OpenBSD/src i0lEocb sys/netinet ip_output.c

   fix build with ENCDEBUG defined, broken by rev 1.409
   from Jan Schreiber
Version  Delta      File
1.417    +2 -2      sys/netinet/ip_output.c
         +2 -2      1 files

OpenBSD/src xdddKE3 libexec/ld.so library_mquery.c library.c

   Add checks to make sure that the ELF header and program header fit into
   the data we read from the on-disk shared library.  These checks should
   only fail for malformed shared libraries, but failing to load a shared
   library is better than crashing the program because of an out-of-bounds
   access.

   Issue found by Frank Denis using the Swival Security Scanner.

   ok guenther@
Version  Delta      File
1.77     +16 -2     libexec/ld.so/library_mquery.c
1.98     +16 -2     libexec/ld.so/library.c
         +32 -4     2 files

OpenBSD/src 00OMrrl usr.bin/mandoc main.c

   Fix a regression in rev. 1.269 reported by anton@.

   Due to unveil(2), mansearch() can no longer change back to the initial
   working directory.  But check_xr() calls mansearch(), so the main program
   needs to change back if -T lint or -W style is requested, such that these
   work even when multiple relative file names are given on the command line.
Version  Delta      File
1.271    +28 -9     usr.bin/mandoc/main.c
         +28 -9     1 files

OpenBSD/src eb0zU1w libexec/ld.so/sparc64 rtld_machine.c

   Add missing bounds check for the relocation flags table.
   Found by Frank Denis using the Swival Security Scanner.

   ok guenther@, jsg@
Version  Delta      File
1.72     +4 -1      libexec/ld.so/sparc64/rtld_machine.c
         +4 -1      1 files

OpenBSD/src oCvmj7b lib/libc/stdio open_wmemstream.c

   Size is the number of wide characters, not the number of bytes.
   The correct amount of memory was allocated but the stored size did
   not match the allocation due to being multiplied by sizeof(wchar_t).

   Spotted by Frank Denis using the Swival Security Scanner
   OK deraadt@
Version  Delta      File
1.11     +3 -3      lib/libc/stdio/open_wmemstream.c
         +3 -3      1 files

OpenBSD/src 1WVtI9N usr.bin/pkgconf/libpkgconf config.h

   define HAVE_DECL_REALLOCARRAY to use libc reallocarray()
   ok millert@ tb@
Version  Delta      File
1.3      +1 -0      usr.bin/pkgconf/libpkgconf/config.h
         +1 -0      1 files

OpenBSD/src 4w5kkik sys/kern vfs_syscalls.c

   When I added UF_PLEDGEOPEN in the sys_fchflags() chunk I mistakenly
   used the wrong vnode operation.
   spotted by Frank Denis using the Swival Security Scanner
   ok claudio
Version  Delta      File
1.381    +3 -3      sys/kern/vfs_syscalls.c
         +3 -3      1 files

OpenBSD/src nwzjDYr usr.bin/tmux screen.c tmux.h

   Do not sanitize title when popping it from stack, also add a limit to
   number of pushed titles.
Version  Delta      File
1.101    +16 -4     usr.bin/tmux/screen.c
1.1311   +2 -1      usr.bin/tmux/tmux.h
         +18 -5     2 files

OpenBSD/src sfgq96J usr.bin/rdistd server.c

   correct bounds test
   found with smatch, ok tb@ deraadt@
Version  Delta      File
1.50     +3 -2      usr.bin/rdistd/server.c
         +3 -2      1 files

OpenBSD/src UE6rwrm sys/kern kern_pledge.c

   Frank Denis using the Swival Security Scanner concludes that
   kill(0,sig) should not be allowed because of a source code comment.
   Actually, kill of the default pgid 0 MUST be allowed or large amounts
   of userland software won't work.  What pledge prevents is playing with
   other process groups (ie. -pid where pid is not 0) which require
   permission from the "proc" pledge.  Killing the default pgrp 0 is a
   common way for privsep (and other) software to tear itself down its
   process trees, for cases where a pipe read of 0 doesn't work.
   The current behaviour is intentional, and the proposed diff was not
   considered nor tested for consequences.
   Change the comment very subtly to see which AI/human collaboration fails next.
Version  Delta      File
1.357    +2 -2      sys/kern/kern_pledge.c
         +2 -2      1 files

OpenBSD/src BqNeZjk regress/lib/libcrypto/wycheproof Makefile

   wycheproof: add regress target to ensure proper go formatting
Version  Delta      File
1.13     +5 -2      regress/lib/libcrypto/wycheproof/Makefile
         +5 -2      1 files

OpenBSD/src lcnEFwT sys/kern kern_time.c

   Use the correct struct itimerval when recording the old value for ktrace.
   This fixes a potential information leak from an uninitialized stack
   variable.
   Found by Frank Denis using the Swival Security Scanner.

   ok deraadt@
Version  Delta      File
1.171    +2 -2      sys/kern/kern_time.c
         +2 -2      1 files

OpenBSD/src jUvmONH usr.bin/tmux screen.c

   Add missing flags to screen_mode_to_string and do not write before
   before if any are missed, second bit from qingliu at alauda dot io.
Version  Delta      File
1.100    +7 -2      usr.bin/tmux/screen.c
         +7 -2      1 files

OpenBSD/src 3feVztm usr.bin/tmux control.c

   Discard queued data and clear offsets when turning pane off to prevent
   later read of data that has been removed. From Aaron Campbell in GitHub
   issue 5054.
Version  Delta      File
1.56     +4 -1      usr.bin/tmux/control.c
         +4 -1      1 files

OpenBSD/src LSNbksx usr.sbin/eigrpd packet.c

   In eigrp the TLV encoding includes the header length in the length encoding.

   So check that the minimal length is at least that of the TLV header.
   OK renato@
Version  Delta      File
1.24     +3 -2      usr.sbin/eigrpd/packet.c
         +3 -2      1 files

OpenBSD/src ZwBiQ7N usr.sbin/ldpd notification.c

   Fix minimal length check for notification status messages.

   Found while reviewing all the length checks in ldpd.
   OK renato@
Version  Delta      File
1.47     +2 -2      usr.sbin/ldpd/notification.c
         +2 -2      1 files

OpenBSD/src kMqu512 usr.sbin/ldpd labelmapping.c

   Unlike all other TLV encodings in ldp the sub-tlv includes the header size
   in its length. Therefore check that the size is at least that of the header.

   OK renato@
Version  Delta      File
1.70     +3 -2      usr.sbin/ldpd/labelmapping.c
         +3 -2      1 files

OpenBSD/src uG3wpFT usr.sbin/ldpd address.c

   Ensure that alt_len includes at least the size of alt.family member
   to ensure that the parser is not going off the rails.

   OK renato@
Version  Delta      File
1.36     +2 -2      usr.sbin/ldpd/address.c
         +2 -2      1 files

OpenBSD/src FVh1eoQ sys/dev/fdt rkrng.c rkclock.c

   Add RK3576 support.

   ok dlg@
Version  Delta      File
1.9      +51 -3     sys/dev/fdt/rkrng.c
1.99     +5 -1      sys/dev/fdt/rkclock.c
1.71     +1 -0      sys/dev/fdt/rkclock_clocks.h
         +57 -4     3 files

OpenBSD/src t3Uyo1d sys/dev/pci/drm/include/linux xarray.h

   add parentheses around use of a macro argument
Version  Delta      File
1.11     +1 -1      sys/dev/pci/drm/include/linux/xarray.h
         +1 -1      1 files

OpenBSD/src 3AtEbwI usr.sbin/rpki-client mft.c ip.c

   rpki-client: convert ip.c and mft.c to ASN1_BIT_STRING_get_length()

   This isn't the greatest of APIs, but we're going to be stuck with it
   since better APIs depend on libcrypto not doing the implicit truncation
   nonsense, which only OpenSSL 4 and BoringSSL dropped by now.

   Some of the error checks become now unreachable. This will be cleaned
   up another time.

   ok claudio job
Version  Delta      File
1.137    +11 -6     usr.sbin/rpki-client/mft.c
1.39     +7 -7      usr.sbin/rpki-client/ip.c
         +18 -13    2 files

OpenBSD/src KXcbsSx usr.sbin/rpki-client ccr.c

   rpki-client: convert ccr.c to ASN1_BIT_STRING_set1()

   This becomes slightly simpler and more correct with this change.
   In particular, this now makes sure that the unused bits are set
   to 0 as required by the DER.

   ok claudio job
Version  Delta      File
1.37     +4 -8      usr.sbin/rpki-client/ccr.c
         +4 -8      1 files

OpenBSD/src eap5xTF sbin/iked ikev2.c

   check address size; from markus via millert
Version  Delta      File
1.398    +7 -3      sbin/iked/ikev2.c
         +7 -3      1 files

OpenBSD/src pjtVplr usr.sbin/bgpd version.h

   Bump version to 9.2
Version  Delta      File
1.23     +2 -2      usr.sbin/bgpd/version.h
         +2 -2      1 files

OpenBSD/src ljktycQ usr.sbin/bgpd util.c bgpd.h

   Limit all forms of ASPATH attributes to 750 elements

   Having super long ASPATH attributes can lead to various issues including
   attribute length overflows. Especially the transformation of 2-byte ASPATH
   attributes to 4-byte ones can trigger overflows. Because of this, limit the
   number and therefore the maximum size of an ASPATH.

   Our default config has a limit of 100 elements on paths. That limit is
   already much larger than what is seen in the DFZ (max ~20). The limit of
   750 is again much larger and is really just a safeguard.

   OK tb@
Version  Delta      File
1.100    +9 -1      usr.sbin/bgpd/util.c
1.540    +3 -1      usr.sbin/bgpd/bgpd.h
         +12 -2     2 files

OpenBSD/src A0vVazb usr.sbin/bgpd rde_attr.c

   Prevent overflow of the uint8_t length value in attr_optadd.

   bin_of_attrs() jumps from 240 to 256 elements but the length of the
   others attributes array is limited to a uint8_t type and overflows.
   Switch type of the local length value to int and make sure that the
   maximum length of UCHAR_MAX is not exceeded.

   OK tb@
Version  Delta      File
1.143    +4 -2      usr.sbin/bgpd/rde_attr.c
         +4 -2      1 files

OpenBSD/src NtcYbpK usr.sbin/bgpd rde_rib.c

   Re-evaluate prefixes if just PREFIX_FLAG_FILTERED changed

   With the introduction of 'rde rib Loc-RIB include filtered' it is possible
   that prefixes change from filtered to unfiltered state during a filter
   reload. In that case prefix_update() takes a shortcut path since no other
   attributes change and that path is missing a call to prefix_evaluate().

   Add the missing prefix_evaluate() call in this codepath so that prefixes
   are correctly redistributed in that case.

   OK tb@
Version  Delta      File
1.291    +16 -5     usr.sbin/bgpd/rde_rib.c
         +16 -5     1 files

OpenBSD/src cmEHmAZ usr.bin/ssh channels.h

   unbreak; spotted by Darren's test army
Version  Delta      File
1.166    +2 -2      usr.bin/ssh/channels.h
         +2 -2      1 files

OpenBSD/src 7tci0ss usr.bin/ssh channels.h

   classify dynamic-tcpip channels as bulk, not interactive;
   bz3958, ok markus@
Version  Delta      File
1.165    +3 -2      usr.bin/ssh/channels.h
         +3 -2      1 files

OpenBSD/src nGuTtSm usr.bin/openssl speed.c

   openssl: centralize speed benchmark timer handling

   The speed benchmark currently arms alarm() from print_message() and
   pkey_print_message(), making the output helpers also control benchmark
   lifetime. This hidden coupling makes the code harder to maintain and led to
   missing alarm cleanup on Windows, as reported in #1245.

   Move alarm setup and run-state initialization into speed-specific timer
   helpers so benchmark timing is controlled explicitly at the start and stop
   points.

   ok tb joshua
Version  Delta      File
1.53     +135 -124  usr.bin/openssl/speed.c
         +135 -124  1 files