authorJean-Louis Fuchs <jean-louis.fuchs@adfinis-sygroup.ch>2020-05-20 18:26:13 +0200
committerRasmus Thomsen <oss@cogitri.dev>2020-05-21 19:28:27 +0000
commit5264821309e0e7518a9f7673ad12a4efbfc1db60 (patch)
tree4c45109bae9322270753ac9493a9b2a62810b42f
parentcd674aad38af0782fedf5e2ad8760b08470e4f13 (diff)
community/tinc-pre: add patch to prevent UDP probes flood
-rw-r--r--community/tinc-pre/APKBUILD13
-rw-r--r--community/tinc-pre/prevent-large-amounts-of-UDP-probes.patch70
2 files changed, 78 insertions, 5 deletions
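diff --git a/community/tinc-pre/APKBUILD b/community/tinc-pre/APKBUILD
index ab17d51197..03653364eb 100644
--- a/community/tinc-pre/APKBUILD
+++ b/community/tinc-pre/APKBUILD
@@ -1,9 +1,9 @@
 # Contributor: Carlo Landmeter <clandmeter@gmail.com>
 # Maintainer: Carlo Landmeter <clandmeter@gmail.com>
 pkgname=tinc-pre
-_realver="1.1pre17"
-pkgver=${_realver/pre/.}
-pkgrel=1
+_distver="1.1pre17"
+pkgver=${_distver/pre/.}
+pkgrel=2
 pkgdesc="Virtual Private Network (VPN) daemon (pre-release)"
 url="https://tinc-vpn.org/"
 # s390x: tests hang
@@ -14,13 +14,15 @@ makedepends="linux-headers ncurses-dev readline-dev
 zlib-dev lzo-dev openssl-dev texinfo
 automake autoconf libtool bash"
 subpackages="$pkgname-doc"
-source="http://tinc-vpn.org/packages/tinc-$_realver.tar.gz
+# TODO remove prevent-large-amounts-of-UDP-probes.patch on next release
+source="http://tinc-vpn.org/packages/tinc-$_distver.tar.gz
 tinc-1.1-fix-paths.patch
+ prevent-large-amounts-of-UDP-probes.patch
 $pkgname.initd
 $pkgname.confd
 $pkgname.networks
 "
-builddir="$srcdir/tinc-$_realver"
+builddir="$srcdir/tinc-$_distver"
 prepare() {
 default_prepare
@@ -65,6 +67,7 @@ package() {
 sha512sums="b966dbfa522e12ff6766c4deb54a9da29cddc15c3a1df0f0e084df27ee5f1421ffbebc0e29472b1bcd79ea8b41f8c0ef904172e333dcba0b85bafe4654a63b30 tinc-1.1pre17.tar.gz
 bb6f9a1fedf6ffab21f6bfa65c8d977b24453a5d667229eec995b979bbe8dcdaa0617f076a3d9081c4580068b385f7595b80856d5abcf9c928b866eb9c6f4910 tinc-1.1-fix-paths.patch
+ce2ff7c57798bfb85f6b382552e31cd1f79ddcc3a1ecc6b823b51103a480d7ccf43475d0e4511b0aa48f4f1515d0e544a1af65a170caf3b6aacc084b391a4855 prevent-large-amounts-of-UDP-probes.patch
 59811c3e5241d08ebdfbd539556b7cee0dfaab89727ad503512c98f1a696fae143ecdf2682a652c5d71d077ed254ffe2e1c442b1c305c7e7ea94d9af9a1d385e tinc-pre.initd
 f8d9354af5ebc07420ced98059262751bffef434b61c6333964338f327e2ac01ae676e375954efa794a1bccf8b939c78387b9fb7261f675f1237b0d946b529c9 tinc-pre.confd
 f7cb459c170898e51176bd92c642335386db90b7bca2abb3f6eb2514546efbd74e5fd2c8845060111dd48a0dd2cc1890717a03315c9b86185047c259cdc27135 tinc-pre.networks"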
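Review bot: The rewritten `source=` line in the second hunk still fetches the tarball over plain `http://` while `url=` in the first hunk already uses `https://`; since the line is being edited anyway, `source="https://tinc-vpn.org/packages/tinc-$_distver.tar.gz` would avoid a cleartext download (the pinned sha512sum in the last hunk protects integrity either way, but not confidentiality of what is fetched). The new TODO comment could also name the upstream commit the patch was taken from so the next bump can check whether it is already included, e.g. `# TODO remove prevent-large-amounts-of-UDP-probes.patch on next release (upstream commit 2b0aeec02d64bb4724da9ff1dbc19b7d35d7c904)`, that id being the one given in the patch header added by this commit.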
diff --git a/community/tinc-pre/prevent-large-amounts-of-UDP-probes.patch b/community/tinc-pre/prevent-large-amounts-of-UDP-probes.patch
new file mode 100644
index 0000000000..6701b2a919
--- /dev/null
+++ b/community/tinc-pre/prevent-large-amounts-of-UDP-probes.patch
@@ -0,0 +1,70 @@
+Upstream: Yes, merged
+Reason: Prevent large amounts of UDP probes being sent consecutively
+Url: http://git.tinc-vpn.org/git/browse?p=tinc;a=commit;h=2b0aeec02d64bb4724da9ff1dbc19b7d35d7c904
+
+From 017a7fb57655d9b1d706ee78f7e3d0000411b883 Mon Sep 17 00:00:00 2001
+From: Guus Sliepen <guus@tinc-vpn.org>
+Date: Tue, 18 Dec 2018 17:44:08 +0100
+Subject: [PATCH] Prevent large amounts of UDP probes being sent consecutively.
+
+We cannot reset udp_ping_sent to zero when we receive a valid reply to
+an UDP probe, because that would cause a new one to be sent immediately
+in try_udp(). Instead, add a bit to node_status_t to keep track of whether we
+have a UDP probe that's waiting for a reply.
+
+Thanks to Ronny Nilsson for spotting the source of the problem.
+---
+ src/net_packet.c | 7 ++++---
+ src/node.h | 3 ++-
+ 2 files changed, 6 insertions(+), 4 deletions(-)
+
+diff --git a/src/net_packet.c b/src/net_packet.c
+index 5a856429..31c66d32 100644
+--- a/src/net_packet.c
++++ b/src/net_packet.c
+@@ -152,11 +152,12 @@ static void udp_probe_h(node_t *n, vpn_packet_t *packet, length_t len) {
+ len = ntohs(len16);
+ }
+
+- if(n->udp_ping_sent.tv_sec != 0) { // a probe in flight
++ if(n->status.ping_sent) { // a probe in flight
+ gettimeofday(&now, NULL);
+ struct timeval rtt;
+ timersub(&now, &n->udp_ping_sent, &rtt);
+ n->udp_ping_rtt = rtt.tv_sec * 1000000 + rtt.tv_usec;
++ n->status.ping_sent = false;
+ logger(DEBUG_TRAFFIC, LOG_INFO, "Got type %d UDP probe reply %d from %s (%s) rtt=%d.%03d", DATA(packet)[0], len, n->name, n->hostname, n->udp_ping_rtt / 1000, n->udp_ping_rtt % 1000);
+ } else {
+ logger(DEBUG_TRAFFIC, LOG_INFO, "Got type %d UDP probe reply %d from %s (%s)", DATA(packet)[0], len, n->name, n->hostname);
+@@ -175,8 +176,7 @@ static void udp_probe_h(node_t *n, vpn_packet_t *packet, length_t len) {
+ reset_address_cache(n->address_cache, &n->address);
+ }
+
+- // Reset the UDP ping timer. (no probe in flight)
+- n->udp_ping_sent.tv_sec = 0;
++ // Reset the UDP ping timer.
+
+ if(udp_discovery) {
+ timeout_del(&n->udp_ping_timeout);
+@@ -1132,6 +1132,7 @@ static void try_udp(node_t *n) {
+ if(ping_tx_elapsed.tv_sec >= interval) {
+ gettimeofday(&now, NULL);
+ n->udp_ping_sent = now; // a probe in flight
++ n->status.ping_sent = true;
+ send_udp_probe_packet(n, MIN_PROBE_SIZE);
+
+ if(localdiscovery && !n->status.udp_confirmed && n->prevedge) {
+diff --git a/src/node.h b/src/node.h
+index 3daffd4a..1b33789e 100644
+--- a/src/node.h
++++ b/src/node.h
+@@ -41,7 +41,8 @@ typedef struct node_status_t {
+ unsigned int udppacket: 1; /* 1 if the most recently received packet was UDP */
+ unsigned int validkey_in: 1; /* 1 if we have sent a valid key to him */
+ unsigned int has_address: 1; /* 1 if we know an external address for this node */
+- unsigned int unused: 20;
++ unsigned int ping_sent: 1; /* 1 if we sent a UDP probe but haven't received the reply yet */
++ unsigned int unused: 19;
+ } node_status_t;
+
+ typedef struct node_t {
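Review bot: With udp_probe_h no longer zeroing `udp_ping_sent` (the removed line in the second hunk of src/net_packet.c), that timestamp is only meaningful while `status.ping_sent` is set, and the RTT computed at `timersub(&now, &n->udp_ping_sent, &rtt)` depends on try_udp setting the bit immediately after `n->udp_ping_sent = now;`. That coupling deserves to be stated on the new bit field, `unsigned int ping_sent: 1; /* 1 if we sent a UDP probe but haven't received the reply yet; udp_ping_sent is only valid while this is set */`, and the `// a probe in flight` remark now belongs on the `n->status.ping_sent = true;` line rather than on the timestamp assignment. A lost reply leaves the bit set until the next probe, which appears harmless because try_udp still gates sending on `ping_tx_elapsed.tv_sec >= interval` in the quoted context. Both udp_probe_h and try_udp extend beyond the hunks shown, and since this file is a verbatim upstream backport, any such wording change belongs upstream rather than in the aports copy.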