make ifconfig build without trunklacp.h
The only used part of trunklacp.h in ifconfig is LACP_STATE_BITS.
Add it to if_trunk.h so trunklacp.h can be removed.
ok dlg@

Use unsigned int for the length variable when traversing the others array.
Doing this in all places now after fixing an overflow in attr_optadd().
OK tb@ deraadt@

A collection of AI-assisted reports comes from Frank Denis, which says that
the YP getgrent code when doing YP operations has a group of buffer
mismanagement issues which in the reports are labelled 'high severity'.
This fixes the buffer checks.
The big question to ask is this: Is a malicious YP server going to
send you messages that exercise a buffer overflow codepath, or are
they going to send you perfectly correct messages containing wrong group members?
The old-school ypserv model was that you run ypserv on a "trusted network"
segment, which today is laughable but it matched operations in that era.
(Our) new operational model is that ypbind is reached with a custom system call
and provides trusted path to an on-host ypserv, which is more likely to be
the ypldap(8) LDAP schema to YP protocol converter.
If a YP server is broken and sending bad messages, THIS code is the least
of your worries. High severity? No.
ok millert jmatthew

A collection of AI-assisted reports comes from Frank Denis, which says that
the YP getpwent code when doing YP operations has a group of buffer
mismanagement issues which in the reports are labelled 'high severity'.
This fixes the buffer checks.
In reality, the memory being operated on is always a full page so the
overflow onto unmanaged memory is hard to see as a risk.
The big question to ask is this: Is a malicious YP server going to
send you messages that exercise a buffer overflow codepath, or are
they going to send you perfectly correct messages containing :0:0: ?
The old-school ypserv model was that you run ypserv on a "trusted network"
segment, which today is laughable but it matched operations in that era.
(Our) new operational model is that ypbind is reached with a custom system call
and provides trusted path to an on-host ypserv, which is more likely to be
the ypldap(8) LDAP schema to YP protocol converter.
If a YP server is broken and sending bad messages, THIS code is the least
of your worries. High severity? No.
ok millert jmatthew

In session_graceful_restart() also arm the SessionDown timer
session_graceful_restart() does more or less the same as session_down()
and therefore needs to arm the SessionDown timer and on top of that
update stats.last_updown. The interval for the SessionDown timer needs
to depend on the graceful restart timer, since that one needs to fire
first.
OK tb@

Add checks for invalid dir count and max size for readdir/readdirplus.
A zero count or max size value is now rejected early instead of
relying on VOP_GETATTR to return an error. Also verify that the
max size after rounding up to a multiple of DIRBLKSIZ is positive.
A negative value would turn into a large allocation, causing the
malloc() to fail.
From an LLM bug report. With help from miod@ and kirill@.
from millert@
this is errata/7.7/041_nfs.patch.sig

Add checks for invalid dir count and max size for readdir/readdirplus.
A zero count or max size value is now rejected early instead of
relying on VOP_GETATTR to return an error. Also verify that the
max size after rounding up to a multiple of DIRBLKSIZ is positive.
A negative value would turn into a large allocation, causing the
malloc() to fail.
From an LLM bug report. With help from miod@ and kirill@.
from millert@
this is errata/7.8/035_nfs.patch.sig
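
A sketch of the checks the readdir/readdirplus commit message above describes, added here as an example and not taken from the patch itself. It assumes the rounded size ends up in a signed 32-bit int and that DIRBLKSIZ is 512; the function names are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>

#define DIRBLKSIZ 512	/* value assumed for this example */

/* Round up to a multiple of DIRBLKSIZ, then view the result as the signed
 * 32-bit quantity it becomes once stored in an int (assumption). */
int32_t round_dirblk(uint32_t n)
{
	return (int32_t)((n + (DIRBLKSIZ - 1)) & ~(uint32_t)(DIRBLKSIZ - 1));
}

/* Hypothetical helper: returns 0 and sets *siz to the buffer size to
 * allocate, or -1 when the client's values must be rejected early. */
int check_readdir_args(uint32_t count, uint32_t maxsize, size_t *siz)
{
	int32_t rounded;

	if (count == 0 || maxsize == 0)
		return -1;	/* zero count or max size */
	rounded = round_dirblk(maxsize);
	if (rounded <= 0)
		return -1;	/* rounding wrapped to zero or went negative */
	*siz = (size_t)rounded;
	return 0;
}

/* Size malloc() would be handed if a negative rounded value got through. */
size_t unchecked_alloc_size(uint32_t maxsize)
{
	return (size_t)round_dirblk(maxsize);
}

int main(void)
{
	size_t siz;

	/* Constructed inputs: a sane size and one that rounds past INT32_MAX. */
	return !(check_readdir_args(4096, 1000, &siz) == 0 && siz == 1024 &&
	    check_readdir_args(4096, 0x7fffffffu, &siz) == -1);
}
```
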
Backport fixes from libexpat version 2.8.0.
Relevant for OpenBSD are security fixes #47 #1183. Library bump
is not necessary. CVE-2026-41080
OK tb@
this is errata/7.7/040_expat.patch.sig

Backport fixes from libexpat version 2.8.0.
Relevant for OpenBSD are security fixes #47 #1183. Library bump
is not necessary. CVE-2026-41080
OK tb@
this is errata/7.8/034_expat.patch.sig

Use macros for global functions and objects within SHA assembly.
This lets us remove some of the repetitive statements and allows for them
to be adjusted for various platforms.
ok kenjiro@ tb@

Use a define based instruction separator in SHA assembly.
Unfortunately, not all assemblers use the same instruction separator.
In particular, LLVM on macOS uses %% as an instruction separator, while
most other assemblers use a semi-colon.
ok kenjiro@ tb@

In ipsec_common_input_cb() ensure that the packet size does not overflow
the maximum packet size before writing the value back to the IP header.
IPv4 and IPv6 have slightly different rules and so do it per AF.
OK millert@

Include the padding length when testing the remaining bytes in an octet
string, to prevent a size_t underflow on a malformed packet and make us run
into infinity.
Same diff as for snmpd

Template peers need to check xp->rdesession to know if the RDE has the
session running or not. Right now it checks the template itself which
is never synced.
OK tb@

Include the padding length when testing the remaining bytes in an octet
string, to prevent a size_t underflow on a malformed packet and make us run
into infinity.
OK deraadt@
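
The size_t underflow that the two "Include the padding length" commit messages above describe, as an added example that is not code from either commit. It assumes a wire format with a 4-byte big-endian length prefix and zero padding to a 4-byte boundary; the cursor type and function names are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>

/* Hypothetical cursor over a received packet (not the daemons' own types). */
struct cursor { const uint8_t *p; size_t left; };

/* Zero bytes needed to round len up to a 4-byte boundary (assumed format). */
static size_t pad4(size_t len) { return (4 - (len & 3)) & 3; }

static int read_len(struct cursor *c, uint32_t *len)
{
	if (c->left < 4)
		return -1;
	*len = (uint32_t)c->p[0] << 24 | (uint32_t)c->p[1] << 16 |
	    (uint32_t)c->p[2] << 8 | c->p[3];
	c->p += 4;
	c->left -= 4;
	return 0;
}

/* Flawed: only len is tested, yet len plus padding is subtracted. The
 * pointer is left alone so this demonstration never reads out of bounds. */
int skip_flawed(struct cursor *c)
{
	uint32_t len;
	if (read_len(c, &len) == -1 || len > c->left)
		return -1;
	c->left -= (size_t)len + pad4(len);	/* wraps when padding is missing */
	return 0;
}

/* Fixed: the padding is part of the bounds test, written without overflow. */
int skip_fixed(struct cursor *c)
{
	uint32_t len;
	if (read_len(c, &len) == -1 || len > c->left ||
	    pad4(len) > c->left - len)
		return -1;
	c->p += (size_t)len + pad4(len);
	c->left -= (size_t)len + pad4(len);
	return 0;
}

int main(void)
{
	/* Constructed malformed packet: length 5, data present, padding cut off. */
	const uint8_t bad[] = { 0, 0, 0, 5, 'h', 'e', 'l', 'l', 'o' };
	struct cursor a = { bad, sizeof(bad) }, b = { bad, sizeof(bad) };
	return !(skip_flawed(&a) == 0 && a.left == (size_t)-3 && skip_fixed(&b) == -1);
}
```

With the flawed test the remaining-bytes counter wraps to nearly SIZE_MAX, so a loop that runs while bytes remain no longer terminates on its own.
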
Typecast idx to size_t so that the comparison is safe on 32-bit arch.
idx < 0 was already checked so casting this value from signed to unsigned
is safe.
OK tb@