openwrt / openwrt

This repository is a mirror of https://git.openwrt.org/openwrt/openwrt.git. It is for reference only and is not active for check-ins. We will continue to accept Pull Requests here. They will be merged via staging trees, then into openwrt.git.

FS#4188 - libwolfssl can't authenticate ip address ssl certificates #9168

Open openwrt-bot opened 2 years ago

openwrt-bot commented 2 years ago

Alozxy:

Recently I found that libwolfssl could not authenticate some IP address SSL certificates. A strange thing is that some URLs (like https://1.1.1.1/) can be authenticated successfully, but others cannot (like https://223.5.5.5/), and it only happens on my mt7621 router Xiaomi Redmi AC2100 but cannot be reproduced on the ipq4019 router MobiPromo CM520-79F.

And then I dug deeper into the source code and found the bug.

https://raw.githubusercontent.com/wolfSSL/wolfssl/v4.8.1-stable/src/internal.c

In line 10097, the macro XSNPRINTF expands to snprintf, and altName->name[i] has type char. On different platforms char is not always unsigned; if altName->name[i] is a signed char and the byte is larger than 127, it will be converted into unsigned int incorrectly and print the wrong string.

The problem seems to be solved in wolfssl v5.0 because I saw some changes to the relevant code, but the wolfssl in OpenWrt 21.02 is still v4.8.1-stable. I think maybe we can either upgrade the package or add a patch to the existing code?
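The sign-extension bug described in the report, reduced to a stand-alone example. This is added illustration code, not wolfSSL's internal.c: the function names, the `signed char` parameter type (used to model a platform where plain `char` is signed, as on MIPS; on ARM `char` is unsigned by default, which is consistent with the report reproducing only on the mt7621 board) and the sample addresses are constructed here. The buggy formatter reproduces the `%u` pattern the report attributes to line 10097; the fixed formatter reinterprets each byte as `unsigned char` before it is promoted for the variadic call.

```c
#include <stdio.h>
#include <string.h>

/* Large enough for the worst buggy output, "4294967295.4294967295.4294967295.4294967295". */
#define IP4_TEXT_BUF 64

/* Buggy formatter (constructed): models the pattern described in the report.
 * `name` holds the 4 raw bytes of an iPAddress subjectAltName. Because the
 * element type is signed, a byte >= 0x80 is negative; it is promoted to int and
 * then converted to unsigned int, giving a value near 2^32 instead of 0..255. */
static int format_ip4_buggy(const signed char *name, char *out, size_t out_len)
{
    return snprintf(out, out_len, "%u.%u.%u.%u",
                    (unsigned int)name[0], (unsigned int)name[1],
                    (unsigned int)name[2], (unsigned int)name[3]);
}

/* Fixed formatter (constructed): view the bytes as unsigned char first, so
 * each one promotes to 0..255 regardless of the platform's char signedness. */
static int format_ip4_fixed(const signed char *name, char *out, size_t out_len)
{
    const unsigned char *u = (const unsigned char *)name;
    return snprintf(out, out_len, "%u.%u.%u.%u", u[0], u[1], u[2], u[3]);
}

/* Hostname check as a verifier would do it: the formatted SAN must equal the
 * IP literal the client connected to. Returns 1 on match, 0 otherwise. */
static int ip4_san_matches(const signed char *name, const char *expected, int use_fixed)
{
    char text[IP4_TEXT_BUF];
    if (use_fixed)
        format_ip4_fixed(name, text, sizeof text);
    else
        format_ip4_buggy(name, text, sizeof text);
    return strcmp(text, expected) == 0;
}

int main(void)
{
    /* Constructed sample SAN bytes: 1.1.1.1 (all bytes < 0x80) and 223.5.5.5
     * (first byte 0xDF, which reads as -33 when the element type is signed). */
    const signed char cloudflare[4] = {1, 1, 1, 1};
    const signed char alidns[4]     = {-33 /* 0xDF = 223 as a signed byte */, 5, 5, 5};
    char text[IP4_TEXT_BUF];

    format_ip4_buggy(cloudflare, text, sizeof text);
    printf("buggy  1.1.1.1   -> %s\n", text);      /* 1.1.1.1 (works by luck) */
    format_ip4_buggy(alidns, text, sizeof text);
    printf("buggy  223.5.5.5 -> %s\n", text);      /* 4294967263.5.5.5 */
    format_ip4_fixed(alidns, text, sizeof text);
    printf("fixed  223.5.5.5 -> %s\n", text);      /* 223.5.5.5 */

    printf("buggy match: %d, fixed match: %d\n",
           ip4_san_matches(alidns, "223.5.5.5", 0),
           ip4_san_matches(alidns, "223.5.5.5", 1));
    return 0;
}
```

The output shows why only some addresses fail: any octet below 128 survives the promotion unchanged, so 1.1.1.1 validates while 223.5.5.5 does not. The same class of bug is worth checking for wherever a `char` buffer of raw bytes is fed to `%u`, `%x`, table lookups or comparisons; the portable rule is to cast to `unsigned char` (or declare the buffer `uint8_t`) before the value is widened.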

openwrt-bot commented 2 years ago

svlobanov:

Can you try to build firmware from trunk for your Xiaomi AC2100 with this patch https://github.com/openwrt/openwrt/pull/4910 ? If you use ustream-ssl, then you will also need this patch http://lists.openwrt.org/pipermail/openwrt-devel/2022-January/037485.html

openwrt-bot commented 2 years ago

Alozxy:

That works, thank you!

openwrt-bot commented 2 years ago

svlobanov:

@Alozxy could you please add a Tested-by: tag to the PR as a comment? It might speed up accepting the PR.