From 1356b123da67b224162415628d04df58649460da Mon Sep 17 00:00:00 2001
From: Leo
Date: Thu, 21 Jan 2021 01:49:29 -0300
Subject: [PATCH] main/*: remove stale patches
---
main/ppp/fix-bound-check-eap.patch | 40 ------------
main/ppp/fix-pppd-pppoe.h.patch | 21 ------
...ived-EAP-messages-when-not-doing-EAP.patch | 64 -------------------
...-Prevent-buffer-overflow-in-rc_mksid.patch | 33 ----------
.../0001-don-t-depend-on-certifi.patch | 21 ------
main/py3-requests/certs.patch | 14 ----
.../ip_route_me_harder-5.4.78.patch | 48 --------------
7 files changed, 241 deletions(-)
delete mode 100644 main/ppp/fix-bound-check-eap.patch
delete mode 100644 main/ppp/fix-pppd-pppoe.h.patch
delete mode 100644 main/ppp/pppd-Ignore-received-EAP-messages-when-not-doing-EAP.patch
delete mode 100644 main/ppp/radius-Prevent-buffer-overflow-in-rc_mksid.patch
delete mode 100644 main/py3-requests/0001-don-t-depend-on-certifi.patch
delete mode 100644 main/py3-requests/certs.patch
delete mode 100644 main/xtables-addons-lts/ip_route_me_harder-5.4.78.patch
diff --git a/main/ppp/fix-bound-check-eap.patch b/main/ppp/fix-bound-check-eap.patch
deleted file mode 100644
index 746eb70961..0000000000
--- a/main/ppp/fix-bound-check-eap.patch
+++ /dev/null
@@ -1,40 +0,0 @@
-From 8d7970b8f3db727fe798b65f3377fe6787575426 Mon Sep 17 00:00:00 2001
-From: Paul Mackerras
-Date: Mon, 3 Feb 2020 15:53:28 +1100
-Subject: [PATCH] pppd: Fix bounds check in EAP code
-
-Given that we have just checked vallen < len, it can never be the case
-that vallen >= len + sizeof(rhostname). This fixes the check so we
-actually avoid overflowing the rhostname array.
-
-Reported-by: Ilja Van Sprundel
-Signed-off-by: Paul Mackerras
----
- pppd/eap.c | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/pppd/eap.c b/pppd/eap.c
-index 94407f5..1b93db0 100644
---- a/pppd/eap.c
-+++ b/pppd/eap.c
-@@ -1420,7 +1420,7 @@ int len;
- }
-
- /* Not so likely to happen. */
-- if (vallen >= len + sizeof (rhostname)) {
-+ if (len - vallen >= sizeof (rhostname)) {
- dbglog("EAP: trimming really long peer name down");
- BCOPY(inp + vallen, rhostname, sizeof (rhostname) - 1);
- rhostname[sizeof (rhostname) - 1] = '\0';
-@@ -1846,7 +1846,7 @@ int len;
- }
-
- /* Not so likely to happen. */
-- if (vallen >= len + sizeof (rhostname)) {
-+ if (len - vallen >= sizeof (rhostname)) {
- dbglog("EAP: trimming really long peer name down");
- BCOPY(inp + vallen, rhostname, sizeof (rhostname) - 1);
- rhostname[sizeof (rhostname) - 1] = '\0';
--- 
-2.25.0
-
diff --git a/main/ppp/fix-pppd-pppoe.h.patch b/main/ppp/fix-pppd-pppoe.h.patch
deleted file mode 100644
index efe02ecfe3..0000000000
--- a/main/ppp/fix-pppd-pppoe.h.patch
+++ /dev/null
@@ -1,21 +0,0 @@
---- a/pppd/plugins/pppoe/pppoe.h 2020-02-06 09:59:38.086103782 +0100
-+++ b/pppd/plugins/pppoe/pppoe.h 2020-02-06 20:50:20.159705281 +0100
-@@ -84,18 +84,6 @@
- #include
- #endif
-
--#ifdef HAVE_NETINET_IF_ETHER_H
--#include
--
--#ifdef HAVE_SYS_SOCKET_H
--#include
--#endif
--#ifndef HAVE_SYS_DLPI_H
--#include
--#endif
--#endif
--
--
- /* Ethernet frame types according to RFC 2516 */
- #define ETH_PPPOE_DISCOVERY 0x8863
- #define ETH_PPPOE_SESSION 0x8864
diff --git a/main/ppp/pppd-Ignore-received-EAP-messages-when-not-doing-EAP.patch b/main/ppp/pppd-Ignore-received-EAP-messages-when-not-doing-EAP.patch
deleted file mode 100644
index e5442079ef..0000000000
--- a/main/ppp/pppd-Ignore-received-EAP-messages-when-not-doing-EAP.patch
+++ /dev/null
@@ -1,64 +0,0 @@
-From 8d45443bb5c9372b4c6a362ba2f443d41c5636af Mon Sep 17 00:00:00 2001
-From: Paul Mackerras
-Date: Mon, 3 Feb 2020 16:31:42 +1100
-Subject: [PATCH] pppd: Ignore received EAP messages when not doing EAP
-
-This adds some basic checks to the subroutines of eap_input to check
-that we have requested or agreed to doing EAP authentication before
-doing any processing on the received packet. The motivation is to
-make it harder for a malicious peer to disrupt the operation of pppd
-by sending unsolicited EAP packets. Note that eap_success() already
-has a check that the EAP client state is reasonable, and does nothing
-(apart from possibly printing a debug message) if not.
-
-Signed-off-by: Paul Mackerras
----
- pppd/eap.c | 18 ++++++++++++++++++
- 1 file changed, 18 insertions(+)
-
-diff --git a/pppd/eap.c b/pppd/eap.c
-index 1b93db0..082e953 100644
---- a/pppd/eap.c
-+++ b/pppd/eap.c
-@@ -1328,6 +1328,12 @@ int len;
- int fd;
- #endif /* USE_SRP */
-
-+ /*
-+ * Ignore requests if we're not open
-+ */
-+ if (esp->es_client.ea_state <= eapClosed)
-+ return;
-+
- /*
- * Note: we update es_client.ea_id *only if* a Response
- * message is being generated. Otherwise, we leave it the
-@@ -1736,6 +1742,12 @@ int len;
- u_char dig[SHA_DIGESTSIZE];
- #endif /* USE_SRP */
-
-+ /*
-+ * Ignore responses if we're not open
-+ */
-+ if (esp->es_server.ea_state <= eapClosed)
-+ return;
-+
- if (esp->es_server.ea_id != id) {
- dbglog("EAP: discarding Response %d; expected ID %d", id,
- esp->es_server.ea_id);
-@@ -2047,6 +2059,12 @@ u_char *inp;
- int id;
- int len;
- {
-+ /*
-+ * Ignore failure messages if we're not open
-+ */
-+ if (esp->es_client.ea_state <= eapClosed)
-+ return;
-+
- if (!eap_client_active(esp)) {
- dbglog("EAP unexpected failure message in state %s (%d)",
- eap_state_name(esp->es_client.ea_state),
--- 
-2.24.1
-
diff --git a/main/ppp/radius-Prevent-buffer-overflow-in-rc_mksid.patch b/main/ppp/radius-Prevent-buffer-overflow-in-rc_mksid.patch
deleted file mode 100644
index 112b259802..0000000000
--- a/main/ppp/radius-Prevent-buffer-overflow-in-rc_mksid.patch
+++ /dev/null
@@ -1,33 +0,0 @@
-From 858976b1fc3107f1261aae337831959b511b83c2 Mon Sep 17 00:00:00 2001
-From: Paul Mackerras
-Date: Sat, 4 Jan 2020 12:01:32 +1100
-Subject: [PATCH] radius: Prevent buffer overflow in rc_mksid()
-
-On some systems getpid() can return a value greater than 65535.
-Increase the size of buf[] to allow for this, and use slprintf()
-to make sure we never overflow it.
-
-Signed-off-by: Paul Mackerras
----
- pppd/plugins/radius/util.c | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/pppd/plugins/radius/util.c b/pppd/plugins/radius/util.c
-index 6f976a7..740131e 100644
---- a/pppd/plugins/radius/util.c
-+++ b/pppd/plugins/radius/util.c
-@@ -73,9 +73,9 @@ void rc_mdelay(int msecs)
- char *
- rc_mksid (void)
- {
-- static char buf[15];
-+ static char buf[32];
- static unsigned short int cnt = 0;
-- sprintf (buf, "%08lX%04X%02hX",
-+ slprintf(buf, sizeof(buf), "%08lX%04X%02hX",
- (unsigned long int) time (NULL),
- (unsigned int) getpid (),
- cnt & 0xFF);
--- 
-2.24.1
-
diff --git a/main/py3-requests/0001-don-t-depend-on-certifi.patch b/main/py3-requests/0001-don-t-depend-on-certifi.patch
deleted file mode 100644
index c91741724b..0000000000
--- a/main/py3-requests/0001-don-t-depend-on-certifi.patch
+++ /dev/null
@@ -1,21 +0,0 @@
-From c67893eec31f4538dec95e208bbf418cf5f2e0de Mon Sep 17 00:00:00 2001
-From: Leo
-Date: Fri, 11 Dec 2020 01:15:29 -0300
-Subject: [PATCH 1/2] don't depend on certifi
-
----
- setup.py | 1 -
- 1 file changed, 1 deletion(-)
-
-diff --git a/setup.py b/setup.py
-index 7ba4b2a..065eb22 100755
---- a/setup.py
-+++ b/setup.py
-@@ -45,7 +45,6 @@ requires = [
- 'chardet>=3.0.2,<5',
- 'idna>=2.5,<3',
- 'urllib3>=1.21.1,<1.27',
-- 'certifi>=2017.4.17'
-
- ]
- test_requirements = [
diff --git a/main/py3-requests/certs.patch b/main/py3-requests/certs.patch
deleted file mode 100644
index 47a32f3802..0000000000
--- a/main/py3-requests/certs.patch
+++ /dev/null
@@ -1,14 +0,0 @@
-diff --git a/requests/certs.py b/requests/certs.py
-index d1a378d7..4e0bffd4 100644
---- a/requests/certs.py
-+++ b/requests/certs.py
-@@ -12,7 +12,8 @@ If you are packaging Requests, e.g., for a Linux distribution or a managed
- environment, you can change the definition of where() to return a separately
- packaged CA bundle.
- """
--from certifi import where
-+def where():
-+ return "/etc/ssl/certs/ca-certificates.crt"
-
- if __name__ == '__main__':
- print(where())
diff --git a/main/xtables-addons-lts/ip_route_me_harder-5.4.78.patch b/main/xtables-addons-lts/ip_route_me_harder-5.4.78.patch
deleted file mode 100644
index 075f52dade..0000000000
--- a/main/xtables-addons-lts/ip_route_me_harder-5.4.78.patch
+++ /dev/null
@@ -1,48 +0,0 @@
-diff --git a/extensions/xt_DELUDE.c b/extensions/xt_DELUDE.c
-index b384c8e..cb1d055 100644
---- a/extensions/xt_DELUDE.c
-+++ b/extensions/xt_DELUDE.c
-@@ -122,7 +122,7 @@ static void delude_send_reset(struct net *net, struct sk_buff *oldskb,
- /* ip_route_me_harder expects skb->dst to be set */
- skb_dst_set(nskb, dst_clone(skb_dst(oldskb)));
-
-- if (ip_route_me_harder(net, nskb, addr_type))
-+ if (ip_route_me_harder(net, nskb->sk, nskb, addr_type))
- goto free_nskb;
- else
- niph = ip_hdr(nskb);
-diff --git a/extensions/xt_ECHO.c b/extensions/xt_ECHO.c
-index e99312b..2ab413b 100644
---- a/extensions/xt_ECHO.c
-+++ b/extensions/xt_ECHO.c
-@@ -192,7 +192,7 @@ echo_tg4(struct sk_buff *oldskb, const struct xt_action_param *par)
- /* ip_route_me_harder expects the skb's dst to be set */
- skb_dst_set(newskb, dst_clone(skb_dst(oldskb)));
-
-- if (ip_route_me_harder(par_net(par), newskb, RTN_UNSPEC) != 0)
-+ if (ip_route_me_harder(par_net(par), par->state->sk, newskb, RTN_UNSPEC) != 0)
- goto free_nskb;
-
- newip->ttl = ip4_dst_hoplimit(skb_dst(newskb));
-diff --git a/extensions/xt_TARPIT.c b/extensions/xt_TARPIT.c
-index 4926f2e..6256e60 100644
---- a/extensions/xt_TARPIT.c
-+++ b/extensions/xt_TARPIT.c
-@@ -265,7 +265,7 @@ static void tarpit_tcp4(struct net *net, struct sk_buff *oldskb,
- #endif
- addr_type = RTN_LOCAL;
-
-- if (ip_route_me_harder(net, nskb, addr_type))
-+ if (ip_route_me_harder(net, nskb->sk, nskb, addr_type))
- goto free_nskb;
- else
- niph = ip_hdr(nskb);
-@@ -399,7 +399,7 @@ static void tarpit_tcp6(struct net *net, struct sk_buff *oldskb,
- IPPROTO_TCP,
- csum_partial(tcph, sizeof(struct tcphdr), 0));
-
-- if (ip6_route_me_harder(net, nskb))
-+ if (ip6_route_me_harder(net, nskb->sk, nskb))
- goto free_nskb;
-
- nskb->ip_summed = CHECKSUM_NONE;
-- 
GitLab