From patchwork Sun Jul 2 09:54:32 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: Adolf Belka X-Patchwork-Id: 6965 Return-Path: Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384) server-digest SHA384 client-signature ECDSA (P-384) client-digest SHA384) (Client CN "mail01.haj.ipfire.org", Issuer "R3" (verified OK)) by web04.haj.ipfire.org (Postfix) with ESMTPS id 4Qv4Cj3Vphz3wm3 for ; Sun, 2 Jul 2023 09:54:41 +0000 (UTC) Received: from mail02.haj.ipfire.org (mail02.haj.ipfire.org [172.28.1.201]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384) server-digest SHA384 client-signature ECDSA (P-384) client-digest SHA384) (Client CN "mail02.haj.ipfire.org", Issuer "R3" (verified OK)) by mail01.ipfire.org (Postfix) with ESMTPS id 4Qv4Ch39ptz1QL; Sun, 2 Jul 2023 09:54:40 +0000 (UTC) Received: from mail02.haj.ipfire.org (localhost [127.0.0.1]) by mail02.haj.ipfire.org (Postfix) with ESMTP id 4Qv4Ch1gn9z2yJ8; Sun, 2 Jul 2023 09:54:40 +0000 (UTC) Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384) server-digest SHA384 client-signature ECDSA (P-384) client-digest SHA384) (Client CN "mail01.haj.ipfire.org", Issuer "R3" (verified OK)) by mail02.haj.ipfire.org (Postfix) with ESMTPS id 4Qv4Cf4m0fz2xQs for ; Sun, 2 Jul 2023 09:54:38 +0000 (UTC) Received: from [127.0.0.1] (localhost [127.0.0.1]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384) server-digest SHA384) (No client certificate requested) by mail01.ipfire.org (Postfix) with ESMTPSA id 4Qv4Cc5cjDz1PB; Sun, 2 Jul 2023 09:54:36 +0000 (UTC) DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/relaxed; d=ipfire.org; s=202003ed25519; t=1688291676; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=9DvOKKVHIrTV70TKy/TyTWa5miONZIU2rDOHshCxVrU=; b=7A0SwU8sSm81g0lt/xtTA4hfT/fIXgACFxZjEsK2haFvgAT3NdawvETbmCUFrwjEwM4M8R t4o1eNmUemwADACQ== DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ipfire.org; s=202003rsa; t=1688291676; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=9DvOKKVHIrTV70TKy/TyTWa5miONZIU2rDOHshCxVrU=; b=c2GYpLlJ57DMznQjhZj/HarNNRRz9hf3PUE3guqCC2x/xxTJx5Y9IwH6zv9j/On0eBJFGG 3Z/JaprPSihfxOHDILb5/pbmwZ0haEozhzb7VYp7aFBT0a2tjMNzZvKYB3AMRhbcRAudqb HzKfgd8oftVLo8z3JK7MFVIgnu/u7hMHihS0Cu8qEQT0vl2uMBwiVAxm4ZzI97qazqeJuN bv0cPiNvQRDyURukIpE/LWaLZK/Pw6pLXeoq3hC75VzVm703T+gTH0vOhZZ5jA84cjXgKt 3nV9fPanx1/gvlWtKtWuIhZsO2AAa0E8Pdz+0ri0Gfxc4rS4KZuo+RGPPLmlXw== From: Adolf Belka To: development@lists.ipfire.org Subject: [PATCH] ppp: Fixes bug#13164 - Update to version 2.5.0 Date: Sun, 2 Jul 2023 11:54:32 +0200 Message-ID: <20230702095432.3804-1-adolf.belka@ipfire.org> MIME-Version: 1.0 X-BeenThere: development@lists.ipfire.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: IPFire development talk List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: development-bounces@lists.ipfire.org Sender: "Development" - Update from version 2.4.9 to 2.5.0 This includes breaking changes for third-party plugins but as far as I can see IPFire is not using any third party plugins - Update of rootfile - Update of patches and sed commands - pcap-int.h and if_pppol2tp.h files have not been in source file since at least 2014 - Some of the patches required updates as additional lines needing to be patched are now present. nThis was related to the O_CLOEXEC & SOCK_CLOEXEC related patches - connect-errors file location is now defined by a configure command --with-logfile-dir - install-etcppp is no longer provided. However the install command in this version still has the same files available in /etc/ppp as previously. There is a new file, openssl.cnf, which I have commented out. If it is required in future it can always be uncommented in future releases. - Build went without any problems with the updated patches. - I cannot test this as I don't use ppp, however the original bug reporter has agreed to test this out when it is released into Testing unless anyone else is capable of testing it. - Changelog What's new in ppp-2.5.0. The 2.5.0 release is a major release of pppd which contains breaking changes for third-party plugins, a complete revamp of the build-system and that allows for flexibility of configuring features as needed. In Summary: * Support for PEAP authentication by Eivind Næss and Rustam Kovhaev * Support for loading PKCS12 certificate envelopes * Adoption of GNU Autoconf / Automake build environment, by Eivind Næss and others. * Support for pkgconfig tool has been added by Eivind Næss. * Bunch of fixes and cleanup to PPPoE and IPv6 support by Pali Rohár. * Major revision to PPPD's Plugin API by Eivind Næss. - Defines in which describes what features was included in pppd - Functions now prefixed with explicit ppp_* to indicate that pppd functions being called. - Header files were renamed to better align with their features, and now use proper include guards - A pppdconf.h file is supplied to allow third-party modules to use the same feature defines pppd was compiled with. - No extern declarations of internal variable names of pppd, continued use of these extern variables are considered unstable. * Lots of internal fixes and cleanups for Radius and PPPoE by Jaco Kroon * Dropped IPX support, as Linux has dropped support in version 5.15 for this protocol. * Many more fixes and cleanups. * Pppd is no longer installed setuid-root. * New pppd options: - ipv6cp-noremote, ipv6cp-nosend, ipv6cp-use-remotenumber, ipv6-up-script, ipv6-down-script - -v, show-options - usepeerwins, ipcp-no-address, ipcp-no-addresses, nosendip * On Linux, any baud rate can be set on a serial port provided the kernel serial driver supports that. Note that if you have built and installed previous versions of this package and you want to continue having configuration and TDB files in /etc/ppp, you will need to use the --sysconfdir option to ./configure. For a list of the changes made during the 2.4 series releases of this package, see the Changes-2.4 file. Compression methods. This package supports two packet compression methods: Deflate and BSD-Compress. Other compression methods which are in common use include Predictor, LZS, and MPPC. These methods are not supported for two reasons - they are patent-encumbered, and they cause some packets to expand slightly, which pppd doesn't currently allow for. BSD-Compress and Deflate (which uses the same algorithm as gzip) don't ever expand packets. Fixes: bug#13164 Signed-off-by: Adolf Belka Reviewed-by: Michael Tremer --- config/rootfiles/common/ppp | 58 +++--- lfs/ppp | 28 +-- ...se-SOCK_CLOEXEC-when-creating-socket.patch | 165 ------------------ ...ppp-2.4.6-increase-max-padi-attempts.patch | 13 -- src/patches/ppp/ppp-2.4.7-headers_4.9.patch | 12 -- ...-configure-to-handle-cflags-properly.patch | 15 -- ...don-t-want-to-accidentally-leak-fds.patch} | 115 +++++++----- ...2.5.0-2-everywhere-O_CLOEXEC-harder.patch} | 136 ++++++--------- ...se-SOCK_CLOEXEC-when-creating-socket.patch | 135 ++++++++++++++ ...p-2.5.0-4-increase-max-padi-attempts.patch | 12 ++ src/patches/ppp/ppp-2.5.0-5-headers_4.9.patch | 12 ++ ...-configure-to-handle-cflags-properly.patch | 18 ++ 12 files changed, 344 insertions(+), 375 deletions(-) delete mode 100644 src/patches/ppp/0014-everywhere-use-SOCK_CLOEXEC-when-creating-socket.patch delete mode 100644 src/patches/ppp/ppp-2.4.6-increase-max-padi-attempts.patch delete mode 100644 src/patches/ppp/ppp-2.4.7-headers_4.9.patch delete mode 100644 src/patches/ppp/ppp-2.4.9-patch-configure-to-handle-cflags-properly.patch rename src/patches/ppp/{0012-pppd-we-don-t-want-to-accidentally-leak-fds.patch => ppp-2.5.0-1-we-don-t-want-to-accidentally-leak-fds.patch} (54%) rename src/patches/ppp/{0013-everywhere-O_CLOEXEC-harder.patch => ppp-2.5.0-2-everywhere-O_CLOEXEC-harder.patch} (63%) create mode 100644 src/patches/ppp/ppp-2.5.0-3-everywhere-use-SOCK_CLOEXEC-when-creating-socket.patch create mode 100644 src/patches/ppp/ppp-2.5.0-4-increase-max-padi-attempts.patch create mode 100644 src/patches/ppp/ppp-2.5.0-5-headers_4.9.patch create mode 100644 src/patches/ppp/ppp-2.5.0-6-patch-configure-to-handle-cflags-properly.patch diff --git a/config/rootfiles/common/ppp b/config/rootfiles/common/ppp index d61fdf811..6098fa7c3 100644 --- a/config/rootfiles/common/ppp +++ b/config/rootfiles/common/ppp @@ -7,49 +7,57 @@ etc/ppp/dialer etc/ppp/ioptions etc/ppp/ip-down etc/ppp/ip-up +#etc/ppp/openssl.cnf etc/ppp/options etc/ppp/pap-secrets etc/ppp/standardloginscript #usr/include/pppd +#usr/include/pppd/cbcp.h #usr/include/pppd/ccp.h -#usr/include/pppd/chap-new.h +#usr/include/pppd/chap.h #usr/include/pppd/chap_ms.h -#usr/include/pppd/eap-tls.h +#usr/include/pppd/crypto.h +#usr/include/pppd/crypto_ms.h #usr/include/pppd/eap.h #usr/include/pppd/ecp.h #usr/include/pppd/eui64.h #usr/include/pppd/fsm.h #usr/include/pppd/ipcp.h #usr/include/pppd/ipv6cp.h -#usr/include/pppd/ipxcp.h #usr/include/pppd/lcp.h #usr/include/pppd/magic.h -#usr/include/pppd/md4.h -#usr/include/pppd/md5.h #usr/include/pppd/mppe.h -#usr/include/pppd/patchlevel.h -#usr/include/pppd/pathnames.h -#usr/include/pppd/pppcrypt.h +#usr/include/pppd/multilink.h +#usr/include/pppd/options.h #usr/include/pppd/pppd.h +#usr/include/pppd/pppdconf.h #usr/include/pppd/session.h -#usr/include/pppd/sha1.h -#usr/include/pppd/spinlock.h -#usr/include/pppd/tdb.h #usr/include/pppd/upap.h +#usr/lib/pkgconfig/pppd.pc usr/lib/pppd -usr/lib/pppd/2.4.9 -usr/lib/pppd/2.4.9/minconn.so -usr/lib/pppd/2.4.9/openl2tp.so -usr/lib/pppd/2.4.9/passprompt.so -usr/lib/pppd/2.4.9/passwordfd.so -usr/lib/pppd/2.4.9/pppoatm.so -usr/lib/pppd/2.4.9/pppoe.so -usr/lib/pppd/2.4.9/pppol2tp.so -usr/lib/pppd/2.4.9/radattr.so -usr/lib/pppd/2.4.9/radius.so -usr/lib/pppd/2.4.9/radrealms.so -usr/lib/pppd/2.4.9/rp-pppoe.so -usr/lib/pppd/2.4.9/winbind.so +usr/lib/pppd/2.5.0 +#usr/lib/pppd/2.5.0/minconn.la +usr/lib/pppd/2.5.0/minconn.so +#usr/lib/pppd/2.5.0/openl2tp.la +usr/lib/pppd/2.5.0/openl2tp.so +#usr/lib/pppd/2.5.0/passprompt.la +usr/lib/pppd/2.5.0/passprompt.so +#usr/lib/pppd/2.5.0/passwordfd.la +usr/lib/pppd/2.5.0/passwordfd.so +#usr/lib/pppd/2.5.0/pppoatm.la +usr/lib/pppd/2.5.0/pppoatm.so +#usr/lib/pppd/2.5.0/pppoe.la +usr/lib/pppd/2.5.0/pppoe.so +#usr/lib/pppd/2.5.0/pppol2tp.la +usr/lib/pppd/2.5.0/pppol2tp.so +#usr/lib/pppd/2.5.0/radattr.la +usr/lib/pppd/2.5.0/radattr.so +#usr/lib/pppd/2.5.0/radius.la +usr/lib/pppd/2.5.0/radius.so +#usr/lib/pppd/2.5.0/radrealms.la +usr/lib/pppd/2.5.0/radrealms.so +#usr/lib/pppd/2.5.0/winbind.la +usr/lib/pppd/2.5.0/winbind.so usr/sbin/chat usr/sbin/pppd usr/sbin/pppdump @@ -60,5 +68,7 @@ usr/sbin/pppstats #usr/share/man/man8/pppd-radius.8 #usr/share/man/man8/pppd.8 #usr/share/man/man8/pppdump.8 +#usr/share/man/man8/pppoe-discovery.8 #usr/share/man/man8/pppstats.8 var/log/connect-errors + diff --git a/lfs/ppp b/lfs/ppp index fb46d8aac..fc4528ece 100644 --- a/lfs/ppp +++ b/lfs/ppp @@ -1,7 +1,7 @@ ############################################################################### # # # IPFire.org - A linux based firewall # -# Copyright (C) 2007-2021 IPFire Team # +# Copyright (C) 2007-2023 IPFire Team # # # # This program is free software: you can redistribute it and/or modify # # it under the terms of the GNU General Public License as published by # @@ -24,7 +24,7 @@ include Config -VER = 2.4.9 +VER = 2.5.0 THISAPP = ppp-$(VER) DL_FILE = $(THISAPP).tar.gz @@ -42,7 +42,7 @@ objects = $(DL_FILE) $(DL_FILE) = $(DL_FROM)/$(DL_FILE) -$(DL_FILE)_BLAKE2 = 2cc885c32b7d33dc48766097f1f4c9cd0754924a8c0630ccaa58b2989e6b43a197ca0d41f5f16956c395278a12023d490e085f5635e23b53c5603ba61cfc40d5 +$(DL_FILE)_BLAKE2 = 6a0e9efcbff3cb499705071cc7d0e3411cf4871fd53b2bfedbb1f2cf3ad80728eb436050cf33b78e36d473be64f15907a21da17f283337455f0af379bc18272d install : $(TARGET) @@ -72,18 +72,20 @@ $(subst %,%_BLAKE2,$(objects)) : $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) @$(PREBUILD) @rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar zxf $(DIR_DL)/$(DL_FILE) - cd $(DIR_APP) && rm -f include/pcap-int.h include/linux/if_pppol2tp.h - cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/ppp/0012-pppd-we-don-t-want-to-accidentally-leak-fds.patch - cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/ppp/0013-everywhere-O_CLOEXEC-harder.patch - cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/ppp/0014-everywhere-use-SOCK_CLOEXEC-when-creating-socket.patch - cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/ppp/ppp-2.4.6-increase-max-padi-attempts.patch - cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/ppp/ppp-2.4.7-headers_4.9.patch - cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/ppp/ppp-2.4.9-patch-configure-to-handle-cflags-properly.patch - cd $(DIR_APP) && sed -i -e "s+/etc/ppp/connect-errors+/var/log/connect-errors+" pppd/pathnames.h - cd $(DIR_APP) && ./configure --prefix=/usr --cc="gcc" --cflags="$(CFLAGS)" --disable-nls + cd $(DIR_APP) && patch -Np0 -i $(DIR_SRC)/src/patches/ppp/ppp-2.5.0-1-we-don-t-want-to-accidentally-leak-fds.patch + cd $(DIR_APP) && patch -Np0 -i $(DIR_SRC)/src/patches/ppp/ppp-2.5.0-2-everywhere-O_CLOEXEC-harder.patch + cd $(DIR_APP) && patch -Np0 -i $(DIR_SRC)/src/patches/ppp/ppp-2.5.0-3-everywhere-use-SOCK_CLOEXEC-when-creating-socket.patch + cd $(DIR_APP) && patch -Np0 -i $(DIR_SRC)/src/patches/ppp/ppp-2.5.0-4-increase-max-padi-attempts.patch + cd $(DIR_APP) && patch -Np0 -i $(DIR_SRC)/src/patches/ppp/ppp-2.5.0-5-headers_4.9.patch + cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/ppp/ppp-2.5.0-6-patch-configure-to-handle-cflags-properly.patch + cd $(DIR_APP) && ./configure \ + --prefix=/usr \ + --sysconfdir=/etc \ + --with-logfile-dir=/var/log \ + cc="gcc" \ + cflags="$(CFLAGS)" cd $(DIR_APP) && make $(MAKETUNING) cd $(DIR_APP) && make install - cd $(DIR_APP) && make install-etcppp touch /var/log/connect-errors -mkdir -p /etc/ppp for i in $(DIR_SRC)/src/ppp/* ; do \ diff --git a/src/patches/ppp/0014-everywhere-use-SOCK_CLOEXEC-when-creating-socket.patch b/src/patches/ppp/0014-everywhere-use-SOCK_CLOEXEC-when-creating-socket.patch deleted file mode 100644 index fffda981d..000000000 --- a/src/patches/ppp/0014-everywhere-use-SOCK_CLOEXEC-when-creating-socket.patch +++ /dev/null @@ -1,165 +0,0 @@ -From 2a97ab28ee00586e5f06b3ef3a0e43ea0c7c6499 Mon Sep 17 00:00:00 2001 -From: Michal Sekletar -Date: Mon, 7 Apr 2014 14:21:41 +0200 -Subject: [PATCH 14/25] everywhere: use SOCK_CLOEXEC when creating socket - ---- - pppd/plugins/pppoatm/pppoatm.c | 2 +- - pppd/plugins/pppol2tp/openl2tp.c | 2 +- - pppd/plugins/pppol2tp/pppol2tp.c | 2 +- - pppd/plugins/pppoe/if.c | 2 +- - pppd/plugins/pppoe/plugin.c | 6 +++--- - pppd/plugins/pppoe/pppoe-discovery.c | 2 +- - pppd/sys-linux.c | 10 +++++----- - pppd/tty.c | 2 +- - 8 files changed, 14 insertions(+), 14 deletions(-) - -diff --git a/pppd/plugins/pppoatm/pppoatm.c b/pppd/plugins/pppoatm/pppoatm.c -index d693350..c31bb34 100644 ---- a/pppd/plugins/pppoatm/pppoatm.c -+++ b/pppd/plugins/pppoatm/pppoatm.c -@@ -135,7 +135,7 @@ static int connect_pppoatm(void) - - if (!device_got_set) - no_device_given_pppoatm(); -- fd = socket(AF_ATMPVC, SOCK_DGRAM, 0); -+ fd = socket(AF_ATMPVC, SOCK_DGRAM | SOCK_CLOEXEC, 0); - if (fd < 0) - fatal("failed to create socket: %m"); - memset(&qos, 0, sizeof qos); -diff --git a/pppd/plugins/pppol2tp/openl2tp.c b/pppd/plugins/pppol2tp/openl2tp.c -index 9643b96..1099575 100644 ---- a/pppd/plugins/pppol2tp/openl2tp.c -+++ b/pppd/plugins/pppol2tp/openl2tp.c -@@ -83,7 +83,7 @@ static int openl2tp_client_create(void) - int result; - - if (openl2tp_fd < 0) { -- openl2tp_fd = socket(PF_UNIX, SOCK_DGRAM, 0); -+ openl2tp_fd = socket(PF_UNIX, SOCK_DGRAM | SOCK_CLOEXEC, 0); - if (openl2tp_fd < 0) { - error("openl2tp connection create: %m"); - return -ENOTCONN; -diff --git a/pppd/plugins/pppol2tp/pppol2tp.c b/pppd/plugins/pppol2tp/pppol2tp.c -index a7e3400..e64a778 100644 ---- a/pppd/plugins/pppol2tp/pppol2tp.c -+++ b/pppd/plugins/pppol2tp/pppol2tp.c -@@ -208,7 +208,7 @@ static void send_config_pppol2tp(int mtu, - struct ifreq ifr; - int fd; - -- fd = socket(AF_INET, SOCK_DGRAM, 0); -+ fd = socket(AF_INET, SOCK_DGRAM | SOCK_CLOEXEC, 0); - if (fd >= 0) { - memset (&ifr, '\0', sizeof (ifr)); - strlcpy(ifr.ifr_name, ifname, sizeof(ifr.ifr_name)); -diff --git a/pppd/plugins/pppoe/if.c b/pppd/plugins/pppoe/if.c -index 91e9a57..72aba41 100644 ---- a/pppd/plugins/pppoe/if.c -+++ b/pppd/plugins/pppoe/if.c -@@ -116,7 +116,7 @@ openInterface(char const *ifname, UINT16_t type, unsigned char *hwaddr) - stype = SOCK_PACKET; - #endif - -- if ((fd = socket(domain, stype, htons(type))) < 0) { -+ if ((fd = socket(domain, stype | SOCK_CLOEXEC, htons(type))) < 0) { - /* Give a more helpful message for the common error case */ - if (errno == EPERM) { - fatal("Cannot create raw socket -- pppoe must be run as root."); -diff --git a/pppd/plugins/pppoe/plugin.c b/pppd/plugins/pppoe/plugin.c -index a8c2bb4..24bdf8f 100644 ---- a/pppd/plugins/pppoe/plugin.c -+++ b/pppd/plugins/pppoe/plugin.c -@@ -137,7 +137,7 @@ PPPOEConnectDevice(void) - /* server equipment). */ - /* Opening this socket just before waitForPADS in the discovery() */ - /* function would be more appropriate, but it would mess-up the code */ -- conn->sessionSocket = socket(AF_PPPOX, SOCK_STREAM, PX_PROTO_OE); -+ conn->sessionSocket = socket(AF_PPPOX, SOCK_STREAM | SOCK_CLOEXEC, PX_PROTO_OE); - if (conn->sessionSocket < 0) { - error("Failed to create PPPoE socket: %m"); - return -1; -@@ -148,7 +148,7 @@ PPPOEConnectDevice(void) - lcp_wantoptions[0].mru = conn->mru; - - /* Update maximum MRU */ -- s = socket(AF_INET, SOCK_DGRAM, 0); -+ s = socket(AF_INET, SOCK_DGRAM | SOCK_CLOEXEC, 0); - if (s < 0) { - error("Can't get MTU for %s: %m", conn->ifName); - goto errout; -@@ -320,7 +320,7 @@ PPPoEDevnameHook(char *cmd, char **argv, int doit) - } - - /* Open a socket */ -- if ((fd = socket(PF_PACKET, SOCK_RAW, 0)) < 0) { -+ if ((fd = socket(PF_PACKET, SOCK_RAW | SOCK_CLOEXEC, 0)) < 0) { - r = 0; - } - -diff --git a/pppd/plugins/pppoe/pppoe-discovery.c b/pppd/plugins/pppoe/pppoe-discovery.c -index 3d3bf4e..c0d927d 100644 ---- a/pppd/plugins/pppoe/pppoe-discovery.c -+++ b/pppd/plugins/pppoe/pppoe-discovery.c -@@ -121,7 +121,7 @@ openInterface(char const *ifname, UINT16_t type, unsigned char *hwaddr) - stype = SOCK_PACKET; - #endif - -- if ((fd = socket(domain, stype, htons(type))) < 0) { -+ if ((fd = socket(domain, stype | SOCK_CLOEXEC, htons(type))) < 0) { - /* Give a more helpful message for the common error case */ - if (errno == EPERM) { - rp_fatal("Cannot create raw socket -- pppoe must be run as root."); -diff --git a/pppd/sys-linux.c b/pppd/sys-linux.c -index 00a2cf5..0690019 100644 ---- a/pppd/sys-linux.c -+++ b/pppd/sys-linux.c -@@ -308,12 +308,12 @@ static int modify_flags(int fd, int clear_bits, int set_bits) - void sys_init(void) - { - /* Get an internet socket for doing socket ioctls. */ -- sock_fd = socket(AF_INET, SOCK_DGRAM, 0); -+ sock_fd = socket(AF_INET, SOCK_DGRAM | SOCK_CLOEXEC, 0); - if (sock_fd < 0) - fatal("Couldn't create IP socket: %m(%d)", errno); - - #ifdef INET6 -- sock6_fd = socket(AF_INET6, SOCK_DGRAM, 0); -+ sock6_fd = socket(AF_INET6, SOCK_DGRAM | SOCK_CLOEXEC, 0); - if (sock6_fd < 0) - sock6_fd = -errno; /* save errno for later */ - #endif -@@ -1857,7 +1857,7 @@ get_if_hwaddr(u_char *addr, char *name) - struct ifreq ifreq; - int ret, sock_fd; - -- sock_fd = socket(AF_INET, SOCK_DGRAM, 0); -+ sock_fd = socket(AF_INET, SOCK_DGRAM | SOCK_CLOEXEC, 0); - if (sock_fd < 0) - return 0; - memset(&ifreq.ifr_hwaddr, 0, sizeof(struct sockaddr)); -@@ -2067,7 +2067,7 @@ int ppp_available(void) - /* - * Open a socket for doing the ioctl operations. - */ -- s = socket(AF_INET, SOCK_DGRAM, 0); -+ s = socket(AF_INET, SOCK_DGRAM | SOCK_CLOEXEC, 0); - if (s < 0) - return 0; - -diff --git a/pppd/tty.c b/pppd/tty.c -index bc96695..8e76a5d 100644 ---- a/pppd/tty.c -+++ b/pppd/tty.c -@@ -896,7 +896,7 @@ open_socket(dest) - *sep = ':'; - - /* get a socket and connect it to the other end */ -- sock = socket(PF_INET, SOCK_STREAM, 0); -+ sock = socket(PF_INET, SOCK_STREAM | SOCK_CLOEXEC, 0); - if (sock < 0) { - error("Can't create socket: %m"); - return -1; --- -1.8.3.1 - diff --git a/src/patches/ppp/ppp-2.4.6-increase-max-padi-attempts.patch b/src/patches/ppp/ppp-2.4.6-increase-max-padi-attempts.patch deleted file mode 100644 index 1b36e8369..000000000 --- a/src/patches/ppp/ppp-2.4.6-increase-max-padi-attempts.patch +++ /dev/null @@ -1,13 +0,0 @@ -diff --git a/pppd/plugins/pppoe/pppoe.h b/pppd/plugins/pppoe/pppoe.h -index 9ab2eee..86762bd 100644 ---- a/pppd/plugins/pppoe/pppoe.h -+++ b/pppd/plugins/pppoe/pppoe.h -@@ -148,7 +148,7 @@ extern UINT16_t Eth_PPPOE_Session; - #define STATE_TERMINATED 4 - - /* How many PADI/PADS attempts? */ --#define MAX_PADI_ATTEMPTS 3 -+#define MAX_PADI_ATTEMPTS 4 - - /* Initial timeout for PADO/PADS */ - #define PADI_TIMEOUT 5 diff --git a/src/patches/ppp/ppp-2.4.7-headers_4.9.patch b/src/patches/ppp/ppp-2.4.7-headers_4.9.patch deleted file mode 100644 index 686db9204..000000000 --- a/src/patches/ppp/ppp-2.4.7-headers_4.9.patch +++ /dev/null @@ -1,12 +0,0 @@ -diff -Naur ppp-2.4.7.org/pppd/plugins/pppoe/plugin.c ppp-2.4.7/pppd/plugins/pppoe/plugin.c ---- ppp-2.4.7.org/pppd/plugins/pppoe/plugin.c 2014-08-09 14:31:39.000000000 +0200 -+++ ppp-2.4.7/pppd/plugins/pppoe/plugin.c 2017-02-09 08:45:12.567493723 +0100 -@@ -49,6 +49,8 @@ - #include - #include - #include -+#define _LINUX_IN_H -+#define _LINUX_IN6_H - #include - - #ifndef _ROOT_PATH diff --git a/src/patches/ppp/ppp-2.4.9-patch-configure-to-handle-cflags-properly.patch b/src/patches/ppp/ppp-2.4.9-patch-configure-to-handle-cflags-properly.patch deleted file mode 100644 index b36ace192..000000000 --- a/src/patches/ppp/ppp-2.4.9-patch-configure-to-handle-cflags-properly.patch +++ /dev/null @@ -1,15 +0,0 @@ ---- ppp-2.4.9.orig/configure 2021-03-30 21:38:27.415735914 +0200 -+++ ppp-2.4.9/configure 2021-04-01 19:10:48.632314447 +0200 -@@ -121,9 +121,9 @@ - rm -f $2 - if [ -f $1 ]; then - echo " $2 <= $1" -- sed -e "s,@DESTDIR@,$DESTDIR,g" -e "s,@SYSCONF@,$SYSCONF,g" \ -- -e "s,@CROSS_COMPILE@,$CROSS_COMPILE,g" -e "s,@CC@,$CC,g" \ -- -e "s,@CFLAGS@,$CFLAGS,g" $1 >$2 -+ sed -e "s#@DESTDIR@#$DESTDIR#g" -e "s#@SYSCONF@#$SYSCONF#g" \ -+ -e "s#@CROSS_COMPILE@#$CROSS_COMPILE#g" -e "s#@CC@#$CC#g" \ -+ -e "s#@CFLAGS@#$CFLAGS#g" $1 >$2 - fi - } - diff --git a/src/patches/ppp/0012-pppd-we-don-t-want-to-accidentally-leak-fds.patch b/src/patches/ppp/ppp-2.5.0-1-we-don-t-want-to-accidentally-leak-fds.patch similarity index 54% rename from src/patches/ppp/0012-pppd-we-don-t-want-to-accidentally-leak-fds.patch rename to src/patches/ppp/ppp-2.5.0-1-we-don-t-want-to-accidentally-leak-fds.patch index 90bb2d161..98ab03119 100644 --- a/src/patches/ppp/0012-pppd-we-don-t-want-to-accidentally-leak-fds.patch +++ b/src/patches/ppp/ppp-2.5.0-1-we-don-t-want-to-accidentally-leak-fds.patch @@ -1,20 +1,8 @@ -From 82cd789df0f022eb6f3d28646e7a61d1d0715805 Mon Sep 17 00:00:00 2001 -From: Michal Sekletar -Date: Mon, 7 Apr 2014 12:23:36 +0200 -Subject: [PATCH 12/25] pppd: we don't want to accidentally leak fds - ---- - pppd/auth.c | 20 ++++++++++---------- - pppd/options.c | 2 +- - pppd/sys-linux.c | 4 ++-- - 3 files changed, 13 insertions(+), 13 deletions(-) - -diff --git a/pppd/auth.c b/pppd/auth.c -index 4271af6..9e957fa 100644 ---- a/pppd/auth.c -+++ b/pppd/auth.c -@@ -428,7 +428,7 @@ setupapfile(argv) - option_error("unable to reset uid before opening %s: %m", fname); +diff -Naur pppd.orig/auth.c pppd/auth.c +--- pppd.orig/auth.c 2023-03-25 05:38:30.000000000 +0100 ++++ pppd/auth.c 2023-06-30 12:38:13.748482796 +0200 +@@ -518,7 +518,7 @@ + free(fname); return 0; } - ufile = fopen(fname, "r"); @@ -22,8 +10,8 @@ index 4271af6..9e957fa 100644 if (seteuid(euid) == -1) fatal("unable to regain privileges: %m"); if (ufile == NULL) { -@@ -1413,7 +1413,7 @@ check_passwd(unit, auser, userlen, apasswd, passwdlen, msg) - filename = _PATH_UPAPFILE; +@@ -1535,7 +1535,7 @@ + filename = PPP_PATH_UPAPFILE; addrs = opts = NULL; ret = UPAP_AUTHNAK; - f = fopen(filename, "r"); @@ -31,52 +19,52 @@ index 4271af6..9e957fa 100644 if (f == NULL) { error("Can't open PAP password file %s: %m", filename); -@@ -1512,7 +1512,7 @@ null_login(unit) +@@ -1635,7 +1635,7 @@ if (ret <= 0) { - filename = _PATH_UPAPFILE; + filename = PPP_PATH_UPAPFILE; addrs = NULL; - f = fopen(filename, "r"); + f = fopen(filename, "re"); if (f == NULL) return 0; check_access(f, filename); -@@ -1559,7 +1559,7 @@ get_pap_passwd(passwd) +@@ -1681,7 +1681,7 @@ } - filename = _PATH_UPAPFILE; + filename = PPP_PATH_UPAPFILE; - f = fopen(filename, "r"); + f = fopen(filename, "re"); if (f == NULL) return 0; check_access(f, filename); -@@ -1597,7 +1597,7 @@ have_pap_secret(lacks_ipp) +@@ -1718,7 +1718,7 @@ } - filename = _PATH_UPAPFILE; + filename = PPP_PATH_UPAPFILE; - f = fopen(filename, "r"); + f = fopen(filename, "re"); if (f == NULL) return 0; -@@ -1642,7 +1642,7 @@ have_chap_secret(client, server, need_ip, lacks_ipp) +@@ -1760,7 +1760,7 @@ } - filename = _PATH_CHAPFILE; + filename = PPP_PATH_CHAPFILE; - f = fopen(filename, "r"); + f = fopen(filename, "re"); if (f == NULL) return 0; -@@ -1684,7 +1684,7 @@ have_srp_secret(client, server, need_ip, lacks_ipp) +@@ -1798,7 +1798,7 @@ struct wordlist *addrs; - filename = _PATH_SRPFILE; + filename = PPP_PATH_SRPFILE; - f = fopen(filename, "r"); + f = fopen(filename, "re"); if (f == NULL) return 0; -@@ -1740,7 +1740,7 @@ get_secret(unit, client, server, secret, secret_len, am_server) +@@ -1849,7 +1849,7 @@ addrs = NULL; secbuf[0] = 0; @@ -85,8 +73,8 @@ index 4271af6..9e957fa 100644 if (f == NULL) { error("Can't open chap secret file %s: %m", filename); return 0; -@@ -1797,7 +1797,7 @@ get_srp_secret(unit, client, server, secret, am_server) - filename = _PATH_SRPFILE; +@@ -1902,7 +1902,7 @@ + filename = PPP_PATH_SRPFILE; addrs = NULL; - fp = fopen(filename, "r"); @@ -94,7 +82,7 @@ index 4271af6..9e957fa 100644 if (fp == NULL) { error("Can't open srp secret file %s: %m", filename); return 0; -@@ -2203,7 +2203,7 @@ scan_authfile(f, client, server, secret, addrs, opts, filename, flags) +@@ -2291,7 +2291,7 @@ */ if (word[0] == '@' && word[1] == '/') { strlcpy(atfile, word+1, sizeof(atfile)); @@ -103,12 +91,38 @@ index 4271af6..9e957fa 100644 warn("can't open indirect secret file %s", atfile); continue; } -diff --git a/pppd/options.c b/pppd/options.c -index 45fa742..1d754ae 100644 ---- a/pppd/options.c -+++ b/pppd/options.c -@@ -427,7 +427,7 @@ options_from_file(filename, must_exist, check_prot, priv) - option_error("unable to drop privileges to open %s: %m", filename); +@@ -2461,7 +2461,7 @@ + char pkfile[MAXWORDLEN]; + + filename = PPP_PATH_EAPTLSSERVFILE; +- f = fopen(filename, "r"); ++ f = fopen(filename, "re"); + if (f == NULL) + return 0; + +@@ -2518,7 +2518,7 @@ + return 1; + + filename = PPP_PATH_EAPTLSCLIFILE; +- f = fopen(filename, "r"); ++ f = fopen(filename, "re"); + if (f == NULL) + return 0; + +@@ -2738,7 +2738,7 @@ + filename = (am_server ? PPP_PATH_EAPTLSSERVFILE : PPP_PATH_EAPTLSCLIFILE); + addrs = NULL; + +- fp = fopen(filename, "r"); ++ fp = fopen(filename, "re"); + if (fp == NULL) + { + error("Can't open eap-tls secret file %s: %m", filename); +diff -Naur pppd.orig/options.c pppd/options.c +--- pppd.orig/options.c 2023-03-25 05:38:30.000000000 +0100 ++++ pppd/options.c 2023-06-30 12:42:19.262593140 +0200 +@@ -555,7 +555,7 @@ + ppp_option_error("unable to drop privileges to open %s: %m", filename); return 0; } - f = fopen(filename, "r"); @@ -116,11 +130,10 @@ index 45fa742..1d754ae 100644 err = errno; if (check_prot && seteuid(euid) == -1) fatal("unable to regain privileges"); -diff --git a/pppd/sys-linux.c b/pppd/sys-linux.c -index 72a7727..8a12fa0 100644 ---- a/pppd/sys-linux.c -+++ b/pppd/sys-linux.c -@@ -1412,7 +1412,7 @@ static char *path_to_procfs(const char *tail) +diff -Naur pppd.orig/sys-linux.c pppd/sys-linux.c +--- pppd.orig/sys-linux.c 2023-03-10 02:50:41.000000000 +0100 ++++ pppd/sys-linux.c 2023-06-30 12:43:20.634453475 +0200 +@@ -1978,7 +1978,7 @@ /* Default the mount location of /proc */ strlcpy (proc_path, "/proc", sizeof(proc_path)); proc_path_len = 5; @@ -129,7 +142,7 @@ index 72a7727..8a12fa0 100644 if (fp != NULL) { while ((mntent = getmntent(fp)) != NULL) { if (strcmp(mntent->mnt_type, MNTTYPE_IGNORE) == 0) -@@ -1472,7 +1472,7 @@ static int open_route_table (void) +@@ -2038,7 +2038,7 @@ close_route_table(); path = path_to_procfs("/net/route"); @@ -138,6 +151,12 @@ index 72a7727..8a12fa0 100644 if (route_fd == NULL) { error("can't open routing table %s: %m", path); return 0; --- -1.8.3.1 - +@@ -2322,7 +2322,7 @@ + close_route_table(); + + path = path_to_procfs("/net/ipv6_route"); +- route_fd = fopen (path, "r"); ++ route_fd = fopen (path, "re"); + if (route_fd == NULL) { + error("can't open routing table %s: %m", path); + return 0; diff --git a/src/patches/ppp/0013-everywhere-O_CLOEXEC-harder.patch b/src/patches/ppp/ppp-2.5.0-2-everywhere-O_CLOEXEC-harder.patch similarity index 63% rename from src/patches/ppp/0013-everywhere-O_CLOEXEC-harder.patch rename to src/patches/ppp/ppp-2.5.0-2-everywhere-O_CLOEXEC-harder.patch index 0fb028779..c205c0e08 100644 --- a/src/patches/ppp/0013-everywhere-O_CLOEXEC-harder.patch +++ b/src/patches/ppp/ppp-2.5.0-2-everywhere-O_CLOEXEC-harder.patch @@ -1,23 +1,7 @@ -From 302c1b736cb656c7885a0cba270fd953a672d8a8 Mon Sep 17 00:00:00 2001 -From: Michal Sekletar -Date: Mon, 7 Apr 2014 13:56:34 +0200 -Subject: [PATCH 13/25] everywhere: O_CLOEXEC harder - ---- - pppd/eap.c | 2 +- - pppd/main.c | 4 ++-- - pppd/options.c | 4 ++-- - pppd/sys-linux.c | 22 +++++++++++----------- - pppd/tdb.c | 4 ++-- - pppd/tty.c | 4 ++-- - pppd/utils.c | 6 +++--- - 7 files changed, 23 insertions(+), 23 deletions(-) - -diff --git a/pppd/eap.c b/pppd/eap.c -index 6ea6c1f..faced53 100644 ---- a/pppd/eap.c -+++ b/pppd/eap.c -@@ -1226,7 +1226,7 @@ mode_t modebits; +diff -Naur pppd.orig/eap.c pppd/eap.c +--- pppd.orig/eap.c 2023-03-25 05:38:30.000000000 +0100 ++++ pppd/eap.c 2023-06-30 12:58:07.984676045 +0200 +@@ -1542,7 +1542,7 @@ if ((path = name_of_pn_file()) == NULL) return (-1); @@ -26,34 +10,23 @@ index 6ea6c1f..faced53 100644 err = errno; free(path); errno = err; -diff --git a/pppd/main.c b/pppd/main.c -index 87a5d29..152e4a2 100644 ---- a/pppd/main.c -+++ b/pppd/main.c -@@ -400,7 +400,7 @@ main(int argc, char *argv[]) +diff -Naur pppd.orig/main.c pppd/main.c +--- pppd.orig/main.c 2023-03-25 05:38:30.000000000 +0100 ++++ pppd/main.c 2023-06-30 13:00:15.155195676 +0200 +@@ -479,7 +479,7 @@ die(0); /* Make sure fds 0, 1, 2 are open to somewhere. */ -- fd_devnull = open(_PATH_DEVNULL, O_RDWR); -+ fd_devnull = open(_PATH_DEVNULL, O_RDWR | O_CLOEXEC); +- fd_devnull = open(PPP_DEVNULL, O_RDWR); ++ fd_devnull = open(PPP_DEVNULL, O_RDWR | O_CLOEXEC); if (fd_devnull < 0) - fatal("Couldn't open %s: %m", _PATH_DEVNULL); + fatal("Couldn't open %s: %m", PPP_DEVNULL); while (fd_devnull <= 2) { -@@ -1642,7 +1642,7 @@ device_script(char *program, int in, int out, int dont_wait) - if (log_to_fd >= 0) - errfd = log_to_fd; - else -- errfd = open(_PATH_CONNERRS, O_WRONLY | O_APPEND | O_CREAT, 0644); -+ errfd = open(_PATH_CONNERRS, O_WRONLY | O_APPEND | O_CREAT | O_CLOEXEC, 0644); - - ++conn_running; - pid = safe_fork(in, out, errfd); -diff --git a/pppd/options.c b/pppd/options.c -index 1d754ae..8e62635 100644 ---- a/pppd/options.c -+++ b/pppd/options.c -@@ -1544,9 +1544,9 @@ setlogfile(argv) - option_error("unable to drop permissions to open %s: %m", *argv); +diff -Naur pppd.orig/options.c pppd/options.c +--- pppd.orig/options.c 2023-06-30 12:42:19.262593140 +0200 ++++ pppd/options.c 2023-06-30 13:01:58.388323345 +0200 +@@ -1718,9 +1718,9 @@ + ppp_option_error("unable to drop permissions to open %s: %m", *argv); return 0; } - fd = open(*argv, O_WRONLY | O_APPEND | O_CREAT | O_EXCL, 0644); @@ -64,11 +37,10 @@ index 1d754ae..8e62635 100644 err = errno; if (!privileged_option && seteuid(euid) == -1) fatal("unable to regain privileges: %m"); -diff --git a/pppd/sys-linux.c b/pppd/sys-linux.c -index 8a12fa0..00a2cf5 100644 ---- a/pppd/sys-linux.c -+++ b/pppd/sys-linux.c -@@ -459,7 +459,7 @@ int generic_establish_ppp (int fd) +diff -Naur pppd.orig/sys-linux.c pppd/sys-linux.c +--- pppd.orig/sys-linux.c 2023-06-30 12:43:20.634453475 +0200 ++++ pppd/sys-linux.c 2023-06-30 13:11:25.715511251 +0200 +@@ -666,7 +666,7 @@ goto err; } dbglog("using channel %d", chindex); @@ -77,7 +49,7 @@ index 8a12fa0..00a2cf5 100644 if (fd < 0) { error("Couldn't reopen /dev/ppp: %m"); goto err; -@@ -619,7 +619,7 @@ static int make_ppp_unit() +@@ -904,7 +904,7 @@ dbglog("in make_ppp_unit, already had /dev/ppp open?"); close(ppp_dev_fd); } @@ -86,7 +58,7 @@ index 8a12fa0..00a2cf5 100644 if (ppp_dev_fd < 0) fatal("Couldn't open /dev/ppp: %m"); flags = fcntl(ppp_dev_fd, F_GETFL); -@@ -693,7 +693,7 @@ int bundle_attach(int ifnum) +@@ -1025,7 +1025,7 @@ if (!new_style_driver) return -1; @@ -95,7 +67,7 @@ index 8a12fa0..00a2cf5 100644 if (master_fd < 0) fatal("Couldn't open /dev/ppp: %m"); if (ioctl(master_fd, PPPIOCATTACH, &ifnum) < 0) { -@@ -1715,7 +1715,7 @@ int sifproxyarp (int unit, u_int32_t his_adr) +@@ -2533,7 +2533,7 @@ if (tune_kernel) { forw_path = path_to_procfs("/sys/net/ipv4/ip_forward"); if (forw_path != 0) { @@ -104,7 +76,7 @@ index 8a12fa0..00a2cf5 100644 if (fd >= 0) { if (write(fd, "1", 1) != 1) error("Couldn't enable IP forwarding: %m"); -@@ -2030,7 +2030,7 @@ int ppp_available(void) +@@ -2878,7 +2878,7 @@ sscanf(utsname.release, "%d.%d.%d", &osmaj, &osmin, &ospatch); kernel_version = KVERSION(osmaj, osmin, ospatch); @@ -113,7 +85,7 @@ index 8a12fa0..00a2cf5 100644 if (fd >= 0) { new_style_driver = 1; -@@ -2208,7 +2208,7 @@ void logwtmp (const char *line, const char *name, const char *host) +@@ -3056,7 +3056,7 @@ #if __GLIBC__ >= 2 updwtmp(_PATH_WTMP, &ut); #else @@ -122,7 +94,7 @@ index 8a12fa0..00a2cf5 100644 if (wtmp >= 0) { flock(wtmp, LOCK_EX); -@@ -2394,7 +2394,7 @@ int sifaddr (int unit, u_int32_t our_adr, u_int32_t his_adr, +@@ -3280,7 +3280,7 @@ int fd; path = path_to_procfs("/sys/net/ipv4/ip_dynaddr"); @@ -131,7 +103,7 @@ index 8a12fa0..00a2cf5 100644 if (write(fd, "1", 1) != 1) error("Couldn't enable dynamic IP addressing: %m"); close(fd); -@@ -2570,7 +2570,7 @@ get_pty(master_fdp, slave_fdp, slave_name, uid) +@@ -3534,7 +3534,7 @@ /* * Try the unix98 way first. */ @@ -140,17 +112,17 @@ index 8a12fa0..00a2cf5 100644 if (mfd >= 0) { int ptn; if (ioctl(mfd, TIOCGPTN, &ptn) >= 0) { -@@ -2851,7 +2851,8 @@ +@@ -3545,7 +3545,8 @@ if (ioctl(mfd, TIOCSPTLCK, &ptn) < 0) warn("Couldn't unlock pty slave %s: %m", pty_name); #endif - if ((sfd = open(pty_name, O_RDWR | O_NOCTTY)) < 0) + -+ if ((sfd = open(pty_name, O_RDWR | O_NOCTTY | O_CLOEXEC)) < 0) - { ++ if ((sfd = open(pty_name, O_RDWR | O_NOCTTY | O_CLOEXEC)) < 0) + { warn("Couldn't open pty slave %s: %m", pty_name); - close(mfd); -@@ -2865,10 +2866,10 @@ + close(mfd); +@@ -3559,10 +3560,10 @@ for (i = 0; i < 64; ++i) { slprintf(pty_name, sizeof(pty_name), "/dev/pty%c%x", 'p' + i / 16, i % 16); @@ -161,13 +133,12 @@ index 8a12fa0..00a2cf5 100644 - sfd = open(pty_name, O_RDWR | O_NOCTTY, 0); + sfd = open(pty_name, O_RDWR | O_NOCTTY | O_CLOEXEC, 0); if (sfd >= 0) { - fchown(sfd, uid, -1); - fchmod(sfd, S_IRUSR | S_IWUSR); -diff --git a/pppd/tdb.c b/pppd/tdb.c -index bdc5828..c7ab71c 100644 ---- a/pppd/tdb.c -+++ b/pppd/tdb.c -@@ -1724,7 +1724,7 @@ TDB_CONTEXT *tdb_open_ex(const char *name, int hash_size, int tdb_flags, + ret = fchown(sfd, uid, -1); + if (ret != 0) { +diff -Naur pppd.orig/tdb.c pppd/tdb.c +--- pppd.orig/tdb.c 2021-07-23 06:41:07.000000000 +0200 ++++ pppd/tdb.c 2023-06-30 13:12:55.034900600 +0200 +@@ -1728,7 +1728,7 @@ goto internal; } @@ -176,7 +147,7 @@ index bdc5828..c7ab71c 100644 TDB_LOG((tdb, 5, "tdb_open_ex: could not open file %s: %s\n", name, strerror(errno))); goto fail; /* errno set by open(2) */ -@@ -1967,7 +1967,7 @@ int tdb_reopen(TDB_CONTEXT *tdb) +@@ -1971,7 +1971,7 @@ } if (close(tdb->fd) != 0) TDB_LOG((tdb, 0, "tdb_reopen: WARNING closing tdb->fd failed!\n")); @@ -185,12 +156,11 @@ index bdc5828..c7ab71c 100644 if (tdb->fd == -1) { TDB_LOG((tdb, 0, "tdb_reopen: open failed (%s)\n", strerror(errno))); goto fail; -diff --git a/pppd/tty.c b/pppd/tty.c -index d571b11..bc96695 100644 ---- a/pppd/tty.c -+++ b/pppd/tty.c -@@ -569,7 +569,7 @@ int connect_tty() - status = EXIT_OPEN_FAILED; +diff -Naur pppd.orig/tty.c pppd/tty.c +--- pppd.orig/tty.c 2023-03-25 05:38:30.000000000 +0100 ++++ pppd/tty.c 2023-06-30 13:14:06.450418113 +0200 +@@ -621,7 +621,7 @@ + ppp_set_status(EXIT_OPEN_FAILED); goto errret; } - real_ttyfd = open(devnam, O_NONBLOCK | O_RDWR, 0); @@ -198,7 +168,7 @@ index d571b11..bc96695 100644 err = errno; if (prio < OPRIO_ROOT && seteuid(0) == -1) fatal("Unable to regain privileges"); -@@ -723,7 +723,7 @@ int connect_tty() +@@ -775,7 +775,7 @@ if (connector == NULL && modem && devnam[0] != 0) { int i; for (;;) { @@ -207,12 +177,11 @@ index d571b11..bc96695 100644 break; if (errno != EINTR) { error("Failed to reopen %s: %m", devnam); -diff --git a/pppd/utils.c b/pppd/utils.c -index 29bf970..6051b9a 100644 ---- a/pppd/utils.c -+++ b/pppd/utils.c -@@ -918,14 +918,14 @@ lock(dev) - slprintf(lock_file, sizeof(lock_file), "%s/LCK..%s", LOCK_DIR, dev); +diff -Naur pppd.orig/utils.c pppd/utils.c +--- pppd.orig/utils.c 2022-12-30 02:12:39.000000000 +0100 ++++ pppd/utils.c 2023-06-30 13:15:47.860182369 +0200 +@@ -843,14 +843,14 @@ + slprintf(lock_file, sizeof(lock_file), "%s/LCK..%s", PPP_PATH_LOCKDIR, dev); #endif - while ((fd = open(lock_file, O_EXCL | O_CREAT | O_RDWR, 0644)) < 0) { @@ -228,7 +197,7 @@ index 29bf970..6051b9a 100644 if (fd < 0) { if (errno == ENOENT) /* This is just a timing problem. */ continue; -@@ -1004,7 +1004,7 @@ relock(pid) +@@ -933,7 +933,7 @@ if (lock_file[0] == 0) return -1; @@ -237,6 +206,3 @@ index 29bf970..6051b9a 100644 if (fd < 0) { error("Couldn't reopen lock file %s: %m", lock_file); lock_file[0] = 0; --- -1.8.3.1 - diff --git a/src/patches/ppp/ppp-2.5.0-3-everywhere-use-SOCK_CLOEXEC-when-creating-socket.patch b/src/patches/ppp/ppp-2.5.0-3-everywhere-use-SOCK_CLOEXEC-when-creating-socket.patch new file mode 100644 index 000000000..cfd72e468 --- /dev/null +++ b/src/patches/ppp/ppp-2.5.0-3-everywhere-use-SOCK_CLOEXEC-when-creating-socket.patch @@ -0,0 +1,135 @@ +diff -Naur pppd.orig/plugins/pppoatm/pppoatm.c pppd/plugins/pppoatm/pppoatm.c +--- pppd.orig/plugins/pppoatm/pppoatm.c 2023-03-25 05:38:30.000000000 +0100 ++++ pppd/plugins/pppoatm/pppoatm.c 2023-06-30 13:21:33.397378347 +0200 +@@ -146,7 +146,7 @@ + + if (!device_got_set) + no_device_given_pppoatm(); +- fd = socket(AF_ATMPVC, SOCK_DGRAM, 0); ++ fd = socket(AF_ATMPVC, SOCK_DGRAM | SOCK_CLOEXEC, 0); + if (fd < 0) + fatal("failed to create socket: %m"); + memset(&qos, 0, sizeof qos); +diff -Naur pppd.orig/plugins/pppoe/if.c pppd/plugins/pppoe/if.c +--- pppd.orig/plugins/pppoe/if.c 2022-12-30 02:12:39.000000000 +0100 ++++ pppd/plugins/pppoe/if.c 2023-06-30 13:24:11.372183452 +0200 +@@ -116,7 +116,7 @@ + stype = SOCK_PACKET; + #endif + +- if ((fd = socket(domain, stype, htons(type))) < 0) { ++ if ((fd = socket(domain, stype | SOCK_CLOEXEC, htons(type))) < 0) { + /* Give a more helpful message for the common error case */ + if (errno == EPERM) { + fatal("Cannot create raw socket -- pppoe must be run as root."); +diff -Naur pppd.orig/plugins/pppoe/plugin.c pppd/plugins/pppoe/plugin.c +--- pppd.orig/plugins/pppoe/plugin.c 2023-03-25 05:38:30.000000000 +0100 ++++ pppd/plugins/pppoe/plugin.c 2023-06-30 13:25:58.798782323 +0200 +@@ -155,7 +155,7 @@ + /* server equipment). */ + /* Opening this socket just before waitForPADS in the discovery() */ + /* function would be more appropriate, but it would mess-up the code */ +- conn->sessionSocket = socket(AF_PPPOX, SOCK_STREAM, PX_PROTO_OE); ++ conn->sessionSocket = socket(AF_PPPOX, SOCK_STREAM | SOCK_CLOEXEC, PX_PROTO_OE); + if (conn->sessionSocket < 0) { + error("Failed to create PPPoE socket: %m"); + return -1; +@@ -166,7 +166,7 @@ + lcp_wantoptions[0].mru = conn->mru = conn->storedmru; + + /* Update maximum MRU */ +- s = socket(AF_INET, SOCK_DGRAM, 0); ++ s = socket(AF_INET, SOCK_DGRAM | SOCK_CLOEXEC, 0); + if (s < 0) { + error("Can't get MTU for %s: %m", conn->ifName); + goto errout; +@@ -364,7 +364,7 @@ + } + + /* Open a socket */ +- if ((fd = socket(PF_PACKET, SOCK_RAW, 0)) < 0) { ++ if ((fd = socket(PF_PACKET, SOCK_RAW | SOCK_CLOEXEC, 0)) < 0) { + r = 0; + } + +diff -Naur pppd.orig/plugins/pppol2tp/openl2tp.c pppd/plugins/pppol2tp/openl2tp.c +--- pppd.orig/plugins/pppol2tp/openl2tp.c 2023-03-10 02:50:41.000000000 +0100 ++++ pppd/plugins/pppol2tp/openl2tp.c 2023-06-30 13:22:30.055768865 +0200 +@@ -93,7 +93,7 @@ + int result; + + if (openl2tp_fd < 0) { +- openl2tp_fd = socket(PF_UNIX, SOCK_DGRAM, 0); ++ openl2tp_fd = socket(PF_UNIX, SOCK_DGRAM | SOCK_CLOEXEC, 0); + if (openl2tp_fd < 0) { + error("openl2tp connection create: %m"); + return -ENOTCONN; +diff -Naur pppd.orig/plugins/pppol2tp/pppol2tp.c pppd/plugins/pppol2tp/pppol2tp.c +--- pppd.orig/plugins/pppol2tp/pppol2tp.c 2022-12-30 02:12:39.000000000 +0100 ++++ pppd/plugins/pppol2tp/pppol2tp.c 2023-06-30 13:23:13.493756755 +0200 +@@ -220,7 +220,7 @@ + struct ifreq ifr; + int fd; + +- fd = socket(AF_INET, SOCK_DGRAM, 0); ++ fd = socket(AF_INET, SOCK_DGRAM | SOCK_CLOEXEC, 0); + if (fd >= 0) { + memset (&ifr, '\0', sizeof (ifr)); + ppp_get_ifname(ifr.ifr_name, sizeof(ifr.ifr_name)); +diff -Naur pppd.orig/sys-linux.c pppd/sys-linux.c +--- pppd.orig/sys-linux.c 2023-06-30 13:11:25.715511251 +0200 ++++ pppd/sys-linux.c 2023-06-30 13:32:50.021272249 +0200 +@@ -499,12 +499,12 @@ + void sys_init(void) + { + /* Get an internet socket for doing socket ioctls. */ +- sock_fd = socket(AF_INET, SOCK_DGRAM, 0); ++ sock_fd = socket(AF_INET, SOCK_DGRAM | SOCK_CLOEXEC, 0); + if (sock_fd < 0) + fatal("Couldn't create IP socket: %m(%d)", errno); + + #ifdef PPP_WITH_IPV6CP +- sock6_fd = socket(AF_INET6, SOCK_DGRAM, 0); ++ sock6_fd = socket(AF_INET6, SOCK_DGRAM | SOCK_CLOEXEC, 0); + if (sock6_fd < 0) + sock6_fd = -errno; /* save errno for later */ + #endif +@@ -2675,7 +2675,7 @@ + struct ifreq ifreq; + int ret, sock_fd; + +- sock_fd = socket(AF_INET, SOCK_DGRAM, 0); ++ sock_fd = socket(AF_INET, SOCK_DGRAM | SOCK_CLOEXEC, 0); + if (sock_fd < 0) + return -1; + memset(&ifreq.ifr_hwaddr, 0, sizeof(struct sockaddr)); +@@ -2698,7 +2698,7 @@ + struct ifreq ifreq; + int ret, sock_fd; + +- sock_fd = socket(AF_INET, SOCK_DGRAM, 0); ++ sock_fd = socket(AF_INET, SOCK_DGRAM | SOCK_CLOEXEC, 0); + if (sock_fd < 0) + return -1; + +@@ -2915,7 +2915,7 @@ + /* + * Open a socket for doing the ioctl operations. + */ +- s = socket(AF_INET, SOCK_DGRAM, 0); ++ s = socket(AF_INET, SOCK_DGRAM | SOCK_CLOEXEC, 0); + if (s < 0) + return 0; + +diff -Naur pppd.orig/tty.c pppd/tty.c +--- pppd.orig/tty.c 2023-06-30 13:14:06.450418113 +0200 ++++ pppd/tty.c 2023-06-30 13:33:31.285858278 +0200 +@@ -942,7 +942,7 @@ + *sep = ':'; + + /* get a socket and connect it to the other end */ +- sock = socket(PF_INET, SOCK_STREAM, 0); ++ sock = socket(PF_INET, SOCK_STREAM | SOCK_CLOEXEC, 0); + if (sock < 0) { + error("Can't create socket: %m"); + return -1; diff --git a/src/patches/ppp/ppp-2.5.0-4-increase-max-padi-attempts.patch b/src/patches/ppp/ppp-2.5.0-4-increase-max-padi-attempts.patch new file mode 100644 index 000000000..002b6066d --- /dev/null +++ b/src/patches/ppp/ppp-2.5.0-4-increase-max-padi-attempts.patch @@ -0,0 +1,12 @@ +diff -Naur pppd.orig/plugins/pppoe/pppoe.h pppd/plugins/pppoe/pppoe.h +--- pppd.orig/plugins/pppoe/pppoe.h 2022-12-30 02:12:39.000000000 +0100 ++++ pppd/plugins/pppoe/pppoe.h 2023-06-30 13:37:07.189078090 +0200 +@@ -143,7 +143,7 @@ + #define STATE_TERMINATED 4 + + /* How many PADI/PADS attempts? */ +-#define MAX_PADI_ATTEMPTS 3 ++#define MAX_PADI_ATTEMPTS 4 + + /* Initial timeout for PADO/PADS */ + #define PADI_TIMEOUT 5 diff --git a/src/patches/ppp/ppp-2.5.0-5-headers_4.9.patch b/src/patches/ppp/ppp-2.5.0-5-headers_4.9.patch new file mode 100644 index 000000000..dc6c22852 --- /dev/null +++ b/src/patches/ppp/ppp-2.5.0-5-headers_4.9.patch @@ -0,0 +1,12 @@ +diff -Naur pppd.orig/plugins/pppoe/plugin.c pppd/plugins/pppoe/plugin.c +--- pppd.orig/plugins/pppoe/plugin.c 2023-06-30 13:25:58.798782323 +0200 ++++ pppd/plugins/pppoe/plugin.c 2023-06-30 13:50:23.150026201 +0200 +@@ -46,6 +46,8 @@ + #include + #include + #include ++#define _LINUX_IN_H ++#define _LINUX_IN6_H + #include + + #include diff --git a/src/patches/ppp/ppp-2.5.0-6-patch-configure-to-handle-cflags-properly.patch b/src/patches/ppp/ppp-2.5.0-6-patch-configure-to-handle-cflags-properly.patch new file mode 100644 index 000000000..0e9eab6ed --- /dev/null +++ b/src/patches/ppp/ppp-2.5.0-6-patch-configure-to-handle-cflags-properly.patch @@ -0,0 +1,18 @@ +diff -Naur ppp-2.5.0.orig/configure ppp-2.5.0/configure +--- ppp-2.5.0.orig/configure 2023-03-25 05:38:36.000000000 +0100 ++++ ppp-2.5.0/configure 2023-06-30 14:05:14.773950477 +0200 +@@ -17774,10 +17774,10 @@ + rm -f $2 + if [ -f $1 ]; then + echo " $2 <= $1" +- sed -e "s,@DESTDIR@,$prefix,g" \ +- -e "s,@SYSCONF@,$sysconfdir,g" \ +- -e "s,@CC@,$CC,g" \ +- -e "s|@CFLAGS@|$CFLAGS|g" $1 > $2 ++ sed -e "s#@DESTDIR@#$prefix#g" \ ++ -e "s#@SYSCONF@#$sysconfdir#g" \ ++ -e "s#@CC@#$CC#g" \ ++ -e "s#@CFLAGS@#$CFLAGS#g" $1 > $2 + fi + } +