Package: release.debian.org
User: release.debian....@packages.debian.org
Usertags: unblock
Severity: normal

Dear release team,

This is a pre-approval request: please unblock package ocserv/1.1.2-2, which
is a version with cherry-picked upstream bug fixes.

unblock ocserv/1.1.2-2


Regards,
Aron
diff -Nru ocserv-1.1.2/debian/changelog ocserv-1.1.2/debian/changelog
--- ocserv-1.1.2/debian/changelog       2020-12-17 18:38:57.000000000 +0800
+++ ocserv-1.1.2/debian/changelog       2021-02-22 11:37:07.000000000 +0800
@@ -1,3 +1,9 @@
+ocserv (1.1.2-2) unstable; urgency=medium
+
+  * d/patches: cherry-pick upstream post 1.1.2 bug fixes
+
+ -- Aron Xu <a...@debian.org>  Mon, 22 Feb 2021 11:37:07 +0800
+
 ocserv (1.1.2-1) unstable; urgency=medium
 
   * New upstream version 1.1.2
diff -Nru 
ocserv-1.1.2/debian/patches/0009-update_auth_time_stats-cast-operations-to-avoid-over.patch
 
ocserv-1.1.2/debian/patches/0009-update_auth_time_stats-cast-operations-to-avoid-over.patch
--- 
ocserv-1.1.2/debian/patches/0009-update_auth_time_stats-cast-operations-to-avoid-over.patch
 1970-01-01 08:00:00.000000000 +0800
+++ 
ocserv-1.1.2/debian/patches/0009-update_auth_time_stats-cast-operations-to-avoid-over.patch
 2021-02-22 11:33:03.000000000 +0800
@@ -0,0 +1,27 @@
+From e035221030f8fdfbb38483889631916fef9d9798 Mon Sep 17 00:00:00 2001
+From: Nikos Mavrogiannopoulos <n.mavrogiannopou...@gmail.com>
+Date: Wed, 9 Dec 2020 15:05:24 +0100
+Subject: [PATCH 09/36] update_auth_time_stats: cast operations to avoid
+ overflows
+
+Signed-off-by: Nikos Mavrogiannopoulos <n.mavrogiannopou...@gmail.com>
+---
+ src/sec-mod-auth.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/sec-mod-auth.c b/src/sec-mod-auth.c
+index c769643c..b4b2f3fd 100644
+--- a/src/sec-mod-auth.c
++++ b/src/sec-mod-auth.c
+@@ -131,7 +131,7 @@ static void update_auth_time_stats(sec_mod_st * sec, 
time_t secs)
+ 
+       if (secs > sec->max_auth_time)
+               sec->max_auth_time = secs;
+-      sec->avg_auth_time = 
(sec->avg_auth_time*(sec->total_authentications-1)+secs) / 
sec->total_authentications;
++      sec->avg_auth_time = 
((uint64_t)sec->avg_auth_time*((uint64_t)(sec->total_authentications-1))+secs) 
/ (uint64_t)sec->total_authentications;
+ }
+ 
+ static
+-- 
+2.20.1
+
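Review bot: The new avg_auth_time expression casts the product and the divisor but leaves `secs` alone, and the hunk header shows `secs` is a `time_t`, which is signed on typical platforms; a negative value (for example after a backwards clock step, if the caller derives `secs` from a difference of wall-clock readings) is converted to a very large uint64_t before the division, so the average is silently corrupted instead of overflowing. A guard before the update, `if (secs < 0) secs = 0;`, or doing the arithmetic in a signed 64-bit type, would close that path. Whether `sec->total_authentications-1` can be zero here cannot be seen from the hunk, since the counter's increment and the start of update_auth_time_stats lie outside it. The long lines of this patch (the hunk header and the two changed statements) arrive wrapped by the mail client, presumably an artifact of the message rather than of the file in debian/patches.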
diff -Nru 
ocserv-1.1.2/debian/patches/0020-ocserv-worker-renamed-loop-to-worker_loop.patch
 
ocserv-1.1.2/debian/patches/0020-ocserv-worker-renamed-loop-to-worker_loop.patch
--- 
ocserv-1.1.2/debian/patches/0020-ocserv-worker-renamed-loop-to-worker_loop.patch
    1970-01-01 08:00:00.000000000 +0800
+++ 
ocserv-1.1.2/debian/patches/0020-ocserv-worker-renamed-loop-to-worker_loop.patch
    2021-02-22 11:35:22.000000000 +0800
@@ -0,0 +1,131 @@
+From 47c6638286a694b4d278e01b278f64f9368b3e1a Mon Sep 17 00:00:00 2001
+From: Nikos Mavrogiannopoulos <n.mavrogiannopou...@gmail.com>
+Date: Sat, 12 Dec 2020 22:41:50 +0100
+Subject: [PATCH 20/36] ocserv-worker: renamed loop to worker_loop
+
+This avoids warnings and static analyzers complains about
+the libev functions hiding the global 'loop' variable
+
+Signed-off-by: Nikos Mavrogiannopoulos <n.mavrogiannopou...@gmail.com>
+---
+ src/worker-vpn.c | 34 +++++++++++++++++-----------------
+ 1 file changed, 17 insertions(+), 17 deletions(-)
+
+Index: ocserv/src/worker-vpn.c
+===================================================================
+--- ocserv.orig/src/worker-vpn.c
++++ ocserv/src/worker-vpn.c
+@@ -95,7 +95,7 @@ struct worker_st *global_ws = NULL;
+ static int terminate = 0;
+ static int terminate_reason = REASON_SERVER_DISCONNECT;
+ 
+-static struct ev_loop *loop = NULL;
++static struct ev_loop *worker_loop = NULL;
+ ev_io command_watcher;
+ ev_io tls_watcher;
+ ev_io tun_watcher;
+@@ -433,8 +433,8 @@ static int setup_dtls_connection(struct
+       dtls->dtls_session = session;
+       ev_init(&dtls->io, dtls_watcher_cb);
+       ev_io_set(&dtls->io, dtls->dtls_tptr.fd, EV_READ);
+-      ev_io_start(loop, &dtls->io);
+-      ev_invoke(loop, &dtls->io, EV_READ);
++      ev_io_start(worker_loop, &dtls->io);
++      ev_invoke(worker_loop, &dtls->io, EV_READ);
+ 
+       return 0;
+  fail:
+@@ -2609,7 +2609,7 @@ static int test_for_tcp_health_probe(str
+ 
+ static void syserr_cb (const char *msg)
+ {
+-      struct worker_st * ws = ev_userdata(loop);
++      struct worker_st * ws = ev_userdata(worker_loop);
+       int err = errno;
+ 
+       oclog(ws, LOG_ERR, "libev fatal error: %s / %s", msg, strerror(err));
+@@ -2637,7 +2637,7 @@ static void cstp_send_terminate(struct w
+ 
+ static void command_watcher_cb (EV_P_ ev_io *w, int revents)
+ {
+-      struct worker_st *ws = ev_userdata(loop);
++      struct worker_st *ws = ev_userdata(worker_loop);
+ 
+       int ret = handle_commands_from_main(ws);
+       if (ret == ERR_NO_CMD_FD) {
+@@ -2723,7 +2723,7 @@ static void invoke_dtls_if_needed(struct
+       if ((dtls->udp_state > UP_WAIT_FD) && 
+               (dtls->dtls_session != NULL) &&
+               (gnutls_record_check_pending(dtls->dtls_session))) {
+-              ev_invoke(loop, &dtls->io, EV_READ);
++              ev_invoke(worker_loop, &dtls->io, EV_READ);
+       }
+ }
+ 
+@@ -2757,9 +2757,9 @@ static int worker_event_loop(struct work
+       struct timespec tnow;
+ 
+ #if defined(__linux__) && defined(HAVE_LIBSECCOMP)
+-      loop = ev_default_loop(EVFLAG_NOENV|EVBACKEND_EPOLL);
++      worker_loop = ev_default_loop(EVFLAG_NOENV|EVBACKEND_EPOLL);
+ #else
+-      loop = EV_DEFAULT;
++      worker_loop = EV_DEFAULT;
+ #endif
+ 
+       // Restore the signal handlers
+@@ -2769,37 +2769,37 @@ static int worker_event_loop(struct work
+       
+       ev_init(&alarm_sig_watcher, term_sig_watcher_cb);
+       ev_signal_set (&alarm_sig_watcher, SIGALRM);
+-      ev_signal_start (loop, &alarm_sig_watcher);
++      ev_signal_start (worker_loop, &alarm_sig_watcher);
+ 
+       ev_init (&int_sig_watcher, term_sig_watcher_cb);
+       ev_signal_set (&int_sig_watcher, SIGINT);
+-      ev_signal_start (loop, &int_sig_watcher);
++      ev_signal_start (worker_loop, &int_sig_watcher);
+ 
+       ev_init (&term_sig_watcher, term_sig_watcher_cb);
+       ev_signal_set (&term_sig_watcher, SIGTERM);
+-      ev_signal_start (loop, &term_sig_watcher);
++      ev_signal_start (worker_loop, &term_sig_watcher);
+       
+-      ev_set_userdata (loop, ws);
++      ev_set_userdata (worker_loop, ws);
+       ev_set_syserr_cb(syserr_cb);
+ 
+       ev_init(&command_watcher, command_watcher_cb);
+       ev_io_set(&command_watcher, ws->cmd_fd, EV_READ);
+-      ev_io_start(loop, &command_watcher);
++      ev_io_start(worker_loop, &command_watcher);
+ 
+       ev_init(&tls_watcher, tls_watcher_cb);
+       ev_io_set(&tls_watcher, ws->conn_fd, EV_READ);
+-      ev_io_start(loop, &tls_watcher);
++      ev_io_start(worker_loop, &tls_watcher);
+ 
+       ev_init(&DTLS_ACTIVE(ws)->io, dtls_watcher_cb);
+       ev_init(&DTLS_INACTIVE(ws)->io, dtls_watcher_cb);
+ 
+       ev_init(&tun_watcher, tun_watcher_cb);
+       ev_io_set(&tun_watcher, ws->tun_fd, EV_READ);
+-      ev_io_start(loop, &tun_watcher);
++      ev_io_start(worker_loop, &tun_watcher);
+ 
+       ev_init (&period_check_watcher, periodic_check_watcher_cb);
+       ev_timer_set(&period_check_watcher, WORKER_MAINTENANCE_TIME, 
WORKER_MAINTENANCE_TIME);
+-      ev_timer_start(loop, &period_check_watcher);
++      ev_timer_start(worker_loop, &period_check_watcher);
+ 
+ 
+       /* start dead peer detection */
+@@ -2810,7 +2810,7 @@ static int worker_event_loop(struct work
+       bandwidth_init(&ws->b_tx, ws->user_config->tx_per_sec);
+ 
+ 
+-      ev_run(loop, 0);
++      ev_run(worker_loop, 0);
+       if (terminate != 0)
+       {
+               goto exit;
diff -Nru 
ocserv-1.1.2/debian/patches/0033-Close-fd-and-stop-ev_io-on-failed-handshake.patch
 
ocserv-1.1.2/debian/patches/0033-Close-fd-and-stop-ev_io-on-failed-handshake.patch
--- 
ocserv-1.1.2/debian/patches/0033-Close-fd-and-stop-ev_io-on-failed-handshake.patch
  1970-01-01 08:00:00.000000000 +0800
+++ 
ocserv-1.1.2/debian/patches/0033-Close-fd-and-stop-ev_io-on-failed-handshake.patch
  2021-02-22 11:33:16.000000000 +0800
@@ -0,0 +1,25 @@
+From c53cc97395efccaf9a567c51475bcfc3d1a8ee5e Mon Sep 17 00:00:00 2001
+From: Alan Jowett <alan.jow...@microsoft.com>
+Date: Thu, 4 Feb 2021 09:29:45 -0700
+Subject: [PATCH 33/36] Close fd and stop ev_io on failed handshake.
+ Signed-off-by: Alan Jowett <ala...@microsoft.com>
+
+---
+ src/worker-vpn.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/src/worker-vpn.c b/src/worker-vpn.c
+index 185a5eae..b77597c5 100644
+--- a/src/worker-vpn.c
++++ b/src/worker-vpn.c
+@@ -1479,6 +1479,7 @@ static int dtls_mainloop(worker_st * ws, struct dtls_st 
* dtls, struct timespec
+                                     "error in DTLS handshake: %s\n",
+                                     gnutls_strerror(ret));
+                       dtls->udp_state = UP_DISABLED;
++                      ev_io_stop(worker_loop, &dtls->io);
+                       break;
+               }
+ 
+-- 
+2.20.1
+
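Review bot: The added `ev_io_stop(worker_loop, &dtls->io);` stops the watcher, but nothing in the hunk closes the DTLS file descriptor that the subject line promises, and `dtls->dtls_session` is not visibly released either; dtls_mainloop starts before and continues after the hunk, so both may happen there. If they do, a comment at the new line such as `/* watcher stopped here; fd and session are released further down / by the caller */` would record that; if they do not, the descriptor stays open for the rest of the worker's life after every failed handshake. Separately, the Signed-off-by line has been folded into the Subject continuation (the line after `Subject:`), so the trailer is malformed — harmless to quilt, but worth fixing when the patch is re-exported.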
diff -Nru 
ocserv-1.1.2/debian/patches/0035-dtls-connection-setup-fix-memory-corruption-proper-w.patch
 
ocserv-1.1.2/debian/patches/0035-dtls-connection-setup-fix-memory-corruption-proper-w.patch
--- 
ocserv-1.1.2/debian/patches/0035-dtls-connection-setup-fix-memory-corruption-proper-w.patch
 1970-01-01 08:00:00.000000000 +0800
+++ 
ocserv-1.1.2/debian/patches/0035-dtls-connection-setup-fix-memory-corruption-proper-w.patch
 2021-02-22 11:33:16.000000000 +0800
@@ -0,0 +1,33 @@
+From 4cea55c6d68c1c46755876af4e3ff142cd6c81a3 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Stefan=20B=C3=BChler?= <stefan.bueh...@tik.uni-stuttgart.de>
+Date: Wed, 10 Feb 2021 13:23:42 +0100
+Subject: [PATCH 35/36] dtls connection setup: fix memory corruption, proper
+ watcher setup
+
+ev_init and ev_io_set must never be called on active watchers - we
+need to cleanup previous connection state before setting a new one.
+
+ev_init clears the "active" flag, but doesn't remove the watcher from
+libev internal linked lists (and doesn't clear the "next" pointer for
+it).  This can for example lead to (unexpected) cyclic lists in libev,
+and libev can loop forever trying to deal with them.
+---
+ src/worker-vpn.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/worker-vpn.c b/src/worker-vpn.c
+index b77597c5..146c6acf 100644
+--- a/src/worker-vpn.c
++++ b/src/worker-vpn.c
+@@ -431,7 +431,7 @@ static int setup_dtls_connection(struct worker_st *ws, 
struct dtls_st * dtls)
+       }
+ 
+       dtls->dtls_session = session;
+-      ev_init(&dtls->io, dtls_watcher_cb);
++      ev_io_stop(worker_loop, &dtls->io);
+       ev_io_set(&dtls->io, dtls->dtls_tptr.fd, EV_READ);
+       ev_io_start(worker_loop, &dtls->io);
+       ev_invoke(worker_loop, &dtls->io, EV_READ);
+-- 
+2.20.1
+
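Review bot: Replacing `ev_init` with `ev_io_stop` is only safe if `dtls->io` has been through `ev_init` at least once before setup_dtls_connection runs, since libev's documented contract requires a watcher to be initialised before any other call on it; the worker_event_loop hunk of the 0020 patch does initialise `DTLS_ACTIVE(ws)->io` and `DTLS_INACTIVE(ws)->io`, which presumably covers the dtls_st instances a worker uses. That invariant is now what the memory-corruption fix rests on and nothing in the hunk states it, so a comment at the new line — `/* io was ev_init()ed once in worker_event_loop; stop any earlier registration before re-arming it with the new fd */` — would keep a later refactor from reintroducing the cyclic-list problem described in the commit message. setup_dtls_connection begins outside the hunk, so whether an earlier `ev_io_stop` already exists on the error path cannot be confirmed from here.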
diff -Nru ocserv-1.1.2/debian/patches/series ocserv-1.1.2/debian/patches/series
--- ocserv-1.1.2/debian/patches/series  2020-07-13 15:52:07.000000000 +0800
+++ ocserv-1.1.2/debian/patches/series  2021-02-22 11:35:09.000000000 +0800
@@ -1 +1,5 @@
 legacy_pidfile.patch
+0009-update_auth_time_stats-cast-operations-to-avoid-over.patch
+0020-ocserv-worker-renamed-loop-to-worker_loop.patch
+0033-Close-fd-and-stop-ev_io-on-failed-handshake.patch
+0035-dtls-connection-setup-fix-memory-corruption-proper-w.patch

Attachment: signature.asc
Description: PGP signature
