Re: sndiod hangs

2015-07-17 Thread Alexandre Ratchov
On Mon, Jul 13, 2015 at 12:52:14PM +0200, Alexandre Ratchov wrote:
 On Sat, Jul 11, 2015 at 02:23:03PM +0200, Mark Kettenis wrote:
  Every now and then sndiod hangs on me.  Usually I discover this as
  mplayer hangs while playing a video or hangs while opening the audio
  device on startup.  Restarting sndiod using the /etc/rc.d/sndiod
  script doesn't work; it blocks trying to stop the running sndiod.  I
  have to use kill -9 to get rid of it.
  
  Happened again last night and I investigated a bit.  This was after I
  tried restarting it using /etc/rc.d/sndiod, but before resorting to
  kill -9.  Attaching with gdb revealed that it was stuck in poll(2)
  with the 2nd argument being 0 and the last argument being -1.  Since
  no file descriptors are being monitored and the timeout is infinite,
  the process just blocks forever.
 
 Normally it gets a periodic SIGALRM which interrupts poll(2) with
 EINTR.
 

Now this is fixed (interval timers aren't copied by fork(2), so
after the call to daemon(3), periodic timers appeared as stopped).

The hang (now fixed) occurred in the exit code-path when a hardware
inconsistency was detected.
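The fork(2) behaviour behind the fix, as an added example rather than sndiod's own code: a SIGALRM interval timer is armed, the process forks (daemon(3) forks internally, so the same thing happens there), and the child reports whether the timer survived. A second function re-arms the timer in the current process and shows that poll(NULL, 0, -1), the call gdb found sndiod stuck in, only returns because the timer interrupts it with EINTR. The 20 ms period, the handler and the function names are choices made for this demonstration, not anything from sndiod.

```c
#define _POSIX_C_SOURCE 200809L
#define _DEFAULT_SOURCE
#include <errno.h>
#include <poll.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/time.h>
#include <sys/wait.h>
#include <unistd.h>

static volatile sig_atomic_t alarms;

static void on_alrm(int sig) { (void)sig; alarms++; }

/* Arm the periodic ITIMER_REAL (20 ms here) that keeps a daemon's poll loop ticking. */
static int
arm_periodic_timer(void)
{
	struct sigaction sa;
	struct itimerval it;

	memset(&sa, 0, sizeof(sa));
	sa.sa_handler = on_alrm;
	sigemptyset(&sa.sa_mask);
	sa.sa_flags = 0;	/* no SA_RESTART: poll(2) must come back with EINTR */
	if (sigaction(SIGALRM, &sa, NULL) == -1)
		return -1;
	it.it_interval.tv_sec = 0;
	it.it_interval.tv_usec = 20000;
	it.it_value = it.it_interval;
	return setitimer(ITIMER_REAL, &it, NULL);
}

static int
disarm_timer(void)
{
	struct itimerval zero = { { 0, 0 }, { 0, 0 } };
	return setitimer(ITIMER_REAL, &zero, NULL);
}

/*
 * Arm the timer, fork(), and ask the child whether it still has one.
 * Returns 1 if the child inherited an armed timer, 0 if fork(2) reset it
 * (POSIX: "interval timers shall be reset in the child process"), -1 on
 * error.  daemon(3) forks, so a timer armed before daemon(3) is lost.
 */
int
timer_survives_fork(void)
{
	struct itimerval it;
	pid_t pid;
	int status;

	if (arm_periodic_timer() == -1)
		return -1;
	if ((pid = fork()) == -1) {
		disarm_timer();
		return -1;
	}
	if (pid == 0) {
		if (getitimer(ITIMER_REAL, &it) == -1)
			_exit(2);
		_exit(it.it_value.tv_sec != 0 || it.it_value.tv_usec != 0);
	}
	disarm_timer();
	while (waitpid(pid, &status, 0) == -1)
		if (errno != EINTR)
			return -1;
	if (!WIFEXITED(status) || WEXITSTATUS(status) == 2)
		return -1;
	return WEXITSTATUS(status);
}

/*
 * The state gdb showed: poll(NULL, 0, -1) watches nothing and never times
 * out, so only a signal can end it.  With the timer re-armed in this
 * process (i.e. after any fork) poll fails with EINTR; with no timer it
 * blocks forever.  Returns the errno poll(2) failed with, 0 if it returned.
 */
int
poll_wakes_with_timer(void)
{
	int e;

	if (arm_periodic_timer() == -1)
		return -1;
	e = (poll(NULL, 0, -1) == -1) ? errno : 0;
	disarm_timer();
	return e;
}

int main(void) { printf("timer inherited by child: %d, poll errno: %d (EINTR=%d)\n", timer_survives_fork(), poll_wakes_with_timer(), EINTR); return 0; }
```

The second function is only safe to call because the first has re-armed nothing in this process: run it without arm_periodic_timer() and it never returns, which is exactly the hang described above.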



Re: [patch] Disklabel message tweak

2015-07-17 Thread Michael McConville
On Fri, Jul 17, 2015 at 03:53:09PM +0200, Benny Lofgren wrote:
 On 2015-07-17 08:57, Theo de Raadt wrote:
  The phrase No label changes. was selected because it is true
  (there is nothing to save).  I don't see what further adds to make
  this more accurate or understandable.
 
 Perhaps phrasing the message No unsaved label changes instead would
 make both camps happy?
 
 In my mind that wording clearly explains what just went on, while also
 taking into account what might likely have been done earlier in the
 edit session.

Good call. I wasn't really happy with the phrasing I suggested either -
yours sounds much better. I should probably cut out my bikeshedding,
though.



Re: Fix socketpair(2) handling of unix datagram sockets using cloexec/nonblock

2015-07-17 Thread Jeremy Evans
On 07/16 05:05, Philip Guenther wrote:
 On Thu, Jul 16, 2015 at 4:54 PM, Jeremy Evans jer...@openbsd.org wrote:
  Fix socketpair(2) on Unix datagram sockets that use SOCK_CLOEXEC or
  SOCK_NONBLOCK.
 
  This fixes a failure in the ruby test suite.
 
  OK?
 
 No, that'll have false positives on SOCK_RAW sockets.  You need to
 mask things, perhaps a diff like this:

This works and is definitely more correct.  OK jeremy@

Thanks,
Jeremy

 
 --- sys/socket.h21 Jan 2015 02:23:14 -  1.87
 +++ sys/socket.h17 Jul 2015 00:03:48 -
 @@ -68,6 +68,9 @@ typedef   __sa_family_t   sa_family_t;/* so
  #defineSOCK_RAW3   /* raw-protocol interface */
  #defineSOCK_RDM4   /* reliably-delivered message 
 */
  #defineSOCK_SEQPACKET  5   /* sequenced packet stream */
 +#ifdef _KERNEL
 +#defineSOCK_TYPE_MASK  0x000F  /* mask that covers the above 
 */
 +#endif
 
  /*
   * Socket creation flags
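Review bot: the mask is only as good as the flag values it is meant to strip, and SOCK_CLOEXEC/SOCK_NONBLOCK are not in this hunk; confirm neither has a bit inside 0x000F, and say so in the comment ("mask that covers the above" names the types but not that the creation flags are excluded), since anyone adding a flag later needs to know the low nibble is reserved.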
 Index: kern/uipc_syscalls.c
 ===
 RCS file: /data/src/openbsd/src/sys/kern/uipc_syscalls.c,v
 retrieving revision 1.102
 diff -u -p -r1.102 uipc_syscalls.c
 --- kern/uipc_syscalls.c21 May 2015 13:35:15 -  1.102
 +++ kern/uipc_syscalls.c17 Jul 2015 00:04:02 -
 @@ -403,7 +403,7 @@ sys_socketpair(struct proc *p, void *v,
 }
 if ((error = soconnect2(so1, so2)) != 0)
 goto free4;
 -   if (SCARG(uap, type) == SOCK_DGRAM) {
 +   if ((SCARG(uap, type)  SOCK_TYPE_MASK) == SOCK_DGRAM) {
 /*
  * Datagram socket connection is asymmetric.
  */
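Review bot: this masks only the SOCK_DGRAM comparison in sys_socketpair(); any other place in this function or in sys_socket() that compares `SCARG(uap, type)` directly against a socket type misfires the same way once SOCK_CLOEXEC or SOCK_NONBLOCK is set, and needs `& SOCK_TYPE_MASK` too. A regress test calling socketpair(2) with SOCK_DGRAM plus both flags and sending in both directions would pin the fix, given that it was found through the ruby test suite.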

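A user-space regression check for the case this patch fixes, added here as an example; it is not part of the patch and not the ruby test that found the bug. It creates an AF_UNIX datagram socketpair with creation flags, verifies that a datagram gets through in both directions (the asymmetric-connection branch is what the unmasked comparison skipped) and that the requested flags really landed on both descriptors. `EXAMPLE_SOCK_TYPE_MASK` mirrors the 0x000F value from the hunk and is an assumption of this example, not a system header constant.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <sys/socket.h>
#include <unistd.h>

/*
 * User-space mirror of the kernel fix: the socket type lives in the low
 * nibble and the creation flags in the high bits, so comparing the raw
 * argument against SOCK_DGRAM fails as soon as a flag is set.  The mask
 * value is the 0x000F the patch defines as SOCK_TYPE_MASK, assumed here
 * rather than taken from a system header.
 */
#define EXAMPLE_SOCK_TYPE_MASK	0x000F

int
socket_type_of(int type)
{
	return type & EXAMPLE_SOCK_TYPE_MASK;
}

/*
 * Regression check for socketpair(2) on AF_UNIX/SOCK_DGRAM with creation
 * flags.  Returns 0 when a datagram gets through in both directions and
 * the requested flags are set on both descriptors; otherwise a negative
 * code naming the first failed check.
 */
int
check_dgram_socketpair(int flags)
{
	int sv[2], i, rc = 0;
	char buf[8];

	if (socketpair(AF_UNIX, SOCK_DGRAM | flags, 0, sv) == -1)
		return -1;
	/* sv[0] -> sv[1] works even when the connection was left one-way */
	if (send(sv[0], "ab", 2, 0) != 2 || recv(sv[1], buf, sizeof(buf), 0) != 2)
		rc = -2;
	/* sv[1] -> sv[0] is the direction that breaks when the SOCK_DGRAM branch is skipped */
	else if (send(sv[1], "cd", 2, 0) != 2 || recv(sv[0], buf, sizeof(buf), 0) != 2)
		rc = -3;
	for (i = 0; rc == 0 && i < 2; i++) {
		if ((flags & SOCK_CLOEXEC) && !(fcntl(sv[i], F_GETFD) & FD_CLOEXEC))
			rc = -4;
		else if ((flags & SOCK_NONBLOCK) && !(fcntl(sv[i], F_GETFL) & O_NONBLOCK))
			rc = -5;
	}
	close(sv[0]);
	close(sv[1]);
	return rc;
}

int
main(void)
{
	printf("plain SOCK_DGRAM: %d\n", check_dgram_socketpair(0));
	printf("SOCK_DGRAM|SOCK_CLOEXEC|SOCK_NONBLOCK: %d\n",
	    check_dgram_socketpair(SOCK_CLOEXEC | SOCK_NONBLOCK));
	printf("raw compare: %s, masked compare: %s\n",
	    (SOCK_DGRAM | SOCK_CLOEXEC) == SOCK_DGRAM ? "match" : "miss",
	    socket_type_of(SOCK_DGRAM | SOCK_CLOEXEC) == SOCK_DGRAM ? "match" : "miss");
	return 0;
}
```

On a kernel with the bug the flagged call returns -3: the first datagram arrives, the reply from sv[1] does not, because soconnect2() was never told to connect the second end.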


Re: [patch] Disklabel message tweak

2015-07-17 Thread Benny Lofgren
On 2015-07-17 08:57, Theo de Raadt wrote:
 The phrase No label changes. was selected because it is true
 (there is nothing to save).  I don't see what further adds to
 make this more accurate or understandable.

I would even argue that adding further makes it more INaccurate and
also adds confusion, since it introduces a worry in the user that
whoops... what changes *did* I just make without noticing...?.

However, I do agree with the OP that the original message is a bit
confusing, especially given his example use case. I need only look to
myself, used to /bin/ed as I am, I often just type w + enter + q + enter
without thinking because it's in my muscle memory. Then I see the
message and get slightly miffed at myself for forgetting that 'q' in
disklabel actually asks me. :-)


Perhaps phrasing the message No unsaved label changes instead would
make both camps happy?

In my mind that wording clearly explains what just went on, while also
taking into account what might likely have been done earlier in the edit
session.


Regards,
/Benny

-- 
internetlabbet.se / work:   +46 8 551 124 80  / Words must
Benny Lofgren/  mobile: +46 70 718 11 90 /   be weighed,
/   fax:+46 8 551 124 89/not counted.
   /email:  benny -at- internetlabbet.se



Re: Ask for password for failed commands

2015-07-17 Thread Bob Beck
I concur.  Vadim I like the basic idea, but I do not like that in the
bogus case we still run all the privileged user auth code.


On Thu, Jul 16, 2015 at 4:30 PM, Ted Unangst t...@tedunangst.com wrote:
 Vadim Zhukov wrote:
 Ask for a password when we're going to fail() anyway, to avoid
 leaking information about available commands. The sudo(8) behaves
 the same way, FWIW.

 Let's say no for now. I'm not too concerned about this leak. I'm not sure what
 a user would hope to discover. Hasn't the sysadmin told them what commands
 they can run?

 On the other hand, running more auth code seems riskier.




Re: Ask for password for failed commands

2015-07-17 Thread David Gwynne

 On 17 Jul 2015, at 16:18, Bob Beck b...@openbsd.org wrote:
 
 I concur.  Vadim I like the basic idea, but I do not like that in the
 bogus case we still run all the privileged user auth code.

sudo also has the -l flag, which lists what commands you're allowed to run.

however, it looks like if you aren't allowed to run anything on the local
machine, sudo -l will make it look like you're entering your password
incorrectly rather than report that you can't run anything. so a similar problem
but different. or I can't type my password well today.

dlg

 
 
 On Thu, Jul 16, 2015 at 4:30 PM, Ted Unangst t...@tedunangst.com wrote:
 Vadim Zhukov wrote:
 Ask for a password when we're going to fail() anyway, to avoid
 leaking information about available commands. The sudo(8) behaves
 the same way, FWIW.
 
 Let's say no for now. I'm not too concerned about this leak. I'm not sure 
 what
 a user would hope to discover. Hasn't the sysadmin told them what commands
 they can run?
 
 On the other hand, running more auth code seems riskier.
 
 




Re: [patch] Disklabel message tweak

2015-07-17 Thread Theo de Raadt
This is another trivial patch, but I've always found the disklabel
message No label changes confusing. For example, if you print (p), add
a label (a), write (w), print to check your changes (p), and then quit
(q), it seems odd to be told No label changes. 



Index: sbin/disklabel/editor.c
===
RCS file: /cvs/src/sbin/disklabel/editor.c,v
retrieving revision 1.295
diff -u -p -r1.295 editor.c
--- sbin/disklabel/editor.c8 May 2015 12:15:50 -   1.295
+++ sbin/disklabel/editor.c17 Jul 2015 02:54:59 -
@@ -373,7 +373,7 @@ editor(int f)
*/
   if (!dflag  !aflag 
   memcmp(lab, newlab, sizeof(newlab)) == 0) {
-  puts(No label changes.);
+  puts(No further label changes.);
   /* Save mountpoint info. */
   mpsave(newlab);
   goto done;
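Review bot: the condition this message hangs off (`!dflag && !aflag && memcmp(&lab, &newlab, ...) == 0`, i.e. the edited label equals the one on disk) does not know whether an earlier `w` happened in this session, so "further" asserts something the code does not track. If the aim is not to alarm a user who already wrote, a wording that describes the condition itself, such as the "No unsaved label changes." proposed elsewhere in this thread, matches what memcmp actually established.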

The phrase No label changes. was selected because it is true
(there is nothing to save).  I don't see what further adds to
make this more accurate or understandable.



merging usb_video_header_desc and usb_video_header_desc_all

2015-07-17 Thread Ludovic Coues
Following yesterday's feedback, I wrote a patch merging
usb_video_header_desc and usb_video_header_desc_all in uvideo.c.
The current kernel compiles fine with it on amd64 and video displays an image.

At the moment, I can't test the patch on other platforms. So I'm looking
for feedback on the pattern used and on whether it changes anything on
non-amd64. If those are positive, there are a couple of structures I would
alter in the same way.
Index: sys/dev/usb//uvideo.c
===
RCS file: /cvs/src/sys/dev/usb/uvideo.c,v
retrieving revision 1.181
diff -u -p -r1.181 uvideo.c
--- sys/dev/usb//uvideo.c   9 Jul 2015 14:58:32 -   1.181
+++ sys/dev/usb//uvideo.c   17 Jul 2015 11:03:48 -
@@ -84,7 +84,7 @@ struct uvideo_softc {
 
int  sc_nframes;
struct usb_video_probe_commitsc_desc_probe;
-   struct usb_video_header_desc_all sc_desc_vc_header;
+   struct usb_video_header_desc*sc_desc_vc_header;
struct usb_video_input_header_desc_all   sc_desc_vs_input_header;
 
 #define UVIDEO_MAX_PU   8
@@ -694,16 +694,15 @@ uvideo_vc_parse_desc_header(struct uvide
 {
struct usb_video_header_desc *d;
 
-   d = (struct usb_video_header_desc *)(uint8_t *)desc;
+   d = (struct usb_video_header_desc *)desc;
 
if (d-bInCollection == 0) {
printf(%s: no VS interface found!\n,
DEVNAME(sc));
return (USBD_INVAL);
}
-   
-   sc-sc_desc_vc_header.fix = d;
-   sc-sc_desc_vc_header.baInterfaceNr = (uByte *)(d + 1);
+
+   sc-sc_desc_vc_header = d;
 
return (USBD_NORMAL_COMPLETION);
 }
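Review bot: with baInterfaceNr now a trailing array, the only validation here is `bInCollection == 0`; nothing checks that the device-supplied bLength covers the fixed header plus bInCollection bytes, so the `baInterfaceNr[i]` loop in uvideo_vs_parse_desc() reads past the descriptor on a malformed or hostile device. Add a length check before storing the pointer, along the lines of `if (d->bLength < offsetof(struct usb_video_header_desc, baInterfaceNr) + d->bInCollection) return (USBD_INVAL);`. The old `.fix`/`.baInterfaceNr` pair had the same gap as far as the hunk shows, so this is pre-existing, but the refactor is the moment to close it.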
@@ -838,7 +837,7 @@ uvideo_vs_parse_desc(struct uvideo_softc
DPRINTF(1, %s: number of total interfaces=%d\n,
DEVNAME(sc), sc-sc_nifaces);
DPRINTF(1, %s: number of VS interfaces=%d\n,
-   DEVNAME(sc), sc-sc_desc_vc_header.fix-bInCollection);
+   DEVNAME(sc), sc-sc_desc_vc_header-bInCollection);
 
usbd_desc_iter_init(sc-sc_udev, iter);
desc = usbd_desc_iter_next(iter);
@@ -874,8 +873,8 @@ uvideo_vs_parse_desc(struct uvideo_softc
return (error);
 
/* parse interface collection */
-   for (i = 0; i  sc-sc_desc_vc_header.fix-bInCollection; i++) {
-   iface = sc-sc_desc_vc_header.baInterfaceNr[i];
+   for (i = 0; i  sc-sc_desc_vc_header-bInCollection; i++) {
+   iface = sc-sc_desc_vc_header-baInterfaceNr[i];
 
id = usbd_get_interface_descriptor(sc-sc_udev-ifaces[iface]);
if (id == NULL) {
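Review bot: `iface` comes straight from the descriptor and is used as `sc->sc_udev->ifaces[iface]`; nothing in the visible lines bounds it against sc->sc_nifaces (which the DPRINTF above this hunk prints). If that check does not exist elsewhere, `if (iface >= sc->sc_nifaces) continue;` (or return USBD_INVAL) belongs at the top of the loop body.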
@@ -1500,12 +1499,12 @@ uvideo_vs_negotiation(struct uvideo_soft
 * Some UVC 1.00 devices return dwMaxVideoFrameSize = 0.
 * If so, fix it by format/frame descriptors.
 */
-   hd = sc-sc_desc_vc_header.fix;
+   hd = sc-sc_desc_vc_header;
if (UGETDW(pc-dwMaxVideoFrameSize) == 0 
UGETW(hd-bcdUVC)  0x0110 ) {
DPRINTF(1, %s: dwMaxVideoFrameSize == 0, fixed\n,
DEVNAME(sc));
-   USETDW(pc-dwMaxVideoFrameSize, 
+   USETDW(pc-dwMaxVideoFrameSize,
UGETDW(frame-dwMaxVideoFrameBufferSize));
}
}
Index: sys/dev/usb//uvideo.h
===
RCS file: /cvs/src/sys/dev/usb/uvideo.h,v
retrieving revision 1.57
diff -u -p -r1.57 uvideo.h
--- sys/dev/usb//uvideo.h   9 Jul 2015 14:58:32 -   1.57
+++ sys/dev/usb//uvideo.h   17 Jul 2015 11:03:48 -
@@ -162,13 +162,9 @@ struct usb_video_header_desc {
uWord   wTotalLength;
uDWord  dwClockFrequency;
uByte   bInCollection;
+   uByte   baInterfaceNr[1];
 } __packed;
 
-struct usb_video_header_desc_all {
-   struct usb_video_header_desc*fix;
-   uByte   *baInterfaceNr;
-};
-
 /* Table 3-4: Input Terminal Descriptor */
 struct usb_video_input_terminal_desc {
uByte   bLength;
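Review bot: the `[1]` trailing array makes `sizeof(struct usb_video_header_desc)` one byte larger than the descriptor's fixed part, so any sizeof-based length comparison against this struct elsewhere is now off by one; use offsetof(struct usb_video_header_desc, baInterfaceNr) for the fixed length. Comment the field as "bInCollection entries" so nobody treats it as a single byte, and check that the deleted usb_video_header_desc_all is not referenced from files outside this diff.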

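To show what the refactored driver should validate before trusting bInCollection, here is an added user-space parser for the same VC header layout, fed constructed descriptor bytes. It is not uvideo.c code: the leading three bytes, bcdUVC, wTotalLength and dwClockFrequency follow UVC 1.1 Table 3-3, while the VC_E* codes, the function names and the sample descriptors are inventions for this example. The `[1]` trailing array deliberately mirrors the patched struct so that the offsetof-versus-sizeof point is visible in code.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/*
 * UVC 1.1 Table 3-3 VC Interface Header Descriptor, laid out as the patched
 * struct: fixed fields, then bInCollection interface numbers.  Only the
 * fields visible in the hunks plus the three leading bytes are declared.
 */
struct vc_header_desc {
	uint8_t  bLength;
	uint8_t  bDescriptorType;
	uint8_t  bDescriptorSubtype;
	uint16_t bcdUVC;
	uint16_t wTotalLength;
	uint32_t dwClockFrequency;
	uint8_t  bInCollection;
	uint8_t  baInterfaceNr[1];	/* really bInCollection entries */
} __attribute__((packed));

/* Fixed part; sizeof() would count one array entry too many. */
#define VC_HEADER_FIXED_LEN	offsetof(struct vc_header_desc, baInterfaceNr)

#define VC_ETRUNC	-1	/* buffer or bLength shorter than the fixed part */
#define VC_ENOVS	-2	/* bInCollection == 0, the check the driver has */
#define VC_EARRAY	-3	/* bLength does not cover bInCollection entries */
#define VC_EIFACE	-4	/* an interface number >= the device's count */

/*
 * Validate a device-supplied VC header and copy its interface numbers.
 * buf/buflen is the raw descriptor, nifaces the number of interfaces the
 * device really has (the driver's sc_nifaces).  Returns bInCollection on
 * success or a VC_E* code; on error nothing past the fixed part is read.
 */
int
parse_vc_header(const uint8_t *buf, size_t buflen, unsigned nifaces,
    uint8_t *ifaces, size_t max_ifaces)
{
	const struct vc_header_desc *d = (const struct vc_header_desc *)buf;
	size_t i, n;

	if (buflen < VC_HEADER_FIXED_LEN)
		return VC_ETRUNC;
	if (d->bLength < VC_HEADER_FIXED_LEN || d->bLength > buflen)
		return VC_ETRUNC;
	if (d->bInCollection == 0)
		return VC_ENOVS;
	/* the check the refactor lacks: the trailing array must fit in bL
	   ength */
	n = d->bInCollection;
	if ((size_t)d->bLength < VC_HEADER_FIXED_LEN + n)
		return VC_EARRAY;
	for (i = 0; i < n; i++) {
		/* later used as sc_udev->ifaces[iface]: bound it first */
		if (d->baInterfaceNr[i] >= nifaces)
			return VC_EIFACE;
		if (i < max_ifaces)
			ifaces[i] = d->baInterfaceNr[i];
	}
	return (int)n;
}

/* Constructed descriptors (not captured from real hardware). */
const uint8_t good_desc[] = {
	14, 0x24, 0x01,			/* bLength, CS_INTERFACE, VC_HEADER */
	0x10, 0x01,			/* bcdUVC 1.10 */
	0x4e, 0x00,			/* wTotalLength */
	0x80, 0x8d, 0x5b, 0x00,		/* dwClockFrequency 6 MHz */
	2,				/* bInCollection */
	1, 2				/* baInterfaceNr */
};
/* bLength says 14, but bInCollection 3 needs 15 bytes: the array overreads. */
const uint8_t short_array_desc[] = {
	14, 0x24, 0x01, 0x10, 0x01, 0x4e, 0x00, 0x80, 0x8d, 0x5b, 0x00, 3, 1, 2
};
/* Interface number 7 on a device with only 3 interfaces. */
const uint8_t bad_iface_desc[] = {
	13, 0x24, 0x01, 0x10, 0x01, 0x4e, 0x00, 0x80, 0x8d, 0x5b, 0x00, 1, 7
};

/* Parse one sample against a 3-interface device; returns the parser result. */
int
parse_sample(const uint8_t *desc, size_t len)
{
	uint8_t ifaces[8];

	return parse_vc_header(desc, len, 3, ifaces, sizeof(ifaces));
}

int
main(void)
{
	printf("good: %d, short array: %d, bad iface: %d, truncated: %d\n",
	    parse_sample(good_desc, sizeof(good_desc)),
	    parse_sample(short_array_desc, sizeof(short_array_desc)),
	    parse_sample(bad_iface_desc, sizeof(bad_iface_desc)),
	    parse_sample(good_desc, 11));
	return 0;
}
```

The two rejected samples are the cases the patched driver would walk into: the first reads one byte past the descriptor, the second indexes `ifaces[]` with a value the device chose.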

Re: sa_family_t is not always equal to u_int8_t

2015-07-17 Thread Florian Obser
OK florian@

On Fri, Jul 17, 2015 at 01:41:17AM +0200, Alexandr Nedvedicky wrote:
 On Thu, Jul 16, 2015 at 11:10:06PM +, Miod Vallat wrote:
   cvs diff -p output:
  
  Please send unified diffs (diff -u). The easiest way is to have a
diff -up
  line in your ~/.cvsrc file. Or diff -uNp if you want cvs diff to show
  new files as well.
  
  Miod
 
 
 Sorry, now I got it..
 regards
 sasha
 
 Index: pfvar.h
 ===
 RCS file: /cvs/src/sys/net/pfvar.h,v
 retrieving revision 1.416
 diff -u -p -r1.416 pfvar.h
 --- pfvar.h 16 Jul 2015 21:14:21 -  1.416
 +++ pfvar.h 16 Jul 2015 23:39:21 -
 @@ -1791,7 +1791,7 @@ extern void
 pf_print_flags(u_int8_t);
  extern struct ifnet*sync_ifp;
  extern struct pf_rule   pf_default_rule;
  extern void pf_addrcpy(struct pf_addr *, struct pf_addr 
 *,
 -   u_int8_t);
 +   sa_family_t);
  voidpf_rm_rule(struct pf_rulequeue *,
 struct pf_rule *);
  voidpf_purge_rule(struct pf_ruleset *,
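Review bot: only the prototype changes here; the pf_addrcpy() definition must switch its third parameter to sa_family_t in the same commit, and pfvar.h must have the header that provides sa_family_t in scope for every file that includes it, or the prototype will not compile everywhere.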
 @@ -1984,7 +1984,7 @@ struct pf_os_fingerprint *
 pf_osfp_validate(void);
 
  #ifdef _KERNEL
 -voidpf_print_host(struct pf_addr *, u_int16_t, u_int8_t);
 +voidpf_print_host(struct pf_addr *, u_int16_t, 
 sa_family_t);
 
  int pf_get_transaddr(struct pf_rule *, struct pf_pdesc *,
 struct pf_src_node **, struct pf_rule **);
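Review bot: same for pf_print_host(): change the definition in lockstep with the prototype. The subject line's point only holds end to end if callers that still keep the family in a u_int8_t field are converted as well; otherwise the value is narrowed before it reaches this wider parameter on platforms where sa_family_t is not one byte.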
 

-- 
I'm not entirely sure you are real.



sed -i

2015-07-17 Thread Jasper Lievisse Adriaanse
Hi,

Here's a diff to add the '-i' flag to sed to do inplace edits. It's mostly
from FreeBSD with some adjustments to prevent a race with unlink() and fopen()
during the tempfile creation.

It's been tested in a full ports bulk (thanks aja), and went through a build
of base and xenocara.
Regress tests will also be added for this.

This diff is already OK millert@. Any more OKs?

Index: defs.h
===
RCS file: /cvs/src/usr.bin/sed/defs.h,v
retrieving revision 1.5
diff -u -p -r1.5 defs.h
--- defs.h  19 Jan 2015 15:30:52 -  1.5
+++ defs.h  16 Jul 2015 18:45:58 -
@@ -128,6 +128,7 @@ typedef struct {
char *space;/* Current space pointer. */
size_t len; /* Current length. */
int deleted;/* If deleted. */
+   int append_newline; /* If originally terminated by \n. */
char *back; /* Backing memory. */
size_t blen;/* Backing memory length. */
 } SPACE;
Index: extern.h
===
RCS file: /cvs/src/usr.bin/sed/extern.h,v
retrieving revision 1.9
diff -u -p -r1.9 extern.h
--- extern.h13 Apr 2015 05:11:23 -  1.9
+++ extern.h16 Jul 2015 00:23:57 -
@@ -40,17 +40,19 @@ extern regmatch_t *match;
 extern size_t maxnsub;
 extern u_long linenum;
 extern size_t appendnum;
-extern int lastline;
 extern int Eflag, aflag, eflag, nflag;
-extern char *fname;
+extern const char *fname, *outfname;
+extern FILE *infile, *outfile;
 
 voidcfclose(struct s_command *, struct s_command *);
 voidcompile(void);
-voidcspace(SPACE *, char *, size_t, enum e_spflag);
+voidcspace(SPACE *, const char *, size_t, enum e_spflag);
 char   *cu_fgets(char **, size_t *);
 voiderr(int, const char *, ...);
 int mf_fgets(SPACE *, enum e_spflag);
+int lastline(void);
 voidprocess(void);
+voidresetranges(void);
 char   *strregerror(int, regex_t *);
 void   *xmalloc(size_t);
 void   *xreallocarray(void *, size_t, size_t);
Index: main.c
===
RCS file: /cvs/src/usr.bin/sed/main.c,v
retrieving revision 1.18
diff -u -p -r1.18 main.c
--- main.c  26 Nov 2014 18:34:51 -  1.18
+++ main.c  16 Jul 2015 19:21:16 -
@@ -34,6 +34,7 @@
  */
 
 #include sys/types.h
+#include sys/stat.h
 
 #include ctype.h
 #include errno.h
@@ -45,6 +46,7 @@
 #include stdlib.h
 #include string.h
 #include unistd.h
+#include libgen.h
 
 #include defs.h
 #include extern.h
@@ -78,15 +80,23 @@ struct s_flist {
  */
 static struct s_flist *files, **fl_nextp = files;
 
+FILE *infile;  /* Current input file */
+FILE *outfile; /* Current output file */
+
 int Eflag, aflag, eflag, nflag;
+static int rval;   /* Exit status */
 
 /*
  * Current file and line number; line numbers restart across compilation
- * units, but span across input files.
+ * units, but span across input files.  The latter is optional if editing
+ * in place.
  */
-char *fname;   /* File name. */
+const char *fname; /* File name. */
+const char *outfname;  /* Output file name */
+static char oldfname[PATH_MAX];/* Old file name (for in-place editing) 
*/
+static char tmpfname[PATH_MAX];/* Temporary file name (for in-place 
editing) */
+char *inplace; /* Inplace edit file extension */
 u_long linenum;
-int lastline;  /* TRUE on the last line of the last file */
 
 static void add_compunit(enum e_cut, char *);
 static void add_file(char *);
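Review bot: `oldfname` and `tmpfname` are fixed PATH_MAX buffers and `inplace` is a user-supplied extension, so the code that builds path+extension and the temporary name (not in this excerpt) must check for truncation, since a silently truncated backup name would rename onto the wrong file. The unlink()/fopen() race fix mentioned in the message is also outside the visible hunks and cannot be reviewed here; mkstemp(3) on a template in the target's own directory is the expected shape.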
@@ -97,7 +107,8 @@ main(int argc, char *argv[])
int c, fflag;
 
fflag = 0;
-   while ((c = getopt(argc, argv, Eae:f:nru)) != -1)
+   inplace = NULL;
+   while ((c = getopt(argc, argv, Eae:f:i::nru)) != -1)
switch (c) {
case 'E':
case 'r':
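Review bot: `i::` makes the extension an optional argument, and getopt(3) only accepts an optional argument when it is attached to the flag (`-i.bak`); `-i .bak file` will take `.bak` as the script. That deserves a sentence in sed(1), and the `-i` with no extension deliberately yields `""` rather than NULL here, so the later "make a backup?" test must compare against the empty string, not against NULL.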
@@ -114,6 +125,9 @@ main(int argc, char *argv[])
fflag = 1;
add_compunit(CU_FILE, optarg);
break;
+   case 'i':
+   inplace = optarg ? optarg : ;
+   break;
case 'n':
nflag = 1;
break;
@@ -123,8 +137,8 @@ main(int argc, char *argv[])
default:
case '?':
(void)fprintf(stderr,
-   usage: sed [-aEnru] command [file ...]\n
-  sed [-aEnru] [-e command] [-f command_file] 
[file ...]\n);
+   usage: sed [-aEnru] [-i [extension]] command [file 
...]\n
+  sed [-aEnru] [-i [extension]] [-e command] 
[-f command_file] [file ...]\n);
exit(1);
}
argc -= optind;
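Review bot: the usage text prints `[-i [extension]]` with a space, which reads as a separate word; with the optional-argument getopt form the extension has to be attached, so `[-i[extension]]` is the accurate rendering here and in the manual's SYNOPSIS.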
@@ -148,7 +162,7 @@ main(int argc, char *argv[])

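The message mentions a race between unlink() and fopen() during temp-file creation without that part of the diff being visible, so here is an added example of the safe shape for an in-place edit. It is not Jasper's code nor FreeBSD's sed: a mkstemp(3) file is created next to the target, the permission bits are copied, every line goes through a transform, and the result is renamed over the original (optionally after moving the original to a backup). The `.inplace.XXXXXX` template, the upper-casing transform and the run_demo() fixture in /tmp are assumptions made for the demonstration.

```c
#define _POSIX_C_SOURCE 200809L
#define _DEFAULT_SOURCE
#include <ctype.h>
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Demo transform: upper-case the line, newline kept. */
void upcase_line(char *s) { for (; *s != '\0'; s++) *s = toupper((unsigned char)*s); }

/*
 * Rewrite `path` in place through xform().  Output goes to a mkstemp(3)
 * file beside the target: a unique name created O_EXCL, so there is no
 * unlink()/fopen() window for a planted file or symlink, and rename(2)
 * stays on one filesystem.  Returns 0, or -1 with errno set (temp removed).
 */
int
edit_in_place(const char *path, const char *bak_ext, void (*xform)(char *))
{
	char tmpl[PATH_MAX], bak[PATH_MAX];
	struct stat sb;
	FILE *in, *out = NULL;
	char *line = NULL;
	size_t cap = 0;
	int fd, created = 0, ret = -1;

	if ((in = fopen(path, "r")) == NULL)
		return -1;
	if (fstat(fileno(in), &sb) == -1 || !S_ISREG(sb.st_mode)) {
		errno = EINVAL;		/* refuse devices, fifos, directories */
		goto done;
	}
	/* path.inplace.XXXXXX and path+bak_ext; the return values catch truncation */
	if (snprintf(tmpl, sizeof(tmpl), "%s.inplace.XXXXXX", path) >= (int)sizeof(tmpl) ||
	    snprintf(bak, sizeof(bak), "%s%s", path, bak_ext) >= (int)sizeof(bak)) {
		errno = ENAMETOOLONG;
		goto done;
	}
	if ((fd = mkstemp(tmpl)) == -1)
		goto done;
	created = 1;
	/* carry the permission bits over; 0777 deliberately drops setuid/setgid/sticky */
	if (fchmod(fd, sb.st_mode & 0777) == -1 || (out = fdopen(fd, "w")) == NULL) {
		close(fd);
		goto done;
	}
	while (getline(&line, &cap, in) != -1) {
		xform(line);
		if (fputs(line, out) == EOF)
			goto done;
	}
	if (ferror(in))
		goto done;
	fd = fclose(out), out = NULL;	/* buffered write errors surface here */
	if (fd == EOF)
		goto done;
	if (*bak_ext != '\0' && rename(path, bak) == -1)
		goto done;
	if (rename(tmpl, path) == 0)
		ret = 0;
done:
	if (out != NULL)
		fclose(out);
	if (ret != 0 && created)
		unlink(tmpl);
	fclose(in);
	free(line);
	return ret;
}

/* End-to-end run on a constructed /tmp file; returns 0 or the failed step. */
int
run_demo(void)
{
	char path[] = "/tmp/inplace.XXXXXX", bak[PATH_MAX], buf[32];
	FILE *f;
	int fd, ok;

	if ((fd = mkstemp(path)) == -1 || write(fd, "hello\nworld\n", 12) != 12 || close(fd) != 0)
		return 1;
	if (edit_in_place(path, ".bak", upcase_line) != 0)
		return 2;
	snprintf(bak, sizeof(bak), "%s.bak", path);
	if ((f = fopen(path, "r")) == NULL)
		return 3;
	buf[fread(buf, 1, sizeof(buf) - 1, f)] = '\0';
	fclose(f);
	ok = strcmp(buf, "HELLO\nWORLD\n") == 0 && access(bak, R_OK) == 0;
	unlink(path);
	unlink(bak);
	return ok ? 0 : 4;
}

int main(void) { printf("in-place edit demo: %d (0 = all steps passed)\n", run_demo()); return 0; }
```

The predictable-name variant (build "dir/.!pid!name", unlink it, fopen it) is what the race is about: between the unlink and the fopen another local user can drop a symlink at that name and the editor then writes through it. mkstemp() removes the window because the kernel creates the file with O_EXCL under a name nobody could have guessed.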
Re: tcpdump: decode 802.11 country element

2015-07-17 Thread Stefan Sperling
On Fri, Jul 17, 2015 at 03:59:12AM +0300, Vadim Zhukov wrote:
 2015-07-17 2:53 GMT+03:00 Stefan Sperling s...@stsp.name:
  I don't think we should bother with invalid data. If it's not valid,
  we should silently skip it. Else tcpdump would have to print all sorts
  of warnings.
 
 I don't insist on explicit warning (invalid nchan or something like
 that), no. But, IMHO, we should display data we gathered without
 mangling; otherwise, we'll fool the user that nchan is 1 when it's 0
 actually.

Fair enough. I figure we can roll this into the code path for operating
element IDs (which were also skipped because I don't find them
very interesting) and print the data in raw form.

Like this?

Index: print-802_11.c
===
RCS file: /cvs/src/usr.sbin/tcpdump/print-802_11.c,v
retrieving revision 1.19
diff -u -p -r1.19 print-802_11.c
--- print-802_11.c  16 Jul 2015 20:57:13 -  1.19
+++ print-802_11.c  17 Jul 2015 17:00:02 -
@@ -78,6 +78,7 @@ intieee80211_hdr(struct ieee80211_fram
 int ieee80211_data(struct ieee80211_frame *, u_int);
 voidieee80211_print_element(u_int8_t *, u_int);
 voidieee80211_print_essid(u_int8_t *, u_int);
+voidieee80211_print_country(u_int8_t *, u_int);
 voidieee80211_print_htcaps(u_int8_t *, u_int);
 int ieee80211_elements(struct ieee80211_frame *, u_int);
 int ieee80211_frame(struct ieee80211_frame *, u_int);
@@ -233,6 +234,48 @@ ieee80211_print_essid(u_int8_t *essid, u
 
 /* Caller checks len */
 void
+ieee80211_print_country(u_int8_t *data, u_int len)
+{
+   u_int8_t first_chan, nchan, maxpower;
+
+   if (len  6)
+   return;
+
+   /* country string */
+   printf( '%c%c%c', data[0], data[1], data[2]);
+
+   len -= 3;
+   data += 3;
+
+   /* channels and corresponding TX power limits */
+   while (len  0) {
+   if (len  3)
+   break;
+   
+   /* no pretty-printing for nonsensical zero values,
+* nor for operating extension IDs (values = 201) */
+   if (data[0] == 0 || data[1] == 0 ||
+   data[0] = 201 || data[1] = 201) {
+   printf(, %d %d %d, data[0], data[1], data[2]);
+   continue;
+   }
+
+   first_chan = data[0];
+   nchan = data[1];
+   maxpower = data[2];
+
+   printf(, channel%s %d, nchan == 1 ?  : s, first_chan);
+   if (nchan  1)
+   printf(-%d, first_chan + nchan - 1);
+   printf( limit %ddB, maxpower);
+
+   len -= 3;
+   data += 3;
+   }
+}
+
+/* Caller checks len */
+void
 ieee80211_print_htcaps(u_int8_t *data, u_int len)
 {
u_int16_t htcaps;
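Review bot: the `continue` in the nonsensical-values branch of ieee80211_print_country() skips the `len -= 3; data += 3;` at the bottom of the loop, so a country element containing a zero or >= 201 triplet makes tcpdump print that same triplet forever; since this is beacon/probe-response data from any station in range, that is a remote denial of service against the sniffer. Advance the cursor before the `continue` (or move the advance to the top of the loop body). Also, the third byte of a subband triplet is a transmit power in dBm, so ` limit %ddBm` is the correct unit, unlike the power constraint element where dB is right.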
@@ -392,8 +435,7 @@ ieee80211_elements(struct ieee80211_fram
break;
case IEEE80211_ELEMID_COUNTRY:
printf(, country);
-   for (i = len; i  0; i--, data++)
-   printf( %u, data[0]);
+   ieee80211_print_country(data, len);
break;
case IEEE80211_ELEMID_CHALLENGE:
printf(, challenge);
@@ -436,6 +478,10 @@ ieee80211_elements(struct ieee80211_fram
printf(, htcaps);
if (vflag)
ieee80211_print_htcaps(data, len);
+   break;
+   case IEEE80211_ELEMID_POWER_CONSTRAINT:
+   ELEM_CHECK(1);
+   printf(, power constraint %udB, data[0]);
break;
case IEEE80211_ELEMID_VENDOR:
printf(, vendor);
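Review bot: ELEM_CHECK(1) correctly guards the single byte, and `%udB` is the right unit here because the Power Constraint value is a reduction relative to the regulatory maximum; worth keeping it distinct from the country element's dBm when both are printed in one line.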



Re: sed -i

2015-07-17 Thread Brian Callahan


On 07/17/15 12:10, Jasper Lievisse Adriaanse wrote:
 Hi,
 
 Here's a diff to add the '-i' flag to sed to do inplace edits. It's mostly
 from FreeBSD with some adjustments to prevent a race with unlink() and fopen()
 during the tempfile creation.
 
 It's been tested in a full ports bulk (thanks aja), and went through a build
 of base and xenocara.
 Regress tests will also be added for this.
 
 This diff is already OK millert@. Any more OKs?
 

Cool. This saves me having to install coreutils just to work on some
school projects.

ok bcallah@, fwiw.


Re: bridge(4) and etherip fix

2015-07-17 Thread Kazuya GODA

I tested this patch and etherip is working.
ok goda

On 2015/07/16 17:52, Martin Pieuchot wrote:

goda@ found a regression due to the recent M_PROTO1 change.  Apparently
gif(4) is using this flag to know that a packet comes from bridge(4) and
wants etherip encapsulation.

Instead of hiding another layer-violation (yeah for bridge!) make it
obvious.  Diff below, any ok?

Index: net/if_bridge.c
===
RCS file: /cvs/src/sys/net/if_bridge.c,v
retrieving revision 1.254
diff -u -p -r1.254 if_bridge.c
--- net/if_bridge.c 16 Jul 2015 21:14:21 -  1.254
+++ net/if_bridge.c 16 Jul 2015 23:13:33 -
@@ -91,6 +91,10 @@
  #include net/if_vlan_var.h
  #endif

+#if NGIF  0
+#include net/if_gif.h
+#endif
+
  #include net/if_bridge.h

  /*
@@ -1355,6 +1359,7 @@ bridge_input(struct ifnet *ifp, struct m
IF_ENQUEUE(sc-sc_if.if_snd, mc);
splx(s);
schednetisr(NETISR_BRIDGE);
+#if NGIF  0
if (ifp-if_type == IFT_GIF) {
TAILQ_FOREACH(ifl, sc-sc_iflist, next) {
if (ifl-ifp-if_type != IFT_ETHER)
@@ -1366,6 +1371,7 @@ bridge_input(struct ifnet *ifp, struct m
return (NULL);
}
}
+#endif /* NGIF */
return (m);
}

@@ -2556,8 +2562,12 @@ bridge_ifenqueue(struct bridge_softc *sc
/* Count packets input into the gif from outside */
ifp-if_ipackets++;
ifp-if_ibytes += m-m_pkthdr.len;
+
+   error = gif_encap(ifp, m, AF_LINK);
+   if (error)
+   return (error);
}
-#endif
+#endif /* NGIF */
len = m-m_pkthdr.len;

error = if_enqueue(ifp, m);
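Review bot: bridge_ifenqueue() returns gif_encap()'s error without touching `m`, so gif_encap() must free the mbuf on every failure path (the removed gif_start() code only freed it in the EAFNOSUPPORT default case and relied on in_gif_output()/in6_gif_output() to free on their own errors); otherwise the mbuf leaks here, and if both sides free it is a double free. Note also that if_ipackets/if_ibytes are bumped before the encapsulation is known to succeed, so failed encaps are counted as input.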
Index: net/if_gif.c
===
RCS file: /cvs/src/sys/net/if_gif.c,v
retrieving revision 1.76
diff -u -p -r1.76 if_gif.c
--- net/if_gif.c16 Jul 2015 21:21:49 -  1.76
+++ net/if_gif.c16 Jul 2015 23:09:57 -
@@ -169,39 +169,6 @@ gif_start(struct ifnet *ifp)
continue;
}

-   /*
-* Check if the packet is coming via bridge and needs
-* etherip encapsulation or not. bridge(4) directly calls
-* the start function and bypasses the if_output function
-* so we need to do the encap here.
-*/
-   if (ifp-if_bridgeport  (m-m_flags  M_PROTO1)) {
-   int error = 0;
-   /*
-* Remove multicast and broadcast flags or encapsulated
-* packet ends up as multicast or broadcast packet.
-*/
-   m-m_flags = ~(M_BCAST|M_MCAST);
-   switch (sc-gif_psrc-sa_family) {
-   case AF_INET:
-   error = in_gif_output(ifp, AF_LINK, m);
-   break;
-#ifdef INET6
-   case AF_INET6:
-   error = in6_gif_output(ifp, AF_LINK, m);
-   break;
-#endif
-   default:
-   error = EAFNOSUPPORT;
-   m_freem(m);
-   break;
-   }
-   if (error)
-   continue;
-   if (gif_checkloop(ifp, m))
-   continue;
-   }
-
  #if NBPFILTER  0
if (ifp-if_bpf) {
int offset;
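Review bot: the removed block called gif_checkloop(ifp, m) after encapsulating a bridged frame; nothing in the new gif_encap() below shows that check, so make sure the bridge path (bridge_ifenqueue() -> gif_encap()) still runs it, or a bridged frame whose tunnel endpoint leads back into the same bridge recurses without the loop guard.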
@@ -279,48 +246,58 @@ gif_start(struct ifnet *ifp)
  }

  int
-gif_output(struct ifnet *ifp, struct mbuf *m, struct sockaddr *dst,
-struct rtentry *rt)
+gif_encap(struct ifnet *ifp, struct mbuf **mp, sa_family_t af)
  {
struct gif_softc *sc = (struct gif_softc*)ifp;
int error = 0;
-
-   if (!(ifp-if_flags  IFF_UP) ||
-   sc-gif_psrc == NULL || sc-gif_pdst == NULL ||
-   sc-gif_psrc-sa_family != sc-gif_pdst-sa_family) {
-   m_freem(m);
-   error = ENETDOWN;
-   goto end;
-   }
-
/*
 * Remove multicast and broadcast flags or encapsulated packet
 * ends up as multicast or broadcast packet.
 */
-   m-m_flags = ~(M_BCAST|M_MCAST);
+   (*mp)-m_flags = ~(M_BCAST|M_MCAST);

/*
 * Encapsulate packet. Add IP or IP6 header depending on tunnel AF.
 */
switch (sc-gif_psrc-sa_family) {
case AF_INET:
-   error = in_gif_output(ifp, dst-sa_family, m);
+   error = in_gif_output(ifp, af, mp);
break;
  #ifdef INET6
case AF_INET6:
-   error = in6_gif_output(ifp, dst-sa_family, m);
+   error = 
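Review bot: the IFF_UP / gif_psrc / gif_pdst NULL and address-family checks that opened gif_output() are deleted here, yet gif_encap() dereferences `sc->gif_psrc->sa_family` in the switch; since bridge_ifenqueue() now calls gif_encap() directly, either keep that check at the top of gif_encap() or guarantee on the bridge side that an unconfigured gif(4) member is never reached. The diff is cut off at `error =`, so the AF_INET6 branch and the end of the function could not be reviewed.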

Re: sed -i

2015-07-17 Thread Robert Peichaer
On Fri, Jul 17, 2015 at 06:10:46PM +0200, Jasper Lievisse Adriaanse wrote:
 Hi,
 
 Here's a diff to add the '-i' flag to sed to do inplace edits. It's mostly
 from FreeBSD with some adjustments to prevent a race with unlink() and fopen()
 during the tempfile creation.
 
 It's been tested in a full ports bulk (thanks aja), and went through a build
 of base and xenocara.
 Regress tests will also be added for this.
 
 This diff is already OK millert@. Any more OKs?

I can not comment on the implementation itself, but I would love to have
this feature in our sed.

So fwiw, OK rpe

-- 
-=[rpe]=-



Re: tcpdump: decode 802.11 country element

2015-07-17 Thread Stefan Sperling
On Fri, Jul 17, 2015 at 09:05:28PM +0300, Vadim Zhukov wrote:
 The tcpdump is hard. :(
 
indeed :-/

Index: print-802_11.c
===
RCS file: /cvs/src/usr.sbin/tcpdump/print-802_11.c,v
retrieving revision 1.21
diff -u -p -r1.21 print-802_11.c
--- print-802_11.c  17 Jul 2015 17:41:41 -  1.21
+++ print-802_11.c  17 Jul 2015 18:57:14 -
@@ -29,6 +29,7 @@
 #include net80211/ieee80211.h
 #include net80211/ieee80211_radiotap.h
 
+#include ctype.h
 #include pcap.h
 #include stdio.h
 #include string.h
@@ -78,6 +79,7 @@ intieee80211_hdr(struct ieee80211_fram
 int ieee80211_data(struct ieee80211_frame *, u_int);
 voidieee80211_print_element(u_int8_t *, u_int);
 voidieee80211_print_essid(u_int8_t *, u_int);
+voidieee80211_print_country(u_int8_t *, u_int);
 voidieee80211_print_htcaps(u_int8_t *, u_int);
 int ieee80211_elements(struct ieee80211_frame *, u_int);
 int ieee80211_frame(struct ieee80211_frame *, u_int);
@@ -233,6 +235,47 @@ ieee80211_print_essid(u_int8_t *essid, u
 
 /* Caller checks len */
 void
+ieee80211_print_country(u_int8_t *data, u_int len)
+{
+   u_int8_t first_chan, nchan, maxpower;
+
+   if (len  6)
+   return;
+
+   /* country string */
+   printf((isprint(data[0]) ?  '%c :  '\\%03o), data[0]);
+   printf((isprint(data[1]) ? %c : \\%03o), data[1]);
+   printf((isprint(data[2]) ? %c' : \\%03o'), data[2]);
+
+   len -= 3;
+   data += 3;
+
+   /* channels and corresponding TX power limits */
+   while (len  3) {
+   /* no pretty-printing for nonsensical zero values,
+* nor for operating extension IDs (values = 201) */
+   if (data[0] == 0 || data[1] == 0 ||
+   data[0] = 201 || data[1] = 201) {
+   printf(, %d %d %d, data[0], data[1], data[2]);
+   continue;
+   }
+
+   first_chan = data[0];
+   nchan = data[1];
+   maxpower = data[2];
+
+   printf(, channel%s %d, nchan == 1 ?  : s, first_chan);
+   if (nchan  1)
+   printf(-%d, first_chan + nchan - 1);
+   printf( limit %ddB, maxpower);
+
+   len -= 3;
+   data += 3;
+   }
+}
+
+/* Caller checks len */
+void
 ieee80211_print_htcaps(u_int8_t *data, u_int len)
 {
u_int16_t htcaps;
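Review bot: the loop still does not advance on the raw-print branch: `continue` after the `data[0] == 0 || ... >= 201` test runs before `len -= 3; data += 3;`, so `while (len >= 3)` never terminates on such an element, and any station in range can send one. Put the advance before the `continue`. The isprint() calls are fine as written because `data` is u_int8_t, i.e. always within unsigned char range; the unit for the subband power is dBm rather than dB.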
@@ -392,8 +435,7 @@ ieee80211_elements(struct ieee80211_fram
break;
case IEEE80211_ELEMID_COUNTRY:
printf(, country);
-   for (i = len; i  0; i--, data++)
-   printf( %u, data[0]);
+   ieee80211_print_country(data, len);
break;
case IEEE80211_ELEMID_CHALLENGE:
printf(, challenge);
@@ -437,6 +479,10 @@ ieee80211_elements(struct ieee80211_fram
printf(, htcaps);
if (vflag)
ieee80211_print_htcaps(data, len);
+   break;
+   case IEEE80211_ELEMID_POWER_CONSTRAINT:
+   ELEM_CHECK(1);
+   printf(, power constraint %udB, data[0]);
break;
case IEEE80211_ELEMID_QBSS_LOAD:
ELEM_CHECK(5);

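Both versions of ieee80211_print_country() posted above (the rev 1.19 and the rev 1.21 diffs) share a loop that `continue`s without advancing past a raw triplet. The following is an added example, not tcpdump code: a parser for the same Country element body whose loop always consumes a triplet before classifying it, returning decoded subbands in a struct instead of printing them, fed constructed elements including the zero triplet that stalls the posted version. The decoding rule (zero or >= 201 in the first two bytes means raw) is the patch's own; the struct, function names and sample bytes are this example's, and the power unit is dBm per IEEE 802.11.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* One decoded subband triplet of an 802.11 Country element. */
struct country_subband {
	uint8_t first_chan;
	uint8_t nchan;
	int last_chan;		/* first_chan + nchan - 1 */
	uint8_t max_power;	/* dBm per the standard; the patch prints "dB" */
};

/*
 * Parse a Country element body (after ID and length): 3-byte country
 * string, then 3-byte triplets, optionally one pad byte.  Triplets with a
 * zero or >= 201 first/second byte are counted in *nraw and not decoded
 * (the patch's rule).  Returns decoded subbands, or -1 if len < 6.
 * The cursor moves before the triplet is classified, so a raw triplet
 * can never stall the loop the way it does in the posted version.
 */
int
parse_country_element(const uint8_t *data, size_t len, char country[3],
    struct country_subband *out, size_t max, size_t *nraw)
{
	size_t ndec = 0, raw = 0;

	if (len < 6)
		return -1;
	memcpy(country, data, 3);
	data += 3;
	len -= 3;
	while (len >= 3) {
		uint8_t b0 = data[0], b1 = data[1], b2 = data[2];

		data += 3;
		len -= 3;
		if (b0 == 0 || b1 == 0 || b0 >= 201 || b1 >= 201) {
			raw++;
			continue;
		}
		if (ndec < max) {
			out[ndec].first_chan = b0;
			out[ndec].nchan = b1;
			out[ndec].last_chan = b0 + b1 - 1;
			out[ndec].max_power = b2;
		}
		ndec++;
	}
	if (nraw != NULL)
		*nraw = raw;
	return (int)ndec;
}

/* Constructed element bodies, not captured frames. */
const uint8_t us_elem[] = {
	'U', 'S', ' ',
	1, 11, 30,		/* channels 1-11, 30 dBm */
	36, 4, 17,		/* channels 36-39, 17 dBm */
	201, 1, 0		/* regulatory extension triplet: left raw */
};
const uint8_t zero_elem[] = {
	'X', 'X', ' ',
	0, 0, 0,		/* the triplet the patch's loop never gets past */
	1, 13, 20
};

/* Number of decoded subbands (raw triplet count via nraw) in an element. */
int
count_subbands(const uint8_t *elem, size_t len, size_t *nraw)
{
	struct country_subband sb[8];
	char cc[3];

	return parse_country_element(elem, len, cc, sb, 8, nraw);
}

/* Raw (undecoded) triplet count, or -1 on a malformed element. */
int
count_raw_triplets(const uint8_t *elem, size_t len)
{
	size_t raw;

	return count_subbands(elem, len, &raw) < 0 ? -1 : (int)raw;
}

/* Last channel number of decoded subband idx, or -1. */
int
last_channel(const uint8_t *elem, size_t len, size_t idx)
{
	struct country_subband sb[8];
	char cc[3];
	int n = parse_country_element(elem, len, cc, sb, 8, NULL);

	return (n > 0 && idx < (size_t)n) ? sb[idx].last_chan : -1;
}

int main(void) { printf("US: %d subbands, %d raw; zero element: %d subbands\n", count_subbands(us_elem, sizeof(us_elem), NULL), count_raw_triplets(us_elem, sizeof(us_elem)), count_subbands(zero_elem, sizeof(zero_elem), NULL)); return 0; }
```

Feeding zero_elem to the posted printer loops forever on the (0, 0, 0) triplet; here it is counted once and the parser moves on to the real subband behind it.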


Re: Thinkpad active cooling

2015-07-17 Thread Mark Kettenis

Tobias Ulmer wrote on 2015-07-15 05:42:

On Wed, Jul 15, 2015 at 05:12:41AM +0300, Paul Irofti wrote:
I am not familiar with all the fan hack specifics so please keep that
in mind if my questions and comments seem trivial.

 This is an attempt to solve the problem slightly differently.
 - Hook into acpitz and only speed the fan up when it is requesting active
   cooling
 - Never set the fan to a mode that would endanger the hardware should we
   crash

Your diff applies to all Thinkpad models. Is that okay?


It applies to all Thinkpads that have a sensible value in
THINKPAD_ECOFFSET_FANLEVEL, as you noticed. There is no flag or
documentation indicating the existence of this register as far as I
know. It's somewhat of a tradition, every TP I've owned had it.

My hope is if they drop support or move the offset, the value will
change and we won't do any damage.


The Linux thinkpad-acpi driver suggests that accessing (and especially
writing to) the THINKPAD_ECOFFSET_FANLEVEL register should not be done
if the GFAN and/or SFAN ACPI method exists.

The Linux driver also says that full blast mode might damage the fan.




Re: Kill arp_ifinit()?

2015-07-17 Thread Claudio Jeker
On Tue, Jul 14, 2015 at 07:57:32PM +0200, Martin Pieuchot wrote:
 On 07/07/15(Tue) 18:02, Martin Pieuchot wrote:
  Maybe not yet but at least I'd like to do the ARP request a bit later.
  
  We create a RTF_LOCAL route entry for every configured address.  So
  use this information to emit a who-has for the configured address.
  
  This also has the advantage of *not* sending an ARP request if 
  something wrong happens between the SIOCSIFADDR ioctl and the
  RTF_LOCAL route creation.
 
 Anybody?
 

OK claudio@

  Ok?
  
  Index: netinet/if_ether.c
  ===
  RCS file: /cvs/src/sys/netinet/if_ether.c,v
  retrieving revision 1.157
  diff -u -p -r1.157 if_ether.c
  --- netinet/if_ether.c  7 Jul 2015 14:22:25 -   1.157
  +++ netinet/if_ether.c  7 Jul 2015 15:56:15 -
  @@ -196,8 +196,11 @@ arp_rtrequest(int req, struct rtentry *r
  if ((rt-rt_flags  RTF_CLONING) != 0)
  break;
  }
  -   /* Announce a new entry if requested. */
  -   if (rt-rt_flags  RTF_ANNOUNCE)
  +   /*
  +* Announce a new entry if requested or warn the user
  +* if another station has this IP address.
  +*/
  +   if (rt-rt_flags  (RTF_ANNOUNCE|RTF_LOCAL))
  arprequest(ifp,
  satosin(rt_key(rt))-sin_addr.s_addr,
  satosin(rt_key(rt))-sin_addr.s_addr,
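Review bot: the new comment on the RTF_ANNOUNCE|RTF_LOCAL branch promises to "warn the user if another station has this IP address", but the only thing this hunk does is send an ARP request with sender and target both set to the route's own address; the warning can only come from the code that handles the reply, which is not in this diff. Reword the comment to say what happens here, e.g. "probe for our own address so that a station already using it answers and gets logged", so nobody looks in arp_rtrequest() for the log message.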
  @@ -850,12 +853,6 @@ arpproxy(struct in_addr in, u_int rdomai
   void
   arp_ifinit(struct arpcom *ac, struct ifaddr *ifa)
   {
  -
  -   /* Warn the user if another station has this IP address. */
  -   arprequest(ac-ac_if,
  -   satosin(ifa-ifa_addr)-sin_addr.s_addr,
  -   satosin(ifa-ifa_addr)-sin_addr.s_addr,
  -   ac-ac_enaddr);
  ifa-ifa_rtrequest = arp_rtrequest;
   }
   
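Review bot: with this hunk arp_ifinit() is reduced to setting ifa->ifa_rtrequest, so the probe for a freshly configured address is sent only when the RTF_LOCAL route is created in the first hunk. Any caller that reached arp_ifinit() without an RTF_LOCAL route following (or with the route created before ifa_rtrequest is set) now gets no duplicate-address probe at all; since the subject proposes removing the function entirely, listing its callers and the ordering guarantee in the commit message would make that easy to verify.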
  
 

-- 
:wq Claudio
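The probe this diff moves into arp_rtrequest() is a who-has for the interface's own address, and the "warning" only materialises when another station answers it. As an added example, not kernel code from the diff or from OpenBSD, here is that exchange in user space: a builder for the probe (sender and target IP both set to the configured address, target MAC left zero), a parser, and the check that classifies an answer as an address conflict. The station addresses, the sample reply and the ARP_*/ETHERTYPE_ constants with trailing underscores are constructed for this example.

```c
/* Added example (not OpenBSD kernel code): the who-has probe for our own
 * address that arp_rtrequest() sends for an RTF_LOCAL route, built in user
 * space, plus the check that turns an answer to it into a duplicate-address
 * conflict.  All addresses and the *_ constants here are constructed. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ARPHRD_ETHER_  1
#define ETHERTYPE_IP_  0x0800
#define ARPOP_REQUEST_ 1
#define ARPOP_REPLY_   2
#define ARP_LEN        28     /* Ethernet/IPv4 ARP body, no link header */

struct arp_pkt {
	uint16_t op;
	uint8_t sha[6], spa[4], tha[6], tpa[4];
};

/* Serialize an Ethernet/IPv4 ARP packet.  Returns bytes written or 0. */
size_t
arp_build(uint16_t op, const uint8_t sha[6], const uint8_t spa[4],
    const uint8_t tha[6], const uint8_t tpa[4], uint8_t *out, size_t outlen)
{
	if (outlen < ARP_LEN)
		return 0;
	out[0] = 0; out[1] = ARPHRD_ETHER_;                  /* hardware type */
	out[2] = ETHERTYPE_IP_ >> 8; out[3] = ETHERTYPE_IP_ & 0xff;
	out[4] = 6; out[5] = 4;                              /* hlen, plen */
	out[6] = op >> 8; out[7] = op & 0xff;
	memcpy(out + 8, sha, 6);
	memcpy(out + 14, spa, 4);
	memcpy(out + 18, tha, 6);
	memcpy(out + 24, tpa, 4);
	return ARP_LEN;
}

/* Parse; rejects short packets and anything but Ethernet/IPv4 ARP. */
int
arp_parse(const uint8_t *in, size_t inlen, struct arp_pkt *p)
{
	if (inlen < ARP_LEN || in[0] != 0 || in[1] != ARPHRD_ETHER_ ||
	    in[2] != 0x08 || in[3] != 0x00 || in[4] != 6 || in[5] != 4)
		return -1;
	p->op = (uint16_t)((in[6] << 8) | in[7]);
	memcpy(p->sha, in + 8, 6);
	memcpy(p->spa, in + 14, 4);
	memcpy(p->tha, in + 18, 6);
	memcpy(p->tpa, in + 24, 4);
	return 0;
}

static const uint8_t zero_mac[6] = { 0 };

/* The kernel's probe: sender IP == target IP == the configured address,
 * so a station already using that address answers with its own MAC. */
size_t
arp_build_probe(const uint8_t my_mac[6], const uint8_t my_ip[4],
    uint8_t *out, size_t outlen)
{
	return arp_build(ARPOP_REQUEST_, my_mac, my_ip, zero_mac, my_ip,
	    out, outlen);
}

/* "Another station has this IP address": any ARP packet (request or
 * reply) whose sender IP is ours but whose sender MAC is not. */
int
arp_is_conflict(const struct arp_pkt *p, const uint8_t my_mac[6],
    const uint8_t my_ip[4])
{
	return memcmp(p->spa, my_ip, 4) == 0 && memcmp(p->sha, my_mac, 6) != 0;
}

/* Constructed station addresses for the demonstration. */
static const uint8_t demo_mac[6] = { 0x00, 0x11, 0x22, 0x33, 0x44, 0x55 };
static const uint8_t demo_ip[4] = { 192, 0, 2, 10 };
static const uint8_t other_mac[6] = { 0x00, 0xaa, 0xbb, 0xcc, 0xdd, 0xee };

int
main(void)
{
	uint8_t probe[ARP_LEN], reply[ARP_LEN];
	struct arp_pkt p;

	arp_build_probe(demo_mac, demo_ip, probe, sizeof(probe));
	/* Constructed answer from a second station claiming 192.0.2.10. */
	arp_build(ARPOP_REPLY_, other_mac, demo_ip, demo_mac, demo_ip,
	    reply, sizeof(reply));
	if (arp_parse(reply, sizeof(reply), &p) == 0 &&
	    arp_is_conflict(&p, demo_mac, demo_ip))
		printf("duplicate IP address 192.0.2.10 sent from "
		    "%02x:%02x:%02x:%02x:%02x:%02x\n", p.sha[0], p.sha[1],
		    p.sha[2], p.sha[3], p.sha[4], p.sha[5]);
	return 0;
}
```

The conflict test deliberately ignores the opcode: a request from a foreign MAC that carries our IP as sender is as good a sign of a duplicate as a reply, which is why the kernel's probe uses its own address in both fields.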



Re: tcpdump: decode 802.11 country element

2015-07-17 Thread Vadim Zhukov
On 17 July 2015 at 20:07, Stefan Sperling s...@stsp.name wrote:

 On Fri, Jul 17, 2015 at 03:59:12AM +0300, Vadim Zhukov wrote:
  2015-07-17 2:53 GMT+03:00 Stefan Sperling s...@stsp.name:
   I don't think we should bother with invalid data. If it's not valid,
   we should silently skip it. Else tcpdump would have to print all sorts
   of warnings.
 
  I don't insist on explicit warning (invalid nchan or something like
  that), no. But, IMHO, we should display data we gathered without
  mangling; otherwise, we'll fool the user that nchan is 1 when it's 0
  actually.

 Fair enough. I figure we can roll this into the code path for operating
 element IDs (which were also skipped because I don't find them very
 interesting) and print the data in raw form.

 Like this?

Yeah, I like this. But I found one more issue. :)

 Index: print-802_11.c
 ===
 RCS file: /cvs/src/usr.sbin/tcpdump/print-802_11.c,v
 retrieving revision 1.19
 diff -u -p -r1.19 print-802_11.c
 --- print-802_11.c  16 Jul 2015 20:57:13 -  1.19
 +++ print-802_11.c  17 Jul 2015 17:00:02 -
 @@ -78,6 +78,7 @@ intieee80211_hdr(struct ieee80211_fram
  int ieee80211_data(struct ieee80211_frame *, u_int);
  voidieee80211_print_element(u_int8_t *, u_int);
  voidieee80211_print_essid(u_int8_t *, u_int);
 +voidieee80211_print_country(u_int8_t *, u_int);
  voidieee80211_print_htcaps(u_int8_t *, u_int);
  int ieee80211_elements(struct ieee80211_frame *, u_int);
  int ieee80211_frame(struct ieee80211_frame *, u_int);
 @@ -233,6 +234,48 @@ ieee80211_print_essid(u_int8_t *essid, u

  /* Caller checks len */
  void
 +ieee80211_print_country(u_int8_t *data, u_int len)
 +{
 +   u_int8_t first_chan, nchan, maxpower;
 +
 +   if (len  6)
 +   return;
 +
 +   /* country string */
 +   printf( '%c%c%c', data[0], data[1], data[2]);

Looking here again, I see direct printing of untrusted data. Other
tcpdump parts use isprint() check for safety, and print either some
other character, or character code instead:

print-icmp6.c:  printf((isprint(*cp) ? "%c" : "\\%03o"), *cp);
print-ike.c:    printf("%c", (isprint(*p) ? *p : '.'));

The tcpdump is hard. :(

 +
 +   len -= 3;
 +   data += 3;
 +
 +   /* channels and corresponding TX power limits */
 +   while (len  0) {
 +   if (len  3)
 +   break;

BTW, you can just write while (len = 3) then. ;)

 +   /* no pretty-printing for nonsensical zero values,
 +* nor for operating extension IDs (values = 201) */
 +   if (data[0] == 0 || data[1] == 0 ||
 +   data[0] = 201 || data[1] = 201) {
 +   printf(, %d %d %d, data[0], data[1], data[2]);
 +   continue;
 +   }
 +
 +   first_chan = data[0];
 +   nchan = data[1];
 +   maxpower = data[2];
 +
 +   printf(, channel%s %d, nchan == 1 ?  : s, first_chan);
 +   if (nchan  1)
 +   printf(-%d, first_chan + nchan - 1);
 +   printf( limit %ddB, maxpower);
 +
 +   len -= 3;
 +   data += 3;
 +   }
 +}
 +
 +/* Caller checks len */
 +void
  ieee80211_print_htcaps(u_int8_t *data, u_int len)
  {
 u_int16_t htcaps;
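Review bot: the raw-print branch in ieee80211_print_country() does `printf(", %d %d %d", ...); continue;` without the `len -= 3; data += 3;` that only the pretty-print path has at the bottom of the loop, so the first zero or >= 201 triplet makes the while loop spin forever printing the same three bytes, and any beacon on the air can trigger it. Move the advance to the top of the loop, or duplicate it before the `continue`. The `/* Caller checks len */` comment that now sits above this function is also misleading: the function checks `len < 6` itself and the COUNTRY case in ieee80211_elements() does no ELEM_CHECK before calling it.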
 @@ -392,8 +435,7 @@ ieee80211_elements(struct ieee80211_fram
 break;
 case IEEE80211_ELEMID_COUNTRY:
 printf(, country);
 -   for (i = len; i  0; i--, data++)
 -   printf( %u, data[0]);
 +   ieee80211_print_country(data, len);
 break;
 case IEEE80211_ELEMID_CHALLENGE:
 printf(, challenge);
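Review bot: the COUNTRY case hands data/len to ieee80211_print_country() without an ELEM_CHECK(), unlike the neighbouring cases that do ELEM_CHECK(1)/ELEM_CHECK(5) before touching data; the callee returns silently on len < 6, so a truncated element prints ", country" and nothing else, with no indication that it was cut off. An ELEM_CHECK(6) here keeps the element cases uniform and lets the caller treat a short country element like every other short element.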
 @@ -436,6 +478,10 @@ ieee80211_elements(struct ieee80211_fram
 printf(, htcaps);
 if (vflag)
 ieee80211_print_htcaps(data, len);
 +   break;
 +   case IEEE80211_ELEMID_POWER_CONSTRAINT:
 +   ELEM_CHECK(1);
 +   printf(, power constraint %udB, data[0]);
 break;
 case IEEE80211_ELEMID_VENDOR:
 printf(, vendor);
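Review bot: style in the new POWER_CONSTRAINT case: the same u_int8_t data is printed as `%udB` here but as `%ddB` in ieee80211_print_country()'s "limit" output in the hunk above; pick one conversion for both (the values are 0..255 either way) so the two dB outputs read alike.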


--
Vadim Zhukov



tcpdump mpls pseudowire support

2015-07-17 Thread Rafael Zalamena
This diff adds support for detection of pseudowires inside of MPLS tagged
packets. Basically it teaches MPLS to look for ethernet headers when there
is no sign of IP headers.

Index: interface.h
===
RCS file: /cvs/src/usr.sbin/tcpdump/interface.h,v
retrieving revision 1.65
diff -u -p -r1.65 interface.h
--- interface.h 5 Apr 2015 17:02:57 -   1.65
+++ interface.h 17 Jul 2015 18:16:43 -
@@ -205,6 +205,7 @@ extern void pfsync_if_print(u_char *, co
 extern void pfsync_ip_print(const u_char *, u_int, const u_char *);
 extern void ether_if_print(u_char *, const struct pcap_pkthdr *,
const u_char *);
+void ether_tryprint(const u_char *, u_int);
 extern void fddi_if_print(u_char *, const struct pcap_pkthdr *, const u_char 
*);
 extern void ppp_ether_if_print(u_char *, const struct pcap_pkthdr *,
const u_char *);
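Review bot: style: the new ether_tryprint() prototype is the only declaration in this block without `extern`; add it to match the neighbouring pfsync_*, ether_if_print and fddi_if_print declarations.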
Index: print-ether.c
===
RCS file: /cvs/src/usr.sbin/tcpdump/print-ether.c,v
retrieving revision 1.29
diff -u -p -r1.29 print-ether.c
--- print-ether.c   16 Jan 2015 06:40:21 -  1.29
+++ print-ether.c   17 Jul 2015 18:16:43 -
@@ -89,29 +89,34 @@ u_short extracted_ethertype;
 void
 ether_if_print(u_char *user, const struct pcap_pkthdr *h, const u_char *p)
 {
-   u_int caplen = h-caplen;
-   u_int length = h-len;
-   struct ether_header *ep;
-   u_short ether_type;
-
ts_print(h-ts);
 
-   if (caplen  sizeof(struct ether_header)) {
-   printf([|ether]);
-   goto out;
-   }
-
/*
 * Some printers want to get back at the ethernet addresses,
 * and/or check that they're not walking off the end of the packet.
 * Rather than pass them all the way down, we set these globals.
 */
-   packetp = p;
-   snapend = p + caplen;
+   snapend = p + h-caplen;
+
+   ether_tryprint(p, h-len);
+}
+
+void
+ether_tryprint(const u_char *p, u_int length)
+{
+   u_int caplen = snapend - p;
+   struct ether_header *ep;
+   u_short ether_type;
+
+   if (caplen  sizeof(struct ether_header)) {
+   printf([|ether]);
+   goto out;
+   }
 
if (eflag)
ether_print(p, length);
 
+   packetp = p;
length -= sizeof(struct ether_header);
caplen -= sizeof(struct ether_header);
ep = (struct ether_header *)p;
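Review bot: `u_int caplen = snapend - p;` in ether_tryprint() silently wraps to a huge value if p is ever past snapend, which defeats the `caplen < sizeof(struct ether_header)` guard right below it; since the function is now called from mpls_print() with a pointer it did not validate itself, add `if (p > snapend) { printf("[|ether]"); return; }` (or an explicit TCHECK) before computing caplen. Separately, `packetp = p;` has moved below the eflag print and is now reassigned on every nested call, so after an MPLS-encapsulated Ethernet frame any later printer that uses packetp sees the inner frame rather than the captured packet; if that global is meant to mark the outer packet start, set it only in ether_if_print().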
Index: print-mpls.c
===
RCS file: /cvs/src/usr.sbin/tcpdump/print-mpls.c,v
retrieving revision 1.2
diff -u -p -r1.2 print-mpls.c
--- print-mpls.c30 Jun 2010 19:01:06 -  1.2
+++ print-mpls.c17 Jul 2015 18:16:43 -
@@ -31,6 +31,12 @@
 #include interface.h
 #include extract.h   /* must come after interface.h */
 
+#define CW_ZERO_MASK   (0xf000U)
+#define CW_FRAG_MASK   (0x0fffU)
+#define CW_SEQUENCE_MASK   (0xU)
+
+void controlword_print(const u_char **, u_int *);
+
 void
 mpls_print(const u_char *bp, u_int len)
 {
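Review bot: the control word layout these masks encode does not match RFC 4385 section 3: after the zero nibble come 4 flag bits, a 2-bit FRG field, a 6-bit Length field and a 16-bit sequence number, so a single 12-bit "frag" mask shifted down by 16 lumps flags, FRG and length together. Define four masks (flags 0x0f000000, FRG 0x00c00000, length 0x003f0000, sequence 0x0000ffff) and print them separately; the length field matters on its own because it tells the receiver how much padding to strip from frames shorter than 64 bytes.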
@@ -56,6 +62,9 @@ mpls_print(const u_char *bp, u_int len)
if (!bottom)
goto again;
 
+   /* Handle pseudowire control word if any. */
+   controlword_print(bp, len);
+
/*
 * guessing the underlying protocol is about all we can do if
 * it's not explicitly defined.
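Review bot: controlword_print() is now called for every bottom-of-stack packet and decides that a control word is present purely from the first nibble being 0, which is also how an Ethernet frame carried without a control word starts when its destination MAC begins with 0x0 (any 00:xx:xx address); such frames lose their first four bytes and the remainder is misparsed. The sniffer cannot know the PW type, so at least make the guess visible in the output (print the CW and the assumption together) or gate it on a command-line flag, and treat a first nibble of 1 as the PW associated channel header (RFC 4385 section 5) instead of letting it fall through to the Ethernet guess below.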
@@ -99,15 +108,48 @@ mpls_print(const u_char *bp, u_int len)
 
switch (bp[0]  0xf0) {
case 0x40:
+   /*
+* IPv4 second nibble is the header length and its
+* value must be at least 5 bytes long.
+*/
+   if ((bp[0]  0x0f)  5) {
+   ether_tryprint(bp, len);
+   break;
+   }
+
ip_print(bp, len);
break;
case 0x60:
ip6_print(bp, len);
break;
+   default:
+   ether_tryprint(bp, len);
+   break;
}
}
 
return;
 trunc:
printf([|mpls]);
+}
+
+void
+controlword_print(const u_char **bp, u_int *lenp)
+{
+   u_int32_t cw, frag, seq;
+
+   if (*lenp  4)
+   return;
+
+   cw = EXTRACT_32BITS(*bp);
+   if (cw  CW_ZERO_MASK)
+   return;
+
+   *bp += sizeof(cw);
+   *lenp += sizeof(cw);
+
+   frag = (cw  CW_FRAG_MASK)  16;
+   seq = cw  CW_SEQUENCE_MASK;
+
+   printf(CW(frag %u, sequence %u) , frag, seq);
 }
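Review bot: `*lenp += sizeof(cw);` in controlword_print() grows the remaining length after the four control-word bytes were consumed; it must be `*lenp -= sizeof(cw);`, otherwise every printer called afterwards believes the payload is 8 bytes longer than it really is and length accounting and truncation detection for the inner frame are wrong. The `if (*lenp < 4) return;` check before it is right, so only the sign needs flipping.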


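Control word decoding done against the RFC 4385 field layout, as an added example that is not part of this diff or of tcpdump. It shows the payload guess the diff makes explicit (IPv4 with IHL check, IPv6, control word, associated channel header, otherwise Ethernet), the length bookkeeping when the control word is consumed, and the four real fields behind the zero nibble. The enum, struct and sample packet bytes are this example's own constructions.

```c
/* Added example (not tcpdump code): classify what follows the bottom MPLS
 * label and, when a generic pseudowire control word (RFC 4385) is present,
 * decode its real fields.  The enum, struct and sample bytes are this
 * example's own. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

enum pw_payload { PW_TRUNC, PW_IPV4, PW_IPV6, PW_ETHER_CW, PW_ETHER_NOCW, PW_ACH };

struct pw_cw {
	uint8_t flags;   /* bits 4..7, meaning depends on the PW type */
	uint8_t frg;     /* bits 8..9, fragmentation */
	uint8_t length;  /* bits 10..15, payload length when padded to 64 bytes */
	uint16_t seq;    /* bits 16..31, sequence number (0 = unused) */
};

static uint32_t
get32(const unsigned char *p)
{
	return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
	    ((uint32_t)p[2] << 8) | p[3];
}

/* RFC 4385 section 3 layout; the caller has checked the first nibble is 0. */
void
pw_cw_decode(uint32_t cw, struct pw_cw *out)
{
	out->flags = (cw >> 24) & 0x0f;
	out->frg = (cw >> 22) & 0x03;
	out->length = (cw >> 16) & 0x3f;
	out->seq = cw & 0xffff;
}

/* Classify the payload and, if a control word is consumed, advance *bpp
 * and shrink *lenp by its four bytes.  The first-nibble test is a guess:
 * without signalling the sniffer cannot know whether the PW carries a
 * control word, and an Ethernet frame without one whose destination MAC
 * starts with 0x0 looks exactly like a control word. */
enum pw_payload
pw_classify(const unsigned char **bpp, size_t *lenp, struct pw_cw *cw)
{
	const unsigned char *bp = *bpp;
	size_t len = *lenp;

	if (len < 1)
		return PW_TRUNC;
	switch (bp[0] >> 4) {
	case 0x4:
		/* IPv4 needs IHL >= 5, otherwise this is more likely Ethernet. */
		return (bp[0] & 0x0f) >= 5 ? PW_IPV4 : PW_ETHER_NOCW;
	case 0x6:
		return PW_IPV6;
	case 0x0:
		if (len < 4)
			return PW_TRUNC;
		pw_cw_decode(get32(bp), cw);
		*bpp = bp + 4;
		*lenp = len - 4;   /* consumed, so subtract */
		return PW_ETHER_CW;
	case 0x1:
		return PW_ACH;     /* PW associated channel header (RFC 4385 5) */
	default:
		return PW_ETHER_NOCW;
	}
}

/* Constructed sample: control word flags=0 FRG=0 length=0 seq=7, then an
 * Ethernet header (dst 01:00:5e:00:00:01, src 00:11:22:33:44:55, IPv4). */
static const unsigned char sample_pw_with_cw[] = {
	0x00, 0x00, 0x00, 0x07,
	0x01, 0x00, 0x5e, 0x00, 0x00, 0x01,
	0x00, 0x11, 0x22, 0x33, 0x44, 0x55,
	0x08, 0x00
};

int
main(void)
{
	const unsigned char *bp = sample_pw_with_cw;
	size_t len = sizeof(sample_pw_with_cw);
	struct pw_cw cw;

	if (pw_classify(&bp, &len, &cw) == PW_ETHER_CW)
		printf("CW(flags %u, frg %u, length %u, seq %u), %zu bytes of "
		    "Ethernet follow\n", cw.flags, cw.frg, cw.length, cw.seq, len);
	return 0;
}
```

The sequence number is the field worth watching in a capture: a PW that uses it must deliver in order, so a jump backwards on a live pseudowire is either reordering or a replayed frame.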

Re: sed -i

2015-07-17 Thread Brian Callahan


On 07/17/15 13:51, Antoine Jacoutot wrote:
 On Fri, Jul 17, 2015 at 12:57:12PM -0400, Brian Callahan wrote:


 On 07/17/15 12:10, Jasper Lievisse Adriaanse wrote:
 Hi,

 Here's a diff to add the '-i' flag to sed to do inplace edits. It's mostly
 from FreeBSD with some adjustments to prevent a race with unlink() and fopen()
 during the tempfile creation.

 It's been tested in a full ports bulk (thanks aja), and went through a build
 of base and xenocara.
 Regress tests will also be added for this.

 This diff is already OK millert@. Any more OKs?


 Cool. This saves me having to install coreutils just to work on some
 school projects.
 
 You mean gsed right?
 

Oh, heh. Yes. I mean gsed.
Either way, it's one less package I have to remember. (and clearly I'm
not so good at remembering them in the first place!)

 
 ok bcallah@, fwiw.

 Index: defs.h
 ===
 RCS file: /cvs/src/usr.bin/sed/defs.h,v
 retrieving revision 1.5
 diff -u -p -r1.5 defs.h
 --- defs.h  19 Jan 2015 15:30:52 -  1.5
 +++ defs.h  16 Jul 2015 18:45:58 -
 @@ -128,6 +128,7 @@ typedef struct {
 char *space;/* Current space pointer. */
 size_t len; /* Current length. */
 int deleted;/* If deleted. */
 +   int append_newline; /* If originally terminated by \n. */
 char *back; /* Backing memory. */
 size_t blen;/* Backing memory length. */
  } SPACE;
 Index: extern.h
 ===
 RCS file: /cvs/src/usr.bin/sed/extern.h,v
 retrieving revision 1.9
 diff -u -p -r1.9 extern.h
 --- extern.h13 Apr 2015 05:11:23 -  1.9
 +++ extern.h16 Jul 2015 00:23:57 -
 @@ -40,17 +40,19 @@ extern regmatch_t *match;
  extern size_t maxnsub;
  extern u_long linenum;
  extern size_t appendnum;
 -extern int lastline;
  extern int Eflag, aflag, eflag, nflag;
 -extern char *fname;
 +extern const char *fname, *outfname;
 +extern FILE *infile, *outfile;
  
  voidcfclose(struct s_command *, struct s_command *);
  voidcompile(void);
 -voidcspace(SPACE *, char *, size_t, enum e_spflag);
 +voidcspace(SPACE *, const char *, size_t, enum e_spflag);
  char   *cu_fgets(char **, size_t *);
  voiderr(int, const char *, ...);
  int mf_fgets(SPACE *, enum e_spflag);
 +int lastline(void);
  voidprocess(void);
 +voidresetranges(void);
  char   *strregerror(int, regex_t *);
  void   *xmalloc(size_t);
  void   *xreallocarray(void *, size_t, size_t);
 Index: main.c
 ===
 RCS file: /cvs/src/usr.bin/sed/main.c,v
 retrieving revision 1.18
 diff -u -p -r1.18 main.c
 --- main.c  26 Nov 2014 18:34:51 -  1.18
 +++ main.c  16 Jul 2015 19:21:16 -
 @@ -34,6 +34,7 @@
   */
  
  #include sys/types.h
 +#include sys/stat.h
  
  #include ctype.h
  #include errno.h
 @@ -45,6 +46,7 @@
  #include stdlib.h
  #include string.h
  #include unistd.h
 +#include libgen.h
  
  #include defs.h
  #include extern.h
 @@ -78,15 +80,23 @@ struct s_flist {
   */
  static struct s_flist *files, **fl_nextp = files;
  
 +FILE *infile;  /* Current input file */
 +FILE *outfile; /* Current output file */
 +
  int Eflag, aflag, eflag, nflag;
 +static int rval;   /* Exit status */
  
  /*
   * Current file and line number; line numbers restart across compilation
 - * units, but span across input files.
 + * units, but span across input files.  The latter is optional if editing
 + * in place.
   */
 -char *fname;   /* File name. */
 +const char *fname; /* File name. */
 +const char *outfname;  /* Output file name */
 +static char oldfname[PATH_MAX];/* Old file name (for in-place editing) 
 */
 +static char tmpfname[PATH_MAX];/* Temporary file name (for in-place 
 editing) */
 +char *inplace; /* Inplace edit file extension */
  u_long linenum;
 -int lastline;  /* TRUE on the last line of the last 
 file */
  
  static void add_compunit(enum e_cut, char *);
  static void add_file(char *);
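Review bot: oldfname and tmpfname are fixed PATH_MAX buffers that the rest of the diff fills from fname plus the -i suffix and from the directory of fname plus a temp-file template; make sure those snprintf/strlcpy calls check for truncation, because a silently truncated tmpfname would be created in the wrong directory and the final rename() would then cross filesystems or land on an unrelated name. The rewritten comment "The latter is optional if editing in place" also does not say what happens; state plainly whether line numbers restart per input file when -i is given.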
 @@ -97,7 +107,8 @@ main(int argc, char *argv[])
 int c, fflag;
  
 fflag = 0;
 -   while ((c = getopt(argc, argv, Eae:f:nru)) != -1)
 +   inplace = NULL;
 +   while ((c = getopt(argc, argv, Eae:f:i::nru)) != -1)
 switch (c) {
 case 'E':
 case 'r':
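Review bot: `i::` makes the backup suffix an optional argument, which getopt(3) only recognises when it is glued to the flag: `sed -i .bak 's/a/b/' file` takes `.bak` as the script and edits `file` with no backup. That is FreeBSD's behaviour too, but it deserves a sentence in sed.1, and optional arguments via `::` are an extension beyond POSIX getopt, so double-check that OpenBSD's getopt(3) implements them before relying on it.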
 @@ -114,6 +125,9 @@ main(int argc, char *argv[])
 fflag = 1;
 add_compunit(CU_FILE, optarg);
 break;
 +   case 'i':
 +   inplace = optarg ? optarg : ;
 +   break;
 case 'n':
 nflag = 1;
 break;
 @@ -123,8 +137,8 @@ main(int argc, char *argv[])
 default:
 case 

Re: sed -i

2015-07-17 Thread Antoine Jacoutot
On Fri, Jul 17, 2015 at 12:57:12PM -0400, Brian Callahan wrote:
 
 
 On 07/17/15 12:10, Jasper Lievisse Adriaanse wrote:
  Hi,
  
  Here's a diff to add the '-i' flag to sed to do inplace edits. It's mostly
  from FreeBSD with some adjustments to prevent a race with unlink() and fopen()
  during the tempfile creation.
  
  It's been tested in a full ports bulk (thanks aja), and went through a build
  of base and xenocara.
  Regress tests will also be added for this.
  
  This diff is already OK millert@. Any more OKs?
  
 
 Cool. This saves me having to install coreutils just to work on some
 school projects.

You mean gsed right?


 ok bcallah@, fwiw.
 
  Index: defs.h
  ===
  RCS file: /cvs/src/usr.bin/sed/defs.h,v
  retrieving revision 1.5
  diff -u -p -r1.5 defs.h
  --- defs.h  19 Jan 2015 15:30:52 -  1.5
  +++ defs.h  16 Jul 2015 18:45:58 -
  @@ -128,6 +128,7 @@ typedef struct {
  char *space;/* Current space pointer. */
  size_t len; /* Current length. */
  int deleted;/* If deleted. */
  +   int append_newline; /* If originally terminated by \n. */
  char *back; /* Backing memory. */
  size_t blen;/* Backing memory length. */
   } SPACE;
  Index: extern.h
  ===
  RCS file: /cvs/src/usr.bin/sed/extern.h,v
  retrieving revision 1.9
  diff -u -p -r1.9 extern.h
  --- extern.h13 Apr 2015 05:11:23 -  1.9
  +++ extern.h16 Jul 2015 00:23:57 -
  @@ -40,17 +40,19 @@ extern regmatch_t *match;
   extern size_t maxnsub;
   extern u_long linenum;
   extern size_t appendnum;
  -extern int lastline;
   extern int Eflag, aflag, eflag, nflag;
  -extern char *fname;
  +extern const char *fname, *outfname;
  +extern FILE *infile, *outfile;
   
   voidcfclose(struct s_command *, struct s_command *);
   voidcompile(void);
  -voidcspace(SPACE *, char *, size_t, enum e_spflag);
  +voidcspace(SPACE *, const char *, size_t, enum e_spflag);
   char   *cu_fgets(char **, size_t *);
   voiderr(int, const char *, ...);
   int mf_fgets(SPACE *, enum e_spflag);
  +int lastline(void);
   voidprocess(void);
  +voidresetranges(void);
   char   *strregerror(int, regex_t *);
   void   *xmalloc(size_t);
   void   *xreallocarray(void *, size_t, size_t);
  Index: main.c
  ===
  RCS file: /cvs/src/usr.bin/sed/main.c,v
  retrieving revision 1.18
  diff -u -p -r1.18 main.c
  --- main.c  26 Nov 2014 18:34:51 -  1.18
  +++ main.c  16 Jul 2015 19:21:16 -
  @@ -34,6 +34,7 @@
*/
   
   #include sys/types.h
  +#include sys/stat.h
   
   #include ctype.h
   #include errno.h
  @@ -45,6 +46,7 @@
   #include stdlib.h
   #include string.h
   #include unistd.h
  +#include libgen.h
   
   #include defs.h
   #include extern.h
  @@ -78,15 +80,23 @@ struct s_flist {
*/
   static struct s_flist *files, **fl_nextp = files;
   
  +FILE *infile;  /* Current input file */
  +FILE *outfile; /* Current output file */
  +
   int Eflag, aflag, eflag, nflag;
  +static int rval;   /* Exit status */
   
   /*
* Current file and line number; line numbers restart across compilation
  - * units, but span across input files.
  + * units, but span across input files.  The latter is optional if editing
  + * in place.
*/
  -char *fname;   /* File name. */
  +const char *fname; /* File name. */
  +const char *outfname;  /* Output file name */
  +static char oldfname[PATH_MAX];/* Old file name (for in-place editing) 
  */
  +static char tmpfname[PATH_MAX];/* Temporary file name (for in-place 
  editing) */
  +char *inplace; /* Inplace edit file extension */
   u_long linenum;
  -int lastline;  /* TRUE on the last line of the last 
  file */
   
   static void add_compunit(enum e_cut, char *);
   static void add_file(char *);
  @@ -97,7 +107,8 @@ main(int argc, char *argv[])
  int c, fflag;
   
  fflag = 0;
  -   while ((c = getopt(argc, argv, Eae:f:nru)) != -1)
  +   inplace = NULL;
  +   while ((c = getopt(argc, argv, Eae:f:i::nru)) != -1)
  switch (c) {
  case 'E':
  case 'r':
  @@ -114,6 +125,9 @@ main(int argc, char *argv[])
  fflag = 1;
  add_compunit(CU_FILE, optarg);
  break;
  +   case 'i':
  +   inplace = optarg ? optarg : ;
  +   break;
  case 'n':
  nflag = 1;
  break;
  @@ -123,8 +137,8 @@ main(int argc, char *argv[])
  default:
  case '?':
  (void)fprintf(stderr,
  -   

Re: sed -i

2015-07-17 Thread Alexander Schrijver
On Fri, Jul 17, 2015 at 06:10:46PM +0200, Jasper Lievisse Adriaanse wrote:
 Here's a diff to add the '-i' flag to sed to do inplace edits. It's mostly
 from FreeBSD with some adjustments to prevent a race with unlink() and fopen()
 during the tempfile creation.

\o/



Re: Thinkpad active cooling

2015-07-17 Thread Mark Kettenis

Tobias Ulmer wrote on 2015-07-15 02:33:

As we all know, some Thinkpads have problems with their EC fan control.
EC is not spinning up the fans to maximum speed, let alone blast mode.
They also do not offer ACPI methods to spin the fan up.

Previous diffs doing manual fan control were always rejected because
hooking into the sensors framework with fixed temp limits is crude and
there are concerns with slowing the fan down and frying the hardware.

This is an attempt to solve the problem slightly differently.
- Hook into acpitz and only speed the fan up when it is requesting active
  cooling
- Never set the fan to a mode that would endanger the hardware should we
  crash

PS: It would be nice if there was a function to add cooling methods to
acpitz eg: acpitz_add(void (*fn)(struct acpitz_softc *, void *), void *arg)

I tried but getting struct acpitz_softc into a header is a bit messy.


Does the AML define any active cooling trip points (_AC0, _AC1, etc)?


Index: acpithinkpad.c
===
RCS file: /home/vcs/cvs/openbsd/src/sys/dev/acpi/acpithinkpad.c,v
retrieving revision 1.44
diff -u -p -r1.44 acpithinkpad.c
--- acpithinkpad.c  24 Apr 2015 14:44:17 -  1.44
+++ acpithinkpad.c  14 Jul 2015 23:52:14 -
@@ -104,6 +104,11 @@
 #define THINKPAD_ECOFFSET_FANLO0x84
 #define THINKPAD_ECOFFSET_FANHI0x85

+#define THINKPAD_ECOFFSET_FANLEVEL 0x2f
+#define THINKPAD_ECFANLEVEL_MAX7
+#define THINKPAD_ECFANLEVEL_BLAST  (16)
+#define THINKPAD_ECFANLEVEL_AUTO   (17)
+
 #defineTHINKPAD_ADAPTIVE_MODE_HOME 1
 #defineTHINKPAD_ADAPTIVE_MODE_FUNCTION 3

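Review bot: THINKPAD_ECFANLEVEL_BLAST and THINKPAD_ECFANLEVEL_AUTO read as `(16)` and `(17)` here; if they are the bit flags the Linux thinkpad-acpi driver uses for this register (0x40 full speed, 0x80 automatic) they should be spelled 0x40/0x80 or (1 << 6)/(1 << 7) so they are not mistaken for level numbers, and the `level == THINKPAD_ECFANLEVEL_AUTO` test in attach should then be a bit test, since the EC may keep a level in the low bits alongside the auto bit.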
@@ -119,6 +124,7 @@ struct acpithinkpad_softc {
 };

 extern void acpiec_read(struct acpiec_softc *, u_int8_t, int, u_int8_t 
*);

+extern void (*acpitz_activecool)(int, int);

 intthinkpad_match(struct device *, void *, void *);
 void   thinkpad_attach(struct device *, struct device *, void *);
@@ -134,6 +140,7 @@ int thinkpad_brightness_up(struct acpith
 intthinkpad_brightness_down(struct acpithinkpad_softc *);
 intthinkpad_adaptive_change(struct acpithinkpad_softc *);
 intthinkpad_activate(struct device *, int);
+voidthinkpad_activecool(int, int);

 voidthinkpad_sensor_attach(struct acpithinkpad_softc *sc);
 voidthinkpad_sensor_refresh(void *);
@@ -228,6 +235,7 @@ thinkpad_attach(struct device *parent, s
 {
struct acpithinkpad_softc *sc = (struct acpithinkpad_softc *)self;
struct acpi_attach_args *aa = aux;
+   u_int8_t level;

sc-sc_acpi = (struct acpi_softc *)parent;
sc-sc_devnode = aa-aaa_node;
@@ -241,6 +249,11 @@ thinkpad_attach(struct device *parent, s
/* Run thinkpad_hotkey on button presses */
aml_register_notify(sc-sc_devnode, aa-aaa_dev,
thinkpad_hotkey, sc, ACPIDEV_POLL);
+
+	/* Make sure fan is in auto mode, otherwise we're not sure of support 
*/
+	acpiec_read(acpi_softc-sc_ec, THINKPAD_ECOFFSET_FANLEVEL, 1, 
level);

+   if (level == THINKPAD_ECFANLEVEL_AUTO)
+   acpitz_activecool = thinkpad_activecool;
 }

 int
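Review bot: thinkpad_attach() now dereferences `acpi_softc->sc_ec` and reads the EC unconditionally, so on a model without an EC node this is a NULL dereference at attach; check sc_ec before the read. And as the thread already notes, the Linux driver refuses to touch this register when the GFAN/SFAN methods exist, so look those up on the node (aml_searchname()) and skip installing acpitz_activecool when they are present, rather than deciding solely from the register reading AUTO.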
@@ -546,4 +559,30 @@ thinkpad_activate(struct device *self, i
break;
}
return (0);
+}
+
+void
+thinkpad_activecool(int tmp, int psv)
+{
+   static uint8_t level = THINKPAD_ECFANLEVEL_AUTO;
+   uint8_t nlevel;
+
+   if (tmp  0 || psv  0)
+   return;
+
+   if (tmp  psv)
+   nlevel = THINKPAD_ECFANLEVEL_BLAST;
+   else if (tmp  psv-50)
+   /* EC firmware fan control is too slow in some models. When
+* we're getting within 5C of active cooling mode, turn the
+* fan to MAX. Helps with oscillation between blast and auto */
+   nlevel = THINKPAD_ECFANLEVEL_MAX;
+   else
+   nlevel = THINKPAD_ECFANLEVEL_AUTO;
+
+   if (nlevel != level) {
+   acpiec_write(acpi_softc-sc_ec, THINKPAD_ECOFFSET_FANLEVEL, 1,
+   nlevel);
+   level = nlevel;
+   }
 }
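Review bot: thinkpad_activecool() compares against a static cached `level` that starts at AUTO and is never re-read from the EC, so after suspend/resume, or whenever the EC firmware changes the register itself, the cache is stale and a transition the code thinks is a no-op (nlevel == level) is never written, leaving the fan at BLAST or, worse, failing to raise it. Read THINKPAD_ECOFFSET_FANLEVEL before comparing, reset the level to AUTO from thinkpad_activate() on DVACT_SUSPEND, and give the `50` in `psv-50` a name: it is 5.0 degrees in acpitz's tenth-of-a-degree units, which the comment explains but the code does not.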
Index: acpitz.c
===
RCS file: /home/vcs/cvs/openbsd/src/sys/dev/acpi/acpitz.c,v
retrieving revision 1.49
diff -u -p -r1.49 acpitz.c
--- acpitz.c6 May 2015 01:41:55 -   1.49
+++ acpitz.c14 Jul 2015 23:52:14 -
@@ -86,6 +86,7 @@ int   acpitz_setfan(struct acpitz_softc *,
 void   acpitz_init(struct acpitz_softc *, int);

 void   (*acpitz_cpu_setperf)(int);
+void(*acpitz_activecool)(int, int) = NULL;
 intacpitz_perflevel = -1;
 extern void(*cpu_setperf)(int);
 extern int perflevel;
@@ -427,6 +428,11 @@ acpitz_refresh(void *arg)
acpitz_setfan(sc, i, _OFF);
}
}
+
+   /* active cooling hook */
+   if (acpitz_activecool)
+   acpitz_activecool(sc-sc_tmp, sc-sc_psv);
+
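Review bot: acpitz_activecool is a global function pointer invoked from every acpitz_refresh(), i.e. once per thermal zone per poll, with that zone's _TMP and _PSV; on a machine with several zones the Thinkpad hook is called in turn with each zone's values and its single static level flips back and forth, writing the EC register repeatedly. Either pass the zone (sc) so the hook can choose, call it only from the zone that has a _PSV, or keep the hook's state per zone. The pointer is also never cleared on detach, so it dangles if acpithinkpad ever detaches.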

Re: tcpdump: decode 802.11 country element

2015-07-17 Thread Vadim Zhukov
On 17 July 2015 at 21:58, Stefan Sperling s...@stsp.name wrote:

 On Fri, Jul 17, 2015 at 09:05:28PM +0300, Vadim Zhukov wrote:
  The tcpdump is hard. :(

 indeed :-/

 Index: print-802_11.c
 ===
 RCS file: /cvs/src/usr.sbin/tcpdump/print-802_11.c,v
 retrieving revision 1.21
 diff -u -p -r1.21 print-802_11.c
 --- print-802_11.c  17 Jul 2015 17:41:41 -  1.21
 +++ print-802_11.c  17 Jul 2015 18:57:14 -
 @@ -29,6 +29,7 @@
  #include net80211/ieee80211.h
  #include net80211/ieee80211_radiotap.h

 +#include ctype.h
  #include pcap.h
  #include stdio.h
  #include string.h
 @@ -78,6 +79,7 @@ intieee80211_hdr(struct ieee80211_fram
  int ieee80211_data(struct ieee80211_frame *, u_int);
  voidieee80211_print_element(u_int8_t *, u_int);
  voidieee80211_print_essid(u_int8_t *, u_int);
 +voidieee80211_print_country(u_int8_t *, u_int);
  voidieee80211_print_htcaps(u_int8_t *, u_int);
  int ieee80211_elements(struct ieee80211_frame *, u_int);
  int ieee80211_frame(struct ieee80211_frame *, u_int);
 @@ -233,6 +235,47 @@ ieee80211_print_essid(u_int8_t *essid, u

  /* Caller checks len */
  void
 +ieee80211_print_country(u_int8_t *data, u_int len)
 +{
 +   u_int8_t first_chan, nchan, maxpower;
 +
 +   if (len  6)
 +   return;
 +
 +   /* country string */
 +   printf((isprint(data[0]) ?  '%c :  '\\%03o), data[0]);
 +   printf((isprint(data[1]) ? %c : \\%03o), data[1]);
 +   printf((isprint(data[2]) ? %c' : \\%03o'), data[2]);
 +
 +   len -= 3;
 +   data += 3;
 +
 +   /* channels and corresponding TX power limits */
 +   while (len  3) {
 +   /* no pretty-printing for nonsensical zero values,
 +* nor for operating extension IDs (values = 201) */
 +   if (data[0] == 0 || data[1] == 0 ||
 +   data[0] = 201 || data[1] = 201) {
 +   printf(, %d %d %d, data[0], data[1], data[2]);
 +   continue;
 +   }
 +
 +   first_chan = data[0];
 +   nchan = data[1];
 +   maxpower = data[2];
 +
 +   printf(, channel%s %d, nchan == 1 ?  : s,
first_chan);
 +   if (nchan  1)
 +   printf(-%d, first_chan + nchan - 1);
 +   printf( limit %ddB, maxpower);
 +
 +   len -= 3;
 +   data += 3;
 +   }
 +}
 +
 +/* Caller checks len */
 +void
  ieee80211_print_htcaps(u_int8_t *data, u_int len)
  {
 u_int16_t htcaps;
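Review bot: the raw-print branch still does `printf(", %d %d %d", ...); continue;` without advancing data and len (the `len -= 3; data += 3;` is only on the pretty-print path), so with the loop condition now on len alone a single zero or >= 201 triplet loops forever on the same three bytes; add the advance before the `continue`. Secondary: isprint() on the three country bytes is locale-dependent, and since tcpdump does not call setlocale() it runs in the C locale, so bytes >= 0x80 are escaped as \ooo, which is the behaviour wanted here.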
 @@ -392,8 +435,7 @@ ieee80211_elements(struct ieee80211_fram
 break;
 case IEEE80211_ELEMID_COUNTRY:
 printf(, country);
 -   for (i = len; i  0; i--, data++)
 -   printf( %u, data[0]);
 +   ieee80211_print_country(data, len);
 break;
 case IEEE80211_ELEMID_CHALLENGE:
 printf(, challenge);
 @@ -437,6 +479,10 @@ ieee80211_elements(struct ieee80211_fram
 printf(, htcaps);
 if (vflag)
 ieee80211_print_htcaps(data, len);
 +   break;
 +   case IEEE80211_ELEMID_POWER_CONSTRAINT:
 +   ELEM_CHECK(1);
 +   printf(, power constraint %udB, data[0]);
 break;
 case IEEE80211_ELEMID_QBSS_LOAD:
 ELEM_CHECK(5);

okay zhuk@

--
Vadim Zhukov
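The two versions of ieee80211_print_country() above (the one Vadim reviews and Stefan's revision with isprint()) both decode the same element, so here is one worked parser for it, as an added example that is not code from the diffs or from tcpdump. It separates parsing from printing, escapes the country string before it can reach a terminal, treats zero and operating-extension triplets as raw data, and advances on every path through the loop so a hostile beacon cannot hang it. The struct names, the MAX_TRIPLETS bound and the sample element bytes are this example's own.

```c
/* Added example (not tcpdump code): decode an IEEE 802.11 Country element
 * (element ID 7) from untrusted bytes.  Layout: a 3-byte country string,
 * then (first channel, channel count, max TX power) triplets, optionally
 * one pad byte.  Every loop path consumes a triplet, and the country string
 * is escaped before it can reach a terminal. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define COUNTRY_STR_LEN   3
#define TRIPLET_LEN       3
#define OPERATING_EXT_ID  201   /* first/count >= 201: operating extension */
#define MAX_TRIPLETS      16    /* bound for this example's output array */

struct chan_triplet {
	unsigned char first, nchan, power;  /* the raw three bytes */
	int pretty;  /* 1: a channel range; 0: zero or extension, show raw */
};

struct country_ie {
	char country[COUNTRY_STR_LEN * 4 + 1];  /* escaped, up to \ooo per byte */
	struct chan_triplet triplets[MAX_TRIPLETS];
	int ntriplets;
	int trailing;  /* bytes left over that did not form a full triplet */
};

/* Printable ASCII as-is, anything else as \ooo, the isprint() idiom the
 * other tcpdump printers use.  Returns characters produced. */
static int
escape_byte(unsigned char c, char *out, size_t outlen)
{
	if (isprint(c))
		return snprintf(out, outlen, "%c", c);
	return snprintf(out, outlen, "\\%03o", c);
}

/* Returns 0 on success, -1 when the element is shorter than the minimum
 * (country string plus one triplet). */
int
parse_country_ie(const unsigned char *data, size_t len, struct country_ie *ie)
{
	size_t pos = 0;
	int i;

	memset(ie, 0, sizeof(*ie));
	if (len < COUNTRY_STR_LEN + TRIPLET_LEN)
		return -1;
	for (i = 0; i < COUNTRY_STR_LEN; i++)
		pos += escape_byte(data[i], ie->country + pos,
		    sizeof(ie->country) - pos);
	data += COUNTRY_STR_LEN;
	len -= COUNTRY_STR_LEN;

	while (len >= TRIPLET_LEN && ie->ntriplets < MAX_TRIPLETS) {
		struct chan_triplet *t = &ie->triplets[ie->ntriplets++];

		t->first = data[0];
		t->nchan = data[1];
		t->power = data[2];
		t->pretty = t->first != 0 && t->nchan != 0 &&
		    t->first < OPERATING_EXT_ID && t->nchan < OPERATING_EXT_ID;
		data += TRIPLET_LEN;   /* advance on every path, no bare continue */
		len -= TRIPLET_LEN;
	}
	ie->trailing = (int)len;
	return 0;
}

/* Render like a packet dumper would; raw triplets are printed as numbers. */
void
print_country_ie(const struct country_ie *ie, FILE *fp)
{
	int i;

	fprintf(fp, "country '%s'", ie->country);
	for (i = 0; i < ie->ntriplets; i++) {
		const struct chan_triplet *t = &ie->triplets[i];

		if (!t->pretty) {
			fprintf(fp, ", %d %d %d", t->first, t->nchan, t->power);
			continue;
		}
		fprintf(fp, ", channel%s %d", t->nchan == 1 ? "" : "s", t->first);
		if (t->nchan > 1)
			fprintf(fp, "-%d", t->first + t->nchan - 1);
		fprintf(fp, " limit %ddB", t->power);
	}
	fputc('\n', fp);
}

/* Constructed sample: "US" + environment byte ' ', channels 1-11 at 30 dB,
 * a zero triplet, an operating-extension triplet, one pad byte. */
static const unsigned char sample_country_ie[] = {
	'U', 'S', ' ',  1, 11, 30,  0, 0, 0,  201, 1, 1,  0
};

int
main(void)
{
	struct country_ie ie;

	if (parse_country_ie(sample_country_ie, sizeof(sample_country_ie),
	    &ie) == -1)
		return 1;
	print_country_ie(&ie, stdout);
	return 0;
}
```

The `continue` in print_country_ie() is harmless because the printer iterates over an already parsed array; the parser, which walks the untrusted bytes, has no early `continue` at all.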


Re: sed -i

2015-07-17 Thread Jérémie Courrèges-Anglas
Jasper Lievisse Adriaanse jas...@openbsd.org writes:

 Hi,

 Here's a diff to add the '-i' flag to sed to do inplace edits. It's mostly
 from FreeBSD with some adjustments to prevent a race with unlink() and fopen()
 during the tempfile creation.

 It's been tested in a full ports bulk (thanks aja), and went through a build
 of base and xenocara.
 Regress tests will also be added for this.

 This diff is already OK millert@. Any more OKs?

I'm fine with the direction, this obviously helps the ports tree.

I haven't reviewed the code, but here's a small nit,

 Index: sed.1
 ===
 RCS file: /cvs/src/usr.bin/sed/sed.1,v
 retrieving revision 1.44
 diff -u -p -r1.44 sed.1
 --- sed.1 22 Oct 2014 23:23:22 -  1.44
 +++ sed.1 16 Jul 2015 19:15:14 -
 @@ -47,6 +47,7 @@
  .Op Fl aEnru
  .Op Fl e Ar command
  .Op Fl f Ar command_file
 +.Op Fl i Op Ar extension

should be something like

+.Op Fl i Ns Op Ar extension

since there should be no whitespace between -i and the optional
suffix.

  .Op Ar
  .Sh DESCRIPTION
  The
 @@ -94,6 +95,16 @@ Append the editing commands found in the
  .Ar command_file
  to the list of commands.
  The editing commands should each be listed on a separate line.
 +.It Fl i Ar extension

Same here.

 +Edit files in-place, saving backups with the specified
 +.Ar extension .
 +If a zero-length
 +.Ar extension
 +is given, no backup will be saved.
 +It is not recommended to give a zero-length
 +.Ar extension
 +when in-place editing files, as you risk corruption or partial content
 +in situations where disk space is exhausted, etc.
  .It Fl r
  An alias for
  .Fl E ,
 @@ -510,6 +521,12 @@ command,
  squeezing excess empty lines from standard input:
  .Bd -literal -offset indent
  $ sed -n '
 +.Pp
 +The
 +.Fl i
 +option is a non-standard
 +.Fx
 +extension and may not be available on other operating systems.
  # Write non-empty lines.
  /./ {
  p
 @@ -543,7 +560,7 @@ utility is compliant with the
  specification.
  .Pp
  The flags
 -.Op Fl aEru
 +.Op Fl aEiru
  are extensions to that specification.
  .Pp
  The use of newlines to separate multiple commands on the command line


-- 
jca | PGP : 0x1524E7EE / 5135 92C1 AD36 5293 2BDF  DDCC 0DFA 74AE 1524 E7EE
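The in-place editing pattern behind `-i`, with the unlink()/fopen() race Jasper mentions closed by mkstemp() and the backup-suffix behaviour the man page describes, as an added example that is not the sed diff's code: the temporary file is created exclusively in the target's own directory, inherits the original's permissions, is synced, and only then replaces the original with rename(). The line filter, the file names and the scratch file under /tmp are constructed for this example.

```c
/* Added example (not sed code): edit a file in place the safe way.  The
 * temporary file is created with mkstemp() next to the target, so no
 * unlink()/fopen() window exists, and the original is replaced atomically
 * with rename() once the new contents are complete and synced. */
#define _POSIX_C_SOURCE 200809L
#include <libgen.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

typedef int (*line_filter)(const char *in, char *out, size_t outlen);

/* Edit 'path' in place, line by line through 'fn'.  Returns 0 on success,
 * -1 on error with the original untouched: it is only renamed once the
 * replacement is complete and synced.  backup_suffix "" means no backup. */
int
edit_in_place(const char *path, const char *backup_suffix, line_filter fn)
{
	char dirbuf[PATH_MAX], tmpl[PATH_MAX], backup[PATH_MAX];
	char line[4096], edited[4096];
	struct stat st;
	FILE *in = NULL, *out = NULL;
	int fd = -1, have_tmp = 0;

	if (snprintf(dirbuf, sizeof(dirbuf), "%s", path) >= (int)sizeof(dirbuf))
		return -1;
	if (snprintf(tmpl, sizeof(tmpl), "%s/.inplace.XXXXXX",
	    dirname(dirbuf)) >= (int)sizeof(tmpl))
		return -1;
	if ((in = fopen(path, "r")) == NULL || fstat(fileno(in), &st) == -1)
		goto fail;
	/* mkstemp() opens O_CREAT|O_EXCL, mode 0600, in the target's own
	 * directory: a pre-planted file or symlink under that name is never
	 * followed, which is the unlink()/fopen() race closed. */
	if ((fd = mkstemp(tmpl)) == -1)
		goto fail;
	have_tmp = 1;
	if (fchmod(fd, st.st_mode & 07777) == -1)  /* keep original permissions */
		goto fail;
	if ((out = fdopen(fd, "w")) == NULL)
		goto fail;
	fd = -1;
	while (fgets(line, sizeof(line), in) != NULL)
		if (fn(line, edited, sizeof(edited)) == -1 ||
		    fputs(edited, out) == EOF)
			goto fail;
	if (ferror(in) || fflush(out) == EOF || fsync(fileno(out)) == -1)
		goto fail;
	fclose(in);
	in = NULL;
	if (fclose(out) == EOF) { out = NULL; goto fail; }
	out = NULL;
	/* A non-empty suffix keeps the original as path+suffix; an empty one
	 * drops it, the case sed.1 warns about. */
	if (backup_suffix != NULL && *backup_suffix != '\0' &&
	    (snprintf(backup, sizeof(backup), "%s%s", path, backup_suffix) >=
	    (int)sizeof(backup) || rename(path, backup) == -1))
		goto fail;
	if (rename(tmpl, path) == -1)       /* atomic replacement */
		goto fail;
	return 0;
fail:
	if (in != NULL) fclose(in);
	if (out != NULL) fclose(out);
	if (fd != -1) close(fd);
	if (have_tmp) unlink(tmpl);
	return -1;
}

/* Stand-in for a sed script: s/foo/bar/ on each line. */
int
subst_foo_bar(const char *in, char *out, size_t outlen)
{
	const char *hit = strstr(in, "foo");
	int n = hit == NULL ? snprintf(out, outlen, "%s", in) :
	    snprintf(out, outlen, "%.*sbar%s", (int)(hit - in), in, hit + 3);

	return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

/* Constructed scratch input under /tmp; fills in the generated path. */
int
make_sample(char *path, size_t pathlen)
{
	static const char body[] = "foo one\nno hit\nfoo two\n";
	int fd;

	if (pathlen < 32)
		return -1;
	strcpy(path, "/tmp/inplace_demo.XXXXXX");
	if ((fd = mkstemp(path)) == -1)
		return -1;
	if (write(fd, body, sizeof(body) - 1) != (ssize_t)(sizeof(body) - 1)) {
		close(fd);
		return -1;
	}
	return close(fd);
}
```

Two consequences of the design: the temporary file must live in the same directory as the target, because rename() cannot cross filesystems and a cross-directory rename is not atomic; and because the original is renamed to the backup only after the replacement is fully written, a full disk leaves the original intact, which is exactly the failure the man page says a zero-length extension cannot protect against once the rename has happened.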



snmpd kroute diff

2015-07-17 Thread Claudio Jeker
Anyone running snmpd that can test this diff?

It should help better report connected routes in -current.
Similar diffs were committed to various routing daemons already.

-- 
:wq Claudio

Index: kroute.c
===
RCS file: /cvs/src/usr.sbin/snmpd/kroute.c,v
retrieving revision 1.30
diff -u -p -r1.30 kroute.c
--- kroute.c16 Jan 2015 00:05:13 -  1.30
+++ kroute.c16 Jul 2015 22:10:18 -
@@ -1458,7 +1458,19 @@ dispatch_rtmsg_addr(struct ktable *kt, s
 
if ((sa = rti_info[RTAX_GATEWAY]) != NULL)
switch (sa-sa_family) {
+   case AF_INET:
+   case AF_INET6:
+   if (rtm-rtm_flags  RTF_CONNECTED) {
+   flags |= F_CONNECTED;
+   ifindex = rtm-rtm_index;
+   }
+   mpath = 0;  /* link local stuff can't be mpath */
+   break;
case AF_LINK:
+   /*
+* Traditional BSD connected routes have
+* a gateway of type AF_LINK.
+*/
flags |= F_CONNECTED;
ifindex = rtm-rtm_index;
mpath = 0;  /* link local stuff can't be mpath */
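Review bot: in the new AF_INET/AF_INET6 case `mpath = 0;` sits outside the `if (rtm->rtm_flags & RTF_CONNECTED)` block, so every route whose gateway is an IPv4/IPv6 address, i.e. every ordinary next-hop route, is now marked non-multipath, not just the connected ones. The comment "link local stuff can't be mpath" only justifies doing that for connected routes, as the AF_LINK case does; move the assignment inside the braces.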



Re: httpd: hsts (rfc 6797)

2015-07-17 Thread Reyk Floeter
On Sat, Jul 18, 2015 at 12:14:37AM +, Florian Obser wrote:
 OK?
 

As discussed, I like the implementation this way.

Comments below.

Reyk

 diff --git httpd.conf.5 httpd.conf.5
 index b3eaad8..bfca29f 100644
 --- httpd.conf.5
 +++ httpd.conf.5
 @@ -262,6 +262,18 @@ root directory of
  .Xr httpd 8
  and defaults to
  .Pa /run/slowcgi.sock .
 +.It Ic hsts Oo Ar option Oc
 +Enable HTTP Strict Transport Security.
 +Valid options are:
 +.Bl -tag -width Ds
 +.It Ic max-age Ar seconds
 +Set the maximum time in seconds a receiving user agent should regard
 +this host as a HSTS host.
 +The default is one year.
 +.It Ic subdomains
 +Signal to the receiving user agent that this host and all sub domains
 +of the host's domain should be considered HSTS hosts.
 +.El
  .It Ic listen on Ar address Oo Ic tls Oc Ic port Ar number
  Set the listen address and port.
  This statement can be specified multiple times.
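Review bot: "a HSTS host" should be "an HSTS host" in the max-age text. More importantly the section never says that the header is only sent, or only meaningful, on a `listen ... tls` server: RFC 6797 section 7.2 forbids an HSTS host from including the header in responses over non-secure transport, and user agents ignore it there, so state whether httpd emits it on plain HTTP listeners and, if it does, that clients will disregard it.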
 diff --git httpd.h httpd.h
 index 2cb7934..9596000 100644
 --- httpd.h
 +++ httpd.h
 @@ -68,6 +68,7 @@
  #define SERVER_OUTOF_FD_RETRIES  5
  #define SERVER_MAX_PREFETCH  256
  #define SERVER_MIN_PREFETCHED32
 +#define SERVER_HSTS_DEFAULT_AGE  31536000
  
  #define MEDIATYPE_NAMEMAX128 /* file name extension */
  #define MEDIATYPE_TYPEMAX64  /* length of type/subtype */
 @@ -351,13 +352,14 @@ SPLAY_HEAD(client_tree, client);
  #define SRVFLAG_NO_BLOCK 0x0008
  #define SRVFLAG_LOCATION_MATCH   0x0010
  #define SRVFLAG_SERVER_MATCH 0x0020
 +#define SRVFLAG_SERVER_HSTS  0x0040
  
  #define SRVFLAG_BITS \
   \10\01INDEX\02NO_INDEX\03AUTO_INDEX\04NO_AUTO_INDEX   \
   \05ROOT\06LOCATION\07FCGI\10NO_FCGI\11LOG\12NO_LOG\13SOCKET   \
   \14SYSLOG\15NO_SYSLOG\16TLS\17ACCESS_LOG\20ERROR_LOG  \
   \21AUTH\22NO_AUTH\23BLOCK\24NO_BLOCK\25LOCATION_MATCH \
 - \26SERVER_MATCH
 + \26SERVER_MATCH\27SERVER_HSTS
  
  #define TCPFLAG_NODELAY  0x01
  #define TCPFLAG_NNODELAY 0x02
 @@ -443,6 +445,9 @@ struct server_config {
   char*return_uri;
   off_treturn_uri_len;
  
 + int64_t  hsts_max_age;

Do you really need int64_t instead of int here?  How many years do you
want to enforce HSTS?  Or, in the distant future we either entirely
switched to encrypted connections or the opposite and it became
illegal in a dystopian future.

 + int  hsts_subdomains;
 +
   TAILQ_ENTRY(server_config) entry;
  };
  TAILQ_HEAD(serverhosts, server_config);
 diff --git parse.y parse.y
 index 0870819..8dfad1a 100644
 --- parse.y
 +++ parse.y
 @@ -133,7 +133,7 @@ typedef struct {
  %token   COMBINED CONNECTION DHE DIRECTORY ECDHE ERR FCGI INDEX IP KEY 
 LISTEN
  %token   LOCATION LOG LOGDIR MATCH MAXIMUM NO NODELAY ON PORT PREFORK 
 PROTOCOLS
  %token   REQUEST REQUESTS ROOT SACK SERVER SOCKET STRIP STYLE SYSLOG TCP 
 TIMEOUT
 -%token   TLS TYPES
 +%token   TLS TYPES HSTS MAXAGE SUBDOMAINS
  %token   ERROR INCLUDE AUTHENTICATE WITH BLOCK DROP RETURN PASS
  %token   v.string  STRING
  %token  v.number   NUMBER
 @@ -256,6 +256,8 @@ server: SERVER optmatch STRING{
   HTTPD_TLS_ECDHE_CURVE,
   sizeof(s-srv_conf.tls_ecdhe_curve));
  
 + s-srv_conf.hsts_max_age = -1;

You could just initialize it to SERVER_HSTS_DEFAULT_AGE here.

 +
   if (last_server_id == INT_MAX) {
   yyerror(too many servers defined);
   free(s);
 @@ -556,6 +558,30 @@ serveroptsl  : LISTEN ON STRING opttls port {
   parentsrv = NULL;
   }
   | include
 + | hsts  {
 + if (parentsrv != NULL) {
 + yyerror(hsts inside location);
 + YYERROR;
 + }
 + srv-srv_conf.flags |= SRVFLAG_SERVER_HSTS;
 + }
 + ;
 +
 +hsts : HSTS '{' optnl hstsflags_l '}'
 + | HSTS hstsflags
 + | HSTS
 + ;
 +
 +hstsflags_l  : hstsflags optcommanl hstsflags_l
 + | hstsflags optnl
 + ;
 +
 +hstsflags: MAXAGE NUMBER {
 + srv_conf-hsts_max_age = $2;
 + }
 + | SUBDOMAINS{
 + srv-srv_conf.hsts_subdomains = 1;
 + }
   ;
  
  fastcgi  : NO FCGI   {
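Review bot: `hstsflags: MAXAGE NUMBER` stores `$2` with no range check and writes through `srv_conf->hsts_max_age`, while the `SUBDOMAINS` action next to it writes `srv->srv_conf.hsts_subdomains`; pick one target (the hsts statement is rejected inside a location, so `srv->srv_conf` is the one that applies) and reject a negative or oversized number with a yyerror, since RFC 6797 defines max-age as non-negative delta-seconds and the value ends up verbatim in the header.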
 @@ -1115,6 +1141,7 @@ lookup(char *s)
   { ecdhe,  ECDHE },
   { error,  ERR },
   { fastcgi,FCGI },
 + { hsts,   HSTS },
   { include,INCLUDE },
   { index,  INDEX },

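Added example, to show what the hsts, max-age and subdomains knobs in the grammar above put on the wire and how a user agent reads the header back. This is not code from florian's diff or from httpd; the struct, the function names and the one-year default (31536000 seconds, matching the man page text, since the diff's SERVER_HSTS_DEFAULT_AGE value is not shown) are this example's own assumptions.

```c
/*
 * Added example, not httpd's code: build the Strict-Transport-Security
 * header value from the hsts/max-age/subdomains settings and parse one
 * back the way a user agent does (RFC 6797 6.1 and 8.1).  Names and the
 * one-year default are assumptions of this example.
 */
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define HSTS_DEFAULT_AGE	31536000LL	/* assumed: one year, per the man page text */

struct hsts_conf {
	int		enabled;	/* the bare "hsts" statement */
	long long	max_age;	/* "max-age seconds"; -1 = not set */
	int		subdomains;	/* "subdomains" */
};

/*
 * Server side.  Returns the header value length, or -1 when no header is
 * to be sent: hsts not enabled, or the response is not going out over TLS
 * (RFC 6797 7.2: the header is only sent over secure transport, and a UA
 * must ignore it on plain HTTP anyway).
 */
int
hsts_header(const struct hsts_conf *c, int over_tls, char *out, size_t outsz)
{
	long long age = c->max_age < 0 ? HSTS_DEFAULT_AGE : c->max_age;
	int n;

	if (!c->enabled || !over_tls)
		return -1;
	n = snprintf(out, outsz, "max-age=%lld%s", age,
	    c->subdomains ? "; includeSubDomains" : "");
	return (n < 0 || (size_t)n >= outsz) ? -1 : n;
}

/* case-insensitive string equality, so the example needs no strcasecmp() */
static int
ieq(const char *a, const char *b)
{
	for (; *a != '\0' && *b != '\0'; a++, b++)
		if (tolower((unsigned char)*a) != tolower((unsigned char)*b))
			return 0;
	return *a == '\0' && *b == '\0';
}

/*
 * User-agent side.  Directives are ';'-separated, names are case
 * insensitive, max-age is required and must be non-negative, a value may
 * be a quoted-string, unknown directives are ignored and a repeated
 * directive invalidates the whole header (RFC 6797 6.1).  Returns 0 on
 * success, -1 if the header must be ignored.
 */
int
hsts_parse(const char *value, long long *max_age, int *subdomains)
{
	char copy[256], *tok, *next, *eq, *end, *stop;
	int seen_age = 0, seen_sub = 0;

	if (strlen(value) >= sizeof copy)
		return -1;
	strcpy(copy, value);
	*subdomains = 0;
	for (tok = copy; tok != NULL; tok = next) {
		if ((next = strchr(tok, ';')) != NULL)
			*next++ = '\0';
		while (isspace((unsigned char)*tok))
			tok++;
		end = tok + strlen(tok);
		while (end > tok && isspace((unsigned char)end[-1]))
			*--end = '\0';
		if (*tok == '\0')
			continue;	/* empty directive, e.g. a trailing ';' */
		if ((eq = strchr(tok, '=')) != NULL) {
			*eq++ = '\0';
			if (*eq == '"' && end > eq + 1 && end[-1] == '"') {
				end[-1] = '\0';	/* strip quoted-string quotes */
				eq++;
			}
		}
		if (ieq(tok, "max-age")) {
			if (seen_age++ || eq == NULL || !isdigit((unsigned char)*eq))
				return -1;	/* missing, repeated or negative */
			*max_age = strtoll(eq, &stop, 10);
			if (*stop != '\0')
				return -1;
		} else if (ieq(tok, "includeSubDomains")) {
			if (seen_sub++ || eq != NULL)
				return -1;
			*subdomains = 1;
		}
		/* any other directive is ignored */
	}
	return seen_age ? 0 : -1;
}

static char hdrbuf[128];

/* Convenience wrappers to exercise both halves with literal values. */
const char *
hsts_value(long long max_age, int subdomains, int over_tls)
{
	struct hsts_conf c = { 1, max_age, subdomains };

	return hsts_header(&c, over_tls, hdrbuf, sizeof hdrbuf) < 0 ? NULL : hdrbuf;
}

long long
parsed_max_age(const char *value)
{
	long long age;
	int sub;

	return hsts_parse(value, &age, &sub) == 0 ? age : -1;
}

int
parsed_subdomains(const char *value)
{
	long long age;
	int sub;

	return hsts_parse(value, &age, &sub) == 0 ? sub : -1;
}

int
main(void)
{
	const char *v = hsts_value(600, 1, 1);

	printf("Strict-Transport-Security: %s\n", v ? v : "(not sent)");
	printf("parsed max-age %lld, includeSubDomains %d\n",
	    parsed_max_age(v), parsed_subdomains(v));
	return 0;
}
```

The server half refuses to emit the header on a non-TLS response because the user agent would ignore it anyway; the parser half shows why the value matters: a header the UA cannot parse (negative age, repeated directive) is dropped entirely, so a misconfigured max-age silently disables HSTS rather than producing a partial effect.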
Re: Get Ruby 2.2 test suite passing

2015-07-17 Thread Theo de Raadt
 Ted Unangst wrote:
  Jeremy Evans wrote:
   As an aside, crypt(passwd, $2) returns : instead of NULL.  I'm not
   sure if that's a security issue, but I think it is and we should fix it.
   I'll see if I can get a patch for that and send it to tech@.
  
  This is a weird edge case where niels decided to make bcrypt() work
  differently than crypt(). i don't really know why. I think null is the safer
  return, and we should probably switch. we don't have code that looks for :
  (and certainly no third party code ever does), but there is code that checks
  for null.
  
 
 like this.
 
 
 Index: bcrypt.c
 ===
 RCS file: /cvs/src/lib/libc/crypt/bcrypt.c,v
 retrieving revision 1.52
 diff -u -p -r1.52 bcrypt.c
 --- bcrypt.c  28 Jan 2015 23:33:52 -  1.52
 +++ bcrypt.c  18 Jul 2015 00:29:34 -
 @@ -385,12 +385,9 @@ char *
  bcrypt(const char *pass, const char *salt)
  {
   static chargencrypted[BCRYPT_HASHSPACE];
 - static chargerror[2];
  
 - /* How do I handle errors ? Return ':' */
 - strlcpy(gerror, :, sizeof(gerror));
   if (bcrypt_hashpass(pass, salt, gencrypted, sizeof(gencrypted)) != 0)
 - return gerror;
 + return NULL;
  
   return gencrypted;
  }
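Review bot: with gerror gone, bcrypt() can now hand back NULL for a $2 salt that bcrypt_hashpass() rejects, which callers reaching it through crypt(3) may never have seen before; bcrypt(3)/crypt(3) should document the NULL return in the same commit, and in-tree callers that pass the result straight to strcmp() or store it deserve a quick audit. The function body itself is fine, since the failure reason already comes back from bcrypt_hashpass() as a non-zero return.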

This feels so much safer



httpd: default type

2015-07-17 Thread Reyk Floeter
Hi,

as requested by many, the following simple diff allows changing the
default media type globally or per location, e.g.
default type text/plain

Note that this diff conflicts with florian's HSTS diff, we'll reassign
the flag in httpd.h based on which one goes in first.

OK?

Reyk

Index: config.c
===
RCS file: /cvs/src/usr.sbin/httpd/config.c,v
retrieving revision 1.39
diff -u -p -u -p -r1.39 config.c
--- config.c15 Jul 2015 16:00:39 -  1.39
+++ config.c18 Jul 2015 00:54:45 -
@@ -436,6 +436,13 @@ config_getserver_config(struct httpd *en
goto fail;
}
 
+   f = SRVFLAG_DEFAULT_TYPE;
+   if ((srv_conf-flags  f) == 0) {
+   srv_conf-flags |= parent-flags  f;
+   memcpy(srv_conf-default_type,
+   parent-default_type, sizeof(struct media_type));
+   }
+
memcpy(srv_conf-timeout, parent-timeout,
sizeof(srv_conf-timeout));
srv_conf-maxrequests = parent-maxrequests;
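Review bot: the memcpy() runs even when the parent has no SRVFLAG_DEFAULT_TYPE set, copying an unset parent default_type into the child; harmless, because media_find_config() tests the flag before using it, but moving the memcpy() under the flag test makes the intent clear, and `sizeof(srv_conf->default_type)` is the usual spelling here. Since struct media_type also carries the RB tree entry media_find() uses, copying only the name fields would be cleaner than the whole struct.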
Index: httpd.c
===
RCS file: /cvs/src/usr.sbin/httpd/httpd.c,v
retrieving revision 1.37
diff -u -p -u -p -r1.37 httpd.c
--- httpd.c 3 Jun 2015 02:24:36 -   1.37
+++ httpd.c 18 Jul 2015 00:54:45 -
@@ -1217,7 +1217,7 @@ media_purge(struct mediatypes *types)
 }
 
 struct media_type *
-media_find(struct mediatypes *types, char *file)
+media_find(struct mediatypes *types, const char *file)
 {
struct media_type   *match, media;
char*p;
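Review bot: changing media_find() to take a `const char *` also needs the prototype in httpd.h updated; the httpd.h hunks in this diff only add the define and the flag, so check that the declaration matches or every caller will warn.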
@@ -1239,6 +1239,21 @@ media_find(struct mediatypes *types, cha
match = RB_FIND(mediatypes, types, media);
 
return (match);
+}
+
+struct media_type *
+media_find_config(struct httpd *env, struct server_config *srv_conf,
+const char *file)
+{
+   struct media_type   *match;
+
+   if ((match = media_find(env-sc_mediatypes, file)) != NULL)
+   return (match);
+   else if (srv_conf-flags  SRVFLAG_DEFAULT_TYPE)
+   return (srv_conf-default_type);
+
+   /* fallback to the global default type */
+   return (env-sc_default_type);
 }
 
 int
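Review bot: media_find_config() consults the per-server or per-location default only after the extension lookup in the global types table fails, so a location's `default type` cannot override an extension that is already known; that is probably intended, but the man page should say so. A prototype for media_find_config() must also go into httpd.h, which the shown httpd.h hunks do not include.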
Index: httpd.conf.5
===
RCS file: /cvs/src/usr.sbin/httpd/httpd.conf.5,v
retrieving revision 1.64
diff -u -p -u -p -r1.64 httpd.conf.5
--- httpd.conf.515 Jul 2015 17:10:47 -  1.64
+++ httpd.conf.518 Jul 2015 00:54:45 -
@@ -112,6 +112,15 @@ directory.
 If not specified, it defaults to
 .Pa /var/www ,
 the home directory of the www user.
+.It Ic default type Ar type/subtype
+Set the default media type that is used if the media type for a
+specified extension is not found in the configured types or for files
+without a file extension;
+see the
+.Sx TYPES
+section below.
+If not specified, the default type is set to
+.Ar application/octet-stream .
 .It Ic logdir Ar directory
 Specifies the full path of the directory in which log files will be written.
 If not specified, it defaults to
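Review bot: worth a sentence of caution in this paragraph: the default applies to every file whose extension is not in the types table, so `default type text/html` (or any type a browser renders or executes) turns user-supplied files under the document root into pages the browser will render, whereas the application/octet-stream default forces a download.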
@@ -236,6 +245,9 @@ Specify the inactivity timeout in second
 The default timeout is 600 seconds (10 minutes).
 The maximum is 2147483647 seconds (68 years).
 .El
+.It Ic default type Ar type/subtype
+Set the default media type for the specified location,
+overwriting the global setting.
 .It Ic directory Ar option
 Set the specified options when serving or accessing directories.
 Valid options are:
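Review bot: "overwriting the global setting" should read "overriding the global setting"; nothing is written over, the location value just takes precedence.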
Index: httpd.h
===
RCS file: /cvs/src/usr.sbin/httpd/httpd.h,v
retrieving revision 1.88
diff -u -p -u -p -r1.88 httpd.h
--- httpd.h 16 Jul 2015 16:29:25 -  1.88
+++ httpd.h 18 Jul 2015 00:54:45 -
@@ -48,6 +48,7 @@
 #define HTTPD_LOGROOT  /logs
 #define HTTPD_ACCESS_LOG   access.log
 #define HTTPD_ERROR_LOGerror.log
+#define HTTPD_DEFAULT_TYPE { bin, application, octet-stream, NULL }
 #define HTTPD_LOGVIS   VIS_NL|VIS_TAB|VIS_CSTYLE
 #define HTTPD_TLS_CERT /etc/ssl/server.crt
 #define HTTPD_TLS_KEY  /etc/ssl/private/server.key
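Review bot: HTTPD_DEFAULT_TYPE is a positional initializer for struct media_type, so it silently breaks if the field order ever changes; naming the four values with a designated initializer ties them to the fields they mean rather than to their position.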
@@ -351,13 +352,14 @@ SPLAY_HEAD(client_tree, client);
 #define SRVFLAG_NO_BLOCK   0x0008
 #define SRVFLAG_LOCATION_MATCH 0x0010
 #define SRVFLAG_SERVER_MATCH   0x0020
+#define SRVFLAG_DEFAULT_TYPE   0x0040
 
 #define SRVFLAG_BITS   \
\10\01INDEX\02NO_INDEX\03AUTO_INDEX\04NO_AUTO_INDEX   \
\05ROOT\06LOCATION\07FCGI\10NO_FCGI\11LOG\12NO_LOG\13SOCKET   \
\14SYSLOG\15NO_SYSLOG\16TLS\17ACCESS_LOG\20ERROR_LOG  \
\21AUTH\22NO_AUTH\23BLOCK\24NO_BLOCK\25LOCATION_MATCH \
-   \26SERVER_MATCH
+   \26SERVER_MATCH\27DEFAULT_TYPE
 
 #define TCPFLAG_NODELAY0x01
 #define 

Patch to add -f flag to cat(1)

2015-07-17 Thread Sevan Janiyan
Hi,
Attached is a patch to add the -f flag to cat(1).
-f ensures that cat is opening a regular file in non-blocking mode and
aborts otherwise.
Obtained from NetBSD src/bin/cat/cat.c r1.22  r1.34


Sevan Janiyan
From NetBSD
cat.c r1.22, r1.34
cat.1 r1.18, r1.25

Index: bin/cat/cat.c
===
RCS file: /cvs/src/bin/cat/cat.c,v
retrieving revision 1.21
diff -u -r1.21 cat.c
--- bin/cat/cat.c   16 Jan 2015 06:39:28 -  1.21
+++ bin/cat/cat.c   18 Jul 2015 01:45:14 -
@@ -50,7 +50,7 @@
 
 extern char *__progname;
 
-int bflag, eflag, nflag, sflag, tflag, vflag;
+int bflag, eflag, fflag, nflag, sflag, tflag, vflag;
 int rval;
 char *filename;
 
@@ -66,7 +66,7 @@
 
setlocale(LC_ALL, );
 
-   while ((ch = getopt(argc, argv, benstuv)) != -1)
+   while ((ch = getopt(argc, argv, befnstuv)) != -1)
switch (ch) {
case 'b':
bflag = nflag = 1;  /* -b implies -n */
@@ -74,6 +74,9 @@
case 'e':
eflag = vflag = 1;  /* -e implies -v */
break;
+   case 'f':
+   fflag = 1;
+   break;
case 'n':
nflag = 1;
break;
@@ -91,7 +94,7 @@
break;
default:
(void)fprintf(stderr,
-   usage: %s [-benstuv] [file ...]\n, __progname);
+   usage: %s [-befnstuv] [file ...]\n, __progname);
exit(1);
/* NOTREACHED */
}
@@ -118,7 +121,7 @@
if (*argv) {
if (!strcmp(*argv, -))
fp = stdin;
-   else if ((fp = fopen(*argv, r)) == NULL) {
+   else if ((fp = fopen(*argv, rf)) == NULL) {
warn(%s, *argv);
rval = 1;
++argv;
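Review bot: `fopen(*argv, "rf")` relies on a mode letter `f` (restrict to regular files) that NetBSD's fopen(3) understands; unless OpenBSD's fopen(3) honours it too, -f silently does nothing on the cooked path (-b/-e/-n/-s/-t/-v) and cat still blocks on a FIFO there. The safe form is what the raw path below does: open(2) with O_NONBLOCK, fstat(2), S_ISREG(), then fdopen(3) for the stdio side.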
@@ -202,8 +205,26 @@
if (*argv) {
if (!strcmp(*argv, -))
fd = fileno(stdin);
+   else if (fflag) {
+   struct stat st;
+   fd = open(*argv, O_RDONLY|O_NONBLOCK, 0);
+   if (fd  0)
+   goto skip;
+
+   if (fstat(fd, st) == -1) {
+   close(fd);
+   goto skip;
+   }
+   if (!S_ISREG(st.st_mode)) {
+   close(fd);
+   warnx(%s: not a regular file, *argv);
+   goto skipnomsg;
+   }
+   }
else if ((fd = open(*argv, O_RDONLY, 0))  0) {
+skip:
warn(%s, *argv);
+skipnomsg:
rval = 1;
++argv;
continue;
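Review bot: the labels `skip:` and `skipnomsg:` live inside the `else if` block and are jumped into from the `fflag` branch, which compiles but is hard to follow; a small helper that returns the checked fd or -1 with the message already printed would keep the error handling in one place. The open-then-fstat order is the right one (a stat(2) on the path first would leave a race between check and open); just note that the descriptor keeps O_NONBLOCK after the S_ISREG() check, which is harmless for a regular file but would start yielding EAGAIN if the check were ever relaxed.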
Index: bin/cat/cat.1
===
RCS file: /cvs/src/bin/cat/cat.1,v
retrieving revision 1.34
diff -u -r1.34 cat.1
--- bin/cat/cat.1   15 Jan 2015 19:06:31 -  1.34
+++ bin/cat/cat.1   18 Jul 2015 02:02:23 -
@@ -33,7 +33,7 @@
 .\
 .\ @(#)cat.1  8.3 (Berkeley) 5/2/95
 .\
-.Dd $Mdocdate: January 15 2015 $
+.Dd $Mdocdate: July 18 2015 $
 .Dt CAT 1
 .Os
 .Sh NAME
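Review bot: `$Mdocdate$` is a CVS keyword that the OpenBSD repository expands on commit; leave it alone in the diff rather than editing the date by hand.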
@@ -41,7 +41,7 @@
 .Nd concatenate and print files
 .Sh SYNOPSIS
 .Nm cat
-.Op Fl benstuv
+.Op Fl befnstuv
 .Op Ar
 .Sh DESCRIPTION
 The
@@ -70,6 +70,8 @@
 option and also prints a dollar sign
 .Pq Ql \$
 at the end of each line.
+.It Fl f
+Only attempt to display regular files.
 .It Fl n
 Number the output lines, starting at 1.
 .It Fl s
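Review bot: "Only attempt to display regular files." does not tell the reader what the flag is for; say that files that are not regular (FIFOs, devices, directories) are reported as an error and skipped instead of opened, so cat never blocks on them. The alphabetical placement of -f between -e and -n is correct.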


indent ifconfig(8) bridge rules output

2015-07-17 Thread Rafael Zalamena
This diff indents the output of bridge rules in ifconfig or ifconfig bridgeX.

Old output:
$ ifconfig bridge0
bridge0: flags=41UP,RUNNING
groups: bridge
priority 32768 hellotime 2 fwddelay 15 maxage 20 holdcnt 6 proto rstp
designated: id 00:00:00:00:00:00 priority 0
tun1 flags=3LEARNING,DISCOVER
port 148 ifpriority 0 ifcost 0
block in on tun1 src 00:11:22:33:44:55
block in on tun1 src 00:11:22:33:44:56
block out on tun1 src 00:11:22:33:44:56
Addresses (max cache: 100, timeout: 240):

New output:
$ ifconfig bridge0
bridge0: flags=41UP,RUNNING
groups: bridge
priority 32768 hellotime 2 fwddelay 15 maxage 20 holdcnt 6 proto rstp
designated: id 00:00:00:00:00:00 priority 0
tun1 flags=3LEARNING,DISCOVER
port 148 ifpriority 0 ifcost 0
block in on tun1 src 00:11:22:33:44:55
block in on tun1 src 00:11:22:33:44:56
block out on tun1 src 00:11:22:33:44:56
Addresses (max cache: 100, timeout: 240):

Also I kept the 'ifconfig bridgeX rules interface' non-indented:
$ ifconfig bridge0 rules tun1
block in on tun1 src 00:11:22:33:44:55
block in on tun1 src 00:11:22:33:44:56
block out on tun1 src 00:11:22:33:44:56

Index: sbin/ifconfig//brconfig.c
===
RCS file: /cvs/src/sbin/ifconfig/brconfig.c,v
retrieving revision 1.8
diff -u -p -r1.8 brconfig.c
--- sbin/ifconfig//brconfig.c   13 Oct 2013 12:18:18 -  1.8
+++ sbin/ifconfig//brconfig.c   18 Jul 2015 04:41:02 -
@@ -322,7 +322,7 @@ bridge_list(char *delim)
stpstates[reqp-ifbr_state],
stproles[reqp-ifbr_role]);
printf(\n);
-   bridge_rules(buf, 0);
+   bridge_rules(buf, 1);
}
free(bifc.ifbic_buf);
 }
@@ -742,7 +742,7 @@ bridge_flushrule(const char *ifname, int
 }
 
 void
-bridge_rules(const char *ifname, int d)
+bridge_rules(const char *ifname, int usetab)
 {
char *inbuf = NULL, *inb;
struct ifbrlconf ifc;
@@ -766,6 +766,10 @@ bridge_rules(const char *ifname, int d)
ifrp = ifc.ifbrl_req;
for (i = 0; i  ifc.ifbrl_len; i += sizeof(*ifrp)) {
ifrp = (struct ifbrlreq *)((caddr_t)ifc.ifbrl_req + i);
+
+   if (usetab)
+   printf(\t);
+
bridge_showrule(ifrp);
}
 }
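Review bot: bridge_rules() now takes a boolean that only decides whether to print a tab; the listing code already threads an output prefix through bridge_list(char *delim), so passing the prefix string ("\t" or "") instead of an int keeps the two consistent and avoids a second convention for indentation. The prototype of bridge_rules() is declared outside this file; the parameter rename is cosmetic, but make sure the declaration still matches.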



tcpdump wireless example

2015-07-17 Thread Stefan Sperling
I've been asked to add an example to tcpdump(8) that shows how wireless
frames can be printed. Do we want something like that in this man page?

Index: tcpdump.8
===
RCS file: /cvs/src/usr.sbin/tcpdump/tcpdump.8,v
retrieving revision 1.84
diff -u -p -r1.84 tcpdump.8
--- tcpdump.8   28 Feb 2015 21:51:57 -  1.84
+++ tcpdump.8   18 Jul 2015 04:55:36 -
@@ -1053,6 +1053,9 @@ To print only echo request ICMP packets:
 To print and decrypt all ESP packets with SPI 0x1234:
 .Pp
 .Dl # tcpdump -E des3-hmac96:ab...def 'ip[20:4] = 0x1234'
+.Pp
+To print raw wireless frames passing the iwn0 interface:
+.Dl # tcpdump -i iwn0 -y IEEE802_11_RADIO -v
 .Sh OUTPUT FORMAT
 The output of
 .Nm
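Review bot: the example only shows the frames the interface receives in its current mode; to see all raw 802.11 frames on the air the interface has to be put in monitor mode first (e.g. ifconfig iwn0 mediaopt monitor), so either mention that step or say the command prints this station's own frames. Also keep a `.Pp` between the `.Dl` lines as the other examples above do.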



syslogd TCP input with octet counting

2015-07-17 Thread Alexander Bluhm
Hi,

To accept all possible syslog over TCP framing methods, implement
octet counting.  This makes our TCP receiving side compatible with the
sending format.

ok?

bluhm

Index: usr.sbin/syslogd/syslogd.c
===
RCS file: /data/mirror/openbsd/cvs/src/usr.sbin/syslogd/syslogd.c,v
retrieving revision 1.173
diff -u -p -r1.173 syslogd.c
--- usr.sbin/syslogd/syslogd.c  16 Jul 2015 23:29:14 -  1.173
+++ usr.sbin/syslogd/syslogd.c  18 Jul 2015 01:00:08 -
@@ -294,6 +294,8 @@ void klog_readcb(int, short, void *);
 voidudp_readcb(int, short, void *);
 voidunix_readcb(int, short, void *);
 voidtcp_acceptcb(int, short, void *);
+int octet_counting(struct evbuffer *, char **, int);
+int non_transparent_framing(struct evbuffer *, char **);
 voidtcp_readcb(struct bufferevent *, void *);
 voidtcp_closecb(struct bufferevent *, short, void *);
 int tcp_socket(struct filed *);
@@ -914,31 +916,120 @@ tcp_acceptcb(int fd, short event, void *
logmsg(LOG_SYSLOG|LOG_INFO, ebuf, LocalHostName, ADDDATE);
 }
 
+/*
+ * Syslog over TCP  RFC 6587  3.4.1. Octet Counting
+ */
+int
+octet_counting(struct evbuffer *evbuf, char **msg, int drain)
+{
+   char*p, *buf, *end;
+   int  len;
+
+   buf = EVBUFFER_DATA(evbuf);
+   end = buf + EVBUFFER_LENGTH(evbuf);
+   /*
+* It can be assumed that octet-counting framing is used if a syslog
+* frame starts with a digit.
+*/
+   if (buf = end || !isdigit(*buf))
+   return (-1);
+   /*
+* SYSLOG-FRAME = MSG-LEN SP SYSLOG-MSG
+* MSG-LEN is the octet count of the SYSLOG-MSG in the SYSLOG-FRAME.
+* We support up to 5 digits in MSG-LEN, so the maximum is 9.
+*/
+   for (p = buf; p  end  p  buf + 5; p++) {
+   if (!isdigit(*p))
+   break;
+   }
+   if (buf = p || p = end || *p != ' ')
+   return (-1);
+   p++;
+   /* Using atoi() is safe as buf starts with 1 to 5 digits and a space. */
+   len = atoi(buf);
+   if (drain)
+   dprintf( octet counting %d, len);
+   if (p + len  end)
+   return (0);
+   if (drain)
+   evbuffer_drain(evbuf, p - buf);
+   if (msg)
+   *msg = p;
+   return (len);
+}
+
+/*
+ * Syslog over TCP  RFC 6587  3.4.2. Non-Transparent-Framing
+ */
+int
+non_transparent_framing(struct evbuffer *evbuf, char **msg)
+{
+   char*p, *buf, *end;
+
+   buf = EVBUFFER_DATA(evbuf);
+   end = buf + EVBUFFER_LENGTH(evbuf);
+   /*
+* The TRAILER has usually been a single character and most often
+* is ASCII LF (%d10).  However, other characters have also been
+* seen, with ASCII NUL (%d00) being a prominent example.
+*/
+   for (p = buf; p  end; p++) {
+   if (*p == '\0' || *p == '\n')
+   break;
+   }
+   if (p + 1 - buf = INT_MAX)
+   return (-1);
+   dprintf( non transparent framing);
+   if (p = end)
+   return (0);
+   /*
+* Some devices have also been seen to emit a two-character
+* TRAILER, which is usually CR and LF.
+*/
+   if (buf  p  p[0] == '\n'  p[-1] == '\r')
+   p[-1] = '\0';
+   if (msg)
+   *msg = buf;
+   return (p + 1 - buf);
+}
+
 void
 tcp_readcb(struct bufferevent *bufev, void *arg)
 {
struct peer *p = arg;
-   char*line;
+   char*msg, line[MAXLINE + 1];
+   int  len;
 
-   /*
-* Syslog over TCP  RFC 6587  3.4.2.  Non-Transparent-Framing
-* XXX Incompatible to ourself, should do:  3.4.1.  Octet Counting
-*/
-   while ((line = evbuffer_readline(bufev-input))) {
-   dprintf(tcp logger \%s\ complete line\n, p-p_peername);
-   printline(p-p_hostname, line);
-   free(line);
-   }
-   if (EVBUFFER_LENGTH(bufev-input) = MAXLINE) {
-   dprintf(tcp logger \%s\ incomplete line, use %zu bytes\n,
-   p-p_peername, EVBUFFER_LENGTH(bufev-input));
+   while (EVBUFFER_LENGTH(bufev-input)  0) {
+   dprintf(tcp logger \%s\, p-p_peername);
+   msg = NULL;
+   len = octet_counting(bufev-input, msg, 1);
+   if (len  0)
+   len = non_transparent_framing(bufev-input, msg);
+   if (len  0)
+   dprintf(unknown method);
+   if (msg == NULL) {
+   dprintf(, incomplete frame);
+   break;
+   }
+   dprintf(, use %d bytes\n, len);
+   if (len  0  msg[len-1] == '\n')
+   msg[len-1] = '\0';
+   if (len == 0 || msg[len-1] != '\0') {
+   
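Review bot: in octet_counting(), `isdigit(*buf)` and `isdigit(*p)` are called on plain `char`; cast to `unsigned char` first, since a peer can send bytes above 0x7f and isdigit() on a negative value is undefined. `if (p + len > end)` forms a pointer past the end of the buffer before comparing; `if (end - p < len)` says the same without doing so. Finally, the removed code capped an incomplete line at MAXLINE: with octet counting a peer can now announce up to 99999 octets and hold that much per connection while sending nothing more, and a non-transparent frame without a trailer is only rejected near INT_MAX; make sure the part of tcp_readcb() cut off here (or a bufferevent watermark) still bounds the per-peer input buffer.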

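Added example, not part of bluhm's diff or of syslogd: the same two RFC 6587 framings on a plain byte buffer, with the edge cases a receiver has to get right (a digit-leading message that is not octet counted, a CR LF trailer, a NUL trailer, an incomplete frame, and a cap on how much a peer can make the receiver buffer). The limits, the names and the sample stream are this example's own constructions.

```c
/*
 * Added example, not syslogd's code: an RFC 6587 frame splitter covering
 * 3.4.1 octet counting and 3.4.2 non-transparent framing on a byte
 * buffer instead of a bufferevent.  MSGLEN_DIGITS follows the diff;
 * MAXFRAME is this example's assumed per-frame cap.
 */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define MSGLEN_DIGITS	5	/* MSG-LEN of up to 5 digits, as in the diff */
#define MAXFRAME	8192	/* assumed cap so a peer cannot grow the buffer without bound */

enum frame_status { FRAME_BAD = -1, FRAME_NEED_MORE = 0, FRAME_OK = 1 };

/*
 * Parse one frame from buf[0..len).  On FRAME_OK, *msg/*msglen describe
 * the SYSLOG-MSG with the trailer stripped and *consumed is what the
 * caller drains.  FRAME_NEED_MORE: wait for more bytes.  FRAME_BAD: this
 * can never become a valid frame, drop the connection.
 */
enum frame_status
syslog_frame(const char *buf, size_t len, const char **msg, size_t *msglen,
    size_t *consumed)
{
	size_t i, n = 0;

	if (len == 0)
		return FRAME_NEED_MORE;

	/*
	 * 3.4.1: SYSLOG-FRAME = MSG-LEN SP SYSLOG-MSG.  A frame starting
	 * with a digit is assumed to be octet counted.  isdigit() gets an
	 * unsigned char so bytes above 0x7f are not undefined behaviour.
	 */
	if (isdigit((unsigned char)buf[0])) {
		for (i = 0; i < len && i < MSGLEN_DIGITS &&
		    isdigit((unsigned char)buf[i]); i++)
			n = n * 10 + (size_t)(buf[i] - '0');
		if (i == len)
			return FRAME_NEED_MORE;	/* MSG-LEN may still be incomplete */
		if (buf[i] == ' ') {
			i++;
			if (n > MAXFRAME)
				return FRAME_BAD;	/* refuse to buffer that much */
			if (len - i < n)		/* compare lengths, never buf + n */
				return FRAME_NEED_MORE;
			*msg = buf + i;
			*msglen = n;
			*consumed = i + n;
			return FRAME_OK;
		}
		/* digits not followed by SP: fall through to non-transparent */
	}

	/* 3.4.2: TRAILER is usually LF, sometimes NUL, sometimes CR LF */
	for (i = 0; i < len && i < MAXFRAME; i++) {
		if (buf[i] == '\n' || buf[i] == '\0') {
			n = i;
			if (buf[i] == '\n' && i > 0 && buf[i - 1] == '\r')
				n--;	/* drop the CR of a CR LF trailer */
			*msg = buf;
			*msglen = n;
			*consumed = i + 1;
			return FRAME_OK;
		}
	}
	return len >= MAXFRAME ? FRAME_BAD : FRAME_NEED_MORE;
}

/*
 * Run a buffered stream through syslog_frame().  Returns the number of
 * complete frames; *leftover is the unconsumed tail a daemon would keep
 * until more bytes arrive.  Frames are printed to out if it is non-NULL.
 */
size_t
count_frames(const char *stream, size_t len, size_t *leftover, FILE *out)
{
	const char *msg;
	size_t msglen, used, off = 0, nframes = 0;

	while (off < len && syslog_frame(stream + off, len - off, &msg,
	    &msglen, &used) == FRAME_OK) {
		nframes++;
		if (out != NULL)
			fprintf(out, "frame %zu (%zu bytes): %.*s\n", nframes,
			    msglen, (int)msglen, msg);
		off += used;
	}
	*leftover = len - off;
	return nframes;
}

/* Status (as an int) of a NUL-free C string taken as a whole receive buffer. */
int
frame_status_of(const char *s)
{
	const char *msg;
	size_t msglen, used;

	return syslog_frame(s, strlen(s), &msg, &msglen, &used);
}

/* SYSLOG-MSG length the splitter reports for s, 0 if no frame is complete. */
size_t
frame_msglen_of(const char *s)
{
	const char *msg;
	size_t msglen, used;

	return syslog_frame(s, strlen(s), &msg, &msglen, &used) == FRAME_OK ?
	    msglen : 0;
}

/* Constructed sample stream mixing framings; it contains a NUL, so keep
 * the length separately.  Adjacent literals keep "\0" and "17" apart. */
static const char sample[] =
    "20 <13>host app: hello!"	/* octet counted, MSG-LEN 20 */
    "<13>host app: two\r\n"	/* non-transparent, CR LF trailer */
    "2015-07-17 started\n"	/* digit-leading but no "MSG-LEN SP": non-transparent */
    "<13>nul terminated\0"	/* NUL trailer */
    "17 <13>partial";		/* incomplete: 11 of 17 announced octets */
#define SAMPLE_LEN (sizeof(sample) - 1)

size_t
demo_frames(void)
{
	size_t lo;

	return count_frames(sample, SAMPLE_LEN, &lo, NULL);
}

size_t
demo_leftover(void)
{
	size_t lo;

	count_frames(sample, SAMPLE_LEN, &lo, NULL);
	return lo;
}

int
main(void)
{
	size_t leftover, n = count_frames(sample, SAMPLE_LEN, &leftover, stdout);

	printf("%zu frames, %zu bytes left buffered\n", n, leftover);
	return 0;
}
```

The one case the RFC leaves ambiguous is a non-transparent message that happens to begin with digits and a space, such as "2015 started": both the diff and this splitter take it as an octet count and wait for 2015 bytes, which is why the cap on the announced length matters.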
Re: indent ifconfig(8) bridge rules output

2015-07-17 Thread Reyk Floeter
On Sat, Jul 18, 2015 at 01:54:39AM -0300, Rafael Zalamena wrote:
 This diff indents the output of bridge rules in ifconfig or ifconfig bridgeX.
 

OK reyk@

 Old output:
 $ ifconfig bridge0
 bridge0: flags=41UP,RUNNING
 groups: bridge
 priority 32768 hellotime 2 fwddelay 15 maxage 20 holdcnt 6 proto rstp
 designated: id 00:00:00:00:00:00 priority 0
 tun1 flags=3LEARNING,DISCOVER
 port 148 ifpriority 0 ifcost 0
 block in on tun1 src 00:11:22:33:44:55
 block in on tun1 src 00:11:22:33:44:56
 block out on tun1 src 00:11:22:33:44:56
 Addresses (max cache: 100, timeout: 240):
 
 New output:
 $ ifconfig bridge0
 bridge0: flags=41UP,RUNNING
 groups: bridge
 priority 32768 hellotime 2 fwddelay 15 maxage 20 holdcnt 6 proto rstp
 designated: id 00:00:00:00:00:00 priority 0
 tun1 flags=3LEARNING,DISCOVER
 port 148 ifpriority 0 ifcost 0
 block in on tun1 src 00:11:22:33:44:55
 block in on tun1 src 00:11:22:33:44:56
 block out on tun1 src 00:11:22:33:44:56
 Addresses (max cache: 100, timeout: 240):
 
 Also I kept the 'ifconfig bridgeX rules interface' non-indented:
 $ ifconfig bridge0 rules tun1
 block in on tun1 src 00:11:22:33:44:55
 block in on tun1 src 00:11:22:33:44:56
 block out on tun1 src 00:11:22:33:44:56
 
 Index: sbin/ifconfig//brconfig.c
 ===
 RCS file: /cvs/src/sbin/ifconfig/brconfig.c,v
 retrieving revision 1.8
 diff -u -p -r1.8 brconfig.c
 --- sbin/ifconfig//brconfig.c 13 Oct 2013 12:18:18 -  1.8
 +++ sbin/ifconfig//brconfig.c 18 Jul 2015 04:41:02 -
 @@ -322,7 +322,7 @@ bridge_list(char *delim)
   stpstates[reqp-ifbr_state],
   stproles[reqp-ifbr_role]);
   printf(\n);
 - bridge_rules(buf, 0);
 + bridge_rules(buf, 1);
   }
   free(bifc.ifbic_buf);
  }
 @@ -742,7 +742,7 @@ bridge_flushrule(const char *ifname, int
  }
  
  void
 -bridge_rules(const char *ifname, int d)
 +bridge_rules(const char *ifname, int usetab)
  {
   char *inbuf = NULL, *inb;
   struct ifbrlconf ifc;
 @@ -766,6 +766,10 @@ bridge_rules(const char *ifname, int d)
   ifrp = ifc.ifbrl_req;
   for (i = 0; i  ifc.ifbrl_len; i += sizeof(*ifrp)) {
   ifrp = (struct ifbrlreq *)((caddr_t)ifc.ifbrl_req + i);
 +
 + if (usetab)
 + printf(\t);
 +
   bridge_showrule(ifrp);
   }
  }
 

-- 



Re: tcpdump mpls pseudowire support

2015-07-17 Thread Claudio Jeker
On Fri, Jul 17, 2015 at 03:24:17PM -0300, Rafael Zalamena wrote:
 This diff adds support for detection of pseudowires inside of MPLS tagged
 packets. Basically it teaches MPLS to look for ethernet headers when there
 is no sign of IP headers.

The addition of controlword_print() is for sure OK.
Not super happy about the guesswork to decide if it is an ethernet frame
or not. Wonder if the presence of the controlword could be used to give a
better hint.
 
 Index: interface.h
 ===
 RCS file: /cvs/src/usr.sbin/tcpdump/interface.h,v
 retrieving revision 1.65
 diff -u -p -r1.65 interface.h
 --- interface.h   5 Apr 2015 17:02:57 -   1.65
 +++ interface.h   17 Jul 2015 18:16:43 -
 @@ -205,6 +205,7 @@ extern void pfsync_if_print(u_char *, co
  extern void pfsync_ip_print(const u_char *, u_int, const u_char *);
  extern void ether_if_print(u_char *, const struct pcap_pkthdr *,
   const u_char *);
 +void ether_tryprint(const u_char *, u_int);
  extern void fddi_if_print(u_char *, const struct pcap_pkthdr *, const u_char 
 *);
  extern void ppp_ether_if_print(u_char *, const struct pcap_pkthdr *,
   const u_char *);
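Review bot: the new declaration lacks the `extern` its neighbours carry; for consistency with the rest of interface.h it should read `extern void ether_tryprint(const u_char *, u_int);`.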
 Index: print-ether.c
 ===
 RCS file: /cvs/src/usr.sbin/tcpdump/print-ether.c,v
 retrieving revision 1.29
 diff -u -p -r1.29 print-ether.c
 --- print-ether.c 16 Jan 2015 06:40:21 -  1.29
 +++ print-ether.c 17 Jul 2015 18:16:43 -
 @@ -89,29 +89,34 @@ u_short extracted_ethertype;
  void
  ether_if_print(u_char *user, const struct pcap_pkthdr *h, const u_char *p)
  {
 - u_int caplen = h-caplen;
 - u_int length = h-len;
 - struct ether_header *ep;
 - u_short ether_type;
 -
   ts_print(h-ts);
  
 - if (caplen  sizeof(struct ether_header)) {
 - printf([|ether]);
 - goto out;
 - }
 -
   /*
* Some printers want to get back at the ethernet addresses,
* and/or check that they're not walking off the end of the packet.
* Rather than pass them all the way down, we set these globals.
*/
 - packetp = p;
 - snapend = p + caplen;
 + snapend = p + h-caplen;
 +
 + ether_tryprint(p, h-len);
 +}
 +
 +void
 +ether_tryprint(const u_char *p, u_int length)
 +{
 + u_int caplen = snapend - p;
 + struct ether_header *ep;
 + u_short ether_type;
 +
 + if (caplen  sizeof(struct ether_header)) {
 + printf([|ether]);
 + goto out;
 + }
  
   if (eflag)
   ether_print(p, length);
  
 + packetp = p;
   length -= sizeof(struct ether_header);
   caplen -= sizeof(struct ether_header);
   ep = (struct ether_header *)p;
 Index: print-mpls.c
 ===
 RCS file: /cvs/src/usr.sbin/tcpdump/print-mpls.c,v
 retrieving revision 1.2
 diff -u -p -r1.2 print-mpls.c
 --- print-mpls.c  30 Jun 2010 19:01:06 -  1.2
 +++ print-mpls.c  17 Jul 2015 18:16:43 -
 @@ -31,6 +31,12 @@
  #include interface.h
  #include extract.h /* must come after interface.h */
  
 +#define CW_ZERO_MASK (0xf000U)
 +#define CW_FRAG_MASK (0x0fffU)
 +#define CW_SEQUENCE_MASK (0xU)
 +
 +void controlword_print(const u_char **, u_int *);
 +
  void
  mpls_print(const u_char *bp, u_int len)
  {
 @@ -56,6 +62,9 @@ mpls_print(const u_char *bp, u_int len)
   if (!bottom)
   goto again;
  
 + /* Handle pseudowire control word if any. */
 + controlword_print(bp, len);
 +
   /*
* guessing the underlying protocol is about all we can do if
* it's not explicitly defined.
 @@ -99,15 +108,48 @@ mpls_print(const u_char *bp, u_int len)
  
   switch (bp[0]  0xf0) {
   case 0x40:
 + /*
 +  * IPv4 second nibble is the header length and its
 +  * value must be at least 5 bytes long.
 +  */
 + if ((bp[0]  0x0f)  5) {
 + ether_tryprint(bp, len);
 + break;
 + }
 +
   ip_print(bp, len);
   break;
   case 0x60:
   ip6_print(bp, len);
   break;
 + default:
 + ether_tryprint(bp, len);
 + break;
   }
   }
  
   return;
  trunc:
   printf([|mpls]);
 +}
 +
 +void
 +controlword_print(const u_char **bp, u_int *lenp)
 +{
 + u_int32_t cw, frag, seq;
 +
 + if (*lenp  4)
 + return;
 +
 + cw = EXTRACT_32BITS(*bp);
 + if (cw  CW_ZERO_MASK)
 + return;
 +
 + *bp += sizeof(cw);
 + *lenp += sizeof(cw);
 +
 + frag = (cw  CW_FRAG_MASK)  16;
 + seq = cw  CW_SEQUENCE_MASK;
 +
 + printf(CW(frag %u, 
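Review bot: in controlword_print(), `*lenp += sizeof(cw);` moves the length the wrong way: after `*bp += sizeof(cw)` the remaining length must shrink, so this should be `*lenp -= sizeof(cw);`, otherwise the IP or Ethernet printer that follows is told it has four more bytes than exist. EXTRACT_32BITS(*bp) also reads without a check against snapend; the `*lenp < 4` test uses the on-wire length rather than the captured length, so a truncated capture can read past the buffer, and a TCHECK before the extract is needed. Smaller point in mpls_print(): the comment on the IPv4 header length should say at least 5 32-bit words (20 bytes), not 5 bytes.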

tcpdump: display 11n HT-operation element

2015-07-17 Thread Stefan Sperling
Make tcpdump display the HT-operation element in 802.11n management frames.

Sample output from hackroom:

  htop=40MHz channels 40:39,protect non-HT,non-greenfield STA,non-HT STA

ok?

Index: print-802_11.c
===
RCS file: /cvs/src/usr.sbin/tcpdump/print-802_11.c,v
retrieving revision 1.22
diff -u -p -r1.22 print-802_11.c
--- print-802_11.c  17 Jul 2015 19:43:43 -  1.22
+++ print-802_11.c  17 Jul 2015 22:32:01 -
@@ -81,6 +81,7 @@ void   ieee80211_print_element(u_int8_t *
 voidieee80211_print_essid(u_int8_t *, u_int);
 voidieee80211_print_country(u_int8_t *, u_int);
 voidieee80211_print_htcaps(u_int8_t *, u_int);
+voidieee80211_print_htop(u_int8_t *, u_int);
 int ieee80211_elements(struct ieee80211_frame *, u_int);
 int ieee80211_frame(struct ieee80211_frame *, u_int);
 int ieee80211_print(struct ieee80211_frame *, u_int);
@@ -350,6 +351,98 @@ ieee80211_print_htcaps(u_int8_t *data, u
printf();
 }
 
+/* Caller checks len */
+void
+ieee80211_print_htop(u_int8_t *data, u_int len)
+{
+   u_int8_t primary_chan;
+   u_int8_t htopinfo[5];
+   u_int8_t basic_mcs[16];
+   int sco, prot;
+
+   if (len  sizeof(primary_chan) + sizeof(htopinfo) + sizeof(basic_mcs)) {
+   ieee80211_print_element(data, len);
+   return;
+   }
+
+   htopinfo[0] = data[1];
+
+   printf(=);
+
+   /* primary channel and secondary channel offset */
+   primary_chan = data[0];
+   sco = ((htopinfo[0]  IEEE80211_HTOP0_SCO_MASK)
+IEEE80211_HTOP0_SCO_SHIFT);
+   if (sco == 0)
+   printf(20Mhz channel %d, primary_chan);
+   else if (sco == 1)
+   printf(40MHz channels %d:%d, primary_chan, primary_chan + 1);
+   else if (sco == 3)
+   printf(40MHz channels %d:%d, primary_chan, primary_chan - 1);
+   else
+   printf(20Mhz channel %d [invalid secondary channel offset %d],
+   primary_chan, sco);
+
+   /* STA channel width */
+   if ((htopinfo[0]  IEEE80211_HTOP0_CHW) == 0)
+   printf(,STA chanw 20MHz);
+
+   /* reduced interframe space (RIFS) permitted */
+   if (htopinfo[0]  IEEE80211_HTOP0_RIFS)
+   printf(,RIFS);
+
+   htopinfo[1] = data[2];
+
+   /* protection requirements for HT transmissions */
+   prot = ((htopinfo[1]  IEEE80211_HTOP1_PROT_MASK)
+IEEE80211_HTOP1_PROT_SHIFT);
+   if (prot == 1)
+   printf(,protect non-member);
+   else if (prot == 2)
+   printf(,protect 20MHz);
+   else if (prot == 3)
+   printf(,protect non-HT);
+
+   /* non-greenfield STA present */
+   if (htopinfo[1]  IEEE80211_HTOP1_NONGF_STA)
+   printf(,non-greenfield STA);
+
+   /* non-HT STA present */
+   if (htopinfo[1]  IEEE80211_HTOP1_OBSS_NONHT_STA)
+   printf(,non-HT STA);
+
+   htopinfo[3] = data[4];
+
+   /* dual-beacon */
+   if (htopinfo[3]  IEEE80211_HTOP2_DUALBEACON)
+   printf(,dualbeacon);
+
+   /* dual CTS protection */
+   if (htopinfo[3]  IEEE80211_HTOP2_DUALCTSPROT)
+   printf(,dualctsprot);
+
+   htopinfo[4] = data[5];
+
+   /* space-time block coding (STBC) beacon */
+   if ((htopinfo[4]  8)  IEEE80211_HTOP2_DUALCTSPROT)
+   printf(,STBC beacon);
+
+   /* L-SIG (non-HT signal field) TX opportunity (TXOP) protection */
+   if ((htopinfo[4]  8)  IEEE80211_HTOP2_LSIGTXOP)
+   printf(,lsigtxprot);
+
+   /* phased-coexistence operation (PCO) active */
+   if ((htopinfo[4]  8)  IEEE80211_HTOP2_PCOACTIVE) {
+   /* PCO phase */
+   if ((htopinfo[4]  8)  IEEE80211_HTOP2_PCOPHASE40)
+   printf(,pco40MHz);
+   else
+   printf(,pco20MHz);
+   }
+
+   printf();
+}
+
 int
 ieee80211_elements(struct ieee80211_frame *wh, u_int flen)
 {
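Review bot: the STBC beacon test reuses IEEE80211_HTOP2_DUALCTSPROT, the bit just tested against the low byte in htopinfo[3]: `if ((htopinfo[4] << 8) & IEEE80211_HTOP2_DUALCTSPROT)` can never be true once the high byte is shifted against a low-byte mask, so it should use the STBC-beacon bit (IEEE80211_HTOP2_STBCBEACON, if ieee80211.h defines it). Minor: "20Mhz" should be "20MHz" to match the 40MHz output, and "lsigtxprot" is presumably meant to be "lsigtxop".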
@@ -479,6 +572,11 @@ ieee80211_elements(struct ieee80211_fram
printf(, htcaps);
if (vflag)
ieee80211_print_htcaps(data, len);
+   break;
+   case IEEE80211_ELEMID_HTOP:
+   printf(, htop);
+   if (vflag)
+   ieee80211_print_htop(data, len);
break;
case IEEE80211_ELEMID_POWER_CONSTRAINT:
ELEM_CHECK(1);



Re: Get Ruby 2.2 test suite passing

2015-07-17 Thread Ted Unangst
Stuart Henderson wrote:
 On 2015/07/17 20:24, Ted Unangst wrote:
  Jeremy Evans wrote:
   As an aside, crypt(passwd, $2) returns : instead of NULL.  I'm not
   sure if that's a security issue, but I think it is and we should fix it.
   I'll see if I can get a patch for that and send it to tech@.
  
  This is a weird edge case where niels decided to make bcrypt() work
  differently than crypt(). i don't really know why. I think null is the safer
  return, and we should probably switch. we don't have code that looks for :
  (and certainly no third party code ever does), but there is code that checks
  for null.
 
 Solar had some concerns about crypt returning null in the past, there's
 a thread starting at http://www.openwall.com/lists/oss-security/2011/11/15/1
 which might be worth a read.

moving to tech.

Programs may not be checking null, but they're definitely not checking for
strange alternative strings. At least null is standard.

Now, returning : or * or whatever works in some cases because that's not
the input string. But what happens when a program takes the return and saves
it to the database? Then you *do* have a string that matches.

(i think solar then fixed this by alternating between *1 or *2 but now
we're getting really deep into the rabbit hole.)

my perspective is: absent clear knowledge of what programs are doing, attempts
to second guess them in a library function are perilous. let us be standards
compliant, and then at least any resulting holes are clearly the program's
fault.

have i mentioned that i think the whole crypt(3) api can die in a fire?
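Added example, not OpenBSD or libc code, of the failure mode described above: a crypt-style function whose error return is the string ":" lets that string be stored as a credential, after which any password verifies against it, whereas a NULL return cannot be stored at all. The crypt(3) stand-in below is a constructed toy that only mimics the two error behaviours and the 60-character shape of a $2b$ hash; it is not a password hash, and the salts are made up.

```c
/*
 * Added example, not libc code.  fake_crypt_colon() models the old
 * bcrypt() (":" on an unsupported salt), fake_crypt_null() the patched
 * one (NULL).  toy_hash() is a constructed placeholder, not a hash.
 */
#include <stdio.h>
#include <string.h>

#define BCRYPT_LEN	60				/* length of a full $2b$ hash string */
#define GOOD_SALT	"$2b$10$abcdefghijklmnopqrstuv"	/* constructed, 29 chars */
#define BAD_SALT	"$9$notasupportedsalt"		/* constructed: unknown scheme */

typedef const char *(*crypt_fn)(const char *, const char *);

static char hashbuf[BCRYPT_LEN + 1];
char userdb[BCRYPT_LEN + 1];	/* the one "row" of our password store */

static unsigned long
djb2(const char *s)
{
	unsigned long h = 5381;

	while (*s != '\0')
		h = h * 33 + (unsigned char)*s++;
	return h;
}

/*
 * Constructed stand-in for bcrypt_hashpass(): accepts only $2b$ salts and
 * yields salt + 31 hex digits so the result has bcrypt's 60-char shape.
 * It is NOT a password hash; only the error behaviour matters here.
 */
static const char *
toy_hash(const char *pass, const char *salt)
{
	if (strncmp(salt, "$2b$", 4) != 0 || strlen(salt) < 29)
		return NULL;
	snprintf(hashbuf, sizeof hashbuf, "%.29s%031lx", salt, djb2(pass));
	return hashbuf;
}

/* Old bcrypt(): "How do I handle errors ? Return ':'" */
const char *
fake_crypt_colon(const char *pass, const char *salt)
{
	const char *h = toy_hash(pass, salt);

	return h != NULL ? h : ":";
}

/* Patched bcrypt(): errors come back as NULL, as crypt(3) documents */
const char *
fake_crypt_null(const char *pass, const char *salt)
{
	return toy_hash(pass, salt);
}

/* The login check most applications write: recompute with the stored
 * string as the salt and compare.  Whatever was stored is trusted. */
int
login(crypt_fn cf, const char *stored, const char *pass)
{
	const char *h = cf(pass, stored);

	return h != NULL && strcmp(h, stored) == 0;
}

/* Registration that stores whatever crypt hands back. */
int
register_unchecked(crypt_fn cf, const char *pass, const char *salt,
    char *db, size_t dbsz)
{
	const char *h = cf(pass, salt);

	if (h == NULL)
		return -1;	/* NULL at least cannot be stored */
	snprintf(db, dbsz, "%s", h);
	return 0;
}

/* Registration that checks the shape of the hash first, so no error
 * sentinel, however it is spelled, can ever be stored as a credential. */
int
register_checked(crypt_fn cf, const char *pass, const char *salt,
    char *db, size_t dbsz)
{
	const char *h = cf(pass, salt);

	if (h == NULL || strlen(h) != BCRYPT_LEN || strncmp(h, "$2b$", 4) != 0)
		return -1;
	snprintf(db, dbsz, "%s", h);
	return 0;
}

int
main(void)
{
	register_unchecked(fake_crypt_colon, "hunter2", BAD_SALT, userdb,
	    sizeof userdb);
	printf("stored \"%s\"; login with a wrong password: %s\n", userdb,
	    login(fake_crypt_colon, userdb, "not-the-password") ?
	    "accepted" : "rejected");
	printf("checked registration with the NULL variant: %d\n",
	    register_checked(fake_crypt_null, "hunter2", BAD_SALT, userdb,
	    sizeof userdb));
	return 0;
}
```

The bypass needs two things to line up: a sentinel that is a valid C string, and an application that stores it; with a NULL return the second step fails loudly (or crashes, which is the failure Bob and Theo prefer below), and register_checked() shows the application-side guard that makes either library behaviour safe.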



OpenNTPD: Remove _PATH_DEVNULL

2015-07-17 Thread Brent Cook
/dev/null will be available on any POSIX system, but _PATH_DEVNULL may
not, e.g. Solaris. There doesn't seem to be any advantage to
using the define (and we don't use it much in the tree either.)

http://pubs.opengroup.org/onlinepubs/95399/basedefs/xbd_chap10.html
---
 src/usr.sbin/ntpd/ntp.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/usr.sbin/ntpd/ntp.c b/src/usr.sbin/ntpd/ntp.c
index b89ddf2..ddb9cf1 100644
--- a/src/usr.sbin/ntpd/ntp.c
+++ b/src/usr.sbin/ntpd/ntp.c
@@ -125,7 +125,7 @@ ntp_main(int pipe_prnt[2], int fd_ctl, struct ntpd_conf 
*nconf,
if ((se = getservbyname(ntp, udp)) == NULL)
fatal(getservbyname);

-   if ((nullfd = open(_PATH_DEVNULL, O_RDWR, 0)) == -1)
+   if ((nullfd = open(/dev/null, O_RDWR, 0)) == -1)
fatal(NULL);

close(pipe_prnt[0]);
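Review bot: if `_PATH_DEVNULL` was the only thing ntp.c took from <paths.h>, drop that include in the same diff so the portable build does not carry a header it no longer needs; otherwise this is fine, since the open(2) result is already checked.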
--
2.4.5



Re: Get Ruby 2.2 test suite passing

2015-07-17 Thread Bob Beck
On Fri, Jul 17, 2015 at 06:48:31PM -0600, Theo de Raadt wrote:
  my perspective is: absent clear knowledge of what programs are doing, 
  attempts
  to second guess them in a library function are perilous. let us be standards
  compliant, and then at least any resulting holes are clearly the program's
  fault.
 
 such programs always dereference the pointer.
 
 So I agree strongly with a NULL error, rather than something hacky like
 errno modification.

The only objection I can see is something stupid that does not check
the error condition, derefs NULL, drops a core file in an insecure
place, and therefore leaks information. 

To my mind this is a buggy program, combined with an insecure configuration,
and we shouldn't be trying to save people from their own stupid and make it
worse.. 

NULL sounds right to me. 



Re: Get Ruby 2.2 test suite passing

2015-07-17 Thread Theo de Raadt
 The only objection I can see is something stupid that does not check
 the error condition, derefs NULL, drops a core file in an insecure
 place, and therefore leaks information. 

 To my mind this is a buggy program, combined with an insecure configuration,
 and we shouldn't be trying to save people from their own stupid and make it
 worse.. 

I am hoping to see that happen!




Re: httpd: hsts (rfc 6797)

2015-07-17 Thread Ted Unangst
Reyk Floeter wrote:
 On Fri, Jul 17, 2015 at 08:20:11PM -0400, Ted Unangst wrote:
  Florian Obser wrote:
   OK?
   
   diff --git httpd.conf.5 httpd.conf.5
   index b3eaad8..bfca29f 100644
   --- httpd.conf.5
   +++ httpd.conf.5
   @@ -262,6 +262,18 @@ root directory of
.Xr httpd 8
and defaults to
.Pa /run/slowcgi.sock .
   +.It Ic hsts Oo Ar option Oc
   +Enable HTTP Strict Transport Security.
  
  Why this, but not also e.g. Public-Key-Pins or Content-Security?
  
  I think this quickly turns into a call for a generic add-header mechanism.
  
 
 HSTS is a good thing and widely pushed, eg. by Google, in an effort to
 enforce HTTPS over HTTP.  It is a useful security option and florian's
 implementation lets us enable it with one simple statement: hsts.
 
 If we ever find out that we'd also do other things like
 Content-Security, we'll consider adding them as well.

well, here's one list of headers that people may wish to use.
https://www.owasp.org/index.php/List_of_useful_HTTP_headers

there are many similar top five headers you need to use today! lists and
blogs and such. hsts isn't unique. the key pinning and frame
options headers are also widely recommended.



Re: httpd: hsts (rfc 6797)

2015-07-17 Thread Ted Unangst
Florian Obser wrote:
 OK?
 
 diff --git httpd.conf.5 httpd.conf.5
 index b3eaad8..bfca29f 100644
 --- httpd.conf.5
 +++ httpd.conf.5
 @@ -262,6 +262,18 @@ root directory of
  .Xr httpd 8
  and defaults to
  .Pa /run/slowcgi.sock .
 +.It Ic hsts Oo Ar option Oc
 +Enable HTTP Strict Transport Security.

Why this, but not also e.g. Public-Key-Pins or Content-Security?

I think this quickly turns into a call for a generic add-header mechanism.



Re: Get Ruby 2.2 test suite passing

2015-07-17 Thread Theo de Raadt
 my perspective is: absent clear knowledge of what programs are doing, attempts
 to second guess them in a library function are perilous. let us be standards
 compliant, and then at least any resulting holes are clearly the program's
 fault.

such programs always dereference the pointer.

So I agree strongly with a NULL error, rather than something hacky like
errno modification.



Re: Thinkpad active cooling

2015-07-17 Thread Vadim Zhukov
On 17 July 2015 at 22:24, Mark Kettenis mark.kette...@xs4all.nl
wrote:

 Tobias Ulmer wrote on 2015-07-15 05:42:

 On Wed, Jul 15, 2015 at 05:12:41AM +0300, Paul Irofti wrote:

 I am not familiar with all the fan hack specifics so please keep that
in mind
 if my questions and comments seem trivial.

  This is an attempt to solve the problem slightly differently.
  - Hook into acpitz and only speed the fan up when it is requesting
active cooling
  - Never set the fan to a mode that would endanger the hardware should
we crash

 Your diff applies to all Thinkpad models. Is that okay?


 It applies to all Thinkpads that have a sensible value in
 THINKPAD_ECOFFSET_FANLEVEL, as you noticed. There is no flag or
 documentation indicating the existence of this register as far as I
 know. It's somewhat of a tradition, every TP I've owned had it.

 My hope is if they drop support or move the offset, the value will
 change and we won't do any damage.


 The Linux thinkpad-acpi driver suggests that accessing (and especially
 writing to) the THINKPAD_ECOFFSET_FANLEVEL register should not be done
 if the GFAN and/or SFAN ACPI method exists.

 The Linux driver also says that full blast mode might damage the fan.

I've run my thinkpads in disengaged mode at least 30% of their life. Never
had a problem with fans. Nor have I heard a word about broken fans from
people running my disengaged patches.

And overheating damages CPU, which is much more expensive to replace.

--
Vadim Zhukov


httpd: hsts (rfc 6797)

2015-07-17 Thread Florian Obser
OK?

diff --git httpd.conf.5 httpd.conf.5
index b3eaad8..bfca29f 100644
--- httpd.conf.5
+++ httpd.conf.5
@@ -262,6 +262,18 @@ root directory of
 .Xr httpd 8
 and defaults to
 .Pa /run/slowcgi.sock .
+.It Ic hsts Oo Ar option Oc
+Enable HTTP Strict Transport Security.
+Valid options are:
+.Bl -tag -width Ds
+.It Ic max-age Ar seconds
+Set the maximum time in seconds a receiving user agent should regard
+this host as a HSTS host.
+The default is one year.
+.It Ic subdomains
+Signal to the receiving user agent that this host and all sub domains
+of the host's domain should be considered HSTS hosts.
+.El
 .It Ic listen on Ar address Oo Ic tls Oc Ic port Ar number
 Set the listen address and port.
 This statement can be specified multiple times.
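Review bot: two wording nits in the new hsts text: "a HSTS host" should read "an HSTS host", and "sub domains" is one word. It would also help to say that the option only has an effect on a server that listens with tls, since RFC 6797 user agents ignore a Strict-Transport-Security field received over plain HTTP.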
diff --git httpd.h httpd.h
index 2cb7934..9596000 100644
--- httpd.h
+++ httpd.h
@@ -68,6 +68,7 @@
 #define SERVER_OUTOF_FD_RETRIES5
 #define SERVER_MAX_PREFETCH256
 #define SERVER_MIN_PREFETCHED  32
+#define SERVER_HSTS_DEFAULT_AGE31536000
 
 #define MEDIATYPE_NAMEMAX  128 /* file name extension */
 #define MEDIATYPE_TYPEMAX  64  /* length of type/subtype */
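Review bot: the neighbouring defines carry a trailing comment; SERVER_HSTS_DEFAULT_AGE deserves one such as /* one year, in seconds */ so that 31536000 can be checked against the manual page's "The default is one year" at a glance.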
@@ -351,13 +352,14 @@ SPLAY_HEAD(client_tree, client);
 #define SRVFLAG_NO_BLOCK   0x0008
 #define SRVFLAG_LOCATION_MATCH 0x0010
 #define SRVFLAG_SERVER_MATCH   0x0020
+#define SRVFLAG_SERVER_HSTS0x0040
 
 #define SRVFLAG_BITS   \
\10\01INDEX\02NO_INDEX\03AUTO_INDEX\04NO_AUTO_INDEX   \
\05ROOT\06LOCATION\07FCGI\10NO_FCGI\11LOG\12NO_LOG\13SOCKET   \
\14SYSLOG\15NO_SYSLOG\16TLS\17ACCESS_LOG\20ERROR_LOG  \
\21AUTH\22NO_AUTH\23BLOCK\24NO_BLOCK\25LOCATION_MATCH \
-   \26SERVER_MATCH
+   \26SERVER_MATCH\27SERVER_HSTS
 
 #define TCPFLAG_NODELAY0x01
 #define TCPFLAG_NNODELAY   0x02
@@ -443,6 +445,9 @@ struct server_config {
char*return_uri;
off_treturn_uri_len;
 
+   int64_t  hsts_max_age;
+   int  hsts_subdomains;
+
TAILQ_ENTRY(server_config) entry;
 };
 TAILQ_HEAD(serverhosts, server_config);
diff --git parse.y parse.y
index 0870819..8dfad1a 100644
--- parse.y
+++ parse.y
@@ -133,7 +133,7 @@ typedef struct {
 %token COMBINED CONNECTION DHE DIRECTORY ECDHE ERR FCGI INDEX IP KEY LISTEN
 %token LOCATION LOG LOGDIR MATCH MAXIMUM NO NODELAY ON PORT PREFORK PROTOCOLS
 %token REQUEST REQUESTS ROOT SACK SERVER SOCKET STRIP STYLE SYSLOG TCP TIMEOUT
-%token TLS TYPES
+%token TLS TYPES HSTS MAXAGE SUBDOMAINS
 %token ERROR INCLUDE AUTHENTICATE WITH BLOCK DROP RETURN PASS
 %token v.string  STRING
 %token  v.number NUMBER
@@ -256,6 +256,8 @@ server  : SERVER optmatch STRING{
HTTPD_TLS_ECDHE_CURVE,
sizeof(s-srv_conf.tls_ecdhe_curve));
 
+   s-srv_conf.hsts_max_age = -1;
+
if (last_server_id == INT_MAX) {
yyerror(too many servers defined);
free(s);
@@ -556,6 +558,30 @@ serveroptsl: LISTEN ON STRING opttls port {
parentsrv = NULL;
}
| include
+   | hsts  {
+   if (parentsrv != NULL) {
+   yyerror(hsts inside location);
+   YYERROR;
+   }
+   srv-srv_conf.flags |= SRVFLAG_SERVER_HSTS;
+   }
+   ;
+
+hsts   : HSTS '{' optnl hstsflags_l '}'
+   | HSTS hstsflags
+   | HSTS
+   ;
+
+hstsflags_l: hstsflags optcommanl hstsflags_l
+   | hstsflags optnl
+   ;
+
+hstsflags  : MAXAGE NUMBER {
+   srv_conf-hsts_max_age = $2;
+   }
+   | SUBDOMAINS{
+   srv-srv_conf.hsts_subdomains = 1;
+   }
;
 
 fastcgi: NO FCGI   {
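Review bot: the two actions in the hstsflags rule write to different objects: MAXAGE stores into srv_conf->hsts_max_age while SUBDOMAINS stores into srv->srv_conf.hsts_subdomains; use the same target in both so a `hsts { max-age ... subdomains }` block cannot leave the two settings on different structs. The MAXAGE action also accepts any NUMBER, yet -1 is the "not configured" sentinel that the server rule initialises, so a configured `max-age -1` would silently become the default; reject negative values with yyerror (max-age 0 is legitimate and tells user agents to forget the host).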
@@ -1115,6 +1141,7 @@ lookup(char *s)
{ ecdhe,  ECDHE },
{ error,  ERR },
{ fastcgi,FCGI },
+   { hsts,   HSTS },
{ include,INCLUDE },
{ index,  INDEX },
{ ip, IP },
@@ -1125,6 +1152,7 @@ lookup(char *s)
{ logdir, LOGDIR },
{ match,  MATCH },
{ max,MAXIMUM },
+   { max-age,MAXAGE },
{ no, NO },
{ nodelay,NODELAY },
{ on, ON },
@@ -1141,6 +1169,7 @@ lookup(char *s)
{ socket, SOCKET },
  

Re: httpd: hsts (rfc 6797)

2015-07-17 Thread Carlin Bingham
On Sat, 18 Jul 2015, at 12:14 PM, Florian Obser wrote:
 OK?
 
 diff --git httpd.conf.5 httpd.conf.5
 index b3eaad8..bfca29f 100644
 --- httpd.conf.5
 +++ httpd.conf.5
 @@ -262,6 +262,18 @@ root directory of
  .Xr httpd 8
  and defaults to
  .Pa /run/slowcgi.sock .
 +.It Ic hsts Oo Ar option Oc
 +Enable HTTP Strict Transport Security.
 +Valid options are:
 +.Bl -tag -width Ds
 +.It Ic max-age Ar seconds
 +Set the maximum time in seconds a receiving user agent should regard
 +this host as a HSTS host.
 +The default is one year.
 +.It Ic subdomains
 +Signal to the receiving user agent that this host and all sub domains
 +of the host's domain should be considered HSTS hosts.
 +.El

There is a non-standard preload token that Google requires to get onto
Chrome's HSTS preload list[0] which is also used by Firefox. Any chance
of supporting this? Or is its omission a conscious decision?


[0] https://hstspreload.appspot.com/
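As an added example (not part of Florian's diff or of httpd itself), the two new server_config fields rendered into the RFC 6797 field value, with -1 (the sentinel the parse.y hunk stores) falling back to SERVER_HSTS_DEFAULT_AGE, alongside the processing a user agent applies to a received value, which also shows why the preload token asked about above is harmless to a client that does not know it. Function names are assumptions for illustration.

```c
#include <ctype.h>
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Same value as the httpd.h define in the diff: one year in seconds. */
#define SERVER_HSTS_DEFAULT_AGE	31536000

/*
 * Render the Strict-Transport-Security field value (RFC 6797 6.1) from the
 * two fields the diff adds to struct server_config: hsts_max_age (-1 when not
 * configured) and hsts_subdomains.  Returns the value length, or -1 for a
 * negative max-age or a too-small buffer.  Assumed name, not httpd's code.
 */
int
hsts_header_value(int64_t hsts_max_age, int hsts_subdomains, char *buf,
    size_t len)
{
	int64_t age = hsts_max_age == -1 ? SERVER_HSTS_DEFAULT_AGE : hsts_max_age;
	int n;
	if (age < 0)		/* delta-seconds is 1*DIGIT, never negative */
		return (-1);
	n = snprintf(buf, len, "max-age=%lld%s", (long long)age,
	    hsts_subdomains ? "; includeSubDomains" : "");
	return (n < 0 || (size_t)n >= len) ? -1 : n;
}

/* Case-insensitive test of the n bytes at s against a directive name. */
static int
name_equals(const char *s, size_t n, const char *name)
{
	size_t i;
	if (strlen(name) != n)
		return (0);
	for (i = 0; i < n; i++)
		if (tolower((unsigned char)s[i]) != tolower((unsigned char)name[i]))
			return (0);
	return (1);
}

/*
 * Process a received field value the way RFC 6797 8.1 asks a user agent to:
 * max-age is required and may appear only once, names are case-insensitive,
 * unknown directives (e.g. the non-standard preload token) are ignored.
 * Returns 0 and fills in age/subdomains, or -1 if the header must be ignored.
 */
int
hsts_parse(const char *value, int64_t *age, int *subdomains)
{
	const char *s = value, *end, *next, *ne, *v;
	char num[32], *ep;
	int seen_age = 0;
	size_t n;
	*age = -1;
	*subdomains = 0;
	while (s != NULL) {
		end = strchr(s, ';');
		next = end != NULL ? end + 1 : NULL;
		if (end == NULL)
			end = s + strlen(s);
		while (s < end && isspace((unsigned char)*s))
			s++;
		while (end > s && isspace((unsigned char)end[-1]))
			end--;
		/* the directive name runs up to '=', whitespace or the end */
		for (ne = s; ne < end && *ne != '=' &&
		    !isspace((unsigned char)*ne); ne++)
			;
		for (v = ne; v < end && isspace((unsigned char)*v); v++)
			;
		if (v < end && *v != '=')
			return (-1);	/* junk after the directive name */
		if (name_equals(s, ne - s, "max-age")) {
			if (seen_age || v == end)
				return (-1);	/* duplicate or missing value */
			for (v++; v < end && isspace((unsigned char)*v); v++)
				;
			n = end - v;
			if (n == 0 || n >= sizeof(num) || !isdigit((unsigned char)*v))
				return (-1);
			memcpy(num, v, n);
			num[n] = '\0';
			errno = 0;
			*age = strtoll(num, &ep, 10);
			if (errno == ERANGE || *ep != '\0')
				return (-1);
			seen_age = 1;
		} else if (name_equals(s, ne - s, "includeSubDomains"))
			*subdomains = 1;
		s = next;
	}
	return (seen_age ? 0 : -1);
}
```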



Re: OpenNTPD: Remove _PATH_DEVNULL

2015-07-17 Thread Claudio Jeker
On Fri, Jul 17, 2015 at 07:43:11PM -0500, Brent Cook wrote:
 /dev/null will be available on any POSIX system, but _PATH_DEVNULL may
 not, e.g. Solaris. There doesn't seem to be any advantage to
 using the define (and we don't use it much in the tree either.)

Also OK claudio@
 
 http://pubs.opengroup.org/onlinepubs/95399/basedefs/xbd_chap10.html
 ---
  src/usr.sbin/ntpd/ntp.c | 2 +-
  1 file changed, 1 insertion(+), 1 deletion(-)
 
 diff --git a/src/usr.sbin/ntpd/ntp.c b/src/usr.sbin/ntpd/ntp.c
 index b89ddf2..ddb9cf1 100644
 --- a/src/usr.sbin/ntpd/ntp.c
 +++ b/src/usr.sbin/ntpd/ntp.c
 @@ -125,7 +125,7 @@ ntp_main(int pipe_prnt[2], int fd_ctl, struct ntpd_conf 
 *nconf,
   if ((se = getservbyname(ntp, udp)) == NULL)
   fatal(getservbyname);
 
 - if ((nullfd = open(_PATH_DEVNULL, O_RDWR, 0)) == -1)
 + if ((nullfd = open(/dev/null, O_RDWR, 0)) == -1)
   fatal(NULL);
 
   close(pipe_prnt[0]);
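Review bot: if this open() was the last user of _PATH_DEVNULL in ntp.c, check whether the <paths.h> include that supplied it can be dropped in the same change; the substitution itself is fine, /dev/null being one of the paths the linked base definitions require.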
 --
 2.4.5
 

-- 
:wq Claudio



Re: OpenNTPD: replace bzero with memset

2015-07-17 Thread Claudio Jeker
On Fri, Jul 17, 2015 at 07:41:11PM -0500, Brent Cook wrote:
 This diff converts bzero calls to memset, which is more portable and
 compilers can optimize as well.

OK claudio@
 
 ---
  src/usr.sbin/ntpd/client.c  | 2 +-
  src/usr.sbin/ntpd/config.c  | 6 +++---
  src/usr.sbin/ntpd/control.c | 2 +-
  src/usr.sbin/ntpd/ntp.c | 6 +++---
  src/usr.sbin/ntpd/ntpd.c| 4 ++--
  src/usr.sbin/ntpd/parse.y   | 2 +-
  src/usr.sbin/ntpd/server.c  | 2 +-
  7 files changed, 12 insertions(+), 12 deletions(-)
 
 diff --git a/src/usr.sbin/ntpd/client.c b/src/usr.sbin/ntpd/client.c
 index 1d982d6..eca2467 100644
 --- a/src/usr.sbin/ntpd/client.c
 +++ b/src/usr.sbin/ntpd/client.c
 @@ -215,7 +215,7 @@ client_dispatch(struct ntp_peer *p, u_int8_t settime)
   double   T1, T2, T3, T4;
   time_t   interval;
 
 - bzero(somsg, sizeof(somsg));
 + memset(somsg, 0, sizeof(somsg));
   iov[0].iov_base = buf;
   iov[0].iov_len = sizeof(buf);
   somsg.msg_iov = iov;
 diff --git a/src/usr.sbin/ntpd/config.c b/src/usr.sbin/ntpd/config.c
 index 3945405..7e2ecb6 100644
 --- a/src/usr.sbin/ntpd/config.c
 +++ b/src/usr.sbin/ntpd/config.c
 @@ -65,7 +65,7 @@ host_v4(const char *s)
   struct sockaddr_in  *sa_in;
   struct ntp_addr *h;
 
 - bzero(ina, sizeof(struct in_addr));
 + memset(ina, 0, sizeof(struct in_addr));
   if (inet_pton(AF_INET, s, ina) != 1)
   return (NULL);
 
 @@ -86,7 +86,7 @@ host_v6(const char *s)
   struct sockaddr_in6 *sa_in6;
   struct ntp_addr *h = NULL;
 
 - bzero(hints, sizeof(hints));
 + memset(hints, 0, sizeof(hints));
   hints.ai_family = AF_INET6;
   hints.ai_socktype = SOCK_DGRAM; /*dummy*/
   hints.ai_flags = AI_NUMERICHOST;
 @@ -128,7 +128,7 @@ host_dns(const char *s, struct ntp_addr **hn)
   struct sockaddr_in6 *sa_in6;
   struct ntp_addr *h, *hh = NULL;
 
 - bzero(hints, sizeof(hints));
 + memset(hints, 0, sizeof(hints));
   hints.ai_family = PF_UNSPEC;
   hints.ai_socktype = SOCK_DGRAM; /* DUMMY */
   /* ntpd MUST NOT use AI_ADDRCONFIG here */
 diff --git a/src/usr.sbin/ntpd/control.c b/src/usr.sbin/ntpd/control.c
 index 3662971..fa95504 100644
 --- a/src/usr.sbin/ntpd/control.c
 +++ b/src/usr.sbin/ntpd/control.c
 @@ -45,7 +45,7 @@ control_init(char *path)
   return (-1);
   }
 
 - bzero(sa, sizeof(sa));
 + memset(sa, 0, sizeof(sa));
   sa.sun_family = AF_UNIX;
   if (strlcpy(sa.sun_path, path, sizeof(sa.sun_path)) =
   sizeof(sa.sun_path))
 diff --git a/src/usr.sbin/ntpd/ntp.c b/src/usr.sbin/ntpd/ntp.c
 index 50fc468..b89ddf2 100644
 --- a/src/usr.sbin/ntpd/ntp.c
 +++ b/src/usr.sbin/ntpd/ntp.c
 @@ -188,7 +188,7 @@ ntp_main(int pipe_prnt[2], int fd_ctl, struct ntpd_conf 
 *nconf,
   TAILQ_FOREACH(p, conf-ntp_peers, entry)
   client_peer_init(p);
 
 - bzero(conf-status, sizeof(conf-status));
 + memset(conf-status, 0, sizeof(conf-status));
 
   conf-freq.num = 0;
   conf-freq.samples = 0;
 @@ -246,8 +246,8 @@ ntp_main(int pipe_prnt[2], int fd_ctl, struct ntpd_conf 
 *nconf,
   pfd_elms = new_cnt;
   }
 
 - bzero(pfd, sizeof(*pfd) * pfd_elms);
 - bzero(idx2peer, sizeof(*idx2peer) * idx2peer_elms);
 + memset(pfd, 0, sizeof(*pfd) * pfd_elms);
 + memset(idx2peer, 0, sizeof(*idx2peer) * idx2peer_elms);
   nextaction = getmonotime() + 3600;
   pfd[PFD_PIPE_MAIN].fd = ibuf_main-fd;
   pfd[PFD_PIPE_MAIN].events = POLLIN;
 diff --git a/src/usr.sbin/ntpd/ntpd.c b/src/usr.sbin/ntpd/ntpd.c
 index 045bdd4..3adf4dc 100644
 --- a/src/usr.sbin/ntpd/ntpd.c
 +++ b/src/usr.sbin/ntpd/ntpd.c
 @@ -119,7 +119,7 @@ main(int argc, char *argv[])
 
   conffile = CONFFILE;
 
 - bzero(lconf, sizeof(lconf));
 + memset(lconf, 0, sizeof(lconf));
 
   log_init(1);/* log to stderr until daemonized */
 
 @@ -557,7 +557,7 @@ ctl_main(int argc, char *argv[])
   if ((fd = socket(AF_UNIX, SOCK_STREAM, 0)) == -1)
   err(1, ntpctl: socket);
 
 - bzero(sa, sizeof(sa));
 + memset(sa, 0, sizeof(sa));
   sa.sun_family = AF_UNIX;
   if (strlcpy(sa.sun_path, sockname, sizeof(sa.sun_path)) =
   sizeof(sa.sun_path))
 diff --git a/src/usr.sbin/ntpd/parse.y b/src/usr.sbin/ntpd/parse.y
 index 4b9ef49..999ff24 100644
 --- a/src/usr.sbin/ntpd/parse.y
 +++ b/src/usr.sbin/ntpd/parse.y
 @@ -426,7 +426,7 @@ rtable: RTABLE NUMBER {
  void
  opts_default(void)
  {
 - bzero(opts, sizeof opts);
 + memset(opts, 0, sizeof opts);
   opts.weight = 1;
   opts.rtable = -1;
   opts.stratum = 1;
 diff --git a/src/usr.sbin/ntpd/server.c b/src/usr.sbin/ntpd/server.c
 index ef448d3..9c71eed 100644
 --- a/src/usr.sbin/ntpd/server.c
 +++ b/src/usr.sbin/ntpd/server.c
 @@ -175,7 +175,7 @@ server_dispatch(int fd, struct 

Re: Get Ruby 2.2 test suite passing

2015-07-17 Thread Ted Unangst
Ted Unangst wrote:
 Jeremy Evans wrote:
  As an aside, crypt(passwd, "$2") returns ":" instead of NULL.  I'm not
  sure if that's a security issue, but I think it is and we should fix it.
  I'll see if I can get a patch for that and send it to tech@.
 
 This is a weird edge case where niels decided to make bcrypt() work
 differently than crypt(). i don't really know why. I think null is the safer
 return, and we should probably switch. we don't have code that looks for ":"
 (and certainly no third party code ever does), but there is code that checks
 for null.
 

like this.


Index: bcrypt.c
===
RCS file: /cvs/src/lib/libc/crypt/bcrypt.c,v
retrieving revision 1.52
diff -u -p -r1.52 bcrypt.c
--- bcrypt.c28 Jan 2015 23:33:52 -  1.52
+++ bcrypt.c18 Jul 2015 00:29:34 -
@@ -385,12 +385,9 @@ char *
 bcrypt(const char *pass, const char *salt)
 {
static chargencrypted[BCRYPT_HASHSPACE];
-   static chargerror[2];
 
-   /* How do I handle errors ? Return ':' */
-   strlcpy(gerror, :, sizeof(gerror));
if (bcrypt_hashpass(pass, salt, gencrypted, sizeof(gencrypted)) != 0)
-   return gerror;
+   return NULL;
 
return gencrypted;
 }
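Review bot: with the ':' sentinel gone, any in-tree caller that feeds the result of bcrypt() straight to strcmp() against a stored hash now dereferences NULL instead of merely failing the comparison, so the callers should be grepped in the same commit. The removed comment was the only statement of the error convention; a one-line note that NULL means the hash could not be computed would keep the function self-documenting.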



Re: httpd: hsts (rfc 6797)

2015-07-17 Thread Reyk Floeter
On Fri, Jul 17, 2015 at 08:51:54PM -0400, Ted Unangst wrote:
 Reyk Floeter wrote:
  On Fri, Jul 17, 2015 at 08:20:11PM -0400, Ted Unangst wrote:
   Florian Obser wrote:
OK?

diff --git httpd.conf.5 httpd.conf.5
index b3eaad8..bfca29f 100644
--- httpd.conf.5
+++ httpd.conf.5
@@ -262,6 +262,18 @@ root directory of
 .Xr httpd 8
 and defaults to
 .Pa /run/slowcgi.sock .
+.It Ic hsts Oo Ar option Oc
+Enable HTTP Strict Transport Security.
   
   Why this, but not also e.g. Public-Key-Pins or Content-Security?
   
   I think this quickly turns into a call for a generic add-header mechanism.
   
  
  HSTS is a good thing and widely pushed, e.g. by Google, in an effort to
  enforce HTTPS over HTTP.  It is a useful security option and florian's
  implementation lets us enable it with one simple statement: hsts.
  
  If we ever find out that we'd also do other things like
  Content-Security, we'll consider adding them as well.
 
 well, here's one list of headers that people may wish to use.
 https://www.owasp.org/index.php/List_of_useful_HTTP_headers
 
 there are many similar "top five headers you need to use today!" lists and
 blogs and such. hsts isn't unique. the key pinning and frame
 options headers are also widely recommended.

Sure, but how is this related to florian's diff?  Do you say we
cannot do HSTS now because we have to support all other popular
headers or a generic mechanism first?  That doesn't help us.

HSTS is simply the most wanted.  At least by our users and ourselves. 

Additionally, we also want to make it simple by hiding the complexity
with good defaults and without the need that the users have to study
the List_of_useful_HTTP_headers and their various buttons first to
program their own custom HTTP configurations.

Reyk



Call for testing for tty diff

2015-07-17 Thread Stefan Fritsch
While writing a virtio-console driver, I have found a bug in ttwrite() 
that can cause hangs. Below is a fix and after talking to Theo, I would 
like to know if the patch causes regressions for anyone, for example hangs 
in pty input/output, serial ports, etc. Thanks in advance.

Cheers,
Stefan


- Introduce new defines TTHIWATMINSPACE, TTMINHIWAT for some magic values
  that are used in tty.c.
- Remove hiwat adjustments in ttwrite(). This fixes the missing spltty().
- The above alone causes deadlocks with ptys. Change ttysetwater() to keep 
  at least TTHIWATMINSPACE space above the high water mark. This makes it
  consistent with ttycheckoutq() and seems to fix the pty deadlocks.


--- sys/kern/tty.c
+++ sys/kern/tty.c
@@ -1688,7 +1688,7 @@ ttycheckoutq(struct tty *tp, int wait)
hiwat = tp-t_hiwat;
s = spltty();
oldsig = wait ? curproc-p_siglist : 0;
-   if (tp-t_outq.c_cc  hiwat + 200)
+   if (tp-t_outq.c_cc  hiwat + TTHIWATMINSPACE)
while (tp-t_outq.c_cc  hiwat) {
ttstart(tp);
if (wait == 0 || curproc-p_siglist != oldsig) {
@@ -1823,7 +1823,7 @@ loop:
tp-t_rocount = 0;
if (ttyoutput(*cp, tp) = 0) {
/* out of space */
-   goto overfull;
+   goto ovhiwat;
}
cp++;
cc--;
@@ -1849,7 +1849,7 @@ loop:
tp-t_outcc += ce;
if (i  0) {
/* out of space */
-   goto overfull;
+   goto ovhiwat;
}
if (ISSET(tp-t_lflag, FLUSHO) ||
tp-t_outq.c_cc  hiwat)
@@ -1869,15 +1869,6 @@ done:
explicit_bzero(obuf, obufcc);
return (error);
 
-overfull:
-   /*
-* Since we are using ring buffers, if we can't insert any more into
-* the output queue, we can assume the ring is full and that someone
-* forgot to set the high water mark correctly.  We set it and then
-* proceed as normal.
-*/
-   hiwat = tp-t_outq.c_cc - 1;
-
 ovhiwat:
ttstart(tp);
s = spltty();
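Review bot: the removed comment was the only explanation of what a full ring means here; now that both "out of space" sites jump straight to ovhiwat, a short comment at the label saying that ttsetwater() keeps hiwat at least TTHIWATMINSPACE below the ring size, so a full ring always implies c_cc above hiwat and the sleep will be woken by ttstart() draining it, would preserve that reasoning for the next reader.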
@@ -2114,7 +2105,7 @@ ttsetwater(struct tty *tp)
cps = tp-t_ospeed / 10;
tp-t_lowat = x = CLAMP(cps / 2, TTMAXLOWAT, TTMINLOWAT);
x += cps;
-   tp-t_hiwat = CLAMP(x, tp-t_outq.c_cn, 100);
+   tp-t_hiwat = CLAMP(x, tp-t_outq.c_cn - TTHIWATMINSPACE, TTMINHIWAT);
 #undef CLAMP
 }
 
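Review bot: in ttsetwater() the new upper bound tp->t_outq.c_cn - TTHIWATMINSPACE falls below the lower bound TTMINHIWAT for any output ring smaller than 300 bytes, and what CLAMP returns then depends on which limit it applies last; either assert that every ring is at least TTMINHIWAT + TTHIWATMINSPACE bytes or note that invariant next to the defines, since ttycheckoutq() and the ovhiwat path now rely on it.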
--- sys/sys/tty.h
+++ sys/sys/tty.h
@@ -171,6 +171,8 @@ struct itty {
 #ifdef _KERNEL
 #defineTTMAXLOWAT  256
 #defineTTMINLOWAT  32
+#defineTTMINHIWAT  100
+#defineTTHIWATMINSPACE 200 /* Min space above hiwat */
 #endif
 
 /* These flags are kept in t_state. */



Re: doubled words in libcrypto manuals

2015-07-17 Thread Ingo Schwarze
Hi Theo,

Theo Buehler wrote on Wed, Jul 08, 2015 at 10:28:56AM +0200:

 While dabbling with J. Friedl's script for detecting doubled words in his
 Mastering Regular Expressions book, I found these four instances of
 doubled words.
 
 Three of these are completely straightforward:
 
 EC_GROUP_copy.pod: the the
 EC_KEY_new.pod: have have
 d2i_X509_NAME.pod: the the
 
 However, the doubled 'not' in EVP_DigestVerifyInit.pod reverses the
 meaning of the sentence.  The context indicates that the word
 doubling is unintended.

Committed, thanks.
  Ingo


 Index: lib/libssl/src/doc/crypto/EC_GROUP_copy.pod
 ===
 RCS file: /cvs/src/lib/libssl/src/doc/crypto/EC_GROUP_copy.pod,v
 retrieving revision 1.1
 diff -u -p -r1.1 EC_GROUP_copy.pod
 --- lib/libssl/src/doc/crypto/EC_GROUP_copy.pod   11 Jul 2014 16:18:14 
 -  1.1
 +++ lib/libssl/src/doc/crypto/EC_GROUP_copy.pod   8 Jul 2015 08:21:24 
 -
 @@ -158,7 +158,7 @@ EC_GROUP_get0_seed returns a pointer to 
  specified. EC_GROUP_get_seed_len returns the length of the seed or 0 if the 
 seed is not specified.
  
  EC_GROUP_set_seed returns the length of the seed that has been set. If the 
 supplied seed is NULL, or the supplied seed length is
 -0, the the return value will be 1. On error 0 is returned.
 +0, the return value will be 1. On error 0 is returned.
  
  EC_GROUP_cmp returns 0 if the curves are equal, 1 if they are not equal, or 
 -1 on error.
  
 Index: lib/libssl/src/doc/crypto/EC_KEY_new.pod
 ===
 RCS file: /cvs/src/lib/libssl/src/doc/crypto/EC_KEY_new.pod,v
 retrieving revision 1.1
 diff -u -p -r1.1 EC_KEY_new.pod
 --- lib/libssl/src/doc/crypto/EC_KEY_new.pod  11 Jul 2014 16:18:14 -  
 1.1
 +++ lib/libssl/src/doc/crypto/EC_KEY_new.pod  8 Jul 2015 08:21:24 -
 @@ -78,7 +78,7 @@ The functions EC_KEY_get_conv_form and E
  of point_conversion_forms please refer to LEC_POINT_new(3)|EC_POINT_new(3).
  
  EC_KEY_insert_key_method_data and EC_KEY_get_key_method_data enable the 
 caller to associate arbitary additional data specific to the
 -elliptic curve scheme being used with the EC_KEY object. This data is 
 treated as a black box by the ec library. The data to be stored by 
 EC_KEY_insert_key_method_data is provided in the Bdata parameter, which 
 must have have associated functions for duplicating, freeing and 
 clear_freeing the data item. If a subsequent EC_KEY_get_key_method_data 
 call is issued, the functions for duplicating, freeing and clear_freeing 
 the data item must be provided again, and they must be the same as they were 
 when the data item was inserted.
 +elliptic curve scheme being used with the EC_KEY object. This data is 
 treated as a black box by the ec library. The data to be stored by 
 EC_KEY_insert_key_method_data is provided in the Bdata parameter, which 
 must have associated functions for duplicating, freeing and clear_freeing 
 the data item. If a subsequent EC_KEY_get_key_method_data call is issued, the 
 functions for duplicating, freeing and clear_freeing the data item must be 
 provided again, and they must be the same as they were when the data item was 
 inserted.
  
  EC_KEY_set_flags sets the flags in the Bflags parameter on the EC_KEY 
 object. Any flags that are already set are left set. The currently defined 
 standard flags are EC_FLAG_NON_FIPS_ALLOW and EC_FLAG_FIPS_CHECKED. In 
 addition there is the flag EC_FLAG_COFACTOR_ECDH which is specific to ECDH 
 and is defined in ecdh.h. EC_KEY_get_flags returns the current flags that are 
 set for this EC_KEY. EC_KEY_clear_flags clears the flags indicated by the 
 Bflags parameter. All other flags are left in their existing state.
  
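Review bot: the unchanged context line "caller to associate arbitary additional data" in this hunk carries another typo (arbitrary) that could have gone in the same sweep.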
 Index: lib/libssl/src/doc/crypto/EVP_DigestVerifyInit.pod
 ===
 RCS file: /cvs/src/lib/libssl/src/doc/crypto/EVP_DigestVerifyInit.pod,v
 retrieving revision 1.5
 diff -u -p -r1.5 EVP_DigestVerifyInit.pod
 --- lib/libssl/src/doc/crypto/EVP_DigestVerifyInit.pod20 Jun 2015 
 01:07:25 -  1.5
 +++ lib/libssl/src/doc/crypto/EVP_DigestVerifyInit.pod8 Jul 2015 
 08:21:24 -
 @@ -39,7 +39,7 @@ or a negative value for failure. In part
  the operation is not supported by the public key algorithm.
  
  Unlike other functions the return value 0 from EVP_DigestVerifyFinal() only
 -indicates that the signature did not not verify successfully (that is tbs did
 +indicates that the signature did not verify successfully (that is tbs did
  not match the original data or the signature was of invalid form) it is not 
 an
  indication of a more serious error.
  
 Index: lib/libssl/src/doc/crypto/d2i_X509_NAME.pod
 ===
 RCS file: /cvs/src/lib/libssl/src/doc/crypto/d2i_X509_NAME.pod,v
 retrieving revision 1.2
 diff -u -p -r1.2 d2i_X509_NAME.pod
 --- 

OpenNTPD: replace bzero with memset

2015-07-17 Thread Brent Cook
This diff converts bzero calls to memset, which is more portable and
compilers can optimize as well.

---
 src/usr.sbin/ntpd/client.c  | 2 +-
 src/usr.sbin/ntpd/config.c  | 6 +++---
 src/usr.sbin/ntpd/control.c | 2 +-
 src/usr.sbin/ntpd/ntp.c | 6 +++---
 src/usr.sbin/ntpd/ntpd.c| 4 ++--
 src/usr.sbin/ntpd/parse.y   | 2 +-
 src/usr.sbin/ntpd/server.c  | 2 +-
 7 files changed, 12 insertions(+), 12 deletions(-)

diff --git a/src/usr.sbin/ntpd/client.c b/src/usr.sbin/ntpd/client.c
index 1d982d6..eca2467 100644
--- a/src/usr.sbin/ntpd/client.c
+++ b/src/usr.sbin/ntpd/client.c
@@ -215,7 +215,7 @@ client_dispatch(struct ntp_peer *p, u_int8_t settime)
double   T1, T2, T3, T4;
time_t   interval;

-   bzero(somsg, sizeof(somsg));
+   memset(somsg, 0, sizeof(somsg));
iov[0].iov_base = buf;
iov[0].iov_len = sizeof(buf);
somsg.msg_iov = iov;
diff --git a/src/usr.sbin/ntpd/config.c b/src/usr.sbin/ntpd/config.c
index 3945405..7e2ecb6 100644
--- a/src/usr.sbin/ntpd/config.c
+++ b/src/usr.sbin/ntpd/config.c
@@ -65,7 +65,7 @@ host_v4(const char *s)
struct sockaddr_in  *sa_in;
struct ntp_addr *h;

-   bzero(ina, sizeof(struct in_addr));
+   memset(ina, 0, sizeof(struct in_addr));
if (inet_pton(AF_INET, s, ina) != 1)
return (NULL);

@@ -86,7 +86,7 @@ host_v6(const char *s)
struct sockaddr_in6 *sa_in6;
struct ntp_addr *h = NULL;

-   bzero(hints, sizeof(hints));
+   memset(hints, 0, sizeof(hints));
hints.ai_family = AF_INET6;
hints.ai_socktype = SOCK_DGRAM; /*dummy*/
hints.ai_flags = AI_NUMERICHOST;
@@ -128,7 +128,7 @@ host_dns(const char *s, struct ntp_addr **hn)
struct sockaddr_in6 *sa_in6;
struct ntp_addr *h, *hh = NULL;

-   bzero(hints, sizeof(hints));
+   memset(hints, 0, sizeof(hints));
hints.ai_family = PF_UNSPEC;
hints.ai_socktype = SOCK_DGRAM; /* DUMMY */
/* ntpd MUST NOT use AI_ADDRCONFIG here */
diff --git a/src/usr.sbin/ntpd/control.c b/src/usr.sbin/ntpd/control.c
index 3662971..fa95504 100644
--- a/src/usr.sbin/ntpd/control.c
+++ b/src/usr.sbin/ntpd/control.c
@@ -45,7 +45,7 @@ control_init(char *path)
return (-1);
}

-   bzero(sa, sizeof(sa));
+   memset(sa, 0, sizeof(sa));
sa.sun_family = AF_UNIX;
if (strlcpy(sa.sun_path, path, sizeof(sa.sun_path)) =
sizeof(sa.sun_path))
diff --git a/src/usr.sbin/ntpd/ntp.c b/src/usr.sbin/ntpd/ntp.c
index 50fc468..b89ddf2 100644
--- a/src/usr.sbin/ntpd/ntp.c
+++ b/src/usr.sbin/ntpd/ntp.c
@@ -188,7 +188,7 @@ ntp_main(int pipe_prnt[2], int fd_ctl, struct ntpd_conf 
*nconf,
TAILQ_FOREACH(p, conf-ntp_peers, entry)
client_peer_init(p);

-   bzero(conf-status, sizeof(conf-status));
+   memset(conf-status, 0, sizeof(conf-status));

conf-freq.num = 0;
conf-freq.samples = 0;
@@ -246,8 +246,8 @@ ntp_main(int pipe_prnt[2], int fd_ctl, struct ntpd_conf 
*nconf,
pfd_elms = new_cnt;
}

-   bzero(pfd, sizeof(*pfd) * pfd_elms);
-   bzero(idx2peer, sizeof(*idx2peer) * idx2peer_elms);
+   memset(pfd, 0, sizeof(*pfd) * pfd_elms);
+   memset(idx2peer, 0, sizeof(*idx2peer) * idx2peer_elms);
nextaction = getmonotime() + 3600;
pfd[PFD_PIPE_MAIN].fd = ibuf_main-fd;
pfd[PFD_PIPE_MAIN].events = POLLIN;
diff --git a/src/usr.sbin/ntpd/ntpd.c b/src/usr.sbin/ntpd/ntpd.c
index 045bdd4..3adf4dc 100644
--- a/src/usr.sbin/ntpd/ntpd.c
+++ b/src/usr.sbin/ntpd/ntpd.c
@@ -119,7 +119,7 @@ main(int argc, char *argv[])

conffile = CONFFILE;

-   bzero(lconf, sizeof(lconf));
+   memset(lconf, 0, sizeof(lconf));

log_init(1);/* log to stderr until daemonized */

@@ -557,7 +557,7 @@ ctl_main(int argc, char *argv[])
if ((fd = socket(AF_UNIX, SOCK_STREAM, 0)) == -1)
err(1, ntpctl: socket);

-   bzero(sa, sizeof(sa));
+   memset(sa, 0, sizeof(sa));
sa.sun_family = AF_UNIX;
if (strlcpy(sa.sun_path, sockname, sizeof(sa.sun_path)) =
sizeof(sa.sun_path))
diff --git a/src/usr.sbin/ntpd/parse.y b/src/usr.sbin/ntpd/parse.y
index 4b9ef49..999ff24 100644
--- a/src/usr.sbin/ntpd/parse.y
+++ b/src/usr.sbin/ntpd/parse.y
@@ -426,7 +426,7 @@ rtable  : RTABLE NUMBER {
 void
 opts_default(void)
 {
-   bzero(opts, sizeof opts);
+   memset(opts, 0, sizeof opts);
opts.weight = 1;
opts.rtable = -1;
opts.stratum = 1;
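Review bot: every other replacement in this series writes sizeof(x) with parentheses; for consistency this one should read memset(opts, 0, sizeof(opts)) rather than sizeof opts.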
diff --git a/src/usr.sbin/ntpd/server.c b/src/usr.sbin/ntpd/server.c
index ef448d3..9c71eed 100644
--- a/src/usr.sbin/ntpd/server.c
+++ b/src/usr.sbin/ntpd/server.c
@@ -175,7 +175,7 @@ server_dispatch(int fd, struct ntpd_conf *lconf)
if (ntp_getmsg((struct sockaddr *)fsa, buf, size, 

Re: httpd: hsts (rfc 6797)

2015-07-17 Thread Reyk Floeter
On Fri, Jul 17, 2015 at 08:20:11PM -0400, Ted Unangst wrote:
 Florian Obser wrote:
  OK?
  
  diff --git httpd.conf.5 httpd.conf.5
  index b3eaad8..bfca29f 100644
  --- httpd.conf.5
  +++ httpd.conf.5
  @@ -262,6 +262,18 @@ root directory of
   .Xr httpd 8
   and defaults to
   .Pa /run/slowcgi.sock .
  +.It Ic hsts Oo Ar option Oc
  +Enable HTTP Strict Transport Security.
 
 Why this, but not also e.g. Public-Key-Pins or Content-Security?
 
 I think this quickly turns into a call for a generic add-header mechanism.
 

HSTS is a good thing and widely pushed, e.g. by Google, in an effort to
enforce HTTPS over HTTP.  It is a useful security option and florian's
implementation lets us enable it with one simple statement: hsts.

If we ever find out that we'd also do other things like
Content-Security, we'll consider adding them as well.

Adding a generic header mechanism would make it utterly more complex,
both from a usability and an implementation point of view.  If we ever
find the time and need for such mechanism, we can keep the existing
hsts keywords as a higher layer on top of it.

Reyk



Re: httpd: hsts (rfc 6797)

2015-07-17 Thread Stuart Henderson
On 2015/07/17 20:51, Ted Unangst wrote:
 Reyk Floeter wrote:
  On Fri, Jul 17, 2015 at 08:20:11PM -0400, Ted Unangst wrote:
   Florian Obser wrote:
OK?

diff --git httpd.conf.5 httpd.conf.5
index b3eaad8..bfca29f 100644
--- httpd.conf.5
+++ httpd.conf.5
@@ -262,6 +262,18 @@ root directory of
 .Xr httpd 8
 and defaults to
 .Pa /run/slowcgi.sock .
+.It Ic hsts Oo Ar option Oc
+Enable HTTP Strict Transport Security.
   
   Why this, but not also e.g. Public-Key-Pins or Content-Security?
   
   I think this quickly turns into a call for a generic add-header mechanism.
   
  
  HSTS is a good thing and widely pushed, e.g. by Google, in an effort to
  enforce HTTPS over HTTP.  It is a useful security option and florian's
  implementation lets us enable it with one simple statement: hsts.
  
  If we ever find out that we'd also do other things like
  Content-Security, we'll consider adding them as well.
 
 well, here's one list of headers that people may wish to use.
 https://www.owasp.org/index.php/List_of_useful_HTTP_headers
 
 there are many similar "top five headers you need to use today!" lists and
 blogs and such. hsts isn't unique. the key pinning and frame
 options headers are also widely recommended.
 

There are others outside of security too, like cache-control.