Re: [patch] ssh: null pointer dereference
On Sat, 27 Mar 2010, Matthew Haub wrote:

> Hello,
>
> If channel_by_id() in mux_master_control_cleanup_cb() fails to find the session channel then pointer sc will be NULL when dereferenced.

Applied - thanks. This case shouldn't happen, if you are able to hit this code then please tell me how you do it :|

Index: usr.bin/ssh/mux.c === RCS file: /cvs/src/usr.bin/ssh/mux.c,v retrieving revision 1.14 diff -u usr.bin/ssh/mux.c --- usr.bin/ssh/mux.c 30 Jan 2010 02:54:53 - 1.14 +++ usr.bin/ssh/mux.c 27 Mar 2010 09:42:44 - @@ -189,7 +189,7 @@ fatal(%s: channel_by_id(%i) == NULL, __func__, cid); if (c-remote_id != -1) { if ((sc = channel_by_id(c-remote_id)) == NULL) - debug2(%s: channel %d n session channel %d, + fatal(%s: channel %d missing session channel %d, __func__, c-self, c-remote_id); c-remote_id = -1; sc-ctl_chan = -1;
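
Review bot: in the branch where channel_by_id(c->remote_id) returns NULL, fatal() replaces the NULL dereference at "sc->ctl_chan = -1" with an exit of the whole process, and it does so from a cleanup callback. If the state really cannot occur that is a reasonable assertion. If it can, logging the condition and skipping only the sc->ctl_chan assignment, while still resetting c->remote_id, would finish the cleanup without exiting. A one-line comment saying why the session channel must exist at this point would make the choice of fatal() easier to review later.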
Re: disklabel - 'P' option
This diff includes the 'P' option in the manpage and interactive helptext.

The install floppies are here:

http://www.cyodesigns.com/diffs/floppy47.fs
http://www.cyodesigns.com/diffs/floppyB47.fs
http://www.cyodesigns.com/diffs/floppyC47.fs

If you take one for a spin, could you let me know pls. I have only tested floppyB47.fs on a vm since my machine with a floppy drive is in transit in a 40ft container somewhere.

-mark

Index: editor.c === RCS file: /cvs/src/sbin/disklabel/editor.c,v retrieving revision 1.231 diff -u -p -r1.231 editor.c --- editor.c4 Apr 2010 14:12:12 - 1.231 +++ editor.c9 Apr 2010 22:45:03 - @@ -150,6 +150,7 @@ static u_int64_t starting_sector; static u_int64_t ending_sector; static int expert; static int overlap; +static int auto_print = 0; /* * Simple partition editor. @@ -164,7 +165,8 @@ editor(struct disklabel *lp, int f) char buf[BUFSIZ], *cmd, *arg; char **omountpoints = NULL; char **origmountpoints = NULL, **tmpmountpoints = NULL; - int i, error = 0; + int i, error = 0, print_info = 0; + static char *argcpy; /* Alloc and init mount point info */ if (!(omountpoints = calloc(MAXPARTITIONS, sizeof(char *))) || @@ -305,8 +307,19 @@ editor(struct disklabel *lp, int f) editor_name(label, arg); break; + case 'P': + free(argcpy); + argcpy = NULL; + if (arg) { + if ((argcpy = strdup(arg)) == NULL) + err(1, strdup); + auto_print = 1; + } else + auto_print = !auto_print; + break; + case 'p': - display_edit(label, arg ? *arg : 0, editor_countfree(label)); + print_info = 1; break; case 'l': @@ -475,6 +488,19 @@ editor(struct disklabel *lp, int f) break; } + if ((print_info || auto_print) + (*cmd != 'h' *cmd != '?')) { + if (auto_print) { + printf(-- \ + --\n); + if (!print_info) + arg = argcpy; + } + display_edit(label, arg ? *arg : 0, + editor_countfree(label)); + print_info = 0; + } + /* * If no changes were made to label or mountpoints, then * restore undo info. 
@@ -1734,6 +1760,11 @@ editor_help(char *arg) /* XXX - put these strings in a table instead? */ switch (*arg) { + case 'P': + puts( +The 'P' command will print disklabel information after every command.\n +The information displayed and arguments accepted are equivalent to 'p'\n +(see below).\n); case 'p': puts( The 'p' command prints the current partitions. By default, it prints size\n @@ -1887,7 +1918,7 @@ editor_help(char *arg) default: puts(Available commands:); puts( - ? [cmd] - show help n [part] - set mount point\n + ? [cmd] - show help P [unit] - always print partitions\n A- auto partition all space p [unit] - print partitions\n a [part] - add partition q- quit save changes\n b- set OpenBSD boundaries R [part] - resize a partition\n @@ -1899,6 +1930,7 @@ editor_help(char *arg) l [unit] - print disk label headerX- toggle expert mode\n M- disklabel(8) man page x- exit lose changes\n m [part] - modify partition z- delete all partitions\n + n [part] - set mount point\n \n Suffixes can be used to indicate units other than sectors:\n \t'b' (bytes), 'k' (kilobytes), 'm' (megabytes), 'g' (gigabytes)\n Index: disklabel.8 === RCS file: /cvs/src/sbin/disklabel/disklabel.8,v retrieving revision 1.88 diff -u -p -r1.88 disklabel.8 --- disklabel.8 23 Mar 2010 18:43:06 - 1.88 +++ disklabel.8 9 Apr 2010 22:45:03 - @@ -183,6 +183,8 @@ Disallow writing of the pack label area .It Fl n Make no permanent changes to the disklabel .Pq useful for debugging purposes . +.It Fl P Ar unit +Equivalent to 'p' (see below) but print information after every command. .It Fl p Ar unit Print partition sizes in .Ar unit
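
Review bot: in editor(), argcpy holds a strdup() of the whole argument, but its only consumer is "display_edit(label, arg ? *arg : 0, ...)", which reads the first character. Storing that one character in a static char would remove the free()/strdup() pair, the err() exit on allocation failure and the static pointer, with the same behaviour.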
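
Review bot: in editor_help(), the new "case 'P':" has no break and runs into "case 'p':". The help text says "(see below)", so this looks intended; mark it with a /* FALLTHROUGH */ comment so that it is not later taken for a missing break, or add the break if it is not intended.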
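
Review bot: the disklabel.8 hunk adds ".It Fl P Ar unit" between the -n and -p entries, which documents a command-line flag, while the editor.c hunks only add an interactive 'P' command inside editor(). Nothing shown parses a -P option. Either move the text to the part of the page that describes the editor commands, and show the unit as optional to match "P [unit]" in the help output, or add the option parsing to the diff.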
Re: [patch] ssh: null pointer dereference
Hello,

On Sat, Apr 10, 2010 at 03:49:07PM +1000, Damien Miller wrote:

> Applied - thanks. This case shouldn't happen, if you are able to hit this code then please tell me how you do it :|

I haven't hit this code, it was just something suspicious that I found. I've been looking for bugs to fix and when I noticed the large rewrite of ssh multiplexing code that you committed two months ago I thought I might take a closer look.

Matthew
bge(4) diff needs testing.
Please test the following diff with any bge(4) adapters. Just checking to ensure no regressions with known working adapters. Just check that things are working as usual. Just bringing in some fixes for some of the newer chipsets soon to appear. Nothing changed with existing chipsets though. Index: if_bge.c === RCS file: /cvs/src/sys/dev/pci/if_bge.c,v retrieving revision 1.293 diff -u -p -r1.293 if_bge.c --- if_bge.c6 Apr 2010 15:27:51 - 1.293 +++ if_bge.c10 Apr 2010 19:27:19 - @@ -1352,9 +1375,12 @@ bge_blockinit(struct bge_softc *sc) /* Configure mbuf pool watermarks */ /* new Broadcom docs strongly recommend these: */ - if (BGE_IS_5705_PLUS(sc) - BGE_ASICREV(sc-bge_chipid) != BGE_ASICREV_BCM5717 - BGE_ASICREV(sc-bge_chipid) != BGE_ASICREV_BCM57765) { + if (BGE_ASICREV(sc-bge_chipid) == BGE_ASICREV_BCM5717 || + BGE_ASICREV(sc-bge_chipid) == BGE_ASICREV_BCM57765) { + CSR_WRITE_4(sc, BGE_BMAN_MBUFPOOL_READDMA_LOWAT, 0x0); + CSR_WRITE_4(sc, BGE_BMAN_MBUFPOOL_MACRX_LOWAT, 0x2a); + CSR_WRITE_4(sc, BGE_BMAN_MBUFPOOL_HIWAT, 0xa0); + } else if (BGE_IS_5705_PLUS(sc)) { CSR_WRITE_4(sc, BGE_BMAN_MBUFPOOL_READDMA_LOWAT, 0x0); if (BGE_ASICREV(sc-bge_chipid) == BGE_ASICREV_BCM5906) { @@ -1660,11 +1686,17 @@ bge_blockinit(struct bge_softc *sc) if (BGE_IS_5755_PLUS(sc)) val |= BGE_WDMAMODE_STATUS_TAG_FIX; + if (BGE_ASICREV(sc-bge_chipid) == BGE_ASICREV_BCM5785) + val |= BGE_WDMAMODE_BURST_ALL_DATA; + /* Turn on write DMA state machine */ CSR_WRITE_4(sc, BGE_WDMA_MODE, val); val = BGE_RDMAMODE_ENABLE|BGE_RDMAMODE_ALL_ATTNS; + if (BGE_ASICREV(sc-bge_chipi) == BGE_ASICREV_BCM5717) + val |= BGE_RDMAMODE_MULT_DMA_RD_DIS; + if (BGE_ASICREV(sc-bge_chipid) == BGE_ASICREV_BCM5784 || BGE_ASICREV(sc-bge_chipid) == BGE_ASICREV_BCM5785 || BGE_ASICREV(sc-bge_chipid) == BGE_ASICREV_BCM57780) 
@@ -2116,10 +2148,12 @@ bge_attach(struct device *parent, struct sc-bge_tx_max_coal_bds = 400; /* 5705 limits RX return ring to 512 entries. */ - if (BGE_IS_5705_PLUS(sc)) - sc-bge_return_ring_cnt = BGE_RETURN_RING_CNT_5705; - else + if (BGE_IS_5700_FAMILY(sc) || + BGE_ASICREV(sc-bge_chipid) == BGE_ASICREV_BCM5717 || + BGE_ASICREV(sc-bge_chipid) == BGE_ASICREV_BCM57765) sc-bge_return_ring_cnt = BGE_RETURN_RING_CNT; + else + sc-bge_return_ring_cnt = BGE_RETURN_RING_CNT_5705; /* Set up ifnet structure */ ifp = sc-arpcom.ac_if; @@ -2188,7 +,8 @@ bge_attach(struct device *parent, struct /* The SysKonnect SK-9D41 is a 1000baseSX card. */ if (PCI_PRODUCT(subid) == SK_SUBSYSID_9D41 || (hwcfg BGE_HWCFG_MEDIA) == BGE_MEDIA_FIBER) { - if (BGE_IS_5714_FAMILY(sc)) + if (BGE_IS_5714_FAMILY(sc) || + BGE_ASICREV(sc-bge_chipid) == BGE_ASICREV_BCM5717) sc-bge_flags |= BGE_PHY_FIBER_MII; else sc-bge_flags |= BGE_PHY_FIBER_TBI; Index: if_bgereg.h === RCS file: /cvs/src/sys/dev/pci/if_bgereg.h,v retrieving revision 1.100 diff -u -p -r1.100 if_bgereg.h --- if_bgereg.h 9 Jan 2010 06:19:01 - 1.100 +++ if_bgereg.h 10 Apr 2010 19:27:19 - @@ -1517,6 +1517,7 @@ #define BGE_RDMAMODE_MBUF_SBD_CRPT_ATTN0x2000 #define BGE_RDMAMODE_FIFO_SIZE_128 0x0002 #define BGE_RDMAMODE_FIFO_LONG_BURST 0x0003 +#define BGE_RDMAMODE_MULT_DMA_RD_DIS 0x0100 /* Read DMA status register */ #define BGE_RDMASTAT_PCI_TGT_ABRT_ATTN 0x0004 @@ -1548,6 +1549,7 @@ #define BGE_WDMAMODE_ALL_ATTNS 0x03FC #define BGE_WDMAMODE_RX_ACCEL 0x0400 #define BGE_WDMAMODE_STATUS_TAG_FIX0x2000 +#define BGE_WDMAMODE_BURST_ALL_DATA0xc000 /* Write DMA status register */ #define BGE_WDMASTAT_PCI_TGT_ABRT_ATTN 0x0004
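
Review bot: in the read-DMA setup in bge_blockinit(), the added BCM5717 test reads the chip id through "bge_chipi", while every other line of the diff uses "bge_chipid". As posted that line will not compile, so the diff should be regenerated from the tree that was actually built before it goes out for testing.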
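
Review bot: in bge_attach(), the comment "5705 limits RX return ring to 512 entries" now sits above a test for the chips that get the full-size ring, with the 5705 count moved to the else branch, so it describes the opposite of the condition below it. Reword the comment to say which chips keep BGE_RETURN_RING_CNT and why 5717 and 57765 are among them. The inversion from BGE_IS_5705_PLUS to "not BGE_IS_5700_FAMILY" also leaves existing chips unchanged only if every one of them is in exactly one of those two sets; that is the assumption behind "nothing changed with existing chipsets" and it is worth stating.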
ifconfig.8 trunk section
Quite a bit of redundant text here, this makes it cleaner I think. Index: ifconfig.8 === RCS file: /home/tedu/cvs/src/sbin/ifconfig/ifconfig.8,v retrieving revision 1.192 diff -u -r1.192 ifconfig.8 --- ifconfig.8 23 Nov 2009 19:58:10 - 1.192 +++ ifconfig.8 10 Apr 2010 18:52:20 - @@ -1370,29 +1370,22 @@ .Op Oo Fl Oc Ns Cm trunkport Ar child-iface .Op Cm trunkproto Ar proto .Pp -The options are as follows: -.Bl -tag -width Ds -.It Cm trunkport Ar child-iface If the driver is a .Xr trunk 4 -pseudo-device, add the +pseudo-device, the following options are available: +.Bl -tag -width Ds +.It Cm trunkport Ar child-iface +Add .Ar child-iface as a trunk port. .It Fl trunkport Ar child-iface -If the driver is a -.Xr trunk 4 -pseudo-device, remove the trunk port +Remove the trunk port .Ar child-iface . .It Cm trunkproto Ar proto -If the driver is a +Set the trunk protocol. +Refer to .Xr trunk 4 -pseudo-device, set the trunk protocol. -Refer to the interface's driver-specific man page for a complete -list of the available protocols, -or use the following for a listing of choices: -.Pp -.Dl $ ifconfig interface media -.El +for a complete list of the available protocols, .\ TUNNEL .Sh TUNNEL .Nm ifconfig
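
Review bot: the hunk removes the ".El" that closed the option list but still opens one with ".Bl -tag -width Ds", so the list is left unclosed before ".Sh TUNNEL"; add ".El" after the trunkproto item. The new last line, "for a complete list of the available protocols,", also ends in a comma although the sentence now stops there; it should end with a period.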
[patch] ldp ldpctl implicit null
Hi.

I played around a bit with ospfd and ldpd against real cisco routers, and noticed some strange things.

ldpctl
------
First of all I saw that the output from ldpctl show lib and lfib showed label 3 instead of the well-known implicit null. I've patched ldpctl to show what I think is more appropriate output. Attached as ldpctl-impnull.patch. Apologies if this isn't the output you had in mind.

ldpd
----
Then I saw that any packet *using* the implicit null label actually went out over the wire with a label of 3. That's not very implicit. In fact, that's explicit. I added a check to ldpd if it's about to tell the kernel to place an imp-null label (swap or push, for MPLS and IP) and if so change it to skipping that label (using pop or return instead).

Also, I'm not quite sure what "In use" is supposed to mean, since if I take this line for example:

  123.0.0.1/32 123.0.0.1 23 - no

It's obviously in use and being announced over LDP to the other routers.

  c3640-2#show mpls ldp bindings 123.0.0.1 32
  tib entry: 123.0.0.1/32, rev 30
  remote binding: tsr: 1.0.0.100:0, tag: 23

So I changed the "in use" bit to be yes even if there's no outgoing label. As long as there's an incoming label the entry is, in my eyes, in use.

One more issue that my patches don't address is that the local label of loopbacks aren't imp-null. I take it this is because loopbacks don't get the C flag in the routing table.

Oh, and one last thing: that 123.0.0.1/32 above is actually a loopback 123.0.0.1/24. And while they can both be found in the routing table, lib and lfib, the /32 is not announced by ospfd and should therefore not be in LDP either.

-
typedef struct me_s {
 char name[] = { Thomas Habets };
 char email[] = { tho...@habets.pp.se };
 char kernel[]= { Linux };
 char *pgpKey[] = { http://www.habets.pp.se/pubkey.txt; };
 char pgp[] = { A8A3 D1DD 4AE0 8467 7FDE 0945 286A E90A AD48 E854 };
 char coolcmd[] = { echo '. ./_. ./_'_;. ./_ };
} me_t;

[demime 1.01d removed an attachment of type TEXT/x-diff which had a name of ldpd-impnull.patch]
[demime 1.01d removed an attachment of type TEXT/x-diff which had a name of ldpctl-impnull.patch]
systrace vs realpath
systrace uses realpath to find the files it wants to allow/deny. But in doing so, it changes the filenames, sometimes creating valid names out of invalid names. In particular, realpath strips trailing slashes, and some syscalls aren't supposed to work on such filenames. When using systrace, such illegal names *do* work. This is not the expected result that configure tests are looking for, and possibly wrong in other ways as well. Patch below from NetBSD fixes the bug. Still trouble with NOFOLLOW and open though. Index: intercept.c === RCS file: /home/tedu/cvs/src/bin/systrace/intercept.c,v retrieving revision 1.55 diff -u -r1.55 intercept.c --- intercept.c 15 Jun 2007 11:43:08 - 1.55 +++ intercept.c 10 Apr 2010 17:44:55 - @@ -51,6 +51,7 @@ #include intercept.h void simplify_path(char *); +char *intercept_realpath(const char *, char *); struct intercept_syscall { SPLAY_ENTRY(intercept_syscall) node; @@ -669,7 +670,7 @@ /* If realpath fails then the filename does not exist, * or we are supposed to not resolve the last component */ - if (realpath(cwd, rcwd) == NULL) { + if (intercept_realpath(cwd, rcwd) == NULL) { char *dir, last_char; struct stat st; int base_is_dir; @@ -694,7 +695,7 @@ goto error; /* So, try again */ - if (realpath(dir, rcwd) == NULL) { + if (intercept_realpath(dir, rcwd) == NULL) { failed = 1; goto out; } 
@@ -1013,4 +1014,144 @@ intercept_policy_free(int policynr) { (*intercept_pfreecb)(policynr, intercept_pfreearg); +} + +char * +intercept_realpath(const char *path, char *resolved) +{ + struct stat sb; + int idx = 0, n, nlnk = 0, serrno = errno; + const char *q; + char *p, wbuf[2][MAXPATHLEN]; + size_t len; + + /* +* Build real path one by one with paying an attention to ., +* .. and symbolic link. +*/ + + /* +* `p' is where we'll put a new component with prepending +* a delimiter. +*/ + p = resolved; + + if (*path == 0) { + *p = 0; + errno = ENOENT; + return (NULL); + } + + /* If relative path, start from current working directory. */ + if (*path != '/') { + if (getcwd(resolved, MAXPATHLEN) == NULL) { + p[0] = '.'; + p[1] = 0; + return (NULL); + } + len = strlen(resolved); + if (len 1) + p += len; + } + +loop: + /* Skip any slash. */ + while (*path == '/') + path++; + + if (*path == 0) { + if (p == resolved) + *p++ = '/'; + *p = 0; + return (resolved); + } + + /* Find the end of this component. */ + q = path; + do + q++; + while (*q != '/' *q != 0); + + /* Test . or .. */ + if (path[0] == '.') { + if (q - path == 1) { + path = q; + goto loop; + } + if (path[1] == '.' q - path == 2) { + /* Trim the last component. */ + if (p != resolved) + while (*--p != '/') + ; + path = q; + goto loop; + } + } + + /* Append this component. */ + if (p - resolved + 1 + q - path + 1 MAXPATHLEN) { + errno = ENAMETOOLONG; + if (p == resolved) + *p++ = '/'; + *p = 0; + return (NULL); + } + p[0] = '/'; + memcpy(p[1], path, + /* LINTED We know q path. */ + q - path); + p[1 + q - path] = 0; + + /* +* If this component is a symlink, toss it and prepend link +* target to unresolved path. +*/ + if (lstat(resolved, sb) == -1) { + /* Allow nonexistent component if this is the last one. 
*/ + while (*q == '/') + q++; + + if (*q == 0 errno == ENOENT) { + errno = serrno; + return (resolved); + } + + return (NULL); + } + if (S_ISLNK(sb.st_mode)) { + if (nlnk++ = MAXSYMLINKS) { + errno = ELOOP; + return (NULL); + } + n = readlink(resolved, wbuf[idx], sizeof(wbuf[0]) - 1); +
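
Review bot: intercept_realpath() carries no comment saying how it is meant to differ from realpath(3), and the part shown does not make the trailing-slash handling from the message visible: at "loop:" every run of slashes is skipped and, at the end of the string, "resolved" is returned without them. Add a comment above the function naming the inputs it rejects that realpath(3) accepts, for example a regular file followed by a slash, and pointing to the check that does it, so that the two call sites changed in the earlier hunks can be reviewed against that contract.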
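
An added example, not part of the original post and not systrace or NetBSD code: the trailing-slash mismatch described in the message above, handled by a hypothetical wrapper policy_realpath() that canonicalises a name with realpath(3) but still refuses "file/" with ENOTDIR, as the system call itself would. The function names and the temporary paths in trailing_slash_demo() are constructed for the example.

```c
#define _XOPEN_SOURCE 700	/* realpath(3), mkdtemp(3) */
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/*
 * Hypothetical helper: canonicalise `path` for a policy lookup, keeping the
 * rule that a trailing slash needs a directory. `resolved`: PATH_MAX bytes.
 */
char *
policy_realpath(const char *path, char *resolved)
{
	struct stat sb;
	size_t len = strlen(path);
	int want_dir = len > 1 && path[len - 1] == '/';

	if (realpath(path, resolved) == NULL)
		return NULL;		/* errno set by realpath(3) */
	if (!want_dir)
		return resolved;
	if (stat(resolved, &sb) == -1)
		return NULL;
	if (!S_ISDIR(sb.st_mode)) {
		errno = ENOTDIR;	/* what the syscall itself reports */
		return NULL;
	}
	return resolved;
}

/* Constructed self-check: 1 if "f" and "dir/" resolve and "f/" is refused. */
int
trailing_slash_demo(void)
{
	char dir[] = "/tmp/slashdemoXXXXXX", file[PATH_MAX];
	char p[PATH_MAX + 2], out[PATH_MAX];
	FILE *fp;
	int ok;

	if (mkdtemp(dir) == NULL)
		return 0;
	snprintf(file, sizeof(file), "%s/f", dir);
	if ((fp = fopen(file, "w")) == NULL)
		return 0;
	fclose(fp);
	ok = policy_realpath(file, out) != NULL;
	snprintf(p, sizeof(p), "%s/", file);	/* regular file + slash */
	ok = ok && policy_realpath(p, out) == NULL && errno == ENOTDIR;
	snprintf(p, sizeof(p), "%s/", dir);	/* directory + slash */
	ok = ok && policy_realpath(p, out) != NULL;
	unlink(file);
	rmdir(dir);
	return ok;
}
```

The check is on the original string, before canonicalisation, because the resolved name no longer says whether the caller asked for a directory.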
re(4) diff needs testing.
Please test the following diff with any re(4) adapters. This is an adaption of some code from FreeBSD to help with identification of certain chipsets. Just make sure the driver still attaches Ok. There should be no change with the dmesg info printed. Let me know if there is. Please provide me with a dmesg. Index: re.c === RCS file: /cvs/src/sys/dev/ic/re.c,v retrieving revision 1.117 diff -u -p -r1.117 re.c --- re.c17 Feb 2010 22:16:34 - 1.117 +++ re.c3 Apr 2010 22:27:49 - @@ -804,10 +804,28 @@ re_attach(struct rl_softc *sc, const cha struct ifnet*ifp; u_int16_t re_did = 0; int error = 0, i; + u_int32_t hwrev; const struct re_revision *rr; const char *re_name = NULL; - sc-sc_hwrev = CSR_READ_4(sc, RL_TXCFG) RL_TXCFG_HWREV; + hwrev = CSR_READ_4(sc, RL_TXCFG); + + DPRINTF(( Chip rev. )); + + switch (hwrev 0x7000) { + case 0x: + case 0x1000: + DPRINTF((0x%08x, hwrev 0xfc80)); + hwrev = (RL_TXCFG_HWREV | 0x8000); + break; + default: + DPRINTF((0x%08x, hwrev 0x7c80)); + hwrev = RL_TXCFG_HWREV; + } + + DPRINTF(( MAC rev. 0x%08x, hwrev 0x0070)); + + sc-sc_hwrev = hwrev; switch (sc-sc_hwrev) { case RL_HWREV_8139CPLUS: Index: rtl81x9reg.h === RCS file: /cvs/src/sys/dev/ic/rtl81x9reg.h,v retrieving revision 1.67 diff -u -p -r1.67 rtl81x9reg.h --- rtl81x9reg.h10 Aug 2009 20:29:54 - 1.67 +++ rtl81x9reg.h3 Apr 2010 20:23:26 - @@ -151,7 +151,7 @@ #define RL_TXCFG_LOOPBKTST 0x0006 /* loopback test */ #define RL_TXCFG_IFG2 0x0008 /* 8169 only */ #define RL_TXCFG_IFG 0x0300 /* interframe gap */ -#define RL_TXCFG_HWREV 0x7C80 +#define RL_TXCFG_HWREV 0x7CC0 #define RL_LOOPTEST_OFF0x #define RL_LOOPTEST_ON 0x0002
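
Review bot: in the default branch of the new switch in re_attach(), the DPRINTF masks hwrev with a literal (shown as 0x7c80) while the value stored is masked with RL_TXCFG_HWREV, which the rtl81x9reg.h hunk changes to 0x7CC0, so the debug output and sc->sc_hwrev can disagree. Use the macro in the DPRINTF and give the other literal masks in the switch names next to it in rtl81x9reg.h. Widening RL_TXCFG_HWREV also changes the value that every existing "case RL_HWREV_..." label is compared against, so a chip with the newly included bit set would stop matching; say which revisions that was checked for, since the message expects no change in dmesg.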
Re: ifconfig.8 trunk section
On Sat, Apr 10, 2010 at 02:54:22PM -0400, Ted Unangst wrote:

> Quite a bit of redundant text here, this makes it cleaner I think.

this looks like a good improvement to me. unfortunately a huge number of subsections in this page use that exact syntax, so any diff should address this for the entire page.

can of worms for breakfast?

jmc

Index: ifconfig.8 === RCS file: /home/tedu/cvs/src/sbin/ifconfig/ifconfig.8,v retrieving revision 1.192 diff -u -r1.192 ifconfig.8 --- ifconfig.823 Nov 2009 19:58:10 - 1.192 +++ ifconfig.810 Apr 2010 18:52:20 - @@ -1370,29 +1370,22 @@ .Op Oo Fl Oc Ns Cm trunkport Ar child-iface .Op Cm trunkproto Ar proto .Pp -The options are as follows: -.Bl -tag -width Ds -.It Cm trunkport Ar child-iface If the driver is a .Xr trunk 4 -pseudo-device, add the +pseudo-device, the following options are available: +.Bl -tag -width Ds +.It Cm trunkport Ar child-iface +Add .Ar child-iface as a trunk port. .It Fl trunkport Ar child-iface -If the driver is a -.Xr trunk 4 -pseudo-device, remove the trunk port +Remove the trunk port .Ar child-iface . .It Cm trunkproto Ar proto -If the driver is a +Set the trunk protocol. +Refer to .Xr trunk 4 -pseudo-device, set the trunk protocol. -Refer to the interface's driver-specific man page for a complete -list of the available protocols, -or use the following for a listing of choices: -.Pp -.Dl $ ifconfig interface media -.El +for a complete list of the available protocols, .\ TUNNEL .Sh TUNNEL .Nm ifconfig