smtpd was already fork+exec privsep, and starts 6 copies which are
the same binary.
I first decided to random-relink smtpd because of some recent close
calls (in the IPC codepaths, which could have played part in lateral
movement following a primary hole). Then it dawned on me that I can
random relink each of the privsep binaries to be unique, in the same
style as sshd.
Each binary now contains a lot of code it does not need (and is not
reached, but the code remains). That can be refactored as a later
step.
The new /etc/rc relink code will automaticall pick these up.
vague approval martijn, gilles, millert
httpd worries me a bit, so I want to random-relink it at boot.
The new /etc/rc relinking components will automatically pick up this
new directory and process it.
amd64: Place the direct map at a random location
Places the direct map at a 512GB-aligned random location selected from
a 16TB VA window.
With help and suggestions from deraadt@. Tested by many.
add signature malleability and pubkey validity checks to ed25519
verification (SSH doesn't depend on these properties)
Pointed out by Soatok Dreamseeker
Add an explicit-seed variant of the keygen function.
feedback / "looks fine" tb@
relayd: strip Content-Length for chunked messages
RFC 9112 section 6.1 requires an intermediary that forwards a message
carrying Transfer-Encoding to remove any received Content-Length first.
relayd already parses the body as chunked in this case, but previously
left Content-Length in the header tree, so the backend could receive
both framing fields and choose a different message boundary.
When chunked framing is selected, remove Content-Length before header
emission; this preserves relayd's chunked body handling while avoiding
CL.TE ambiguity downstream.
Reproted by: Stuart Thomas
OK: rsaodwski@
httpd: reject CL.TE request framing
RFC 9112 sections 6.1 and 6.3 identify a request containing both
Transfer-Encoding and Content-Length as ambiguous request smuggling
input. httpd is the origin server, not an intermediary, so it should not
rewrite the message and continue processing it.
Reject chunked requests that also carry Content-Length before method
specific body handling or FastCGI parameter generation; this avoids
exposing inconsistent framing metadata to applications.
Reproted by: Stuart Thomas
OK: rsaodwski@
relayd: reject obs-fold to prevent parser differentials (RFC 9112 5.2)
Replace silent kv_extend normalisation with an unconditional reject.
RFC 9112 5.2 permits rejection; it is safer than SP replacement
for a forwarding proxy and handles both request and response direction.
kv_extend is therefore no longer required.
Reported by Stuart Thomas, OK kirill@
httpd: reject obs-fold with 400 (RFC 9112 5.2)
Replace silent kv_extend normalisation with an unconditional 400.
RFC 9112 5.2 explicitly permits rejection; it is the safer choice
over SP replacement, which hides parser ambiguity downstream.
Reported by Stuart Thomas, OK kirill@
Set MT_HW_EMI_CTL_SLPPROT_EN on 7925 in mwx_attach and then do a
WF sys reset.
From kevlo@
VS: ----------------------------------------------------------------------
Fix roaming between APs with qwx(4).
Implement a custom bgscan_done() handler which waits for Tx queues to
drain and handles the AP switch properly by disassociating the device
from our old AP while we still have the old AP's MAC address available
in ic_bss.
Previously, the qwx_newstate task would run a firmware disassociation
sequence with the _new_ AP's MAC address before trying to associate.
The firmware didn't like this and we ran into errors such as:
qwx0: delete key 3 failed: error 58
qwx0: failed to delete peer vdev_id 0 addr xx:xx:xx:xx:xx:xx ret 58
qwx0: unable to delete BSS peer: 58
tested by ajacoutot@ and myself on amd64, and by phessler@ on arm64
ok phessler@, "it works great" ajacoutot@
always allow data frame interrupts in qwx(4) while the interface is UP
This helps with situations where we would fail to receive the initial
EAPOL frame during WPA handshakes with the AP, in particular when
roaming between APs.
tested by ajacoutot@ and myself on amd64, and by phessler@ on arm64
Delete __tmpfd(2) which is not used. There was no libc stub, so no
pinsyscalls table entry is ever created, so a pecululiar flaw in this
subsystem wasn't reachable.
ok millert kettenis
sys/uvideo: fix UVIDEO_FLAG_VENDOR_CLASS attach
UVIDEO_FLAG_VENDOR_CLASS has been broken since r1.147: attach selected
only UICLASS_VIDEO interfaces, even after match accepted a device whose
video control interface incorrectly reports UICLASS_VENDOR.
Restore the vendor class path in attach, and add the remaining Logitech
vendor class UVC devices listed by Linux for which usbdevs already has
product IDs.
Issue reported and tested by "requiem." on Logitech QuickCam Pro5000
OK: mglocker@
