This fixes the following security problems:
CVE-2017-3731: Truncated packet could crash via OOB read
CVE-2017-3732: BN_mod_exp may produce incorrect results on x86_64
CVE-2016-7055: Montgomery multiplication may produce incorrect results
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
The VGV7510KW22BRN and VGV7519BRN do not have the same brnImage
signature. It was accidentally changed with ba42c1d ("lantiq: un-macro
the image building code").
Signed-off-by: Mathias Kresin <dev@kresin.me>
If only a single opkg control file exists (which can happen with
CONFIG_CLEAN_IPKG), grep would not print the file name by default. Instead
of forcing it using -H, we just switch to -l (print only file names) and
get rid of the cut.
Add -s to suppress an error message when no control files exist.
Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
Require-User is handled by /etc/uci-defaults/13_fix_group_user on first
boot, so we need to keep these when removing all opkg data with
CONFIG_CLEAN_IPKG.
Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
The name "Plat'Home OpenBlocks AX3" causes the imagebuilders "make info"
command to fail with:
bash: -c: line 0: syntax error near unexpected token `('
bash: -c: line 0: `echo; [...]'
Makefile:99: recipe for target '_call_info' failed
Properly escape single quotes to avoid breaking the echo commands.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
The radio would stop communicating completely. This issue was easiest to
trigger on AR913x devices, e.g. the TP-Link TL-WR1043ND, but other
hardware was occasionally affected as well.
The most critical issue was a race condition in disabling/enabling IRQs
between the IRQ handler and the IRQ processing tasklet
Signed-off-by: Felix Fietkau <nbd@nbd.name>
This reverts commit c296ba834d.
According to several reports, the issues with the airtime fairness
changes are gone in current versions.
It's time to re-apply the patch now.
Signed-off-by: Felix Fietkau <nbd@nbd.name>
This device has 2 TRX partitions (main one and failsafe one) and Linux
may not detect them properly failing to run userspace.
Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
Even when the disk uses 4k blocks, the partition table still uses units
of 512 byte sectors. Always use ibs=512 for the offsets
Signed-off-by: Felix Fietkau <nbd@nbd.name>
There was a bug in brcmfmac patch that could result in treating random
memory as source of country codes.
Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
Upon first invocation, the ccache program will create the required directory
hierarchy so there is no point in shipping these empty directories.
Removing those paths also avoids shipping dangling symlinks in case the
directories got linked elsewhere, e.g. into a shared global cache.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
According to some reports, -march=pentium-mmx is a better choice for
older Geode CPUs than -march=geode anyway.
Bump the minimum architecture of the legacy target from i486 to
pentium-mmx. Anything older is not worth supporting anyway.
Signed-off-by: Felix Fietkau <nbd@nbd.name>
The le64 and be64 subtargets do not share a package architecture with
any other targets, so they are pretty wasteful for a development-only
target.
Signed-off-by: Felix Fietkau <nbd@nbd.name>
While rt288x only has a MIPS 4KEc processor, it implements the MIPS32r2
architecture just like the 24Kc, so the instruction set should be 100%
compatible.
Switching it to 24kc allows it to share the package architecture with a
lot of other targets instead of creating a special case, saving
buildbot resources.
Signed-off-by: Felix Fietkau <nbd@nbd.name>
The hostapd_append_wpa_key_mgmt() procedure uses the possibly uninitialized
$ieee80211r and $ieee80211w variables in a numerical comparisation, leading
to stray "netifd: radio0 (0000): sh: out of range" errors in logread when
WPA-PSK security is enabled.
Ensure that those variables are substituted with a default value in order to
avoid emitting this (harmless) shell error.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
Add PROVIDES:=openvpn to the default recipe in order to let all build variants
provide a virtual openvpn package.
The advantage of this approach is that downstream packages can depend on just
"openvpn" without having to require a specific flavor.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
The last two parameters passed between user space tc and kernel space
sched-cake were transposed due to a merge mistake in a parameter header
file.
As such, using a packet overhead figure was likely to set cake to wash
packet DSCP values. Similarly, the DSCP wash flag was used as an offset
to the displayed packet overhead value.
Signed-off-by: Kevin Darbyshire-Bryant <kevin@darbyshire-bryant.me.uk>
Update to 1.2.11 as suggested by upstream
Also add SF as primary source and main site as fallback
Note: SF doesn't carry the 1.2.11 update yet.
Signed-off-by: Daniel Engberg <daniel.engberg.lists@pyret.net>
Instead of relying on complex sed patterns that trip up make syntax rules, use
GNU Makes builtin filter function to match desired URLs.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
Only consider the repository origin url as valid base feed entry if it is a
git://, http:// or https:// location.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
Disabling ethernet during reboot (only to enable it again when the
ethernet driver attaches) can put the chip into a faulty state where it
corrupts the header of all incoming packets.
This happens if packets arrive during the time window where the core is
disabled, and it can be easily reproduced by rebooting while sending a
flood ping to the broadcast address.
Signed-off-by: Felix Fietkau <nbd@nbd.name>
Since the MIPS IRQ stack patches, lantiq devices were emitting a storm
of messages like this:
[ 567.872172] Spurious IRQ: CAUSE=0x1100c300
Fix this by reworking the IRQ dispatch code
Signed-off-by: Felix Fietkau <nbd@nbd.name>
Before SUBDIR was set to $(PATCHVER) which may
or may not include the minor version number of
the linux kernel version. Usually it doesn't.
So the git-clone'd linux kernel was packed without
the minor version number taken into account, which
broke further processing, as it expected the
extracted dir being named linux-$(LINUX_VERSION)
(=with minor version) rather than linux-$(PATCHVER)
(=without minor version).
Changing SUBDIR to $(LINUX_VERSION) creates
consistent behaviour here.
Signed-off-by: Mirko Vogt <mirko-openwrt@nanl.de>
Do not strip static libraries shipped with the SDK in order to preserve the
archive index. If we strip the index of the shipped libraries, host programs
will fail to link these libraries with errors like:
libssl.a: error adding symbols: Archive has no index; run ranlib to add one
The error was found while investigating a Python host build failure within
the SDK environment.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
Knowing the package architecture at runtime can be useful, e.g. to
configure opkg repository URLs. The value of ARCH_PACKAGES ("%A" in
VERSION_SED) as added to openwrt_release (as DISTRIB_ARCH) and os-release
(as LEDE_ARCH).
Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
Currently system log is always included as a part of ubox. Add logd as a
seperate package and add it to default packages list.
Signed-off-by: Andrej Vlasic <andrej.vlasic@sartura.hr>
Signed-off-by: Luka Perkov <luka.perkov@sartura.hr>
This fixes hangs in igb that happen if the update call interrupts an
already existing dev_get_stats call. In that case the calling CPU
deadlocks because it's trying to acquire the same spinlock recursively.
Signed-off-by: Felix Fietkau <nbd@nbd.name>
opkg doesn't have BUILD_VARIANTs anymore, so the previously defined
PKG_BUILD_DIR would lead to a weird 'opkg-' path component.
Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
This allows some basic region switching on Netgear R8000. More devices &
codes may be added. Ideally it should be converted into DT info & patch.
Signed-off-by: Rafał Miłecki <rafal@milecki.pl>