ipfwpcap: Fix build after libpcap 1.10.6 update
pcap-int.h now references SIZEOF_TIME_T from libpcap's config.h, which
is not available to consumers of the internal header outside of the
libpcap build. Switch to the public <pcap.h> header and replace the
direct FILE* casts and ferror()/fflush() calls with pcap_dump_flush(3),
which is the correct public API for flushing a pcap dump file.
Sponsored by: The FreeBSD Foundation
(cherry picked from commit a0b3ef1952603ebf0307ca723b03e5a71598dd5a)
installer: Add download.freebsd.org to mirror list
download.freebsd.org is backed by project mirrors and a CDN, which
should benefit most users.
Sponsored by: The FreeBSD Foundation
Reviewed by: delphij (releng)
MFC after: 3 days
Differential Revision: https://reviews.freebsd.org/D54849
(cherry picked from commit 45079cdf8b517adf803db7dc7aa85e5728cfeb2f)
routing: Fix use-after-free in finalize_nhop
FIB_NH_LOG calls `nhop_get_upper_family(nh)` to read
`nh->nh_priv->nh_upper_family` for failure logging.
Call FIB_NH_LOG before freeing nh so failures are logged
without causing a panic.
MFC after: 3 days
(cherry picked from commit 7d38eb720a8d8345949986d779e785984ae19ae0)
ixgbe: Fix MRQC register value.
Focus on the MRQE field of the MRQC register, which is 4 bits wide,
and we use these 3 types of values.
- IXGBE_MRQC_RSSEN 0x1 (non VF mode)
- IXGBE_MRQC_VMDQRSS32EN 0xA (less than 33 VFs)
- IXGBE_MRQC_VMDQRSS64EN 0xB (less than 65 VFs)
If we always take a bitwise OR with IXGBE_MRQC_RSSEN,
IXGBE_MRQC_VMDQRSS32EN will never be chosen.
Select these 3 types of values for the proper case.
Signed-off-by: Yuichiro NAITO <naito.yuichiro at gmail.com>
Pull Request: https://github.com/freebsd/freebsd-src/pull/2132
(cherry picked from commit 938c076b9b0bc458a3877b52535527d37199fc09)
linuxkpi: Fix an off-by-one error in the kfifo implementation
"total" is the number of slots in the array, so wraparound needs to be
done when "first" or "last" is greater than or equal to the number of
slots.
Note that no consumers of the code are currently connected to the kernel
build.
Reported by: Stanislav Fort <stanislav.fort at aisle.com>
Reviewed by: bz, emaste
MFC after: 1 week
Differential Revision: https://reviews.freebsd.org/D56371
(cherry picked from commit 52d2fc702b85d56b35f8828fe7efca3cde0d25b7)
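Added example, not part of the commit above and not the linuxkpi source: a small ring buffer showing why the wraparound test has to be "greater than or equal to" the slot count. The struct, the function names, SLOTS and the extra guard slot are assumptions made for illustration; the guard slot lets the faulty index be observed without writing outside the array.

```c
#include <stddef.h>

#define SLOTS 4		/* constructed slot count for this example */

struct ring {
	size_t total, first, last, counter;
	int slots[SLOTS + 1];	/* +1 guard slot, only touched by the bug */
};

/* Valid indices are 0..total-1, so idx == total must already wrap. */
static size_t
wrap(size_t idx, size_t total, int fixed)
{
	return ((fixed ? idx >= total : idx > total) ? 0 : idx);
}

static int
ring_put(struct ring *r, int v, int fixed, size_t *max_idx)
{
	if (r->counter == r->total)
		return (0);			/* full */
	if (r->last > *max_idx)
		*max_idx = r->last;		/* record highest index written */
	r->slots[r->last] = v;
	r->last = wrap(r->last + 1, r->total, fixed);
	r->counter++;
	return (1);
}

static int
ring_get(struct ring *r, int *v, int fixed)
{
	if (r->counter == 0)
		return (0);			/* empty */
	*v = r->slots[r->first];
	r->first = wrap(r->first + 1, r->total, fixed);
	r->counter--;
	return (1);
}

/* Fill and drain the ring three times; return the highest index written. */
static size_t
highest_index_written(int fixed)
{
	struct ring r = { .total = SLOTS };
	size_t max_idx = 0;
	int v;

	for (int round = 0; round < 3; round++) {
		for (int i = 0; i < SLOTS; i++) ring_put(&r, i, fixed, &max_idx);
		for (int i = 0; i < SLOTS; i++) ring_get(&r, &v, fixed);
	}
	return (max_idx);
}
```

With the "greater than" test the highest index written equals SLOTS, one past the last valid slot; with "greater than or equal" it stays at SLOTS - 1.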
in_mcast: Fix a lock leak in inp_set_source_filters()
MFC after: 3 days
Reported by: Claude Opus 4.6
(cherry picked from commit bebc1a5b09e358b420077a1b5c0f85f8e7f0812f)
chore: replace {0, 0} with {DEV,KOBJ}METHOD_END
Both of the aforementioned macros have been present in FreeBSD
for well over a decade: 2009 for `KOBJMETHOD_END`; 2011 for
`DEVMETHOD_END`.
Adapt all hardcoded references of `{0, 0}` with `DEVMETHOD_END`
and `KOBJMETHOD_END` as appropriate. This helps ensure that
future adaptations to drivers following patterns documented
in driver(9) can be made more easily/without issue.
MFC after: 1 week
Differential Revision: https://reviews.freebsd.org/D55414
MFC notes:
All conflicts were dropped as they didn't apply to code in branch.
Conflicts:
sys/dev/flash/w25n.c
[7 lines not shown]
crypto/openssl: remove autogenerated files
These files contain build host paths and other configuration details
that can be regenerated via the standard vendor import process. Don't
clutter up the FreeBSD tree with these files.
Add the paths to .gitignore to prevent them from accidentally being
added in a future update.
MFC after: 1 week
Differential Revision: https://reviews.freebsd.org/D53044
Conflicts:
crypto/openssl/libcrypto.pc
crypto/openssl/libssl.pc
crypto/openssl/openssl.pc
(cherry picked from commit d271d2ce152435b14e309bd8b25f47a0f4a2040f)
OpenSSL: update build artifacts to match 3.0.16 release
The files committed match the output of the new vendor process. Much of
this involves regenerating manpages to catch up to content from the
initial 3.0 import.
This is a direct commit to stable/14.
crypto/openssl: update vendor update instructions
This change fills out the requirements for doing vendor updates,
documents the new vendor update process, and guides whoever needs to do
the next version update a bit better than the documentation did prior to
this change so everyone can pitch in with version updates a bit better.
Convert the document to Markdown while here to make it easier to
render/print out the directions in a structured format.
MFC after: 2 weeks
Differential Revision: https://reviews.freebsd.org/D53190
Conflicts:
crypto/openssl/FREEBSD-upgrade
(cherry picked from commit 08cdcff58acb2aec881e42c7f097d6492d864898)
crypto/openssl: fix importing new versions from pristine trees
Prior to this change, CC was not being passed through to Configure,
which was resulting in failures when Configure was running compiler
checks.
Pass through CC via `WRK_ENV` to Configure so the compiler is defined
properly as part of the initial build.
MFC after: 1 month
Fixes: d18058b7b850 ("crypto/openssl: apply polish to new vendor import process")
Differential Revision: https://reviews.freebsd.org/D52595
(cherry picked from commit 52c4b76d1dd385fbe33b78172e39a10749b83d13)
crypto/openssl: update from 3.0.16 to 3.0.20
### Description
This particular change contains all functional and security fixes made
between 3.0.16 and 3.0.20, with the net-resulting security issues being
the ones addressed in 3.0.20 [1] [2].
This is a direct commit to stable/14 as stable/15 and later use OpenSSL
3.5, as of writing, and thus this change could not have been merged
through main and stable/15 since the 3.0.17+ was released after :main
switched to OpenSSL 3.5.
This does not contain any merge commits as any MFV changes are banned
unless they go through :main.
### Process used when updating the component
1. Run the subtree merge command in a staging tree.
[12 lines not shown]
OpenSSL: install .pc files from the exporters subdir
The .pc files generated in the root directory are used as part of the
build; they should never be installed. Use the versions from the
exporters subdirectory--which should be installed--as the .pc files
which are distributed with FreeBSD. This avoids the need for "fixing up"
these files after the fact (see `crypto/openssl/BSDmakefile` for more
details as part of this change).
Garbage collect `secure/lib/libcrypto/Makefile.version`, et al,
as they're orphaned files. They were technically unused prior to this
change as the vendor process properly embeds the version numbers in
various files, but this commit formalizes the removal.
This correction/clarification on the .pc files will be made in an
upcoming release of OpenSSL [1].
References:
1. https://github.com/openssl/openssl/issues/28803
[6 lines not shown]
crypto/openssl: apply polish to new vendor import process
This change does the following 2 things:
- Makes the build more repeatable by isolating the environment. This
prevents bmake from leaking variables into gmake and makes the overall
process a bit more robust.
- Add debug printouts to make the process more straightforward to the
reader and whoever is doing the current vendor import.
MFC after: 1 month
Differential Revision: https://reviews.freebsd.org/D52420
(cherry picked from commit d18058b7b850c78f2ca1be746ab411c0bed5acc9)
pf: fix duplicate rule detection for automatic tables
We should look at the table name for automatic tables as well. These
are different tables, so the rules using them are (or can be) different
as well.
MFC after: 3 days
Reported by: Michael Sinatra <michael at burnttofu.net>
Sponsored by: Rubicon Communications, LLC ("Netgate")
(cherry picked from commit fb838352751767e756bd45cd2040fa464ed4de20)
pfctl: parser must not ignore error from pfctl_optimize_ruleset()
Ignoring the error may cause pfctl(8) to load an inconsistent ruleset,
preventing pf(4) from enforcing the desired policy.
Issue reported and fix suggested by berts _from_ fastmail _dot_ com
'Looks good.' @deraadt
MFC after: 1 week
Obtained from: OpenBSD, sashan <sashan at openbsd.org>, 9fd28a8cca
Sponsored by: Rubicon Communications, LLC ("Netgate")
(cherry picked from commit 343ace42f82a629374af4dc3a72da5f46f2c3feb)
crypto/openssl: make vendor imports easier/less error prone
This change adds a custom BSD makefile containing multiple high-level PHONY
targets, similar to targets provided by the ports framework.
The Makefile does the following:
- Reruns Configure with a deterministic set of arguments to ensure that
all appropriate features have been enabled/disabled in OpenSSL.
- Preens the pkgconfig files to remove duplicate paths in their
`CFLAGS` and `includedir` variables.
- Rebuilds all ASM files to ensure that the content contained is fresh.
- Rebuilds all manpages to ensure that the content contained in the
manpages is fresh.
Some additional work needs to be done to make the manpage regeneration
"operation" reproducible (the date the manpages were generated is
embedded in the files).
All dynamic configuration previously captured in
[21 lines not shown]
pf: improve SCTP validation
As per RFC5061 "4.2. New Parameter Types" the add/delete IP address
parameters (0xc001, 0xc002) may not be present in an INIT or INIT-ACK
chunk. They are only allowed to be present in an ASCONF chunk.
This also prevents unbounded recursion while parsing an SCTP packet.
Approved by: so
Security: FreeBSD-SA-26:14.pf
Security: CVE-2026-7164
PR: 294799
Reported by: Igor Gabriel Sousa e Souza
MFC after: 3 days
Sponsored by: Orange Business Services
if_tuntap: make SIOCIFDESTROY interruptible
There's no good justification to permanently hang a thread until the
tunnel can be destroyed. Make it interruptible so that the admin can
^C it and remedy the situation if something erroneously has the tunnel
open, rather than forcing them to open another shell to resolve it.
Reviewed by: markj
(cherry picked from commit 274bf7c8ae7e7b51853cd541481985f0e687f10e)
ipfw_nptv6: fix handling the ifaddr removal event
The result of IN6_ARE_MASKED_ADDR_EQUAL() macro is not an integer, so
treat it as a boolean value.
PR: 294114
Reported by: Peter Much <pmc citylink dinoex sub org>
(cherry picked from commit d9d7b59486499615a5fdce54443ce62aecf557e8)
libnv: fix heap overflow in nvlist_recv()
nvlist_check_header() validated nvlh_size for overflow before
performing conversion. A malicious user can set
NV_FLAG_BIG_ENDIAN in the header and craft nvlh_size so that
the original value passes the check, but after the conversion the
sizeof(nvlist_header) + size can overflow.
This can lead to a heap buffer overflow.
Approved by: so
Security: FreeBSD-SA-26:17.libnv
Security: CVE-2026-35547
Fixes: 36fa90dbde0060aacb5677d0b113ee168e839071
Reviewed by: markj
Differential Revision: https://reviews.freebsd.org/D56342
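Added example, not part of the commit above and not libnv's code: the validation-order issue the message describes, reduced to two functions that differ only in whether the overflow check runs before or after byte-order conversion. HDR_SIZE, swap64() and both function names are assumptions for illustration, and the size field is fixed at 64 bits so the result does not depend on the host.

```c
#include <stdbool.h>
#include <stdint.h>

#define HDR_SIZE 19u	/* constructed header length for this example */

/* Reverse the byte order of a 64-bit value. */
static uint64_t
swap64(uint64_t v)
{
	uint64_t r = 0;

	for (int i = 0; i < 8; i++, v >>= 8)
		r = (r << 8) | (v & 0xff);
	return (r);
}

/* Flawed order: the overflow check sees the unconverted wire value. */
static bool
accept_check_then_convert(uint64_t wire_size, bool swap, uint64_t *total)
{
	if (wire_size > UINT64_MAX - HDR_SIZE)
		return (false);
	uint64_t size = swap ? swap64(wire_size) : wire_size;
	*total = HDR_SIZE + size;	/* can wrap: this size was never checked */
	return (true);
}

/* Corrected order: convert first, then validate the value that is used. */
static bool
accept_convert_then_check(uint64_t wire_size, bool swap, uint64_t *total)
{
	uint64_t size = swap ? swap64(wire_size) : wire_size;

	if (size > UINT64_MAX - HDR_SIZE)
		return (false);
	*total = HDR_SIZE + size;
	return (true);
}
```

A useful regression check is that the first function can report a total smaller than HDR_SIZE for a byte-swapped header, while the second rejects the same input.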
libnv: switch fd_wait() from select(2) to poll(2)
The previous implementation used FD_SET() on a stack-allocated fd_set,
which is an out-of-bounds write whenever the socket fd is >= FD_SETSIZE
(1024).
Approved by: so
Security: FreeBSD-SA-26:16.libnv
Security: CVE-2026-39457
Reported by: Joshua Rogers of AISLE Research Team (https://aisle.com/)
Reviewed by: markj
Differential Revision: https://reviews.freebsd.org/D56689
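Added example, not part of the commit above and not libnv's code: a poll(2)-based wait that has no fd_set and therefore no FD_SETSIZE bound, exercised on a descriptor numbered at or above FD_SETSIZE. fd_wait_poll(), demo_high_fd(), the timeout parameter and the return codes are assumptions for illustration.

```c
#include <errno.h>
#include <fcntl.h>
#include <poll.h>
#include <stdbool.h>
#include <sys/select.h>
#include <unistd.h>

/* Wait until fd is readable (doread) or writable.
 * Returns 1 when ready, 0 on timeout, -1 on error. */
static int
fd_wait_poll(int fd, bool doread, int timeout_ms)
{
	struct pollfd pfd = { .fd = fd, .events = doread ? POLLIN : POLLOUT };
	int n;

	do {
		n = poll(&pfd, 1, timeout_ms);
	} while (n == -1 && errno == EINTR);
	if (n <= 0)
		return (n);
	/* POLLNVAL means fd is not an open descriptor; report an error. */
	return ((pfd.revents & POLLNVAL) ? -1 : 1);
}

/* Duplicate a pipe's read end onto a descriptor >= FD_SETSIZE and wait on it.
 * Returns fd_wait_poll()'s result, or -2 if no such descriptor could be
 * created (for example because RLIMIT_NOFILE is too low). */
static int
demo_high_fd(void)
{
	int p[2], hi, r;

	if (pipe(p) == -1)
		return (-2);
	hi = fcntl(p[0], F_DUPFD, FD_SETSIZE);	/* lowest free fd >= FD_SETSIZE */
	if (hi == -1) {
		close(p[0]);
		close(p[1]);
		return (-2);
	}
	r = (write(p[1], "x", 1) == 1) ? fd_wait_poll(hi, true, 1000) : -1;
	close(hi);
	close(p[0]);
	close(p[1]);
	return (r);
}
```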