Send connman mailing list submissions to
        [email protected]

To subscribe or unsubscribe via the World Wide Web, visit
        https://lists.01.org/mailman/listinfo/connman
or, via email, send a message with subject or body 'help' to
        [email protected]

You can reach the person managing the list at
        [email protected]

When replying, please edit your Subject line so it is more specific
than "Re: Contents of connman digest..."


Today's Topics:

   1. Re: main.conf (Sorrillo, Lawrence)
   2. Re: main.conf (Daniel Wagner)
   3. Re: Domain name setting error and fix (Patrik Flykt)
   4. Re: Raspberry Pi 3 stretch connman V1.33 no p2p (Patrik Flykt)
   5. [PATCH 1/3] dnsproxy: Send a short response on error
      (Patrik Flykt)
   6. [PATCH 2/3] dnsproxy: Be more strict with incoming DNS
      requests (Patrik Flykt)
   7. [PATCH 3/3] backtrace: Add checks for backtrace consistency
      (Patrik Flykt)
   8. [PATCH 0/3] Stricter handling of DNS requests (Patrik Flykt)


----------------------------------------------------------------------

Message: 1
Date: Thu, 24 Aug 2017 19:06:03 +0000
From: "Sorrillo, Lawrence" <[email protected]>
To: Daniel Wagner <[email protected]>, "[email protected]"
        <[email protected]>
Cc: "[email protected]" <[email protected]>
Subject: Re: main.conf
Message-ID: <d5c49a9b.4c0ac%[email protected]>
Content-Type: text/plain; charset="us-ascii"

I have been editing files under /var/lib/connman. Per your guidance,
should I add the contents of
The ethernet_505663c9579b_cable/settings file into /etc/connman/main.cf
And manage the network that way?


root@xxx:/etc/ssh# connmanctl  services
*AR Wired                ethernet_505663c9579b_cable
root@xxx:/etc/ssh# 
root@xxx:/etc/ssh# 
root@xxx:/etc/ssh# cat /var/lib/connman/ethernet_505663c9579b_cable/settings
[ethernet_505663c9579b_cable]
Name=Wired
AutoConnect=true
IPv4.method=fixed
IPv4.netmask_prefixlen=25
IPv4.local_address=xxx.xxx.xxx.xxx
IPv4.gateway=xxx.xxx.xxx.xxx.
IPv6.method=off
IPv6.privacy=disabled
Nameservers=x.x.x.x;y.y.y.y;
Domains=mydomain.com;
Timeservers=ntp1.mydomain.com;ntp2.mydomain.com;
Modified=2017-04-14T01:16:46.603301Z
root@xxxx:/etc/ssh#



Cheers,



On 8/24/17, 2:23 PM, "connman on behalf of Daniel Wagner"
<[email protected] on behalf of [email protected]> wrote:

>
>Hi Peter,
>
>[email protected] writes:
>
>> Hi all
>>
>> Sorry for a trivial question.
>
>That is fine. It's easy to answer :)
>
>> Am I supposed to create /etc/connman/main.conf manually?
>> In other words /etc/connman/main.conf is not automatically generated,
>> correct?
>
>Correct. The /etc/connman/main.conf file is maintained by you.
>
>ConnMan's state files are stored at /var/lib/connman with the default
>settings. Note: you should not modify those files under
>/var/lib/connman.
>
>Thanks,
>Daniel
>_______________________________________________
>connman mailing list
>[email protected]
>https://lists.01.org/mailman/listinfo/connman
>



------------------------------

Message: 2
Date: Fri, 25 Aug 2017 08:47:25 +0200
From: Daniel Wagner <[email protected]>
To: "Sorrillo, Lawrence" <[email protected]>,
        "[email protected]" <[email protected]>
Cc: "[email protected]" <[email protected]>
Subject: Re: main.conf
Message-ID: <[email protected]>
Content-Type: text/plain; charset=utf-8; format=flowed

Hi,

On 08/24/2017 09:06 PM, Sorrillo, Lawrence wrote:
> I have been editing files under /var/lib/connman. Per your guidance,
> should I add the contents of
> The ethernet_505663c9579b_cable/settings file into /etc/connman/main.cf

The /etc/connman/main.conf file allows you to set some behavior knobs such 
as PreferredTechnologies.

> And manage the network that way?

There are two ways you can configure/provision ConnMan.

1) ConnMan is already running

    The configuration is done via D-Bus. There are a bunch of
    graphical clients or you can use the command line tool
    connmanctl. The Arch community has a pretty neat wiki
    page on this [1]

2) ConnMan is not running yet (*)

    This is useful if you want to provision something like
    an embedded system.

    In this case you drop a file under /var/lib/connman with the
    file extension ".config". When ConnMan starts(*) it reads in
    this configuration file and applies the settings.

    The config file format is documented here [2].

    (*) ConnMan is monitoring the /var/lib/connman directory
    when it is running. That means you can also add a config file
    while ConnMan is running. The settings will be applied
    immediately.

> root@xxx:/etc/ssh# connmanctl  services
> *AR Wired                ethernet_505663c9579b_cable
> root@xxx:/etc/ssh#
> root@xxx:/etc/ssh#
> root@xxx:/etc/ssh# cat /var/lib/connman/ethernet_505663c9579b_cable/settings
> [ethernet_505663c9579b_cable]
> Name=Wired
> AutoConnect=true
> IPv4.method=fixed
> IPv4.netmask_prefixlen=25
> IPv4.local_address=xxx.xxx.xxx.xxx
> IPv4.gateway=xxx.xxx.xxx.xxx.
> IPv6.method=off
> IPv6.privacy=disabled
> Nameservers=x.x.x.x;y.y.y.y;
> Domains=mydomain.com;
> Timeservers=ntp1.mydomain.com;ntp2.mydomain.com;
> Modified=2017-04-14T01:16:46.603301Z
> root@xxxx:/etc/ssh#

If I understood you correctly you want to provision your device with 
above settings via option 2).

In this case you can add a config file to /var/lib/connman, let's say 
it is called homenet.config. The content might look like:

"""
[service_home_ethernet]
Type = ethernet
IPv4 = 192.168.1.42/255.255.255.0/192.168.1.1
IPv6 = 2001:db8::42/64/2001:db8::1
MAC = 01:02:03:04:05:06
Nameservers = 10.2.3.4,192.168.1.99
SearchDomains = my.home,isp.net
Timeservers = 10.172.2.1,ntp.my.isp.net
Domain = my.home
"""

All available fields should be documented in the 
connman-service.config man page or in [2]. If the man page is 
missing something please let us know. We just had the case that the 
man page was lacking some information.

NOTE: The section name needs to start with the prefix "service_". The 
matching is done via the MAC address.

HTH!

Thanks,
Daniel

[1] https://wiki.archlinux.org/index.php/ConnMan
[2] 
https://git.kernel.org/pub/scm/network/connman/connman.git/tree/doc/config-format.txt
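The following checker is an added example, not ConnMan's own parser (which is GKeyFile based). It applies the rules given in the reply above (service section names start with "service_", ethernet services are matched by MAC) plus address-format checks from the Python standard library, to a .config file supplied as text. HOMENET copies the homenet.config text from the reply; BROKEN is a constructed counterexample. Accepting "dhcp"/"off" for IPv4 and "auto"/"off" for IPv6, and skipping a [global] section, follows doc/config-format.txt.

```python
"""Sanity-check a ConnMan provisioning file (/var/lib/connman/*.config).

Added example, not ConnMan code. HOMENET is the sample from the mailing
list reply; BROKEN is a constructed file with deliberate mistakes.
"""
import configparser
import ipaddress
import re

MAC_RE = re.compile(r"^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$")


def _check_addr(value, where, errors, version):
    """IPv4 = addr/netmask/gateway, IPv6 = addr/prefixlen/gateway, or a keyword."""
    keywords = ("dhcp", "off") if version == 4 else ("auto", "off")
    if value in keywords:
        return
    parts = value.split("/")
    if len(parts) != 3:
        errors.append(f"{where}: IPv{version} must be address/mask/gateway or one of "
                      f"{keywords}, got {value!r}")
        return
    addr, mask, gw = parts
    try:
        net = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
        gateway = ipaddress.ip_address(gw)
    except ValueError as exc:
        errors.append(f"{where}: bad IPv{version} value {value!r}: {exc}")
        return
    if net.version != version or gateway.version != version:
        errors.append(f"{where}: IPv{version} entry contains a non-IPv{version} address")
    elif gateway not in net:
        errors.append(f"{where}: gateway {gw} is outside {net}")


def check_config(text):
    """Return (errors, warnings) for one .config file given as text."""
    errors, warnings = [], []
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str                      # GKeyFile keys are case-sensitive
    try:
        cp.read_string(text)
    except configparser.Error as exc:
        return [f"parse error: {exc}"], warnings
    for section in cp.sections():
        where = f"[{section}]"
        if section == "global":
            continue
        if not section.startswith("service_"):
            errors.append(f"{where}: service section names must start with 'service_'")
            continue
        s = cp[section]
        stype = s.get("Type")
        if stype not in ("ethernet", "wifi"):
            errors.append(f"{where}: Type must be ethernet or wifi, got {stype!r}")
        mac = s.get("MAC")
        if stype == "ethernet" and not mac:
            errors.append(f"{where}: ethernet services are matched by MAC, none given")
        if mac and not MAC_RE.match(mac):
            errors.append(f"{where}: MAC {mac!r} is not six colon-separated hex octets")
        elif mac and int(mac[:2], 16) & 1:
            # I/G bit set: a group address, never a NIC's own address, so this
            # section can never match an interface.
            warnings.append(f"{where}: MAC {mac} is a multicast address and will never match a NIC")
        if "IPv4" in s:
            _check_addr(s["IPv4"], where, errors, 4)
        if "IPv6" in s:
            _check_addr(s["IPv6"], where, errors, 6)
        for ns in (v.strip() for v in s.get("Nameservers", "").split(",") if v.strip()):
            try:
                ipaddress.ip_address(ns)
            except ValueError:
                errors.append(f"{where}: nameserver {ns!r} is not an IP address")
    return errors, warnings


HOMENET = """\
[service_home_ethernet]
Type = ethernet
IPv4 = 192.168.1.42/255.255.255.0/192.168.1.1
IPv6 = 2001:db8::42/64/2001:db8::1
MAC = 01:02:03:04:05:06
Nameservers = 10.2.3.4,192.168.1.99
SearchDomains = my.home,isp.net
Timeservers = 10.172.2.1,ntp.my.isp.net
Domain = my.home
"""

BROKEN = """\
[home_ethernet]
Type = ethernet

[service_lab]
Type = ethernet
MAC = 50-56-63-c9-57-9b
IPv4 = 10.0.0.5/25/10.0.1.1
Nameservers = dns.lab
"""

if __name__ == "__main__":
    for label, cfg in (("homenet", HOMENET), ("broken", BROKEN)):
        errs, warns = check_config(cfg)
        print(label, "errors:", errs, "warnings:", warns)
```

Note that the placeholder MAC in the reply, 01:02:03:04:05:06, has the group bit set in its first octet, so the checker flags it: a real provisioning file needs the NIC's actual unicast address or the section will never be applied.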


------------------------------

Message: 3
Date: Fri, 25 Aug 2017 10:57:22 +0300
From: Patrik Flykt <[email protected]>
To: Daniel Wagner <[email protected]>, Neven Sajko <[email protected]>
Cc: [email protected]
Subject: Re: Domain name setting error and fix
Message-ID: <[email protected]>
Content-Type: text/plain; charset="UTF-8"

On Thu, 2017-08-24 at 20:32 +0200, Daniel Wagner wrote:
> Hi Neven,
> 
> Neven Sajko <[email protected]> writes:
> 
> > Setting the domain name fails with setdomainname setting
> > errno=EPERM. Because connmand isn't given CAP_SYS_ADMIN by systemd.
> > Which needs to be fixed in connman.service.
> > 
> > I'd suggest just removing the capability bounding from the Systemd
> > service because CAP_SYS_ADMIN and CAP_SYS_MODULE basically equal
> > root anyway.
> > 
> > Relevant line: https://git.kernel.org/pub/scm/network/connman/connm
> > an.git/tree/src/connman.service.in#n16
> 
> I agree, CAP_SYS_ADMIN equals more or less root these days. Usually,
> the whole capability API is not really usable.
> 
> @Patrik: you have added the capabilities initially:
> 
> 36aaa77f88d0 ("connman.service: Restrict capabilities")
> 
> Any strong feelings, arguments against removing the
> CapabilityBoundingSet?

CapabilityBoundingSet is preferred in order to keep some kind of lid on
ConnMan, although CAP_SYS_ADMIN is reaching quite far anyway. It's not
nice to add CAP_SYS_ADMIN, but there doesn't seem to be any other way
to do it either. And now that I look at it, don't we fork when writing
a backtrace, which was restricted by a capability I can't remember...


Cheers,

        Patrik
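A practical way to confirm the EPERM diagnosis above is to read the running daemon's Cap* lines from /proc/<pid>/status and decode the bounding set. The helper below is an added example, not ConnMan or systemd code; the capability bit numbers are the kernel's (CAP_SYS_ADMIN is bit 21), and STATUS_EXCERPT is a constructed sample whose CapBnd is a hypothetical bounding set of four capabilities, not the actual connman.service.in line.

```python
"""Decode the Cap* masks from /proc/<pid>/status and check a bounding set.

Added example, not ConnMan or systemd code. STATUS_EXCERPT is constructed.
"""
import re

# Kernel capability numbering, bit 0 upwards.
CAP_NAMES = (
    "CAP_CHOWN", "CAP_DAC_OVERRIDE", "CAP_DAC_READ_SEARCH", "CAP_FOWNER",
    "CAP_FSETID", "CAP_KILL", "CAP_SETGID", "CAP_SETUID", "CAP_SETPCAP",
    "CAP_LINUX_IMMUTABLE", "CAP_NET_BIND_SERVICE", "CAP_NET_BROADCAST",
    "CAP_NET_ADMIN", "CAP_NET_RAW", "CAP_IPC_LOCK", "CAP_IPC_OWNER",
    "CAP_SYS_MODULE", "CAP_SYS_RAWIO", "CAP_SYS_CHROOT", "CAP_SYS_PTRACE",
    "CAP_SYS_PACCT", "CAP_SYS_ADMIN", "CAP_SYS_BOOT", "CAP_SYS_NICE",
    "CAP_SYS_RESOURCE", "CAP_SYS_TIME", "CAP_SYS_TTY_CONFIG", "CAP_MKNOD",
    "CAP_LEASE", "CAP_AUDIT_WRITE", "CAP_AUDIT_CONTROL", "CAP_SETFCAP",
    "CAP_MAC_OVERRIDE", "CAP_MAC_ADMIN", "CAP_SYSLOG", "CAP_WAKE_ALARM",
    "CAP_BLOCK_SUSPEND", "CAP_AUDIT_READ",
)
CAP_BIT = {name: bit for bit, name in enumerate(CAP_NAMES)}


def mask_of(names):
    """Bitmask for a list of capability names (what CapabilityBoundingSet= builds)."""
    mask = 0
    for name in names:
        mask |= 1 << CAP_BIT[name]
    return mask


def decode_caps(mask):
    """Set of capability names in an integer mask; bits beyond the table become cap_N."""
    names = set()
    bit = 0
    while mask >> bit:
        if (mask >> bit) & 1:
            names.add(CAP_NAMES[bit] if bit < len(CAP_NAMES) else f"cap_{bit}")
        bit += 1
    return names


def parse_status(text):
    """Return {'CapInh': int, 'CapPrm': int, ...} from /proc/<pid>/status text (hex values)."""
    caps = {}
    for m in re.finditer(r"^(Cap\w+):\s*([0-9a-fA-F]+)\s*$", text, re.MULTILINE):
        caps[m.group(1)] = int(m.group(2), 16)
    return caps


def missing_for_setdomainname(status_text):
    """Capabilities setdomainname(2) needs that the bounding set lacks.

    Nothing outside CapBnd can be acquired through exec, so if CAP_SYS_ADMIN
    is absent here the EPERM is guaranteed however the daemon was started.
    """
    bnd = parse_status(status_text).get("CapBnd", 0)
    return {"CAP_SYS_ADMIN"} - decode_caps(bnd)


# Constructed sample: a hypothetical bounding set, not the real unit file's.
STATUS_EXCERPT = """\
Name:\tconnmand
CapInh:\t0000000000000000
CapPrm:\t0000000000013400
CapEff:\t0000000000013400
CapBnd:\t0000000000013400
CapAmb:\t0000000000000000
"""

if __name__ == "__main__":
    print(sorted(decode_caps(parse_status(STATUS_EXCERPT)["CapBnd"])))
    print("missing for setdomainname:", missing_for_setdomainname(STATUS_EXCERPT))
```

On a live system, replace STATUS_EXCERPT with the contents of /proc/$(pidof connmand)/status; mask_of() is also handy for double-checking what a CapabilityBoundingSet= line would expand to before editing the unit.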


------------------------------

Message: 4
Date: Fri, 25 Aug 2017 11:03:11 +0300
From: Patrik Flykt <[email protected]>
To: Jose Blanquicet <[email protected]>, "Carl D. Blake"
        <[email protected]>
Cc: [email protected]
Subject: Re: Raspberry Pi 3 stretch connman V1.33 no p2p
Message-ID: <[email protected]>
Content-Type: text/plain; charset="UTF-8"

On Thu, 2017-08-24 at 06:35 +0000, Jose Blanquicet wrote:
> If you are managing all your connections from ConnMan, you do not
> need additional DHCP daemons. On the contrary, I would suggest you to
> not launch them or even better remove them from your system to save
> resources.

Actually, if other DHCP daemons are running on the same interface, the
usual problem is that no IP address is getting assigned to the
interface. And this causes quite a lot of head scratching, so I'm with
Jose here that all other DHCP daemons better be removed unless it is
known they are absolutely necessary. DHCP daemons have a tendency to
suddenly start running after software upgrades, usually since someone
forgot the disabling patch...


Cheers,

        Patrik


------------------------------

Message: 5
Date: Fri, 25 Aug 2017 12:12:51 +0300
From: Patrik Flykt <[email protected]>
To: [email protected]
Subject: [PATCH 1/3] dnsproxy: Send a short response on error
Message-ID: <[email protected]>

On error there is no need to send the whole packet back to the
client, only the basic headers informing of the error. Also check
the length of the buffer, including protocol offsets.
---
 src/dnsproxy.c | 12 +++++++++---
 1 file changed, 9 insertions(+), 3 deletions(-)

diff --git a/src/dnsproxy.c b/src/dnsproxy.c
index 40b4f159..e50f2740 100644
--- a/src/dnsproxy.c
+++ b/src/dnsproxy.c
@@ -470,7 +470,7 @@ static void send_cached_response(int sk, unsigned char 
*buf, int len,
                        err, len, dns_len);
 }
 
-static void send_response(int sk, unsigned char *buf, int len,
+static void send_response(int sk, unsigned char *buf, size_t len,
                                const struct sockaddr *to, socklen_t tolen,
                                int protocol)
 {
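Review bot: changing `len` from int to size_t in the prototype means any caller that still hands in a negative length (an error return from a read, say) now gets it converted to a huge unsigned value; the call sites are not in this hunk, so they need checking to confirm every length passed is already non-negative, and a forward declaration, if one exists, must change in step.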
@@ -482,21 +482,27 @@ static void send_response(int sk, unsigned char *buf, int 
len,
        if (offset < 0)
                return;
 
-       if (len < 12)
+       if (len < sizeof(struct domain_hdr) + offset)
                return;
 
        hdr = (void *) (buf + offset);
+       if (offset) {
+               buf[0] = 0;
+               buf[1] = 12;
+       }
 
        debug("id 0x%04x qr %d opcode %d", hdr->id, hdr->qr, hdr->opcode);
 
        hdr->qr = 1;
        hdr->rcode = ns_r_servfail;
 
+       hdr->qdcount = 0;
        hdr->ancount = 0;
        hdr->nscount = 0;
        hdr->arcount = 0;
 
-       err = sendto(sk, buf, len, MSG_NOSIGNAL, to, tolen);
+       err = sendto(sk, buf, sizeof(struct domain_hdr) + offset, MSG_NOSIGNAL,
+                       to, tolen);
        if (err < 0) {
                connman_error("Failed to send DNS response to %d: %s",
                                sk, strerror(errno));
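Review bot: the TCP length prefix is written as a bare `buf[1] = 12;` while the send length two lines down uses `sizeof(struct domain_hdr)`; the two must stay in step, so derive the prefix from the same expression (e.g. `buf[1] = sizeof(struct domain_hdr);` after `buf[0] = 0;`) or a shared constant. The two-byte write also only makes sense when `offset` is exactly the 2-byte TCP prefix; if `protocol` can ever yield another non-zero offset the write is wrong. Separately, `hdr->qdcount = 0` means the question is no longer echoed in the SERVFAIL; clients that match replies on the question as well as the id may discard the reply and wait for their timeout instead, which is worth a comment or a quick test against a common stub resolver.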
-- 
2.11.0



------------------------------

Message: 6
Date: Fri, 25 Aug 2017 12:12:52 +0300
From: Patrik Flykt <[email protected]>
To: [email protected]
Subject: [PATCH 2/3] dnsproxy: Be more strict with incoming DNS
        requests
Message-ID: <[email protected]>

Be more strict with incoming DNS requests. Verify that there is
only one entry in the question section and none in the answer or
name server sections.

Ensure that the question section has a proper IN class and
compute the remaining length and the pointer position with respect
to the end of the question section. If there is an EDNS0 extension,
log its length.
---
 src/dnsproxy.c | 59 ++++++++++++++++++++++++++++++++++------------------------
 1 file changed, 35 insertions(+), 24 deletions(-)

diff --git a/src/dnsproxy.c b/src/dnsproxy.c
index e50f2740..06c53b26 100644
--- a/src/dnsproxy.c
+++ b/src/dnsproxy.c
@@ -2919,26 +2919,33 @@ static struct connman_notifier dnsproxy_notifier = {
 
 static unsigned char opt_edns0_type[2] = { 0x00, 0x29 };
 
-static int parse_request(unsigned char *buf, int len,
+static int parse_request(unsigned char *buf, size_t len,
                                        char *name, unsigned int size)
 {
        struct domain_hdr *hdr = (void *) buf;
        uint16_t qdcount = ntohs(hdr->qdcount);
+       uint16_t ancount = ntohs(hdr->ancount);
+       uint16_t nscount = ntohs(hdr->nscount);
        uint16_t arcount = ntohs(hdr->arcount);
        unsigned char *ptr;
-       char *last_label = NULL;
        unsigned int remain, used = 0;
 
-       if (len < 12)
+       if (len < sizeof(struct domain_hdr) + 5 || hdr->qr ||
+                               qdcount != 1 || ancount || nscount) {
+               DBG("Dropped DNS request qr %d with len %zd qdcount %d "
+                       "ancount %d nscount %d", hdr->qr, len, qdcount, ancount,
+                       nscount);
+
+               return -EINVAL;
+       }
+
+       if (!name || !size)
                return -EINVAL;
 
        debug("id 0x%04x qr %d opcode %d qdcount %d arcount %d",
                                        hdr->id, hdr->qr, hdr->opcode,
                                                        qdcount, arcount);
 
-       if (hdr->qr != 0 || qdcount != 1)
-               return -EINVAL;
-
        name[0] = '\0';
 
        ptr = buf + sizeof(struct domain_hdr);
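Review bot: `qdcount`, `ancount`, `nscount` and `arcount` are still read through `hdr` at their declarations, before the new `len < sizeof(struct domain_hdr) + 5` check runs, so a packet shorter than the header is read past its end exactly as before; move the length check ahead of the `ntohs()` reads, or assign the counts after it. Also `len` is now size_t, so the DBG format wants `%zu` rather than `%zd`.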
@@ -2948,7 +2955,22 @@ static int parse_request(unsigned char *buf, int len,
                uint8_t label_len = *ptr;
 
                if (label_len == 0x00) {
-                       last_label = (char *) (ptr + 1);
+                       uint16_t class;
+
+                       if (remain < 5) {
+                               DBG("Dropped malformed DNS query");
+                               return -EINVAL;
+                       }
+
+                       class = ptr[3] << 8 | ptr[4];
+                       if (class != 1 && class != 255) {
+                               DBG("Dropped non-IN DNS class %d", class);
+
+                               return -EINVAL;
+                       }
+
+                       ptr += 5;
+                       remain -= 5;
                        break;
                }
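Review bot: style point on the new `class` variable: it is a C++ keyword and reads oddly beside `qdcount`/`arcount`; `qclass` would match the existing naming. The `remain < 5` check itself is right, as it covers the zero label plus the two-byte type and the two-byte class that `ptr[3]`/`ptr[4]` read.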
 
@@ -2964,26 +2986,15 @@ static int parse_request(unsigned char *buf, int len,
                remain -= label_len + 1;
        }
 
-       if (last_label && arcount && remain >= 9 && last_label[4] == 0 &&
-                               !memcmp(last_label + 5, opt_edns0_type, 2)) {
+       if (arcount && remain >= 11 && !ptr[0] &&
+               ptr[1] == opt_edns0_type[0] && ptr[2] == opt_edns0_type[1]) {
                uint16_t edns0_bufsize;
 
-               edns0_bufsize = last_label[7] << 8 | last_label[8];
+               edns0_bufsize = ptr[3] << 8 | ptr[4];
 
-               debug("EDNS0 buffer size %u", edns0_bufsize);
-
-               /* This is an evil hack until full TCP support has been
-                * implemented.
-                *
-                * Somtimes the EDNS0 request gets send with a too-small
-                * buffer size. Since glibc doesn't seem to crash when it
-                * gets a response biffer then it requested, just bump
-                * the buffer size up to 4KiB.
-                */
-               if (edns0_bufsize < 0x1000) {
-                       last_label[7] = 0x10;
-                       last_label[8] = 0x00;
-               }
+               DBG("EDNS0 buffer size %u", edns0_bufsize);
+       } else if (!arcount && remain) {
+               DBG("DNS request with %d garbage bytes", remain);
        }
 
        debug("query %s", name);
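Review bot: removing the block that bumped a small EDNS0 buffer size up to 4 KiB is a behaviour change the commit message does not mention (it only says the length is now logged); clients that advertise a small buffer will now get exactly the size they asked for, which can mean truncated answers, so either call that out in the message or keep the bump. Two smaller points: `remain` is declared `unsigned int`, so the garbage-bytes DBG wants `%u`, not `%d`; and when `arcount` is non-zero but the additional section is not an OPT record, the trailing bytes pass silently, so that case deserves at least the same DBG as the no-arcount garbage case.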
-- 
2.11.0
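To make the validation rules in patches 1/3 and 2/3 concrete, here is an added Python re-implementation of them; it is example code, not ConnMan's dnsproxy.c. parse_request() applies the header checks (query bit clear, exactly one question, no answer or authority records), walks the name with bounds checks, requires class IN or ANY, and reads the EDNS0 UDP size from an OPT record when arcount says one is present; short_servfail() builds the header-only SERVFAIL reply of patch 1/3, including the rewritten TCP length prefix. It is stricter than the patch in one place, called out in the code: trailing bytes that no additional record accounts for are rejected rather than only logged. The query packets are constructed by build_query(), not captured traffic.

```python
"""Strict DNS request validation and the short SERVFAIL reply.

Added example, not ConnMan code. Sample packets are constructed here.
"""
import struct

DNS_HDR_LEN = 12            # size of struct domain_hdr on the wire
CLASS_IN, CLASS_ANY = 1, 255
TYPE_OPT = 0x0029           # EDNS0 OPT pseudo-RR (opt_edns0_type in dnsproxy.c)
RCODE_SERVFAIL = 2


class DnsRequestError(ValueError):
    pass


def parse_request(buf):
    """Return (name, qtype, edns0_bufsize or None) or raise DnsRequestError."""
    # Header plus the smallest question (root name, type, class) is 12 + 5
    # bytes; checked before any header field is read.
    if len(buf) < DNS_HDR_LEN + 5:
        raise DnsRequestError("shorter than header + minimal question")
    _ident, flags, qdcount, ancount, nscount, arcount = struct.unpack("!6H", buf[:DNS_HDR_LEN])
    qr = flags >> 15
    if qr or qdcount != 1 or ancount or nscount:
        raise DnsRequestError(f"qr={qr} qdcount={qdcount} ancount={ancount} nscount={nscount}")

    # Walk QNAME with explicit bounds checks; queries carry no compression pointers.
    pos, labels = DNS_HDR_LEN, []
    while True:
        label_len = buf[pos]
        if label_len == 0:
            pos += 1
            break
        if label_len & 0xC0:
            raise DnsRequestError("compression pointer or bad label length in question")
        if pos + 1 + label_len >= len(buf):
            raise DnsRequestError("truncated QNAME")
        labels.append(buf[pos + 1:pos + 1 + label_len].decode("ascii", "replace"))
        pos += 1 + label_len

    if len(buf) - pos < 4:
        raise DnsRequestError("question lacks type/class")
    qtype, qclass = struct.unpack("!HH", buf[pos:pos + 4])
    pos += 4
    if qclass not in (CLASS_IN, CLASS_ANY):
        raise DnsRequestError(f"non-IN class {qclass}")

    remain = len(buf) - pos
    edns0_bufsize = None
    if arcount:
        # OPT RR: root name(1) type(2) class=UDP payload size(2) ttl(4) rdlength(2) = 11 bytes
        if remain >= 11 and buf[pos] == 0 and buf[pos + 1:pos + 3] == struct.pack("!H", TYPE_OPT):
            edns0_bufsize = struct.unpack("!H", buf[pos + 3:pos + 5])[0]
    elif remain:
        # Stricter than the patch, which only logs these bytes.
        raise DnsRequestError(f"{remain} garbage bytes after the question")
    return ".".join(labels), qtype, edns0_bufsize


def is_acceptable(buf):
    """True when parse_request() accepts buf."""
    try:
        parse_request(buf)
        return True
    except DnsRequestError:
        return False


def short_servfail(request, protocol_offset=0):
    """Header-only error reply: QR set, RCODE=SERVFAIL, all counts zero.

    For TCP (protocol_offset=2) the 2-byte length prefix becomes 12, the
    header length, matching the buf[0]/buf[1] write in patch 1/3.
    """
    if len(request) < protocol_offset + DNS_HDR_LEN:
        return None
    hdr = bytearray(request[protocol_offset:protocol_offset + DNS_HDR_LEN])
    flags = struct.unpack("!H", hdr[2:4])[0]
    flags = ((flags | 0x8000) & 0xFFF0) | RCODE_SERVFAIL   # set QR, replace RCODE
    struct.pack_into("!H", hdr, 2, flags)
    struct.pack_into("!4H", hdr, 4, 0, 0, 0, 0)            # qd/an/ns/ar counts
    prefix = struct.pack("!H", DNS_HDR_LEN) if protocol_offset else b""
    return prefix + bytes(hdr)


def build_query(name, qtype=1, qclass=CLASS_IN, ident=0x1234, edns0_size=None, extra=b""):
    """Constructed sample query: RD set, one question, optional OPT record."""
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".") if l) + b"\x00"
    arcount = 1 if edns0_size is not None else 0
    pkt = struct.pack("!6H", ident, 0x0100, 1, 0, 0, arcount) + qname
    pkt += struct.pack("!HH", qtype, qclass)
    if edns0_size is not None:
        pkt += b"\x00" + struct.pack("!HHIH", TYPE_OPT, edns0_size, 0, 0)
    return pkt + extra


if __name__ == "__main__":
    good = build_query("example.com", edns0_size=4096)
    print(parse_request(good))
    print(short_servfail(good).hex())
```

The ordering inside parse_request() is the point to notice: the length check precedes every header read, the label walk never indexes past the buffer, and the type/class bytes are only read once four bytes are known to remain.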



------------------------------

Message: 7
Date: Fri, 25 Aug 2017 12:12:53 +0300
From: Patrik Flykt <[email protected]>
To: [email protected]
Subject: [PATCH 3/3] backtrace: Add checks for backtrace consistency
Message-ID: <[email protected]>

If newlines cannot be found, stop processing the backtrace as
something is wrong with it.
---
 src/backtrace.c | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/src/backtrace.c b/src/backtrace.c
index 6a66c0ac..e8d7f432 100644
--- a/src/backtrace.c
+++ b/src/backtrace.c
@@ -111,6 +111,11 @@ void print_backtrace(const char* program_path, const char* 
program_exec,
                buf[len] = '\0';
 
                pos = strchr(buf, '\n');
+               if (!pos) {
+                       connman_error("Error in backtrace format");
+                       break;
+               }
+
                *pos++ = '\0';
 
                if (strcmp(buf, "??") == 0) {
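Review bot: the error message says nothing about what was actually read, so a log reader cannot tell an empty line from a diagnostic the external tool printed instead of a frame; include the buffer, e.g. `connman_error("Error in backtrace format: %s", buf);` (`buf` is NUL-terminated just above, so this is safe).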
@@ -120,6 +125,11 @@ void print_backtrace(const char* program_path, const char* 
program_exec,
                }
 
                ptr = strchr(pos, '\n');
+               if (!ptr) {
+                       connman_error("Error in backtrace format");
+                       break;
+               }
+
                *ptr++ = '\0';
 
                if (strncmp(pos, program_path, pathlen) == 0)
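Review bot: this message is identical to the one added for the first `strchr()` a few lines up, so the log will not say which of the two newline lookups failed; vary the text or include `pos` in it.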
-- 
2.11.0



------------------------------

Message: 8
Date: Fri, 25 Aug 2017 12:12:50 +0300
From: Patrik Flykt <[email protected]>
To: [email protected]
Subject: [PATCH 0/3] Stricter handling of DNS requests
Message-ID: <[email protected]>

      Hi,

Here are a few fixes for stricter handling of DNS requests. If there
are some extra sections or more than one question in the request, the
request is dropped. Nowadays a properly formatted DNS request contains
exactly one question; it might have been different when the DNS
protocol was initially specified.

Also, if there are no newlines in the backtrace output, something
surprising has happened and processing cannot continue.


Cheers,

        Patrik


Patrik Flykt (3):
  dnsproxy: Send a short response on error
  dnsproxy: Be more strict with incoming DNS requests
  backtrace: Add checks for backtrace consistency

 src/backtrace.c | 10 ++++++++
 src/dnsproxy.c  | 71 +++++++++++++++++++++++++++++++++++----------------------
 2 files changed, 54 insertions(+), 27 deletions(-)

-- 
2.11.0



------------------------------

Subject: Digest Footer

_______________________________________________
connman mailing list
[email protected]
https://lists.01.org/mailman/listinfo/connman


------------------------------

End of connman Digest, Vol 22, Issue 19
***************************************
