
Bug#983298: marked as done (unblock: ocserv/1.1.2-2)



Your message dated Mon, 22 Feb 2021 19:30:25 +0100
with message-id <d5f7111b-e88c-324a-4eeb-62b847e90ad6@debian.org>
and subject line Re: Bug#983298: unblock: ocserv/1.1.2-2
has caused the Debian Bug report #983298,
regarding unblock: ocserv/1.1.2-2
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
983298: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=983298
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
User: release.debian.org@packages.debian.org
Usertags: unblock
Severity: normal

Dear release team,

This is a pre-approval request: please unblock package ocserv/1.1.2-2, which
is a version with cherry-picked upstream bug fixes.

unblock ocserv/1.1.2-2


Regards,
Aron
diff -Nru ocserv-1.1.2/debian/changelog ocserv-1.1.2/debian/changelog
--- ocserv-1.1.2/debian/changelog	2020-12-17 18:38:57.000000000 +0800
+++ ocserv-1.1.2/debian/changelog	2021-02-22 11:37:07.000000000 +0800
@@ -1,3 +1,9 @@
+ocserv (1.1.2-2) unstable; urgency=medium
+
+  * d/patches: cherry-pick upstream post 1.1.2 bug fixes
+
+ -- Aron Xu <aron@debian.org>  Mon, 22 Feb 2021 11:37:07 +0800
+
 ocserv (1.1.2-1) unstable; urgency=medium
 
   * New upstream version 1.1.2
diff -Nru ocserv-1.1.2/debian/patches/0009-update_auth_time_stats-cast-operations-to-avoid-over.patch ocserv-1.1.2/debian/patches/0009-update_auth_time_stats-cast-operations-to-avoid-over.patch
--- ocserv-1.1.2/debian/patches/0009-update_auth_time_stats-cast-operations-to-avoid-over.patch	1970-01-01 08:00:00.000000000 +0800
+++ ocserv-1.1.2/debian/patches/0009-update_auth_time_stats-cast-operations-to-avoid-over.patch	2021-02-22 11:33:03.000000000 +0800
@@ -0,0 +1,27 @@
+From e035221030f8fdfbb38483889631916fef9d9798 Mon Sep 17 00:00:00 2001
+From: Nikos Mavrogiannopoulos <n.mavrogiannopoulos@gmail.com>
+Date: Wed, 9 Dec 2020 15:05:24 +0100
+Subject: [PATCH 09/36] update_auth_time_stats: cast operations to avoid
+ overflows
+
+Signed-off-by: Nikos Mavrogiannopoulos <n.mavrogiannopoulos@gmail.com>
+---
+ src/sec-mod-auth.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/sec-mod-auth.c b/src/sec-mod-auth.c
+index c769643c..b4b2f3fd 100644
+--- a/src/sec-mod-auth.c
++++ b/src/sec-mod-auth.c
+@@ -131,7 +131,7 @@ static void update_auth_time_stats(sec_mod_st * sec, time_t secs)
+ 
+ 	if (secs > sec->max_auth_time)
+ 		sec->max_auth_time = secs;
+-	sec->avg_auth_time = (sec->avg_auth_time*(sec->total_authentications-1)+secs) / sec->total_authentications;
++	sec->avg_auth_time = ((uint64_t)sec->avg_auth_time*((uint64_t)(sec->total_authentications-1))+secs) / (uint64_t)sec->total_authentications;
+ }
+ 
+ static
+-- 
+2.20.1
+
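Review bot: The rewritten average still adds the signed `secs` (a `time_t`, signed on the usual platforms) into unsigned 64-bit arithmetic, so a negative duration would be converted to a very large value and skew `avg_auth_time`. Whether a caller can pass a negative value, for example when the start and end timestamps come from a wall clock that was stepped back, is not visible in this hunk and should be confirmed at the call sites. A guard such as `if (secs < 0) secs = 0;` ahead of the `max_auth_time` comparison would make the statistic robust either way. The division also assumes `sec->total_authentications` is non-zero, and the `-1` is evaluated in the field's own type before the cast; the increment presumably sits earlier in update_auth_time_stats, whose body starts outside the hunk.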
diff -Nru ocserv-1.1.2/debian/patches/0020-ocserv-worker-renamed-loop-to-worker_loop.patch ocserv-1.1.2/debian/patches/0020-ocserv-worker-renamed-loop-to-worker_loop.patch
--- ocserv-1.1.2/debian/patches/0020-ocserv-worker-renamed-loop-to-worker_loop.patch	1970-01-01 08:00:00.000000000 +0800
+++ ocserv-1.1.2/debian/patches/0020-ocserv-worker-renamed-loop-to-worker_loop.patch	2021-02-22 11:35:22.000000000 +0800
@@ -0,0 +1,131 @@
+From 47c6638286a694b4d278e01b278f64f9368b3e1a Mon Sep 17 00:00:00 2001
+From: Nikos Mavrogiannopoulos <n.mavrogiannopoulos@gmail.com>
+Date: Sat, 12 Dec 2020 22:41:50 +0100
+Subject: [PATCH 20/36] ocserv-worker: renamed loop to worker_loop
+
+This avoids warnings and static analyzers complains about
+the libev functions hiding the global 'loop' variable
+
+Signed-off-by: Nikos Mavrogiannopoulos <n.mavrogiannopoulos@gmail.com>
+---
+ src/worker-vpn.c | 34 +++++++++++++++++-----------------
+ 1 file changed, 17 insertions(+), 17 deletions(-)
+
+Index: ocserv/src/worker-vpn.c
+===================================================================
+--- ocserv.orig/src/worker-vpn.c
++++ ocserv/src/worker-vpn.c
+@@ -95,7 +95,7 @@ struct worker_st *global_ws = NULL;
+ static int terminate = 0;
+ static int terminate_reason = REASON_SERVER_DISCONNECT;
+ 
+-static struct ev_loop *loop = NULL;
++static struct ev_loop *worker_loop = NULL;
+ ev_io command_watcher;
+ ev_io tls_watcher;
+ ev_io tun_watcher;
+@@ -433,8 +433,8 @@ static int setup_dtls_connection(struct
+ 	dtls->dtls_session = session;
+ 	ev_init(&dtls->io, dtls_watcher_cb);
+ 	ev_io_set(&dtls->io, dtls->dtls_tptr.fd, EV_READ);
+-	ev_io_start(loop, &dtls->io);
+-	ev_invoke(loop, &dtls->io, EV_READ);
++	ev_io_start(worker_loop, &dtls->io);
++	ev_invoke(worker_loop, &dtls->io, EV_READ);
+ 
+ 	return 0;
+  fail:
+@@ -2609,7 +2609,7 @@ static int test_for_tcp_health_probe(str
+ 
+ static void syserr_cb (const char *msg)
+ {
+-	struct worker_st * ws = ev_userdata(loop);
++	struct worker_st * ws = ev_userdata(worker_loop);
+ 	int err = errno;
+ 
+ 	oclog(ws, LOG_ERR, "libev fatal error: %s / %s", msg, strerror(err));
+@@ -2637,7 +2637,7 @@ static void cstp_send_terminate(struct w
+ 
+ static void command_watcher_cb (EV_P_ ev_io *w, int revents)
+ {
+-	struct worker_st *ws = ev_userdata(loop);
++	struct worker_st *ws = ev_userdata(worker_loop);
+ 
+ 	int ret = handle_commands_from_main(ws);
+ 	if (ret == ERR_NO_CMD_FD) {
+@@ -2723,7 +2723,7 @@ static void invoke_dtls_if_needed(struct
+ 	if ((dtls->udp_state > UP_WAIT_FD) && 
+ 		(dtls->dtls_session != NULL) &&
+ 		(gnutls_record_check_pending(dtls->dtls_session))) {
+-		ev_invoke(loop, &dtls->io, EV_READ);
++		ev_invoke(worker_loop, &dtls->io, EV_READ);
+ 	}
+ }
+ 
+@@ -2757,9 +2757,9 @@ static int worker_event_loop(struct work
+ 	struct timespec tnow;
+ 
+ #if defined(__linux__) && defined(HAVE_LIBSECCOMP)
+-	loop = ev_default_loop(EVFLAG_NOENV|EVBACKEND_EPOLL);
++	worker_loop = ev_default_loop(EVFLAG_NOENV|EVBACKEND_EPOLL);
+ #else
+-	loop = EV_DEFAULT;
++	worker_loop = EV_DEFAULT;
+ #endif
+ 
+ 	// Restore the signal handlers
+@@ -2769,37 +2769,37 @@ static int worker_event_loop(struct work
+ 	
+ 	ev_init(&alarm_sig_watcher, term_sig_watcher_cb);
+ 	ev_signal_set (&alarm_sig_watcher, SIGALRM);
+-	ev_signal_start (loop, &alarm_sig_watcher);
++	ev_signal_start (worker_loop, &alarm_sig_watcher);
+ 
+ 	ev_init (&int_sig_watcher, term_sig_watcher_cb);
+ 	ev_signal_set (&int_sig_watcher, SIGINT);
+-	ev_signal_start (loop, &int_sig_watcher);
++	ev_signal_start (worker_loop, &int_sig_watcher);
+ 
+ 	ev_init (&term_sig_watcher, term_sig_watcher_cb);
+ 	ev_signal_set (&term_sig_watcher, SIGTERM);
+-	ev_signal_start (loop, &term_sig_watcher);
++	ev_signal_start (worker_loop, &term_sig_watcher);
+ 	
+-	ev_set_userdata (loop, ws);
++	ev_set_userdata (worker_loop, ws);
+ 	ev_set_syserr_cb(syserr_cb);
+ 
+ 	ev_init(&command_watcher, command_watcher_cb);
+ 	ev_io_set(&command_watcher, ws->cmd_fd, EV_READ);
+-	ev_io_start(loop, &command_watcher);
++	ev_io_start(worker_loop, &command_watcher);
+ 
+ 	ev_init(&tls_watcher, tls_watcher_cb);
+ 	ev_io_set(&tls_watcher, ws->conn_fd, EV_READ);
+-	ev_io_start(loop, &tls_watcher);
++	ev_io_start(worker_loop, &tls_watcher);
+ 
+ 	ev_init(&DTLS_ACTIVE(ws)->io, dtls_watcher_cb);
+ 	ev_init(&DTLS_INACTIVE(ws)->io, dtls_watcher_cb);
+ 
+ 	ev_init(&tun_watcher, tun_watcher_cb);
+ 	ev_io_set(&tun_watcher, ws->tun_fd, EV_READ);
+-	ev_io_start(loop, &tun_watcher);
++	ev_io_start(worker_loop, &tun_watcher);
+ 
+ 	ev_init (&period_check_watcher, periodic_check_watcher_cb);
+ 	ev_timer_set(&period_check_watcher, WORKER_MAINTENANCE_TIME, WORKER_MAINTENANCE_TIME);
+-	ev_timer_start(loop, &period_check_watcher);
++	ev_timer_start(worker_loop, &period_check_watcher);
+ 
+ 
+ 	/* start dead peer detection */
+@@ -2810,7 +2810,7 @@ static int worker_event_loop(struct work
+ 	bandwidth_init(&ws->b_tx, ws->user_config->tx_per_sec);
+ 
+ 
+-	ev_run(loop, 0);
++	ev_run(worker_loop, 0);
+ 	if (terminate != 0)
+ 	{
+ 		goto exit;
diff -Nru ocserv-1.1.2/debian/patches/0033-Close-fd-and-stop-ev_io-on-failed-handshake.patch ocserv-1.1.2/debian/patches/0033-Close-fd-and-stop-ev_io-on-failed-handshake.patch
--- ocserv-1.1.2/debian/patches/0033-Close-fd-and-stop-ev_io-on-failed-handshake.patch	1970-01-01 08:00:00.000000000 +0800
+++ ocserv-1.1.2/debian/patches/0033-Close-fd-and-stop-ev_io-on-failed-handshake.patch	2021-02-22 11:33:16.000000000 +0800
@@ -0,0 +1,25 @@
+From c53cc97395efccaf9a567c51475bcfc3d1a8ee5e Mon Sep 17 00:00:00 2001
+From: Alan Jowett <alan.jowett@microsoft.com>
+Date: Thu, 4 Feb 2021 09:29:45 -0700
+Subject: [PATCH 33/36] Close fd and stop ev_io on failed handshake.
+ Signed-off-by: Alan Jowett <alanjo@microsoft.com>
+
+---
+ src/worker-vpn.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/src/worker-vpn.c b/src/worker-vpn.c
+index 185a5eae..b77597c5 100644
+--- a/src/worker-vpn.c
++++ b/src/worker-vpn.c
+@@ -1479,6 +1479,7 @@ static int dtls_mainloop(worker_st * ws, struct dtls_st * dtls, struct timespec
+ 				      "error in DTLS handshake: %s\n",
+ 				      gnutls_strerror(ret));
+ 			dtls->udp_state = UP_DISABLED;
++			ev_io_stop(worker_loop, &dtls->io);
+ 			break;
+ 		}
+ 
+-- 
+2.20.1
+
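Review bot: The subject promises to close the fd, but the single added line, `ev_io_stop(worker_loop, &dtls->io);`, only stops the watcher; nothing visible in this hunk closes `dtls->dtls_tptr.fd` or releases `dtls->dtls_session` on the failed-handshake path. If that cleanup does not happen elsewhere in dtls_mainloop or its caller (both extend outside the hunk), a peer whose DTLS handshakes fail repeatedly could leave descriptors and sessions allocated in the worker until it exits. Either extend the error branch to do the cleanup or add a comment saying where it happens, e.g. `/* fd and session are released by <cleanup function>; only the watcher needs stopping here */`. The line also depends on the `worker_loop` rename from patch 0020, so the two must stay together in the series.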
diff -Nru ocserv-1.1.2/debian/patches/0035-dtls-connection-setup-fix-memory-corruption-proper-w.patch ocserv-1.1.2/debian/patches/0035-dtls-connection-setup-fix-memory-corruption-proper-w.patch
--- ocserv-1.1.2/debian/patches/0035-dtls-connection-setup-fix-memory-corruption-proper-w.patch	1970-01-01 08:00:00.000000000 +0800
+++ ocserv-1.1.2/debian/patches/0035-dtls-connection-setup-fix-memory-corruption-proper-w.patch	2021-02-22 11:33:16.000000000 +0800
@@ -0,0 +1,33 @@
+From 4cea55c6d68c1c46755876af4e3ff142cd6c81a3 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Stefan=20B=C3=BChler?= <stefan.buehler@tik.uni-stuttgart.de>
+Date: Wed, 10 Feb 2021 13:23:42 +0100
+Subject: [PATCH 35/36] dtls connection setup: fix memory corruption, proper
+ watcher setup
+
+ev_init and ev_io_set must never be called on active watchers - we
+need to cleanup previous connection state before setting a new one.
+
+ev_init clears the "active" flag, but doesn't remove the watcher from
+libev internal linked lists (and doesn't clear the "next" pointer for
+it).  This can for example lead to (unexpected) cyclic lists in libev,
+and libev can loop forever trying to deal with them.
+---
+ src/worker-vpn.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/worker-vpn.c b/src/worker-vpn.c
+index b77597c5..146c6acf 100644
+--- a/src/worker-vpn.c
++++ b/src/worker-vpn.c
+@@ -431,7 +431,7 @@ static int setup_dtls_connection(struct worker_st *ws, struct dtls_st * dtls)
+ 	}
+ 
+ 	dtls->dtls_session = session;
+-	ev_init(&dtls->io, dtls_watcher_cb);
++	ev_io_stop(worker_loop, &dtls->io);
+ 	ev_io_set(&dtls->io, dtls->dtls_tptr.fd, EV_READ);
+ 	ev_io_start(worker_loop, &dtls->io);
+ 	ev_invoke(worker_loop, &dtls->io, EV_READ);
+-- 
+2.20.1
+
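Review bot: With `ev_init(&dtls->io, dtls_watcher_cb)` removed, setup_dtls_connection no longer sets the callback itself and relies on the watcher having been initialised before the first call; the only initialisation visible on this page is `ev_init(&DTLS_ACTIVE(ws)->io, dtls_watcher_cb)` and its DTLS_INACTIVE twin in worker_event_loop (context lines of patch 0020). That ordering should be documented at the call site, because `ev_io_stop` on a watcher that was never ev_init()ed would read uninitialised watcher fields unless the structure is zero-allocated, which is not shown here. Suggested comment above the new line: `/* io was ev_init()ed in worker_event_loop; stop it first, ev_io_set must not run on an active watcher */`. The function's body starts and ends outside the hunk, so whether the previous connection's fd is closed before `ev_io_set` replaces it cannot be checked from this page.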
diff -Nru ocserv-1.1.2/debian/patches/series ocserv-1.1.2/debian/patches/series
--- ocserv-1.1.2/debian/patches/series	2020-07-13 15:52:07.000000000 +0800
+++ ocserv-1.1.2/debian/patches/series	2021-02-22 11:35:09.000000000 +0800
@@ -1 +1,5 @@
 legacy_pidfile.patch
+0009-update_auth_time_stats-cast-operations-to-avoid-over.patch
+0020-ocserv-worker-renamed-loop-to-worker_loop.patch
+0033-Close-fd-and-stop-ev_io-on-failed-handshake.patch
+0035-dtls-connection-setup-fix-memory-corruption-proper-w.patch

Attachment: signature.asc
Description: PGP signature


--- End Message ---
--- Begin Message ---
Hi Aron,

On 22-02-2021 04:43, Aron Xu wrote:
> This is a pre-approval request that please unblock package ocserv/1.1.2-2, which
> is a version with cherry picked upstream bug fixes.

I wonder if you confused the phase we're in [1], as ocserv isn't blocked;
it's just not permitted to migrate because you uploaded a binary package
along with the source. We can schedule a binNMU for that (will do
shortly), but next time please just do a source-only upload.

> unblock ocserv/1.1.2-2

Nothing to unblock at this moment.

Paul

[1] https://release.debian.org/bullseye/freeze_policy.html#soft

Attachment: OpenPGP_signature
Description: OpenPGP digital signature


--- End Message ---
