CVS commit: [netbsd-4-0] src/sys
Module Name:src Committed By: riz Date: Wed Nov 14 20:15:37 UTC 2012 Modified Files: src/sys/kern [netbsd-4-0]: vfs_lookup.c src/sys/miscfs/genfs [netbsd-4-0]: layer_vnops.c Log Message: Pull up following revision(s) (requested by dholland in ticket #1466): sys/kern/vfs_lookup.c: revision 1.195 sys/miscfs/genfs/layer_vnops.c: revision 1.51 In layer_lookup(), clear *vpp before returning EROFS, as otherwise a stale value can be returned and this causes a diagnostic panic in namei. In relookup(), clear *vpp before calling VOP_LOOKUP, as is done in lookup_once(), as an additional precautionary measure. (in theory both of these fixes are not required together) Should fix PR 47040. To generate a diff of this commit: cvs rdiff -u -r1.72.2.3 -r1.72.2.3.6.1 src/sys/kern/vfs_lookup.c cvs rdiff -u -r1.28.2.2 -r1.28.2.2.6.1 src/sys/miscfs/genfs/layer_vnops.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/kern/vfs_lookup.c diff -u src/sys/kern/vfs_lookup.c:1.72.2.3 src/sys/kern/vfs_lookup.c:1.72.2.3.6.1 --- src/sys/kern/vfs_lookup.c:1.72.2.3 Sat Feb 17 23:27:47 2007 +++ src/sys/kern/vfs_lookup.c Wed Nov 14 20:15:36 2012 @@ -1,4 +1,4 @@ -/* $NetBSD: vfs_lookup.c,v 1.72.2.3 2007/02/17 23:27:47 tron Exp $ */ +/* $NetBSD: vfs_lookup.c,v 1.72.2.3.6.1 2012/11/14 20:15:36 riz Exp $ */ /* * Copyright (c) 1982, 1986, 1989, 1993 @@ -37,7 +37,7 @@ */ #include sys/cdefs.h -__KERNEL_RCSID(0, $NetBSD: vfs_lookup.c,v 1.72.2.3 2007/02/17 23:27:47 tron Exp $); +__KERNEL_RCSID(0, $NetBSD: vfs_lookup.c,v 1.72.2.3.6.1 2012/11/14 20:15:36 riz Exp $); #include opt_ktrace.h #include opt_systrace.h 
@@ -941,6 +941,7 @@ relookup(struct vnode *dvp, struct vnode /* * We now have a segment name to search for, and a directory to search. */ + *vpp = NULL; if ((error = VOP_LOOKUP(dvp, vpp, cnp)) != 0) { #ifdef DIAGNOSTIC if (*vpp != NULL) Index: src/sys/miscfs/genfs/layer_vnops.c diff -u src/sys/miscfs/genfs/layer_vnops.c:1.28.2.2 src/sys/miscfs/genfs/layer_vnops.c:1.28.2.2.6.1 --- src/sys/miscfs/genfs/layer_vnops.c:1.28.2.2 Mon Apr 16 20:01:13 2007 +++ src/sys/miscfs/genfs/layer_vnops.c Wed Nov 14 20:15:37 2012 @@ -1,4 +1,4 @@ -/* $NetBSD: layer_vnops.c,v 1.28.2.2 2007/04/16 20:01:13 bouyer Exp $ */ +/* $NetBSD: layer_vnops.c,v 1.28.2.2.6.1 2012/11/14 20:15:37 riz Exp $ */ /* * Copyright (c) 1999 National Aeronautics Space Administration @@ -67,8 +67,8 @@ * * Ancestors: * @(#)lofs_vnops.c 1.2 (Berkeley) 6/18/92 - * $Id: layer_vnops.c,v 1.28.2.2 2007/04/16 20:01:13 bouyer Exp $ - * $Id: layer_vnops.c,v 1.28.2.2 2007/04/16 20:01:13 bouyer Exp $ + * $Id: layer_vnops.c,v 1.28.2.2.6.1 2012/11/14 20:15:37 riz Exp $ + * $Id: layer_vnops.c,v 1.28.2.2.6.1 2012/11/14 20:15:37 riz Exp $ * ...and... * @(#)null_vnodeops.c 1.20 92/07/07 UCLA Ficus project */ @@ -233,7 +233,7 @@ */ #include sys/cdefs.h -__KERNEL_RCSID(0, $NetBSD: layer_vnops.c,v 1.28.2.2 2007/04/16 20:01:13 bouyer Exp $); +__KERNEL_RCSID(0, $NetBSD: layer_vnops.c,v 1.28.2.2.6.1 2012/11/14 20:15:37 riz Exp $); #include sys/param.h #include sys/systm.h @@ -436,8 +436,10 @@ layer_lookup(v) dvp = ap-a_dvp; if ((flags ISLASTCN) (dvp-v_mount-mnt_flag MNT_RDONLY) - (cnp-cn_nameiop == DELETE || cnp-cn_nameiop == RENAME)) + (cnp-cn_nameiop == DELETE || cnp-cn_nameiop == RENAME)) { + *ap-a_vpp = NULL; return (EROFS); + } ldvp = LAYERVPTOLOWERVP(dvp); ap-a_dvp = ldvp;
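Review bot: In layer_lookup() only the EROFS early return clears the result pointer; any other return taken before the lower layer's lookup runs would hand back the same stale `*ap->a_vpp`. The function continues outside the hunk, so this cannot be confirmed from here. Clearing it once on entry, `*ap->a_vpp = NULL;` right after `dvp = ap->a_dvp;`, would cover every path and match what the relookup() hunk does before VOP_LOOKUP. A one-line comment such as `/* never return with a stale *vpp on error */` would record why the store is there.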
CVS commit: [netbsd-4-0] src/sys
Module Name:src Committed By: riz Date: Wed Nov 14 20:15:37 UTC 2012 Modified Files: src/sys/kern [netbsd-4-0]: vfs_lookup.c src/sys/miscfs/genfs [netbsd-4-0]: layer_vnops.c Log Message: Pull up following revision(s) (requested by dholland in ticket #1466): sys/kern/vfs_lookup.c: revision 1.195 sys/miscfs/genfs/layer_vnops.c: revision 1.51 In layer_lookup(), clear *vpp before returning EROFS, as otherwise a stale value can be returned and this causes a diagnostic panic in namei. In relookup(), clear *vpp before calling VOP_LOOKUP, as is done in lookup_once(), as an additional precautionary measure. (in theory both of these fixes are not required together) Should fix PR 47040. To generate a diff of this commit: cvs rdiff -u -r1.72.2.3 -r1.72.2.3.6.1 src/sys/kern/vfs_lookup.c cvs rdiff -u -r1.28.2.2 -r1.28.2.2.6.1 src/sys/miscfs/genfs/layer_vnops.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
CVS commit: [netbsd-4-0] src/sys/arch/amd64/amd64
Module Name:src Committed By: bouyer Date: Wed Aug 22 19:52:40 UTC 2012 Modified Files: src/sys/arch/amd64/amd64 [netbsd-4-0]: trap.c Log Message: Apply patch, requested by spz in ticket #1454: sys/arch/amd64/amd64/trap.c:patch Fix potential stack frame corruption To generate a diff of this commit: cvs rdiff -u -r1.27 -r1.27.14.1 src/sys/arch/amd64/amd64/trap.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
CVS commit: [netbsd-4-0] src/sys/arch/amd64/amd64
Module Name:src Committed By: riz Date: Tue Jun 12 23:21:42 UTC 2012 Modified Files: src/sys/arch/amd64/amd64 [netbsd-4-0]: machdep.c netbsd32_machdep.c Log Message: Pull up following revision(s) (requested by spz in ticket #1450): sys/arch/amd64/amd64/machdep.c: revision 1.184 sys/arch/amd64/amd64/netbsd32_machdep.c: revision 1.77 If the user process provided a bogus signal handler address, kill it now instead of trying to jump to the bogus address. To generate a diff of this commit: cvs rdiff -u -r1.44.2.3 -r1.44.2.3.6.1 src/sys/arch/amd64/amd64/machdep.c cvs rdiff -u -r1.30.2.1 -r1.30.2.1.6.1 \ src/sys/arch/amd64/amd64/netbsd32_machdep.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/arch/amd64/amd64/machdep.c diff -u src/sys/arch/amd64/amd64/machdep.c:1.44.2.3 src/sys/arch/amd64/amd64/machdep.c:1.44.2.3.6.1 --- src/sys/arch/amd64/amd64/machdep.c:1.44.2.3 Fri Apr 20 20:31:25 2007 +++ src/sys/arch/amd64/amd64/machdep.c Tue Jun 12 23:21:42 2012 @@ -1,4 +1,4 @@ -/* $NetBSD: machdep.c,v 1.44.2.3 2007/04/20 20:31:25 bouyer Exp $ */ +/* $NetBSD: machdep.c,v 1.44.2.3.6.1 2012/06/12 23:21:42 riz Exp $ */ /*- * Copyright (c) 1996, 1997, 1998, 2000 The NetBSD Foundation, Inc. @@ -72,7 +72,7 @@ */ #include sys/cdefs.h -__KERNEL_RCSID(0, $NetBSD: machdep.c,v 1.44.2.3 2007/04/20 20:31:25 bouyer Exp $); +__KERNEL_RCSID(0, $NetBSD: machdep.c,v 1.44.2.3.6.1 2012/06/12 23:21:42 riz Exp $); #include opt_user_ldt.h #include opt_ddb.h 
@@ -522,6 +522,16 @@ sendsig(const ksiginfo_t *ksi, const sig /* Remember that we're now on the signal stack. */ if (onstack) p-p_sigctx.ps_sigstk.ss_flags |= SS_ONSTACK; + + if ((vaddr_t)catcher = VM_MAXUSER_ADDRESS) { + /* + * process has given an invalid address for the + * handler. Stop it, but do not do it before so + * we can return the right info to userland (or in core dump) + */ + sigexit(l, SIGILL); + /* NOTREACHED */ + } } void Index: src/sys/arch/amd64/amd64/netbsd32_machdep.c diff -u src/sys/arch/amd64/amd64/netbsd32_machdep.c:1.30.2.1 src/sys/arch/amd64/amd64/netbsd32_machdep.c:1.30.2.1.6.1 --- src/sys/arch/amd64/amd64/netbsd32_machdep.c:1.30.2.1 Sat Jan 6 13:18:16 2007 +++ src/sys/arch/amd64/amd64/netbsd32_machdep.c Tue Jun 12 23:21:42 2012 @@ -1,4 +1,4 @@ -/* $NetBSD: netbsd32_machdep.c,v 1.30.2.1 2007/01/06 13:18:16 bouyer Exp $ */ +/* $NetBSD: netbsd32_machdep.c,v 1.30.2.1.6.1 2012/06/12 23:21:42 riz Exp $ */ /* * Copyright (c) 2001 Wasabi Systems, Inc. @@ -36,7 +36,7 @@ */ #include sys/cdefs.h -__KERNEL_RCSID(0, $NetBSD: netbsd32_machdep.c,v 1.30.2.1 2007/01/06 13:18:16 bouyer Exp $); +__KERNEL_RCSID(0, $NetBSD: netbsd32_machdep.c,v 1.30.2.1.6.1 2012/06/12 23:21:42 riz Exp $); #include opt_compat_netbsd.h #include opt_coredump.h @@ -256,6 +256,16 @@ netbsd32_sendsig_sigcontext(const ksigin /* Remember that we're now on the signal stack. */ if (onstack) p-p_sigctx.ps_sigstk.ss_flags |= SS_ONSTACK; + + if ((vaddr_t)catcher = VM_MAXUSER_ADDRESS) { + /* + * process has given an invalid address for the + * handler. Stop it, but do not do it before so + * we can return the right info to userland (or in core dump) + */ + sigexit(l, SIGILL); + /* NOTREACHED */ + } } #endif 
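Review bot: In the two netbsd32 paths (netbsd32_sendsig_sigcontext here and netbsd32_sendsig_siginfo in the following hunk) the bound is the 64-bit `VM_MAXUSER_ADDRESS`, which looks too loose for a 32-bit process. A handler address supplied by compat userland presumably fits in 32 bits and so can never reach that limit, leaving the check without effect there. If the port defines a 32-bit user limit, comparing against it, e.g. `if ((vaddr_t)catcher >= VM_MAXUSER_ADDRESS32)`, would make the guard meaningful. The comment could also say plainly that the check is deliberately placed after the frame is written so the core dump shows the signal state. All three functions begin outside their hunks.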
@@ -337,6 +347,16 @@ netbsd32_sendsig_siginfo(const ksiginfo_ /* Remember that we're now on the signal stack. */ if (onstack) p-p_sigctx.ps_sigstk.ss_flags |= SS_ONSTACK; + + if ((vaddr_t)catcher = VM_MAXUSER_ADDRESS) { + /* + * process has given an invalid address for the + * handler. Stop it, but do not do it before so + * we can return the right info to userland (or in core dump) + */ + sigexit(l, SIGILL); + /* NOTREACHED */ + } } void
CVS commit: [netbsd-4-0] src/sys/arch/amd64/amd64
Module Name:src Committed By: riz Date: Tue Jun 12 23:21:42 UTC 2012 Modified Files: src/sys/arch/amd64/amd64 [netbsd-4-0]: machdep.c netbsd32_machdep.c Log Message: Pull up following revision(s) (requested by spz in ticket #1450): sys/arch/amd64/amd64/machdep.c: revision 1.184 sys/arch/amd64/amd64/netbsd32_machdep.c: revision 1.77 If the user process provided a bogus signal handler address, kill it now instead of trying to jump to the bogus address. To generate a diff of this commit: cvs rdiff -u -r1.44.2.3 -r1.44.2.3.6.1 src/sys/arch/amd64/amd64/machdep.c cvs rdiff -u -r1.30.2.1 -r1.30.2.1.6.1 \ src/sys/arch/amd64/amd64/netbsd32_machdep.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
CVS commit: [netbsd-4-0] src/sys/netsmb
Module Name:src Committed By: riz Date: Sat May 19 17:07:50 UTC 2012 Modified Files: src/sys/netsmb [netbsd-4-0]: subr_mchain.c Log Message: Pull up following revision(s) (requested by nakayama in ticket #1445): sys/netsmb/subr_mchain.c: revision 1.21 Since len has changed to (unsinged) size_t, the while loop condition (len 0) became less able to detect its underflow. So check the subtrahend to avoid the underflow. Should fix PR kern/44092. To generate a diff of this commit: cvs rdiff -u -r1.13.28.1 -r1.13.28.2 src/sys/netsmb/subr_mchain.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/netsmb/subr_mchain.c diff -u src/sys/netsmb/subr_mchain.c:1.13.28.1 src/sys/netsmb/subr_mchain.c:1.13.28.2 --- src/sys/netsmb/subr_mchain.c:1.13.28.1 Thu Jul 22 20:34:16 2010 +++ src/sys/netsmb/subr_mchain.c Sat May 19 17:07:50 2012 @@ -1,4 +1,4 @@ -/* $NetBSD: subr_mchain.c,v 1.13.28.1 2010/07/22 20:34:16 riz Exp $ */ +/* $NetBSD: subr_mchain.c,v 1.13.28.2 2012/05/19 17:07:50 riz Exp $ */ /* * Copyright (c) 2000, 2001 Boris Popov @@ -35,7 +35,7 @@ */ #include sys/cdefs.h -__KERNEL_RCSID(0, $NetBSD: subr_mchain.c,v 1.13.28.1 2010/07/22 20:34:16 riz Exp $); +__KERNEL_RCSID(0, $NetBSD: subr_mchain.c,v 1.13.28.2 2012/05/19 17:07:50 riz Exp $); #include sys/param.h #include sys/systm.h @@ -70,7 +70,7 @@ m_getm(struct mbuf *m, size_t len, int h } } mp-m_len = 0; -len -= M_TRAILINGSPACE(mp); +len -= min(len, M_TRAILINGSPACE(mp)); if (m != NULL) for (mtail = m; mtail-m_next != NULL; mtail = mtail-m_next); @@ -92,7 +92,7 @@ m_getm(struct mbuf *m, size_t len, int h } mp-m_len = 0; -len -= M_TRAILINGSPACE(mp); +len -= min(len, M_TRAILINGSPACE(mp)); } if (mtail != NULL)
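Review bot: `min()` in the kernel is, as far as I know, the libkern inline that takes and returns `u_int`, so `min(len, M_TRAILINGSPACE(mp))` would truncate the `size_t` len on LP64 ports; a len whose low 32 bits are zero would then subtract nothing and the loop could fail to make progress. Both changed lines in m_getm have this, including the second hunk at -92. The type-agnostic macro avoids the truncation: `len -= MIN(len, (size_t)M_TRAILINGSPACE(mp));`. m_getm's body extends beyond both hunks, so the loop condition itself is not visible here.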
CVS commit: [netbsd-4-0] src/sys/netsmb
Module Name:src Committed By: riz Date: Sat May 19 17:07:50 UTC 2012 Modified Files: src/sys/netsmb [netbsd-4-0]: subr_mchain.c Log Message: Pull up following revision(s) (requested by nakayama in ticket #1445): sys/netsmb/subr_mchain.c: revision 1.21 Since len has changed to (unsigned) size_t, the while loop condition (len > 0) became less able to detect its underflow. So check the subtrahend to avoid the underflow. Should fix PR kern/44092. To generate a diff of this commit: cvs rdiff -u -r1.13.28.1 -r1.13.28.2 src/sys/netsmb/subr_mchain.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
CVS commit: [netbsd-4-0] src/sys/uvm
Module Name:src Committed By: bouyer Date: Sat Nov 19 14:21:43 UTC 2011 Modified Files: src/sys/uvm [netbsd-4-0]: uvm_meter.c Log Message: Pull up following revision(s) (requested by christos in ticket #1436): sys/uvm/uvm_meter.c: revision 1.57 via patch if you are going to dereference a variable, check the variable itself, not it cousin. To generate a diff of this commit: cvs rdiff -u -r1.43.2.1 -r1.43.2.1.4.1 src/sys/uvm/uvm_meter.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/uvm/uvm_meter.c diff -u src/sys/uvm/uvm_meter.c:1.43.2.1 src/sys/uvm/uvm_meter.c:1.43.2.1.4.1 --- src/sys/uvm/uvm_meter.c:1.43.2.1 Fri Oct 12 22:36:07 2007 +++ src/sys/uvm/uvm_meter.c Sat Nov 19 14:21:43 2011 @@ -1,4 +1,4 @@ -/* $NetBSD: uvm_meter.c,v 1.43.2.1 2007/10/12 22:36:07 riz Exp $ */ +/* $NetBSD: uvm_meter.c,v 1.43.2.1.4.1 2011/11/19 14:21:43 bouyer Exp $ */ /* * Copyright (c) 1997 Charles D. Cranor and Washington University. @@ -41,7 +41,7 @@ */ #include sys/cdefs.h -__KERNEL_RCSID(0, $NetBSD: uvm_meter.c,v 1.43.2.1 2007/10/12 22:36:07 riz Exp $); +__KERNEL_RCSID(0, $NetBSD: uvm_meter.c,v 1.43.2.1.4.1 2011/11/19 14:21:43 bouyer Exp $); #include sys/param.h #include sys/proc.h @@ -148,7 +148,7 @@ sysctl_vm_uvmexp(SYSCTLFN_ARGS) struct sysctlnode node; node = *rnode; - if (oldp) + if (oldlenp) node.sysctl_size = min(*oldlenp, node.sysctl_size); return (sysctl_lookup(SYSCTLFN_CALL(node)));
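Review bot: With the guard now on `oldlenp` alone, a size-only query (oldp NULL, oldlenp set) also goes through the clamp, so `node.sysctl_size` becomes whatever the caller happened to store in `*oldlenp`. Whether sysctl_lookup() still reports the full size in that case is not visible here and should be confirmed. If it does not, `if (oldp != NULL && oldlenp != NULL)` would keep the clamp to the copy-out case while still never dereferencing a NULL pointer. sysctl_vm_uvmexp() starts and ends outside the hunk.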
CVS commit: [netbsd-4-0] src/sys/kern
Module Name:src Committed By: bouyer Date: Sat Nov 19 14:37:09 UTC 2011 Modified Files: src/sys/kern [netbsd-4-0]: kern_event.c Log Message: Pull up following revision(s) (requested by christos in ticket #1438): sys/kern/kern_event.c: revision 1.73 PR/45618: Motoyuki OHMORI: kqueue EVFILT_TIMER with smaller timeout value makes DIAGNOSTIC kernel panic: KASSERT((c-c_flags CALLOUT_PENDING) !=3D 0); If the computed ticks are = 0 set it to 1 To generate a diff of this commit: cvs rdiff -u -r1.33 -r1.33.8.1 src/sys/kern/kern_event.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/kern/kern_event.c diff -u src/sys/kern/kern_event.c:1.33 src/sys/kern/kern_event.c:1.33.8.1 --- src/sys/kern/kern_event.c:1.33 Wed Nov 1 10:17:58 2006 +++ src/sys/kern/kern_event.c Sat Nov 19 14:37:09 2011 @@ -1,4 +1,4 @@ -/* $NetBSD: kern_event.c,v 1.33 2006/11/01 10:17:58 yamt Exp $ */ +/* $NetBSD: kern_event.c,v 1.33.8.1 2011/11/19 14:37:09 bouyer Exp $ */ /*- * Copyright (c) 1999,2000,2001 Jonathan Lemon jle...@freebsd.org @@ -29,7 +29,7 @@ */ #include sys/cdefs.h -__KERNEL_RCSID(0, $NetBSD: kern_event.c,v 1.33 2006/11/01 10:17:58 yamt Exp $); +__KERNEL_RCSID(0, $NetBSD: kern_event.c,v 1.33.8.1 2011/11/19 14:37:09 bouyer Exp $); #include sys/param.h #include sys/systm.h @@ -505,6 +505,8 @@ filt_timerexpire(void *knx) if ((kn-kn_flags EV_ONESHOT) == 0) { tticks = mstohz(kn-kn_sdata); + if (tticks = 0) + tticks = 1; callout_schedule((struct callout *)kn-kn_hook, tticks); } }
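Review bot: The clamp is applied only on the re-arm path in filt_timerexpire(); if the attach path converts `kn_sdata` with `mstohz()` in the same way (it is outside this hunk), a very small timeout could reach the callout code with 0 ticks there as well. It is worth checking that path and, if needed, sharing the conversion in one small helper so both sites agree. A short comment on the new lines, `/* callout needs at least one tick */`, would also explain the magic 1.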
CVS commit: [netbsd-4-0] src/sys/uvm
Module Name:src Committed By: bouyer Date: Sat Nov 19 14:21:43 UTC 2011 Modified Files: src/sys/uvm [netbsd-4-0]: uvm_meter.c Log Message: Pull up following revision(s) (requested by christos in ticket #1436): sys/uvm/uvm_meter.c: revision 1.57 via patch if you are going to dereference a variable, check the variable itself, not its cousin. To generate a diff of this commit: cvs rdiff -u -r1.43.2.1 -r1.43.2.1.4.1 src/sys/uvm/uvm_meter.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
CVS commit: [netbsd-4-0] src/sys/kern
Module Name:src Committed By: bouyer Date: Sat Nov 19 14:37:09 UTC 2011 Modified Files: src/sys/kern [netbsd-4-0]: kern_event.c Log Message: Pull up following revision(s) (requested by christos in ticket #1438): sys/kern/kern_event.c: revision 1.73 PR/45618: Motoyuki OHMORI: kqueue EVFILT_TIMER with smaller timeout value makes DIAGNOSTIC kernel panic: KASSERT((c->c_flags & CALLOUT_PENDING) != 0); If the computed ticks are <= 0 set it to 1 To generate a diff of this commit: cvs rdiff -u -r1.33 -r1.33.8.1 src/sys/kern/kern_event.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
CVS commit: [netbsd-4-0] src/sys/netinet
Module Name:src Committed By: riz Date: Sun Apr 3 15:06:14 UTC 2011 Modified Files: src/sys/netinet [netbsd-4-0]: tcp_output.c Log Message: Pull up following revision(s) (requested by spz in ticket #1424): sys/netinet/tcp_output.c: revision 1.170 Clean up setting ECN bit in TOS. Fixes PR 44742 To generate a diff of this commit: cvs rdiff -u -r1.153.2.1 -r1.153.2.1.4.1 src/sys/netinet/tcp_output.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/netinet/tcp_output.c diff -u src/sys/netinet/tcp_output.c:1.153.2.1 src/sys/netinet/tcp_output.c:1.153.2.1.4.1 --- src/sys/netinet/tcp_output.c:1.153.2.1 Thu May 24 19:13:14 2007 +++ src/sys/netinet/tcp_output.c Sun Apr 3 15:06:14 2011 @@ -1,4 +1,4 @@ -/* $NetBSD: tcp_output.c,v 1.153.2.1 2007/05/24 19:13:14 pavel Exp $ */ +/* $NetBSD: tcp_output.c,v 1.153.2.1.4.1 2011/04/03 15:06:14 riz Exp $ */ /* * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project. @@ -142,7 +142,7 @@ */ #include sys/cdefs.h -__KERNEL_RCSID(0, $NetBSD: tcp_output.c,v 1.153.2.1 2007/05/24 19:13:14 pavel Exp $); +__KERNEL_RCSID(0, $NetBSD: tcp_output.c,v 1.153.2.1.4.1 2011/04/03 15:06:14 riz Exp $); #include opt_inet.h #include opt_ipsec.h @@ -571,6 +571,7 @@ boolean_t alwaysfrag; int sack_rxmit; int sack_bytes_rxmt; + int ecn_tos; struct sackhole *p; #ifdef TCP_SIGNATURE int sigoff = 0; @@ -697,6 +698,7 @@ txsegsize_nosack = txsegsize; again: + ecn_tos = 0; use_tso = has_tso; if ((tp-t_flags (TF_ECN_SND_CWR|TF_ECN_SND_ECE)) != 0) { /* don't duplicate CWR/ECE. */ @@ -1294,18 +1296,7 @@ */ if (len 0 SEQ_GEQ(tp-snd_nxt, tp-snd_max) !(tp-t_force len == 1)) { - switch (af) { -#ifdef INET - case AF_INET: -tp-t_inpcb-inp_ip.ip_tos |= IPTOS_ECN_ECT0; -break; -#endif -#ifdef INET6 - case AF_INET6: -ip6-ip6_flow |= htonl(IPTOS_ECN_ECT0 20); -break; -#endif - } + ecn_tos = IPTOS_ECN_ECT0; tcpstat.tcps_ecn_ect++; } 
@@ -1519,12 +1510,12 @@ packetlen = m-m_pkthdr.len; if (tp-t_inpcb) { ip-ip_ttl = tp-t_inpcb-inp_ip.ip_ttl; - ip-ip_tos = tp-t_inpcb-inp_ip.ip_tos; + ip-ip_tos = tp-t_inpcb-inp_ip.ip_tos | ecn_tos; } #ifdef INET6 else if (tp-t_in6pcb) { ip-ip_ttl = in6_selecthlim(tp-t_in6pcb, NULL); /*XXX*/ - ip-ip_tos = 0; /*XXX*/ + ip-ip_tos = ecn_tos; /*XXX*/ } #endif break; @@ -1543,7 +1534,8 @@ ip6-ip6_hlim = in6_selecthlim(tp-t_in6pcb, ro-ro_rt ? ro-ro_rt-rt_ifp : NULL); } - /* ip6-ip6_flow = ??? */ + ip6-ip6_flow |= htonl(ecn_tos 20); + /* ip6-ip6_flow = ??? (from template) */ /* ip6_plen will be filled in ip6_output(). */ break; #endif
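Review bot: `ip6->ip6_flow |= htonl(ecn_tos << 20);` only ever sets bits, so it relies on the ECN field of the flow word being clear when the header is filled from the template, whereas the IPv4 branch assigns `ip_tos` outright. If the template can carry ECN bits (not visible in this hunk), masking first would make the two paths agree: `ip6->ip6_flow &= ~htonl(IPTOS_ECN_MASK << 20);` ahead of the OR. The leftover `/* ip6->ip6_flow = ??? (from template) */` comment could then be replaced by a sentence saying which bits come from the template and which are set here.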
CVS commit: [netbsd-4-0] src/sys
Module Name:src Committed By: riz Date: Sun Apr 3 15:15:09 UTC 2011 Modified Files: src/sys/netinet6 [netbsd-4-0]: ipcomp_input.c src/sys/netipsec [netbsd-4-0]: xform_ipcomp.c Log Message: Pull up following revision(s) (requested by spz in ticket #1425): sys/netipsec/xform_ipcomp.c: revision 1.26 sys/netinet6/ipcomp_input.c: revision 1.37 mitigation for CVE-2011-1547 this should really be solved by counting nested headers (like in the inet6 case) instead mitigation for CVE-2011-1547 To generate a diff of this commit: cvs rdiff -u -r1.30 -r1.30.12.1 src/sys/netinet6/ipcomp_input.c cvs rdiff -u -r1.8.2.1 -r1.8.2.1.4.1 src/sys/netipsec/xform_ipcomp.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/netinet6/ipcomp_input.c diff -u src/sys/netinet6/ipcomp_input.c:1.30 src/sys/netinet6/ipcomp_input.c:1.30.12.1 --- src/sys/netinet6/ipcomp_input.c:1.30 Thu Nov 16 01:33:45 2006 +++ src/sys/netinet6/ipcomp_input.c Sun Apr 3 15:15:09 2011 @@ -1,4 +1,4 @@ -/* $NetBSD: ipcomp_input.c,v 1.30 2006/11/16 01:33:45 christos Exp $ */ +/* $NetBSD: ipcomp_input.c,v 1.30.12.1 2011/04/03 15:15:09 riz Exp $ */ /* $KAME: ipcomp_input.c,v 1.29 2001/09/04 08:43:19 itojun Exp $ */ /* @@ -35,7 +35,7 @@ */ #include sys/cdefs.h -__KERNEL_RCSID(0, $NetBSD: ipcomp_input.c,v 1.30 2006/11/16 01:33:45 christos Exp $); +__KERNEL_RCSID(0, $NetBSD: ipcomp_input.c,v 1.30.12.1 2011/04/03 15:15:09 riz Exp $); #include opt_inet.h #include opt_ipsec.h 
@@ -140,6 +140,14 @@ ipcomp = mtod(md, struct ipcomp *); ip = mtod(m, struct ip *); nxt = ipcomp-comp_nxt; + if (nxt == IPPROTO_IPCOMP || nxt == IPPROTO_AH || nxt == IPPROTO_ESP) { + /* nested ipcomp - possible attack, not likely useful */ + ipseclog((LOG_DEBUG, IPv4 IPComp input: nested ipcomp + (bailing)\n)); + ipsecstat.in_inval++; + goto fail; + } + #ifdef _IP_VHL hlen = IP_VHL_HL(ip-ip_vhl) 2; #else Index: src/sys/netipsec/xform_ipcomp.c diff -u src/sys/netipsec/xform_ipcomp.c:1.8.2.1 src/sys/netipsec/xform_ipcomp.c:1.8.2.1.4.1 --- src/sys/netipsec/xform_ipcomp.c:1.8.2.1 Thu May 24 19:13:13 2007 +++ src/sys/netipsec/xform_ipcomp.c Sun Apr 3 15:15:09 2011 @@ -1,4 +1,4 @@ -/* $NetBSD: xform_ipcomp.c,v 1.8.2.1 2007/05/24 19:13:13 pavel Exp $ */ +/* $NetBSD: xform_ipcomp.c,v 1.8.2.1.4.1 2011/04/03 15:15:09 riz Exp $ */ /* $FreeBSD: src/sys/netipsec/xform_ipcomp.c,v 1.1.4.1 2003/01/24 05:11:36 sam Exp $ */ /* $OpenBSD: ip_ipcomp.c,v 1.1 2001/07/05 12:08:52 jjbg Exp $ */ @@ -30,7 +30,7 @@ */ #include sys/cdefs.h -__KERNEL_RCSID(0, $NetBSD: xform_ipcomp.c,v 1.8.2.1 2007/05/24 19:13:13 pavel Exp $); +__KERNEL_RCSID(0, $NetBSD: xform_ipcomp.c,v 1.8.2.1.4.1 2011/04/03 15:15:09 riz Exp $); /* IP payload compression protocol (IPComp), see RFC 2393 */ #include opt_inet.h @@ -297,6 +297,14 @@ /* Keep the next protocol field */ addr = (caddr_t) mtod(m, struct ip *) + skip; nproto = ((struct ipcomp *) addr)-comp_nxt; + if (nproto == IPPROTO_IPCOMP || nproto == IPPROTO_AH || nproto == IPPROTO_ESP) { + ipcompstat.ipcomps_hdrops++; + DPRINTF((ipcomp_input_cb: nested ipcomp, IPCA %s/%08lx\n, + ipsec_address(sav-sah-saidx.dst), + (u_long) ntohl(sav-spi))); + error = EINVAL; + goto bad; + } /* Remove the IPCOMP header */ error = m_striphdr(m, skip, hlen);
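Review bot: Both new drop paths are observable only through debug-level output, `ipseclog((LOG_DEBUG, ...))` in ipcomp_input.c and `DPRINTF` in xform_ipcomp.c, plus the counters `ipsecstat.in_inval` and `ipcompstat.ipcomps_hdrops`, which other malformed-header drops presumably bump as well. Since the added comment itself calls this a possible attack, an operator would want to tell these drops apart from ordinary garbage; a rate-limited message at a higher priority, or a dedicated counter, would allow that. The condition line added in xform_ipcomp.c also runs well past 80 columns and could be wrapped after the second `||`. Both enclosing functions start and end outside the hunks.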
CVS commit: [netbsd-4-0] src/sys/netinet
Module Name:src Committed By: riz Date: Sun Apr 3 15:06:14 UTC 2011 Modified Files: src/sys/netinet [netbsd-4-0]: tcp_output.c Log Message: Pull up following revision(s) (requested by spz in ticket #1424): sys/netinet/tcp_output.c: revision 1.170 Clean up setting ECN bit in TOS. Fixes PR 44742 To generate a diff of this commit: cvs rdiff -u -r1.153.2.1 -r1.153.2.1.4.1 src/sys/netinet/tcp_output.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
CVS commit: [netbsd-4-0] src/sys
Module Name:src Committed By: riz Date: Sun Apr 3 15:15:09 UTC 2011 Modified Files: src/sys/netinet6 [netbsd-4-0]: ipcomp_input.c src/sys/netipsec [netbsd-4-0]: xform_ipcomp.c Log Message: Pull up following revision(s) (requested by spz in ticket #1425): sys/netipsec/xform_ipcomp.c: revision 1.26 sys/netinet6/ipcomp_input.c: revision 1.37 mitigation for CVE-2011-1547 this should really be solved by counting nested headers (like in the inet6 case) instead mitigation for CVE-2011-1547 To generate a diff of this commit: cvs rdiff -u -r1.30 -r1.30.12.1 src/sys/netinet6/ipcomp_input.c cvs rdiff -u -r1.8.2.1 -r1.8.2.1.4.1 src/sys/netipsec/xform_ipcomp.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
CVS commit: [netbsd-4-0] src/sys/kern
Module Name:src Committed By: bouyer Date: Sun Mar 20 20:37:27 UTC 2011 Modified Files: src/sys/kern [netbsd-4-0]: vfs_syscalls.c Log Message: Pull up following revision(s) (requested by dholland in ticket #1417): sys/kern/vfs_syscalls.c: revision 1.415 via patch Check for bogus flags to access() up front. Otherwise we end up calling VOP_ACCESS with flags 0 and something asserts deep in the bowels of kauth. PR 44648 from Taylor Campbell. (I moved the check earlier relative to the suggested patch.) Pullup candidate. To generate a diff of this commit: cvs rdiff -u -r1.279.2.5 -r1.279.2.5.6.1 src/sys/kern/vfs_syscalls.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/kern/vfs_syscalls.c diff -u src/sys/kern/vfs_syscalls.c:1.279.2.5 src/sys/kern/vfs_syscalls.c:1.279.2.5.6.1 --- src/sys/kern/vfs_syscalls.c:1.279.2.5 Wed Feb 28 22:47:44 2007 +++ src/sys/kern/vfs_syscalls.c Sun Mar 20 20:37:27 2011 @@ -1,4 +1,4 @@ -/* $NetBSD: vfs_syscalls.c,v 1.279.2.5 2007/02/28 22:47:44 pavel Exp $ */ +/* $NetBSD: vfs_syscalls.c,v 1.279.2.5.6.1 2011/03/20 20:37:27 bouyer Exp $ */ /* * Copyright (c) 1989, 1993 @@ -37,7 +37,7 @@ */ #include sys/cdefs.h -__KERNEL_RCSID(0, $NetBSD: vfs_syscalls.c,v 1.279.2.5 2007/02/28 22:47:44 pavel Exp $); +__KERNEL_RCSID(0, $NetBSD: vfs_syscalls.c,v 1.279.2.5.6.1 2011/03/20 20:37:27 bouyer Exp $); #include opt_compat_netbsd.h #include opt_compat_43.h @@ -2373,6 +2373,11 @@ int error, flags; struct nameidata nd; + if ((SCARG(uap, flags) ~(R_OK | W_OK | X_OK)) != 0) { + /* nonsense flags */ + return EINVAL; + } + cred = kauth_cred_dup(l-l_cred); kauth_cred_seteuid(cred, kauth_cred_getuid(l-l_cred)); kauth_cred_setegid(cred, kauth_cred_getgid(l-l_cred));
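Review bot: The `/* nonsense flags */` comment does not say what is accepted; something like `/* only R_OK, W_OK and X_OK may be set; F_OK is 0 and passes */` would state the contract. The check sits before `kauth_cred_dup()`, so the early `return EINVAL` has nothing to release; saying so in the same comment would keep a later edit from moving it below the allocation. The function's signature is outside the hunk.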
CVS commit: [netbsd-4-0] src/sys/kern
Module Name:src Committed By: bouyer Date: Sun Mar 20 20:52:01 UTC 2011 Modified Files: src/sys/kern [netbsd-4-0]: kern_exec.c Log Message: Pull up following revision(s) (requested by spz in ticket #1421): sys/kern/kern_exec.c: revision 1.269 via patch Check for number of processes resource violation in execve(). To generate a diff of this commit: cvs rdiff -u -r1.232.2.2.6.1 -r1.232.2.2.6.2 src/sys/kern/kern_exec.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/kern/kern_exec.c diff -u src/sys/kern/kern_exec.c:1.232.2.2.6.1 src/sys/kern/kern_exec.c:1.232.2.2.6.2 --- src/sys/kern/kern_exec.c:1.232.2.2.6.1 Sat Sep 5 13:45:28 2009 +++ src/sys/kern/kern_exec.c Sun Mar 20 20:52:01 2011 @@ -1,4 +1,4 @@ -/* $NetBSD: kern_exec.c,v 1.232.2.2.6.1 2009/09/05 13:45:28 bouyer Exp $ */ +/* $NetBSD: kern_exec.c,v 1.232.2.2.6.2 2011/03/20 20:52:01 bouyer Exp $ */ /*- * Copyright (C) 1993, 1994, 1996 Christopher G. Demetriou @@ -33,7 +33,7 @@ */ #include sys/cdefs.h -__KERNEL_RCSID(0, $NetBSD: kern_exec.c,v 1.232.2.2.6.1 2009/09/05 13:45:28 bouyer Exp $); +__KERNEL_RCSID(0, $NetBSD: kern_exec.c,v 1.232.2.2.6.2 2011/03/20 20:52:01 bouyer Exp $); #include opt_ktrace.h #include opt_syscall_debug.h 
@@ -428,18 +428,40 @@ int szsigcode; struct exec_vmcmd *base_vcp; int oldlwpflags; + uid_t uid; #ifdef SYSTRACE int wassugid = ISSET(p-p_flag, P_SUGID); char pathbuf[MAXPATHLEN]; size_t pathbuflen; #endif /* SYSTRACE */ + p = l-l_proc; + + /* + * Check if we have exceeded our number of processes limit. + * This is so that we handle the case where a root daemon + * forked, ran setuid to become the desired user and is trying + * to exec. The obvious place to do the reference counting check + * is setuid(), but we don't do the reference counting check there + * like other OS's do because then all the programs that use setuid() + * must be modified to check the return code of setuid() and exit(). + * It is dangerous to make setuid() fail, because it fails open and + * the program will continue to run as root. If we make it succeed + * and return an error code, again we are not enforcing the limit. + * The best place to enforce the limit is here, when the process tries + * to execute a new image, because eventually the process will need + * to call exec in order to do something useful. + */ + + if ((p-p_flag P_SUGID) (uid = kauth_cred_getuid(l-l_cred)) != 0 + chgproccnt(uid, 0) p-p_rlimit[RLIMIT_NPROC].rlim_cur) + return EAGAIN; + /* Disable scheduler activation upcalls. */ oldlwpflags = l-l_flag (L_SA | L_SA_UPCALL); if (l-l_flag L_SA) l-l_flag = ~(L_SA | L_SA_UPCALL); - p = l-l_proc; /* * Lock the process and set the P_INEXEC flag to indicate that * it should be left alone until we're done here. This is
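Review bot: The new test buries an assignment in the middle of an `&&` chain, `(uid = kauth_cred_getuid(l->l_cred)) != 0`, so `uid` is only set when P_SUGID is already true and the reader has to untangle three conditions at once. Hoisting it reads better: `uid = kauth_cred_getuid(l->l_cred);` on its own line, then `if ((p->p_flag & P_SUGID) && uid != 0 && chgproccnt(uid, 0) > p->p_rlimit[RLIMIT_NPROC].rlim_cur)`. No lock is visible around the count in this hunk, so the limit looks best-effort against a concurrent fork; the long comment could say that. The function begins and ends outside the hunk.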
CVS commit: [netbsd-4-0] src/sys/kern
Module Name:src Committed By: bouyer Date: Sun Mar 20 20:37:27 UTC 2011 Modified Files: src/sys/kern [netbsd-4-0]: vfs_syscalls.c Log Message: Pull up following revision(s) (requested by dholland in ticket #1417): sys/kern/vfs_syscalls.c: revision 1.415 via patch Check for bogus flags to access() up front. Otherwise we end up calling VOP_ACCESS with flags 0 and something asserts deep in the bowels of kauth. PR 44648 from Taylor Campbell. (I moved the check earlier relative to the suggested patch.) Pullup candidate. To generate a diff of this commit: cvs rdiff -u -r1.279.2.5 -r1.279.2.5.6.1 src/sys/kern/vfs_syscalls.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
CVS commit: [netbsd-4-0] src/sys/kern
Module Name:src Committed By: snj Date: Mon Mar 7 17:07:27 UTC 2011 Modified Files: src/sys/kern [netbsd-4-0]: init_sysctl.c Log Message: Apply patch (requested by joerg in ticket 1419): Sanitize arguments before memory allocation. To generate a diff of this commit: cvs rdiff -u -r1.93.2.1.6.1 -r1.93.2.1.6.2 src/sys/kern/init_sysctl.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/kern/init_sysctl.c diff -u src/sys/kern/init_sysctl.c:1.93.2.1.6.1 src/sys/kern/init_sysctl.c:1.93.2.1.6.2 --- src/sys/kern/init_sysctl.c:1.93.2.1.6.1 Fri Mar 27 03:43:59 2009 +++ src/sys/kern/init_sysctl.c Mon Mar 7 17:07:26 2011 @@ -1,4 +1,4 @@ -/* $NetBSD: init_sysctl.c,v 1.93.2.1.6.1 2009/03/27 03:43:59 msaitoh Exp $ */ +/* $NetBSD: init_sysctl.c,v 1.93.2.1.6.2 2011/03/07 17:07:26 snj Exp $ */ /*- * Copyright (c) 2003 The NetBSD Foundation, Inc. @@ -37,7 +37,7 @@ */ #include sys/cdefs.h -__KERNEL_RCSID(0, $NetBSD: init_sysctl.c,v 1.93.2.1.6.1 2009/03/27 03:43:59 msaitoh Exp $); +__KERNEL_RCSID(0, $NetBSD: init_sysctl.c,v 1.93.2.1.6.2 2011/03/07 17:07:26 snj Exp $); #include opt_sysv.h #include opt_multiprocessor.h @@ -2296,6 +2296,11 @@ #endif len = sizeof(char *) * nargv; + if (nargv 0 || len ARG_MAX || len (size_t)nargv) { + error = EINVAL; + goto done; + } + argv = malloc(len, M_TEMP, M_WAITOK); aiov.iov_base = argv;
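Review bot: The range check runs after `len = sizeof(char *) * nargv;` and detects a wrapped product indirectly through `len < (size_t)nargv`, which is correct only in combination with the ARG_MAX test and is hard to verify by eye. Bounding the count before multiplying says the same thing directly: `if (nargv < 0 || (size_t)nargv > ARG_MAX / sizeof(char *))` ahead of the assignment to `len`. nargv appears to be read from the target process (the read is outside the hunk), so a comment marking it as untrusted would also help the next reader.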
CVS commit: [netbsd-4-0] src/sys/kern
Module Name:src Committed By: snj Date: Mon Mar 7 17:07:27 UTC 2011 Modified Files: src/sys/kern [netbsd-4-0]: init_sysctl.c Log Message: Apply patch (requested by joerg in ticket 1419): Sanitize arguments before memory allocation. To generate a diff of this commit: cvs rdiff -u -r1.93.2.1.6.1 -r1.93.2.1.6.2 src/sys/kern/init_sysctl.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
CVS commit: [netbsd-4-0] src/sys/coda
Module Name:src Committed By: bouyer Date: Wed Aug 4 11:01:23 UTC 2010 Modified Files: src/sys/coda [netbsd-4-0]: coda.h coda_venus.c coda_vnops.c Log Message: Pull up following revision(s) (requested by christos in ticket #1400): sys/coda/coda_venus.c: revision 1.28 sys/coda/coda_vnops.c: revision 1.76 sys/coda/coda.h: revision 1.16 Correct incomplete size checks for the coda ioctls. From Dan Rosenberg. To generate a diff of this commit: cvs rdiff -u -r1.13 -r1.13.28.1 src/sys/coda/coda.h cvs rdiff -u -r1.24 -r1.24.22.1 src/sys/coda/coda_venus.c cvs rdiff -u -r1.50.8.3 -r1.50.8.3.4.1 src/sys/coda/coda_vnops.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/coda/coda.h diff -u src/sys/coda/coda.h:1.13 src/sys/coda/coda.h:1.13.28.1 --- src/sys/coda/coda.h:1.13 Thu Mar 2 14:24:57 2006 +++ src/sys/coda/coda.h Wed Aug 4 11:01:23 2010 @@ -1,4 +1,4 @@ -/* $NetBSD: coda.h,v 1.13 2006/03/02 14:24:57 gdt Exp $ */ +/* $NetBSD: coda.h,v 1.13.28.1 2010/08/04 11:01:23 bouyer Exp $ */ /* @@ -793,8 +793,8 @@ #define PIOCPARM_MASK 0x struct ViceIoctl { caddr_t in, out;/* Data to be transferred in, or out */ -short in_size; /* Size of input buffer = 2K */ -short out_size; /* Maximum size of output buffer, = 2K */ +unsigned short in_size; /* Size of input buffer = 2K */ +unsigned short out_size;/* Maximum size of output buffer, = 2K */ }; struct PioctlData { Index: src/sys/coda/coda_venus.c diff -u src/sys/coda/coda_venus.c:1.24 src/sys/coda/coda_venus.c:1.24.22.1 --- src/sys/coda/coda_venus.c:1.24 Sun May 14 21:24:49 2006 +++ src/sys/coda/coda_venus.c Wed Aug 4 11:01:23 2010 @@ -1,4 +1,4 @@ -/* $NetBSD: coda_venus.c,v 1.24 2006/05/14 21:24:49 elad Exp $ */ +/* $NetBSD: coda_venus.c,v 1.24.22.1 2010/08/04 11:01:23 bouyer Exp $ */ /* * 
@@ -32,7 +32,7 @@ */ #include sys/cdefs.h -__KERNEL_RCSID(0, $NetBSD: coda_venus.c,v 1.24 2006/05/14 21:24:49 elad Exp $); +__KERNEL_RCSID(0, $NetBSD: coda_venus.c,v 1.24.22.1 2010/08/04 11:01:23 bouyer Exp $); #include sys/param.h #include sys/systm.h @@ -308,7 +308,7 @@ tmp = ((com 16) IOCPARM_MASK) - sizeof (char *) - sizeof (int); inp-cmd |= (tmp IOCPARM_MASK) 16; -if (iap-vi.in_size 0 || iap-vi.in_size VC_MAXMSGSIZE) { +if (iap-vi.in_size VC_MAXMSGSIZE || iap-vi.out_size VC_MAXMSGSIZE) { CODA_FREE(inp, coda_ioctl_size); return (EINVAL); } Index: src/sys/coda/coda_vnops.c diff -u src/sys/coda/coda_vnops.c:1.50.8.3 src/sys/coda/coda_vnops.c:1.50.8.3.4.1 --- src/sys/coda/coda_vnops.c:1.50.8.3 Wed Jun 6 21:11:18 2007 +++ src/sys/coda/coda_vnops.c Wed Aug 4 11:01:23 2010 @@ -1,4 +1,4 @@ -/* $NetBSD: coda_vnops.c,v 1.50.8.3 2007/06/06 21:11:18 bouyer Exp $ */ +/* $NetBSD: coda_vnops.c,v 1.50.8.3.4.1 2010/08/04 11:01:23 bouyer Exp $ */ /* * @@ -46,7 +46,7 @@ */ #include sys/cdefs.h -__KERNEL_RCSID(0, $NetBSD: coda_vnops.c,v 1.50.8.3 2007/06/06 21:11:18 bouyer Exp $); +__KERNEL_RCSID(0, $NetBSD: coda_vnops.c,v 1.50.8.3.4.1 2010/08/04 11:01:23 bouyer Exp $); #include sys/param.h #include sys/systm.h @@ -546,7 +546,7 @@ return(EINVAL); } -if (iap-vi.in_size VC_MAXDATASIZE) { +if (iap-vi.in_size VC_MAXDATASIZE || iap-vi.out_size VC_MAXDATASIZE) { vrele(tvp); return(EINVAL); }
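Review bot: The size test in the coda_venus.c hunk at -308 bounds both fields by VC_MAXMSGSIZE, while the buffer released on the error path is sized `coda_ioctl_size`; the hunk shows neither how the two relate nor where the payload is placed in that buffer. If the user data is copied in behind a request header, the limit on `in_size` must leave room for that header rather than allow the whole message size. This needs checking against the copy further down in the function, which is outside the hunk. The same question applies to the VC_MAXDATASIZE test in the coda_vnops.c hunk at -546. Dropping what appears to be the old negative test is only safe because coda.h now declares both fields `unsigned short`, so a comment such as `/* in_size/out_size are unsigned and user-supplied; bound both before any copy */` above each check would record that dependency.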
CVS commit: [netbsd-4-0] src/sys/netsmb
Module Name:src Committed By: riz Date: Thu Jul 22 20:34:17 UTC 2010 Modified Files: src/sys/netsmb [netbsd-4-0]: mchain.h smb_dev.h smb_subr.c smb_subr.h subr_mchain.c Log Message: Pull up following revision(s) (requested by christos in ticket #1398): sys/netsmb/subr_mchain.c: revision 1.19 via patch sys/netsmb/smb_subr.c: revision 1.35 sys/netsmb/smb_subr.h: revision 1.19 sys/netsmb/mchain.h: revision 1.9 via patch sys/netsmb/smb_dev.h: revision 1.7 Convert sizes/lengths to unsigned (size_t) or uint32_t (for binary compatibility). To generate a diff of this commit: cvs rdiff -u -r1.6 -r1.6.34.1 src/sys/netsmb/mchain.h cvs rdiff -u -r1.6 -r1.6.52.1 src/sys/netsmb/smb_dev.h cvs rdiff -u -r1.29 -r1.29.8.1 src/sys/netsmb/smb_subr.c cvs rdiff -u -r1.16 -r1.16.46.1 src/sys/netsmb/smb_subr.h cvs rdiff -u -r1.13 -r1.13.28.1 src/sys/netsmb/subr_mchain.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/netsmb/mchain.h diff -u src/sys/netsmb/mchain.h:1.6 src/sys/netsmb/mchain.h:1.6.34.1 --- src/sys/netsmb/mchain.h:1.6 Sun Dec 11 00:06:21 2005 +++ src/sys/netsmb/mchain.h Thu Jul 22 20:34:17 2010 @@ -59,8 +59,8 @@ struct mbchain { struct mbuf * mb_top; /* head of mbufs chain */ struct mbuf * mb_cur; /* current mbuf */ - int mb_mleft; /* free space in the current mbuf */ - int mb_count; /* total number of bytes */ + size_t mb_mleft; /* free space in the current mbuf */ + size_t mb_count; /* total number of bytes */ mb_copy_t * mb_copy; /* user defined copy function */ void * mb_udata; /* user data */ }; @@ -78,7 +78,7 @@ void mb_done(struct mbchain *mbp); struct mbuf *mb_detach(struct mbchain *mbp); int mb_fixhdr(struct mbchain *mbp); -caddr_t mb_reserve(struct mbchain *mbp, int size); +caddr_t mb_reserve(struct mbchain *mbp, size_t size); int mb_put_uint8(struct mbchain *mbp, u_int8_t x); int mb_put_uint16be(struct mbchain *mbp, u_int16_t x); 
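Review bot: Making `mb_mleft` and `mb_count` `size_t` in struct mbchain changes any remaining code that subtracts from them and then tests for a negative result: the test is now always false and the value wraps instead. The users of the struct are in subr_mchain.c, which this hunk does not show, so each decrement there should be preceded by an explicit comparison, e.g. `if (size > mbp->mb_mleft)` ahead of `mbp->mb_mleft -= size;`. A short comment on the two fields, `/* unsigned: compare before subtracting */`, would keep later changes from reintroducing the pattern.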
@@ -87,9 +87,9 @@ int mb_put_uint32le(struct mbchain *mbp, u_int32_t x); int mb_put_int64be(struct mbchain *mbp, int64_t x); int mb_put_int64le(struct mbchain *mbp, int64_t x); -int mb_put_mem(struct mbchain *mbp, const char * source, int size, int type); +int mb_put_mem(struct mbchain *mbp, const char * source, size_t size, int type); int mb_put_mbuf(struct mbchain *mbp, struct mbuf *m); -int mb_put_uio(struct mbchain *mbp, struct uio *uiop, int size); +int mb_put_uio(struct mbchain *mbp, struct uio *uiop, size_t size); int md_init(struct mdchain *mdp); void md_initm(struct mdchain *mbp, struct mbuf *m); @@ -106,9 +106,9 @@ int md_get_int64(struct mdchain *mdp, int64_t *x); int md_get_int64be(struct mdchain *mdp, int64_t *x); int md_get_int64le(struct mdchain *mdp, int64_t *x); -int md_get_mem(struct mdchain *mdp, caddr_t target, int size, int type); +int md_get_mem(struct mdchain *mdp, caddr_t target, size_t size, int type); int md_get_mbuf(struct mdchain *mdp, int size, struct mbuf **m); -int md_get_uio(struct mdchain *mdp, struct uio *uiop, int size); +int md_get_uio(struct mdchain *mdp, struct uio *uiop, size_t size); #endif /* ifdef _KERNEL */ Index: src/sys/netsmb/smb_dev.h diff -u src/sys/netsmb/smb_dev.h:1.6 src/sys/netsmb/smb_dev.h:1.6.52.1 --- src/sys/netsmb/smb_dev.h:1.6 Sun May 14 21:20:13 2006 +++ src/sys/netsmb/smb_dev.h Thu Jul 22 20:34:17 2010 @@ -1,4 +1,4 @@ -/* $NetBSD: smb_dev.h,v 1.6 2006/05/14 21:20:13 elad Exp $ */ +/* $NetBSD: smb_dev.h,v 1.6.52.1 2010/07/22 20:34:17 riz Exp $ */ /* * Copyright (c) 2000-2001 Boris Popov 
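Review bot: In the hunk at -106, `md_get_mbuf()` keeps `int size` while `md_get_mem()` and `md_get_uio()` on the lines around it move to `size_t`, so a negative length can still reach the decode side through that one prototype. If the old type is kept on purpose, a comment should say why. Otherwise change it to `int md_get_mbuf(struct mdchain *mdp, size_t size, struct mbuf **m);` together with its definition, which is not part of this hunk.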
@@ -67,9 +67,9 @@ struct smbioc_ossn { int ioc_opt; - int ioc_svlen; /* size of ioc_server address */ + uint32_t ioc_svlen; /* size of ioc_server address */ struct sockaddr*ioc_server; - int ioc_lolen; /* size of ioc_local address */ + uint32_t ioc_lolen; /* size of ioc_local address */ struct sockaddr*ioc_local; char ioc_srvname[SMB_MAXSRVNAMELEN + 1]; int ioc_timeout; Index: src/sys/netsmb/smb_subr.c diff -u src/sys/netsmb/smb_subr.c:1.29 src/sys/netsmb/smb_subr.c:1.29.8.1 --- src/sys/netsmb/smb_subr.c:1.29 Thu Nov 16 01:33:51 2006 +++ src/sys/netsmb/smb_subr.c Thu Jul 22 20:34:16 2010 @@ -1,4 +1,4 @@ -/* $NetBSD: smb_subr.c,v 1.29 2006/11/16 01:33:51 christos Exp $ */ +/* $NetBSD: smb_subr.c,v 1.29.8.1 2010/07/22 20:34:16 riz Exp $ */ /* * Copyright (c) 2000-2001 Boris Popov @@ -35,7 +35,7 @@ */ #include sys/cdefs.h -__KERNEL_RCSID(0, $NetBSD: smb_subr.c,v 1.29 2006/11/16 01:33:51 christos Exp $); +__KERNEL_RCSID(0, $NetBSD: smb_subr.c,v 1.29.8.1 2010/07/22 20:34:16 riz Exp $); #include sys/param.h #include sys/systm.h @@ -93,7 +93,7 @@ smb_strdup(const char *s) { char *p; - int len; + size_t len; len = s ? strlen(s) + 1 : 1; p = malloc(len, M_SMBSTR, M_WAITOK); @@ -108,10 +108,10 @@ * duplicate string from a user space. */ char * -smb_strdupin(char
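Review bot: `ioc_svlen` and `ioc_lolen` become `uint32_t` in struct smbioc_ossn, which rules out negative lengths but not oversized ones, and the struct appears to be filled in by an ioctl caller. The code that consumes the two fields is outside this hunk; it should reject any value above a fixed maximum socket-address size before the length is used for an allocation or a copy from user space. The field comments could carry that contract, e.g. `/* size of ioc_server address; caller-supplied, bounded on use */`.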
CVS commit: [netbsd-4-0] src/sys/netsmb
Module Name:src Committed By: riz Date: Thu Jul 22 20:34:17 UTC 2010 Modified Files: src/sys/netsmb [netbsd-4-0]: mchain.h smb_dev.h smb_subr.c smb_subr.h subr_mchain.c Log Message: Pull up following revision(s) (requested by christos in ticket #1398): sys/netsmb/subr_mchain.c: revision 1.19 via patch sys/netsmb/smb_subr.c: revision 1.35 sys/netsmb/smb_subr.h: revision 1.19 sys/netsmb/mchain.h: revision 1.9 via patch sys/netsmb/smb_dev.h: revision 1.7 Convert sizes/lengths to unsigned (size_t) or uint32_t (for binary compatibility). To generate a diff of this commit: cvs rdiff -u -r1.6 -r1.6.34.1 src/sys/netsmb/mchain.h cvs rdiff -u -r1.6 -r1.6.52.1 src/sys/netsmb/smb_dev.h cvs rdiff -u -r1.29 -r1.29.8.1 src/sys/netsmb/smb_subr.c cvs rdiff -u -r1.16 -r1.16.46.1 src/sys/netsmb/smb_subr.h cvs rdiff -u -r1.13 -r1.13.28.1 src/sys/netsmb/subr_mchain.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
CVS commit: [netbsd-4-0] src/sys/netinet6
Module Name:src Committed By: riz Date: Fri Jul 16 19:40:11 UTC 2010 Modified Files: src/sys/netinet6 [netbsd-4-0]: udp6_output.c Log Message: Pull up following revision(s) (requested by dyoung in ticket #1397): sys/netinet6/udp6_output.c: revision 1.41 Under some circumstances, udp6_output() would call ip6_clearpktopts() with an uninitialized struct ip6_pktopts on the stack, opt. ip6_clearpktopts(opt, ...) could dereference dangling pointers, leading to memory corruption or a crash. Now, udp6_output() calls ip6_clearpktopts(opt, ...) only if opt was initialized. Thanks to Clement LECIGNE for reporting this bug. Fix a potential memory leak: it is udp6_output()'s responsibility to free its mbuf arguments on error. In the unlikely event that sa6_embedscope() failed, udp6_output() would not free its mbuf arguments. I will ask for this to be pulled up to -4, -5, and -5-0. To generate a diff of this commit: cvs rdiff -u -r1.26 -r1.26.14.1 src/sys/netinet6/udp6_output.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/netinet6/udp6_output.c diff -u src/sys/netinet6/udp6_output.c:1.26 src/sys/netinet6/udp6_output.c:1.26.14.1 --- src/sys/netinet6/udp6_output.c:1.26 Sun Jul 23 22:06:13 2006 +++ src/sys/netinet6/udp6_output.c Fri Jul 16 19:40:10 2010 @@ -1,4 +1,4 @@ -/* $NetBSD: udp6_output.c,v 1.26 2006/07/23 22:06:13 ad Exp $ */ +/* $NetBSD: udp6_output.c,v 1.26.14.1 2010/07/16 19:40:10 riz Exp $ */ /* $KAME: udp6_output.c,v 1.43 2001/10/15 09:19:52 itojun Exp $ */ /* @@ -62,7 +62,7 @@ */ #include sys/cdefs.h -__KERNEL_RCSID(0, $NetBSD: udp6_output.c,v 1.26 2006/07/23 22:06:13 ad Exp $); +__KERNEL_RCSID(0, $NetBSD: udp6_output.c,v 1.26.14.1 2010/07/16 19:40:10 riz Exp $); #include opt_inet.h 
@@ -126,7 +126,8 @@ int scope_ambiguous = 0; u_int16_t fport; int error = 0; - struct ip6_pktopts *optp, opt; + struct ip6_pktopts *optp = NULL; + struct ip6_pktopts opt; int priv; int af = AF_INET6, hlen = sizeof(struct ip6_hdr); #ifdef INET @@ -167,7 +168,7 @@ if (sin6-sin6_scope_id == 0 !ip6_use_defzone) scope_ambiguous = 1; if ((error = sa6_embedscope(sin6, ip6_use_defzone)) != 0) - return (error); + goto release; } if (control) { @@ -410,7 +411,8 @@ releaseopt: if (control) { - ip6_clearpktopts(opt, -1); + if (optp == opt) + ip6_clearpktopts(opt, -1); m_freem(control); } return (error);
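Review bot: The cleanup at `releaseopt:` in the hunk at -410 now depends on `optp` still being NULL when `opt` was never filled in. Only the initialiser added in the hunk at -126 guarantees that, and neither place says so. A comment at the declaration, `/* stays NULL until opt has been initialised; releaseopt tests for this */`, would stop a later change from assigning `optp` early and bringing back the clear of an uninitialised struct. The new `goto release` in the hunk at -167 jumps to a label that is not visible in any hunk here, so it should be confirmed that `release:` frees the data mbuf and then falls through to `releaseopt:` so that `control` is freed as well.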
CVS commit: [netbsd-4-0] src/sys/netinet6
Module Name:src Committed By: riz Date: Fri Jul 16 19:40:11 UTC 2010 Modified Files: src/sys/netinet6 [netbsd-4-0]: udp6_output.c Log Message: Pull up following revision(s) (requested by dyoung in ticket #1397): sys/netinet6/udp6_output.c: revision 1.41 Under some circumstances, udp6_output() would call ip6_clearpktopts() with an uninitialized struct ip6_pktopts on the stack, opt. ip6_clearpktopts(opt, ...) could dereference dangling pointers, leading to memory corruption or a crash. Now, udp6_output() calls ip6_clearpktopts(opt, ...) only if opt was initialized. Thanks to Clement LECIGNE for reporting this bug. Fix a potential memory leak: it is udp6_output()'s responsibility to free its mbuf arguments on error. In the unlikely event that sa6_embedscope() failed, udp6_output() would not free its mbuf arguments. I will ask for this to be pulled up to -4, -5, and -5-0. To generate a diff of this commit: cvs rdiff -u -r1.26 -r1.26.14.1 src/sys/netinet6/udp6_output.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
CVS commit: [netbsd-4-0] src/sys/lib/libkern
Module Name:src Committed By: snj Date: Thu Jan 21 08:32:25 UTC 2010 Modified Files: src/sys/lib/libkern [netbsd-4-0]: arc4random.c Log Message: Pull up following revision(s) (requested by joerg in ticket #1374): sys/lib/libkern/arc4random.c: revision 1.21 Keep arc4_i and arc4_j synchronised after a rekeying. This prevents accidentally ending up in a short ARC4 cycle. To generate a diff of this commit: cvs rdiff -u -r1.18 -r1.18.22.1 src/sys/lib/libkern/arc4random.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
CVS commit: [netbsd-4-0] src/sys/dev/pci
Module Name:src Committed By: snj Date: Thu Jan 21 08:35:56 UTC 2010 Modified Files: src/sys/dev/pci [netbsd-4-0]: azalia.c Log Message: Apply patch (requested by tonnerre in ticket #1375): Signedness bug/crash in azalia. Fixes PR 42604. To generate a diff of this commit: cvs rdiff -u -r1.42.2.1 -r1.42.2.1.4.1 src/sys/dev/pci/azalia.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
CVS commit: [netbsd-4-0] src/sys/lib/libkern
Module Name:src Committed By: snj Date: Thu Jan 21 08:32:25 UTC 2010 Modified Files: src/sys/lib/libkern [netbsd-4-0]: arc4random.c Log Message: Pull up following revision(s) (requested by joerg in ticket #1374): sys/lib/libkern/arc4random.c: revision 1.21 Keep arc4_i and arc4_j synchronised after a rekeying. This prevents accidentally ending up in a short ARC4 cycle. To generate a diff of this commit: cvs rdiff -u -r1.18 -r1.18.22.1 src/sys/lib/libkern/arc4random.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/lib/libkern/arc4random.c diff -u src/sys/lib/libkern/arc4random.c:1.18 src/sys/lib/libkern/arc4random.c:1.18.22.1 --- src/sys/lib/libkern/arc4random.c:1.18 Sun Nov 5 14:13:56 2006 +++ src/sys/lib/libkern/arc4random.c Thu Jan 21 08:32:24 2010 @@ -1,4 +1,4 @@ -/* $NetBSD: arc4random.c,v 1.18 2006/11/05 14:13:56 christos Exp $ */ +/* $NetBSD: arc4random.c,v 1.18.22.1 2010/01/21 08:32:24 snj Exp $ */ /*- * Copyright (c) 2002 The NetBSD Foundation, Inc. @@ -141,6 +141,7 @@ arc4_j = (arc4_j + arc4_sbox[n] + key[n]) % 256; arc4_swap(arc4_sbox[n], arc4_sbox[arc4_j]); } + arc4_i = arc4_j; /* Reset for next reseed cycle. */ arc4_nextreseed = time_uptime + ARC4_RESEED_SECONDS;
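Review bot: The added `arc4_i = arc4_j;` carries no comment, and the reason for it exists only in the log message. A line above it such as `/* keep i and j in step after rekeying, otherwise the generator can fall into a short cycle */` would keep it from being removed later as a stray assignment. The function starts and ends outside the hunk, so whether early output is discarded after rekeying cannot be judged from here.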
CVS commit: [netbsd-4-0] src/sys/dev/pci
Module Name:src Committed By: snj Date: Thu Jan 21 08:35:56 UTC 2010 Modified Files: src/sys/dev/pci [netbsd-4-0]: azalia.c Log Message: Apply patch (requested by tonnerre in ticket #1375): Signedness bug/crash in azalia. Fixes PR 42604. To generate a diff of this commit: cvs rdiff -u -r1.42.2.1 -r1.42.2.1.4.1 src/sys/dev/pci/azalia.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/dev/pci/azalia.c diff -u src/sys/dev/pci/azalia.c:1.42.2.1 src/sys/dev/pci/azalia.c:1.42.2.1.4.1 --- src/sys/dev/pci/azalia.c:1.42.2.1 Sun May 20 09:57:08 2007 +++ src/sys/dev/pci/azalia.c Thu Jan 21 08:35:55 2010 @@ -1,4 +1,4 @@ -/* $NetBSD: azalia.c,v 1.42.2.1 2007/05/20 09:57:08 jdc Exp $ */ +/* $NetBSD: azalia.c,v 1.42.2.1.4.1 2010/01/21 08:35:55 snj Exp $ */ /*- * Copyright (c) 2005 The NetBSD Foundation, Inc. @@ -48,7 +48,7 @@ */ #include sys/cdefs.h -__KERNEL_RCSID(0, $NetBSD: azalia.c,v 1.42.2.1 2007/05/20 09:57:08 jdc Exp $); +__KERNEL_RCSID(0, $NetBSD: azalia.c,v 1.42.2.1.4.1 2010/01/21 08:35:55 snj Exp $); #include sys/param.h #include sys/device.h @@ -2137,7 +2137,7 @@ az = v; co = az-codecs[az-codecno]; - if (mdev-index = co-nmixers) + if (mdev-index 0 || mdev-index = co-nmixers) return ENXIO; *mdev = co-mixers[mdev-index].devinfo; return 0;
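Review bot: The lower bound on `mdev->index` is added only in this function, but the index is a signed value handed in by the caller and other mixer entry points in the file may index `co->mixers[]` the same way. They are outside the hunk and should be checked for the same missing `< 0` test. Where the index is an `int` and `nmixers` is never negative, a single unsigned comparison covers both ends and is harder to get half right: `if ((u_int)mdev->index >= (u_int)co->nmixers) return ENXIO;`.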
CVS commit: [netbsd-4-0] src/sys/netbt
Module Name:src Committed By: jdc Date: Sun Jan 3 17:12:50 UTC 2010 Modified Files: src/sys/netbt [netbsd-4-0]: rfcomm_session.c Log Message: Pull up revision 1.16 (requested by plunky in ticket #1372). when receiving a MCC PN response, the max frame size that the remote party requests must be less than the one we asked for which will not be greater than the max acceptable value so no need to test for that but make sure that it is not smaller than minimum acceptable value. To generate a diff of this commit: cvs rdiff -u -r1.4.2.1 -r1.4.2.1.4.1 src/sys/netbt/rfcomm_session.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
CVS commit: [netbsd-4-0] src/sys/netbt
Module Name:src Committed By: jdc Date: Sun Jan 3 17:12:50 UTC 2010 Modified Files: src/sys/netbt [netbsd-4-0]: rfcomm_session.c Log Message: Pull up revision 1.16 (requested by plunky in ticket #1372). when receiving a MCC PN response, the max frame size that the remote party requests must be less than the one we asked for which will not be greater than the max acceptable value so no need to test for that but make sure that it is not smaller than minimum acceptable value. To generate a diff of this commit: cvs rdiff -u -r1.4.2.1 -r1.4.2.1.4.1 src/sys/netbt/rfcomm_session.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/netbt/rfcomm_session.c diff -u src/sys/netbt/rfcomm_session.c:1.4.2.1 src/sys/netbt/rfcomm_session.c:1.4.2.1.4.1 --- src/sys/netbt/rfcomm_session.c:1.4.2.1 Thu Jul 19 16:04:18 2007 +++ src/sys/netbt/rfcomm_session.c Sun Jan 3 17:12:50 2010 @@ -1,4 +1,4 @@ -/* $NetBSD: rfcomm_session.c,v 1.4.2.1 2007/07/19 16:04:18 liamjfoy Exp $ */ +/* $NetBSD: rfcomm_session.c,v 1.4.2.1.4.1 2010/01/03 17:12:50 jdc Exp $ */ /*- * Copyright (c) 2006 Itronix Inc. @@ -32,7 +32,7 @@ */ #include sys/cdefs.h -__KERNEL_RCSID(0, $NetBSD: rfcomm_session.c,v 1.4.2.1 2007/07/19 16:04:18 liamjfoy Exp $); +__KERNEL_RCSID(0, $NetBSD: rfcomm_session.c,v 1.4.2.1.4.1 2010/01/03 17:12:50 jdc Exp $); #include sys/param.h #include sys/kernel.h @@ -1356,7 +1356,8 @@ callout_stop(dlc-rd_timeout); - if (pn.mtu RFCOMM_MTU_MAX || pn.mtu dlc-rd_mtu) { + /* reject invalid or unacceptable MTU */ + if (pn.mtu RFCOMM_MTU_MIN || pn.mtu dlc-rd_mtu) { dlc-rd_state = RFCOMM_DLC_WAIT_DISCONNECT; err = rfcomm_session_send_frame(rs, RFCOMM_FRAME_DISC, pn.dlci);
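Review bot: Dropping the RFCOMM_MTU_MAX test relies on `dlc->rd_mtu` never exceeding that maximum, which the log message states but the code does not enforce at this point. Either `KASSERT(dlc->rd_mtu <= RFCOMM_MTU_MAX);` ahead of the test, or extending the new comment to `/* reject invalid or unacceptable MTU; rd_mtu is already <= RFCOMM_MTU_MAX */`, would make the assumption checkable. The enclosing function begins and ends outside the hunk, so where `rd_mtu` is set cannot be confirmed from here.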
CVS commit: [netbsd-4-0] src/sys/kern
Module Name:src Committed By: bouyer Date: Sat Sep 5 13:45:28 UTC 2009 Modified Files: src/sys/kern [netbsd-4-0]: kern_exec.c Log Message: Pull up following revision(s) (requested by dsl in ticket #1352): sys/kern/kern_exec.c: patch Fix ktrace of data from iovec based system calls. Fixes PR/41819 To generate a diff of this commit: cvs rdiff -u -r1.232.2.2 -r1.232.2.2.6.1 src/sys/kern/kern_exec.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/kern/kern_exec.c diff -u src/sys/kern/kern_exec.c:1.232.2.2 src/sys/kern/kern_exec.c:1.232.2.2.6.1 --- src/sys/kern/kern_exec.c:1.232.2.2 Sat Dec 30 05:22:43 2006 +++ src/sys/kern/kern_exec.c Sat Sep 5 13:45:28 2009 @@ -1,4 +1,4 @@ -/* $NetBSD: kern_exec.c,v 1.232.2.2 2006/12/30 05:22:43 riz Exp $ */ +/* $NetBSD: kern_exec.c,v 1.232.2.2.6.1 2009/09/05 13:45:28 bouyer Exp $ */ /*- * Copyright (C) 1993, 1994, 1996 Christopher G. Demetriou @@ -33,7 +33,7 @@ */ #include sys/cdefs.h -__KERNEL_RCSID(0, $NetBSD: kern_exec.c,v 1.232.2.2 2006/12/30 05:22:43 riz Exp $); +__KERNEL_RCSID(0, $NetBSD: kern_exec.c,v 1.232.2.2.6.1 2009/09/05 13:45:28 bouyer Exp $); #include opt_ktrace.h #include opt_syscall_debug.h @@ -518,7 +518,11 @@ cp = *tmpfap; while (*cp) *dp++ = *cp++; - dp++; + *dp++ = 0; +#ifdef KTRACE + if (KTRPOINT(p, KTR_EXEC_ARG)) +ktrkmem(l, KTR_EXEC_ARG, *tmpfap, cp - *tmpfap); +#endif FREE(*tmpfap, M_EXEC); tmpfap++; argc++;
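Review bot: Replacing `dp++;` with `*dp++ = 0;` changes what ends up in the argument area, because the terminator is now written rather than assumed, yet neither the log message nor a comment mentions it. A short comment such as `/* terminate explicitly rather than relying on the buffer contents */` would document the intent. The copy loop above it, `while (*cp) *dp++ = *cp++;`, has no bound on `dp` inside the hunk, so the check that these strings fit in the argument buffer must live elsewhere in the function and is worth confirming. The length passed to `ktrkmem()` is `cp - *tmpfap`, which excludes the terminator; say so if that is intended.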
CVS commit: [netbsd-4-0] src/sys/netinet
Module Name:src Committed By: bouyer Date: Sat Sep 5 13:58:52 UTC 2009 Modified Files: src/sys/netinet [netbsd-4-0]: tcp_usrreq.c Log Message: Pull up following revision(s) (requested by mlelstv in ticket #1358): sys/netinet/tcp_usrreq.c: revision 1.148 via patch Make the sysctl routines take raise to splnet() before dealing with any data structures. To generate a diff of this commit: cvs rdiff -u -r1.129 -r1.129.8.1 src/sys/netinet/tcp_usrreq.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/netinet/tcp_usrreq.c diff -u src/sys/netinet/tcp_usrreq.c:1.129 src/sys/netinet/tcp_usrreq.c:1.129.8.1 --- src/sys/netinet/tcp_usrreq.c:1.129 Fri Nov 10 13:19:16 2006 +++ src/sys/netinet/tcp_usrreq.c Sat Sep 5 13:58:52 2009 @@ -1,4 +1,4 @@ -/* $NetBSD: tcp_usrreq.c,v 1.129 2006/11/10 13:19:16 yamt Exp $ */ +/* $NetBSD: tcp_usrreq.c,v 1.129.8.1 2009/09/05 13:58:52 bouyer Exp $ */ /* * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project. @@ -102,7 +102,7 @@ */ #include sys/cdefs.h -__KERNEL_RCSID(0, $NetBSD: tcp_usrreq.c,v 1.129 2006/11/10 13:19:16 yamt Exp $); +__KERNEL_RCSID(0, $NetBSD: tcp_usrreq.c,v 1.129.8.1 2009/09/05 13:58:52 bouyer Exp $); #include opt_inet.h #include opt_ipsec.h @@ -1230,6 +1230,7 @@ u_int op, arg; size_t len, needed, elem_size, out_size; int error, elem_count, pf, proto, pf2; + int s; if (namelen != 4) return (EINVAL); @@ -1262,6 +1263,7 @@ proto = oname[2]; pf2 = (oldp != NULL) ? pf : 0; + s = splnet(); CIRCLEQ_FOREACH(inph, pcbtbl-inpt_queue, inph_queue) { #ifdef INET inp = (const struct inpcb *)inph; @@ -1384,6 +1386,7 @@ elem_count--; } } + splx(s); *oldlenp = needed; if (oldp == NULL)
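Review bot: `splnet()` is taken before the `CIRCLEQ_FOREACH` and released by the `splx(s)` added after it, but most of the loop body lies between the hunks and is not shown. Any `return` inside the loop would leave the priority level raised, so each such exit needs `splx(s);` first, or should become a `break` with the error returned after the `splx(s)` added here. If the loop copies entries out to user memory, that copy now runs at splnet. It should be confirmed that this is acceptable on this branch, or the copy should be made from a temporary once the level has been dropped.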
CVS commit: [netbsd-4-0] src/sys/dev/pci
Module Name:src Committed By: snj Date: Tue Aug 25 18:21:31 UTC 2009 Modified Files: src/sys/dev/pci [netbsd-4-0]: twa.c Log Message: Pull up following revision(s) (requested by bouyer in ticket #1349): sys/dev/pci/twa.c: revision 1.32 Disable completely bogus DIAGNOSTIC check. To generate a diff of this commit: cvs rdiff -u -r1.16 -r1.16.12.1 src/sys/dev/pci/twa.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/dev/pci/twa.c diff -u src/sys/dev/pci/twa.c:1.16 src/sys/dev/pci/twa.c:1.16.12.1 --- src/sys/dev/pci/twa.c:1.16 Thu Nov 16 01:33:10 2006 +++ src/sys/dev/pci/twa.c Tue Aug 25 18:21:31 2009 @@ -1,4 +1,4 @@ -/* $NetBSD: twa.c,v 1.16 2006/11/16 01:33:10 christos Exp $ */ +/* $NetBSD: twa.c,v 1.16.12.1 2009/08/25 18:21:31 snj Exp $ */ /* $wasabi: twa.c,v 1.27 2006/07/28 18:17:21 wrstuden Exp $ */ /*- @@ -74,7 +74,7 @@ */ #include sys/cdefs.h -__KERNEL_RCSID(0, $NetBSD: twa.c,v 1.16 2006/11/16 01:33:10 christos Exp $); +__KERNEL_RCSID(0, $NetBSD: twa.c,v 1.16.12.1 2009/08/25 18:21:31 snj Exp $); #include sys/param.h #include sys/systm.h @@ -1239,7 +1239,7 @@ } -#ifdef DIAGNOSTIC +#if 0 static void twa_check_response_q(struct twa_request *tr, int clear) { @@ -1260,6 +1260,7 @@ req = tr; if ((tr-tr_cmd_pkt_type TWA_CMD_PKT_TYPE_EXTERNAL) != 0) { + XXX this is bogus ! req can't be anything else but tr ! if (req-tr_request_id == tr-tr_request_id) panic(req id: %d on controller queue twice, tr-tr_request_id); @@ -1293,7 +1294,7 @@ rq = (union twa_response_queue)twa_inl(sc, TWA_RESPONSE_QUEUE_OFFSET); tr = sc-sc_twa_request + rq.u.response_id; -#ifdef DIAGNOSTIC +#if 0 twa_check_response_q(tr, 0); #endif /* Unmap the command packet, and any associated data buffer. */ @@ -1307,7 +1308,7 @@ } (void)twa_drain_pending_queue(sc); -#ifdef DIAGNOSTIC +#if 0 twa_check_response_q(NULL, 1); #endif return(rv);
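Review bot: The line added in the hunk at -1260, `XXX this is bogus ! req can't be anything else but tr !`, appears on the page as bare text rather than a comment, so the function would stop compiling if the `#if 0` were ever turned back on. Write it as `/* XXX bogus: req can't be anything else but tr */`. Leaving the function and both call sites under `#if 0` also keeps dead code in the driver. Either remove all three, or gate them with a named macro and a comment describing what a correct duplicate-request check would compare.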
CVS commit: [netbsd-4-0] src/sys/compat/linux/common
Module Name:src Committed By: bouyer Date: Sun Jun 21 11:22:41 UTC 2009 Modified Files: src/sys/compat/linux/common [netbsd-4-0]: linux_sched.c Log Message: Pull up following revision(s) (requested by njoly in ticket #1328): sys/compat/linux/common/linux_sched.c: revision 1.59 In linux_sys_sched_getaffinity(), do not leak memory on error. To generate a diff of this commit: cvs rdiff -u -r1.37.2.1 -r1.37.2.1.6.1 \ src/sys/compat/linux/common/linux_sched.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/compat/linux/common/linux_sched.c diff -u src/sys/compat/linux/common/linux_sched.c:1.37.2.1 src/sys/compat/linux/common/linux_sched.c:1.37.2.1.6.1 --- src/sys/compat/linux/common/linux_sched.c:1.37.2.1 Wed Mar 28 20:38:41 2007 +++ src/sys/compat/linux/common/linux_sched.c Sun Jun 21 11:22:41 2009 @@ -1,4 +1,4 @@ -/* $NetBSD: linux_sched.c,v 1.37.2.1 2007/03/28 20:38:41 jdc Exp $ */ +/* $NetBSD: linux_sched.c,v 1.37.2.1.6.1 2009/06/21 11:22:41 bouyer Exp $ */ /*- * Copyright (c) 1999 The NetBSD Foundation, Inc. @@ -42,7 +42,7 @@ */ #include sys/cdefs.h -__KERNEL_RCSID(0, $NetBSD: linux_sched.c,v 1.37.2.1 2007/03/28 20:38:41 jdc Exp $); +__KERNEL_RCSID(0, $NetBSD: linux_sched.c,v 1.37.2.1.6.1 2009/06/21 11:22:41 bouyer Exp $); #include sys/param.h #include sys/mount.h @@ -557,12 +557,11 @@ retp = (int *)data[SCARG(uap, len) - sizeof(ret)]; *retp = ret; - if ((error = copyout(data, SCARG(uap, mask), SCARG(uap, len))) != 0) - return error; + error = copyout(data, SCARG(uap, mask), SCARG(uap, len)); free(data, M_TEMP); - return 0; + return error; }
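Review bot: The context lines compute `retp = (int *)&data[SCARG(uap, len) - sizeof(ret)]` and then copy `len` bytes of `data` out to the caller, while neither the allocation of `data` nor any check of `len` is inside the hunk. It should be confirmed that `len` is rejected when smaller than `sizeof(ret)`, since the index would otherwise wrap, and that `data` is allocated zero-filled, since every byte of it is copied out. If either is missing, add `if (SCARG(uap, len) < sizeof(ret)) return EINVAL;` before the allocation and pass `M_ZERO` to it.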
CVS commit: [netbsd-4-0] src/sys
Module Name:src Committed By: snj Date: Fri Jun 5 16:21:52 UTC 2009 Modified Files: src/sys/net80211 [netbsd-4-0]: ieee80211_netbsd.h src/sys/sys [netbsd-4-0]: queue.h Log Message: Pull up following revision(s) (requested by joerg in ticket #1321): sys/net80211/ieee80211_netbsd.h: revision 1.15 sys/sys/queue.h: revision 1.49 move TAILQ_FOREACH_SAFE - sys/queue.h To generate a diff of this commit: cvs rdiff -u -r1.10 -r1.10.28.1 src/sys/net80211/ieee80211_netbsd.h cvs rdiff -u -r1.45.14.1 -r1.45.14.1.4.1 src/sys/sys/queue.h Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/net80211/ieee80211_netbsd.h diff -u src/sys/net80211/ieee80211_netbsd.h:1.10 src/sys/net80211/ieee80211_netbsd.h:1.10.28.1 --- src/sys/net80211/ieee80211_netbsd.h:1.10 Thu Mar 2 03:38:48 2006 +++ src/sys/net80211/ieee80211_netbsd.h Fri Jun 5 16:21:52 2009 @@ -1,4 +1,4 @@ -/* $NetBSD: ieee80211_netbsd.h,v 1.10 2006/03/02 03:38:48 dyoung Exp $ */ +/* $NetBSD: ieee80211_netbsd.h,v 1.10.28.1 2009/06/05 16:21:52 snj Exp $ */ /*- * Copyright (c) 2003-2005 Sam Leffler, Errno Consulting * All rights reserved. @@ -256,11 +256,6 @@ #define ticks hardclock_ticks #define ovbcopy(__src, __dst, __n) ((void)memmove(__dst, __src, __n)) -#define TAILQ_FOREACH_SAFE(var, head, field, nextvar) \ - for (var = TAILQ_FIRST(head); \ - var != NULL (nextvar = TAILQ_NEXT(var, field), 1); \ - var = nextvar) - void if_printf(struct ifnet *, const char *, ...); void m_align(struct mbuf *, int); int m_append(struct mbuf *, int, const caddr_t); Index: src/sys/sys/queue.h diff -u src/sys/sys/queue.h:1.45.14.1 src/sys/sys/queue.h:1.45.14.1.4.1 --- src/sys/sys/queue.h:1.45.14.1 Wed Jul 18 20:13:24 2007 +++ src/sys/sys/queue.h Fri Jun 5 16:21:52 2009 @@ -1,4 +1,4 @@ -/* $NetBSD: queue.h,v 1.45.14.1 2007/07/18 20:13:24 liamjfoy Exp $ */ +/* $NetBSD: queue.h,v 1.45.14.1.4.1 2009/06/05 16:21:52 snj Exp $ */ /* * Copyright (c) 1991, 1993 
@@ -497,6 +497,11 @@ (var); \ (var) = ((var)-field.tqe_next)) +#define TAILQ_FOREACH_SAFE(var, head, field, next) \ + for ((var) = ((head)-tqh_first);\ + (var) != NULL ((next) = TAILQ_NEXT(var, field), 1); \ + (var) = (next)) + #define TAILQ_FOREACH_REVERSE(var, head, headname, field) \ for ((var) = (*(((struct headname *)((head)-tqh_last))-tqh_last)); \ (var); \
CVS commit: [netbsd-4-0] src/sys/arch/sparc/include
Module Name:src Committed By: bouyer Date: Mon May 18 18:23:47 UTC 2009 Modified Files: src/sys/arch/sparc/include [netbsd-4-0]: psl.h Log Message: Pull up following revision(s) (requested by martin in ticket #1317): sys/arch/sparc/include/psl.h: revision 1.45 Add memory clobbers to the inline assembler modifying/testing the %psr register, to avoid the compiler reordering instructions out of critical sections. Should fix PR port-sparc/41372. To generate a diff of this commit: cvs rdiff -u -r1.40 -r1.40.18.1 src/sys/arch/sparc/include/psl.h Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/arch/sparc/include/psl.h diff -u src/sys/arch/sparc/include/psl.h:1.40 src/sys/arch/sparc/include/psl.h:1.40.18.1 --- src/sys/arch/sparc/include/psl.h:1.40 Thu May 4 12:21:18 2006 +++ src/sys/arch/sparc/include/psl.h Mon May 18 18:23:47 2009 @@ -1,4 +1,4 @@ -/* $NetBSD: psl.h,v 1.40 2006/05/04 12:21:18 yamt Exp $ */ +/* $NetBSD: psl.h,v 1.40.18.1 2009/05/18 18:23:47 bouyer Exp $ */ /* * Copyright (c) 1992, 1993 @@ -252,7 +252,7 @@ static __inline void setpsr(int newpsr) { - __asm volatile(wr %0,0,%%psr : : r (newpsr)); + __asm volatile(wr %0,0,%%psr : : r (newpsr) : memory); __asm volatile(nop; nop; nop); } @@ -266,7 +266,7 @@ * which gives us the same value as the old psr but with all * the old PIL bits turned off. */ - __asm volatile(rd %%psr,%0 : =r (psr)); + __asm volatile(rd %%psr,%0 : =r (psr) : : memory); oldipl = psr PSR_PIL; __asm volatile(wr %0,%1,%%psr : : r (psr), r (oldipl)); @@ -291,7 +291,7 @@ psr = ~oldipl; \ __asm volatile(wr %0,%1,%%psr : : \ r (psr), n ((newipl) 8)); \ - __asm volatile(nop; nop; nop); \ + __asm volatile(nop; nop; nop : : : memory); \ } _SPLSET(spllowersoftclock, IPL_SOFTCLOCK) 
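Review bot: The `memory` clobber lands on a different instruction in each function, and nothing in the header explains the rule. It is on the `wr` in `setpsr()`, on the leading `rd` in the hunks at -266 and -334, and on the trailing `nop; nop; nop` in `_SPLSET` and in the hunk at -313. The placement reads as "barrier ahead of the %psr write when the level is lowered, after it when it is raised", but that is an inference from the hunks alone. A comment above `setpsr()` such as `/* "memory" clobbers are compiler barriers: before the %psr write when lowering the IPL, after it when raising */` would let the next editor place new ones correctly. In the hunk at -334 the final `wr` and `nop` statements carry no clobber at all, which is fine only under that reading.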
@@ -313,7 +313,7 @@ psr = (psr ~oldipl) | newipl; __asm volatile(wr %0,0,%%psr : : r (psr)); - __asm volatile(nop; nop; nop); + __asm volatile(nop; nop; nop : : : memory); return (oldipl); } @@ -334,7 +334,7 @@ { int psr; - __asm volatile(rd %%psr,%0 : =r (psr)); + __asm volatile(rd %%psr,%0 : =r (psr) : : memory); __asm volatile(wr %0,%1,%%psr : : \ r (psr ~PSR_PIL), rn (newipl)); __asm volatile(nop; nop; nop);
CVS commit: [netbsd-4-0] src/sys/dist/pf/net
Module Name:src Committed By: snj Date: Wed Apr 15 20:40:25 UTC 2009 Modified Files: src/sys/dist/pf/net [netbsd-4-0]: pf.c Log Message: Pull up following revision(s) (requested by christos in ticket #1305): sys/dist/pf/net/pf.c: revision 1.54 via patch Fix http://www.securityfocus.com/archive/1/502634, from OpenBSD. To generate a diff of this commit: cvs rdiff -u -r1.28 -r1.28.8.1 src/sys/dist/pf/net/pf.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/dist/pf/net/pf.c diff -u src/sys/dist/pf/net/pf.c:1.28 src/sys/dist/pf/net/pf.c:1.28.8.1 --- src/sys/dist/pf/net/pf.c:1.28 Thu Nov 16 01:33:34 2006 +++ src/sys/dist/pf/net/pf.c Wed Apr 15 20:40:25 2009 @@ -1,4 +1,4 @@ -/* $NetBSD: pf.c,v 1.28 2006/11/16 01:33:34 christos Exp $ */ +/* $NetBSD: pf.c,v 1.28.8.1 2009/04/15 20:40:25 snj Exp $ */ /* $OpenBSD: pf.c,v 1.487 2005/04/22 09:53:18 dhartmei Exp $ */ /* @@ -6036,6 +6036,15 @@ break; } +#ifdef INET6 + case IPPROTO_ICMPV6: { + action = PF_DROP; + DPFPRINTF(PF_DEBUG_MISC, + (pf: dropping IPv4 packet with ICMPv6 payload\n)); + goto done; + } +#endif + default: action = pf_test_state_other(s, dir, kif, pd); if (action == PF_PASS) { @@ -6384,6 +6393,15 @@ break; } +#ifdef INET + case IPPROTO_ICMP: { + action = PF_DROP; + DPFPRINTF(PF_DEBUG_MISC, + (pf: dropping IPv6 packet with ICMPv4 payload\n)); + goto done; + } +#endif + default: action = pf_test_state_other(s, dir, kif, pd); if (action == PF_PASS) {
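Review bot: Both new cases set `action = PF_DROP` and jump to `done` without recording a drop reason, and the only trace is a `DPFPRINTF` at PF_DEBUG_MISC. Unless the code at `done:` supplies a reason (the label is outside the hunks), these packets are dropped without anything in the logs or counters during normal operation. If pf's reason variable is in scope at this point, a line such as `REASON_SET(&reason, PFRES_NORM);` before each `goto done;` would make the drops visible. The `#ifdef INET6` and `#ifdef INET` guards also mean a single-family kernel still passes the mismatched payload to `pf_test_state_other()` through `default:`. A comment saying why that is safe, or removing the guards, would settle the question.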
CVS commit: [netbsd-4-0] src/sys/arch/mvme68k/stand
Module Name:src Committed By: snj Date: Wed Apr 15 21:05:16 UTC 2009 Modified Files: src/sys/arch/mvme68k/stand [netbsd-4-0]: Makefile.booters src/sys/arch/mvme68k/stand/bootst [netbsd-4-0]: dev_tape.c version Log Message: Pull up following revision(s) (requested by scw in ticket #1304): sys/arch/mvme68k/stand/Makefile.booters: revision 1.18 sys/arch/mvme68k/stand/bootst/dev_tape.c: revision 1.11 sys/arch/mvme68k/stand/bootst/version: revision 1.5 Fix for install/40961: The RAMDISK kernel has grown significantly since bootst was written. Grab 3MB of the kernel image from tape in hackprom_diskrd() instead of 2MB. Bump bootst version on account of the above fix. While here, use -Os instead of -O2 to compile mvme68k stand code. To generate a diff of this commit: cvs rdiff -u -r1.14 -r1.14.68.1 src/sys/arch/mvme68k/stand/Makefile.booters cvs rdiff -u -r1.7 -r1.7.34.1 src/sys/arch/mvme68k/stand/bootst/dev_tape.c cvs rdiff -u -r1.4 -r1.4.112.1 src/sys/arch/mvme68k/stand/bootst/version Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/arch/mvme68k/stand/Makefile.booters diff -u src/sys/arch/mvme68k/stand/Makefile.booters:1.14 src/sys/arch/mvme68k/stand/Makefile.booters:1.14.68.1 --- src/sys/arch/mvme68k/stand/Makefile.booters:1.14 Sat Dec 24 22:22:33 2005 +++ src/sys/arch/mvme68k/stand/Makefile.booters Wed Apr 15 21:05:16 2009 
@@ -1,10 +1,10 @@ -# $NetBSD: Makefile.booters,v 1.14 2005/12/24 22:22:33 tsutsui Exp $ +# $NetBSD: Makefile.booters,v 1.14.68.1 2009/04/15 21:05:16 snj Exp $ S?= ${.CURDIR}/../../../.. MDEC_DIR?= /usr/mdec RELOC?= 0x3F -COPTS?= -O2 -Wall -Wno-main -Wmissing-prototypes -Wstrict-prototypes \ - -ffreestanding +COPTS?= -Os -Wall -Wno-main -Wmissing-prototypes -Wstrict-prototypes \ + -ffreestanding -fomit-frame-pointer DEFS?= STRIPFLAG?= Index: src/sys/arch/mvme68k/stand/bootst/dev_tape.c diff -u src/sys/arch/mvme68k/stand/bootst/dev_tape.c:1.7 src/sys/arch/mvme68k/stand/bootst/dev_tape.c:1.7.34.1 --- src/sys/arch/mvme68k/stand/bootst/dev_tape.c:1.7 Sun Dec 11 12:18:19 2005 +++ src/sys/arch/mvme68k/stand/bootst/dev_tape.c Wed Apr 15 21:05:16 2009 @@ -1,4 +1,4 @@ -/* $NetBSD: dev_tape.c,v 1.7 2005/12/11 12:18:19 christos Exp $ */ +/* $NetBSD: dev_tape.c,v 1.7.34.1 2009/04/15 21:05:16 snj Exp $ */ /*- * Copyright (c) 1998 The NetBSD Foundation, Inc. @@ -185,7 +185,7 @@ static int blkoffset = 0; #define hackload_addr ((char *) 0x08) /* Load tape segment here */ -#define hackload_blocks 0x2000 /* 2Mb worth */ +#define hackload_blocks 0x3000 /* 3Mb worth */ if ( (ti-flag IGNORE_FILENUM) == 0 ) { /* Index: src/sys/arch/mvme68k/stand/bootst/version diff -u src/sys/arch/mvme68k/stand/bootst/version:1.4 src/sys/arch/mvme68k/stand/bootst/version:1.4.112.1 --- src/sys/arch/mvme68k/stand/bootst/version:1.4 Fri Nov 9 19:53:14 2001 +++ src/sys/arch/mvme68k/stand/bootst/version Wed Apr 15 21:05:16 2009 @@ -1,7 +1,8 @@ -$NetBSD: version,v 1.4 2001/11/09 19:53:14 scw Exp $ +$NetBSD: version,v 1.4.112.1 2009/04/15 21:05:16 snj Exp $ 1.1: Initial bootst (from Dale Rahn) 1.2: Update based on sun3 tapeboot (by Chuck Cranor) 1.3: Support verbose/quiet boot. 1.4: loadfile() update: ELF symbols no longer need backward seeks. 1.5: loadfile() update to avoid backwards seeks for ELF Program Headers. +1.6: hackprom_diskrd() needs loads up to 3MB from tape for current kernels.
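Review bot: Raising `hackload_blocks` to `0x3000` in dev_tape.c enlarges the region written at `hackload_addr`, and nothing in the hunk states or checks that the end of that region stays clear of the memory bootst itself occupies (presumably governed by `RELOC` in Makefile.booters). The block size and the read call are outside the hunk, so the remaining margin cannot be confirmed from here. A comment beside the define stating the constraint, e.g. `/* hackload_addr + hackload_blocks * <block size> must stay below the booter's load address */`, would keep the next bump from overrunning the loader. The unit in the existing comment would also read better as `3MB`.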
CVS commit: [netbsd-4-0] src/sys
Module Name:src Committed By: snj Date: Fri Apr 10 20:35:24 UTC 2009 Modified Files: src/sys/kern [netbsd-4-0]: uipc_usrreq.c src/sys/sys [netbsd-4-0]: file.h Log Message: Apply patch (requested by mlelstv in ticket #1303): Avoid deep recursion and file descriptor exhaustion. 1. unp_detach: go not call unp_gc directly for descriptors that are unixdomain sockets themselves. Instead mark them for cleanup during garbage collection. 2. unp_gc: handle detach of descriptors that were marked earlier. 3. prohibit transfer of descriptors within SCM_RIGHTS messages if (num_files_in_transit maxfiles / unp_rights_ratio) To generate a diff of this commit: cvs rdiff -u -r1.94.2.1 -r1.94.2.1.4.1 src/sys/kern/uipc_usrreq.c cvs rdiff -u -r1.56 -r1.56.30.1 src/sys/sys/file.h Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/kern/uipc_usrreq.c diff -u src/sys/kern/uipc_usrreq.c:1.94.2.1 src/sys/kern/uipc_usrreq.c:1.94.2.1.4.1 --- src/sys/kern/uipc_usrreq.c:1.94.2.1 Tue Aug 21 19:33:57 2007 +++ src/sys/kern/uipc_usrreq.c Fri Apr 10 20:35:24 2009 @@ -1,4 +1,4 @@ -/* $NetBSD: uipc_usrreq.c,v 1.94.2.1 2007/08/21 19:33:57 liamjfoy Exp $ */ +/* $NetBSD: uipc_usrreq.c,v 1.94.2.1.4.1 2009/04/10 20:35:24 snj Exp $ */ /*- * Copyright (c) 1998, 2000, 2004 The NetBSD Foundation, Inc. @@ -103,7 +103,7 @@ */ #include sys/cdefs.h -__KERNEL_RCSID(0, $NetBSD: uipc_usrreq.c,v 1.94.2.1 2007/08/21 19:33:57 liamjfoy Exp $); +__KERNEL_RCSID(0, $NetBSD: uipc_usrreq.c,v 1.94.2.1.4.1 2009/04/10 20:35:24 snj Exp $); #include sys/param.h #include sys/systm.h @@ -538,6 +538,7 @@ u_long unpdg_recvspace = 4*1024; int unp_rights; /* file descriptors in flight */ +int unp_rights_ratio = 2; /* limit, fraction of maxfiles */ int unp_attach(struct socket *so) 
@@ -976,6 +977,7 @@ int i, fd, *fdp; int nfds; u_int neededspace; + u_int maxmsg; /* Sanity check the control message header */ if (cm-cmsg_type != SCM_RIGHTS || cm-cmsg_level != SOL_SOCKET || @@ -984,6 +986,11 @@ /* Verify that the file descriptors are valid */ nfds = (cm-cmsg_len - CMSG_ALIGN(sizeof(*cm))) / sizeof(int); + + maxmsg = maxfiles / unp_rights_ratio; + if (unp_rights + nfds maxmsg) + return (EAGAIN); + fdp = (int *)CMSG_DATA(cm); for (i = 0; i nfds; i++) { fd = *fdp++; @@ -1167,6 +1174,8 @@ if (fp-f_count == fp-f_msgcount) continue; } + if (fp-f_iflags FIF_DISCARDED) +continue; fp-f_flag |= FMARK; if (fp-f_type != DTYPE_SOCKET || @@ -1272,6 +1281,14 @@ for (i = nunref, fpp = extra_ref; --i = 0; ++fpp) { fp = *fpp; simple_lock(fp-f_slock); + if (fp-f_iflags FIF_DISCARDED) { + fp-f_usecount++; + fp-f_msgcount--; + simple_unlock(fp-f_slock); + unp_rights--; + (void) closef(fp, (struct lwp *)0); + simple_lock(fp-f_slock); + } FILE_USE(fp); (void) closef(fp, (struct lwp *)0); } @@ -1356,7 +1373,24 @@ { if (fp == NULL) return; + simple_lock(fp-f_slock); + /* + * closing unix domain sockets may cause a deep + * recursion, so leave them open and mark them + * for the garbage collector to discard them safely. + */ + if (fp-f_type == DTYPE_SOCKET fp-f_count == 1) { + struct socket *so; + + so = (struct socket *)fp-f_data; + if (so so-so_proto-pr_domain == unixdomain + (so-so_proto-pr_flagsPR_RIGHTS) != 0) { + fp-f_iflags |= FIF_DISCARDED; + simple_unlock(fp-f_slock); + return; + } + } fp-f_usecount++; /* i.e. FILE_USE(fp) sans locking */ fp-f_msgcount--; simple_unlock(fp-f_slock); Index: src/sys/sys/file.h diff -u src/sys/sys/file.h:1.56 src/sys/sys/file.h:1.56.30.1 --- src/sys/sys/file.h:1.56 Sun May 14 21:38:18 2006 +++ src/sys/sys/file.h Fri Apr 10 20:35:24 2009 @@ -1,4 +1,4 @@ -/* $NetBSD: file.h,v 1.56 2006/05/14 21:38:18 elad Exp $ */ +/* $NetBSD: file.h,v 1.56.30.1 2009/04/10 20:35:24 snj Exp $ */ /* * Copyright (c) 1982, 1986, 1989, 1993 
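Review bot: In the hunk at -984, `maxmsg = maxfiles / unp_rights_ratio;` divides by a writable global (`int unp_rights_ratio = 2;`, added in the hunk at -538) with no guard. A value of 0 would fault in the kernel, and a negative value would convert to a very large `u_int` and silently disable the limit. Nothing visible writes to the variable, so this only matters if it is patched or later exported as a tunable. Either declare it `const` or clamp it at the point of use, e.g. `maxmsg = maxfiles / (unp_rights_ratio > 0 ? unp_rights_ratio : 1);`. The enclosing function starts and ends outside the hunk.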
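Review bot: The `FIF_DISCARDED` branch in the hunk at -1272 re-takes `fp->f_slock` immediately after `closef(fp, ...)`, which is safe only if that first `closef()` can never release the last reference to `fp`. That presumably holds because of the extra reference taken when `extra_ref` is built, but that code is outside the hunk. A comment on the branch such as `/* extra_ref still holds a reference, so fp survives this closef() */` would document the invariant the re-lock depends on. The `continue;` added in the hunk at -1167 also appears to have lost its indentation.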
@@ -96,9 +96,10 @@ #define FIF_WANTCLOSE 0x01 /* a close is waiting for usecount */ #define FIF_LARVAL 0x02 /* not fully constructed; don't use */ +#define FIF_DISCARDED 0x04 /* file is discarded, pending close */ #define FILE_IS_USABLE(fp) (((fp)-f_iflags \ - (FIF_WANTCLOSE|FIF_LARVAL)) == 0) + (FIF_WANTCLOSE|FIF_LARVAL|FIF_DISCARDED)) == 0) #define FILE_SET_MATURE(fp) \ do { \