Remove IPv6 source routing from output path.
Routing header type 0 has been deprecated by RFC 5095 and we do not
support any other type. While OpenBSD blocks routing headers in pf
and during the input path, IPv6 output still allowed the user to
generate them.
Remove the code to set IPV6_RTHDR with setsockopt(2) and return a
"Protocol not available" error instead. Also delete the code in
ip6_output() to insert the routing header.
Yuxiang Yang, Yizhou Zhao, Ao Wang, Xuewei Feng, Qi Li, and Ke Xu from
Tsinghua University, using the GLM model from Z.ai, reported that a
regular user could attach a deprecated routing header.
OK claudio@ florian@
Use ffs and slots &= slots - 1 to walk over the slots in a way to only
look at matches. Kills another branch in the hot path and reduces the
loop from 7 to the number of hits (which is close to 1).
On systems without a native ffs instruction this can be a tiny bit slower,
but modern systems have native ffs and there the speedup can be noticeable.
Even systems without ffs benefit on lookup misses since the loop is skipped.
Based on a diff from Rango (kombucha at mm.st)
OK tb@
Allocate mbufs in high memory if only 64 bit DMA interfaces exist.
Mbufs on amd64 were allocated below 4 GB so that devices not capable
of 64 bit DMA can access the memory. Interface drivers use
BUS_DMA_64BIT to allow the DMA layer to do 64 bit transfers. Now
flag interfaces with IFXF_MBUF_64BIT that are capable of 64 bit DMA
on all their mbuf rings.
If only such interfaces exist in the system during amd64 boot,
allocate mbufs and mbuf clusters also in high memory. Other
architectures may be limited to 32 bit memory anyway or use an
IOMMU. On riscv64 or arm64 buses may exist that support less
than 64 bit; this will be handled later.
Hotplug devices that do not support 64 bit DMA will use bounce
buffering. By changing the flags in device drivers we can force
bounce buffering and find missing calls to bus_dmamap_sync().
OK kettenis@ deraadt@
isakmpd: Bound check ID-payload memcmp()
Make sure the ID supplied by the peer is the size anticipated from
the configuration. Only apply memcmp() if the size matches.
Otherwise, reject the ID right away.
ok markus@
isakmpd: Bound check decode_* in policy_callback() and attribute_unacceptable()
Before decoding 16-bit or 32-bit TLV values, verify that the provided
values have proper minimum size.
ok markus@
isakmpd: Bound check decode_16() in ipsec_decode_attribute()
Before decoding a 16 bit TLV value verify that the provided value
is at least 16 bit in size.
The LIFE_DURATION attributes will already be validated individually,
so just pass them on.
ok markus@
isakmpd: Bound check decode_16() in ipsec_is_attribute_incompatible()
Before decoding a 16 bit TLV value verify that the provided value
is at least 16 bit in size.
ok markus@
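An added example (not isakmpd's code) of the bound check the three decode_* commits above describe: a reader for one ISAKMP data attribute (RFC 2408 section 3.3) that rejects a TLV value too short for decode_16()/decode_32() instead of reading past it. decode_16(), decode_32() and attr_value() are stand-ins named after the commit messages, and the sample bytes are constructed.

```c
#include <stddef.h>
#include <stdint.h>

#define ISAKMP_ATTR_AF	0x8000	/* AF bit: 1 = TV (2-byte value), 0 = TLV */

/* Big-endian readers; the caller must check the length first. */
static uint16_t
decode_16(const uint8_t *p)
{
	return (uint16_t)(p[0] << 8 | p[1]);
}

static uint32_t
decode_32(const uint8_t *p)
{
	return (uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 |
	    (uint32_t)p[2] << 8 | p[3];
}

/*
 * Read one data attribute starting at buf and store its numeric value
 * in *val.  Returns -1 if the attribute does not fit in len bytes or its
 * TLV value is shorter than the decoder would read; on success *consumed
 * is the attribute's encoded size.  (Hypothetical helper for this example.)
 */
static int
attr_value(const uint8_t *buf, size_t len, uint32_t *val, size_t *consumed)
{
	uint16_t type, vlen;

	if (len < 4)			/* 2-byte type + 2-byte length/value */
		return -1;
	type = decode_16(buf);
	if (type & ISAKMP_ATTR_AF) {	/* TV: the value is the next 2 bytes */
		*val = decode_16(buf + 2);
		*consumed = 4;
		return 0;
	}
	vlen = decode_16(buf + 2);	/* TLV: length, then value */
	if (vlen > len - 4)		/* value would run past the buffer */
		return -1;
	if (vlen >= 4)			/* bound check before decode_* */
		*val = decode_32(buf + 4);
	else if (vlen >= 2)
		*val = decode_16(buf + 4);
	else				/* too short: reject, do not over-read */
		return -1;
	*consumed = 4 + (size_t)vlen;
	return 0;
}
```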
Implement ch_meta_locate() using some bit tricks to avoid branches and loops.
ch_haszero() first sets the high bit for every byte in lookup that is 0
and then uses a multiplication plus shift to compact these bits into the
output.
Also use a multiplication with 0x0101010101010101 instead of the memset().
Modern compilers produce the same code, but older ones produce slightly
simpler code this way.
Based on a diff from Rango (kombucha at mm.st)
OK tb@
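The ffs() walk from the earlier "Use ffs and slots &= slots - 1" commit and the ch_haszero() compaction described here, combined in one added example that is not OpenBSD's code: the function names mirror the commit messages, while the exact carry-free haszero form, the 0x0002040810204081 gather constant and the sample metadata word are assumptions of this example.

```c
#include <stdint.h>
#include <strings.h>	/* ffs(3) */

#define CH_LSB	0x0101010101010101ULL	/* low bit of every byte */
#define CH_MSB	0x8080808080808080ULL	/* high bit of every byte */

/* Fill all eight lanes with b: one multiply instead of a memset(). */
static inline uint64_t
ch_splat(uint8_t b)
{
	return (uint64_t)b * CH_LSB;
}

/*
 * Bit i of the result is set iff byte i of lookup is zero: set the high
 * bit of every zero byte (exact, carry-free form of the haszero trick),
 * then gather those eight high bits into the low byte by multiply + shift.
 */
static inline unsigned int
ch_haszero(uint64_t lookup)
{
	uint64_t high = ~(((lookup & ~CH_MSB) + ~CH_MSB) | lookup | ~CH_MSB);
	return (unsigned int)((high * 0x0002040810204081ULL) >> 56);
}

/* Bitmask of the slots whose one-byte tag in meta equals tag. */
static inline unsigned int
ch_match(uint64_t meta, uint8_t tag)
{
	return ch_haszero(meta ^ ch_splat(tag));
}

/*
 * Visit only the matching slots: ffs() yields the lowest set bit and
 * slots &= slots - 1 clears it, so the loop runs once per hit and not
 * at all on a miss.  Returns the hit count; slot indices go to idx[].
 */
static int
ch_meta_locate(uint64_t meta, uint8_t tag, int idx[8])
{
	unsigned int slots;
	int n = 0;

	for (slots = ch_match(meta, tag); slots != 0; slots &= slots - 1)
		idx[n++] = ffs(slots) - 1;	/* ffs() is 1-based */
	return n;
}

/* Constructed sample: slot 0 is the low byte; tag 0x3a is in slots 0, 2, 5. */
#define CH_SAMPLE_META	0xff013a807f3a003aULL
```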
isakmpd: Only call sa_isakmp_upgrade() when ISAKMP SAs actually exist
Informational and transactional exchanges do not have ISAKMP SAs.
Therefore only upgrade ISAKMP SAs when these actually exist.
ok markus@
Address CVE-2025-10263. This requires doing the TLB invalidation twice.
However, this has a considerable cost on some CPU cores (such as Apple's
M1/M2 and Qualcomm Snapdragon X) that aren't vulnerable. So bring over
the code patching infrastructure from amd64 and use it to NOP out the
additional TLB invalidation on CPUs that aren't vulnerable.
This also addresses errata (classified as unlikely to happen) on some
older ARM CPU cores that aren't vulnerable to this particular CVE.
ok jca@, deraadt@
Check for errors returned by _asr_unpack_{header,query,rr}
dname_expand() is the main parsing function for DNS labels. Its errors
are propagated via unpack_dname() to _asr_unpack_query() and
_asr_unpack_rr().
Those two functions would also propagate the errors, but they were
then ignored by the callers which would continue parsing invalid DNS
data.
_asr_unpack_header has the same issue but the call chain is shorter.
input & OK deraadt
Import clang-scan-deps
Computes deps so that build systems may rebuild only what's needed after
changing a C++20 module. Needed by a small (4) but growing number of
ports and expected to be needed by a lot more in the future. Working
around the lack of it in base is especially awkward.
ok tb@ sthen@
Make msg_copyout() check the remaining space within the userland buffer.
Otherwise, if the userland buffer size is smaller than the message size,
we write data beyond its end.
Use `xfer' for chunk size like msg_copyin() does.
ok cludwig
crl_cb(): fix EXFLAG_CRITICAL mishandling
The EXFLAG_CRITICAL should be set on encountering a critical CRL
extension unsupported by the library. The current loop does the
opposite: it stops looking as soon as it finds the first critical
extension the library supports...
ok kenjiro
libcrypto/x509 regress: x509_crl regress from Boring via OpenSSL #1775
Currently expected to fail due to mishandling of unknown critical
extensions in x_crl.c, to be fixed shortly.
don't increment scatterlist length twice
This occurs as sg_dma_len() returns the length member of struct scatterlist,
whereas on x86 Linux it returns a dma_length member of the struct.
Problem reported by Ryan Fahy in FreeBSD drm-kmod PR 468.
Avoids a 'Data modified on freelist' panic on boot when using discrete
Intel cards (DG2). DG2 has other issues, so remains disabled for now.