Add an explicit "--" argument for portable.
GNU libc getopt allows options out of order with other arguments
so force getopt to stop option parsing using "--".
OK tb@
Add a "--" argv to the execvp of bgpctl for portable.
GNU libc has this stupid behaviour of allowing options in any order
and so one needs to terminate the option parsing to be sure none of
the later user supplied arguments could be interpreted as an option.
Reported by 7Asecurity
OK tb@
Don't fail hard on version mismatch and ignore extra end-of-params messages.
Replace the lerrx on version mismatch with a lwarnx and error return.
Switch to ssize_t return for that so that slowcgi_request() can properly
fail when this happens.
Also do not execute multiple bgplgd commands when extra end-of-params
messages are received. Once a command is executed fail to start a 2nd
one.
Reported by Frank Denis
OK tb@
Improve handling of unknown extended communities
Ext communities are split over the 3 data fields of struct community.
All ext communities put the first 2 bytes (type and subtype) into data3.
For EXT_COMMUNITY_TRANS_IPV4 and EXT_COMMUNITY_TRANS_FOUR_AS a 2-4-2 split
is used. All other types use a 2-2-4 split; this should include all unknown
types. So add default cases into the various switch statements to make this
happen.
Reported by 7Asecurity
OK tb@
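As an added example (not bgpd's own code) of the split described above: an 8-byte extended community is decoded into the three data fields with type and subtype in data3, a 2-4-2 split for EXT_COMMUNITY_TRANS_IPV4 and EXT_COMMUNITY_TRANS_FOUR_AS, and the 2-2-4 default for every other type, unknown ones included. The numeric type values and the masking of the IANA/transitive bits follow RFC 4360 and RFC 5668; the struct layout and helper names are assumptions.

```c
#include <stdint.h>
#include <string.h>

/* Type octets per RFC 4360 / RFC 5668 (values assumed here). */
#define EXT_COMMUNITY_TRANS_TWO_AS	0x00
#define EXT_COMMUNITY_TRANS_IPV4	0x01
#define EXT_COMMUNITY_TRANS_FOUR_AS	0x02
#define EXT_COMMUNITY_VALUE_MASK	0x3f	/* drop IANA and transitive bits */

/* Hypothetical stand-in for the three data fields of struct community. */
struct community {
	uint32_t data1, data2, data3;	/* data3 = type << 8 | subtype */
};

static uint32_t get16(const uint8_t *p) { return (uint32_t)p[0] << 8 | p[1]; }
static uint32_t get32(const uint8_t *p) { return (uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 | (uint32_t)p[2] << 8 | p[3]; }
static void put16(uint8_t *p, uint32_t v) { p[0] = v >> 8; p[1] = v; }
static void put32(uint8_t *p, uint32_t v) { p[0] = v >> 24; p[1] = v >> 16; p[2] = v >> 8; p[3] = v; }

/* True for the two types with a 4-byte global and 2-byte local field
 * (2-4-2). Everything else, known or unknown, takes the 2-2-4 default. */
static int
ext_is_242(uint32_t type)
{
	switch (type & EXT_COMMUNITY_VALUE_MASK) {
	case EXT_COMMUNITY_TRANS_IPV4:
	case EXT_COMMUNITY_TRANS_FOUR_AS:
		return 1;
	default:
		return 0;
	}
}

/* Wire (8 bytes) -> struct community. Type and subtype always go to data3. */
static void
ext_community_decode(const uint8_t w[8], struct community *c)
{
	c->data3 = get16(w);
	if (ext_is_242(w[0])) { c->data1 = get32(w + 2); c->data2 = get16(w + 6); }
	else                  { c->data1 = get16(w + 2); c->data2 = get32(w + 4); }
}

/* struct community -> wire (8 bytes), the inverse split. */
static void
ext_community_encode(const struct community *c, uint8_t w[8])
{
	put16(w, c->data3);
	if (ext_is_242(c->data3 >> 8)) { put32(w + 2, c->data1); put16(w + 6, c->data2); }
	else                           { put16(w + 2, c->data1); put32(w + 4, c->data2); }
}
```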
Increase the MRT attribute buffer to MAX_EXT_PKTSIZE so it works in all cases.
Dumping messages from peers with extended message capability would fail
since the MRT code was still limited to the old 4096-byte size.
Reported by 7Asecurity
OK tb@
Fix use-after-free problems in parse.y
In error cases using YYERROR data is freed but the global pointer is not
reset (to NULL or in the case of curpeer to curgroup). On YYERROR yacc
still moves on and so any rules using e.g. curpeer do a use-after-free.
Reported by 7Asecurity
OK tb@
Move pt_unref() after the RB_REMOVE() call in rib_remove() to
prevent use-after-free.
rib_remove calls pt_unref() before the RB_REMOVE() call which also uses
re_rib(). re_rib() evaluates re->prefix but pt_unref() could free the
prefix if the refcount drops to 0.
Reported by 7Asecurity
OK tb@
newsyslog: add glob(3) support for logfile names
Allow glob patterns in the logfile_name field of newsyslog.conf(5),
so that entries like /var/log/app/*.log are expanded at parse time.
From Alvar Penning, feedback and OK jan@
clear userinfo before sending over imsg.
This is not an issue by itself but it weakens compartmentalization and may assist
lateral movement inside the privsep environment after another bug.
diff by Stuart Thomas <stuart.thomas at triageforge.co.uk>
Reject oversized sockaddr payloads received over privsep IPC.
This is not an issue on its own but may permit lateral movement or memory corruption
inside the privsep environment after another bug.
diff by Stuart Thomas <stuart.thomas at triageforge.co.uk>
Zero the temporary envelope parsing buffers before use.
While current parsing paths do not expose uninitialized data, keeping stack residue
in these transient buffers unnecessarily weakens compartmentalization and may aid
lateral movement inside the privsep environment after another bug.
The diff also fixes a theoretical double close race bug which can't really happen in
smtpd due to requiring concurrency in our single threaded event loop, and which would
have very limited reliability impact if it was triggered (forcing a mail to fail on a
schedule tick and be retried at next tick). This is still incorrect so let's avoid a
copy of this code in more problematic places.
diff by Stuart Thomas <stuart.thomas at triageforge.co.uk>
Ensure pending asynchronous lookups do not retain dangling smtp_session references after teardown.
This is mainly a robustness fix inside the privsep model:
stale references may permit lateral effects between smtpd processes after another compromise.
diff by Stuart Thomas <stuart.thomas at triageforge.co.uk>
validate encrypted queue buffer sizes before processing auth tag and IV data:
current callers already treat malformed input as a decrypt failure but rejecting
truncated buffers earlier makes boundary conditions more explicit.
diff by Stuart Thomas <stuart.thomas at triageforge.co.uk>
Pass correct argument to m_tag_delete() in ip_srcroute()
When the ip_srcroute function was redone to follow what FreeBSD did
the m_tag_delete() call was not correctly adjusted. In FreeBSD the
tag data structs always start with a struct m_tag while in OpenBSD
this wrapping is not done.
ip_srcroute is disabled by default and nobody sane turns it on.
From a report by Frank Denis
OK dlg@ deraadt@
Correct ICMPv6 parameter problem in IPv6 destination option.
If the destination option is placed in a different mbuf than the
IPv6 header, the calculation of the parameter problem offset was
wrong.
found by Quarkslab Vulnerability Reports
OK deraadt@
sys/ufs: make ufs_readdir() use UFS_BUFATOFF()
Read directory data through UFS_BUFATOFF() instead of routing the
operation through VOP_READ() into a temporary kernel buffer; this keeps
directory entry decoding on the buffer cache path, bounds each transfer
by the buffer size, file size, and caller supplied count, and releases
each buffer after complete entries are converted.
Since VOP_READ() no longer provides the access time side effect, mark
IN_ACCESS under the same MNT_NOATIME rule used by ffs_read().
OK: deraadt@
sys/qwz: add AMPDU callbacks
Add the same BlockAck task and AMPDU callback plumbing used by qwx.
This wires net80211 ADDBA/DELBA handling into the existing qwz RX
TID/reorder setup code, while leaving TX aggregation to firmware as qwx.
OK: stsp@