isakmpd: Fix NULL dereference in message_validate_sa()
When the responder cookie is non-zero but sa_lookup_by_header()
finds no matching SA, msg->isakmp_sa is NULL. Thus check before
dereferencing.
Allow rectangle selection to extend past end of current line to behave
the same as vi with virtualedit=block set. From Mark Kelly in GitHub
issue 5227.
Fix behavior of ')' used in a range when setence reaches EOF.
For a sentence spanning more than one line at the end of the file,
when the cursor is placed at the first character of any line except
for the last one, running '!)<cmd>' won't affect the last line.
From Walter Alejandro Iglesias
Check for E_CLRFLAG in ecp->cmd->flags, not ecp->iflags.
Fixes a problem where an extra line is printed at the end of the
output when the "number" command is given the "l" (literal display)
flag.
From Jeremy Mates Walter Alejandro Iglesias and
Be more strict about what names and titles we allow and reject them
immediately when possible, but allow # again for those directly set by
commands (but not escape sequences). From Barrett Ruth in GitHub issue
5175.
rpki-client: reject certs with duplicate extension OIDs
We check this for extensions we know about in cert_parse_extensions().
We keep doing it there since we need to keep track of the extensions we
encountered anyway.
While cert_parse_extensions() rejects certs with critical extensions we
don't know about, we allow duplicate non-critical ones mainly because
that's annoying to keep track of. LibreSSL's libcrypto checks for this
and rejects the cert when caching the extensions, OpenSSL 4 adds a new
EXFLAG_DUPLICATE flag and accepts the cert, and OpenSSL 3 simply ignores
duplicates. In short: we get to do it ourselves.
This check is basically lifted from libcrypto's x509_purp.c with a few
extra contortions due to const sprinkling and making things opaque. The
warnx is the same as the one already present in cert_parse_extensions().
We do not NULL check X509_EXTENSION_get_object() because the extension
parsed, so an OID is present.
[2 lines not shown]
Make sure UDP header length field at least covers the UDP header.
We clamp the amount of data we are willing to parse to the length of
the UDP packet as indicated by the UDP header length field. While we
made sure that the length field did not point past the received data,
we never checked if the length is smaller than the udp header. Since
we are using BPF, the kernel also does not doe this for us. This might
in turn lead to an underflow and a subsequent crash of the engine
process.
Pointed out and diff provided by Andrew Griffiths, thanks!
Tighten well-formedness checks on AIA & SIA extensions in certs
Valid Rsync URIs always contain a module component.
To avoid duplication of URI validation code, refactor rsync_base_uri()
to optionally allocate & dup the base URI portion.
Thanks to Ties de Kock for reporting.
OK tb@ claudio@
sys/sparc64: accept ide nodes in IDE bootpaths
OpenBIOS reports QEMU IDE disks with an intermediate ide node, while the
sparc64 bootpath code only treats ata as a channel node.
The disk is attached as wd0, but the final disk component is not nailed
as the boot device, so the kernel asks for the root device.
No QEMU level option seems possible to enforce ata disk.
OK: claudio@
