deraadt [Sun, 20 Apr 2014 14:03:55 +0000 (14:03 +0000)]
calloc() rather than malloc+memset
guenther [Sun, 20 Apr 2014 14:03:04 +0000 (14:03 +0000)]
Fix indentation, adding braces and combining a nested if to reduce depth
mlarkin [Sun, 20 Apr 2014 14:02:57 +0000 (14:02 +0000)]
More dead stores removal in subr_hibernate.c
jsing [Sun, 20 Apr 2014 13:54:10 +0000 (13:54 +0000)]
KNF.
jsing [Sun, 20 Apr 2014 13:42:57 +0000 (13:42 +0000)]
KNF.
deraadt [Sun, 20 Apr 2014 12:51:18 +0000 (12:51 +0000)]
sync
guenther [Sun, 20 Apr 2014 12:48:19 +0000 (12:48 +0000)]
Chop off more SSLv2 tentacles and start fixing and noting y2038 issues.
APIs that pass times as longs will have to change at some point...
Bump major on both libcrypto and libssl.
ok tedu@
tedu [Sun, 20 Apr 2014 12:30:41 +0000 (12:30 +0000)]
return after error instead of plowing ahead. noticed by mancha1 at zoho
claudio [Sun, 20 Apr 2014 12:22:16 +0000 (12:22 +0000)]
Cleanup a bit, switch on bcopy to memcpy and move a function a bit up
claudio [Sun, 20 Apr 2014 11:25:18 +0000 (11:25 +0000)]
When switching rdomains the sadl needs to be removed and re-added from the
RB lookup tree because the rdomain id is part of the lookup key.
Without this the RB tree gets corrupted and in the worst case a use after
free can happen when the interface is destroyed.
Why the sadl addresses are added to the tree in the first place is something
to reconsider.
OK henning@, mpi@, sthen@
rpe [Sun, 20 Apr 2014 10:51:59 +0000 (10:51 +0000)]
Simplify shell pattern.
OK krw@
reyk [Sun, 20 Apr 2014 10:46:20 +0000 (10:46 +0000)]
Partially revert the previous: snmp_agentx_ping() didn't leak the pdu
because it is added to a list on the handle and eventually released
later with the handle itself. This confuses leak detection tools like
clang, so at least add a comment that it is not a leak.
ok blambert@
deraadt [Sun, 20 Apr 2014 10:43:15 +0000 (10:43 +0000)]
sync
deraadt [Sun, 20 Apr 2014 10:31:43 +0000 (10:31 +0000)]
Use calloc(a,b) instead of malloc(a*b) + memset(a*b). I don't know if
this instance is integer-overflowable, but we cannot keep hand-auditing
every instance (or apathetically ignoring these issues) when the simple
calloc idiom is better in the presence of a good calloc(). It is simply
unfeasible to always enter correct range checks before the aggregate
size calculation, just go find some 4000 lines of code, REPAIR THEM ALL,
then come back and tell me I am wrong.
This only works on systems where calloc() does the integer overflow
check, but if your system doesn't do this, you need to ask your vendor
WHY THEY ARE 10 YEARS BEHIND IN BEST PRACTICE? This is the kind of
problem that needs to be solved at the right layer.
malloc integer-overflow was implicated in the 2002 OpenSSH hole. OpenSSH
and much other code is now written to use calloc(), for instance OpenSSH
has 103 calls to it. We feel safer with our use of calloc(). It is a
natural approach for us to use calloc(). How safe do you feel on systems
which lack that range check in their calloc()?
Good writeup from 2006: http://undeadly.org/cgi?action=article&sid=
20060330071917
jmatthew [Sun, 20 Apr 2014 09:49:23 +0000 (09:49 +0000)]
Update hotplug. Add qle_get_port_name_list, use it to discover local
loop ports and other fabric ports that have logged in to us, and check
that we're still logged in to other fabric ports. Rearrange the update
processing loop so we attach and detach targets last, since we need to get
all the way through before we've identified what's gone missing. Handle
fabric port login errors a bit more usefully too.
deraadt [Sun, 20 Apr 2014 09:40:37 +0000 (09:40 +0000)]
Undo a calloc() replacement. It lacks the integer overflow check that
the system one has.
henning [Sun, 20 Apr 2014 09:38:19 +0000 (09:38 +0000)]
move in_cksum_phdr from in.h (under #ifdef _KERNEL, at least) to ip_output.c
nothing except in_proto_cksum_out() uses it any more, and that's a good
thing. was on tech for 3 months, discussed with many
henning [Sun, 20 Apr 2014 09:30:56 +0000 (09:30 +0000)]
nuke in_cksum_addword()
don't we all love functions implemented in header files? was under #ifdef
_KERNEL at least.
incremental checksum updates don't really make sense any more, this is
incredibly hard to get right, and doesn't fit the way our kernel deals
with the checksums these days. consequently, nothing uses in_cksum_addword
any more.
was on tech for 3 months, tested by & discussed with many.
deraadt [Sun, 20 Apr 2014 09:29:36 +0000 (09:29 +0000)]
Remove more commentary about recently removed des support
from Daniel Dickman
reyk [Sun, 20 Apr 2014 09:29:22 +0000 (09:29 +0000)]
Fix a small leak in the error path.
logan [Sun, 20 Apr 2014 09:24:26 +0000 (09:24 +0000)]
Add support for SSHFP DNS records for
ED25519 key types.
OK from djm@
jsing [Sun, 20 Apr 2014 09:04:56 +0000 (09:04 +0000)]
KNF.
tedu [Sun, 20 Apr 2014 04:45:09 +0000 (04:45 +0000)]
reset imprint to NULL to avoid double free. from mancha1 at zoho
djm [Sun, 20 Apr 2014 02:49:32 +0000 (02:49 +0000)]
add a canonical 6.6 + curve25519 bignum fix fake version that I can
recommend people use ahead of the openssh-6.7 release
djm [Sun, 20 Apr 2014 02:30:25 +0000 (02:30 +0000)]
use get/put_u32 to load values rather than *((UINT32 *)p) that breaks on
strict-alignment architectures; reported by and ok stsp@
dlg [Sun, 20 Apr 2014 00:50:18 +0000 (00:50 +0000)]
make the status handler more like rdac and emc. the big functional change
is to check xs->status on completion to make sure it worked.
dlg [Sun, 20 Apr 2014 00:08:26 +0000 (00:08 +0000)]
emc on my cx500 works as well as rdac on all my rebadged engenio kit.
naddy [Sat, 19 Apr 2014 19:44:23 +0000 (19:44 +0000)]
Hardware receive IP checksum offload for IPv4 is no longer supported.
tedu [Sat, 19 Apr 2014 19:40:11 +0000 (19:40 +0000)]
release buffers fix was lost in merge. put it back.
tedu [Sat, 19 Apr 2014 18:44:25 +0000 (18:44 +0000)]
remove hosts.equiv xr
tedu [Sat, 19 Apr 2014 18:42:19 +0000 (18:42 +0000)]
delete .xr to hosts.equiv. there's still an unfortunate amount of
documentation referring to rhosts equivalency in here.
tedu [Sat, 19 Apr 2014 18:39:51 +0000 (18:39 +0000)]
stop talking about hosts.equiv
claudio [Sat, 19 Apr 2014 18:31:33 +0000 (18:31 +0000)]
COnveret the bcopy() to memcpy()
rpe [Sat, 19 Apr 2014 18:31:24 +0000 (18:31 +0000)]
populateusrlocal() is used only once in finish_up(). Just fold it in there.
OK krw@ halex@
henning [Sat, 19 Apr 2014 18:29:39 +0000 (18:29 +0000)]
kill checksum offloading in sk.
it was RX only, nothing on the TX side
rather complex, might eat up (or more) offloading benefits in many cases
the hardware miscomputes the cksums sometimes, so we don't trust it
claiming a cksum is bad and re-do the cksum verification in sw then...
(but we trust it to not mark bad ones good? hmmmmmmmmm.)
diff was on tech for 3 months, nobody disagreed, everybody who spoke up
agrees or doesn't care.
pretty exactly a revert of the cksum offloading addition years ago, tested
by several, the only report i quickly find now is from David Higgs <higgsd
at gmail dot com>, thanks!
claudio [Sat, 19 Apr 2014 18:19:57 +0000 (18:19 +0000)]
Replace a magic number.
tedu [Sat, 19 Apr 2014 18:15:16 +0000 (18:15 +0000)]
remove some really old rsh references
tedu [Sat, 19 Apr 2014 18:11:19 +0000 (18:11 +0000)]
change some rsh references to ssh. poke by jmc
jsing [Sat, 19 Apr 2014 18:02:36 +0000 (18:02 +0000)]
More KNF.
gilles [Sat, 19 Apr 2014 18:01:01 +0000 (18:01 +0000)]
these snprintf() calls can't possibly truncate because they copy data from
buffers that are already protected against truncation and that do not
exceed the destination buffer size when copied together ...
however, i think we should add checks here too because it'll help us catch
errors in table backends when adding new ones if we miss a truncation check
there.
jsing [Sat, 19 Apr 2014 17:56:49 +0000 (17:56 +0000)]
More KNF.
gilles [Sat, 19 Apr 2014 17:47:40 +0000 (17:47 +0000)]
(void) cast snprintf() that cannot truncate
gilles [Sat, 19 Apr 2014 17:45:05 +0000 (17:45 +0000)]
(void) cast snprintf() call used to craft fatalx() message from within
smtpd, buffer is large enough and truncation harmless, we want to
avoid memory allocation in that case and use a best-effort
gilles [Sat, 19 Apr 2014 17:42:18 +0000 (17:42 +0000)]
(void) cast snprintf calls that cannot truncate or for which earlier checks
ensure the copy won't fail
tedu [Sat, 19 Apr 2014 17:40:49 +0000 (17:40 +0000)]
another attempt at fixing stale x509 data. since we don't know where the
initial storage came from, we can't free it. just memset in the sequence
case. probably ok beck
gilles [Sat, 19 Apr 2014 17:36:54 +0000 (17:36 +0000)]
(void) cast snprintf() calls that cannot truncate (and would be harmless
otherwise)
gilles [Sat, 19 Apr 2014 17:35:48 +0000 (17:35 +0000)]
remove dead code ... in code that's not plugged in yet ;-)
gilles [Sat, 19 Apr 2014 17:32:58 +0000 (17:32 +0000)]
(void) cast snprintf that cannot truncate
gilles [Sat, 19 Apr 2014 17:31:35 +0000 (17:31 +0000)]
(void) cast snprintf calls that cannot truncate
gilles [Sat, 19 Apr 2014 17:29:56 +0000 (17:29 +0000)]
(void) cast snprintf call that cannot truncate
gilles [Sat, 19 Apr 2014 17:27:40 +0000 (17:27 +0000)]
(void) cast snprintf() calls that cannot truncate
gilles [Sat, 19 Apr 2014 17:24:59 +0000 (17:24 +0000)]
replace warnx message
gilles [Sat, 19 Apr 2014 17:23:19 +0000 (17:23 +0000)]
add missing strlcpy() check in create_filter_chain() that would cause smtpd
to fatal at startup if truncation occured and we had enabled filters
(void) cast a strlcpy() that cannot truncate
gilles [Sat, 19 Apr 2014 17:21:19 +0000 (17:21 +0000)]
add missing strlcpy() checks in create_filter() that would cause smtpd to
fatal at startup if truncation occured and we had enabled filters
gilles [Sat, 19 Apr 2014 17:18:58 +0000 (17:18 +0000)]
add missing strlcpy() check in is_if_in_group() to detect and warn about
the truncation rather than failing the ioctl() call that follows.
gilles [Sat, 19 Apr 2014 17:12:02 +0000 (17:12 +0000)]
add missing strlcpy() check when parsing "backup hostname" in smtpd.conf,
it could lead to smtpd not finding itself in a MX lookup if a hostname is
specified that exceeds the max hostname len.
while at it, add a missing free()
gilles [Sat, 19 Apr 2014 17:08:49 +0000 (17:08 +0000)]
(void) cast strlcpy() calls that cannot truncate
gilles [Sat, 19 Apr 2014 17:04:42 +0000 (17:04 +0000)]
knf
gilles [Sat, 19 Apr 2014 17:03:42 +0000 (17:03 +0000)]
add a missing strlcpy() check in MAIL FROM's DSN parameters parsing, the
truncation would lead to a failure later in the code path but we can fail
earlier with a nice enhanced status code
jsing [Sat, 19 Apr 2014 17:03:41 +0000 (17:03 +0000)]
More KNF.
gilles [Sat, 19 Apr 2014 16:56:34 +0000 (16:56 +0000)]
(void) cast strlcpy() calls that cannot truncate (copies between buffers of
same size with a truncation check on the initial buffer)
gilles [Sat, 19 Apr 2014 16:55:15 +0000 (16:55 +0000)]
certs are looked up by hostname, the size of the buffer should use the
max hostname len, not max pathname len as before
gilles [Sat, 19 Apr 2014 16:52:20 +0000 (16:52 +0000)]
(void) cast a strlcpy() that cannot truncate because lka.c ensures the
reply will fit in the buffer before returning the answer
rpe [Sat, 19 Apr 2014 16:50:52 +0000 (16:50 +0000)]
Simplify things by using the return code of ask_yn() directly instead
of looking in resp. No need to specify 'no' as default answer. It's
the default for ask_yn() anyway.
OK krw@ halex@
jsing [Sat, 19 Apr 2014 16:50:47 +0000 (16:50 +0000)]
More KNF.
jmc [Sat, 19 Apr 2014 16:50:46 +0000 (16:50 +0000)]
tweak previous;
gilles [Sat, 19 Apr 2014 16:50:28 +0000 (16:50 +0000)]
(void) cast strlcpy() that cannot truncate, dns.c ensures the reply will
fit in the buffer before returning the answer
henning [Sat, 19 Apr 2014 16:49:13 +0000 (16:49 +0000)]
stop "advertising" disabling pmtud and window size increasing
very rarely if ever needed any more. we should not trick people into
thinking they are impoving sth doing so, it's rather the opposite
these days.
ok claudio
jmc [Sat, 19 Apr 2014 16:48:41 +0000 (16:48 +0000)]
need to escape %U, since it is used in Re/Rs blocks;
deraadt [Sat, 19 Apr 2014 16:48:06 +0000 (16:48 +0000)]
sync
jmc [Sat, 19 Apr 2014 16:46:32 +0000 (16:46 +0000)]
zap trailing whitespace;
deraadt [Sat, 19 Apr 2014 16:46:08 +0000 (16:46 +0000)]
remove the openssl_fdset wrapper, and a variety of VMS'ism's like
crazy (void *) casts all over the place
ok beck jsing
gilles [Sat, 19 Apr 2014 16:44:01 +0000 (16:44 +0000)]
(void) cast strlcpy() calls that cannot truncate or where the source data
has a length check right before the copy
jsing [Sat, 19 Apr 2014 16:42:26 +0000 (16:42 +0000)]
KNF.
deraadt [Sat, 19 Apr 2014 16:38:04 +0000 (16:38 +0000)]
Remove a gethostbyname() cache layer. The internet works better these
days. Initially fixed this, but Ted asked for it to die.
deraadt [Sat, 19 Apr 2014 16:31:51 +0000 (16:31 +0000)]
ReadFile() and GetStdHandle() are not very POSIX.
ok beck jsing
gilles [Sat, 19 Apr 2014 16:26:23 +0000 (16:26 +0000)]
(void) cast a snprintf() call that cannot truncate
logan [Sat, 19 Apr 2014 16:20:08 +0000 (16:20 +0000)]
Add missing description for IPv6 mtudisctimeout sysctl and
rework the wording for both IPv4 and IPv6.
OK from sthen@, henning@ and claudio@
mlarkin [Sat, 19 Apr 2014 16:19:07 +0000 (16:19 +0000)]
Dead stores in subr_hibernate.c
deraadt [Sat, 19 Apr 2014 16:18:22 +0000 (16:18 +0000)]
truncation check some snprintf calls (over-cautiously in case)
ok jsing beck
tedu [Sat, 19 Apr 2014 16:12:39 +0000 (16:12 +0000)]
can't actually do this. cause unknown.
henning [Sat, 19 Apr 2014 16:08:14 +0000 (16:08 +0000)]
bye bye
henning [Sat, 19 Apr 2014 16:07:09 +0000 (16:07 +0000)]
use "!received-on any" to absolutely ensure that we're not forwarding
carp, rpc or nfs traffic in the initial ruleset active during network
startup for a short time (or a much longer time if /etc/pf.conf is
screwed up). ok phessler
henning [Sat, 19 Apr 2014 16:02:17 +0000 (16:02 +0000)]
disgusting altq compat hack goes away
henning [Sat, 19 Apr 2014 16:01:36 +0000 (16:01 +0000)]
altq includes are gone
yes, we normally leave this for theo, but this triggered my final
"any altq bits left" check and I had to wait for a build anyway...
henning [Sat, 19 Apr 2014 15:58:56 +0000 (15:58 +0000)]
stop installing altq includes
henning [Sat, 19 Apr 2014 15:58:12 +0000 (15:58 +0000)]
now that if_snd is a proper ifqueue, this cast dies
henning [Sat, 19 Apr 2014 15:57:25 +0000 (15:57 +0000)]
ifnet's if_snd becomes a regular ifqueue instead of ifaltq, the need to
keep ifqueue and ifaltq in sync is gone and thus the comment obsolete,
and finally there is no more need to include if_altq.h either
henning [Sat, 19 Apr 2014 15:54:39 +0000 (15:54 +0000)]
minus altq tentacles, plus missing IF_DROP here as well
claudio [Sat, 19 Apr 2014 15:43:17 +0000 (15:43 +0000)]
Try to be clear why struct mrt_config nodes are allocated and
assigned to struct mrt pointers. I may need to rethink this later
but lets hope this does not confuse more people and analyzers.
beck [Sat, 19 Apr 2014 15:37:35 +0000 (15:37 +0000)]
Fix some serious pointer-arithmatic-magic-number-unchecked-return eyebleed
that I stumbled into here and got stuck with. If modern society can get past
selling daughters for cows, surely we can decide to write modern C code in
an "application" that is probably 3 lines of shell/python/cgi away from
talking to the internet in a lot of places.. (This file still needs a lot
more love though)
"oh god yuck" deraadt@
ok tedu@
jsing [Sat, 19 Apr 2014 15:30:17 +0000 (15:30 +0000)]
KNF.
deraadt [Sat, 19 Apr 2014 15:29:35 +0000 (15:29 +0000)]
sync
deraadt [Sat, 19 Apr 2014 15:27:10 +0000 (15:27 +0000)]
Repair some indent to be more KNF, and break instead of fallthrough to
default which does break
tedu [Sat, 19 Apr 2014 15:19:20 +0000 (15:19 +0000)]
one small tweak to avoid ever going off the end of a string.
tedu [Sat, 19 Apr 2014 15:17:59 +0000 (15:17 +0000)]
improved checking for invalid hashes. from solar designer
tedu [Sat, 19 Apr 2014 14:58:50 +0000 (14:58 +0000)]
Once great men lived here... giants... gods... once, but long ago.
tedu [Sat, 19 Apr 2014 14:56:17 +0000 (14:56 +0000)]
the valkyries have come for rsh as well
tedu [Sat, 19 Apr 2014 14:53:48 +0000 (14:53 +0000)]
Delete futile calls to RAND_seed. ok djm
henning [Sat, 19 Apr 2014 14:47:51 +0000 (14:47 +0000)]
sigh, another driver fiddling with altq outside #ifdef ALTQ