Prevent integer overflow in regex repetition count
Limit the repetition count to 255 like POSIX does. Also avoid a
crash when the repetition is the first atom parsed.
From Renaud Allard.
relayd: error check bsearch in relay_httperror_byid()
If relay_httperror_byid() is passed a HTTP error code not in the table
this would result in a NULL deref. The intent is that the code fall back
to "Unknown error" on NULL return.
From Jan Schreiber
sys/iwx: align antenna patterns and STBC with iwlwifi
Follow iwlwifi for antenna pattern and STBC advertisement. Advertise RX
antenna pattern only when RX is effectively 1x1; advertise HT and VHT
STBC unconditionally, and VHT TX antenna pattern only when TX is
effectively 1x1, and program the firmware TLC STBC flag when the peer
advertises RX STBC and the device has more than one valid TX antenna.
OK: stsp@
move username validity check for usernames specified on the
commandline to earlier in main(), specifically before some
contexts where a username with shell characters might be
expanded by a %u directive in ssh_config.
We continue to recommend against using untrusted input on
the SSH commandline. Mitigations like this are not 100%
guarantees of safety because we can't control every
combination of user shell and configuration where they are
used.
Reported by Florian Kohnhäuser
correctly match ECDSA signature algorithms against algorithm
allowlists: HostKeyAlgorithms, PubkeyAcceptedAlgorithms and
HostbasedAcceptedAlgorithms.
Previously, if any ECDSA type (say "ecdsa-sha2-nistp521") was
present in one of these lists, then all ECDSA algorithms would
be permitted.
Reported by Christos Papakonstantinou of Cantina and Spearbit.
when downloading files as root in legacy (-O) mode and without the
-p (preserve modes) flag set, clear setuid/setgid bits from
downloaded files as one might expect.
AFAIK this bug dates back to the original Berkeley rcp program.
Reported by Christos Papakonstantinou of Cantina and Spearbit.
Fix possible sshd crash when sshd_config set MaxStartups to a
value <10 using the single-argument form of MaxStartups (e.g.
MaxStartups=3). This doesn't affect the three-argument form
of the directive (e.g. MaxStartups 3:20:5).
Patch from Peter Kaestle via bz3941
Add SA state check for CREATE_CHILD_SA exchange, similar to what we do
for INFORMATIONAL exchanges. iked currently assumes that IKE_AUTH always
results in valid child SAs, so IKEV2_STATE_ESTABLISHED means we have
successfully completed the IKE_AUTH exchange for the SA.
Independently found by Dirk Loss and Daniel Polak (SYS.nl)
from tobhe@; ok and discussed with markus@ stsp@
Add ikev2_validate_ef() to validate fragment payload header size field
as we do for other IKEv2 payloads.
Reported by Dirk Loss
from tobhe@; ok markus@
iked only ever handles one exchange at a time so we can drop the
entire fragment queue instead of doing a lookup based on the msgid
Found by Dirk Loss
from tobhe@; ok markus@ hshoexer@
[11 lines not shown]
Add SA state check for CREATE_CHILD_SA exchange, similar to what we do
for INFORMATIONAL exchanges. iked currently assumes that IKE_AUTH always
results in valid child SAs, so IKEV2_STATE_ESTABLISHED means we have
successfully completed the IKE_AUTH exchange for the SA.
Independently found by Dirk Loss and Daniel Polak (SYS.nl)
from tobhe@; ok and discussed with markus@ stsp@
Add ikev2_validate_ef() to validate fragment payload header size field
as we do for other IKEv2 payloads.
Reported by Dirk Loss
from tobhe@; ok markus@
iked only ever handles one exchange at a time so we can drop the
entire fragment queue instead of doing a lookup based on the msgid
Found by Dirk Loss
from tobhe@; ok markus@ hshoexer@
[11 lines not shown]
If we receive a response it must have the exact same msgid as the last
request we sent, so make sure they match exactly rather than allowing
higher msgids.
We can't handle out of order responses and if we don't receive a response
in time we retransmit our request until we get one or run into a timeout.
Found by Dirk Loss
ok markus@ hshoexer@
iked only ever handles one exchange at a time so we can drop the
entire fragment queue instead of doing a lookup based on the msgid
Found by Dirk Loss
ok markus@ hshoexer@
