tests/ndp: fix ndp_routeinfo_option testcase flakiness
Since we are sleeping for an indefinite period of time waiting
for the default route to appear, the expire times may be gone
past 1+ seconds, causing the Expire column to show <1800 or <600.
Fixes: f6bcc0925f0ea838da5183dc503f847e56d15cc8
Reviewed by: pouria
Approved by: lwhsu (mentor)
MFC after: 3 days
Differential Revision: https://reviews.freebsd.org/D56712
universe: emit warning instead of error for bad/missing KERNCONF
When doing a large `make universe` build with multiple KERNCONFS,
it should not be an error when a particular target has a missing
KERNCONF.
In this example,
```
$ make universe TARGETS='arm64 riscv' KERNCONFS='QEMU VIRT'
```
Currently, arm64 does not have a QEMU conf, and riscv
does not have a VIRT conf. However, this command should still
succeed instead of failing with the following message:
```
make[2]: /usr/src/Makefile:767: Target architecture for riscv/conf/VIRT unknown. config(8) likely too old.
in .for loop from /usr/src/Makefile:761 with kernel = VIRT
[13 lines not shown]
Revert "loopback: Clear hash unconditionally."
This reverts commit 2fe37927d41990abe8d1c336e75fd75873285e90.
This turns out to have been misguided. First, clearing the
hash results in all loopback ip/ip6 traffic being hashed
to the netisr queue associated with the if_index of the loopback
interface. Eg, it bottlenecks loopback traffic. When the
hash is kept, traffic is spread evenly among netisrs.
Also, it is safe to keep the hash here. The clearing was only
needed when RSS core selection is enabled; we only enabled the
consistent hashing parts of RSS globally, not the cpuid mapping
stuff. So there is no need to clear it.
Reviewed by: glebius
Sponsored by: Netflix
ipfw: fix checksum after NAT
When checksum offloading is used, IPFW needs to fix the checksum
after libalias has done NAT. The ipfw_nat() function does so, but
only for mbufs without a receiving interface. However, if, for example,
the packet was sent inside a jail that used checksum offloading over
an epair, ipfw still needs to fix the checksum even though the mbuf
has set a receiving interface (epair).
This patch just removes the check whether a receiving interface is set.
PR: 295057
Reviewed by: tuexen
Differential Revision: https://reviews.freebsd.org/D57091
(cherry picked from commit 81b47a7c604f1d563283759572fa7a1f9d4dc56f)
ipfw: fix checksum after NAT
When checksum offloading is used, IPFW needs to fix the checksum
after libalias has done NAT. The ipfw_nat() function does so, but
only for mbufs without a receiving interface. However, if, for example,
the packet was sent inside a jail that used checksum offloading over
an epair, ipfw still needs to fix the checksum even though the mbuf
has set a receiving interface (epair).
This patch just removes the check whether a receiving interface is set.
PR: 295057
Reviewed by: tuexen
MFC after: immediately
Differential Revision: https://reviews.freebsd.org/D57091
ipfw: fix checksum after NAT
When checksum offloading is used, IPFW needs to fix the checksum
after libalias has done NAT. The ipfw_nat() function does so, but
only for mbufs without a receiving interface. However, if, for example,
the packet was sent inside a jail that used checksum offloading over
an epair, ipfw still needs to fix the checksum even though the mbuf
has set a receiving interface (epair).
This patch just removes the check whether a receiving interface is set.
PR: 295057
Reviewed by: tuexen
Differential Revision: https://reviews.freebsd.org/D57091
(cherry picked from commit 81b47a7c604f1d563283759572fa7a1f9d4dc56f)
ping6: convert receive loop from pselect(2) to ppoll(2)pselect(2) might overflow if the desciptor number is above
FD_SETSIZE and silently corrupt the stack. Switch to ppoll(2) so
the receive socket fd is no longer constrained by FD_SETSIZE.
Reported by: Joshua Rogers of AISLE Research Team
Reviewed by: markj
MFC after: 7 days
Differential Revision: https://reviews.freebsd.org/D56721
15.1: Bump version to BETA3-p1
Since we had a conveniently timed batch of security issues, I'm going
to use this opportunity to test pkgbase update tooling.
Approved by: re (cperciva)
netstat(1): Show metric value for routes
Add metric support and show its value in wide flag and
libxo output.
Also, add metric to the description of wide flag (`-w`) in
routing display (`-r`) section of manual page.
Reviewed by: markj (manpage)
Discussed with: markj
Differential Revision: https://reviews.freebsd.org/D57011
netlink: Add RTA_PRIORITY support (metric)
* Use our new 32-bit metric for RTA_PRIORITY support.
* Update snl library for new RTA_PRIORITY support.
* return RTA_PRIORITY for both MPATH and non-MPATH routes.
Reviewed by: glebius (previous version)
Discussed with: markj
Differential Revision: https://reviews.freebsd.org/D56323
routing: Add support for metric
In our routing stack implementation, metric is an attribute
of the nexthop, not the route itself.
Store metric in nhop_priv which is control-plane data of
nexthop, filter the nexthops by metric and populate the mpath
slots in nexthop group with only the lowest metric nexthops
for use in the forwarding path.
`cmp_priv()` compares nhops based on priv hash.
Add metric compare logic to it and only return nexthops
with different metrics if the input nexthop's metric is
zero (wildcard).
Also, add support for metric via rtsock by introducing rmx_metric.
Finally, remove the upper 8-bit reservation of weight for
administrative distance.
Reviewed by: adrian
[3 lines not shown]
bsdconfig: Make sure that SSID names are properly escaped
The f_menu_wpa_scan_results() function returns a list of networks
discovered by a scan. The untrusted network names are evaluated in
f_dialog_menu_wireless_edit. The quoting applied in
f_menu_wpa_scan_results() protects against evaluation of something like
"$(whoami)" but one can add single quotes to defeat that.
Pass the SSID names through f_shell_escape to work around this. Escape
single quotes in f_dialog_wireless_edit() and f_menu_wireless_configs()
too for consistency.
I note that this module doesn't seem to actually work, see e.g.,
bugzilla PR 229883.
Approved by: so
Security: FreeBSD-SA-26:23.bsdinstall
Security: CVE-2026-45255
Reported by: Austin Ralls
[2 lines not shown]
libcasper: switch from select(2) to poll(2)
The previous implementation used FD_SET() on a stack-allocated fd_set,
which is an out-of-bounds write whenever the socket fd is >= FD_SETSIZE
(1024).
poll(2) takes an array indexed by slot rather than by fd value, so it
has no FD_SETSIZE limit.
Approved by: so
Security: FreeBSD-SA-26:22.libcasper
Security: CVE-2026-39461
Reported by: Joshua Rogers
Reviewed by: markj
Differential Revision: https://reviews.freebsd.org/D56695
fusefs: Handle buggy servers' LISTXATTR response
The fuse protocol requires server to respond to LISTXATTR with a
NUL-terminated string. If they don't, report an error rather than
attempt to scan through uninitialized memory for a NUL.
Approved by: so
Security: FreeBSD-SA-26:20.fusefs
Security: CVE-2026-45252
admbugs: 1039
Reported by: Joshua Rogers
Sponsored by: ConnectWise
procdesc: Make sure to drain selinfo sleepers in procdesc_free()
Otherwise they are left on a freed list after procdesc_free() is called.
This can be exploited to elevate privileges.
Remove the PDF_SELECTED micro-optimization. doselwakeup() is a no-op if
no one ever called selrecord() on the file description, so I see no
reason to complicate the code to avoid the call.
Add some regression tests.
Approved by: so
Security: FreeBSD-SA-26:19.file
Security: CVE-2026-45251
Reported by: 75Acol, Lexpl0it, fcgboy, and robinzeng2015
Reviewed by: kib, oshogbo
Fixes: cfb5f7686588 ("Add experimental support for process descriptors")
Differential Revision: https://reviews.freebsd.org/D56887
setcred: Fix buffer overflow
Since groups is a pointer to a pointer to an array of gid_t, we should
use sizeof(**groups) or sizeof(gid_t) when calculating how much to
allocate and copy in. We were using sizeof(*groups) instead, which
meant that on 64-bit platforms, we would allocate and copy in twice as
much as we should. Unfortunately, in the smallgroups case, we copy
into a preallocated buffer which has the correct size, which means that
if sc_supp_groups_nb >= CRED_SMALLGROUPS_NB / 2, we overflow smallgroups.
This is a direct commit to stable/14.
Approved by: so
Security: FreeBSD-SA-26:18.setcred
Reported by: Ryan of Calif.io
Fixes: ddb3eb4efe55 ("New setcred() system call and associated MAC hooks")
bsdinstall: Avoid invoking eval on the wlan SSID list
The wlanconfig utility is not careful about handling untrusted network
names, which can contain shell metacharacters. Factor network selection
into a subroutine and use the `set -- "$@"` trick to build up a list of
positional parameters for bsddialog without evaluating them.
Approved by: so
Security: FreeBSD-SA-26:23.bsdinstall
Security: CVE-2026-45255
Reported by: Austin Ralls
Reviewed by: dteske, des, asiciliano
Differential Revision: https://reviews.freebsd.org/D56973
