tcpdump-Fix-IPv4-header-length-check.patch 
@@ -0,0 +1,27 @@ +From: Sven Eckelmann +Date: Sat, 27 Jan 2024 13:49:01 +0100 +Subject: batctl: tcpdump: Fix IPv4 header length check + +dump_ip() is directly accessing the header in the header length check and +assumes that ihl can be trusted. But when when ihl is set to something less +than 5 then it would not even be possible to store the basic IPv4 header in +it. But dump_ip would have still accepted it because it didn't check if +there are at least enough bytes available to read the basic IPv4 header. So +it is possible that it tries to read outside of the received data. + +Fixes: 75d68356f3fa ("[batctl] tcpdump - add basic IPv4 support") +Signed-off-by: Sven Eckelmann +Origin: upstream, https://git.open-mesh.org/batctl.git/commit/ddb254bd51aa43d216159f3be9c575369b041d35 + +--- a/tcpdump.c ++++ b/tcpdump.c +@@ -646,7 +646,9 @@ static void dump_ip(unsigned char *packe + struct icmphdr *icmphdr; + + iphdr = (struct iphdr *)packet_buff; ++ LEN_CHECK((size_t)buff_len, sizeof(*iphdr), ip_string); + LEN_CHECK((size_t)buff_len, (size_t)(iphdr->ihl * 4), ip_string); ++ LEN_CHECK((size_t)(iphdr->ihl * 4), sizeof(*iphdr), ip_string); + + if (!time_printed) + print_time(); diff --git a/batctl/patches/0004-batctl-tcpdump-Add-missing-ICMPv6-Neighbor-Advert-le.patch b/batctl/patches/0004-batctl-tcpdump-Add-missing-ICMPv6-Neighbor-Advert-le.patch new file mode 100644 index 000000000..403033273 --- /dev/null +++ b/batctl/patches/0004-batctl-tcpdump-Add-missing-ICMPv6-Neighbor-Advert-le.patch 
@@ -0,0 +1,25 @@ +From: Sven Eckelmann +Date: Sat, 27 Jan 2024 13:49:02 +0100 +Subject: batctl: tcpdump: Add missing ICMPv6 Neighbor Advert length check + +dump_ipv6() is doing a length check for the original ICMPv6 header length. +But the neighbor advertisement (which is also handled by this function) is +accessed without doing an additional length check. So it is possible that +it tries to read outside of the received data. + +Fixes: 35b37756f4a3 ("add IPv6 support to tcpdump parser") +Cc: Marco Dalla Torre +Signed-off-by: Sven Eckelmann +Origin: upstream, https://git.open-mesh.org/batctl.git/commit/da75747d435ca8a32a74895655a1d5bff8b7709b + +--- a/tcpdump.c ++++ b/tcpdump.c +@@ -611,6 +611,8 @@ static void dump_ipv6(unsigned char *pac + nd_nas_target, buff_len); + break; + case ND_NEIGHBOR_ADVERT: ++ LEN_CHECK((size_t)buff_len - (size_t)(sizeof(struct ip6_hdr)), ++ sizeof(*nd_advert), "ICMPv6 Neighbor Advertisement"); + nd_advert = (struct nd_neighbor_advert *)icmphdr; + inet_ntop(AF_INET6, &(nd_advert->nd_na_target), + nd_nas_target, 40); diff --git a/batctl/patches/0005-batctl-tcpdump-Add-missing-ICMPv6-Neighbor-Solicit-l.patch b/batctl/patches/0005-batctl-tcpdump-Add-missing-ICMPv6-Neighbor-Solicit-l.patch new file mode 100644 index 000000000..199e7809c --- /dev/null +++ b/batctl/patches/0005-batctl-tcpdump-Add-missing-ICMPv6-Neighbor-Solicit-l.patch 
@@ -0,0 +1,25 @@ +From: Sven Eckelmann +Date: Sat, 27 Jan 2024 13:49:03 +0100 +Subject: batctl: tcpdump: Add missing ICMPv6 Neighbor Solicit length check + +dump_ipv6() is doing a length check for the original ICMPv6 header length. +But the neighbor solicitation (which is also handled by this function) is +accessed without doing an additional length check. So it is possible that +it tries to read outside of the received data. + +Fixes: 35b37756f4a3 ("add IPv6 support to tcpdump parser") +Cc: Marco Dalla Torre +Signed-off-by: Sven Eckelmann +Origin: upstream, https://git.open-mesh.org/batctl.git/commit/83025933cb502192d22edc89de3c57103968c4ed + +--- a/tcpdump.c ++++ b/tcpdump.c +@@ -604,6 +604,8 @@ static void dump_ipv6(unsigned char *pac + (size_t)buff_len - sizeof(struct icmp6_hdr)); + break; + case ND_NEIGHBOR_SOLICIT: ++ LEN_CHECK((size_t)buff_len - (size_t)(sizeof(struct ip6_hdr)), ++ sizeof(*nd_neigh_sol), "ICMPv6 Neighbor Solicitation"); + nd_neigh_sol = (struct nd_neighbor_solicit *)icmphdr; + inet_ntop(AF_INET6, &(nd_neigh_sol->nd_ns_target), + nd_nas_target, 40); diff --git a/batctl/patches/0006-batctl-tcpdump-Fix-ICMPv4-inner-IPv4-header-length-c.patch b/batctl/patches/0006-batctl-tcpdump-Fix-ICMPv4-inner-IPv4-header-length-c.patch new file mode 100644 index 000000000..0e7488ede --- /dev/null +++ b/batctl/patches/0006-batctl-tcpdump-Fix-ICMPv4-inner-IPv4-header-length-c.patch 
@@ -0,0 +1,41 @@ +From: Sven Eckelmann +Date: Sat, 27 Jan 2024 13:49:04 +0100 +Subject: batctl: tcpdump: Fix ICMPv4 inner IPv4 header length check + +dump_ip() is doing a length check for the inner (inside ICMP) IPv4 header +length. But it is just assuming that the inner ICMPv4 header has ihl set to +5 - without actually checking for this. The more complex IPv4 header length +check for the outer IPv4 header is missing before it tries to access the +UDP header using the inner ihl IPv4 header length information. So it is +possible that it tries to read outside of the received data. + +Fixes: 75d68356f3fa ("[batctl] tcpdump - add basic IPv4 support") +Signed-off-by: Sven Eckelmann +Origin: upstream, https://git.open-mesh.org/batctl.git/commit/fb7a51466bf46a4914a32edd8e1be6ba0733cd49 + +--- a/tcpdump.c ++++ b/tcpdump.c +@@ -682,12 +682,20 @@ static void dump_ip(unsigned char *packe + (size_t)buff_len - (iphdr->ihl * 4)); + break; + case ICMP_DEST_UNREACH: +- LEN_CHECK((size_t)buff_len - (iphdr->ihl * 4) - sizeof(struct icmphdr), +- sizeof(struct iphdr) + 8, "ICMP DEST_UNREACH"); +- + switch (icmphdr->code) { + case ICMP_PORT_UNREACH: ++ LEN_CHECK((size_t)buff_len - (iphdr->ihl * 4) - sizeof(struct icmphdr), ++ sizeof(struct iphdr), "ICMP DEST_UNREACH"); ++ ++ /* validate inner IP header information */ + tmp_iphdr = (struct iphdr *)(((char *)icmphdr) + sizeof(struct icmphdr)); ++ LEN_CHECK((size_t)buff_len - (iphdr->ihl * 4) - sizeof(struct icmphdr), ++ (size_t)(tmp_iphdr->ihl * 4), "ICMP DEST_UNREACH"); ++ LEN_CHECK((size_t)(tmp_iphdr->ihl * 4), sizeof(*iphdr), "ICMP DEST_UNREACH"); ++ ++ LEN_CHECK((size_t)buff_len - (iphdr->ihl * 4) - sizeof(struct icmphdr) - (tmp_iphdr->ihl * 4), ++ sizeof(*tmp_udphdr), "ICMP DEST_UNREACH"); ++ + tmp_udphdr = (struct udphdr *)(((char *)tmp_iphdr) + (tmp_iphdr->ihl * 4)); + + printf("%s: ICMP ", ipdst); From 5a7cac9b4ecf78c686fd2afeacec591cecf60a6b Mon Sep 17 00:00:00 2001 
From: Sven Eckelmann Date: Mon, 5 Feb 2024 08:52:23 +0100 Subject: [PATCH 4/8] batman-adv: Provide teardown hook for batadv_vlan proto The batadv_vlan proto doesn't need to do anything when it gets teared down. But the scripts are still trying to call the teardown function of this proto. This results in warnings like: daemon.notice netifd: batmesh1 (18940): ./batadv_vlan.sh: eval: line 37: proto_batadv_vlan_teardown: not found Just providing a stub function avoids this log spam. Fixes: #1044 Reported-by: Rani Hod Fixes: f5205d7d2434 ("batman-adv: upgrade package to latest release 2014.2.0") Signed-off-by: Sven Eckelmann --- batman-adv/Makefile | 2 +- batman-adv/files/lib/netifd/proto/batadv_vlan.sh | 4 ++++ 2 files changed, 5 insertions(+), 1 deletion(-) diff --git a/batman-adv/Makefile b/batman-adv/Makefile index 03459113c..253f7c7df 100644 --- a/batman-adv/Makefile +++ b/batman-adv/Makefile @@ -4,7 +4,7 @@ include $(TOPDIR)/rules.mk PKG_NAME:=batman-adv PKG_VERSION:=2023.1 -PKG_RELEASE:=5 +PKG_RELEASE:=6 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz PKG_SOURCE_URL:=https://downloads.open-mesh.org/batman/releases/batman-adv-$(PKG_VERSION) diff --git a/batman-adv/files/lib/netifd/proto/batadv_vlan.sh b/batman-adv/files/lib/netifd/proto/batadv_vlan.sh index 115e61cde..5b0c76fd2 100755 --- a/batman-adv/files/lib/netifd/proto/batadv_vlan.sh +++ b/batman-adv/files/lib/netifd/proto/batadv_vlan.sh @@ -22,4 +22,8 @@ proto_batadv_vlan_setup() { proto_send_update "$config" } +proto_batadv_vlan_teardown() { + local cfg="$1" +} + add_protocol batadv_vlan From 5c9b2f40e2603e91159f7c3ed4e3c50a87c1cf82 Mon Sep 17 00:00:00 2001 From: Paul Spooren Date: Wed, 10 Jan 2024 17:22:54 +0100 Subject: [PATCH 5/8] ci: no longer require real name This goes in accordance with the Linux Kernel: > using a known identity (sorry, no anonymous contributions.) https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/Documentation/process/submitting-patches.rst?id=HEAD#n442 
Signed-off-by: Paul Spooren (cherry picked from commit 7e6cd98ad481184b1a620a9862aa3713d1ab85cc) (cherry picked from commit 10d7b7847f9537099dec6c7f82ab370f39cd6ddb) --- .github/workflows/formal.yml | 8 -------- 1 file changed, 8 deletions(-) diff --git a/.github/workflows/formal.yml b/.github/workflows/formal.yml index b3f824c52..c1a039d2e 100644 --- a/.github/workflows/formal.yml +++ b/.github/workflows/formal.yml @@ -34,14 +34,6 @@ jobs: RET=1 fi - author="$(git show -s --format=%aN $commit)" - if echo $author | grep -q '\S\+\s\+\S\+'; then - success "Author name ($author) seems ok" - else - err "Author name ($author) need to be your real name 'firstname lastname'" - RET=1 - fi - subject="$(git show -s --format=%s $commit)" if echo "$subject" | grep -q -e '^[0-9A-Za-z,+/_-]\+: ' -e '^Revert '; then success "Commit subject line seems ok ($subject)" From 1c108d27f737722c68a5696ced895a81f4fb7a6b Mon Sep 17 00:00:00 2001 From: Paul Spooren Date: Thu, 14 Mar 2024 14:46:15 +0100 Subject: [PATCH 6/8] ci: set correct arch for rootfs tests With the commit 01e5cfc "CI: Add target/arch tags (no suffix) for snapshot images"[1] the os/platform is set for all images, which is usually different from what the GitHub action runner uses (x86). The Docker deamon still tries to fetch the x86 version and fails. This commit explicitly sets the fitting arch. [1]: https://github.com/openwrt/docker/commit/01e5cfccd73a72ecab730496607c7c22b904f366 Signed-off-by: Paul Spooren (cherry picked from commit d359fa04eda29638b9326c194490685c1177fd49) (cherry picked from commit da3b77402d4acee2139eb11726788599cbca45fb) --- .github/workflows/multi-arch-test-build.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/multi-arch-test-build.yml b/.github/workflows/multi-arch-test-build.yml index 0fb6c606c..03aafc7de 100644 --- a/.github/workflows/multi-arch-test-build.yml +++ b/.github/workflows/multi-arch-test-build.yml 
@@ -147,11 +147,11 @@ jobs: - name: Build Docker container if: ${{ matrix.runtime_test && fromJSON(env.HAVE_IPKS) }} run: | - docker build -t test-container --build-arg ARCH .github/workflows/ + docker build --platform linux/${{ matrix.arch }} -t test-container --build-arg ARCH .github/workflows/ env: ARCH: ${{ matrix.arch }}-${{ env.BRANCH }} - name: Test via Docker container if: ${{ matrix.runtime_test && fromJSON(env.HAVE_IPKS) }} run: | - docker run --rm -v $GITHUB_WORKSPACE:/ci test-container + docker run --platform linux/${{ matrix.arch }} --rm -v $GITHUB_WORKSPACE:/ci test-container From 0617824a44f037f68dfa80be25693bf5bc6f4ce5 Mon Sep 17 00:00:00 2001 From: Rob White Date: Thu, 21 Mar 2024 20:39:24 +0000 Subject: [PATCH 7/8] mesh11sd: update to version 3.1.0 Maintainer: Rob White rob@blue-wave.net Compile tested: All Run tested: arm_cortex-a7_neon-vfpv4, mipsel_24kc, mips_24kc, aarch64_cortex-a53, x86-64 On 23.5 and master/snapshot. Description: mesh11sd (3.1.0) This release contains new functionality and numerous fixes. New functionality includes support of non-mesh segments of backhaul with blocking of bridge loops and spanning tree priority settable in the configuration Details can be found here: https://github.com/openNDS/mesh11sd/releases/tag/v3.1.0 Signed-off-by: Rob White (cherry picked from commit 4af9b69e1ba22a7406e20cdfb4982962e631fce4) --- mesh11sd/Makefile | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/mesh11sd/Makefile b/mesh11sd/Makefile index e86674f95..d35b848ab 100644 --- a/mesh11sd/Makefile +++ b/mesh11sd/Makefile @@ -2,13 +2,13 @@ # # This is free software, licensed under the GNU General Public License v2. # See /LICENSE for more information. -# Copyright (C) 2022 BlueWave Projects and Services +# Copyright (C) 2022 - 2024 BlueWave Projects and Services # include $(TOPDIR)/rules.mk PKG_NAME:=mesh11sd -PKG_VERSION:=2.0.0 +PKG_VERSION:=3.1.0 PKG_RELEASE:=1 PKG_MAINTAINER:=Rob White 
@@ -17,7 +17,7 @@ PKG_LICENSE_FILES:=LICENSE PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz PKG_SOURCE_URL:=https://codeload.github.com/opennds/mesh11sd/tar.gz/v$(PKG_VERSION)? -PKG_HASH:=741d219ea9c6fcb5e58771130c319c5b983274caf08f5c1cd5a458864e928649 +PKG_HASH:=841cec7484272155e1200edb354c8a76dc1416390dafd60bef2b8459fbf3ee21 PKG_BUILD_DIR:=$(BUILD_DIR)/mesh11sd-$(PKG_VERSION) include $(INCLUDE_DIR)/package.mk From 419a866f031ad4dae4fd5dcac50d24633dc07815 Mon Sep 17 00:00:00 2001 
From: Sven Eckelmann
Date: Fri, 5 Apr 2024 21:55:06 +0200
Subject: [PATCH 8/8] batman-adv: Avoid infinite loop trying to resize local TT

If the MTU of one of the attached interfaces becomes too small to transmit
the local translation table then it must be resized to fit inside all
fragments (when enabled) or a single packet.

But if the MTU becomes too low to transmit even the header + the VLAN
specific part then the resizing of the local TT will never succeed. This
can for example happen when the usable space is 110 bytes and 11 VLANs are
on top of batman-adv. In this case, at least 116 bytes would be needed.
There will just be an endless spam of

    batman_adv: batadv0: Forced to purge local tt entries to fit new maximum fragment MTU (110)

in the log but the function will never finish. Problem here is that the
timeout will be halved all the time and will then stagnate at 0 and
therefore never be able to reduce the table even more.

There are other scenarios possible with a similar result. The number of
BATADV_TT_CLIENT_NOPURGE entries in the local TT can for example be too
high to fit inside a packet. Such a scenario can therefore happen also with
only a single VLAN + 7 non-purgeable addresses - requiring at least 120
bytes.

While this should be handled proactively when:

* interface with too low MTU is added
* VLAN is added
* non-purgeable local mac is added
* MTU of an attached interface is reduced
* fragmentation setting gets disabled (which most likely requires dropping
  attached interfaces)

not all of these scenarios can be prevented because batman-adv is only
consuming events without the possibility to prevent these actions
(non-purgeable MAC address added, MTU of an attached interface is reduced).
It is therefore necessary to also make sure that the code is able to handle
the situations where incompatible system configurations are already
present.

Signed-off-by: Sven Eckelmann --- batman-adv/Makefile | 2 +- ...-infinite-loop-trying-to-resize-loca.patch | 59 +++++++++++++++++++ 2 files changed, 60 insertions(+), 1 deletion(-) create mode 100644 batman-adv/patches/0011-batman-adv-Avoid-infinite-loop-trying-to-resize-loca.patch diff --git a/batman-adv/Makefile b/batman-adv/Makefile index 253f7c7df..e5cf7b466 100644 --- a/batman-adv/Makefile +++ b/batman-adv/Makefile @@ -4,7 +4,7 @@ include $(TOPDIR)/rules.mk PKG_NAME:=batman-adv PKG_VERSION:=2023.1 -PKG_RELEASE:=6 +PKG_RELEASE:=7 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz PKG_SOURCE_URL:=https://downloads.open-mesh.org/batman/releases/batman-adv-$(PKG_VERSION) diff --git a/batman-adv/patches/0011-batman-adv-Avoid-infinite-loop-trying-to-resize-loca.patch b/batman-adv/patches/0011-batman-adv-Avoid-infinite-loop-trying-to-resize-loca.patch new file mode 100644 index 000000000..7d4f071e1 --- /dev/null +++ b/batman-adv/patches/0011-batman-adv-Avoid-infinite-loop-trying-to-resize-loca.patch 
@@ -0,0 +1,59 @@ +From: Sven Eckelmann +Date: Mon, 12 Feb 2024 14:32:13 +0100 +Subject: batman-adv: Avoid infinite loop trying to resize local TT + +If the MTU of one of an attached interface becomes too small to transmit +the local translation table then it must be resized to fit inside all +fragments (when enabled) or a single packet. + +But if the MTU becomes too low to transmit even the header + the VLAN +specific part then the resizing of the local TT will never succeed. This +can for example happen when the usable space is 110 bytes and 11 VLANs are +on top of batman-adv. In this case, at least 116 byte would be needed. +There will just be an endless spam of + + batman_adv: batadv0: Forced to purge local tt entries to fit new maximum fragment MTU (110) + +in the log but the function will never finish. Problem here is that the +timeout will be halved all the time and will then stagnate at 0 and +therefore never be able to reduce the table even more. + +There are other scenarios possible with a similar result. The number of +BATADV_TT_CLIENT_NOPURGE entries in the local TT can for example be too +high to fit inside a packet. Such a scenario can therefore happen also with +only a single VLAN + 7 non-purgable addresses - requiring at least 120 +bytes. + +While this should be handled proactively when: + +* interface with too low MTU is added +* VLAN is added +* non-purgeable local mac is added +* MTU of an attached interface is reduced +* fragmentation setting gets disabled (which most likely requires dropping + attached interfaces) + +not all of these scenarios can be prevented because batman-adv is only +consuming events without the the possibility to prevent these actions +(non-purgable MAC address added, MTU of an attached interface is reduced). +It is therefore necessary to also make sure that the code is able to handle +also the situations when there were already incompatible system +configuration are present. 
+ +Cc: stable@vger.kernel.org +Fixes: f7f2fe494388 ("batman-adv: limit local translation table max size") +Reported-by: syzbot+a6a4b5bb3da165594cff@syzkaller.appspotmail.com +Signed-off-by: Sven Eckelmann +Origin: upstream, https://git.open-mesh.org/batman-adv.git/commit/05f6eadbbddc834669249ae204026c383445b571 + +--- a/net/batman-adv/translation-table.c ++++ b/net/batman-adv/translation-table.c +@@ -3948,7 +3948,7 @@ void batadv_tt_local_resize_to_mtu(struc + + spin_lock_bh(&bat_priv->tt.commit_lock); + +- while (true) { ++ while (timeout) { + table_size = batadv_tt_local_table_transmit_size(bat_priv); + if (packet_size_max >= table_size) + break;
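Review bot: In batman-adv/src/compat-hacks.h (patch 2/8), the extended guard on `#if LINUX_VERSION_IS_LESS(6, 4, 0)` hard-codes three stable ranges (5.10.205, 5.15.144, 6.1.69) with no comment saying why they are carved out, so a reader of the header has to dig up the commit message to learn that these are the releases that received the backport of 1f5020acb33f. Add a short comment above the condition naming that commit and skb_vlan_eth_hdr(), and say there that any further stable series picking up the same backport needs its own exclusion, otherwise the same conflict returns.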
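Review bot: In the parse_eth_hdr() hunk of batctl patch 0001, the added `LEN_CHECK(buff_len, sizeof(*eth_hdr) + 2, "BAT HEADER")` has no trailing semicolon and passes buff_len without the `(size_t)` cast, while the other LEN_CHECK calls added in this series have both. Make the call consistent with them so it does not depend on how the macro happens to expand. The literal 2 stands for packet_type + version, as the comment says; a named constant or the sizes of those two fields would keep the intent attached to the number.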
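Review bot: In the BATADV_TP case of dump_batman_icmp() (batctl patch 0002), the new check computes `(size_t)buff_len - sizeof(struct ether_header)` as an unsigned subtraction, the same expression the existing "BAT ICMP" check uses, and nothing visible in this function establishes that buff_len is at least sizeof(struct ether_header). With a shorter buffer the difference wraps to a very large value and both checks pass. Either add a comment stating that the caller guarantees the Ethernet header is present, or write the comparison in additive form, buff_len against sizeof(struct ether_header) + sizeof(*tp), which cannot wrap.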
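Review bot: In the ICMP_PORT_UNREACH case of dump_ip() (batctl patch 0006), the minimum-size check on the inner header is written `LEN_CHECK((size_t)(tmp_iphdr->ihl * 4), sizeof(*iphdr), "ICMP DEST_UNREACH");` and so takes the size from the outer header pointer. Both pointers are `struct iphdr *`, so the value is right, but `sizeof(*tmp_iphdr)` says what is meant. The expression `(size_t)buff_len - (iphdr->ihl * 4) - sizeof(struct icmphdr)` now appears in three of the four checks; hoisting it into a local would make the order of the checks easier to audit, and giving each check its own description string would let the four be told apart, since all of them currently pass "ICMP DEST_UNREACH".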
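Review bot: In batman-adv/files/lib/netifd/proto/batadv_vlan.sh (patch 4/8), the body of the new proto_batadv_vlan_teardown() is `local cfg="$1"`, a variable that is never read and whose name differs from the `$config` used by proto_batadv_vlan_setup() just above it. Since the function is an intentional stub, a `:` body with a one-line comment saying that batadv_vlan has nothing to tear down states that directly and will not be mistaken for unfinished code.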
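Review bot: In .github/workflows/formal.yml (patch 5/8), the hunk removes the author-name test outright rather than relaxing it, so `git show -s --format=%aN` is no longer inspected here, while the commit message quotes a rule that still asks for a known identity. Say in the commit message where that remaining requirement is checked (for example by reviewers, or by the Signed-off-by line), and since the patch touches only this workflow file, update any contributor-facing text that still asks for 'firstname lastname' in the same series.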
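Review bot: In .github/workflows/multi-arch-test-build.yml (patch 6/8), both changed commands interpolate `${{ matrix.arch }}` directly into the `run:` script text, while the build step already passes a matrix-derived value through `env:` as ARCH. Pass the platform through an environment variable as well and reference it quoted in the shell, so the script text itself does not vary with the matrix value; quoting `$GITHUB_WORKSPACE` in the `-v` argument is worth doing while that line is being touched. The same `--platform linux/...` argument now has to stay identical between `docker build` and `docker run`, so defining it once at job level avoids one step being changed without the other.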
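Review bot: In batadv_tt_local_resize_to_mtu() (batman-adv patch 0011), changing `while (true)` to `while (timeout)` ends the loop once timeout reaches 0, but in the cases the commit message describes the table still does not fit packet_size_max at that point, and the hunk adds nothing after the loop to report it. Consider a single warning after the loop when table_size is still larger than packet_size_max, so an administrator can see that the configuration (MTU, number of VLANs, non-purgeable entries) is incompatible instead of the log simply going quiet. A short comment at the loop head saying that timeout is halved on each round and that 0 means no further purging is possible would also help, because that is not visible from the condition alone.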