Age | Commit message (Collapse) | Author |
|
wart is incompatible with pledge, because suddenly a "dns" operation
needs "getpw" access to ypbind/ypserv, etc. file + dns access is
enough for everyone, sorry if you were using that old SunOS 4.x style
mechanism, but it is now gone.
ok semarie millert florian
|
|
from asr_ctx was skipped. Missed in previous commit.
OK deraadt@
|
|
nameservers could overflow the dns search pointers. Restrict the
number, size and address family of nameservers in res_init(3). This
fixes a crash in sendmail. Only programs that use the bind resolver
internals directly are affected.
OK deraadt@ millert@
|
|
the resolver.
ok millert@ deraadt@
|
|
This extension never made it to other systems. (pledge is also happy
with this. The idea of DNS @ any port collides with pledge encouraging
differentiation between DNS and non-DNS sockets)
ok phessler jung sthen kettenis
|
|
dnsconnect() calls. Be a bit careful crossing over this, need a kernel
no older than Monday.
ok guenther tedu semarie
|
|
system calls. These signal to the pledge kernel code that a DNS
transaction is happening. These special sockets only work well with
port 53 (there are some cute plans...).
Programs calling pledge "inet" will not work! You need pledge "dns",
and of course, you need a fairly fresh kernel.
ok guenther kettenis tedu
|
|
ok deraadt@
|
|
via _asr_use_resolver(). If the hint specifies AI_NUMERICHOST,
create a transient lookup context which won't try to open /etc/resolv.conf
ok eric guenther
|
|
layers to decide. The request could be AI_NUMERICHOST. [And the process
could be tame()-constrained to not open /etc/resolv.conf]
ok eric guenther
|
|
ok millert@
|
|
When it was integrated as the main resolver, a bunch of strange initialization
code remained. Start whittling away at this, piece by piece, to make it
more clear.
ok eric
|
|
ok jca@
|
|
discussed with otto
|
|
direction & ok guenther
|
|
ok deraadt@
|
|
|
ok gilles@
|
|
print_sockaddr is internal to asr, and conflicts with ports/net/samba4.
ok eric@
|
|
is used after pid has changed.
ok deraadt@
|
|
with a newline.
ok jca@
|
|
ok eric@
|
|
prodded by Brad
ok jca@
|
|
for address/port formatting (e.g. NI_NUMERICHOST).
ok deraadt@ jca@
|
|
This is what RFC3493 suggests. Fixes AI_ADDRCONFIG on setups where
global addresses are configured only on loopback interfaces.
Discussed with and ok eric@ gilles@
|
|
Input from and ok gilles@ eric@
|
|
Bump MAXADDRS/ALIASES to the original of 35, and silently ignore extras
instead of failing.
Noticed by markson on freenode.
OK eric@ "with revised diff", phessler@.
|
|
This is what RFC 2553 initially described, sadly RFC 3493 stopped
limiting scope to DNS. This can result in nonsensical failures with
loopback addresses, link-local addresses, raw addresses and /etc/hosts
entries.
with and ok eric@ sperreault@
|
|
ok eric@
|
|
review by millert, binary checking process with doug, concept with guenther
|
|
it to get limits.h early enough
|
|
ok espie@ deraadt@ millert@ tedu@
|
|
in gethostbyname(). Similar fix for getnetbyname().
ok deraadt@ daniel@ jca@
|
|
of the resulting FILE *), then pass fopen() the 'e' mode letter to
mark it close-on-exec.
ok miod@
|
|
ok miod@
|
|
NO_DATA/EAI_NODATA when the hostname param is an empty string.
So far, they were using the entries in the search list with no
additional component, which is not really expected.
reported by jsing@ and a few others
ok deraadt@, "makes sense" jsing@
|
|
fix null deref spotted by Seth Hanford, pinpointed by dtucker@
ok florian@
|
|
ok sperreault@
|
|
This is a getaddrinfo() flag that is defined thusly in RFC 3493:
If the AI_ADDRCONFIG flag is specified, IPv4 addresses shall be
returned only if an IPv4 address is configured on the local system,
and IPv6 addresses shall be returned only if an IPv6 address is
configured on the local system. The loopback address is not
considered for this case as valid as a configured address.
For example, when using the DNS, a query for AAAA records should
occur only if the node has at least one IPv6 address configured
(other than IPv6 loopback) and a query for A records should occur
only if the node has at least one IPv4 address configured (other
than the IPv4 loopback).
The flag is set by default when hints is NULL.
ok Eric Faurot, Jason McIntyre
|
|
ok eric@ sthen@ deraadt@
|
|
Include tweaks suggested by mpi@
ok deraadt@
|
|
structures, functions and defines.
discussed with and ok deraadt@ guenther@
|