Zero the temporary envelope parsing buffers before use.
While current parsing paths do not expose uninitialized data, keeping stack residue
in these transient buffers unnecessarily weakens compartmentalization and may aid
lateral movement inside the privsep environment after another bug.
The diff also fixes a theoretical double close race bug which can't really happen in
smtpd due to requiring concurrency in our single threaded event loop, and which would
have very limited reliability impact if it was triggered (forcing a mail to fail on a
schedule tick and be retried at next tick). This is still incorrect so let's avoid a
copy of this code in more problematic places.
diff by Stuart Thomas <stuart.thomas at triageforge.co.uk>
Ensure pending asynchronous lookups do not retain dangling smtp_session references after teardown.
This is mainly a robustness fix inside the privsep model:
stale references may permit lateral effects between smtpd processes after another compromise.
diff by Stuart Thomas <stuart.thomas at triageforge.co.uk>
validate encrypted queue buffer sizes before processing auth tag and IV data:
current callers already treat malformed input as a decrypt failure but rejecting
truncated buffers earlier makes boundary conditions more explicit.
diff by Stuart Thomas <stuart.thomas at triageforge.co.uk>
Pass correct argument to m_tag_delete() in ip_srcroute()
When the ip_srcroute function was redone to follow what FreeBSD did
the m_tag_delete() call was not correctly adjusted. In FreeBSD the
tag data structs always start with a struct m_tag while in OpenBSD
this wrapping is not done.
ip_srcroute is disabled by default and nobody sane turns it on.
From a report by Frank Denis
OK dlg@ deraadt@
Correct ICMPv6 parameter problem in IPv6 destination option.
If the destination option is placed in a different mbuf than the
IPv6 header, the calculation of the parameter problem offset was
wrong.
found by Quarkslab Vulnerability Reports
OK deraadt@
sys/ufs: make ufs_readdir() use UFS_BUFATOFF()
Read directory data through UFS_BUFATOFF() instead of routing the
operation through VOP_READ() into a temporary kernel buffer; this keeps
directory entry decoding on the buffer cache path, bounds each transfer
by the buffer size, file size, and caller supplied count, and releases
each buffer after complete entries are converted.
Since VOP_READ() no longer provides the access time side effect, mark
IN_ACCESS under the same MNT_NOATIME rule used by ffs_read().
OK: deraadt@
sys/qwz: add AMPDU callbacks
Add the same BlockAck task and AMPDU callback plumbing used by qwx.
This wires net80211 ADDBA/DELBA handling into the existing qwz RX
TID/reorder setup code, while leaving TX aggregation to firmware as qwx.
OK: stsp@
audio/gmpc: blindly add a #pragma to fix build errors with llvm 22
#pragma clang diagnostic ignored "-Wincompatible-function-pointer-types"
is already found in many source files for gmpc, which is on life support
anyway :)