Fixed an authentication bypass issue in SSL/TLS. When the TLS
authentication mode was set to 'optional',
mbedtls_ssl_get_verify_result() would incorrectly return 0 when the
peer's X.509 certificate chain had more than
MBEDTLS_X509_MAX_INTERMEDIATE_CA intermediates (default: 8), even when
it was not trusted. This could be triggered remotely on both the client
and server side. (Note, with the authentication mode set by
mbedtls_ssl_conf_authmode()to be 'required' (the default), the handshake
was correctly aborted).
Signed-off-by: Kevin Darbyshire-Bryant <kevin@darbyshire-bryant.me.uk>
Tested-by: Magnus Kroken <mkroken@gmail.com>
This adds metadata to wpj344 and wpj558 images to prevent loading
firmware of wpj344 into wpj558 and vice versa. This until now was
possible and break the units and had to be recovered from the uboot.
Signed-off-by: Enrique Giraldo <enrique.giraldo@galgus.net>
COMFAST CF-E355AC is a ceiling mount AP with PoE support, based on
Qualcomm/Atheros QCA9531 + QCA9882.
Short specification:
- 2x 10/100 Mbps Ethernet, with PoE support
- 64MB of RAM (DDR2)
- 16 MB of FLASH
- 2T2R 2.4 GHz, 802.11b/g/n
- 2T2R 5 GHz, 802.11ac/n/a
- built-in 4x 3 dBi antennas
- output power (max): 500 mW (27 dBm)
- 1x RGB LED, 1x button
- built-in watchdog chipset
Flash instruction:
Original firmware is based on OpenWrt.
Use sysupgrade image directly in vendor GUI.
Signed-off-by: Enrique Giraldo <enrique.giraldo@galgus.net>
[whitespace fixes, ac radio caldata offset fix]
Signed-off-by: Piotr Dymacz <pepe2k@gmail.com>
GL.iNet GL-USB150 is an USB dongle WiFi router, based on Atheros AR9331.
Specification:
- 400/400/200 MHz (CPU/DDR/AHB)
- 64 MB of RAM (DDR2)
- 16 MB of FLASH (SPI NOR)
- Realtek RTL8152B USB to Ethernet bridge (connected with AR9331 PHY4)
- 1T1R 2.4 GHz
- 2x LED, 1x button
- UART header on PCB
Flash instruction:
Vendor firmware is based on OpenWrt CC. GUI or sysupgrade can be used
to flash LEDE firmware.
Signed-off-by: Piotr Dymacz <pepe2k@gmail.com>
ifname variable were not assigned due to syntax error
causing the hostapd config file to have an empty iapp_interface= option
Signed-off-by: Lorenzo Santina <lorenzo.santina.dev@gmail.com>
For the Archer C50v1, the EU and US versions are differentiated by their
respective HW additional version (0x0 for US, 0x2 for EU).
The stock web interface checks this field before flashing, making it
impossible to flash the current (US) factory image on EU hardware.
However the bootloader does not check this field, making it possible to use
a single sysupgrade image for both hardware.
This patch adds the necessary build bits to generate both EU and US factory
images, and renames the target as "Archer C50v1" since there are as of now
3 different versions of Archer C50 (all with different CPUs).
Signed-off-by: Thibaut VARENE <hacks@slashdirt.org>
The HNET C108
(http://www.szhwtech88.com/Product-product-cid-100-id-4374.html) is a
mifi based on MT7602A, which has the following specifications:
* CPU: MT7620A
* 1x 10/100Mbps Ethernet.
* 16 MB Flash.
* 64 MB RAM.
* 1x USB 2.0 port. Only power is connected, this port is meant for
charging other devices.
* 1x mini-PCIe slots.
* 1x SIM slots.
* 1x 2.4Ghz WIFI.
* 1x button.
* 6000 mAh battery.
* 5x controllable LEDs.
Works:
* Wifi.
* Switch.
* mini-PCIe slot. Only tested with a USB device (a modem).
* SIM slot.
* Sysupgrade.
* Button (reset).
Not working (also applies to the factory firmware):
* Wifi LED. It is always switched on, there is no relation to the
up/down state or activity of the wireless interface.
Not tested:
* SD card reader.
Notes:
* The C108 has no dedicated status LED. I therefore set the LAN LED as
status LED.
Installation:
The router comes pre-installed with OpenWRT, including a variant of
Luci. The initial firmware install can be done through this UI,
following normal procedure. I.e., access the UI and update the firmware
using the sysupgrade-image. Remember to select that you do not want to
keep existing settings.
Recovery:
If you brick the device, the C108 supports recovery using TFTP. Keep the
reset button pressed for ~5sec when booting to trigger TFTP. Set the
address of the network interface on your machine to 10.10.10.3/24, and
rename your image file to Kernal.bin.
Signed-off-by: Kristian Evensen <kristian.evensen@gmail.com>
In case the link changes from down to up, the register is only updated
on read. If the link failed/was down, this bit will be 0 until after
reading this bit again.
Fixes a reported link down by swconfig alebit the link is up (query for
the link again will show the correct link status)
Signed-off-by: Mathias Kresin <dev@kresin.me>
In conditions where none of the switch ports is connected during boot,
the priv->port[i].link != priv->port[i].phydev->link condition is false
since both link values are equal (false). The carrier of the switch
netdev is never set to off and the link state reported by ip is UNKNOWN.
Turn the carrier off if none of the switch ports has a link, regardless
whether something has been changed. Add a check for a carrier to
prevent unnecessary calls to netif_carrier_off() if the carrier is
already off.
Based on a patch send by Martin Schiller.
Signed-off-by: Mathias Kresin <dev@kresin.me>
Don't return arcount=1 if EDNS0 RR won't fit in the packet.
Omitting the EDNS0 RR but setting arcount gives a malformed packet.
Also, don't accept UDP packet size less than 512 in received EDNS0.
Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
Remove LEDE partial fix for CVE-2017-13704.
Backport official fix from upstream.
Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com> (PKG_RELEASE increase)
Commit 77645ffcd9 ("ramips: add support for the GnuBee Personal Cloud
One") dropped the execution permission from 01_leds with the result
that the file isn't started during first boot and no default LED
configuration is added.
Revert the introduced file permission change.
Fixes: FS#979
Signed-off-by: Kristian Evensen <kristian.evensen@gmail.com>
[cherry picked the fix from a board support patch]
Signed-off-by: Mathias Kresin <dev@kresin.me>
Extendprefix is typically used to extend an IPv6 RA prefix from a mobile
wan link to the LAN; such scenario requires correct RA prefix settings
like the on link flag not being set.
However some mobile manufacter set the RA prefix on link flag which breaks
basic IPv6 routing.
Work around this issue by filtering out the route being equal to the
extended prefix.
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
The WAN port on the Netgear WNDR4300 router has two LEDs,
amber and green. Use the switch LED trigger to behave as the
rest of the LAN HW controlled LEDs
- Green: 1 Gbps
- Amber: 100/10 Mbps
Signed-off-by: Daniel Gonzalez Cabanelas <dgcbueu@gmail.com>
1. Add support to LAN/WAN LEDs attached to ar8327.
2. Fix the problem that LAN/WAN LEDs does not blink in hardware (auto)
mode when connected to 10M/100M ethernet.
Signed-off-by: Kuang Rufan <master@a1983.com.cn>
51733a6 ra: align RA update interval with RFC4861 (FS#964)
Add ra_holdoff config option which allows to configure the RA minimum
update interval which is by default 3 seconds as stated in RFC4861.
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
Refresh patches.
Compile-tested on ramips/mt7621 and x86/64.
Runtime-tested on ramips/mt7621 and x86/64.
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
b1bc8d5 kmodloader: log error message in case of out of memory
f346111 kmodloader: lift restriction on module alias info
f1ef2c3 kmodloader: fix possible segfaults
9cb63df kmodloader: fix endianess check
2cff779 kmodloader: Check module endian before loading
d54f38a kmodloader/get_module_info: initialized aliases to make it more clean
a0b6fef kmodloader: insmod: fix a memoryleak in error case
278c4c4 kmodloader/get_module_name: null-terminate the string
16f7e16 syslog: remove unnecessary sizeof struct between messages
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
This generic structure defines tx_bytes and rx_bytes as unsigned long (u32),
while several devices would typically report unsigned long long (u64).
The code can work as is, but there's a chance that with a sufficiently fast
interface the overflow might happen too fast to be correctly noticed by the
consumers of this data.
This patch makes both field unsigned long long and updates the only known
consumer of this data: swconfig_leds.c
Signed-off-by: Thibaut VARENE <hacks@slashdirt.org>
This patch provides a generic switch_dev_ops 'get_port_stats()' callback by
taping into the relevant port MIB counters.
This callback is used by swconfig_leds led trigger to blink LEDs with port
network traffic.
Signed-off-by: Thibaut VARENE <hacks@slashdirt.org>
This patch provides a generic switch_dev_ops 'get_port_stats()' callback by
taping into the relevant port MIB counters.
This callback is used by swconfig_leds led trigger to blink LEDs with port
network traffic.
Signed-off-by: Thibaut VARENE <hacks@slashdirt.org>
This patch provides a generic switch_dev_ops 'get_port_stats()' callback by
taping into the relevant port MIB counters.
This callback is used by swconfig_leds led trigger to blink LEDs with port
network traffic.
Signed-off-by: Thibaut VARENE <hacks@slashdirt.org>
This patch provides a generic switch_dev_ops 'get_port_stats()' callback by
taping into the relevant port MIB counters.
The implementation uses a generic callback that select the correct MIB counter
index based on chip version.
This callback is used by swconfig_leds led trigger to blink LEDs with port
network traffic.
Signed-off-by: Thibaut VARENE <hacks@slashdirt.org>
This patch provides a generic switch_dev_ops 'get_port_stats()' callback by
taping into the relevant port MIB counters.
This callback is used by swconfig_leds led trigger to blink LEDs with port
network traffic.
Signed-off-by: Thibaut VARENE <hacks@slashdirt.org>
Properly quote the arguments so that you can register a service with TXT
entries that contains spaces.
Example:
procd_add_mdns myservice tcp 9999 "key=descriptive text field 1" \
"another=something equally verbose"
Output before:
$ avahi-browse -r -v _myservice._tcp
_myservice._tcp local
hostname = [blah.local]
address = [192.168.255.74]
port = [9999]
txt = ["verbose" "equally" "another=something" "1" "field" "text" "key=descriptive"]
Output now:
$ avahi-browse -r -v _myservice._tcp
_myservice._tcp local
hostname = [blah.local]
address = [192.168.255.74]
port = [9999]
txt = ["another=something equally verbose" "key=descriptive text field 1"]
Signed-off-by: Karl Palsson <karlp@etactica.com>
This patch fixes the switch port numbering on Mikrotik RB750r2 (hEX lite) and RB750UPr2 (hEX PoE lite).
Tested on a RB750UPr2. Maybe this patch is applicable to other devices (e.g. RB951Ui-2nD, RB952Ui-5ac2nD) but I have no way to test them.
Signed-off-by: João Chaínho <joaochainho@gmail.com>
ssh and scp commands interfere with OpenSSH when installed in /usr/bin .
One use case is when installing dropbear to get root access when only OpenSSH is available (OpenSSH disallows root password logins). Once dropbear installs, it replaces OpenSSH's executables, even when removed with opkg. OpenSSH must be reinstalled to get them back.
Signed-off-by: Rosen Penev <rosenp@gmail.com>
Fixes critical issues for memset() & fflush()
Changes:
5f7efb8 move IPPORT_RESERVED from netdb.h to netinet/in.h
5f3b652 add powerpc64 and s390x to list of supported archs in INSTALL
file
9d4c902 fix undefined behavior in memset due to missing sequence points
c7f56b4 __init_libc: add fallbacks for __progname setup
cc08669 add SIOCGSTAMPNS socket ioctl macro to ioctl.h
02b50c9 fix mips ioctl macros to match linux asm/sockios.h
670d6d0 fix unsynchronized access to FILE structure in fflush(0)
Tested on cns3xxx & imx6
Signed-off-by: Koen Vandeputte <koen.vandeputte@ncentric.com>
Refresh patches, delete patches backported from upstream.
This fixes ntpd sync issues (ntpd would not sync if the first provided
peer address was unreachable).
Signed-off-by: Magnus Kroken <mkroken@gmail.com>
Signed-off-by: Kevin Darbyshire-Bryant <kevin@darbyshire-bryant.me.uk>
IPQ806x AP148 and DB149 boards didn't have the UCI ubootenv
section initialized, so the usage of fw_printenv required manual
configuration. With this change, the "fw_printenv" and "fw_setenv"
command will automatically work on NOR and NAND based platforms.
Signed-off-by: Ram Chandra Jangir <rjangir@codeaurora.org>
busybox currently installs passwd into /usr/bin which prevents its
'full' shadow-utils variant from being installed.
Move the passwd applet to /bin to avoid that collision.
shadow also provides /usr/bin/login which doesn't collide with busybox
as the busybox login applet is installed at /bin/login.
Signed-off-by: Daniel Golle <daniel@makrotopia.org>