frag6_input(): must always decrement counter when dropping fragment
Currently frag6_input() does not decrement the counter in one case:
- it is processing a fragment with offset 0 which arrives after
the last fragment (the fragment with max. offset)
- there are more IPv6 extension headers between the IPv6 header
and the IPv6 fragment header
- the re-assembled packet exceeds the IPV6_MAXPACKET size limit
If the conditions above are met, then the fragment gets dropped without
decrementing counters. This commit fixes that.
The issue was pointed out by Frank Denis.
OK bluhm@
Make __pledge_open(2) of /etc/localtime and /usr/share/zoneinfo much
more strict. If /etc/localtime is a symbolic link, allow one translation,
which must land cleanly in /usr/share/zoneinfo (.. is checked for); otherwise
error with EACCES. In /usr/share/zoneinfo, do not allow symbolic links and
error with ELOOP.
Alfredo Ortega observed the non-strict handling, but agrees no specific
exploitability exists. Changing this took almost a month with many
discarded prototypes.
ok beck dgl
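The path policy the commit above describes, written out as an added example in C; this is not OpenBSD's pledge(2) implementation. It applies the rules to path strings that have already been obtained with readlink(2) or lstat(2), so it runs without touching the filesystem. The function names, and the choice to treat a relative link target as landing outside the tree, are assumptions made for this example.

```c
#include <errno.h>
#include <string.h>

/*
 * Added example, not OpenBSD's pledge(2) code. The checks below express the
 * commit's policy on already-resolved path strings. Function names and the
 * handling of relative link targets are assumptions.
 */
#define ZONEINFO_DIR "/usr/share/zoneinfo/"

/* Return 1 if any "/"-separated component of path is "..", else 0. */
static int
has_dotdot_component(const char *path)
{
	const char *p = path;

	while (*p != '\0') {
		const char *end = strchr(p, '/');
		size_t len = end != NULL ? (size_t)(end - p) : strlen(p);

		if (len == 2 && p[0] == '.' && p[1] == '.')
			return 1;
		if (end == NULL)
			break;
		p = end + 1;
	}
	return 0;
}

/*
 * The one symlink translation allowed for /etc/localtime: the target must be
 * an absolute path below /usr/share/zoneinfo and must not climb back out
 * with "..". Returns 0 when acceptable, otherwise EACCES as the commit does.
 */
int
localtime_link_target_ok(const char *target)
{
	size_t plen = strlen(ZONEINFO_DIR);

	if (strncmp(target, ZONEINFO_DIR, plen) != 0)
		return EACCES;		/* relative, or outside zoneinfo */
	if (has_dotdot_component(target + plen))
		return EACCES;		/* would escape via ".." */
	return 0;
}

/*
 * Inside /usr/share/zoneinfo no symbolic links are followed at all.
 * is_symlink is what lstat(2) reported for the entry; a link there is
 * refused with ELOOP, matching the commit.
 */
int
zoneinfo_entry_ok(const char *path, int is_symlink)
{
	if (strncmp(path, ZONEINFO_DIR, strlen(ZONEINFO_DIR)) != 0)
		return EACCES;
	if (is_symlink)
		return ELOOP;
	return 0;
}
```

The two functions split the policy the way the commit does: one relaxed step (a single translation of /etc/localtime, bounded to the zoneinfo tree) and then a strict regime inside that tree where any link is an error rather than something to resolve further.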
If the main process receives an oversized passwd or group entry message from
the ldap client process, discard it rather than overflowing the struct
idm_req on the stack.
Pointed out by Frank Denis
ok claudio@
Rework the re-evaluation of a prefix if PREFIX_FLAG_FILTERED changed.
The fix committed in rev 1.291 is not quite right. The problem is that
prefix_evaluate() uses prefix_best() which calls prefix_eligible().
It is wrong to alter the eligible state of a prefix while it is still
on the rib list.
Instead remove the prefix first, toggle the state, then readd it again.
Even though prefix_evaluate() is called twice the code complexity is
about the same since the 2 calls only do half the work.
OK tb@
If either tcp_md5_set() or pfkey_establish() fails, then also fail the
ongoing connect.
The old graceful failure mode was added for strange cases like kernels
without TCP MD5 support but there is honestly no good reason to limp along.
The correct way to handle this on such broken systems is to edit the config
and remove the auth settings. After that a bgpctl reload will fix the problem
by skipping the TCP MD5 or IPSec setup.
Reported by Frank Denis
OK tb@
In log_evpnaddr() the labellen for EVPN_ROUTE_TYPE_2 can either be 3 or 6.
Currently only the first label is printed so only take the first 3 bytes
of addr->labelstack to build the VNI. Do this by hand with a few shifts
and or operations instead of the memcpy and htonl() fumbling.
EVPN is still experimental and disabled by default.
Found by myself and also reported by Frank Denis
OK denis@ tb@
Sync cert.pem with mozilla roots; quite a few CA certificates were
either removed or distrusted for web so are removed here. ok tb@
Common policies (moz, google, ca/b) are now to distrust roots with key
material created before a certain time (currently 2008, this rolls
forwards by 2 years each April until 2029 when it moves to '15 years
from creation'), and also roots used for TLS are not permitted to be
shared with other purposes (Secure Email, Code Signing, or others).
This removes all root certificates from the following CA operators:
- AffirmTrust
  - /C=US/O=AffirmTrust/CN=AffirmTrust Commercial
  - /C=US/O=AffirmTrust/CN=AffirmTrust Networking
  - /C=US/O=AffirmTrust/CN=AffirmTrust Premium
  - /C=US/O=AffirmTrust/CN=AffirmTrust Premium ECC
- Firmaprofesional SA
  - /C=ES/O=Firmaprofesional SA/2.5.4.97=VATES-A62634068/CN=FIRMAPROFESIONAL CA ROOT-A WEB
[67 lines not shown]
dhcpleased: Make sure to use VIS_NL with stravis()
Various DHCP fields could include newlines; these were written to the lease file as-is. Nothing in base reads them, but it could confuse other tools.
ok florian@
dhcpleased: Validate size of imsg_dhcp.len
If the frontend manages to write something bad to imsg (bypassing the frontend's validation), where imsg_dhcp.len is > sizeof(imsg_dhcp.packet) it is possible for an OOB read to be forced in the engine. Make this fatal.
ok florian@
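The length check the commit above adds, as an added example in C; this is not dhcpleased's own code. It models the message shape the commit describes, a length field followed by a fixed-size packet buffer crossing the frontend/engine privilege boundary, and shows why the engine must bound the length itself. The buffer size and function names are assumptions, and where a real engine would call fatal() this returns -1 so the outcome can be observed.

```c
#include <stdint.h>
#include <string.h>

/*
 * Added example, not dhcpleased's code. Field sizes and names are
 * assumptions; -1 stands in for the fatal() the commit makes this case.
 */
#define DHCP_PACKET_MAX 1500		/* assumed buffer size */

struct imsg_dhcp {
	uint32_t	len;			/* bytes of packet[] in use */
	uint8_t		packet[DHCP_PACKET_MAX];
};

/*
 * The engine-side check: len comes from another process, so it must be
 * bounded by the buffer before it is used to index packet[].
 */
int
imsg_dhcp_len_ok(const struct imsg_dhcp *msg)
{
	return msg->len <= sizeof(msg->packet);
}

/*
 * A consumer that walks the packet: returns the last byte, or -1 when the
 * length was rejected or is zero. Without imsg_dhcp_len_ok(), an oversized
 * len would make packet[len - 1] read past the end of the struct.
 */
int
engine_last_byte(const struct imsg_dhcp *msg)
{
	if (!imsg_dhcp_len_ok(msg) || msg->len == 0)
		return -1;
	return msg->packet[msg->len - 1];
}

/*
 * Construct a message the way a misbehaving frontend might: the claimed
 * len is stored unconditionally, while the fill is written only as far as
 * the buffer actually allows. Returns what the engine consumer sees.
 */
int
imsg_dhcp_demo(uint32_t claimed_len, uint8_t fill)
{
	struct imsg_dhcp msg;

	memset(&msg, 0, sizeof(msg));
	msg.len = claimed_len;
	if (claimed_len <= sizeof(msg.packet))
		memset(msg.packet, fill, claimed_len);
	return engine_last_byte(&msg);
}
```

The point of checking in the engine rather than only in the frontend is the one the commit makes: the frontend's validation is the first line, but a privilege-separated process must not assume its peer is still behaving, so each side validates what crosses the boundary.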
mitigate AMD Zen-2 operation cache corruption
On Zen 2, the operation cache can be used to change instructions
of a different privilege level.
https://www.amd.com/en/resources/product-security/bulletin/amd-sb-7052.html
The mitigation is setting a chicken bit in an MSR. This is not documented
publicly, even in the security bulletin. The value comes from a patch
submitted to Linux by AMD employees.
ok deraadt@ brynet@
Limit the maximum value of shminfo.shmseg to prevent `size' overflow in
sys_shmat(). The default value of 128 is safe, but overflow could happen
on a 32-bit machine when the value of shminfo.shmseg was raised too high.
Discussed with deraadt.
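The overflow the commit above guards against, as an added example in C; this is not sys_shmat()'s code. It models the `size' computation as a fixed header plus shmseg entries of a fixed size, derives the largest shmseg for which that sum still fits in a size_t of a given width, and applies that bound when shminfo.shmseg is set. The header and entry sizes, and the function names, are assumptions.

```c
#include <stdint.h>

/*
 * Added example, not sys_shmat()'s code. Header and entry sizes are
 * assumptions chosen to make the arithmetic easy to follow.
 */
#define SHMSEG_DEFAULT	128	/* the default the commit calls safe */
#define SHMMAP_HDR_SIZE	4	/* assumed header bytes */
#define SHMMAP_ENT_SIZE	8	/* assumed bytes per mapping entry */

/* Largest value a size_t of the given width can hold. */
static uint64_t
size_max_for(unsigned bits)
{
	return bits >= 64 ? UINT64_MAX : (((uint64_t)1 << bits) - 1);
}

/*
 * Highest shmseg for which SHMMAP_HDR_SIZE + shmseg * SHMMAP_ENT_SIZE still
 * fits in a size_t of 'bits' bits. Enforcing this where shminfo.shmseg is
 * set means sys_shmat() never performs a multiplication that can wrap.
 */
uint64_t
shmseg_limit(unsigned bits)
{
	return (size_max_for(bits) - SHMMAP_HDR_SIZE) / SHMMAP_ENT_SIZE;
}

/* 1 if the allocation size for nseg segments is computable without overflow. */
int
shmseg_fits(uint64_t nseg, unsigned bits)
{
	return nseg <= shmseg_limit(bits);
}

/*
 * Setter for shminfo.shmseg with the clamp: reject values that would make
 * the later size computation wrap. Returns 0 on success, -1 when rejected.
 */
int
shminfo_set_shmseg(uint64_t requested, unsigned bits, uint64_t *shmseg)
{
	if (requested == 0 || !shmseg_fits(requested, bits))
		return -1;
	*shmseg = requested;
	return 0;
}

/* Start from the default, attempt to raise it, report the value in effect. */
uint64_t
shmseg_after_request(uint64_t requested, unsigned bits)
{
	uint64_t shmseg = SHMSEG_DEFAULT;

	(void)shminfo_set_shmseg(requested, bits, &shmseg);
	return shmseg;
}
```

With the assumed sizes, a 32-bit size_t accommodates just over 536 million entries, far above the default of 128, which is why the default is safe and only a deliberately raised value reaches the overflow.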
Add const void *data to attr_optadd()
Doing this requires that attr_alloc() and attr_lookup() also use const.
For attr_alloc() this is no problem but attr_lookup() is a bit more tricky
since the data field in struct attr is deliberately not const.
So instead use CH_LOCATE and a new attr_match() function to do the lookup
with a helper type that uses const.
OK tb@
Introduce ch_ext, a struct holding the table and metadata pointers for
the extendible hash.
Doing this removes the need for handling two arrays in resize operations
and also keeps the two pointers together. The code becomes simpler and
with some reshuffling ch_table_resize() is now less problematic.
The initial allocation of the extendible table is increased from one entry
to two.
OK tb@
In the disklabel check for specific fields with value 0, and return
early before trying to check for a byte-swapped label. This avoids
a /0 in the byte-swapped partition check.
ok krw, also discussed with krw
Do not fatal in pt_fill(); instead return an error object that can never exist.
pt_fill() is in some cases used by semi-trusted content (e.g. from
bgpctl). The fatalx calls in that function are therefore a problem.
This alters pt_fill to instead return a pt_entry object that can not
exist in the tree. This error object is simply initialised with 0xff.
Also if the prefixlen is too large for the address family just clip it down
to the maximum (with a log message).
In pt_add(), the only place a pt_fill() object would be added to the tree,
check if the returned object is valid. There it is ok to fatal (at least
for now) since the code previous to pt_add() should validate the prefix.
Make some error messages uniform and switch the prefixlen argument to u_int.
OK tb@