| Age | Commit message (Collapse) | Author |
|---|
|
---
Recent versions of Unbound contain a problem that may cause Unbound to
crash after receiving a specially crafted query. This issue can only be
triggered by queries received from addresses allowed by Unbound's ACL.
---
tested by benno, tb
|
|
This also fixes a brain fart in trust_anchor_resolve_done() which was
arguably created by "sec" carrying 3 values and "true" does not mean
secure. Why this does not use enum sec_status is beyond me.
|
|
avoid an out-of-bound write for specific values and also check for
oob writes in general; with input from kettenis; ok florian@ kn@
|
|
|
|
instead of log_debug in error cases.
ok bluhm@ sthen@
|
|
ok bluhm@
|
|
Found by llvm's scan-build.
OK deraadt, benno
|
|
Do not assume that required tokens have been generated by strsep.
(toks[0] cannot be NULL but it doesn't hurt to be explicit about it.)
Found by llvm's scan-build.
OK deraadt, kn
|
|
to ps(1).
Noted by kettenis@. florian@'s fix pointed out by maestre@.
ok maestre@
|
|
ok mlarkin
|
|
Heavy lifting by sthen with updating in-tree unbound(8)
|
|
This became possible because copies of the original v1 manuals
have shown up on the Internet some time ago.
Reminded by Sevan Janiyan <venture37 at geeklan dot co dot uk>.
|
|
when an interface is gone. Bubble the error up and let the callers
deal with it instead of exiting.
OK deraadt, benno
|
|
getcap->cgetent. pwcache->user_from_uid. And then repair references.
ok jmc
|
|
ifconfig display them in 'scan' output and on the ieee80211 status line if
the failure is applicable to an already selected AP (e.g. wrong WPA key).
This will hopefully reduce the amount of help requests for what often
turn out to be trivial misconfiguration issues that were previously
hard to diagnose without debug mode.
ifconfig must be recompiled with the new ieee80211_ioctl.h to stay in
sync with the kernel. A full 'make build' will do the right thing!
Very helpful input by mpi@ and deraadt@
|
|
were still not correct. While the values written to the kernel are
fine, the bytes for padding were taken from memory after the sockaddr
structs.
In route(8) the union of sockaddrs can be made larger, so that the
padding is taken from there.
In arp(8) the size of the struct is known. Copy only the struct
and advance over the padding. The memory has been zeroed before.
Merge all address size fixes from arp(8) into ndp(8).
OK claudio@
|
|
help/ok deraadt
|
|
link-state change and no new router advertisement is obtained (in accordance
with RFC 6059).
This should improve IPv6 -> legacy-IP-only transitions, preventing
applications from believing IPv6 connectivity is available when it is
not, potentially resulting in long timeouts.
suggestion, input and OK florian@ phessler@
|
|
|
|
included in the routing message. The significance of the bits has
to be consistent with the order of the addresss. In route(8) store
addresses in ascending order of RTA values. This allows to use
MPLS routes together with route labels.
OK mpi@ claudio@
|
|
ok patrick@
|
|
type. Provide the address family AF_LINK and storage size of struct
sockaddr_dl to the kernel when creating an IFP routing address.
OK mpi@
|
|
found by deraadt@
|
|
|
|
implausible bug existed in the socket setup (mostly dns-related and
setsockopt) it would be largely neutered. of course, a very restrictive
pledge is installed soon after that...
ok mestre brynet florian
|
|
shrinks some QSFP+ DAC output a bit.
|
|
|
|
qsfp and xfp have remarkably similar layouts, so we can use the
same code to print media for both. sfp and xfp/qsfp generally have
the same fields, just in different register locations and with some
different scales/factors for some values. this change provides a
map of these differences as structs for the sfp and qsfp/xfp layouts.
the big difference between sfp, xfp, and qsfp that still remains
is how they interpret the wavelength field. qsfp stores either optic
wavelength in units of 0.05nm, or a couple of copper cable attenuation
values in dB at different frequencies. sfp stores wavelength in nm
units, but has magic values to blacklist copper cables with. xfp
stores wavelength in 0.05 nm units, so more like like qsfp. right
now the code uses the sfp behaviour, which means qsfp will show a
weird wavelength for copper cables when it shouldnt. i'm still
trying to figure out the least worst way to handle that, but at
least it looks right for optics now.
|
|
this shows the maximum case temperature reported by the chip, and
the low and high alarm ranges for temp and vcc when page 3 is
available and working.
this will hopefully give deraadt@ a better idea about how much
headroom one of his 100g optics has.
|
|
this is a bit rough, but a good start. apart from the media types
and length, qsfp support should be on par with sfp modules now.
|
|
i have some qsfp DACs and a couple of optics, and they're all
terrible, so this is about as far as i can go for now. at least the
code will be robust in the face of terrible modules though.
the DACs are pretty dumb and basically report that they're DACs
with some strings. this code just prints that they're DACs with
strings now.
modules are supposed to be able to report overall temperature and
voltage, and optics can report tx and rx values for the 4 different
signal lanes they're supposed to provide. interestingly the current
values are always reported in the lower page, but thresholds are
reported in page 3, but not all modules support page switching.
devices are supposed to say whether they can switch pages, but i
have one that does say it can switch but then doesn't. anyway, the
take away is that it is therefore possible for a module to report
values without also
reporting thresholds.
this sets the code up to report the values on their own if we can't
query page 3 for any reason.
if the temp sensor value looks bogus (ie, 0x0000 or 0xffff), assume
the monitor values are bogus and bail early.
hopefully i can find a module soon that supports multiple signal
lanes and actually reports their values and thresholds for them.
|
|
The fix is the same as for other parse.y files in the tree (see bgpd(8) or
unwind(8))
ok bluhm@
|
|
OK florian
|
|
ok patrick@
|
|
OK gerhard@
|
|
Explain the use of the option (according to the RFC) and make clear it is
not usually needed for subnets specified in "from" and "to" options.
ok sthen@
|
|
If the IKE SA changes during an ongoing rekey exchange, messages may be
lost because they were inteded for the old SA. An iked instance that is
waiting for a rekey Child SA response will no longer reply to IKE SA
rekey requests until the ongoing Child SA exchange has completed or
timed out.
ok sthen@
|
|
for IPv6 link local addresses.
Some hosting and VM providers route customer IPv6 prefixes to link
local addresses derived from ethernet MAC addresses (RFC 2464). This
leads to hard to debug IPv6 connectivity problems and is probably not
worth the effort.
RFC 7721 lists 4 weaknesses:
3.1. Correlation of Activities over Time & 3.2. Location Tracking
These are still possible with RFC 7217 addresses for an adversary
connected to the same layer 2 network (think conference wifi). Since
the link local prefix stays the same (fe80::/64) the link local
addresses do not change between different networks.
An adversary on the same layer 2 network can probably track ethernet
MAC addresses via different means, too.
3.3. Address Scanning & 3.4. Device-Specific Vulnerability Exploitation
These now become possible, however, as noted above a layer 2 adversary
was probably able to do this via different means.
People concerned with these weaknesses are advised to use
ifconfig lladdr random.
OK benno
input & OK kn
|
|
|
|
ok patrick@
|
|
Ok kn@
|
|
For all transforms the error case only printed the error but
did not exit. YYERROR was added to exit gracefully instead of
segfaulting later.
ok benno@
|
|
(bug found and fix tested by Jesper Wallin)
OK deraadt OK kn
|
|
set.
ok patrick@
|
|
which SA. Use IKE specific terms peer and local instead of to and from.
ok reyk@ patrick@
|
|
to misread.
as per suggestion by and OK deraadt@
|
|
Brings various dhcp related daemons into line with
the common idiom.
ok florian@
|
|
carry on if it can't be accessed. e.g. if /var/db is not present in
single user mode.
|
|
and carry-on. Similar to treatment of /etc/resolv.conf[.tail].
Lets /var/db/dhclient.leases.if be on RO filesystem.
|
|
|
