Pull up following revision(s) (requested by maxv in ticket #540):
sys/dist/pf/net/pf.c: 1.77-1.78
PR/52682: David Binderman: Fix wrong assignment (in the !__NetBSD__ code)
Oh, what is this. Fix a remotely-triggerable integer overflow: the way we
define TCPOLEN_SACK makes it unsigned, and the comparison in the while()
is unsigned too. That's not the expected behavior, the original code
wanted a signed comparison.
It's pretty easy to make 'hlen' go negative and trigger a buffer overflow.
This bug was reported 8 years ago by Lucio Albornoz in PR/44059.

(snj)

make it compile without MULTIPROCESSOR (xen?)

(christos)

fix BN_to_integer to get rid of  __UNCONST. Trick question:
How many BN_to_integer implementations does Heimdal contain (I only fixed 2).

(christos)

Use the magic FILESBUILD variable so that it builds with BUILD/UPDATE unset.
Why again FILESBUILD is not the default and needs to be set?

(christos)

Explain what may seem to be a non-sensical assignment, but isn't.

closes PR 53000

(jakllsch)

Oh, what is this. Fix a remotely-triggerable integer overflow: the way we
define TCPOLEN_SACK makes it unsigned, and the comparison in the while()
is unsigned too. That's not the expected behavior, the original code
wanted a signed comparison.

It's pretty easy to make 'hlen' go negative and trigger a buffer overflow.

This bug was reported 8 years ago by Lucio Albornoz in PR/44059.

(maxv)

Disable XSAVEOPT, until it is clear what's wrong with it (PR/52966).

(maxv)

Remove dead code.

(maxv)

update nsd, fix typo for acpica

(christos)

fix for OpenSSL 1.0 and 1.1 co-existance, merge conflicts.

(christos)

add reset, needed by nsd.

(christos)

XXX: use /dev/stdout because OpenSSL changed the params for i386!!?!?

(christos)

On Milan, also explicitly disable MBIRQ1 on PIIX.

Milan's ROM bootloader v1.2 and v1.4 incorrectly set MBIRQ0 connected
to the secondary IDE to IRQ14 (not 15) and unused MBIRQ1 to IRQ15,
so both IDE channels don't work properly.

(tsutsui)

Ticket #1526

(martin)

Pull up following revision(s) (requested by maxv in ticket #1526):
sys/netinet/ip_input.c: revision 1.366

Disable ip_allowsrcrt and ip_forwsrcrt. Enabling them by default was a
completely dumb idea, because they have security implications.

By sending an IPv4 packet containing an LSRR option, an attacker will
cause the system to forward the packet to another IPv4 address - and
this way he white-washes the source of the packet.

It is also possible for an attacker to reach hidden networks: if a server
has a public address, and a private one on an internal network (network
which has several internal machines connected), the attacker can send a
packet with:
        source = 0.0.0.0
        destination = public address of the server
        LSRR first address = address of a machine on the internal network
And the packet will be forwarded, by the server, to the internal machine,
in some cases even with the internal IP address of the server as a source.

(martin)

Ticket #1526

(martin)

Pull up following revision(s) (requested by maxv in ticket #1526):
sys/netinet/ip_input.c: revision 1.366

Disable ip_allowsrcrt and ip_forwsrcrt. Enabling them by default was a
completely dumb idea, because they have security implications.

By sending an IPv4 packet containing an LSRR option, an attacker will
cause the system to forward the packet to another IPv4 address - and
this way he white-washes the source of the packet.

It is also possible for an attacker to reach hidden networks: if a server
has a public address, and a private one on an internal network (network
which has several internal machines connected), the attacker can send a
packet with:
        source = 0.0.0.0
        destination = public address of the server
        LSRR first address = address of a machine on the internal network
And the packet will be forwarded, by the server, to the internal machine,
in some cases even with the internal IP address of the server as a source.

(martin)

Ticket #1526

(martin)

Pull up following revision(s) (requested by maxv in ticket #1526):
sys/netinet/ip_input.c: revision 1.366

Disable ip_allowsrcrt and ip_forwsrcrt. Enabling them by default was a
completely dumb idea, because they have security implications.

By sending an IPv4 packet containing an LSRR option, an attacker will
cause the system to forward the packet to another IPv4 address - and
this way he white-washes the source of the packet.

It is also possible for an attacker to reach hidden networks: if a server
has a public address, and a private one on an internal network (network
which has several internal machines connected), the attacker can send a
packet with:
        source = 0.0.0.0
        destination = public address of the server
        LSRR first address = address of a machine on the internal network
And the packet will be forwarded, by the server, to the internal machine,
in some cases even with the internal IP address of the server as a source.

(martin)

Ticket #1563

(martin)

Pull up following revision(s) (requested by maxv in ticket #1563):
sys/netinet/ip_input.c: revision 1.366 (via patch)

Disable ip_allowsrcrt and ip_forwsrcrt. Enabling them by default was a
completely dumb idea, because they have security implications.

By sending an IPv4 packet containing an LSRR option, an attacker will
cause the system to forward the packet to another IPv4 address - and
this way he white-washes the source of the packet.

It is also possible for an attacker to reach hidden networks: if a server
has a public address, and a private one on an internal network (network
which has several internal machines connected), the attacker can send a
packet with:
        source = 0.0.0.0
        destination = public address of the server
        LSRR first address = address of a machine on the internal network
And the packet will be forwarded, by the server, to the internal machine,
in some cases even with the internal IP address of the server as a source.

(martin)

Style, and move the 'ip_srcroute' call after 'tcp_dooptions', otherwise
we're leaking 'ipopts'. (Harmless, since TCP_SIGNATURE is disabled.)

(maxv)

Ticket #1563

(martin)

Pull up following revision(s) (requested by maxv in ticket #1563):
sys/netinet/ip_input.c: revision 1.366 (via patch)

Disable ip_allowsrcrt and ip_forwsrcrt. Enabling them by default was a
completely dumb idea, because they have security implications.

By sending an IPv4 packet containing an LSRR option, an attacker will
cause the system to forward the packet to another IPv4 address - and
this way he white-washes the source of the packet.

It is also possible for an attacker to reach hidden networks: if a server
has a public address, and a private one on an internal network (network
which has several internal machines connected), the attacker can send a
packet with:
        source = 0.0.0.0
        destination = public address of the server
        LSRR first address = address of a machine on the internal network
And the packet will be forwarded, by the server, to the internal machine,
in some cases even with the internal IP address of the server as a source.

(martin)

Ticket #1563

(martin)

more file

(christos)

Pull up following revision(s) (requested by maxv in ticket #1563):
sys/netinet/ip_input.c: revision 1.366 (via patch)

Disable ip_allowsrcrt and ip_forwsrcrt. Enabling them by default was a
completely dumb idea, because they have security implications.

By sending an IPv4 packet containing an LSRR option, an attacker will
cause the system to forward the packet to another IPv4 address - and
this way he white-washes the source of the packet.

It is also possible for an attacker to reach hidden networks: if a server
has a public address, and a private one on an internal network (network
which has several internal machines connected), the attacker can send a
packet with:
        source = 0.0.0.0
        destination = public address of the server
        LSRR first address = address of a machine on the internal network
And the packet will be forwarded, by the server, to the internal machine,
in some cases even with the internal IP address of the server as a source.

(martin)

i386 provides "partial words" assembly support.

(christos)

new script does not know -D, regen

(christos)

Reset ddb_regp to NULL. Reported by David Binderman in PR/52964.

(maxv)

Use UVM_PROT_RW instead of UVM_PROT_ALL. This doesn't change anything,
since the protection code is not applied: the pages are manually kentered
as RW.

But fix it anyway, so that "pmap 0" does not say the map is executable.

(maxv)

Force a reload of CW in fpu_set_default_cw(). This function is used only
in COMPAT_FREEBSD, it really needs to die.

(maxv)

Don't restore segment registers when leaving NMIs. In nmitrap (and the
functions it later calls), we are not allowing the trap frame to change;
so the segregs don't change since we are running with interrupts disabled
and there is no rescheduling in this case.

(maxv)

Define INTRSTUB_ARRAY, simplifies a lot.

(maxv)

Style (realign everything correctly), and fix a typo.

(maxv)

missing backslash

(christos)

fix openssl-1.1

(christos)

Fix ping_opts_gateway and ping_opts_recordroute

We need to enable the options of source routing on all rump kernels.

(ozaki-r)

put .PATH after the variable is defined.

(christos)

No RC5 for OpenSSL-1.1

(christos)

disable compat api setting for openssl 1.1

(christos)

only set api compat for 1.0

(christos)

only set the compat version for OpenSSL-1.0

(christos)

fix 1.0 build; thanks ODE make.

(christos)

include the right test directory for the right openssl version

(christos)

adjust to renamed file

(christos)

need openssl/dh.h

(christos)

use the right map file

(christos)

Add a linker script

(christos)

fix the man pages, add a linker script

(christos)

adjust tests for 1.1

(christos)

update build glue

(christos)

merged conflicts

(christos)

Remove ovbcopy. It's long dead; only sparc has a reference to a function
of the same name, which too should be removed.

(maxv)

Remove unused net_osdep.h include.

(maxv)

try to make this match what I believe is current reality

(jakllsch)

Style, rename a variable, and remove an unreachable case.

(maxv)

Move the IPv4 multicast check earlier; we want to kick multicast packets
all the time, and not just when they are SYNs.

The IPv6 multicast check is already done earlier, so this block of code
can be removed.

(maxv)

Remove the unused 'multicast' argument from tcp_vtw_input, and remove
the now-unused multicast detection code. It couldn't have been correct on
IPv6, since multicast packets are kicked at the beginning of the function.

(maxv)

Add ASN1_STRING_get0_data() glue for OPENSSL_API_COMPAT >= 0x10100000L

(jakllsch)

Remove the default case, the beginning of the function already ensures
af == AF_INET || af == AF_INET6.

(maxv)

Dedup code.

(maxv)

Remove the IN6_IS_ADDR_V4MAPPED checks in the protocol functions. They
are useless, because the IPv6 entry point (ip6_input) already performs
them.

The checks were first added in the protocol functions:

Wed Dec 22 04:03:02 1999 UTC (18 years, 1 month ago) by itojun

"drop IPv6 packets with v4 mapped address on src/dst.  they are illegal
and may be used to fool IPv6 implementations (by using ::ffff:127.0.0.1 as
source you may be able to pretend the packet is from local node)"

Shortly afterwards they were also added in the IPv6 entry point, but
where not removed from the protocol functions:

Mon Jan 31 10:33:22 2000 UTC (18 years ago) by itojun

"be proactive about malicious packet on the wire.  we fear that v4 mapped
address to be used as a tool to hose security filters (like bypassing
"local host only" filter by using ::ffff:127.0.0.1)."

OpenBSD did the same a few months ago. FreeBSD has never had these checks.

(maxv)

Style, and remove outdated comments.

(maxv)

adjust the list of subdirs to elide.  don't need libitm, gnattools
or gotools.

(mrg)

Remove this check, it is already done at the beginning of the function.

(maxv)

Allow kdbpeek() to return failure. If it does, stop the stack trace.
Prevents an infinite loop in ddb if something goes wrong.

(bouyer)

Reduce the indentation level of this huge block (without realigning yet,
for proofreadability). No functional change.

(maxv)

Move the SO_DEBUG block earlier, to reduce the indentation level.

(maxv)

define OPENSSL_API_COMPAT

(doesn't entirely unbreak build yet)

(jakllsch)

include dh.h in the right spot.

(christos)

pr_send can be given a NULL lwp. It looks like the

control != NULL && lwp == NULL

condition is never supposed to happen, but add a panic for safety.

(maxv)

Move udp6_output() into udp6_usrreq.c, and remove udp6_output.c. This is
more consistent with IPv4, and there is no good reason for keeping a
separate file only for one function. FreeBSD did the same.

(maxv)

Style, no functional change.

(maxv)

update for GCC 6:

kbd_input_wskbd() has a missing {} issue.

(mrg)

Use C99 types - in particular, stop using n_time and n_short -, style, and
remove prototype of icmp_sysctl (does not exist). No functional change.

(maxv)

Style, and remove prototype of udp_sysctl (does not exist).

(maxv)

More style, no functional change.

(maxv)

Don't call lltable_purge_entries from in_if_down if ARP isn't enabled

Reported by bouyer@

(ozaki-r)

Convert inter.phone from iso-8859-1 to utf-8.

Suggested by Eitan Adler in PR 52990.

(wiz)

Change the error stat from IP_STAT_BADFRAGS to IP_STAT_TOOLONG. The
ping_of_death ATF test expects this counter to get increased.

(maxv)

Now that we don't allow source-routed packets by default, set allowsrcrt=1
and forwsrcrt=1. Should fix the ATF failure.

(maxv)

Fix a possible buffer overflow in the IPv4 _ctlinput functions.

In _icmp_input we are guaranteeing that the ICMP_ADVLENMIN-byte area
starting from 'icp' is contiguous.

ICMP_ADVLENMIN = 8 + sizeof(struct ip) + 8 = 36

But the _ctlinput functions (eg udp_ctlinput) expect the area to be
larger. These functions read at:

(uint8_t *)icp + 8 + (icp->icmp_ip.ip_hl << 2)

which can be crafted to be:

(uint8_t *)icp + 68

So we end up reading 'icp+68' while the valid area ended at 'icp+36'.

Having said that, it seems pretty complicated to trigger this bug; it
would have to be a fragmented packet with half of the ICMP header in the
first fragment, and we would need to have a driver that did not allocate
a cluster for the first mbuf of the chain.

The check of icmplen against ICMP_ADVLEN(icp) was not sufficient: while it
did guarantee that the ICMP header fit the chain, it did not guarantee
that it fit 'm'.

Fix this bug by pulling up to hlen+ICMP_ADVLEN(icp). No need to log an
error. Rebase the pointers afterwards.

(maxv)

Typos.

(dholland)

Typo fixes from Eitan Adler.

(dholland)

typo from 2008

(dholland)

updates for GCC 6:

- frentry_4_1_0_to_current() has duplicated code section, found via
  the indent checker.  didn't setup a test to confirm the bug/fix,
  but the other 2 similar functions are similar here now.

(mrg)

update for GCC 6:

- fix an array bounds violation and pass the right address to ether_crc32_be().

(i assume this actually makes et(4) multicast work.)

(mrg)

update for GCC 6:
- nand_bbt_block_mark() has a left-shift of negative value issue.
  this change avoids it, but reviewers indicate this function has
  other problems.

(mrg)

Style, and remove printfs.

(maxv)

Fix three pretty bad mistakes in NAT-T:

* If we got a keepalive packet, we need to call m_freem, not m_free.
  Here the next mbufs in the chain are not freed. Seems easy to remotely
  DoS the system by sending fragmented keepalives in a loop.

* If !ipsec_used, free the mbuf.

* In udp_input, we need to update 'uh', because udp4_realinput may have
  modified the chain. Perhaps we also need to re-enforce alignment, so
  add an XXX.

(maxv)

add openssl to the list of selectable variables for sets and fix the sets.

(christos)

Revert previous changes due to popular demand.  Instead, add a note at
the bottom of each document to provide the original ASCII characters'
names.

(pgoyette)

While here, also update 014 - it's name is "ff" ("form feed"), and not
"np" ("new page").

(pgoyette)

Since this is the ASCII charactger set, use the ASCII name for the
012 character - "lf" for "line feed", not "nl" for "new line".

Follow-on from PR misc/52989 (from Eitab Adler)

(pgoyette)

Bump date for previous

(pgoyette)

Since this is describing the ASCII character set, use the correct
ASCII abbreviation for character 012.  All references I can find
which seem to be even remotely authoritative and/or definitive use
"lf" (for "line feed") rather than "nl" (for "new line").

See https://www.ascii-code.com and https://en.wikipedia.org/wiki/ASCII

From Eitan Adler in PR misc/52989

(pgoyette)

Move Rockchip port to the attic. It is not very useful.

(jmcneill)

Oops forgot one openssl version name change

(christos)

stopgap fix: restrict XSAVEOPT to Intel CPUs

The current code causes floating point miscalculations on AMD Ryzen.
PR port-amd64/52966: amd64 FPU handling broken on AMD

(maya)

PR# port-evbarm/49468: Cortex GIC assertion triggered on Allwinner A80 SoC

The priority level is changed by writing to GICC_PMR with interrupts
disabled. However, interrupts are enabled/disabled downstream of the GICC
at the CPU. When raising priority level, there is a window between the time
that interrupts are disabled and the GICC_PMR register is written. If an
interrupt occurs at a previously allowed priority before GICC_PMR is
changed, the CPU will receive the signal when interrupts are re-enabled.
At this time, GICC_PMR is now the new priority level, so reads of
GICC_IAR will report a spurious IRQ.

Move the "old_ipl != IPL_HIGH" test until after we have confirmed that
there is at least one pending IRQ.

(jmcneill)

xhci.c: avoid unused variable in non-DIAGNOSTIC build

(prlw1)

Fix md(4) double attachment in TFTPROOT option

The mdattach() call in tftproot_dhcpboot() has probably always been
useless, but it seems it became harmful, as it causes 7.1.1 to deadlock
during boot.

(manu)

Fix uninitialized variable use:
if there is an error, or if we are using a SPI controller,
sdmmc_mem_send_op_cond() doens't assign a value to *ocrp,
but it is used unconditionally in sdmmc_mem_enable() to see if we can switch
to low voltage.

In sdmmc_mem_send_op_cond(), if the new ocr is not returned by the
card for whatever reason, set *ocrp to the orig value.

(bouyer)

Keep /dev/ksyms open in _kvm_open(). This way /dev/ksyms can be put into
$g_kmem without breaking the tools that need kmem+ksyms.

Discussed on tech-kern@ three weeks ago. The original issue was reported
by maya@, the patch was written by Tom Ivar Helbekkmo, ok christos@.

(maxv)

Style and constify.

(maxv)

md2 has been deprecated in OpenSSL-1.1

(christos)

needs the OpenSSL-1.1 api to build

(christos)

add set0_key needed by racoon

(christos)

More style. No functional change.

(maxv)

Remove parentheses in return statements. No functional change.

(maxv)

Style and remove unused macros. More to come.

(maxv)

Remove RSVP_ISI, that's mostly dead code. FreeBSD and OpenBSD too removed
it; FreeBSD kept some pieces but they are mostly no-opts.

Sent on tech-net@, no comment.

(maxv)

Fix typos, as reported by Eitan Adler.  Update dates.

(pgoyette)

Style, and localify IPV6FORWARDING. No functional change.

(maxv)

Change ip6_hdrnestlimit to be 15 instead of 50. I couldn't find any
reference in RFCs about what a correct limit should be, but FreeBSD already
uses 15.

If an IPv6 packet has 50 options, there is clearly something wrong with it.

(maxv)

Bump date for previous

(martin)

Fix typo, from Eitan Adler.

(martin)

Rename back to ip6af_mff. It was actually clearer than ip6af_more.

(maxv)

Remove unnecessary assertions

KASSERT(!rw_lock_held()) just before rw_destroy() is useless because
rw_destroy does more strict check and provides better information on
failure.

(ozaki-r)

Remove null check on ip, it can't be null. (Confuses code scanners.)

(maxv)

ip_add_membership() has an missing {} issue, but solve it by
dropping the "goto out" that would have happened immediately
next anyway, ie, should be NFC.

(mrg)

ppprcvframe() has indentation issues.

(mrg)

XXX: add a NULL init to avoid a GCC 6 maybe uninit warning.

(mrg)

avoid an indentation issue by adding "if (1)".

(mrg)

update for GCC 6:

ignore -Wframe-address warnings for the ppc hack.

(mrg)

update for GCC 6:

do_process has vfork() vs clobber issues

(mrg)

for now, turn off biarch support in ppc64.  it ends up enabling
secureplt support for 64 bit mode, which doesn't exist (or need it.)

(mrg)

Spinkle ASSERT_SLEEPABLE to xcall functions

(ozaki-r)

regen mknative gcc 6.4 for mipsel.  sort of do it for vax, ia64 and ppc64.

(mrg)

Welcome to the 21st century Buck Rogers: OpenSSL-1.1

(christos)

Fix PR misc/52890

(knakahara)

make this actually work:
- use ${G_OBJS} directly, it avoids issues with .c vs .cc files.
- add a method to not rm -rf .ab for inspection.
- fix and add missing depends for many things.
- use -Wno-error for mips and arm insn-recog.c, due to eg:
    insn-recog.c:10304:7: error: this decimal constant is unsigned only in ISO C90 [-Werror]
    mips.md:3474:11: error: this decimal constant is unsigned only in ISO C90 [-Werror]

(mrg)

some more/changed files need -O1 for vax.

(mrg)

port to hppa, m68k, m68000, vax, and sh3.  this should complete
our list of ports.  it's only about obtaining some pointers in
this code, really.

(mrg)

handle MKPICLIB=no builds.

(mrg)

regen mknative-gcc 6 for:
  arm armeb earm earmeb earmhf earmhfeb earmv4eb earmv6 earmv6eb
  earmv6hf earmv6hfeb earmv7 earmv7eb earmv7hf earmv7hfeb

mipsel, ppc64 and ia64 didn't work properly this time, and vax
has a problem with libstdc++.

(mrg)

fix alpha gcc 6.4 mknative.  now works.

(mrg)

build and install gcov-dump.

(mrg)

Correct misleading indentation.

(maya)

Adjust to OpenSSL-1.1

(christos)

Restore default paths to what they were before prior import.

(roy)

amend 524

(snj)

Pull up following revision(s) (requested by pgoyette in ticket #524):
sys/modules/Makefile: revision 1.199
sys/modules/amdsmn/Makefile: revision 1.1
sys/modules/amdsmn/amdsmn.ioconf: revision 1.1
sys/modules/amdzentemp/Makefile: revision 1.1
Create amdsmn(4) amd amdzentemp(4) modules for X86

(snj)

fix typo

(christos)

fix duplicate declaration of pthread_atfork in unistd.h

(christos)

detect duplicate declaration of pthread_atfork() in pthread.h

(christos)

mark old compat functions.

(christos)

use OPENSSL_API_COMPAT

(christos)

use OPENSSL_API_COMPAT

(christos)

use OPENSSL_API_COMPAT instead of hacking the version

(christos)

more mknative-gcc 6.4 for m68k, mips*, powerpc, sh*, sparc* and amd64.

(mrg)

added 1.1 api

(christos)

use OpenSSL-1.1 apis

(christos)