OpenBSD/src bvG9qow usr.bin/ssh ssh-agent.c

   ssh-agent: add -V to usage()

   ok djm
Version  Delta  File
1.327  +3 -2  usr.bin/ssh/ssh-agent.c
+3 -2  1 files

OpenBSD/src 55WGWtj sys/dev/pci if_mwxreg.h

   add RCS id

   ok claudio@
Version  Delta  File
1.7  +1 -0  sys/dev/pci/if_mwxreg.h
+1 -0  1 files

OpenBSD/src 37u2imi sys/dev/pci if_mwx.c

   In mt7921_e_mcu_fw_pmctrl(), val and mask were swapped.
   Use PCIE_LPCR_HOST_OWN_SYNC for both to make the intent clear.

   ok claudio@
Version  Delta  File
1.10  +2 -2  sys/dev/pci/if_mwx.c
+2 -2  1 files

OpenBSD/src mt7HRSN usr.bin/ssh/ssh-agent Makefile

   use "ssh-agent -V" to test the binary is functional after relinking
   requested deraadt@
Version  Delta  File
1.43  +2 -2  usr.bin/ssh/ssh-agent/Makefile
+2 -2  1 files

OpenBSD/src BgejGxa usr.bin/ssh ssh-agent.c ssh-agent.1

   add a -V flag to print the version, but mostly as a way to check
   the binary is functional; ok deraadt@
Version  Delta  File
1.326  +7 -2  usr.bin/ssh/ssh-agent.c
1.87  +6 -2  usr.bin/ssh/ssh-agent.1
+13 -4  2 files

OpenBSD/src g91CPCi usr.sbin/smtpd lka.c

   clear userinfo before sending over imsg.
   This is not an issue by itself but it weakens compartmentalization and may assist
   lateral movement inside the privsep environment after another bug.

   diff by Stuart Thomas <stuart.thomas at triageforge.co.uk>
Version  Delta  File
1.252  +4 -1  usr.sbin/smtpd/lka.c
+4 -1  1 files

OpenBSD/src dDmLO4o usr.sbin/smtpd mproc.c

   Reject oversized sockaddr payloads received over privsep IPC.
   This is not an issue on its own but may permit lateral movement or memory corruption
   inside the privsep environment after another bug.

   diff by Stuart Thomas <stuart.thomas at triageforge.co.uk>
Version  Delta  File
1.49  +3 -1  usr.sbin/smtpd/mproc.c
+3 -1  1 files

OpenBSD/src QCkwGbQ usr.sbin/smtpd queue_backend.c

   Zero the temporary envelope parsing buffers before use.

   While current parsing paths do not expose uninitialized data, keeping stack residue
   in these transient buffers unnecessarily weakens compartmentalization and may aid
   lateral movement inside the privsep environment after another bug.

   The diff also fixes a theoretical double close race bug which can't really happen in
   smtpd due to requiring concurrency in our single threaded event loop, and which would
   have very limited reliability impact if it was triggered (forcing a mail to fail on a
   schedule tick and be retried at next tick). This is still incorrect so let's avoid a
   copy of this code in more problematic places.

   diff by Stuart Thomas <stuart.thomas at triageforge.co.uk>
Version  Delta  File
1.70  +5 -1  usr.sbin/smtpd/queue_backend.c
+5 -1  1 files

OpenBSD/src KHp6LrO usr.sbin/smtpd smtp_session.c

   Ensure pending asynchronous lookups do not retain dangling smtp_session references after teardown.

   This is mainly a robustness fix inside the privsep model:
   stale references may permit lateral effects between smtpd processes after another compromise.


   diff by Stuart Thomas <stuart.thomas at triageforge.co.uk>
Version  Delta  File
1.449  +16 -1  usr.sbin/smtpd/smtp_session.c
+16 -1  1 files

OpenBSD/src QAY3qAJ usr.sbin/smtpd crypto.c

   validate encrypted queue buffer sizes before processing auth tag and IV data:
   current callers already treat malformed input as a decrypt failure but rejecting
   truncated buffers earlier makes boundary conditions more explicit.

   diff by Stuart Thomas <stuart.thomas at triageforge.co.uk>
Version  Delta  File
1.11  +5 -3  usr.sbin/smtpd/crypto.c
+5 -3  1 files

OpenBSD/src wIpLUk8 sys/netinet ip_input.c

   Pass correct argument to m_tag_delete() in ip_srcroute()

   When the ip_srcroute function was redone to follow what FreeBSD did
   the m_tag_delete() call was not correctly adjusted. In FreeBSD the
   tag data structs always start with a struct m_tag while in OpenBSD
   this wrapping is not done.

   ip_srcroute is disabled by default and nobody sane turns it on.

   From a report by Frank Denis
   OK dlg@ deraadt@
Version  Delta  File
1.428  +2 -2  sys/netinet/ip_input.c
+2 -2  1 files

OpenBSD/src mNjTzce sys/netinet6 dest6.c

   Correct ICMPv6 parameter problem in IPv6 destination option.

   If the destination option is placed in a different mbuf than the
   IPv6 header, the calculation of the parameter problem offset was
   wrong.

   found by Quarkslab Vulnerability Reports
   OK deraadt@
Version  Delta  File
1.25  +2 -2  sys/netinet6/dest6.c
+2 -2  1 files

OpenBSD/src 28h7qqz sys/conf newvers.sh

   7.9-stable
Version  Delta  File
1.215.2.1  +3 -3  sys/conf/newvers.sh
+3 -3  1 files

OpenBSD/src xs2V2o5 sys/dev/fdt rkcomphy.c

   Add missing break.

   From Jan Schreiber
Version  Delta  File
1.5  +2 -1  sys/dev/fdt/rkcomphy.c
+2 -1  1 files

OpenBSD/src mMOphNZ usr.bin/lex nfa.c

   Fix signed integer overflow in repetition count

   OK tb@
Version  Delta  File
1.15  +4 -1  usr.bin/lex/nfa.c
+4 -1  1 files

OpenBSD/src 4Y4q3Lw distrib/sets/lists/comp md.armv7

   sync
Version  Delta  File
1.37  +0 -1  distrib/sets/lists/comp/md.armv7
+0 -1  1 files

OpenBSD/src iGQchf7 sys/ufs/ufs ufs_vnops.c

   sys/ufs: make ufs_readdir() use UFS_BUFATOFF()

   Read directory data through UFS_BUFATOFF() instead of routing the
   operation through VOP_READ() into a temporary kernel buffer; this keeps
   directory entry decoding on the buffer cache path, bounds each transfer
   by the buffer size, file size, and caller supplied count, and releases
   each buffer after complete entries are converted.

   Since VOP_READ() no longer provides the access time side effect, mark
   IN_ACCESS under the same MNT_NOATIME rule used by ffs_read().

   OK: deraadt@
Version  Delta  File
1.165  +88 -61  sys/ufs/ufs/ufs_vnops.c
+88 -61  1 files

OpenBSD/src EW7LAWF sys/dev/ic qwz.c qwzvar.h, sys/dev/pci if_qwz_pci.c

   sys/qwz: add AMPDU callbacks

   Add the same BlockAck task and AMPDU callback plumbing used by qwx.

   This wires net80211 ADDBA/DELBA handling into the existing qwz RX
   TID/reorder setup code, while leaving TX aggregation to firmware as qwx.

   OK: stsp@
Version  Delta  File
1.38  +113 -3  sys/dev/ic/qwz.c
1.18  +16 -1  sys/dev/ic/qwzvar.h
1.13  +5 -1  sys/dev/pci/if_qwz_pci.c
+134 -5  3 files

OpenBSD/src cRmWGzl sys/dev/ic qwz.c qwzreg.h, sys/dev/pci if_qwz_pci.c

   sys/qwz: add 802.11n with 40MHz width

   OK: stsp@
Version  Delta  File
1.37  +48 -9  sys/dev/ic/qwz.c
1.12  +3 -3  sys/dev/pci/if_qwz_pci.c
1.16  +2 -1  sys/dev/ic/qwzreg.h
+53 -13  3 files

OpenBSD/src sOrZxC4 usr.bin/sndiod sndiod.c dev.c

   sndiod: Make the device sample rate and buffer sizes global
Version  Delta  File
1.55  +23 -27  usr.bin/sndiod/sndiod.c
1.135  +10 -9  usr.bin/sndiod/dev.c
1.55  +3 -6  usr.bin/sndiod/dev.h
1.21  +3 -3  usr.bin/sndiod/sndiod.8
+39 -45  4 files

OpenBSD/src mAl6jJO sys/arch/riscv64/riscv64 locore.S exception.S

   Our kernel uses the medany code model, so we don't need the GP in the
   kernel.  GP relaxation requires the medlow code model, which we don't want
   because it will limit future kernel address space randomization.

   Should fix linking the riscv64 kernel with llvm 22.

   ok jca@
Version  Delta  File
1.22  +1 -25  sys/arch/riscv64/riscv64/locore.S
1.11  +1 -6  sys/arch/riscv64/riscv64/exception.S
+2 -31  2 files

OpenBSD/src TeIWtNT etc rc

   the relink binaries are always a .tar file.  scan for them using
   find, rather than having to list them.  This will make it easier
   to add new ones.
   help from jsg
Version  Delta  File
1.589  +3 -3  etc/rc
+3 -3  1 files

OpenBSD/src uRhLgVZ sbin/iked ocsp.c

   iked: Avoid NULL-deref in ocsp_connect_finish()

   Several error paths in ocsp_connect() can call ocsp_connect_finish()
   with oc == NULL.  This will result in a NULL-deref.  To recover
   gracefully the child requesting the OCSP file descriptor needs to
   be notified, otherwise the stale request will exist in the child
   forever.  To accomplish this, provide struct iked_sahdr *sh directly
   to ocsp_connect_finish() as a parameter.  So sh is guaranteed to
   be valid even when oc is NULL.

   While there, avoid a potential double-free on oc_path when a strdup(3)
   fails.

   ok tobhe@
Version  Delta  File
1.26  +11 -9  sbin/iked/ocsp.c
+11 -9  1 files

OpenBSD/src I9W4RXC usr.sbin/unbound configure config.h.in, usr.sbin/unbound/daemon daemon.c

   merge unbound 1.25.1
Version  Delta  File
1.62  +2,287 -2,810  usr.sbin/unbound/configure
1.5  +432 -125  usr.sbin/unbound/doc/unbound.conf.rst
1.56  +405 -134  usr.sbin/unbound/doc/unbound.conf.5.in
1.57  +514 -0  usr.sbin/unbound/doc/Changelog
1.37  +211 -186  usr.sbin/unbound/config.h.in
1.29  +308 -18  usr.sbin/unbound/daemon/daemon.c
+4,157 -3,273  86 files not shown
+7,019 -4,111  92 files

OpenBSD/src 7Nx7ybb usr.sbin/unbound configure config.h.in, usr.sbin/unbound/daemon daemon.c

   import unbound 1.25.1
Version  Delta  File
1.1.1.43  +2,310 -2,833  usr.sbin/unbound/configure
1.1.1.43  +411 -147  usr.sbin/unbound/doc/unbound.conf.5.in
1.1.1.3  +385 -137  usr.sbin/unbound/doc/unbound.conf.rst
1.1.1.39  +514 -0  usr.sbin/unbound/doc/Changelog
1.1.1.34  +211 -186  usr.sbin/unbound/config.h.in
1.1.1.27  +308 -18  usr.sbin/unbound/daemon/daemon.c
+4,139 -3,321  111 files not shown
+7,393 -4,205  117 files

OpenBSD/src po9AufD regress/lib/libcrypto/x509 constraints.c

   Fix test_valid_uri() by passing the correct entry to strlen().
Version  Delta  File
1.20  +2 -2  regress/lib/libcrypto/x509/constraints.c
+2 -2  1 files

OpenBSD/src eMEQBjd lib/libc/asr res_send_async.c

   Ensure asr's sockets are close-on-exec to avoid a potential leak into children.

   ok jca brynet
Version  Delta  File
1.42  +2 -2  lib/libc/asr/res_send_async.c
+2 -2  1 files

OpenBSD/src EUYSrLy sys/arch/arm64/conf GENERIC

   Enable samsabi(4).

   ok kettenis@
Version  Delta  File
1.317  +2 -1  sys/arch/arm64/conf/GENERIC
+2 -1  1 files

OpenBSD/src WakBgwB share/man/man4 samsabi.4 Makefile

   Add man page for the new samsabi(4) driver.

   ok kettenis@
Version  Delta  File
1.1  +72 -0  share/man/man4/samsabi.4
1.880  +2 -2  share/man/man4/Makefile
+74 -2  2 files

OpenBSD/src 9EU4sUd sys/dev/i2c samsabi.c files.i2c

   Add samsabi(4), a driver for the Samsung Advanced BIOS Interface (SABI),
   a vendor command interface of the embedded controller found in Samsung
   laptops.

   For now we support keyboard backlight control, as tested on the Samsung
   Galaxy Book4 Edge.

   Feedback and ok kettenis@
Version  Delta  File
1.1  +281 -0  sys/dev/i2c/samsabi.c
1.76  +6 -1  sys/dev/i2c/files.i2c
+287 -1  2 files