we use lazy masking INTREN()/INTRDIS() might be called with INTs enabled.
This means another higher prio INT to the same cpu could attempt to
re-enter the critical region, but would spin waiting for the lock. Since
it is the owner, it would deadlock.
diffes with NetBSD/OpenBSD. These changes seem to predate the NetBSD/OpenBSD
split, so it is hard to give proper credit for them.
Obtained from: OpenBSD.
- s_lock_init()
- s_lock()
- s_lock_try()
- s_unlock()
Created lock for IO APIC and apic_imen (SMP version of imen)
- imen_lock
Code to use imen_lock for access from apic_ipl.s and apic_vector.s.
Moved this code *outside* of mp_lock.
It seems to work!!!
overflow patches that were "near" to where these operations are taking
place. The buffer overflows are from OpenBSD. The setuid/seteuid patches
are from NetBSD by way of OpenBSD (they changed them a little), at least from
my read of the tree.
This is the first of a series of OpenBSD lpr/et al merges. It (and them)
should be merged back into 2.2 and/or 2.1 (if requested) branches when they
have been shaken out in -current.
Obtained from: OpenBSD
and he says he's happy to see forward movement in aligning our defaults
with a 16 bit world, the 8 bit folk already being veterans by this
point who know how to use userconfig.
In any case, perhaps Warner will soon come to save us all with his Dynamic
Probing(tm) feature and this will all become totally moot in any case,
so it's probably not worth arguing about either way.
we decide to do a DNS lookup, we NUL terminate the key string provided
by the client before passing it into the DNS lookup module. This is
actually wrong. Assume the key is 'foo.com'. In this case, key.keydat_val
will be "foo.com" and key.keydat_len will be 7 (seven characters; the
string is not NUL-terminated so it is not 8 as you might expect).
The string "foo.com" is actually allocated by the XDR routines when the
RPC request is decoded; exactly 7 bytes are allocated. By adding a NUL,
the string becomes "foo.com\0", but the '\0' goes into an 8th byte which
was never allocated for this string and which could be anywhere. The result
is that while the initial request may succeed, we could trash other
dynamically allocated structures (like, oh, I dunno, the circular map
cache queue?) and SEGV later. This is in fact what happens.
The fix is to copy the string into a larger local buffer and NUL-terminate
that buffer instead.
Crash first reported by: Ricky Chan <ricky@come.net.uk>
Bug finally located with: Electric Fence 2.0.5
