Use the correct struct itimerval when recording the old value for ktrace.
This fixes a potential information leak from an uninitialized stack
variable.
Found by Frank Denis using the Swival Security Scanner.
ok deraadt@

Discard queued data and clear offsets when turning pane off to prevent
later read of data that has been removed. From Aaron Campbell in GitHub
issue 5054.

In eigrp the TLV encoding includes the header length in the length encoding.
So check that the minimal length is at least that of the TLV header.
OK renato@

Unlike all other TLV encodings in ldp the sub-tlv includes the header size
in its length. Therefore check that the size is at least that of the header.
OK renato@

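The two commits above describe the same pitfall: a TLV whose length field counts its own header, so a length smaller than the header makes "length minus header" wrap to a huge value. The following is an added example, not eigrpd or ldpd code. It assumes a 2-byte type, a 2-byte big-endian length and a 4-byte header, and it generalizes slightly with an hdr_in_len flag so the same reader handles both the header-inclusive encoding from the commits and the more common value-only encoding.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Added example, not eigrpd or ldpd code. Layout assumed: 2-byte type,
 * 2-byte big-endian length, then the value. hdr_in_len selects whether
 * the length field counts the header (eigrp / ldp sub-TLV case) or only
 * the value bytes.
 */
#define TLV_HDR_LEN	4

struct tlv {
	uint16_t	 type;
	uint16_t	 len;		/* value length, header excluded */
	const uint8_t	*value;
};

static uint16_t
get_be16(const uint8_t *p)
{
	return (uint16_t)((p[0] << 8) | p[1]);
}

/*
 * Parse the TLV at the start of buf. Returns the number of bytes the
 * TLV occupies (header included) or -1 if it is malformed.
 */
int
tlv_parse(const uint8_t *buf, size_t buflen, int hdr_in_len, struct tlv *out)
{
	uint16_t len;
	size_t total;

	if (buflen < TLV_HDR_LEN)
		return -1;
	len = get_be16(buf + 2);

	/*
	 * When the length counts the header, anything below TLV_HDR_LEN is
	 * invalid: "len - TLV_HDR_LEN" would wrap to a huge size and a later
	 * copy would read far past the TLV. This is the check the commits add.
	 */
	if (hdr_in_len && len < TLV_HDR_LEN)
		return -1;
	total = hdr_in_len ? len : (size_t)len + TLV_HDR_LEN;

	/* The TLV must also fit in what is left of the buffer. */
	if (total > buflen)
		return -1;

	out->type = get_be16(buf);
	out->len = (uint16_t)(total - TLV_HDR_LEN);
	out->value = buf + TLV_HDR_LEN;
	return (int)total;
}

/* Convenience wrapper returning only the parsed value length, or -1. */
int
tlv_value_len(const uint8_t *buf, size_t buflen, int hdr_in_len)
{
	struct tlv t;

	if (tlv_parse(buf, buflen, hdr_in_len, &t) < 0)
		return -1;
	return t.len;
}

/* Constructed samples: type 1 followed by three value bytes 0xaa 0xbb 0xcc. */
const uint8_t tlv_good[]  = { 0x00, 0x01, 0x00, 0x07, 0xaa, 0xbb, 0xcc }; /* len 7 = 4 + 3 */
const uint8_t tlv_short[] = { 0x00, 0x01, 0x00, 0x02, 0xaa, 0xbb, 0xcc }; /* len 2 < header */
const uint8_t tlv_trunc[] = { 0x00, 0x01, 0x00, 0x09, 0xaa, 0xbb, 0xcc }; /* len 9 > buffer */

int
main(void)
{
	printf("good:  %d\n", tlv_value_len(tlv_good, sizeof(tlv_good), 1));
	printf("short: %d\n", tlv_value_len(tlv_short, sizeof(tlv_short), 1));
	printf("trunc: %d\n", tlv_value_len(tlv_trunc, sizeof(tlv_trunc), 1));
	return 0;
}
```

Note that tlv_short is only malformed under the header-inclusive encoding; read as a value-only TLV the same bytes are a valid two-byte value, which is why a parser has to know which convention a given TLV family uses before applying the minimum-length check.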
rpki-client: convert ip.c and mft.c to ASN1_BIT_STRING_get_length()
This isn't the greatest of APIs, but we're going to be stuck with it
since better APIs depend on libcrypto not doing the implicit truncation
nonsense, which only OpenSSL 4 and BoringSSL dropped by now.
Some of the error checks now become unreachable. This will be cleaned
up another time.
ok claudio job

rpki-client: convert ccr.c to ASN1_BIT_STRING_set1()
This becomes slightly simpler and more correct with this change.
In particular, this now makes sure that the unused bits are set
to 0 as required by the DER.
ok claudio job

Limit all forms of ASPATH attributes to 750 elements
Having super long ASPATH attributes can lead to various issues including
attribute length overflows. Especially the transformation of 2-byte ASPATH
attributes to 4-byte ones can trigger overflows. Because of this limit the
number and therefore the maximum size of an ASPATH.
Our default config has a limit of 100 elements on paths. That limit is
already much larger than what is seen in the DFZ (max ~20). The limit of
750 is again much larger and is really just a safeguard.
OK tb@

Prevent overflow of the uint8_t length value in attr_optadd.
bin_of_attrs() jumps from 240 to 256 elements but the length of the
other attributes array is limited to a uint8_t type and overflows.
Switch type of the local length value to int and make sure that the
maximum length of UCHAR_MAX is not exceeded.
OK tb@

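The commit above describes a length counter that is narrower than the array it indexes. The following is an added example, not bgpd's attr_optadd(): it reduces the defect to its arithmetic (a uint8_t running length wrapping from 255 to 0) and shows the fix the commit describes, computing the new length in an int and refusing anything above UCHAR_MAX. The struct layout, the power-of-two bins and the function names are assumptions for illustration.

```c
#include <limits.h>
#include <stdint.h>
#include <stdlib.h>

/*
 * Added example, not bgpd code: a growable array of optional attributes
 * whose element count is carried on the wire in a uint8_t. Field names
 * and bin sizes are assumptions.
 */
struct attr {
	uint8_t	type;
};

struct attr_list {
	struct attr	*attrs;
	uint8_t		 len;	/* on-wire count, at most UCHAR_MAX */
	int		 cap;	/* allocated elements */
};

/* Grow in power-of-two bins: 8, 16, ..., 128, 256. */
static int
bin_of_attrs(int n)
{
	int bin = 8;

	while (bin < n)
		bin *= 2;
	return bin;
}

/*
 * The defect, reduced to its arithmetic: with the running length kept
 * in a uint8_t, appending the 256th element wraps the count to 0 instead
 * of failing, while the backing array has already grown to 256 slots.
 */
uint8_t
attr_len_wrapping(uint8_t len)
{
	uint8_t newlen = (uint8_t)(len + 1);	/* 255 + 1 -> 0 */

	return newlen;
}

/* Append one attribute. Returns 0 on success, -1 if the count would not fit. */
int
attr_list_add(struct attr_list *l, uint8_t type)
{
	int len = l->len + 1;		/* compute in int, not uint8_t */

	if (len > UCHAR_MAX)
		return -1;		/* the on-wire uint8_t cannot hold it */
	if (len > l->cap) {
		int ncap = bin_of_attrs(len);
		struct attr *n = realloc(l->attrs, (size_t)ncap * sizeof(*n));

		if (n == NULL)
			return -1;
		l->attrs = n;
		l->cap = ncap;
	}
	l->attrs[l->len].type = type;
	l->len = (uint8_t)len;
	return 0;
}

/* Try to append `tries` attributes to a fresh list; return how many fit. */
int
attr_list_fill(int tries)
{
	struct attr_list l = { NULL, 0, 0 };
	int i, added = 0;

	for (i = 0; i < tries; i++)
		if (attr_list_add(&l, (uint8_t)i) == 0)
			added++;
	free(l.attrs);
	return added;
}
```

The general rule the example illustrates: whenever a length is stored in a narrow on-wire type, do the bounds arithmetic in a wider type and compare against the narrow type's maximum before storing it back, rather than trusting the truncated value.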
Re-evaluate prefixes if just PREFIX_FLAG_FILTERED changed
With the introduction of 'rde rib Loc-RIB include filtered' it is possible
that prefixes change from filtered to unfiltered state during a filter
reload. In that case prefix_update() takes a shortcut path since no other
attributes change and that path is missing a call to prefix_evaluate().
Add the missing prefix_evaluate() call in this codepath so that prefixes
are correctly redistributed in that case.
OK tb@

openssl: centralize speed benchmark timer handling
The speed benchmark currently arms alarm() from print_message() and
pkey_print_message(), making the output helpers also control benchmark
lifetime. This hidden coupling makes the code harder to maintain and led to
missing alarm cleanup on Windows, as reported in #1245.
Move alarm setup and run-state initialization into speed-specific timer
helpers so benchmark timing is controlled explicitly at the start and stop
points.
ok tb joshua

Handle HCR_EL2.E2H RES1 behaviour
An implementation is allowed to make HCR_EL2.E2H RES1, which means
that the CPU behaves as if this bit was 1, even if it reads as 0
or can be written with 0.
While the architecture advertises this via ID_AA64MMFR4_EL1.E2H0,
hypervisors cannot always expose this to a guest if the hardware
doesn't implement FEAT_FGT.
Instead, detect the effects of HCR_EL2.E2H being RES1 by checking
for the aliasing property between accessors targeting the same
register (FAR_ELx in this case). This gives a reliable litmus test
for CPUs that are stuck in VHE mode.
From Marc Zyngier <maz at kernel.org>

When running in VHE host mode, HCR_EL2.TGE must be set, as otherwise
a bunch of problems occur:
- EL0 is guest EL0, not host, and the kernel will catch fire on the
first ERET to EL0
- EL1 TLB invalidations target the guest, and not the host
Make sure that HCR_EL2.TGE is set, instead of relying on firmware
to have set it (when booting with UEFI, only the first CPU is
correctly configured).
From Marc Zyngier <maz at kernel.org>

When printing a CCR's ManifestState, sort the entries by AKI
Sorting this particular listing by AKI (instead of by hash of the
Manifest object) makes diffs between CCRs much more readable.
With & OK tb@

Add checks for invalid dir count and max size for readdir/readdirplus.
A zero count or max size value is now rejected early instead of
relying on VOP_GETATTR to return an error. Also verify that the
max size after rounding up to a multiple of DIRBLKSIZ is positive.
A negative value would turn into a large allocation, causing the
malloc() to fail.
From an LLM bug report. With help from miod@ and kirill@.
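The commit above rejects zero counts and sizes early and checks that the size is still positive after rounding up to a multiple of DIRBLKSIZ. The following is an added example, not the kernel's NFS server code: a stand-alone validator in the same spirit. DIRBLKSIZ is assumed to be 512 and the function name is an illustration; the rounding is done in unsigned arithmetic so the example itself cannot overflow a signed int on the way to the check.

```c
#include <limits.h>

/*
 * Added example, not kernel code: argument validation for a readdir-style
 * request. DIRBLKSIZ is assumed to be 512.
 */
#define DIRBLKSIZ	512

/*
 * Return maxsize rounded up to a multiple of DIRBLKSIZ, or -1 if the
 * arguments are invalid: a zero (or negative) count or size, or a size
 * whose rounded value no longer fits a positive int. Such a value, left
 * unchecked, would be handed to malloc() as a huge allocation.
 */
int
readdir_rounded_size(int count, int maxsize)
{
	unsigned int rounded;

	if (count <= 0 || maxsize <= 0)
		return -1;

	/*
	 * Round in unsigned arithmetic so the addition cannot overflow a
	 * signed int, then require that the result is still a positive int.
	 * Rounding done directly in int wraps negative for sizes within
	 * DIRBLKSIZ - 1 of INT_MAX, which is the case the check catches.
	 */
	rounded = ((unsigned int)maxsize + (DIRBLKSIZ - 1)) &
	    ~(unsigned int)(DIRBLKSIZ - 1);
	if (rounded == 0 || rounded > (unsigned int)INT_MAX)
		return -1;
	return (int)rounded;
}
```

INT_MAX is 2147483647 on the platforms this matters for, and 2147483136 is the largest multiple of 512 below it, so any size above 2147483136 rounds past INT_MAX and is rejected, while 2147483136 itself is accepted unchanged.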