Prevents a lockup when queried a deliberately constructed combination
of records. [CVE-2012-5166]
For more information: https://kb.isc.org/article/AA-00801
doesn't mean supporting IFT_PFSYNC (which I hope will eventually
die). This means decoding packets with IP protocol of 240 caught
on any normal interface like Ethernet.
The code is based on couple of files from OpenBSD, significantly
modified by myself.
Parser differentiates for four levels of verbosity: no -v, -v,
-vv and -vvv.
We don't yet forward this code upstream, because currently it
strongly relies on if_pfsync.h and even on pfvar.h. I hope that
this can be fixed in future.
Reviewed by: gnn, delphij
- Set IP_RECVDSTADDR sockopt on the socket only in case if
it is INADDR_ANY bound.
- Supply IP_SENDSRCADDR control message only if we did receive
IP_RECVDSTADDR control message.
This fixes operation of snmpd bound to a specific local IP address.
PR: bin/171279
Prevents a crash when queried for a record whose RDATA exceeds
65535 bytes.
Prevents a crash when validating caused by using "Bad cache" data
before it has been initialized.
ISC_QUEUE handling for recursive clients was updated to address
a race condition that could cause a memory leak. This rarely
occurred with UDP clients, but could be a significant problem
for a server handling a steady rate of TCP queries.
A condition has been corrected where improper handling of
zero-length RDATA could cause undesirable behavior, including
termination of the named process.
For more information: https://kb.isc.org/article/AA-00788
X86: Emitting x87 fsin/fcos for sinf/cosf is not safe without unsafe
fp math.
This should make clang emit calls to libm for sinf/cosf by default.
MFC after: 1 week
reside, and move there ipfw(4) and pf(4).
o Move most modified parts of pf out of contrib.
Actual movements:
sys/contrib/pf/net/*.c -> sys/netpfil/pf/
sys/contrib/pf/net/*.h -> sys/net/
contrib/pf/pfctl/*.c -> sbin/pfctl
contrib/pf/pfctl/*.h -> sbin/pfctl
contrib/pf/pfctl/pfctl.8 -> sbin/pfctl
contrib/pf/pfctl/*.4 -> share/man/man4
contrib/pf/pfctl/*.5 -> share/man/man5
sys/netinet/ipfw -> sys/netpfil/ipfw
The arguable movement is pf/net/*.h -> sys/net. There are
future plans to refactor pf includes, so I decided not to
break things twice.
Not modified bits of pf left in contrib: authpf, ftp-proxy,
tftp-proxy, pflogd.
The ipfw(4) movement is planned to be merged to stable/9,
to make head and stable match.
Discussed with: bz, luigi
- Pacific/Fiji will go into DST from 21 October 2012 till 20 January 2013.
- Fix offset for Pacific/Tokelau.
- Gaza and West Bank had DST from 29 March to 28 September 2012.
- Syria has DST from April till October
- Morocco had DST from April to September 2012 except for 20 July to 20 August.
- Cuba changed to DST from 1 April 2012 only.
- Haiti has DST between 8 March and 1 November in 2012.
Obtained from: ftp://ftp.iana.org/tz/releases/
IP_SENDSRCADDR control with datagram message we reply with. This makes
bsnmpd reply from exactly same address that request was sent to, thus
successfully bypassing stateful firewalls or other kinds of strict checking.
PR: bin/171279
from the control message, actually never worked. This means check_priv()
didn't work for local dgram sockets.
The SCM_CREDS control messages is received only in two cases:
1) If we did setsockopt(LOCAL_CREDS) on our socket, and in this case
the message is struct sockcred.
2) If sender did supplied SCM_CREDS control message in his sendmsg()
syscall. In this case the message is struct cmsgcred.
We can't rely on 2), so we will use 1) for dgram sockets. For stream
sockets it is more reliable to obtain accept-time credentials, since
SCM_CREDS control message is attached only on first read. Thus:
o Do setsockopt(LOCAL_CREDS) on local dgram sockets.
o Split check_priv() into check_priv_stream() and check_priv_dgram(),
and call them from recv_stream() and recv_dgram() respectively.
o Don't provide space for SCM_CREDS control message in recv_stream().
o Provide space for SCM_CREDS control message in recv_dgram(), but there
is no need to initialize anything in it.
o In recv_dgram() do not blindly expect that first message is SCM_CREDS,
instead use correct search cycle through control messages.
encounters a DT_RUNPATH entry, the global dynamic_info[] array is
overrun, causing some other global variable to be overwritten.
In my testcase, this was the section_headers variable, leading to
segfaults or jemalloc assertions when it was freed later on.
Thanks to Koop Mast for providing samples of a few "bad" .so files.
MFC after: 1 week
Merge existing attributes before processing pragmas in friend template
declarations.
Fixes pr13662.
This should help when building Firefox with libc++.
Magic tests containing "search" or "regex" directives were incorrectly
compiled by "mkmagic" and were effectively ignored. This caused troff
files (for example) to be detected as simply "ASCII text" instead of
as "troff or preprocessor input, ASCII text".
PR: bin/170415
Approved by: consensus on developers@
MFC after: 3 days
r238211:
Support TARGET_ARCH=armv6 and TARGET_ARCH=armv6eb
This adds a new TARGET_ARCH for building on ARM
processors that support the ARMv6K multiprocessor
extensions. In particular, these processors have
better support for TLS and mutex operations.
This mostly touches a lot of Makefiles to extend
existing patterns for inferring CPUARCH from ARCH.
It also configures:
* GCC to default to arm1176jz-s
* GCC to predefine __FreeBSD_ARCH_armv6__
* gas to default to ARM_ARCH_V6K
* uname -p to return 'armv6'
* make so that MACHINE_ARCH defaults to 'armv6'
It also changes a number of headers to use
the compiler __ARM_ARCH_XXX__ macros to configure
processor-specific support routines.
Submitted by: Tim Kientzle <kientzle@freebsd.org>
folding to 64 bits, while SHA1 code is big endian. Therefore, a bswap32
is required before using the value.
Without this change, the implementation does not conform to test vector
found in RFC 2289.
PR: bin/170519
Submitted by: Arthur Mesh <arthurmesh gmail com> (with changes)
MFC after: 1 week
This is mostly a no-op other than for ARM where it adds missing
__aeabi_mem* and __aeabi_*divmod functions. Even on ARM these will remain
unused until the rest of the ARM EABI code is merged.
unused -g, -emit-llvm or -w arguments when doing linking. E.g. invoking
"clang -g foo.o -o foo" will now be silent.
Reported by: Jakub Lach <jakub_lach@mailplus.pl>
MFC after: 1 week
in BIND9
High numbers of queries with DNSSEC validation enabled can cause an
assertion failure in named, caused by using a "bad cache" data structure
before it has been initialized.
CVE: CVE-2012-3817
Posting date: 24 July, 2012