Fail if the mrt message length is larger than MRT_MAX_LEN (1MB).
No message should have such a large size.
Ensure the dump callback is never called with a mrt peer table
that is NULL.
Reported by 7Asecurity
OK tb@
GNU libc has this stupid behaviour of allowing options in any order
and so one needs to terminate the option parsing to be sure none of
the later user supplied arguments could be interpreted as an option.
Reported by 7Asecurity
OK tb@
Replace the lerrx on version mismatch with a lwarnx and error return.
Switch to ssize_t return for that so that slowcgi_request() can properly
fail when this happens.
Also do not execute multiple bgplgd commands when extra end-of-params
messages are received. Once a command is executed fail to start a 2nd
one.
Reported by Frank Denis
OK tb@
Ext communities are split over the 3 data fields of struct community.
All ext communities put the first 2 bytes (type and subtype) into data3.
For EXT_COMMUNITY_TRANS_IPV4 and EXT_COMMUNITY_TRANS_FOUR_AS a 2-4-2 split
is used. All other types use a 2-2-4 split; this should include all unknown
types. So add default cases into the various switch statements to make this
happen.
Reported by 7Asecurity
OK tb@
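Worked example of the split described in that commit message, added here and not bgpd's own code: a simplified stand-in for struct community and a parser whose default case gives every unrecognised type the 2-2-4 layout. The numeric type values and the 0x3f flag mask are assumptions taken from RFC 4360/5668, not from the page.

```c
#include <stdint.h>

/* Type numbers from RFC 4360 / RFC 5668; the names follow the commit message,
 * the numeric values are this example's assumption. */
#define EXT_COMMUNITY_TRANS_IPV4	0x01
#define EXT_COMMUNITY_TRANS_FOUR_AS	0x02
#define EXT_COMMUNITY_TYPE_MASK		0x3f	/* drop IANA/transitive flag bits */

/* Simplified stand-in for bgpd's struct community: only the three data fields. */
struct community {
	uint32_t data1, data2, data3;
};

static uint32_t be16(const uint8_t *p) { return (uint32_t)p[0] << 8 | p[1]; }
static uint32_t be32(const uint8_t *p) { return be16(p) << 16 | be16(p + 2); }

/*
 * Split an 8-byte extended community over the three data fields. Bytes 0-1
 * (type, subtype) always land in data3. The IPv4 and four-octet AS types use
 * a 2-4-2 split; every other type, unknown ones included via the default
 * case, uses 2-2-4.
 */
void
ext_community_split(const uint8_t ext[8], struct community *c)
{
	c->data3 = be16(ext);
	switch (ext[0] & EXT_COMMUNITY_TYPE_MASK) {
	case EXT_COMMUNITY_TRANS_IPV4:
	case EXT_COMMUNITY_TRANS_FOUR_AS:
		c->data1 = be32(ext + 2);	/* 4-byte address or AS number */
		c->data2 = be16(ext + 6);	/* 2-byte local value */
		break;
	default:				/* two-octet AS, opaque and unknown types */
		c->data1 = be16(ext + 2);	/* 2-byte AS number or field */
		c->data2 = be32(ext + 4);	/* 4-byte local value */
		break;
	}
}

/* Constructed samples: IPv4 route target 192.0.2.1:100, two-octet AS route
 * target 65000:100, and an unknown type 0x30 that must still get 2-2-4. */
const uint8_t sample_ipv4[8]    = { 0x01, 0x02, 192, 0, 2, 1, 0x00, 0x64 };
const uint8_t sample_two_as[8]  = { 0x00, 0x02, 0xfd, 0xe8, 0x00, 0x00, 0x00, 0x64 };
const uint8_t sample_unknown[8] = { 0x30, 0x0b, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66 };

/* Return data1, data2 or data3 (n = 1, 2, 3) of the split community. */
uint32_t split_field(const uint8_t ext[8], int n)
{
	struct community c;
	ext_community_split(ext, &c);
	return n == 1 ? c.data1 : n == 2 ? c.data2 : c.data3;
}
```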
Dumping messages from peers with extended message capability would fail
since the MRT code was still limited to the old 4096 byte size.
Reported by 7Asecurity
OK tb@
In error cases using YYERROR, data is freed but the global pointer is not
reset (to NULL or, in the case of curpeer, to curgroup). On YYERROR yacc
still moves on and so any rules using e.g. curpeer do a use-after-free.
Reported by 7Asecurity
OK tb@
Prevent use-after-free.
rib_remove calls pt_unref() before the RB_REMOVE() call which also uses
re_rib(). re_rib() evaluates re->prefix but pt_unref() could free the
prefix if the refcount drops to 0.
Reported by 7Asecurity
OK tb@
Allow glob patterns in the logfile_name field of newsyslog.conf(5),
so that entries like /var/log/app/*.log are expanded at parse time.
From Alvar Penning, feedback and OK jan@
This is not an issue by itself but it weakens compartmentalization and may assist
lateral movement inside the privsep environment after another bug.
diff by Stuart Thomas <stuart.thomas@triageforge.co.uk>
This is not an issue on its own but may permit lateral movement or memory corruption
inside the privsep environment after another bug.
diff by Stuart Thomas <stuart.thomas@triageforge.co.uk>
While current parsing paths do not expose uninitialized data, keeping stack residue
in these transient buffers unnecessarily weakens compartmentalization and may aid
lateral movement inside the privsep environment after another bug.
The diff also fixes a theoretical double close race bug which can't really happen in
smtpd due to requiring concurrency in our single threaded event loop, and which would
have very limited reliability impact if it was triggered (forcing a mail to fail on a
schedule tick and be retried at next tick). This is still incorrect so let's avoid a
copy of this code in more problematic places.
diff by Stuart Thomas <stuart.thomas@triageforge.co.uk>
This is mainly a robustness fix inside the privsep model:
stale references may permit lateral effects between smtpd processes after another compromise.
diff by Stuart Thomas <stuart.thomas@triageforge.co.uk>
Current callers already treat malformed input as a decrypt failure but rejecting
truncated buffers earlier makes boundary conditions more explicit.
diff by Stuart Thomas <stuart.thomas@triageforge.co.uk>
When the ip_srcroute function was redone to follow what FreeBSD did
the m_tag_delete() call was not correctly adjusted. In FreeBSD the
tag data structs always start with a struct m_tag while in OpenBSD
this wrapping is not done.
ip_srcroute is disabled by default and nobody sane turns it on.
From a report by Frank Denis
OK dlg@ deraadt@
If the destination option is placed in a different mbuf than the
IPv6 header, the calculation of the parameter problem offset was
wrong.
found by Quarkslab Vulnerability Reports
OK deraadt@
Read directory data through UFS_BUFATOFF() instead of routing the
operation through VOP_READ() into a temporary kernel buffer; this keeps
directory entry decoding on the buffer cache path, bounds each transfer
by the buffer size, file size, and caller supplied count, and releases
each buffer after complete entries are converted.
Since VOP_READ() no longer provides the access time side effect, mark
IN_ACCESS under the same MNT_NOATIME rule used by ffs_read().
OK: deraadt@
Add the same BlockAck task and AMPDU callback plumbing used by qwx.
This wires net80211 ADDBA/DELBA handling into the existing qwz RX
TID/reorder setup code, while leaving TX aggregation to firmware as qwx.
OK: stsp@
kernel. GP relaxation requires the medlow code model, which we don't want
because it will limit future kernel address space randomization.
Should fix linking the riscv64 kernel with llvm 22.
ok jca@
Several error paths in ocsp_connect() can call ocsp_connect_finish()
with oc == NULL. This will result in a NULL-deref. To recover
gracefully the child requesting the OCSP file descriptor needs to
be notified, otherwise the stale request will exist in the child
forever. To accomplish this, provide struct iked_sahdr *sh directly
to ocsp_connect_finish() as a parameter. So sh is guaranteed to
be valid even when oc is NULL.
While there, avoid a potential double-free on oc_path when a strdup(3)
fails.
ok tobhe@
a vendor command interface of the embedded controller found in Samsung
laptops.
For now we support keyboard backlight control, as tested on the Samsung
Galaxy Book4 Edge.
Feedback and ok kettenis@
uvm_constraint_range bounds are physical addresses, as is
VM_PAGE_TO_PHYS(). Do not apply atop() before comparing them, otherwise
the pagedaemon matches page frame numbers against byte address ranges.
OK: kettenis@, deraadt@