Set IFXF_MBUF_64BIT so mbufs are allocated in high memory if only
64 bit DMA interfaces exist. Also pass BUS_DMA_64BIT to the
bus_dmamem_alloc() for the kstat counter buffer (rge_ks_sc_seg).
ok bluhm@
cal: drop obsolete parsemonth return value checks
These became redundant since month range checks were implemented in parsemonth
in revision 1.15.
ok jca@
ucom: fix OOB write in sysctl_ucominit with no ucom devices
cd_ndevs==0 makes ucomslen 0, so malloc(0) returns unzeroed storage
(M_ZERO memsets osize==0 bytes). strlen(ucoms) then walks garbage and
ucoms[strlen-1]=0 stores out of bounds (KASAN: __asan_store1, hw.ucomnames).
Size the buffer for one extra slot so it is never zero-sized.
KASAN#2, with a murmur of agreement in the hackroom
Don't bounce unless we're doing encrypted writes. Drivers for hardware
that doesn't support 64-bit DMA will take care of bouncing now.
ok deraadt@, jca@
Fix CVE-2026-12244, CVE-2026-12245, CVE-2026-12246 and CVE-2026-12490
- CVE-2026-12244: A specially crafted SVCB RR can cause a heap
overflow of up to 65509 attacker controlled bytes.
- CVE-2026-12245: If NSD is configured with DNS over TLS, a
client that performs a TLS action, closing the connection early,
causes a crash and restart of the server process. An attacker can
keep all children in a crash-restart loop denying DoT service.
- CVE-2026-12246: The RR type APL rdata address, if too large,
causes out of bounds write on the stack, when the zonefile is written
out.
- CVE-2026-12490: Secondaries authenticated by a client
certificate to transfer a zone over TLS, can bypass verification by
transferring over TCP.
OK sthen
Return statically built addresses when hostname == NULL It always
returns IPv4 and IPv6 addresses when hostname == NULL; previously, it
returned only the address of the selected address family defined by
"family" in resolv.conf.
ok florian
x509_vfy: sync get_crl_sk() with BoringSSL and OpenSSL
Among CRLs with the same score prefer the one with the most recent
lastUpdate (RFC 5280 thisUpdate). This pulls in OpenSSL commits
626aa248, e032117d, 8b7c51a0 from 2016, so before the license change.
This uses the annoying ASN1_TIME_diff() API, but there is no better
way, really. Every other ASN1_TIME API will be just as awkward.
This fixes the currently failing x509_crl test cases.
ok kenjiro