reject CR and LF in argv-derived fields before starting the SMTP dialogue
enqueue interpolates the sender, recipients and DSN options straight into
MAIL FROM / RCPT TO command lines. an embedded CR or LF split the command
boundary and injected additional SMTP commands over the local session, so
refuse any such field up front.
from Andrew Griffiths (fixed by me), ok op@
free the copied envelope on the smarthost lookup failure path
mta_on_smarthost() frees the malloc'd envelope on success, but the
smarthost == NULL branch tempfailed the message and returned without
freeing it, leaking a struct envelope per failed lookup.
from Andrew Griffiths, ok op@
free mda_subaddress in mda_envelope_free()
mda_envelope() duplicates the subaddress with xstrdup() when present but
mda_envelope_free() never released it, leaking one bounded string per
subaddressed local delivery.
from Andrew Griffiths, ok op@
use inflateEnd() to tear down the inflate stream in uncompress_gzip_chunk()
the decompression path sets up the stream with inflateInit2() but the
cleanup block called deflateEnd(), mismatching the zlib inflate/deflate
APIs and leaking the stream state on every gzip queue read.
from Andrew Griffiths, ok op@
stop parsing DNS answers once unpack_rr() reports failure
the MX, MX-preference and spf walkers looped on the attacker-controlled
ancount calling unpack_rr() without checking its return, processing stale
or uninitialized rr contents on malformed or truncated replies. break out
of the loop as soon as unpack_rr() fails.
from Andrew Griffiths, ok op@
sysv: Recheck message queue limit after malloc
que_create() allocates with M_WAIT and may sleep after sys_msgget()
checks num_ques against msgmni. The kernel lock is released while the
thread sleeps, allowing concurrent creators to pass the same check and
exceed the queue limit.
OK: mvs@
sysv: Use zero-based message queue indices
que_ix starts at one, while KERN_SYSVIPC_MSG_INFO allocates msgmni
entries and uses que_ix directly as an array index. The last permitted
queue therefore makes sysctl_sysvmsg() copy one struct msqid_ds past the
allocation, which KASAN detects.
OK: mvs@
IPComp decompression must not overflow mbuf cluster.
Check after decompressing an IPComp packet, that the content fits
into a mbuf cluster. m_copyback() assumes that it can allocate a
single mbuf cluster to enlarge the mbuf chain. That means the
decompressed data must not exceed MAXMCLBYTES. Prevent panic:
m_clget: request for 67948 byte cluster.
reported by Homura Akemi, SecBuddyF, Tencent KeenLab; OK mvs@
IPsec AH must contain replay counter.
Before reading the replay counter from packet header in ah_input(),
make sure that the mbuf is long enough. Prevents panic: m_copydata:
null mbuf.
reported by Homura Akemi, SecBuddyF, Tencent KeenLab; OK mvs@
Move SysV sysctl(2) handlers out of sysctl_vslock(). They don't need to
wire userland pages, but have sleeping malloc() calls which could block
the locked sysctl(2) paths. Introduce rwlocks to serialize access to
`seminfo' and `shminfo' respectively. The whole SysV IPC layer relies on
kernel lock, but sysctl_sysvsem() and sysctl_sysvshm() paths have
context switch requires the extra serialization.
Joint work with and OK from kirill.
Update HTTP::Tiny to 0.096
This is mostly to pick up the fix for CVE-2026-7017 since we already
had the fixes for the earlier bugs. However, applying the patches
just for the fix was being painful so instead pull in the full update.
vmd(8): fix qcow2 refcounts on lazy allocated refcnt blocks.
Lazy-allocated refcount blocks, such as those created when growing the
disk past 2 GiB, should have refcount initialized to 1. While the disk
is functional, operations on the metadata (such as resizing) fail as
the reference counting is corrupt.
From Chris Cunningham.
"looks right to me" from @ori (original author of vioqcow2.c)
Use ENTRY_NB() for sig{set,long}jmp
Like on arm, the END_WEAK() trigger "changed binding to STB_WEAK"
warnings on sparc64 when compiled with clang.
ok kettenis
Encrypt swap pages "inline" instead of going through a bounce buffer. This
means we no longer need to reserve bounce pages for the pagdaemon. Instead
we can use the complete set of psegs to swap out pages. Note that there is
another important consequence of this diff. Before the old page remaines
unencrypted and on the inactive queue, where it will sit until the
pagedaemon runs again and kills it. With this diff, pages will be freed
as soon as the I/O completes. This is probably an improvement in itself.
This is simplified version of a diff posted by mpi@ earlier this year.
These simplifications were possible because we no longer bounce pages to
meet DMA constraints in the swap code.
ok deraadt@
Restructure the SSHFP test in preparation for adding other key types:
- change the DNS names to be rsa.* for the existing RSA fingerprints.
- verify that all required SSHFP records exist in DNS.
- only run the RSA tests if the build supports RSA.
Change the fusefs_node i_ump member name to i_fmp to better reflect
that it is a struct fusefs_mount pointer and not a struct ufsmount
pointer. There is also no need to cast it each time.
OK claudio@
Replace the notification system with events. Events can carry a payload of
additional payload (to reduce problems with lifetime of objects) and are
delivered to one or more event sinks. This is more powerful and reduces the
complex dependencies between control mode and hooks. Events are now used for
hooks, control mode notifications and for monitors (set-hook -B).
wait-for can now wait for an event to fire (-E flag, with -F to for filter),
with -v to print the payload, as well as listing (-l) waiting clients on an
event and forcing one to wake (-w).
A few additional hooks are also now available (pane-created, pane-resized, etc)
and some of the existing ones have additional format variables available.