Remove adjout_prefix_free() and its use in adjout_prefix_unlink() instead
use tombstones in the adjout array for empty/unlinked entries and collect
them later via adjout_prefix_collect().
adjout_prefix_first() and adjout_prefix_next() return direct pointers
into the adjout prefix array and adjout_prefix_free() reshuffles entries
so the pointers returned by first/next are no longer valid. By using
tombstones the array pointers remain intact and it is possible to walk
the array.
Once done with the pt_entry adjout_prefix_collect() is called and it will
collect all tombstones. Again after calling adjout_prefix_collect() any
pointer into the adjout array is most probably invalid.
While this solves the problem with prefix withdraw it does not solve
addition of new entries. The good thing is that there is no code path
that would require such an operation.
On top of this the adjout_prefix_dump_r() has to walk all prefixes since
[3 lines not shown]
rpki-client: simplify absence of SIA handling for BRK and RSC
While RFC 6487, 4.8.8.2 clearly mandates the presence of the SIA extension
for all EE certificates, there are two exceptions. BGPsec router keys are
known to be special for no good rason, and they uphold this tradition and
the EE cert of RSCs doesn't have a SIA since that makes sense for things
that aren't distributed via the RPKI repository system.
The logic allowing these special snowflakes is currently quite contorted.
Simplify the comment to omit unnecesary fluff and implement the logic to
match the comment precisely, also suppressing a duplicated warnx(). This
does not really change anything but is much easier to follow.
ok claudio
more cleanup on close to avoid a use after free
In Linux, some driver specific cleanup is handled with the release
function pointer in struct file_operations.
For amdgpu, this was changed in Linux 6.16 from drm_release() to
amdgpu_drm_release(). Add a file_close function pointer to
struct drm_driver so we can call a function that does the same cleanup.
found by gnezdo@ with KASAN
ok gnezdo@
fix "ifconfig vebX -tagged ifX"
it was wired up in the code to expect an extra argument, which isn't
needed or expected as it is meant to clear all the tags on the
interface.
found by and fix identified by scott colby on bugs@
thanks scott
unlink the transformed temporary file on every commit failure
queue_message_commit() left the .comp/.enc temporary behind on an ENOSPC
rename failure and on the shared err path, so repeatedly triggering
transform or out-of-space failures accumulated orphaned files. unlink
tmppath on all of those paths.
from Andrew Griffiths, ok op@
reject empty or slash-bearing usernames before building the mbox path
mda_mbox_init() builds _PATH_MAILDIR/username and creates and chowns it as
root. the username comes from K_USERINFO table data, which is not checked
for slashes, so a dynamic userbase returning a slashed username could make
root create a path outside the mailbox namespace. in practice, it does not
affect default userbase which goes through getpwnam(), and it requires the
admin to voluntarily create a badly crafted username in the userbase.
from Andrew Griffiths (fixed by me), ok op@
reject CR and LF in argv-derived fields before starting the SMTP dialogue
enqueue interpolates the sender, recipients and DSN options straight into
MAIL FROM / RCPT TO command lines. an embedded CR or LF split the command
boundary and injected additional SMTP commands over the local session, so
refuse any such field up front.
from Andrew Griffiths (fixed by me), ok op@
free the copied envelope on the smarthost lookup failure path
mta_on_smarthost() frees the malloc'd envelope on success, but the
smarthost == NULL branch tempfailed the message and returned without
freeing it, leaking a struct envelope per failed lookup.
from Andrew Griffiths, ok op@
free mda_subaddress in mda_envelope_free()
mda_envelope() duplicates the subaddress with xstrdup() when present but
mda_envelope_free() never released it, leaking one bounded string per
subaddressed local delivery.
from Andrew Griffiths, ok op@
use inflateEnd() to tear down the inflate stream in uncompress_gzip_chunk()
the decompression path sets up the stream with inflateInit2() but the
cleanup block called deflateEnd(), mismatching the zlib inflate/deflate
APIs and leaking the stream state on every gzip queue read.
from Andrew Griffiths, ok op@
stop parsing DNS answers once unpack_rr() reports failure
the MX, MX-preference and spf walkers looped on the attacker-controlled
ancount calling unpack_rr() without checking its return, processing stale
or uninitialized rr contents on malformed or truncated replies. break out
of the loop as soon as unpack_rr() fails.
from Andrew Griffiths, ok op@
sysv: Recheck message queue limit after malloc
que_create() allocates with M_WAIT and may sleep after sys_msgget()
checks num_ques against msgmni. The kernel lock is released while the
thread sleeps, allowing concurrent creators to pass the same check and
exceed the queue limit.
OK: mvs@
sysv: Use zero-based message queue indices
que_ix starts at one, while KERN_SYSVIPC_MSG_INFO allocates msgmni
entries and uses que_ix directly as an array index. The last permitted
queue therefore makes sysctl_sysvmsg() copy one struct msqid_ds past the
allocation, which KASAN detects.
OK: mvs@
IPComp decompression must not overflow mbuf cluster.
Check after decompressing an IPComp packet, that the content fits
into a mbuf cluster. m_copyback() assumes that it can allocate a
single mbuf cluster to enlarge the mbuf chain. That means the
decompressed data must not exceed MAXMCLBYTES. Prevent panic:
m_clget: request for 67948 byte cluster.
reported by Homura Akemi, SecBuddyF, Tencent KeenLab; OK mvs@
IPsec AH must contain replay counter.
Before reading the replay counter from packet header in ah_input(),
make sure that the mbuf is long enough. Prevents panic: m_copydata:
null mbuf.
reported by Homura Akemi, SecBuddyF, Tencent KeenLab; OK mvs@