rtnetlink: Align RTA_MULTIPATH length validation in nlattr_get
Fix length validation of RTA_MULTIPATH attributes in
nlattr_get_multipath() by making sure the user request is aligned.
PR: 295102
Reported by: Robert Morris <rtm at lcs.mit.edu>
Reviewed by: markj
Fixes: 7e5bf68495cc ("netlink: add netlink support")
MFC after: 3 days
Differential Revision: https://reviews.freebsd.org/D56963
(cherry picked from commit 4329663a861ef74796b79b6b0872cfe10d31c591)
(cherry picked from commit 2c6617658f0cabb1e83a47da02882454e4210bd9)
pf: do not reject rules with colliding hashes
We insert rules in pf_krule_global solely for the benefit of the
'keepcounters' feature. Failing to insert (because the rule hash
collides, or an identical rule already exists) would be worse than
restoring counts to the wrong rule (or failing to restore them at all).
PR: 282863, 294860, 294859, 294858
MFC after: 3 days
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D56745
(cherry picked from commit a0e4c65f1814a7a677364dc29bb703f84323d175)
pfsync: reject invalid SCTP states
SCTP states should always have a src scrub object associated with them.
Crafted pfsync packets might not have this, leading to us dereferencing a
NULL pointer on cleanup.
Validate the pfsync state insertion packet to make sure this is correct.
PR: 294989
MFC after: 1 week
Sponsored by: Rubicon Communications, LLC ("Netgate")
(cherry picked from commit bf6d00afdb6171ba04a1c5a7fde904cde87d212d)
routing: Initialize V_rt_numfibs earlier during boot
V_rt_numfibs can be set at compile time (with the ROUTETABLES kernel
config option) or boot time (with the net.fibs tunable).
vnet_rtables_init(), running during SI_PROTO_DOMAIN, was checking the
tunable and updating V_rt_numfibs accordingly, but that means that
earlier SYSINITs, such as vnet_mroute_init(), see the compile-time value
for V_rt_numfibs before it gets corrected in vnet_rtables_init().
Fix this by initializing V_rt_numfibs earlier, so that SYSINITs are less
likely to use the wrong value.
Add a comment describing the weird, preexisting semantics of resetting
rt_numfibs to 1 in VNET jails.
PR: 294510
Reviewed by: glebius, zlei, pouria
MFC after: 1 week
Differential Revision: https://reviews.freebsd.org/D56473
[2 lines not shown]
routing: Use a better error number in sysctl_fibs()
ENOTCAPABLE is for capsicum and its use here is inappropriate. In
particular, note that syscallret() treats this value specially.
Reviewed by: glebius, pouria, zlei
MFC after: 1 week
Differential Revision: https://reviews.freebsd.org/D56481
(cherry picked from commit 8de0fc10a1c2d65bdb39eff862266ab1f87902c8)
if_vxlan: Update *m0 after a pullup
vxlan_input()'s caller is supposed to free *m0 if it is non-NULL after
the function returns. vxlan_input() failed to update *m0 after the
pullup however, so if it hits an error case after the pullup, we'll free
the mbuf twice. Currently this can happen only if the interface is
brought down or due to a packet loop.
Reported by: Yuxiang Yang, Yizhou Zhao, Xuewei Feng, Qi Li, and Ke Xu from Tsinghua University using GLM5.1 from Z.ai
Reviewed by: pouria, zlei
MFC after: 1 week
Differential Revision: https://reviews.freebsd.org/D56944
(cherry picked from commit a6c4fe2d1a38885914b1c3e85508b965ccdb7874)
igmp: Avoid leaving dangling pointers in the state-change queue
When igmp_v3_merge_state_changes() is iterating over state-change
packets, there is a case where it'll free a queued packet but will fail
to remove it from the queue. Fix that.
Reported by: Yuxiang Yang, Yizhou Zhao, Xuewei Feng, Qi Li, and Ke Xu from Tsinghua University using GLM5.1 from Z.ai
Reviewed by: pouria, glebius
MFC after: 1 week
Differential Revision: https://reviews.freebsd.org/D56947
(cherry picked from commit beab4a237a45aea809e81802b9e1e9ff30f3d929)
ipfw: fix checksum after NAT
When checksum offloading is used, IPFW needs to fix the checksum
after libalias has done NAT. The ipfw_nat() function does so, but
only for mbufs without a receiving interface. However, if, for example,
the packet was sent inside a jail that used checksum offloading over
an epair, ipfw still needs to fix the checksum even though the mbuf
has set a receiving interface (epair).
This patch just removes the check whether a receiving interface is set.
PR: 295057
Reviewed by: tuexen
Differential Revision: https://reviews.freebsd.org/D57091
(cherry picked from commit 81b47a7c604f1d563283759572fa7a1f9d4dc56f)
if_ovpn.c: fix use of uninitialized variable
In case we use OVPN_CIPHER_ALG_NONE, the memcpy will attempt to copy 0
bytes from an uninitialized pointer. While the memcpy() implementation
will treat this as a no-op and not actually dereference the undefined
variable it is still undefined behaviour to the compiler and should be
fixed. Found by building with clang HEAD.
Reviewed by: kp
MFC after: 1 week
Differential Revision: https://reviews.freebsd.org/D52543
(cherry picked from commit 969be39fb3caf4272f128dbf3267ceba5966a6ce)
netmap: silence -Wdefault-const-init-field-unsafe warning
The netmap_ring struct starts with various const members and recent
clang warns about leaving them uninitialized. Having them const in the
first place is highly suspicious since they are updated with various
macros but using hand-coded __DECONST(). But fixing that is a more
invasive change that I am unable to test.
```
.../freebsd/sys/dev/netmap/netmap_kloop.c:320:21: error: default initialization of an object of type 'struct netmap_ring' with const member leaves the object uninitialized [-Werror,-Wdefault-const-init-field-unsafe]
320 | struct netmap_ring shadow_ring; /* shadow copy of the netmap_ring */
| ^
.../freebsd/sys/net/netmap.h:290:16: note: member 'buf_ofs' declared 'const' here
290 | const int64_t buf_ofs;
| ^
```
Test Plan: Compiles
[5 lines not shown]
cap_net: do not allow new limits to drop keys from the old ones
If the old limit had family/hosts/sockaddr set, the new limit must
have them too. Before, a missing key in the new limit was treated as
"allow any", which let a caller silently extend their limits.
Approved by: so
Security: FreeBSD-SA-26:24.cap_net
Security: CVE-2026-45254
Reported by: Joshua Rogers of AISLE Research Team
Reviewed by: markj
MFC after: 1 day
Differential Revision: https://reviews.freebsd.org/D56991
(cherry picked from commit d705a519525f2acae3c1efba11436ec6ee8aea0a)
(cherry picked from commit b79faca1c5964d89c125d02de35928b733041f3f)
bsdconfig: Make sure that SSID names are properly escaped
The f_menu_wpa_scan_results() function returns a list of networks
discovered by a scan. The untrusted network names are evaluated in
f_dialog_menu_wireless_edit. The quoting applied in
f_menu_wpa_scan_results() protects against evaluation of something like
"$(whoami)" but one can add single quotes to defeat that.
Pass the SSID names through f_shell_escape to work around this. Escape
single quotes in f_dialog_wireless_edit() and f_menu_wireless_configs()
too for consistency.
I note that this module doesn't seem to actually work, see e.g.,
bugzilla PR 229883.
Approved by: so
Security: FreeBSD-SA-26:23.bsdinstall
Security: CVE-2026-45255
Reported by: Austin Ralls
[2 lines not shown]
bsdinstall: Avoid invoking eval on the wlan SSID list
The wlanconfig utility is not careful about handling untrusted network
names, which can contain shell metacharacters. Factor network selection
into a subroutine and use the `set -- "$@"` trick to build up a list of
positional parameters for bsddialog without evaluating them.
Approved by: so
Security: FreeBSD-SA-26:23.bsdinstall
Security: CVE-2026-45255
Reported by: Austin Ralls
Reviewed by: dteske, des, asiciliano
Differential Revision: https://reviews.freebsd.org/D56973
libcasper: switch from select(2) to poll(2)
The previous implementation used FD_SET() on a stack-allocated fd_set,
which is an out-of-bounds write whenever the socket fd is >= FD_SETSIZE
(1024).
poll(2) takes an array indexed by slot rather than by fd value, so it
has no FD_SETSIZE limit.
Approved by: so
Security: FreeBSD-SA-26:22.libcasper
Security: CVE-2026-39461
Reported by: Joshua Rogers
Reviewed by: markj
Differential Revision: https://reviews.freebsd.org/D56695
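The FD_SETSIZE problem described in this commit, and the poll(2) replacement, as an added example (not libcasper's own code). The helper names `safe_fd_set`, `wait_readable` and `pipe_roundtrip` are assumptions made for the demo.

```c
#include <poll.h>
#include <stdbool.h>
#include <sys/select.h>
#include <unistd.h>

/* Before: FD_SET() sets bit `fd` in a bitmap of FD_SETSIZE bits. With a
 * stack-allocated fd_set, fd >= FD_SETSIZE writes past the end of the set
 * (stack corruption). This wrapper refuses such fds instead. */
bool
safe_fd_set(int fd, fd_set *set)
{
	if (fd < 0 || fd >= FD_SETSIZE)
		return (false);
	FD_SET(fd, set);
	return (true);
}

/* After: poll(2) takes an array of struct pollfd indexed by slot, so the fd
 * value itself is unconstrained. Returns 1 readable, 0 timeout, -1 error. */
int
wait_readable(int fd, int timeout_ms)
{
	struct pollfd pfd = { .fd = fd, .events = POLLIN, .revents = 0 };
	int n;

	n = poll(&pfd, 1, timeout_ms);
	if (n < 0)
		return (-1);
	if (n == 0)
		return (0);
	if (pfd.revents & (POLLERR | POLLNVAL))
		return (-1);
	return (1);
}

/* Demo (constructed): a pipe is not readable until a byte is written.
 * Returns 1 when the expected sequence is observed, 0 otherwise. */
int
pipe_roundtrip(void)
{
	int fds[2], ok;

	if (pipe(fds) != 0)
		return (0);
	ok = wait_readable(fds[0], 0) == 0 &&
	    write(fds[1], "x", 1) == 1 &&
	    wait_readable(fds[0], 1000) == 1;
	close(fds[0]);
	close(fds[1]);
	return (ok);
}
```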
ptrace: Fix validation of PT_SC_REMOTE arguments
- Fix an off-by-one in the system call number check. A value of
SYS_MAXSYSCALL was permitted.
- Validate the system call number after we've dealt with
syscall(2)/__syscall(2), since they pass the syscall number as an
argument.
- When the syscall number is for syscall(2) or __syscall(2), we must
make sure that nargs > 0 to avoid an underflow when shifting arguments
down.
Add regression tests.
Approved by: so
Security: FreeBSD-SA-26:21.ptrace
Security: CVE-2026-45253
Fixes: 140ceb5d956b ("ptrace(2): add PT_SC_REMOTE remote syscall request")
Reported by: Yuxiang Yang, Yizhou Zhao, Ao Wang, Xuewei Feng, Qi Li, and Ke Xu from Tsinghua University using GLM-5.1 from Z.ai
Reviewed by: kib, emaste
Differential Revision: https://reviews.freebsd.org/D56978
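The three validation points above (strict upper bound, resolving syscall(2)/__syscall(2) before the range check, and requiring nargs > 0 before shifting), as an added user-space model that is not the kernel's ptrace code. The `*_demo` constants are constructed stand-ins for the real values in sys/syscall.h, and `validate_sc_remote` is a name assumed for this example.

```c
#include <string.h>

/* Constructed constants for the demo; the real values live in sys/syscall.h. */
#define SYS_syscall_demo	0
#define SYS___syscall_demo	198
#define SYS_MAXSYSCALL_demo	600

/* Validate a remote-syscall request. The indirect forms carry the real
 * syscall number in args[0], so they are resolved first and only then is
 * the number range-checked. Returns 0 on success, -1 (EINVAL) otherwise. */
int
validate_sc_remote(unsigned int sysno, unsigned int nargs, unsigned long *args,
    unsigned int *out_sysno, unsigned int *out_nargs)
{
	if (sysno == SYS_syscall_demo || sysno == SYS___syscall_demo) {
		/* Without at least one argument there is no number to take,
		 * and nargs - 1 below would underflow. */
		if (nargs == 0)
			return (-1);
		sysno = (unsigned int)args[0];
		memmove(args, args + 1, (nargs - 1) * sizeof(args[0]));
		nargs--;
	}
	/* Strict less-than: SYS_MAXSYSCALL is one past the last valid entry. */
	if (sysno >= SYS_MAXSYSCALL_demo)
		return (-1);
	*out_sysno = sysno;
	*out_nargs = nargs;
	return (0);
}
```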
fusefs: Handle buggy servers' LISTXATTR response
The fuse protocol requires servers to respond to LISTXATTR with a
NUL-terminated string. If they don't, report an error rather than
attempt to scan through uninitialized memory for a NUL.
Approved by: so
Security: FreeBSD-SA-26:20.fusefs
Security: CVE-2026-45252
admbugs: 1039
Reported by: Joshua Rogers
Sponsored by: ConnectWise
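The validation the commit describes, as an added example rather than fusefs's own code: check that the reply ends in NUL before walking it, and walk it with a length-bounded memchr() instead of strlen(). The function names `xattr_next` and `validate_listxattr_reply` and the sample replies are constructed for the demo.

```c
#include <stddef.h>
#include <string.h>

/* Bounded walk over a LISTXATTR reply: names are NUL-terminated and packed
 * back to back. memchr() is limited to the remaining bytes, so a missing
 * terminator ends the walk instead of reading past the buffer. Returns the
 * next name, or NULL when the list is exhausted or unterminated. */
const char *
xattr_next(const char *buf, size_t len, size_t *off, size_t *namelen)
{
	const char *start, *nul;

	if (*off >= len)
		return (NULL);
	start = buf + *off;
	nul = memchr(start, '\0', len - *off);
	if (nul == NULL)
		return (NULL);
	*namelen = (size_t)(nul - start);
	*off += *namelen + 1;
	return (start);
}

/* Validate a reply before using it: the last byte must be NUL. Returns the
 * number of names, or -1 if the server violated the protocol (the caller
 * then reports an error rather than scanning uninitialized memory). */
int
validate_listxattr_reply(const char *buf, size_t len)
{
	size_t off = 0, namelen;
	int n = 0;

	if (len == 0)
		return (0);	/* an empty list is legal */
	if (buf[len - 1] != '\0')
		return (-1);	/* buggy server: not NUL-terminated */
	while (xattr_next(buf, len, &off, &namelen) != NULL)
		n++;
	return (n);
}
```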
procdesc: Make sure to drain selinfo sleepers in procdesc_free()
Otherwise they are left on a freed list after procdesc_free() is called.
This can be exploited to elevate privileges.
Remove the PDF_SELECTED micro-optimization. doselwakeup() is a no-op if
no one ever called selrecord() on the file description, so I see no
reason to complicate the code to avoid the call.
Add some regression tests.
Approved by: so
Security: FreeBSD-SA-26:19.file
Security: CVE-2026-45251
Reported by: 75Acol, Lexpl0it, fcgboy, and robinzeng2015
Reviewed by: kib, oshogbo
Fixes: cfb5f7686588 ("Add experimental support for process descriptors")
Differential Revision: https://reviews.freebsd.org/D56887
setcred: Fix buffer overflow
Since groups is a pointer to a pointer to an array of gid_t, we should
use sizeof(**groups) or sizeof(gid_t) when calculating how much to
allocate and copy in. We were using sizeof(*groups) instead, which
meant that on 64-bit platforms, we would allocate and copy in twice as
much as we should. Unfortunately, in the smallgroups case, we copy
into a preallocated buffer which has the correct size, which means that
if sc_supp_groups_nb >= CRED_SMALLGROUPS_NB / 2, we overflow smallgroups.
This is a direct commit to stable/14.
Approved by: so
Security: FreeBSD-SA-26:18.setcred
Reported by: Ryan of Calif.io
Fixes: ddb3eb4efe55 ("New setcred() system call and associated MAC hooks")
freebsd-update: Skip /etc/ssl/cert.pem
We already run `certctl rehash` at the end, there is no point in asking
users upgrading from 15.0 to 15.1 to manually merge the trust store.
Approved by: so
Security: FreeBSD-EN-26:13.freebsd-update
MFC after: 3 days
Reviewed by: cperciva
Differential Revision: https://reviews.freebsd.org/D57028
(cherry picked from commit 2509ddee9bdb2240ba2f622e3a55a98ebc2aa4ae)
(cherry picked from commit 7d9c1d3895b307085131f922d7e46a4812f04675)
dhclient: Improve server and filename validation
* Don't iterate over each string three times; once is enough.
* Reject control characters (anything below space) in addition to the
double quote and backslash.
* If an unsafe character is encountered, discard the string instead of
rejecting the entire lease.
* If backslashes are encountered in the file name option, convert them
to forward slashes instead of rejecting the option.
* Tweak the warning messages a bit. Looking through the rest of the
code, it seems to me that notes generally end with a period while
warnings generally don't.
Approved by: so
Security: FreeBSD-EN-26:11.dhclient
[8 lines not shown]
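The single-pass validation the bullets describe, as an added example that is not dhclient's own code: control characters, double quotes and backslashes make a string unsafe; in the file name option a backslash becomes a forward slash; an unsafe string is discarded on its own. `option_string_ok` and `sanitize_copy` are names assumed for the demo.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* One pass over an option string. Returns true if the string may be used
 * (possibly after backslash conversion), false if it should be discarded;
 * the lease itself is still accepted either way. */
bool
option_string_ok(char *s, bool is_filename)
{
	for (char *p = s; *p != '\0'; p++) {
		unsigned char c = (unsigned char)*p;

		if (c < ' ' || c == '"')	/* control chars, double quote */
			return (false);
		if (c == '\\') {
			if (!is_filename)
				return (false);
			*p = '/';		/* file name: rewrite, don't reject */
		}
	}
	return (true);
}

/* Demo helper: copy `in` into a static buffer and apply the check.
 * Returns the sanitized copy, or NULL when the string must be discarded. */
const char *
sanitize_copy(const char *in, bool is_filename)
{
	static char buf[256];

	if (strlen(in) >= sizeof(buf))
		return (NULL);
	strcpy(buf, in);
	return (option_string_ok(buf, is_filename) ? buf : NULL);
}
```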
ipfwpcap: Fix build after libpcap 1.10.6 update
pcap-int.h now references SIZEOF_TIME_T from libpcap's config.h, which
is not available to consumers of the internal header outside of the
libpcap build. Switch to the public <pcap.h> header and replace the
direct FILE* casts and ferror()/fflush() calls with pcap_dump_flush(3),
which is the correct public API for flushing a pcap dump file.
Sponsored by: The FreeBSD Foundation
(cherry picked from commit a0b3ef1952603ebf0307ca723b03e5a71598dd5a)
installer: Add download.freebsd.org to mirror list
download.freebsd.org is backed by project mirrors and a CDN, which
should benefit most users.
Sponsored by: The FreeBSD Foundation
Reviewed by: delphij (releng)
MFC after: 3 days
Differential Revision: https://reviews.freebsd.org/D54849
(cherry picked from commit 45079cdf8b517adf803db7dc7aa85e5728cfeb2f)
routing: Fix use-after-free in finalize_nhop
FIB_NH_LOG calls the `nhop_get_upper_family(nh)` to read
`nh->nh_priv->nh_upper_family` for failure logging.
Call FIB_NH_LOG before freeing nh so failures are logged
without causing a panic.
MFC after: 3 days
(cherry picked from commit 7d38eb720a8d8345949986d779e785984ae19ae0)