Add const void *data to attr_optadd()
Doing this requires that attr_alloc() and attr_lookup() also use const.
For attr_alloc() this is no problem but attr_lookup() is a bit more tricky
since the data field in struct attr is deliberately not const.
So instead use CH_LOCATE and a new attr_match() function to do the lookup
with a helper type that uses const.
OK tb@
Introduce ch_ext a struct holding the table and meta data pointers for
the extendible hash.
Doing this removes the need for handling two arrays in resize operations
and also keeps the two pointers together. The code becomes simpler and
with some reshuffling ch_table_resize() is now less problematic.
The initial allocation of the extendible table is increased from one entry
to two.
OK tb@
In the disklabel check for specific fields with value 0, and return
early before trying to check for a byte-swapped label. This avoids
a /0 in the byte-swapped partition check.
ok krw, also discussed with krw
Do not fatal in pt_fill() instead return an error object that can never exist.
pt_fill() is in some cases used by semi-trusted content (e.g. from
bgpctl). The fatalx calls in that function are therefore a problem.
This alters pt_fill to instead return a pt_entry object that can not
exist in the tree. This error object is simply initialised with 0xff.
Also if the prefixlen is too large for the address family just clip it down
to the maximum (with a log message).
In pt_add(), the only place a pt_fill() object would be added to the tree,
check if the returned object is valid. There it is ok to fatal (at least
for now) since the code previous to pt_add() should validate the prefix.
Uniform some error messages and switch the prefixlen argument to u_int.
OK tb@
Return error on unhandled imsg types in the adj-rib-out case.
In rde_dump_ctx_new() the adj-rib-out case only covers some of the
possible imsg types rde_dump_ctx_new() can be called with. So ship back an
error instead of the fatalx() call.
OK tb@
Fix a couple of bugs in tty_draw_line: do not loop forever if orphan
padding appears, or if a wide character is trimmed at the right of the
region. Much help with testing from qingliu at alauda dot io in GitHub
issue 5024.
Add missing memcpy calls for auth_key_in / out in merge_auth_conf()
This was broken when refactoring the code for RTR and only affects
manual IPSec setups which are very uncommon.
OK tb@
Error handling the double reallocarray in ch_table_resize() is tricky.
In case of a realloc failure for the meta tables the ch_tables arrays
was already successfully reallocated. Doing the free(tables) in the error
path results in a use-after-free scenario and instead on error ch_tables
just needs to be updated to this new table. Since the ch_level is not
adjusted the next time, reallocarray will be called on a memory block
that is already big enough which is a NOP and so this is safe.
Further cleanup will follow.
OK tb@
avoid validating bad cipher or mac lists in config files / commandline
arguments as valid.
Identified by SUSE and reported by Camila Camargo de Matos
ok deraadt@ tb@
fix hard-to-reach NULL deref during pubkey auth
To hit this, the user must be using a PEM style private key with no
corresponding .pub key adjacent to it.
rpki-client: fix incomplete strncmp() check
The directory path in rp->repouri doesn't end in a '/' itself, so check
that the uri containing an unused file points at something below it.
Pointed out by Frank Denis
ok claudio job
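
The boundary condition described in the rpki-client commit above, as an added C example that is not rpki-client's code: `prefix_only()` and `uri_below_dir()` are hypothetical helpers and the URIs are constructed sample values. It assumes "below" means the directory prefix is followed by a '/' and at least one more character.

```c
#include <stdio.h>
#include <string.h>

/* Incomplete check: a bare prefix comparison also accepts sibling
 * directories whose names merely start with the same characters. */
static int
prefix_only(const char *dir, const char *uri)
{
	return strncmp(uri, dir, strlen(dir)) == 0;
}

/* Complete check (hypothetical helper): dir has no trailing '/', so the
 * byte following the prefix in uri must be '/' and a name must follow. */
static int
uri_below_dir(const char *dir, const char *uri)
{
	size_t len = strlen(dir);

	if (strncmp(uri, dir, len) != 0)
		return 0;
	/* strncmp matched len bytes, so uri[len] is in bounds (may be NUL). */
	if (uri[len] != '/')
		return 0;
	return uri[len + 1] != '\0';
}

int
main(void)
{
	/* Constructed sample values, not taken from any real repository. */
	const char *dir = "rsync://rpki.example.net/repo";
	const char *uris[] = {
		"rsync://rpki.example.net/repo/a/b.roa",
		"rsync://rpki.example.net/repo-other/b.roa",
		"rsync://rpki.example.net/repo",
		"rsync://rpki.example.net/repo/",
	};
	size_t i;

	for (i = 0; i < sizeof(uris) / sizeof(uris[0]); i++)
		printf("%-45s prefix_only=%d uri_below_dir=%d\n", uris[i],
		    prefix_only(dir, uris[i]), uri_below_dir(dir, uris[i]));
	return 0;
}
```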
Fix bad sizes in certain graceful restart imsgs.
The move to use more u_int for aid also changed the imsgs
IMSG_SESSION_STALE, IMSG_SESSION_NOGRACE, IMSG_SESSION_FLUSH, and
IMSG_SESSION_RESTARTED. The problem was that not all senders were
adjusted.
OK tb@
Update libexpat to version 2.8.1.
Relevant for OpenBSD are security fixes #1216, other changes #1209.
Library bump is not necessary. CVE-2026-45186
OK tb@
getservice() needs to return the port in host byte order but
getservbyname() returns the value in network byte order. Add some ntohs()
for those poor little endian systems.
OK tb@
ibuf_set_maxsize() needs to ensure that the invariants are upheld by
checking also that wpos and size are not bigger than the new max.
If wpos is bigger fail hard, for size the allocation may have been used
before and so do an explicit_bzero() to clear the extra memory out.
OK tb@
Add a guarded .note.GNU-stack section to crypto assembly files.
Add a .note.GNU-stack section to avoid ending up with an executable stack
on toolchains that believe we should have an executable stack by default.
Reported by ruuda on GitHub.
Discussed with tb@