Extend the taxonomy subsystem to capture the complete association frame
in addition to the existing probe and association IE data.
This adds a new assoc_frame_taxonomy field to struct sta_info and exposes
it via the get_sta_ies ubus method as a base64-encoded "assoc_frame" field.
Signed-off-by: John Crispin <john@phrozen.org>
Signed-off-by: Felix Fietkau <nbd@nbd.name>
Extend the hostapd_rrm_beacon_req ubus method to support the optional
reporting_detail parameter as defined in IEEE 802.11-2016 section 9.4.2.21.7.
Also fix missing assignment operators (=) in the beacon_req_policy array
initialisation.
Signed-off-by: John Crispin <john@phrozen.org>
bump dnsmasq to latest 2.92
updated 200-ubus_dns.patch
no changes to 100-remove-old-runtime-kernel-support.patch
all remaining patches not required
Changelog for version 2.92 https://thekelleys.org.uk/dnsmasq/CHANGELOG
Signed-off-by: gongzi miao <miaogongzi0227@gmail.com>
Link: https://github.com/openwrt/openwrt/pull/21598
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
channel.disconnect() already closes the fd via ubus_shutdown(),
so calling socket.close() afterwards is redundant and causes EBADF.
Signed-off-by: Felix Fietkau <nbd@nbd.name>
Add a 10-second timeout for outgoing auth requests to prevent
connections from getting stuck when the remote peer goes silent
after the hello handshake but before responding to auth.
Signed-off-by: Felix Fietkau <nbd@nbd.name>
The network may be deleted before the disconnect callback fires.
Check for null to avoid crash when accessing net.tx_channels.
Signed-off-by: Felix Fietkau <nbd@nbd.name>
The for-in loop variable 'name' was shadowing the function parameter,
causing remote subscription cleanup to fail when hosts disconnect.
Signed-off-by: Felix Fietkau <nbd@nbd.name>
Some packages with variants did not specify the default among the
alternatives, so were left without any apk 'provider_priority'
for that package. This caused the apk solver to select the wrong
variant, silently changing the requested package list.
Notable among these were busybox, procd and the hostapd/wpad suite.
This behavior presented in the imagebuilders when creating the
image as follows, silently replacing packages even when explicitly
requested:
$ make image PACKAGES=busybox
...
( 14/148) Installing busybox-selinux (1.37.0-r6)
...
We add 'DEFAULT_VARIANT:=1' to the packages that were missing one,
providing apk with sufficient information to choose the correct
package.
See link below for further examples and discussion.
Link: https://github.com/openwrt/openwrt/pull/21288#issuecomment-3704101422
Signed-off-by: Eric Fahlgren <ericfahlgren@gmail.com>
Link: https://github.com/openwrt/openwrt/pull/21358
Signed-off-by: Robert Marko <robimarko@gmail.com>
- Security: Avoid privilege escalation via unix stream forwarding in Dropbear
server. Other programs on a system may authenticate unix sockets via
SO_PEERCRED, which would be root user for Dropbear forwarded connections,
allowing root privilege escalation.
Reported by Turistu, and thanks for advice on the fix.
This is tracked as CVE-2025-14282, and affects 2024.84 to 2025.88.
It is fixed by dropping privileges of the dropbear process after
authentication. Unix stream sockets are now disallowed when a
forced command is used, either with authorized_key restrictions or
"dropbear -c command".
In previous affected releases running with "dropbear -j" (will also disable
TCP forwarding) or building with localoptions.h/distrooptions.h
"#define DROPBEAR_SVR_LOCALSTREAMFWD 0" is a mitigation.
- Security: Include scp fix for CVE-2019-6111. This allowed
a malicious server to overwrite arbitrary local files.
The missing fix was reported by Ashish Kunwar.
- Server dropping privileges post-auth is enabled by default. This requires
setresgid() support, so some platforms such as netbsd or macos will have to
disable DROPBEAR_SVR_DROP_PRIVS in localoptions.h. Unix stream forwarding is
not available if DROPBEAR_SVR_DROP_PRIVS is disabled.
Remote server TCP socket forwarding will now use OS privileged port
restrictions rather than having a fixed "allow >=1024 for non-root" rule.
A future release may implement privilege dropping for netbsd/macos.
- Fix a regression in 2025.87 when RSA and DSS are not built. This would lead
to a crash at startup with bad_bufptr().
Reported by Dani Schmitt and Sebastian Priebe.
- Don't limit channel window to 500MB. That could cause stuck connections
if peers advise a large window and don't send an increment within 500MB.
Affects SSH.NET https://github.com/sshnet/SSH.NET/issues/1671
Reported by Rob Hague.
- Ignore -g -s when passwords aren't enabled. Patch from Norbert Lange.
Ignore -m (disable MOTD), -j/-k (tcp forwarding) when not enabled.
- Report SIGBUS and SIGTRAP signals. Patch from Loïc Mangeonjean.
- Fix incorrect server auth delay. Was meant to be 250-350ms, it was actually
150-350ms or possibly negative (zero). Reported by pickaxprograms.
- Fix building without public key options. Thanks to Konstantin Demin
- Fix building with proxycmd but without netcat. Thanks to Konstantin Demin
- Fix incorrect path documentation for distrooptions, thanks to Todd Zullinger
- Fix SO_REUSEADDR for TCP tests, reported by vt-alt.
Dropped:
* 050-dropbear-multihop-fix.patch as it's included in the release 5cc0127000db5f
* 051-fix-pubkey-options.patch as it's included in the release 1d4c4a542cd5df
* 052-fix-missing-depends-for-sntrup761x25519-sha512.patch as it's included
in the release 1a2c1e649a1824
* 053-Don-t-limit-channel-window-to-500MB.patch as it's included in the release a8610f7b98ad
Manually rebased:
* 110-change_user.patch
Fixes: CVE-2025-14282, CVE-2019-6111
Reviewed-by: Hauke Mehrtens <hauke@hauke-m.de>
Reviewed-by: Konstantin Demin <rockdrilla@gmail.com>
Tested-by: Konstantin Demin <rockdrilla@gmail.com> [mediatek/filogic (GL.iNet GL-MT6000)]
Link: https://github.com/openwrt/openwrt/pull/21186
Signed-off-by: Petr Štetiar <ynezz@true.cz>
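The CVE-2025-14282 entry above hinges on what SO_PEERCRED does and does not prove. The following is an added example, not part of the commit message and not Dropbear's code: it reads the peer credentials of a connected AF_UNIX stream socket the way a local service typically does, and wraps that in an allow-list check. The point it illustrates is that the kernel reports the credentials of the local process that opened the socket; when that process is a privileged forwarder, the service sees the forwarder's uid, not the remote user's. The function names and the socketpair-based demo are assumptions made for this illustration (Linux only).

```python
"""Added example (not Dropbear's code): what SO_PEERCRED reports to a local
AF_UNIX service, and why it cannot identify the remote end of a forwarded
connection. Linux only."""
import os
import socket
import struct

# Our own identity, used by the demo below as the "trusted" uid.
MY_UID = os.getuid()
MY_PID = os.getpid()


def peer_credentials(sock):
    """Return (pid, uid, gid) of the process on the other end of a connected
    AF_UNIX stream socket. The kernel fills struct ucred {pid, uid, gid},
    three 32-bit ints on Linux."""
    raw = sock.getsockopt(socket.SOL_SOCKET, socket.SO_PEERCRED,
                          struct.calcsize("3i"))
    pid, uid, gid = struct.unpack("3i", raw)
    return pid, uid, gid


def authorize_local_peer(sock, allowed_uids):
    """Accept the connection only if the *connecting process* runs as one of
    allowed_uids.

    Limit of this check: it identifies the local process that opened the
    socket, nothing behind it. If that process is an SSH daemon forwarding a
    Unix stream while still running as root, the service sees uid 0 for every
    forwarded client. Dropping privileges after authentication (the fix in
    the release notes) makes the reported uid that of the logged-in user.
    """
    _pid, uid, _gid = peer_credentials(sock)
    return uid in allowed_uids


def demo(allowed_uids):
    """Constructed demo: a socketpair stands in for a client connecting to a
    local service. Returns (peer credentials, authorization decision)."""
    service_side, client_side = socket.socketpair(socket.AF_UNIX,
                                                  socket.SOCK_STREAM)
    try:
        creds = peer_credentials(service_side)
        return creds, authorize_local_peer(service_side, allowed_uids)
    finally:
        service_side.close()
        client_side.close()


if __name__ == "__main__":
    creds, ok = demo({MY_UID})
    print("peer pid/uid/gid:", creds, "authorized:", ok)
    print("authorized with a different allow-list:",
          demo({MY_UID + 1})[1])
```

Because both ends of the socketpair live in one process, the credentials returned are our own; a forwarded connection would instead carry the forwarder's identity, which is exactly the gap the privilege-dropping fix closes.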
cf51aeb93220 odhcpd: fix captive_portal_uri reset
e8b7fdea8d5e dhcpv4: fix DNS server option
b84553e496a3 router: Modify relayed RA PIO P flag according to interface policy
da3e2a9829cc router: Modify relayed RA PIO A flags according to interface policy
bad7138b70f0 README.md: update dhcp ubus events
ca00527e5f...cf51aeb932
Also remove duplicated /usr/share/libubox/jshn.sh include.
Signed-off-by: Álvaro Fernández Rojas <noltari@gmail.com>
ca00527e5fc3 statefiles: don't write empty hosts files
24b70c5c2ff0 Revert "statefiles: fix escape sequence for broken hostname output"
5203ad13954c statefiles: fix stale pio handling for !ubus
a64760b30f67 odhcpd: rename piofolder to piodir
6779344a8c8a statefiles: use tmpfile functions for pio files
9f8abcc662d0 statefiles: rename prefix information functions
cb65b83e524e config: move pio json handling to statefiles.c
5b01849cc42c statefiles: add a dirfd helper function
eadde3d7dd74 statefiles: add tmp helper functions
c29aa7091498 statefiles: fix escape sequence for broken hostname output
00f2d7a4dbe5 dhcpv4: don't send zero IPv6-only preferred option
c86d29bb83d6 Revert "dhcpv6-ia: add some noise to the T1 and T2 periods"
b062769ab85f Revert "do not delegate ULA prefixes"
fd4714bb2dfe do not delegate ULA prefixes
81ea5bfef775 dhcpv6-ia: add some noise to the T1 and T2 periods
79252ed0c0...ca00527e5f
Signed-off-by: Álvaro Fernández Rojas <noltari@gmail.com>
Currently it's only possible to disable port forwarding for specific
keys, via the OpenSSH-style restriction in `authorized_keys` file.
In some use cases it might be feasible to disable such features globally
on service level, so let's add new LocalPortForward and RemotePortForward
config knobs.
Signed-off-by: Petr Štetiar <ynezz@true.cz>
Link: https://github.com/openwrt/openwrt/pull/21071
Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
This will allow del_client with ban_time on a broadcast address
to also ban all clients temporarily.
Signed-off-by: Rany Hany <rany_hany@riseup.net>
Link: https://github.com/openwrt/openwrt/pull/18670
Signed-off-by: Robert Marko <robimarko@gmail.com>
Similar to the hostapd control interface, treat ff:ff:ff:ff:ff:ff
as a stand-in for "all clients".
Signed-off-by: Rany Hany <rany_hany@riseup.net>
Link: https://github.com/openwrt/openwrt/pull/18670
Signed-off-by: Robert Marko <robimarko@gmail.com>
The CLI tools hostapd_cli and wpa_cli are compiled with
`TARGET_LDFLAGS_C` rather than the standard `TARGET_LDFLAGS`.
This variable is empty, leading to global linker options not being
applied.
Set this variable equal to `TARGET_LDFLAGS` right after the package.mk
include to make sure global linker options are applied, but local options
such as linking to crypto libraries are not.
Signed-off-by: Matthias Van Parys <matthias.vanparys@softathome.com>
Link: https://github.com/openwrt/openwrt/pull/20345
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
The function was using phydev.name (e.g., "phy0.0") instead of
phydev.phy (e.g., "phy0") when calling wpa_supplicant.phy_set_macaddr_list.
This is inconsistent with all other wpa_supplicant ubus calls in the same
file which correctly use phydev.phy.
Reported-by: Michael-cy Lee (李峻宇) <Michael-cy.Lee@mediatek.com>
Signed-off-by: Felix Fietkau <nbd@nbd.name>
Assign the address at wdev create time, similar to legacy interfaces.
Reported-by: Michael-cy Lee (李峻宇) <Michael-cy.Lee@mediatek.com>
Signed-off-by: Felix Fietkau <nbd@nbd.name>
Make it a little bit more consistent, and a bit more idiomatic.
Signed-off-by: David Härdeman <david@hardeman.nu>
Link: https://github.com/openwrt/openwrt/pull/20673
Signed-off-by: Álvaro Fernández Rojas <noltari@gmail.com>
The support has been removed from odhcpd, so remove the Makefile options
related to homenet.
Signed-off-by: David Härdeman <david@hardeman.nu>
Link: https://github.com/openwrt/openwrt/pull/20673
Signed-off-by: Álvaro Fernández Rojas <noltari@gmail.com>
"system" is used to get the current time zone, "network" is used to get
the global DUID.
Signed-off-by: David Härdeman <david@hardeman.nu>
Link: https://github.com/openwrt/openwrt/pull/20673
Signed-off-by: Álvaro Fernández Rojas <noltari@gmail.com>
Support for this option has been removed from odhcpd, so remove it in
the defaults as well.
Signed-off-by: David Härdeman <david@hardeman.nu>
Link: https://github.com/openwrt/openwrt/pull/20673
Signed-off-by: Álvaro Fernández Rojas <noltari@gmail.com>
`list address` entries in /etc/config/dhcp are sometimes (I'm not sure
about the exact conditions) passed to upstream resolver, bypassing local
resolution. Adding them (minus the IP) to --local prevents this. In the
configuration, this means that
# /etc/config/dhcp
list address '/hello.com/world.com/1.2.3.4'
list address '/foo.com/bar.com/4.3.2.1'
which previously translated into
# /var/etc/dnsmasq.conf.*
address=/hello.com/world.com/1.2.3.4
address=/foo.com/bar.com/4.3.2.1
now becomes
# /var/etc/dnsmasq.conf.*
address=/hello.com/world.com/1.2.3.4
local=/hello.com/world.com/
address=/foo.com/bar.com/4.3.2.1
local=/foo.com/bar.com/
This behaviour is controlled by the `address_as_local` boolean option, which
defaults to false (old behaviour). openwrt/luci#7957 adds support for this flag
to LuCI.
A workaround for a small list of domains is to add them to `option local`,
but this is very tedious to do for every `list address` entry and dnsmasq
limits this option to 1024 characters.
Signed-off-by: Marko Zajc <marko@zajc.tel>
Link: https://github.com/openwrt/openwrt/pull/18610
Signed-off-by: Robert Marko <robimarko@gmail.com>
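The `address_as_local` translation above is mechanical, so here is an added example (not OpenWrt's dnsmasq init script, which is shell) that renders the `address=` lines for a list of `list address` entries and, when the option is on, the matching `local=` line with the trailing answer stripped. It goes slightly beyond the commit text: it validates that the answer part is an IP address and leaves the answer-less `/example.com/` form (NXDOMAIN) unchanged, since that is already local-only. Function names are assumptions made for this illustration.

```python
"""Added example (not OpenWrt's dnsmasq init script): derive dnsmasq
``local=`` lines from ``list address`` entries, as the address_as_local
option does."""
import ipaddress


def address_to_local(spec):
    """'/hello.com/world.com/1.2.3.4' -> '/hello.com/world.com/'.

    The dnsmasq address form is /domain[/domain...]/answer. Dropping the
    answer and keeping the trailing slash yields the matching local= form.
    An entry with no answer ('/example.com/') is returned as-is.
    """
    parts = spec.split("/")
    # Need at least '', domain, answer (or '' for the answer-less form).
    if len(parts) < 3 or parts[0] != "":
        raise ValueError(f"malformed address spec: {spec!r}")
    if parts[-1] == "":
        return spec
    # Raises ValueError when the last component is not an IP address, so a
    # domain list missing its answer is not silently turned into local=.
    ipaddress.ip_address(parts[-1])
    return "/".join(parts[:-1]) + "/"


def render_dnsmasq(addresses, address_as_local=False):
    """Return the dnsmasq.conf lines for the given `list address` values."""
    lines = []
    for spec in addresses:
        lines.append(f"address={spec}")
        if address_as_local:
            lines.append(f"local={address_to_local(spec)}")
    return lines


if __name__ == "__main__":
    # Constructed input, mirroring the /etc/config/dhcp entries in the text.
    entries = ["/hello.com/world.com/1.2.3.4", "/foo.com/bar.com/4.3.2.1"]
    print("\n".join(render_dnsmasq(entries, address_as_local=True)))
```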
d44af6dd8f4e dhcpv6: create struct dhcpv6_lease
4df45c8c3722 dhcpv4: create struct dhcpv4_lease
a6dccae41b60 odhcpd: struct lease -> struct lease_cfg
fc0abb66f122 dhcpv4: use leasetime from a->lease
74eeff193848 router: always use link-local src address for RAs
b9a071b8341f router: Rewrite the ingress MTU to one configured for the interface
1ef9e0e610d5 router: utilize interface ra_mtu for RA
1480c09ee0aa config: clamp ra_mtu to interface MTU, and default ra_mtu to interface MTU
ee4f0df6bd68 netlink: Store interface MTU at link change
d174e25e85a1 github: fix CI apt dependencies
8f393d55a76e odhcpd: more fixes for IID calculations
fc27940fe9...d44af6dd8f
Signed-off-by: Álvaro Fernández Rojas <noltari@gmail.com>
This allows wpa_supplicant to process pending netlink socket messages
first. Without this change, there is a race condition where the newly
created interface processes netlink events from the removal of the
previous interface.
Signed-off-by: Felix Fietkau <nbd@nbd.name>
This makes it possible to have more flexible control over the supplicant
without having to install wpa_cli.
Signed-off-by: Felix Fietkau <nbd@nbd.name>
AUTORELEASE has been deprecated for a long time. Drop it and hardcode
the release following the current one present in the downloads
repository.
Link: https://github.com/openwrt/openwrt/pull/20586
Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
0d0fac30075f dhcpv4: bump problem scenario up to warn
bf6137092346 config: properly set log level from uci
7956f4271b4e dhcpv6: RFC4833 timezones
7000557cd8f6 dhcpv6-ia: respect prefix assigned to interface (>= /64)
e1e60601ffeb odhcpd: improve odhcpd_urandom()
c2eb4b59f107 config: fix erroneous clamp message if clamp value == max
54b9e729b00d dhcpv4: bail earlier on release/decline
417f4b11d352 dhcpv4: don't hardcode options array length
d63fa3c3612c dhcpv4: shrink struct dhcpv4_message
9653b43617e3 dhcpv4: use iovec for forcereconf messages, fix hash
bf41f4edfbe3 dhcpv4: fix padding of iovec message in dhcpv4_handle_msg()
be68f423c528 dhcpv4: some minor cleanups post-iovec
e24a371ef714 dhcpv4: use iovec for forcerenew opts
bd353e891ae6 dhcpv4: use iovec for router and DNS server
b81cfaa7859e dhcpv4: use iovec for DNS search and MTU
578a9289440b dhcpv4: use iovec for netmask/hostname/broadcast
5bafc17b79d8 dhcpv4: use iovec for leasetime/renew/rebind
b63448ffe447 dhcpv4: introduce a reply_opts array
0533eaea0a94 dhcpv4: use iovec for DNR
6329e37d595d dhcpv4: use iovec for NTP
87fee619205d dhcpv4: use iovec for message and serverid
2f97bf0b56de dhcpv4: reorder some more variables in dhcpv4_handle_msg()
18c1b02bdc20 dhcpv4: remove one more variable from dhcpv4_handle_msg()
6fd691ff29cd dhcpv4: move dest handling from dhcpv4_handle_msg()
1f803caf9a1f dhcpv4: don't copy reqopts around
b1be3984ebf8 dhcpv4: more refactoring of dhcpv4_handle_msg()
85717bedf8ce dhcpv4: clarify variable names in dhcpv4_handle_msg()
be864ccf9919 dhcpv4: some more cleanups to dhcpv4_handle_msg()
f87464520564 dhcpv4: preparations for iovec usage
f48e1c205af3 odhcdp: use a more suitable clock
7e78caac4eae dhcpv6: change dhcpv6 message type check in relay
288abd9c4046 dhcpv6: move dhcpv6 message type check for early exit
d504458ef515 odhcpd: add a simple build script
4ee309a54011 github: improve CI
ff3a241ccc98 odhcpd: shrink binary size by creating a logging function
e2ecf7ba6d72 odhcpd: support stderr logging
5de3b0d5b509 odhcpd: add log helpers
398d03a1a236 config: cap dhcpv6_pd_min_len to max instead of only logging error
4f54738d3ae7 config: clamp dhcpv6_hostid_len instead of only logging an error
465f19c9c2e3 config: clamp ra_mtu into 1280-65535 range
434b06133997 config: cap ra_retranstime and warn instead of only logging an error
e5f58a90a147 config: cap ra_hoplimit to maximum and warn instead of logging an error
208eb10307c1 config: cap ra_reachabletime to RFC maximum instead of logging error
93449f1513b4 config: drop double size lease times; they are all UINT32_MAX;
439c0ceab131 router: redefine ra_mininterval and ra_maxinterval as uint32_t
84b4dfe81363 config: clamp ra_mininterval, ra_maxinterval, ra_lifetime at load time
aa4f26232e05 router: refactor calc_ra_lifetime; redefine ra_lifetime as uint32_t
6ece28ffd475 config: do MaxRtrAdvInterval init at (ra_maxinterval) init time
dc03e02d973e router: Apply updated values from RFC9096 (updates RFC4861) to RA/ND
cc7766c12abe router: Apply updated values from RFC8319 (updates RFC4861) to RA/ND
964da13e758c config: refactor parse_leasetime() - branch amount remains same
9646c749467b github: fix CMAKE_SYSTEM_PROCESSOR copy&paste
288206c9a2ed github: add CI build
30780debd691 odhcpd: fix a compilation error
e0b2c3cf9476 odhcpd: allow assignments to be reassigned
01e5e311b0db odhcpd: support multiple per-client DUIDs
aebc647a6b7b odhcpd: support assignments on the basis of IAID
cc3ec9c20c61 odhcpd: support IAIDs for static DHCPv6 leases
e42c62725942 odhcpd: break up complex matching logic
e1123906a4bc odhcpd: document the ubus interface
c69200195263 dhcpv4: generate dbus events on lease expiry
dd7a2d474d0d dhcpv4: fix ubus events
22481d848e0d odhcpd: remove mac_len argument to ubus_bcast_dhcp_event()
d31d64efd56c odhcpd: fix ubus support flag in help msg
9bc1b4e26e10 odhcpd: reduce use of WITH_UBUS defines in code
d402cdae4316 ndp: fix macOS IPv6 compatibility by using link-local source addresses
Signed-off-by: Álvaro Fernández Rojas <noltari@gmail.com>
Whenever the first bss is removed, any pending scan still keeps a reference
to it. Cancel it in order to prevent use-after-free bugs.
Reported-by: Chad Monroe <chad.monroe@adtran.com>
Signed-off-by: Felix Fietkau <nbd@nbd.name>