Merge branch 'next' of ssh://git.ipfire.org/pub/git/ipfire-2.x into asterisk-update

This commit is contained in:
Dirk Wagner
2014-05-19 12:56:38 +02:00
135 changed files with 9380 additions and 4324 deletions


@@ -1,55 +0,0 @@
From 220ffe76a48c72171d7724f7f602a2fdd8bbca6a Mon Sep 17 00:00:00 2001
From: Michael Tremer <michael.tremer@ipfire.org>
Date: Sat, 15 Feb 2014 18:37:54 +0100
Subject: [PATCH] Exclude some more invalid patterns.
---
src/fireinfo/system.py | 15 +++++++++++++--
1 file changed, 13 insertions(+), 2 deletions(-)
diff --git a/src/fireinfo/system.py b/src/fireinfo/system.py
index 40ff7b0..c875f96 100644
--- a/src/fireinfo/system.py
+++ b/src/fireinfo/system.py
@@ -44,12 +44,17 @@ INVALID_ID_STRINGS = (
"Chassis", "chassis",
"Not Applicable",
"None", "empty",
+ "XXXXX",
"01010101-0101-0101-0101-010101010101",
"00020003-0004-0005-0006-000700080009",
"03000200-0400-0500-0006-000700080009",
"0000000", "00000000",
)
+INVALID_ID_STRINGS_EXACT_MATCH = (
+ "NA",
+)
+
class Singleton(type):
def __init__(cls, name, bases, dict):
super(Singleton, cls).__init__(name, bases, dict)
@@ -234,12 +239,18 @@ class System(object):
if id is None:
continue
- for i in INVALID_ID_STRINGS:
- if i in id:
+ for i in INVALID_ID_STRINGS_EXACT_MATCH:
+ if id == i:
id = None
break
if id:
+ for i in INVALID_ID_STRINGS:
+ if i in id:
+ id = None
+ break
+
+ if id:
_ids.append(id)
ids = _ids
--
1.8.3.1


@@ -1514,10 +1514,10 @@ index 0000000..339631f
+}
diff --git a/net/netfilter/xt_layer7.c b/net/netfilter/xt_layer7.c
new file mode 100644
index 0000000..51bb747
index 0000000..1573e9d
--- /dev/null
+++ b/net/netfilter/xt_layer7.c
@@ -0,0 +1,625 @@
@@ -0,0 +1,665 @@
+/*
+ Kernel module to match application layer (OSI layer 7) data in connections.
+
@@ -1726,40 +1726,67 @@ index 0000000..51bb747
+
+static int can_handle(const struct sk_buff *skb)
+{
+ if(!ip_hdr(skb)) /* not IP */
+ struct iphdr iphdr_tmp;
+ struct iphdr *iphdr;
+ int offset;
+
+ if (!ip_hdr(skb))
+ return 0;
+ if(ip_hdr(skb)->protocol != IPPROTO_TCP &&
+ ip_hdr(skb)->protocol != IPPROTO_UDP &&
+ ip_hdr(skb)->protocol != IPPROTO_ICMP)
+
+ offset = ((uintptr_t)ip_hdr(skb)) - ((uintptr_t)skb->data);
+
+ iphdr = skb_header_pointer(skb, offset, sizeof(*iphdr), &iphdr_tmp);
+ if (!iphdr)
+ return 0;
+ return 1;
+
+ if (iphdr->protocol == IPPROTO_TCP ||
+ iphdr->protocol == IPPROTO_UDP ||
+ iphdr->protocol == IPPROTO_ICMP)
+ return 1;
+
+ return 0;
+}
+
+/* Returns offset the into the skb->data that the application data starts */
+static int app_data_offset(const struct sk_buff *skb)
+{
+ /* In case we are ported somewhere (ebtables?) where ip_hdr(skb)
+ isn't set, this can be gotten from 4*(skb->data[0] & 0x0f) as well. */
+ int ip_hl = 4*ip_hdr(skb)->ihl;
+ int offset;
+ struct iphdr iphdr_tmp;
+ struct iphdr *iphdr;
+ struct tcphdr tcphdr_tmp;
+ struct tcphdr *tcphdr;
+
+ if( ip_hdr(skb)->protocol == IPPROTO_TCP ) {
+ /* 12 == offset into TCP header for the header length field.
+ Can't get this with skb->h.th->doff because the tcphdr
+ struct doesn't get set when routing (this is confirmed to be
+ true in Netfilter as well as QoS.) */
+ int tcp_hl = 4*(skb->data[ip_hl + 12] >> 4);
+ if (!ip_hdr(skb))
+ return -1;
+
+ return ip_hl + tcp_hl;
+ } else if( ip_hdr(skb)->protocol == IPPROTO_UDP ) {
+ return ip_hl + 8; /* UDP header is always 8 bytes */
+ } else if( ip_hdr(skb)->protocol == IPPROTO_ICMP ) {
+ return ip_hl + 8; /* ICMP header is 8 bytes */
+ } else {
+ if (net_ratelimit())
+ printk(KERN_ERR "layer7: tried to handle unknown "
+ "protocol!\n");
+ return ip_hl + 8; /* something reasonable */
+ offset = ((uintptr_t)ip_hdr(skb)) - ((uintptr_t)skb->data);
+
+ iphdr = skb_header_pointer(skb, offset, sizeof(*iphdr), &iphdr_tmp);
+ if (!iphdr)
+ return -1;
+
+ offset += iphdr->ihl * 4;
+
+ if (iphdr->protocol == IPPROTO_TCP) {
+ tcphdr = skb_header_pointer(skb, offset, sizeof(*tcphdr),
+ &tcphdr_tmp);
+ if (!tcphdr)
+ return -1;
+
+ offset += tcphdr->doff * 4;
+
+ return offset;
+ }
+
+ if (iphdr->protocol == IPPROTO_UDP)
+ return offset + 8;
+
+ if (iphdr->protocol == IPPROTO_ICMP)
+ return offset + 8;
+
+ if (net_ratelimit())
+ pr_err(KERN_ERR "layer7: tried to handle unknown protocol!\n");
+
+ return offset + 8; /* something reasonable */
+}
+
+/* handles whether there's a match when we aren't appending data anymore */
@@ -1849,13 +1876,39 @@ index 0000000..51bb747
+ return length;
+}
+
+/* add the new app data to the buffer. Return number of bytes added. */
+static int add_data(char *target, int offset, const struct sk_buff *skb)
+{
+ int length, length_sum = 0;
+ int data_start = app_data_offset(skb);
+ int remaining = skb->len - data_start;
+ int to_copy;
+ uint8_t buf[512];
+ uint8_t *data;
+
+ while ((offset < maxdatalen - 1) && (remaining > 0)) {
+ to_copy = min_t(int, remaining, sizeof(buf));
+
+ data = skb_header_pointer(skb, data_start, to_copy, buf);
+ length = add_datastr(target, offset, data, to_copy);
+
+ remaining -= to_copy;
+ data_start += to_copy;
+ offset += length;
+ length_sum += length;
+ }
+
+ return length_sum;
+}
+
+/* add the new app data to the conntrack. Return number of bytes added. */
+static int add_data(struct nf_conn * master_conntrack,
+ char * app_data, int appdatalen)
+static int add_data_conntrack(struct nf_conn *master_conntrack,
+ const struct sk_buff *skb)
+{
+ int length;
+
+ length = add_datastr(master_conntrack->layer7.app_data, master_conntrack->layer7.app_data_len, app_data, appdatalen);
+ length = add_data(master_conntrack->layer7.app_data,
+ master_conntrack->layer7.app_data_len, skb);
+ master_conntrack->layer7.app_data_len += length;
+
+ return length;
@@ -1911,20 +1964,20 @@ index 0000000..51bb747
+static bool match(const struct sk_buff *skbin, struct xt_action_param *par)
+{
+ /* sidestep const without getting a compiler warning... */
+ struct sk_buff * skb = (struct sk_buff *)skbin;
+ struct sk_buff *skb = (struct sk_buff *)skbin;
+
+ const struct xt_layer7_info * info = par->matchinfo;
+
+ enum ip_conntrack_info master_ctinfo, ctinfo;
+ struct nf_conn *master_conntrack, *conntrack;
+ unsigned char *app_data, *tmp_data;
+ unsigned int pattern_result, appdatalen;
+ unsigned char *tmp_data;
+ unsigned int pattern_result;
+ regexp * comppattern;
+
+ /* Be paranoid/incompetent - lock the entire match function. */
+ spin_lock_bh(&l7_lock);
+
+ if(!can_handle(skb)){
+ if (!can_handle(skbin)) {
+ DPRINTK("layer7: This is some protocol I can't handle.\n");
+ spin_unlock_bh(&l7_lock);
+ return info->invert;
@@ -1933,8 +1986,9 @@ index 0000000..51bb747
+ /* Treat parent & all its children together as one connection, except
+ for the purpose of setting conntrack->layer7.app_proto in the actual
+ connection. This makes /proc/net/ip_conntrack more satisfying. */
+ if(!(conntrack = nf_ct_get(skb, &ctinfo)) ||
+ !(master_conntrack=nf_ct_get(skb,&master_ctinfo))){
+ conntrack = nf_ct_get(skbin, &ctinfo);
+ master_conntrack = nf_ct_get(skbin, &master_ctinfo);
+ if (!conntrack || !master_conntrack) {
+ DPRINTK("layer7: couldn't get conntrack.\n");
+ spin_unlock_bh(&l7_lock);
+ return info->invert;
@@ -1962,20 +2016,6 @@ index 0000000..51bb747
+ return (pattern_result ^ info->invert);
+ }
+
+ if(skb_is_nonlinear(skb)){
+ if(skb_linearize(skb) != 0){
+ if (net_ratelimit())
+ printk(KERN_ERR "layer7: failed to linearize "
+ "packet, bailing.\n");
+ spin_unlock_bh(&l7_lock);
+ return info->invert;
+ }
+ }
+
+ /* now that the skb is linearized, it's safe to set these. */
+ app_data = skb->data + app_data_offset(skb);
+ appdatalen = skb_tail_pointer(skb) - app_data;
+
+ /* the return value gets checked later, when we're ready to use it */
+ comppattern = compile_and_cache(info->pattern, info->protocol);
+
@@ -1988,7 +2028,7 @@ index 0000000..51bb747
+ }
+
+ tmp_data[0] = '\0';
+ add_datastr(tmp_data, 0, app_data, appdatalen);
+ add_data(tmp_data, 0, skbin);
+ pattern_result = ((comppattern && regexec(comppattern, tmp_data)) ? 1 : 0);
+
+ kfree(tmp_data);
@@ -2023,7 +2063,7 @@ index 0000000..51bb747
+
+ if(!skb->cb[0]){
+ int newbytes;
+ newbytes = add_data(master_conntrack, app_data, appdatalen);
+ newbytes = add_data_conntrack(master_conntrack, skb);
+
+ if(newbytes == 0) { /* didn't add any data */
+ skb->cb[0] = 1;
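Review bot: In `add_data()` (hunk `@@ -1849,13 +1876,39 @@`), the pointer returned by `skb_header_pointer()` is handed straight to `add_datastr()` with no NULL check; it returns NULL whenever the requested range does not fit in the skb, which a truncated or malformed packet can produce, and the new `app_data_offset()` in the `@@ -1726` hunk can now also return -1, which flows unchecked into `data_start` and `remaining`. Either case ends in a NULL dereference inside the match path of every connection that hits a layer7 rule, so the guards belong here: bail out when `data_start` is negative before `remaining` is computed, and break out of the loop when `skb_header_pointer()` returns NULL. Separately, `pr_err(KERN_ERR "layer7: tried to handle unknown protocol!\n")` at the end of `app_data_offset()` doubles the log-level prefix, since `pr_err()` already supplies KERN_ERR; drop the explicit `KERN_ERR`. The `match()` function in the later hunks starts before and ends after the visible lines, so its remaining body could not be reviewed here.
```c
static int add_data(char *target, int offset, const struct sk_buff *skb)
{
	/* … unchanged: length, length_sum, to_copy, buf, data declarations … */
	int data_start = app_data_offset(skb);
	int remaining;

	/* app_data_offset() reports -1 when the IP or TCP header could not be read */
	if (data_start < 0)
		return 0;
	remaining = skb->len - data_start;

	while ((offset < maxdatalen - 1) && (remaining > 0)) {
		to_copy = min_t(int, remaining, sizeof(buf));

		data = skb_header_pointer(skb, data_start, to_copy, buf);
		/* NULL when the requested range does not fit in the skb */
		if (!data)
			break;
		/* … unchanged: add_datastr() call and the counters … */
	}
	/* … unchanged: return length_sum … */
}
```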


@@ -0,0 +1,11 @@
diff -Naur linux-3.10.37.org/drivers/net/wireless/rt2x00/rt2800usb.c linux-3.10.37/drivers/net/wireless/rt2x00/rt2800usb.c
--- linux-3.10.37.org/drivers/net/wireless/rt2x00/rt2800usb.c 2014-04-14 15:42:31.000000000 +0200
+++ linux-3.10.37/drivers/net/wireless/rt2x00/rt2800usb.c 2014-04-25 10:25:12.796630526 +0200
@@ -1175,6 +1175,7 @@
/* Belkin */
{ USB_DEVICE(0x050d, 0x945b) },
/* D-Link */
+ { USB_DEVICE(0x2001, 0x3317) },
{ USB_DEVICE(0x2001, 0x3c17) },
/* Panasonic */
{ USB_DEVICE(0x083a, 0xb511) },



@@ -0,0 +1,121 @@
From d729b06f0ac7a5ebd3648ef60bef0499b59bf82d Mon Sep 17 00:00:00 2001
From: Michal Sekletar <msekleta@redhat.com>
Date: Fri, 4 Apr 2014 11:29:39 +0200
Subject: [PATCH 03/25] build-sys: utilize compiler flags handed to us by
rpmbuild
---
chat/Makefile.linux | 2 +-
pppd/Makefile.linux | 3 +--
pppd/plugins/Makefile.linux | 2 +-
pppd/plugins/pppoatm/Makefile.linux | 2 +-
pppd/plugins/radius/Makefile.linux | 2 +-
pppd/plugins/rp-pppoe/Makefile.linux | 2 +-
pppdump/Makefile.linux | 2 +-
pppstats/Makefile.linux | 2 +-
8 files changed, 8 insertions(+), 9 deletions(-)
diff --git a/chat/Makefile.linux b/chat/Makefile.linux
index 1065ac5..848cd8d 100644
--- a/chat/Makefile.linux
+++ b/chat/Makefile.linux
@@ -10,7 +10,7 @@ CDEF3= -UNO_SLEEP # Use the usleep function
CDEF4= -DFNDELAY=O_NDELAY # Old name value
CDEFS= $(CDEF1) $(CDEF2) $(CDEF3) $(CDEF4)
-COPTS= -O2 -g -pipe
+COPTS= $(RPM_OPT_FLAGS)
CFLAGS= $(COPTS) $(CDEFS)
INSTALL= install
diff --git a/pppd/Makefile.linux b/pppd/Makefile.linux
index 5a44d30..63872eb 100644
--- a/pppd/Makefile.linux
+++ b/pppd/Makefile.linux
@@ -32,8 +32,7 @@ endif
CC = gcc
#
-COPTS = -O2 -pipe -Wall -g
-LIBS =
+COPTS = -Wall $(RPM_OPT_FLAGS)
# Uncomment the next 2 lines to include support for Microsoft's
# MS-CHAP authentication protocol. Also, edit plugins/radius/Makefile.linux.
diff --git a/pppd/plugins/Makefile.linux b/pppd/plugins/Makefile.linux
index 0a7ec7b..e09a369 100644
--- a/pppd/plugins/Makefile.linux
+++ b/pppd/plugins/Makefile.linux
@@ -1,5 +1,5 @@
#CC = gcc
-COPTS = -O2 -g
+COPTS = $(RPM_OPT_FLAGS)
CFLAGS = $(COPTS) -I.. -I../../include -fPIC
LDFLAGS = -shared
INSTALL = install
diff --git a/pppd/plugins/pppoatm/Makefile.linux b/pppd/plugins/pppoatm/Makefile.linux
index 20f62e6..5a81447 100644
--- a/pppd/plugins/pppoatm/Makefile.linux
+++ b/pppd/plugins/pppoatm/Makefile.linux
@@ -1,5 +1,5 @@
#CC = gcc
-COPTS = -O2 -g
+COPTS = $(RPM_OPT_FLAGS)
CFLAGS = $(COPTS) -I../.. -I../../../include -fPIC
LDFLAGS = -shared
INSTALL = install
diff --git a/pppd/plugins/radius/Makefile.linux b/pppd/plugins/radius/Makefile.linux
index 24ed3e5..45b3b8d 100644
--- a/pppd/plugins/radius/Makefile.linux
+++ b/pppd/plugins/radius/Makefile.linux
@@ -12,7 +12,7 @@ VERSION = $(shell awk -F '"' '/VERSION/ { print $$2; }' ../../patchlevel.h)
INSTALL = install
PLUGIN=radius.so radattr.so radrealms.so
-CFLAGS=-I. -I../.. -I../../../include -O2 -fPIC -DRC_LOG_FACILITY=LOG_DAEMON
+CFLAGS=-I. -I../.. -I../../../include $(RPM_OPT_FLAGS) -DRC_LOG_FACILITY=LOG_DAEMON
# Uncomment the next line to include support for Microsoft's
# MS-CHAP authentication protocol.
diff --git a/pppd/plugins/rp-pppoe/Makefile.linux b/pppd/plugins/rp-pppoe/Makefile.linux
index 5d7a271..352991a 100644
--- a/pppd/plugins/rp-pppoe/Makefile.linux
+++ b/pppd/plugins/rp-pppoe/Makefile.linux
@@ -25,7 +25,7 @@ INSTALL = install
# Version is set ONLY IN THE MAKEFILE! Don't delete this!
RP_VERSION=3.8p
-COPTS=-O2 -g
+COPTS=$(RPM_OPT_FLAGS)
CFLAGS=$(COPTS) -I../../../include '-DRP_VERSION="$(RP_VERSION)"'
all: rp-pppoe.so pppoe-discovery
diff --git a/pppdump/Makefile.linux b/pppdump/Makefile.linux
index ac028f6..d0a5032 100644
--- a/pppdump/Makefile.linux
+++ b/pppdump/Makefile.linux
@@ -2,7 +2,7 @@ DESTDIR = $(INSTROOT)@DESTDIR@
BINDIR = $(DESTDIR)/sbin
MANDIR = $(DESTDIR)/share/man/man8
-CFLAGS= -O -I../include/net
+CFLAGS= $(RPM_OPT_FLAGS) -I../include/net
OBJS = pppdump.o bsd-comp.o deflate.o zlib.o
INSTALL= install
diff --git a/pppstats/Makefile.linux b/pppstats/Makefile.linux
index cca6f0f..42aba73 100644
--- a/pppstats/Makefile.linux
+++ b/pppstats/Makefile.linux
@@ -10,7 +10,7 @@ PPPSTATSRCS = pppstats.c
PPPSTATOBJS = pppstats.o
#CC = gcc
-COPTS = -O
+COPTS = $(RPM_OPT_FLAGS)
COMPILE_FLAGS = -I../include
LIBS =
--
1.8.3.1
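Review bot: Every `COPTS`/`CFLAGS` line in this patch (first in the `chat/Makefile.linux` hunk) replaces the hard-coded `-O2 -g` or `-O` with `$(RPM_OPT_FLAGS)`, a variable that only rpmbuild populates; in any other build environment it expands to empty, and pppd, chat, pppdump, pppstats and the plugins are then compiled with no optimization and no hardening flags at all. Since this patch is being added to the IPFire tree rather than an RPM spec, the build that invokes these Makefiles must export `RPM_OPT_FLAGS` itself (this page does not show whether it does), or the patch should keep a fallback such as `COPTS = $(or $(RPM_OPT_FLAGS),-O2 -g)`. The `pppd/Makefile.linux` hunk also removes the `LIBS =` line, so `LIBS` is now inherited from the caller's environment instead of starting empty, which the patch description does not mention.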


@@ -0,0 +1,143 @@
From 82cd789df0f022eb6f3d28646e7a61d1d0715805 Mon Sep 17 00:00:00 2001
From: Michal Sekletar <msekleta@redhat.com>
Date: Mon, 7 Apr 2014 12:23:36 +0200
Subject: [PATCH 12/25] pppd: we don't want to accidentally leak fds
---
pppd/auth.c | 20 ++++++++++----------
pppd/options.c | 2 +-
pppd/sys-linux.c | 4 ++--
3 files changed, 13 insertions(+), 13 deletions(-)
diff --git a/pppd/auth.c b/pppd/auth.c
index 4271af6..9e957fa 100644
--- a/pppd/auth.c
+++ b/pppd/auth.c
@@ -428,7 +428,7 @@ setupapfile(argv)
option_error("unable to reset uid before opening %s: %m", fname);
return 0;
}
- ufile = fopen(fname, "r");
+ ufile = fopen(fname, "re");
if (seteuid(euid) == -1)
fatal("unable to regain privileges: %m");
if (ufile == NULL) {
@@ -1413,7 +1413,7 @@ check_passwd(unit, auser, userlen, apasswd, passwdlen, msg)
filename = _PATH_UPAPFILE;
addrs = opts = NULL;
ret = UPAP_AUTHNAK;
- f = fopen(filename, "r");
+ f = fopen(filename, "re");
if (f == NULL) {
error("Can't open PAP password file %s: %m", filename);
@@ -1512,7 +1512,7 @@ null_login(unit)
if (ret <= 0) {
filename = _PATH_UPAPFILE;
addrs = NULL;
- f = fopen(filename, "r");
+ f = fopen(filename, "re");
if (f == NULL)
return 0;
check_access(f, filename);
@@ -1559,7 +1559,7 @@ get_pap_passwd(passwd)
}
filename = _PATH_UPAPFILE;
- f = fopen(filename, "r");
+ f = fopen(filename, "re");
if (f == NULL)
return 0;
check_access(f, filename);
@@ -1597,7 +1597,7 @@ have_pap_secret(lacks_ipp)
}
filename = _PATH_UPAPFILE;
- f = fopen(filename, "r");
+ f = fopen(filename, "re");
if (f == NULL)
return 0;
@@ -1642,7 +1642,7 @@ have_chap_secret(client, server, need_ip, lacks_ipp)
}
filename = _PATH_CHAPFILE;
- f = fopen(filename, "r");
+ f = fopen(filename, "re");
if (f == NULL)
return 0;
@@ -1684,7 +1684,7 @@ have_srp_secret(client, server, need_ip, lacks_ipp)
struct wordlist *addrs;
filename = _PATH_SRPFILE;
- f = fopen(filename, "r");
+ f = fopen(filename, "re");
if (f == NULL)
return 0;
@@ -1740,7 +1740,7 @@ get_secret(unit, client, server, secret, secret_len, am_server)
addrs = NULL;
secbuf[0] = 0;
- f = fopen(filename, "r");
+ f = fopen(filename, "re");
if (f == NULL) {
error("Can't open chap secret file %s: %m", filename);
return 0;
@@ -1797,7 +1797,7 @@ get_srp_secret(unit, client, server, secret, am_server)
filename = _PATH_SRPFILE;
addrs = NULL;
- fp = fopen(filename, "r");
+ fp = fopen(filename, "re");
if (fp == NULL) {
error("Can't open srp secret file %s: %m", filename);
return 0;
@@ -2203,7 +2203,7 @@ scan_authfile(f, client, server, secret, addrs, opts, filename, flags)
*/
if (word[0] == '@' && word[1] == '/') {
strlcpy(atfile, word+1, sizeof(atfile));
- if ((sf = fopen(atfile, "r")) == NULL) {
+ if ((sf = fopen(atfile, "re")) == NULL) {
warn("can't open indirect secret file %s", atfile);
continue;
}
diff --git a/pppd/options.c b/pppd/options.c
index 45fa742..1d754ae 100644
--- a/pppd/options.c
+++ b/pppd/options.c
@@ -427,7 +427,7 @@ options_from_file(filename, must_exist, check_prot, priv)
option_error("unable to drop privileges to open %s: %m", filename);
return 0;
}
- f = fopen(filename, "r");
+ f = fopen(filename, "re");
err = errno;
if (check_prot && seteuid(euid) == -1)
fatal("unable to regain privileges");
diff --git a/pppd/sys-linux.c b/pppd/sys-linux.c
index 72a7727..8a12fa0 100644
--- a/pppd/sys-linux.c
+++ b/pppd/sys-linux.c
@@ -1412,7 +1412,7 @@ static char *path_to_procfs(const char *tail)
/* Default the mount location of /proc */
strlcpy (proc_path, "/proc", sizeof(proc_path));
proc_path_len = 5;
- fp = fopen(MOUNTED, "r");
+ fp = fopen(MOUNTED, "re");
if (fp != NULL) {
while ((mntent = getmntent(fp)) != NULL) {
if (strcmp(mntent->mnt_type, MNTTYPE_IGNORE) == 0)
@@ -1472,7 +1472,7 @@ static int open_route_table (void)
close_route_table();
path = path_to_procfs("/net/route");
- route_fd = fopen (path, "r");
+ route_fd = fopen (path, "re");
if (route_fd == NULL) {
error("can't open routing table %s: %m", path);
return 0;
--
1.8.3.1
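Review bot: The `e` mode character added to every `fopen()` call here (first in the `setupapfile` hunk of `pppd/auth.c`) is a glibc extension that maps to O_CLOEXEC, not part of ISO C; other C libraries may silently ignore it, so the close-on-exec guarantee this patch is named for holds only when pppd is built against glibc. The patch carries no note of that assumption; a line in its description such as `The "e" fopen mode flag is glibc-specific (O_CLOEXEC); other libcs may ignore it.` would make it explicit for whoever next rebases the series.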


@@ -0,0 +1,241 @@
From 302c1b736cb656c7885a0cba270fd953a672d8a8 Mon Sep 17 00:00:00 2001
From: Michal Sekletar <msekleta@redhat.com>
Date: Mon, 7 Apr 2014 13:56:34 +0200
Subject: [PATCH 13/25] everywhere: O_CLOEXEC harder
---
pppd/eap.c | 2 +-
pppd/main.c | 4 ++--
pppd/options.c | 4 ++--
pppd/sys-linux.c | 22 +++++++++++-----------
pppd/tdb.c | 4 ++--
pppd/tty.c | 4 ++--
pppd/utils.c | 6 +++---
7 files changed, 23 insertions(+), 23 deletions(-)
diff --git a/pppd/eap.c b/pppd/eap.c
index 6ea6c1f..faced53 100644
--- a/pppd/eap.c
+++ b/pppd/eap.c
@@ -1226,7 +1226,7 @@ mode_t modebits;
if ((path = name_of_pn_file()) == NULL)
return (-1);
- fd = open(path, modebits, S_IRUSR | S_IWUSR);
+ fd = open(path, modebits, S_IRUSR | S_IWUSR | O_CLOEXEC);
err = errno;
free(path);
errno = err;
diff --git a/pppd/main.c b/pppd/main.c
index 6d50d1b..4880377 100644
--- a/pppd/main.c
+++ b/pppd/main.c
@@ -420,7 +420,7 @@ main(argc, argv)
die(0);
/* Make sure fds 0, 1, 2 are open to somewhere. */
- fd_devnull = open(_PATH_DEVNULL, O_RDWR);
+ fd_devnull = open(_PATH_DEVNULL, O_RDWR | O_CLOEXEC);
if (fd_devnull < 0)
fatal("Couldn't open %s: %m", _PATH_DEVNULL);
while (fd_devnull <= 2) {
@@ -1679,7 +1679,7 @@ device_script(program, in, out, dont_wait)
if (log_to_fd >= 0)
errfd = log_to_fd;
else
- errfd = open(_PATH_CONNERRS, O_WRONLY | O_APPEND | O_CREAT, 0600);
+ errfd = open(_PATH_CONNERRS, O_WRONLY | O_APPEND | O_CREAT | O_CLOEXEC, 0600);
++conn_running;
pid = safe_fork(in, out, errfd);
diff --git a/pppd/options.c b/pppd/options.c
index 1d754ae..8e62635 100644
--- a/pppd/options.c
+++ b/pppd/options.c
@@ -1544,9 +1544,9 @@ setlogfile(argv)
option_error("unable to drop permissions to open %s: %m", *argv);
return 0;
}
- fd = open(*argv, O_WRONLY | O_APPEND | O_CREAT | O_EXCL, 0644);
+ fd = open(*argv, O_WRONLY | O_APPEND | O_CREAT | O_EXCL | O_CLOEXEC, 0644);
if (fd < 0 && errno == EEXIST)
- fd = open(*argv, O_WRONLY | O_APPEND);
+ fd = open(*argv, O_WRONLY | O_APPEND | O_CLOEXEC);
err = errno;
if (!privileged_option && seteuid(euid) == -1)
fatal("unable to regain privileges: %m");
diff --git a/pppd/sys-linux.c b/pppd/sys-linux.c
index 8a12fa0..00a2cf5 100644
--- a/pppd/sys-linux.c
+++ b/pppd/sys-linux.c
@@ -459,7 +459,7 @@ int generic_establish_ppp (int fd)
goto err;
}
dbglog("using channel %d", chindex);
- fd = open("/dev/ppp", O_RDWR);
+ fd = open("/dev/ppp", O_RDWR | O_CLOEXEC);
if (fd < 0) {
error("Couldn't reopen /dev/ppp: %m");
goto err;
@@ -619,7 +619,7 @@ static int make_ppp_unit()
dbglog("in make_ppp_unit, already had /dev/ppp open?");
close(ppp_dev_fd);
}
- ppp_dev_fd = open("/dev/ppp", O_RDWR);
+ ppp_dev_fd = open("/dev/ppp", O_RDWR | O_CLOEXEC);
if (ppp_dev_fd < 0)
fatal("Couldn't open /dev/ppp: %m");
flags = fcntl(ppp_dev_fd, F_GETFL);
@@ -693,7 +693,7 @@ int bundle_attach(int ifnum)
if (!new_style_driver)
return -1;
- master_fd = open("/dev/ppp", O_RDWR);
+ master_fd = open("/dev/ppp", O_RDWR | O_CLOEXEC);
if (master_fd < 0)
fatal("Couldn't open /dev/ppp: %m");
if (ioctl(master_fd, PPPIOCATTACH, &ifnum) < 0) {
@@ -1715,7 +1715,7 @@ int sifproxyarp (int unit, u_int32_t his_adr)
if (tune_kernel) {
forw_path = path_to_procfs("/sys/net/ipv4/ip_forward");
if (forw_path != 0) {
- int fd = open(forw_path, O_WRONLY);
+ int fd = open(forw_path, O_WRONLY | O_CLOEXEC);
if (fd >= 0) {
if (write(fd, "1", 1) != 1)
error("Couldn't enable IP forwarding: %m");
@@ -2030,7 +2030,7 @@ int ppp_available(void)
sscanf(utsname.release, "%d.%d.%d", &osmaj, &osmin, &ospatch);
kernel_version = KVERSION(osmaj, osmin, ospatch);
- fd = open("/dev/ppp", O_RDWR);
+ fd = open("/dev/ppp", O_RDWR | O_CLOEXEC);
if (fd >= 0) {
new_style_driver = 1;
@@ -2208,7 +2208,7 @@ void logwtmp (const char *line, const char *name, const char *host)
#if __GLIBC__ >= 2
updwtmp(_PATH_WTMP, &ut);
#else
- wtmp = open(_PATH_WTMP, O_APPEND|O_WRONLY);
+ wtmp = open(_PATH_WTMP, O_APPEND|O_WRONLY|O_CLOEXEC);
if (wtmp >= 0) {
flock(wtmp, LOCK_EX);
@@ -2394,7 +2394,7 @@ int sifaddr (int unit, u_int32_t our_adr, u_int32_t his_adr,
int fd;
path = path_to_procfs("/sys/net/ipv4/ip_dynaddr");
- if (path != 0 && (fd = open(path, O_WRONLY)) >= 0) {
+ if (path != 0 && (fd = open(path, O_WRONLY | O_CLOEXEC)) >= 0) {
if (write(fd, "1", 1) != 1)
error("Couldn't enable dynamic IP addressing: %m");
close(fd);
@@ -2570,7 +2570,7 @@ get_pty(master_fdp, slave_fdp, slave_name, uid)
/*
* Try the unix98 way first.
*/
- mfd = open("/dev/ptmx", O_RDWR);
+ mfd = open("/dev/ptmx", O_RDWR | O_CLOEXEC);
if (mfd >= 0) {
int ptn;
if (ioctl(mfd, TIOCGPTN, &ptn) >= 0) {
@@ -2581,7 +2581,7 @@ get_pty(master_fdp, slave_fdp, slave_name, uid)
if (ioctl(mfd, TIOCSPTLCK, &ptn) < 0)
warn("Couldn't unlock pty slave %s: %m", pty_name);
#endif
- if ((sfd = open(pty_name, O_RDWR | O_NOCTTY)) < 0)
+ if ((sfd = open(pty_name, O_RDWR | O_NOCTTY | O_CLOEXEC)) < 0)
warn("Couldn't open pty slave %s: %m", pty_name);
}
}
@@ -2592,10 +2592,10 @@ get_pty(master_fdp, slave_fdp, slave_name, uid)
for (i = 0; i < 64; ++i) {
slprintf(pty_name, sizeof(pty_name), "/dev/pty%c%x",
'p' + i / 16, i % 16);
- mfd = open(pty_name, O_RDWR, 0);
+ mfd = open(pty_name, O_RDWR | O_CLOEXEC, 0);
if (mfd >= 0) {
pty_name[5] = 't';
- sfd = open(pty_name, O_RDWR | O_NOCTTY, 0);
+ sfd = open(pty_name, O_RDWR | O_NOCTTY | O_CLOEXEC, 0);
if (sfd >= 0) {
fchown(sfd, uid, -1);
fchmod(sfd, S_IRUSR | S_IWUSR);
diff --git a/pppd/tdb.c b/pppd/tdb.c
index bdc5828..c7ab71c 100644
--- a/pppd/tdb.c
+++ b/pppd/tdb.c
@@ -1724,7 +1724,7 @@ TDB_CONTEXT *tdb_open_ex(const char *name, int hash_size, int tdb_flags,
goto internal;
}
- if ((tdb->fd = open(name, open_flags, mode)) == -1) {
+ if ((tdb->fd = open(name, open_flags | O_CLOEXEC, mode)) == -1) {
TDB_LOG((tdb, 5, "tdb_open_ex: could not open file %s: %s\n",
name, strerror(errno)));
goto fail; /* errno set by open(2) */
@@ -1967,7 +1967,7 @@ int tdb_reopen(TDB_CONTEXT *tdb)
}
if (close(tdb->fd) != 0)
TDB_LOG((tdb, 0, "tdb_reopen: WARNING closing tdb->fd failed!\n"));
- tdb->fd = open(tdb->name, tdb->open_flags & ~(O_CREAT|O_TRUNC), 0);
+ tdb->fd = open(tdb->name, (tdb->open_flags & ~(O_CREAT|O_TRUNC)) | O_CLOEXEC, 0);
if (tdb->fd == -1) {
TDB_LOG((tdb, 0, "tdb_reopen: open failed (%s)\n", strerror(errno)));
goto fail;
diff --git a/pppd/tty.c b/pppd/tty.c
index d571b11..bc96695 100644
--- a/pppd/tty.c
+++ b/pppd/tty.c
@@ -569,7 +569,7 @@ int connect_tty()
status = EXIT_OPEN_FAILED;
goto errret;
}
- real_ttyfd = open(devnam, O_NONBLOCK | O_RDWR, 0);
+ real_ttyfd = open(devnam, O_NONBLOCK | O_RDWR | O_CLOEXEC, 0);
err = errno;
if (prio < OPRIO_ROOT && seteuid(0) == -1)
fatal("Unable to regain privileges");
@@ -723,7 +723,7 @@ int connect_tty()
if (connector == NULL && modem && devnam[0] != 0) {
int i;
for (;;) {
- if ((i = open(devnam, O_RDWR)) >= 0)
+ if ((i = open(devnam, O_RDWR | O_CLOEXEC)) >= 0)
break;
if (errno != EINTR) {
error("Failed to reopen %s: %m", devnam);
diff --git a/pppd/utils.c b/pppd/utils.c
index 29bf970..6051b9a 100644
--- a/pppd/utils.c
+++ b/pppd/utils.c
@@ -918,14 +918,14 @@ lock(dev)
slprintf(lock_file, sizeof(lock_file), "%s/LCK..%s", LOCK_DIR, dev);
#endif
- while ((fd = open(lock_file, O_EXCL | O_CREAT | O_RDWR, 0644)) < 0) {
+ while ((fd = open(lock_file, O_EXCL | O_CREAT | O_RDWR | O_CLOEXEC, 0644)) < 0) {
if (errno != EEXIST) {
error("Can't create lock file %s: %m", lock_file);
break;
}
/* Read the lock file to find out who has the device locked. */
- fd = open(lock_file, O_RDONLY, 0);
+ fd = open(lock_file, O_RDONLY | O_CLOEXEC, 0);
if (fd < 0) {
if (errno == ENOENT) /* This is just a timing problem. */
continue;
@@ -1004,7 +1004,7 @@ relock(pid)
if (lock_file[0] == 0)
return -1;
- fd = open(lock_file, O_WRONLY, 0);
+ fd = open(lock_file, O_WRONLY | O_CLOEXEC, 0);
if (fd < 0) {
error("Couldn't reopen lock file %s: %m", lock_file);
lock_file[0] = 0;
--
1.8.3.1
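Review bot: In the `pppd/eap.c` hunk, `O_CLOEXEC` is OR'ed into the third argument of `open()` (the permission mode `S_IRUSR | S_IWUSR`) instead of the flags argument `modebits`, so this descriptor does not get close-on-exec at all and the mode passed for a newly created file carries a stray bit; the line should read `fd = open(path, modebits | O_CLOEXEC, S_IRUSR | S_IWUSR);`. Every other hunk in the series puts the flag in the flags argument, so this looks like a slip rather than intent. The enclosing function in eap.c starts before the hunk, so what `modebits` holds could not be confirmed here, but the argument position is wrong regardless.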


@@ -0,0 +1,174 @@
From 2a97ab28ee00586e5f06b3ef3a0e43ea0c7c6499 Mon Sep 17 00:00:00 2001
From: Michal Sekletar <msekleta@redhat.com>
Date: Mon, 7 Apr 2014 14:21:41 +0200
Subject: [PATCH 14/25] everywhere: use SOCK_CLOEXEC when creating socket
---
pppd/plugins/pppoatm/pppoatm.c | 2 +-
pppd/plugins/pppol2tp/openl2tp.c | 2 +-
pppd/plugins/pppol2tp/pppol2tp.c | 2 +-
pppd/plugins/rp-pppoe/if.c | 2 +-
pppd/plugins/rp-pppoe/plugin.c | 6 +++---
pppd/plugins/rp-pppoe/pppoe-discovery.c | 2 +-
pppd/sys-linux.c | 10 +++++-----
pppd/tty.c | 2 +-
8 files changed, 14 insertions(+), 14 deletions(-)
diff --git a/pppd/plugins/pppoatm/pppoatm.c b/pppd/plugins/pppoatm/pppoatm.c
index d693350..c31bb34 100644
--- a/pppd/plugins/pppoatm/pppoatm.c
+++ b/pppd/plugins/pppoatm/pppoatm.c
@@ -135,7 +135,7 @@ static int connect_pppoatm(void)
if (!device_got_set)
no_device_given_pppoatm();
- fd = socket(AF_ATMPVC, SOCK_DGRAM, 0);
+ fd = socket(AF_ATMPVC, SOCK_DGRAM | SOCK_CLOEXEC, 0);
if (fd < 0)
fatal("failed to create socket: %m");
memset(&qos, 0, sizeof qos);
diff --git a/pppd/plugins/pppol2tp/openl2tp.c b/pppd/plugins/pppol2tp/openl2tp.c
index 9643b96..1099575 100644
--- a/pppd/plugins/pppol2tp/openl2tp.c
+++ b/pppd/plugins/pppol2tp/openl2tp.c
@@ -83,7 +83,7 @@ static int openl2tp_client_create(void)
int result;
if (openl2tp_fd < 0) {
- openl2tp_fd = socket(PF_UNIX, SOCK_DGRAM, 0);
+ openl2tp_fd = socket(PF_UNIX, SOCK_DGRAM | SOCK_CLOEXEC, 0);
if (openl2tp_fd < 0) {
error("openl2tp connection create: %m");
return -ENOTCONN;
diff --git a/pppd/plugins/pppol2tp/pppol2tp.c b/pppd/plugins/pppol2tp/pppol2tp.c
index a7e3400..e64a778 100644
--- a/pppd/plugins/pppol2tp/pppol2tp.c
+++ b/pppd/plugins/pppol2tp/pppol2tp.c
@@ -208,7 +208,7 @@ static void send_config_pppol2tp(int mtu,
struct ifreq ifr;
int fd;
- fd = socket(AF_INET, SOCK_DGRAM, 0);
+ fd = socket(AF_INET, SOCK_DGRAM | SOCK_CLOEXEC, 0);
if (fd >= 0) {
memset (&ifr, '\0', sizeof (ifr));
strlcpy(ifr.ifr_name, ifname, sizeof(ifr.ifr_name));
diff --git a/pppd/plugins/rp-pppoe/if.c b/pppd/plugins/rp-pppoe/if.c
index 91e9a57..72aba41 100644
--- a/pppd/plugins/rp-pppoe/if.c
+++ b/pppd/plugins/rp-pppoe/if.c
@@ -116,7 +116,7 @@ openInterface(char const *ifname, UINT16_t type, unsigned char *hwaddr)
stype = SOCK_PACKET;
#endif
- if ((fd = socket(domain, stype, htons(type))) < 0) {
+ if ((fd = socket(domain, stype | SOCK_CLOEXEC, htons(type))) < 0) {
/* Give a more helpful message for the common error case */
if (errno == EPERM) {
fatal("Cannot create raw socket -- pppoe must be run as root.");
diff --git a/pppd/plugins/rp-pppoe/plugin.c b/pppd/plugins/rp-pppoe/plugin.c
index a8c2bb4..24bdf8f 100644
--- a/pppd/plugins/rp-pppoe/plugin.c
+++ b/pppd/plugins/rp-pppoe/plugin.c
@@ -137,7 +137,7 @@ PPPOEConnectDevice(void)
/* server equipment). */
/* Opening this socket just before waitForPADS in the discovery() */
/* function would be more appropriate, but it would mess-up the code */
- conn->sessionSocket = socket(AF_PPPOX, SOCK_STREAM, PX_PROTO_OE);
+ conn->sessionSocket = socket(AF_PPPOX, SOCK_STREAM | SOCK_CLOEXEC, PX_PROTO_OE);
if (conn->sessionSocket < 0) {
error("Failed to create PPPoE socket: %m");
return -1;
@@ -148,7 +148,7 @@ PPPOEConnectDevice(void)
lcp_wantoptions[0].mru = conn->mru;
/* Update maximum MRU */
- s = socket(AF_INET, SOCK_DGRAM, 0);
+ s = socket(AF_INET, SOCK_DGRAM | SOCK_CLOEXEC, 0);
if (s < 0) {
error("Can't get MTU for %s: %m", conn->ifName);
goto errout;
@@ -320,7 +320,7 @@ PPPoEDevnameHook(char *cmd, char **argv, int doit)
}
/* Open a socket */
- if ((fd = socket(PF_PACKET, SOCK_RAW, 0)) < 0) {
+ if ((fd = socket(PF_PACKET, SOCK_RAW | SOCK_CLOEXEC, 0)) < 0) {
r = 0;
}
diff --git a/pppd/plugins/rp-pppoe/pppoe-discovery.c b/pppd/plugins/rp-pppoe/pppoe-discovery.c
index 3d3bf4e..c0d927d 100644
--- a/pppd/plugins/rp-pppoe/pppoe-discovery.c
+++ b/pppd/plugins/rp-pppoe/pppoe-discovery.c
@@ -121,7 +121,7 @@ openInterface(char const *ifname, UINT16_t type, unsigned char *hwaddr)
stype = SOCK_PACKET;
#endif
- if ((fd = socket(domain, stype, htons(type))) < 0) {
+ if ((fd = socket(domain, stype | SOCK_CLOEXEC, htons(type))) < 0) {
/* Give a more helpful message for the common error case */
if (errno == EPERM) {
rp_fatal("Cannot create raw socket -- pppoe must be run as root.");
diff --git a/pppd/sys-linux.c b/pppd/sys-linux.c
index 00a2cf5..0690019 100644
--- a/pppd/sys-linux.c
+++ b/pppd/sys-linux.c
@@ -308,12 +308,12 @@ static int modify_flags(int fd, int clear_bits, int set_bits)
void sys_init(void)
{
/* Get an internet socket for doing socket ioctls. */
- sock_fd = socket(AF_INET, SOCK_DGRAM, 0);
+ sock_fd = socket(AF_INET, SOCK_DGRAM | SOCK_CLOEXEC, 0);
if (sock_fd < 0)
fatal("Couldn't create IP socket: %m(%d)", errno);
#ifdef INET6
- sock6_fd = socket(AF_INET6, SOCK_DGRAM, 0);
+ sock6_fd = socket(AF_INET6, SOCK_DGRAM | SOCK_CLOEXEC, 0);
if (sock6_fd < 0)
sock6_fd = -errno; /* save errno for later */
#endif
@@ -1857,7 +1857,7 @@ get_if_hwaddr(u_char *addr, char *name)
struct ifreq ifreq;
int ret, sock_fd;
- sock_fd = socket(AF_INET, SOCK_DGRAM, 0);
+ sock_fd = socket(AF_INET, SOCK_DGRAM | SOCK_CLOEXEC, 0);
if (sock_fd < 0)
return 0;
memset(&ifreq.ifr_hwaddr, 0, sizeof(struct sockaddr));
@@ -2067,7 +2067,7 @@ int ppp_available(void)
/*
* Open a socket for doing the ioctl operations.
*/
- s = socket(AF_INET, SOCK_DGRAM, 0);
+ s = socket(AF_INET, SOCK_DGRAM | SOCK_CLOEXEC, 0);
if (s < 0)
return 0;
@@ -2860,7 +2860,7 @@ ether_to_eui64(eui64_t *p_eui64)
int skfd;
const unsigned char *ptr;
- skfd = socket(PF_INET6, SOCK_DGRAM, 0);
+ skfd = socket(PF_INET6, SOCK_DGRAM | SOCK_CLOEXEC, 0);
if(skfd == -1)
{
warn("could not open IPv6 socket");
diff --git a/pppd/tty.c b/pppd/tty.c
index bc96695..8e76a5d 100644
--- a/pppd/tty.c
+++ b/pppd/tty.c
@@ -896,7 +896,7 @@ open_socket(dest)
*sep = ':';
/* get a socket and connect it to the other end */
- sock = socket(PF_INET, SOCK_STREAM, 0);
+ sock = socket(PF_INET, SOCK_STREAM | SOCK_CLOEXEC, 0);
if (sock < 0) {
error("Can't create socket: %m");
return -1;
--
1.8.3.1


@@ -0,0 +1,13 @@
diff --git a/pppd/plugins/rp-pppoe/pppoe.h b/pppd/plugins/rp-pppoe/pppoe.h
index 9ab2eee..86762bd 100644
--- a/pppd/plugins/rp-pppoe/pppoe.h
+++ b/pppd/plugins/rp-pppoe/pppoe.h
@@ -148,7 +148,7 @@ extern UINT16_t Eth_PPPOE_Session;
#define STATE_TERMINATED 4
/* How many PADI/PADS attempts? */
-#define MAX_PADI_ATTEMPTS 3
+#define MAX_PADI_ATTEMPTS 12
/* Initial timeout for PADO/PADS */
#define PADI_TIMEOUT 5
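Review bot: Raising `MAX_PADI_ATTEMPTS` from 3 to 12 changes how long PPPoE discovery can block before pppd gives up, and the patch gives no reason for the new value or a comment next to the define. If the discovery loop in this rp-pppoe version doubles the PADI wait after each attempt starting from `PADI_TIMEOUT` (it does in the versions I know, but that code is not on this page), twelve attempts turn a worst case of about 35 seconds on a dead link into several hours, which matters for watchdogs and for operators expecting a quick failure. Suggest a comment stating the intent, e.g. `/* raised from 3 to 12: <reason for the longer discovery window> */`, and checking whether the backoff needs a cap alongside this change.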