Skip to content

limit child allocation depth to MAX_TLV_STACK #7737

limit child allocation depth to MAX_TLV_STACK

limit child allocation depth to MAX_TLV_STACK #7737

Workflow file for this run

name: CI
on:
push:
branches-ignore:
- coverity_scan
- run-fuzzer**
- debug-fuzzer-**
pull_request:
env:
ASAN_OPTIONS: symbolize=1 detect_leaks=1 detect_stack_use_after_return=1
LSAN_OPTIONS: fast_unwind_on_malloc=0:malloc_context_size=50
UBSAN_OPTIONS: print_stacktrace=1
M_PERTURB: "0x42"
PANIC_ACTION: "gdb -batch -x raddb/panic.gdb %e %p 1>&0 2>&0"
# Stops the utilities forking on every call to check if they're running under GDB/LLDB
DEBUGGER_ATTACHED: no
ANALYZE_C_DUMP: 1
FR_GLOBAL_POOL: 4M
TEST_CERTS: yes
NO_PERFORMANCE_TESTS: yes
DO_BUILD: yes
HOSTAPD_BUILD_DIR: eapol_test.ci
HOSTAPD_GIT_TAG: hostap_2_10
ALT_OPENSSL: "3.0.2"
DEBIAN_FRONTEND: noninteractive
CI: 1
GH_ACTIONS: 1
jobs:
pre-ci:
runs-on: ubuntu-latest
# Map a step output to a job output
outputs:
should_skip: ${{ steps.skip_check.outputs.should_skip }}
selfhosted: ${{ github.repository_owner == 'FreeRADIUS' && '1' || '0' }}
docker_prefix: ${{ github.repository_owner == 'FreeRADIUS' && 'docker.internal.networkradius.com/' || '' }}
steps:
- id: skip_check
uses: fkirc/skip-duplicate-actions@master
ci:
timeout-minutes: 150
needs: pre-ci
if: ${{ needs.pre-ci.outputs.should_skip != 'true' }}
runs-on: ${{ matrix.os.runs_on }}
container:
image: ${{ matrix.os.docker }}
# "privileged" is needed for Samba install
# "memory-swap -1" enables full use of host swap and may help
# with containers randomly quitting with "The operation was
# canceled"
options: >-
--privileged
--memory-swap -1
strategy:
fail-fast: false
matrix:
# runs_on - where GitHub will spin up the runner, either
# "self-hosted", or the name of a GitHub VM image
# e.g. ubuntu-20.04 or ubuntu-latest
# see: https://github.com/actions/runner-images
# code - the name/version of the OS (for step evaluations below)
# docker - the docker image name, if containers are being used
# name - used in the job name only
os:
- runs_on: "${{ needs.pre-ci.outputs.selfhosted == '1' && 'self-hosted' || 'ubuntu-20.04' }}"
docker: "${{ needs.pre-ci.outputs.selfhosted == '1' && 'docker.internal.networkradius.com/self-hosted' || 'ubuntu:20.04' }}"
name: "${{ needs.pre-ci.outputs.selfhosted == '1' && 'self' || 'gh' }}-ubuntu20"
code: "ubuntu2004"
imageos: "ubuntu20"
env:
- { CC: gcc, BUILD_CFLAGS: "-DWITH_EVAL_DEBUG", LIBS_OPTIONAL: no, LIBS_ALT: no, TEST_TYPE: fixtures, NAME: linux-gcc-lean }
- { CC: gcc, BUILD_CFLAGS: "-DWITH_EVAL_DEBUG", LIBS_OPTIONAL: yes, LIBS_ALT: no, TEST_TYPE: fixtures, NAME: linux-gcc }
- { CC: gcc, BUILD_CFLAGS: "-DWITH_EVAL_DEBUG -O2 -g3", LIBS_OPTIONAL: yes, LIBS_ALT: no, TEST_TYPE: fixtures, NAME: linux-gcc-O2-g3 }
- { CC: gcc, BUILD_CFLAGS: "-DNDEBUG", LIBS_OPTIONAL: yes, LIBS_ALT: no, TEST_TYPE: fixtures, NAME: linux-gcc-ndebug }
- { CC: clang, BUILD_CFLAGS: "-DWITH_EVAL_DEBUG", LIBS_OPTIONAL: no, LIBS_ALT: no, TEST_TYPE: fixtures, NAME: linux-clang-lean }
- { CC: clang, BUILD_CFLAGS: "-DWITH_EVAL_DEBUG", LIBS_OPTIONAL: yes, LIBS_ALT: no, TEST_TYPE: fixtures, NAME: linux-clang }
- { CC: clang, BUILD_CFLAGS: "-DWITH_EVAL_DEBUG -O2 -g3", LIBS_OPTIONAL: yes, LIBS_ALT: no, TEST_TYPE: fixtures, NAME: linux-clang-O2-g3 }
- { CC: clang, BUILD_CFLAGS: "-DNDEBUG", LIBS_OPTIONAL: yes, LIBS_ALT: no, TEST_TYPE: fixtures, NAME: linux-clang-ndebug }
- { CC: clang, BUILD_CFLAGS: "-DWITH_EVAL_DEBUG", LIBS_OPTIONAL: yes, LIBS_ALT: yes, TEST_TYPE: fixtures, NAME: linux-clang-altlibs }
- { CC: clang, BUILD_CFLAGS: "-DWITH_EVAL_DEBUG -O2 -g3", LIBS_OPTIONAL: yes, LIBS_ALT: no, TEST_TYPE: fuzzing, NAME: linux-fuzzer }
env: ${{ matrix.env }}
# If branch protection is in place with status checks enabled, ensure
# names are updated if new matrix entries are added or the name format
# changes.
name: "master-${{ matrix.os.name }}-${{ matrix.env.NAME}}"
# The standard GitHub environment contains PostgreSQL and
# MySQL already. However when running on hosted GitHub runners
# we need to run separate database containers to provide these.
services:
mariadb:
image: ${{ needs.pre-ci.outputs.docker_prefix }}mariadb
env:
MARIADB_ALLOW_EMPTY_ROOT_PASSWORD: yes
ports:
- 3306:3306
options: >-
--health-cmd="mariadb-admin ping"
--health-interval 10s
--health-timeout 5s
--health-retries 10
postgres:
image: ${{ needs.pre-ci.outputs.docker_prefix }}postgres
env:
POSTGRES_HOST_AUTH_METHOD: trust
ports:
- 5432:5432
options: >-
--health-cmd pg_isready
--health-interval 10s
--health-timeout 5s
--health-retries 5
threeds:
image: ${{ needs.pre-ci.outputs.docker_prefix }}4teamwork/389ds
ports:
- 3389:3389
- 3636:3636
options: >-
-e SUFFIX_NAME=dc=example,dc=com
-e DS_DM_PASSWORD=secret123
--health-cmd "dsctl localhost healthcheck --check backends:localhost:search"
--health-interval 10s
--health-timeout 5s
--health-retries 5
steps:
# Need git installed for checkout to behave normally
- name: Install checkout prerequisites
run: apt-get update && apt-get install -y --no-install-recommends git git-lfs ca-certificates
# Checkout, but defer pulling LFS objects until we've restored the cache
- uses: actions/checkout@v3
with:
lfs: false
# Docker image does not have same environment as the
# standard GitHub actions image, so use this to bring them
# more in line.
- name: Prepare Docker environment
uses: ./.github/actions/docker-prep
- name: Install build dependencies
uses: ./.github/actions/freeradius-deps
with:
use_docker: true
cc: ${{ matrix.env.CC }}
- name: Install alternative dependencies
if: ${{ matrix.env.LIBS_ALT == 'yes' }}
uses: ./.github/actions/freeradius-alt-deps
- name: Build FreeRADIUS
uses: ./.github/actions/build-freeradius
with:
use_sanitizers: false
cc: ${{ matrix.env.CC }}
test_type: ${{ matrix.env.TEST_TYPE }}
- name: Run main CI tests
uses: ./.github/actions/ci-tests
if: ${{ matrix.env.TEST_TYPE == 'fixtures' }}
with:
use_docker: true
sql_mysql_test_server: mariadb
sql_postgresql_test_server: postgres
redis_test_server: 127.0.0.1
ldap_test_server: 127.0.0.1
ldap_test_server_port: 3890
ldaps_test_server_port: 6361
ldap389_test_server: threeds
ldap389_test_server_port: 3389
active_directory_test_server: 127.0.0.1
rest_test_server: 127.0.0.1
rest_test_port: 8080
rest_test_ssl_port: 8443
imap_test_server: 127.0.0.1
imap_test_server_port: 1430
imap_test_server_ssl_port: 1432
smtp_test_server: 127.0.0.1
smtp_test_server_port: 2525
- name: Run fuzzer
uses: ./.github/actions/fuzzer
#
# If the CI has failed and the branch is ci-debug then we start a tmate
# session to provide interactive shell access to the session.
#
# The SSH rendezvous point will be emited continuously in the job output,
# which will look something like:
#
# SSH: ssh VfuX8SrNuU5pGPMyZcz7TpJTa@sfo2.tmate.io
#
# For example:
#
# git push origin ci-debug --force
#
# Look at the job output in: https://github.com/FreeRADIUS/freeradius-server/actions
#
# ssh VfuX8SrNuU5pGPMyZcz7TpJTa@sfo2.tmate.io
#
# Access requires that you have the private key corresponding to the
# public key of the GitHub user that initiated the job.
#
- name: "Debug: Start tmate"
uses: mxschmitt/action-tmate@v3
with:
limit-access-to-actor: true
if: ${{ github.ref == 'refs/heads/ci-debug' && failure() }}
##########################################################################################
# FREERADIUS CORE DEVELOPERS ONLY
##########################################################################################
#
# Direct push access to the main freeradius-server repo will be disabled in an attempt
# to keep CI passing reliably.
#
# If the above CI checks pass then we auto-merge into the same upstream branch
# (only on push) if a PERSONAL_ACCESS_TOKEN secret is defined, i.e. when
# the actor claims to be a FreeRADIUS developer with push access.
#
# Personal access tokens can be generated via the GitHub website:
#
# - Click on the Profile menu (top right)
# > Settings
# > Developer settings
# > Personal access tokens
# > Generate New Token
# - Next, add the following settings and scopes:
# Note: FreeRADIUS CI Push
# repo (checked)
# workflow (checked)
#
# This will allow any git operations using this PERSONAL_ACCESS_TOKEN to commit code to any
# public repository you have access to.
#
# As this PERSONAL_ACCESS_TOKEN will only ever be accessible from GitHub actions when they are
# running from your fork of the FreeRADIUS repo, this shouldn't be a security issue.
#
# After generating your PERSONAL_ACCESS_TOKEN you will need to add it as a secret to your
# repository.
#
# - Copy your new token
# - Click on the Profile menu (top right)
# > Your repositories
# - Search for freeradius-server
# > Click freeradius-server
# - Click settings in the tabs on the left
# - Click secrets in the menu items on the left
# - Click New repository secret
# - Name: PERSONAL_ACCESS_TOKEN
# Value: <value you copied>
# - Click Add secret
#
# You may also wish to set a different pushurl for your local repository to make integration
# more seamless:
#
# git config remote.origin.pushurl git@github.com:<github_user>/freeradius-server.git
#
# git pull will then pull from the upstream repo, whilst git push will be directed to your fork.
#
#
# Needed because secrets are not available for evaluation in if conditions
# at the job level, so we evaluate the existence of the PERSONAL_ACCESS_TOKEN secret
# within a step and export the result instead. We also extract the short
# branch name here because it's convenient to do so.
#
merge-preflight:
needs:
- ci
if: ( github.event_name == 'push' ) && ( github.repository_owner != 'FreeRADIUS' ) && ( github.ref == 'refs/heads/master' || github.ref == 'refs/heads/v3.0.x' )
name: "Merge preflight"
runs-on: ubuntu-latest
steps:
- name: "Report whether PERSONAL_ACCESS_TOKEN secret exists"
id: merge-preflight
run: |
if [ -n "$PERSONAL_ACCESS_TOKEN" ]; then echo "PERSONAL_ACCESS_TOKEN_EXISTS=1" >> $GITHUB_OUTPUT; fi
env:
PERSONAL_ACCESS_TOKEN: ${{ secrets.PERSONAL_ACCESS_TOKEN }}
outputs:
PERSONAL_ACCESS_TOKEN_EXISTS: ${{ steps.merge-preflight.outputs.PERSONAL_ACCESS_TOKEN_EXISTS }}
merge-upstream:
needs:
- ci
- merge-preflight
if: needs.merge-preflight.outputs.PERSONAL_ACCESS_TOKEN_EXISTS == '1'
runs-on: ubuntu-latest
name: "Merge into upstream"
steps:
- uses: actions/checkout@v3
with:
fetch-depth: 0
lfs: false
persist-credentials: false
# Note: This also opportunistically updates the developer's branch with commits from
# the main repository.
# This update may fail if the developer has pushed additional commits since the
# workflow started. This is normal, and we ignore the failure.
#
# We fixup the origin URL as the default remote fails on push with:
# fatal: could not read Username for 'https://github.com': No such device or address
- name: "Merge into upstream dev branch and update local branch"
run: |
BRANCH=${GITHUB_REF#refs/heads/}
git config --local user.name "github-actions[bot]"
git config --local user.email "41898282+github-actions[bot]@users.noreply.github.com"
git remote add upstream https://$USERNAME:$REPO_KEY@github.com/FreeRADIUS/freeradius-server.git
git remote set-url origin https://$USERNAME:$REPO_KEY@github.com/$REPO_NAME
git fetch --no-recurse-submodules upstream +refs/heads/*:refs/remotes/upstream/* +refs/tags/*:refs/tags/upstream/*
git checkout --progress --force -B upstream-branch "refs/remotes/upstream/$BRANCH"
git merge "$BRANCH" --ff-only
git push upstream "upstream-branch:$BRANCH"
git push origin "upstream-branch:$BRANCH" || true
env:
USERNAME: ${{ github.repository_owner }}
REPO_NAME: ${{ github.repository }}
REPO_KEY: ${{ secrets.PERSONAL_ACCESS_TOKEN }}