If either tcp_md5_set() or pfkey_establish() fails then also fail the
ongoing connect.
The old graceful failure mode was added for strange cases like kernels
without TCP MD5 support but there is honestly no good reason to limp along.
The correct way to handle this on such broken systems is to edit the config
and remove the auth settings. After that a bgpctl reload will fix the problem
by skipping the TCP MD5 or IPSec setup.
Reported by Frank Denis
OK tb@
In log_evpnaddr() the labellen for EVPN_ROUTE_TYPE_2 can either be 3 or 6.
Currently only the first label is printed so only take the first 3 bytes
of addr->labelstack to build the VNI. Do this by hand with a few shifts
and or operations instead of the memcpy and htonl() fumbling.
EVPN is still experimental and disabled by default.
Found by myself and also reported by Frank Denis
OK denis@ tb@
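As an added illustration of the 3-byte extraction described above (this is not bgpd's log_evpnaddr() code): a hypothetical helper that accepts only the two label stack lengths a type-2 route can carry and assembles the VNI from the first label with shifts, assuming the VXLAN encoding in which the whole 24-bit label field is the VNI.

```c
#include <stddef.h>
#include <stdint.h>

/* Hypothetical helper (not bgpd's code): extract the VNI carried in the first
 * 3-byte label of an EVPN type-2 route's label stack. The stack is 3 bytes
 * (one label) or 6 bytes (two labels); any other length is rejected. Assumes
 * the VXLAN encoding where the whole 24-bit label field is the VNI. */
int
evpn_type2_vni(const uint8_t *labelstack, size_t labellen, uint32_t *vni)
{
	if (labelstack == NULL || vni == NULL)
		return -1;
	if (labellen != 3 && labellen != 6)
		return -1;
	/* Big-endian assembly of exactly the first three bytes: no memcpy into
	 * a uint32_t that would drag in a fourth byte, and no htonl() needed. */
	*vni = ((uint32_t)labelstack[0] << 16) |
	    ((uint32_t)labelstack[1] << 8) |
	    (uint32_t)labelstack[2];
	return 0;
}
```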
Sync cert.pem with mozilla roots; quite a few CA certificates were
either removed or distrusted for web so are removed here. ok tb@
Common policies (moz, google, ca/b) are now to distrust roots with key
material created before a certain time (currently 2008, this rolls
forwards by 2 years each April until 2029 when it moves to '15 years
from creation'), and also roots used for TLS are not permitted to be
shared with other purposes (Secure Email, Code Signing, or others).
This removes all root certificates from the following CA operators:
- AffirmTrust
- /C=US/O=AffirmTrust/CN=AffirmTrust Commercial
- /C=US/O=AffirmTrust/CN=AffirmTrust Networking
- /C=US/O=AffirmTrust/CN=AffirmTrust Premium
- /C=US/O=AffirmTrust/CN=AffirmTrust Premium ECC
- Firmaprofesional SA
- /C=ES/O=Firmaprofesional SA/2.5.4.97=VATES-A62634068/CN=FIRMAPROFESIONAL CA ROOT-A WEB
[67 lines not shown]
dhcpleased: Make sure to use VIS_NL with stravis()
Various DHCP fields could include newlines; these were written to the lease file as-is. Nothing in base reads them, but it could confuse other tools.
ok florian@
dhcpleased: Validate size of imsg_dhcp.len
If the frontend manages to write something bad to imsg (bypassing the frontend's validation), where imsg_dhcp.len is > sizeof(imsg_dhcp.packet) it is possible for an OOB read to be forced in the engine. Make this fatal.
ok florian@
mitigate AMD Zen-2 operation cache corruption
On Zen 2, the operation cache can be used to change instructions
of a different privilege level.
https://www.amd.com/en/resources/product-security/bulletin/amd-sb-7052.html
The mitigation is setting a chicken bit in an MSR. This is not documented
publicly, even in the security bulletin. The value comes from a patch
submitted to Linux by AMD employees.
ok deraadt@ brynet@
Limit the maximum value of shminfo.shmseg to prevent `size' overflow in
sys_shmat(). The default value of 128 is safe, but overflow could happen
on 32-bit machines while the value of shminfo.shmseg was raised too high.
Discussed with deraadt.
Add const void *data to attr_optadd()
Doing this requires that attr_alloc() and attr_lookup() also use const.
For attr_alloc() this is no problem but attr_lookup() is a bit more tricky
since the data field in struct attr is deliberately not const.
So instead use CH_LOCATE and a new attr_match() function to do the lookup
with a helper type that uses const.
OK tb@
Introduce ch_ext, a struct holding the table and metadata pointers for
the extendible hash.
Doing this removes the need for handling two arrays in resize operations
and also keeps the two pointers together. The code becomes simpler and
with some reshuffling ch_table_resize() is now less problematic.
The initial allocation of the extendible table is increased from one entry
to two.
OK tb@
In the disklabel check for specific fields with value 0, and return
early before trying to check for a byte-swapped label. This avoids
a /0 in the byte-swapped partition check.
ok krw, also discussed with krw
Do not fatal in pt_fill() instead return an error object that can never exist.
pt_fill() is in some cases used by semi-trusted content (e.g. from
bgpctl). The fatalx calls in that function are therefore a problem.
This alters pt_fill to instead return a pt_entry object that can not
exist in the tree. This error object is simply initialised with 0xff.
Also if the prefixlen is too large for the address family just clip it down
to the maximum (with a log message).
In pt_add(), the only place a pt_fill() object would be added to the tree,
check if the returned object is valid. There it is ok to fatal (at least
for now) since the code previous to pt_add() should validate the prefix.
Uniform some error messages and switch the prefixlen argument to u_int.
OK tb@
Return error on unhandled imsg types in the adj-rib-out case.
In rde_dump_ctx_new() the adj-rib-out case only covers some of the
possible imsg types rde_dump_ctx_new() can be called with. So ship back an
error instead of the fatalx() call.
OK tb@
Fix a couple of bugs in tty_draw_line: do not loop forever if orphan
padding appears, or if a wide character is trimmed at the right of the
region. Much help with testing from qingliu at alauda dot io in GitHub
issue 5024.
Add missing memcpy calls for auth_key_in / out in merge_auth_conf()
This was broken when refactoring the code for RTR and only affects
manual IPSec setups which are very uncommon.
OK tb@
Error handling the double reallocarray in ch_table_resize() is tricky.
In case of a realloc failure for the meta tables the ch_tables arrays
array was already successfully reallocated. Doing the free(tables) in the error
path results in a use-after-free scenario; instead, on error ch_tables
just needs to be updated to this new table. Since ch_level is not
adjusted, the next time reallocarray will be called on a memory block
that is already big enough, which is a NOP, and so this is safe.
Further cleanup will follow.
OK tb@
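An added example of the error-path rule the commit describes, written for this page and not taken from bgpd: a hypothetical minimal ch_ext whose resize reallocates the table array first and, if the metadata array then fails to grow, keeps the already-reallocated table pointer instead of freeing it. The names (ch_ext, ch_init, ch_table_resize), the metadata layout and the fail_meta_alloc test hook are assumptions.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical minimal ch_ext: table and metadata pointers kept together. */
struct ch_ext {
	void **tables;		/* 1 << level bucket pointers */
	uint32_t *meta;		/* 1 << level per-slot metadata words */
	unsigned int level;
};
static int fail_meta_alloc;	/* test hook: make the second allocation fail */

/* Portable stand-in for reallocarray(3): realloc with overflow-checked n * sz. */
static void *
xreallocarray(void *p, size_t n, size_t sz)
{
	return (n != 0 && sz > SIZE_MAX / n) ? NULL : realloc(p, n * sz);
}

int
ch_init(struct ch_ext *ch)
{
	ch->level = 1;		/* start with two entries, as in the commit */
	ch->tables = calloc(2, sizeof(*ch->tables));
	ch->meta = calloc(2, sizeof(*ch->meta));
	return (ch->tables != NULL && ch->meta != NULL) ? 0 : -1;
}

/* Double both arrays. On failure the struct stays consistent and usable. */
int
ch_table_resize(struct ch_ext *ch)
{
	size_t oldn = (size_t)1 << ch->level, newn = oldn * 2;
	void **tables;
	uint32_t *meta;

	if ((tables = xreallocarray(ch->tables, newn, sizeof(*tables))) == NULL)
		return -1;
	ch->tables = tables;	/* the old block is gone; only this pointer is valid */
	meta = fail_meta_alloc ? NULL : xreallocarray(ch->meta, newn, sizeof(*meta));
	if (meta == NULL)
		return -1;	/* not free(tables): ch->tables owns it, that would be
				 * a use-after-free. level is unchanged, so the upper
				 * half stays unreachable and a retry reallocs same-size. */
	ch->meta = meta;
	/* Extendible-hash doubling: the new upper half mirrors the lower half. */
	memcpy(ch->tables + oldn, ch->tables, oldn * sizeof(*tables));
	memcpy(ch->meta + oldn, ch->meta, oldn * sizeof(*meta));
	ch->level++;
	return 0;
}
```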