(What were they smoking?!)
I suspect most of this is actually dead code that wasn't properly
amputated along with the rest of the gangrene of NFSKERB a decade
ago, but I'm out of time to investigate further. If someone else
wants to kill NFSSVC_AUTHIN/NFSSVC_AUTHINFAIL and the rest of the
tentacular kerberosity, be my guest.
Noted by Silvio Cesare of InfoSect.
* Move the structure definitions into frag6.c, they should not be used
elsewhere.
* Rename ip6af_mff -> ip6af_more, and switch it to bool, easier to
understand.
* Remove IP6_REASS_MBUF, no point in keeping this.
* Remove ip6q_arrive and ip6q_nxtp, unused.
* Style.
When waiting for a route update to finish, a waiter has to release its reference
to the route to avoid a deadlock. Because an updater tries to wait for references
to a target route (except for a reference by the updater itself) to be released.
The softint was introduced to defer fownsignal that was called in bpf_wakeup to
softint at v1.139, but now bpf_wakeup always runs in softint so we don't need
the softint anymore.
that they don't have a 'length' field. It is therefore incorrect to
read ip6e.ip6e_len, it contains garbage.
I'm not sure whether this is an exploitable vulnerability. Because of this
bug you could theoretically craft 'protoff', which means that you can
have the kernel patch the nxt value at the wrong place once the packet
is decrypted. Perhaps it can be used in some unusual MITM - a router that
happens to be between two IPsec hosts adds a frag6 option in the outer
IPv6 header to trigger the bug in the receiver -, but I couldn't come up
with anything worrying.
to prevent use-after-free.
In fact, the m_pullup call is never reached: it is impossible for 'skip'
to be zero in this function, so add an XXX for now.
Summary of changes in tzdata2018c (2018-01-22 23:00:44 -0800):
Summary of changes in tzdata2018b (2018-01-17 23:24:48 -0800):
Summary of changes in tzdata2018a (2018-01-12 22:29:21 -0800):
2018a and 2018b were (kind of) released, but never announced.
Some "issues" were found with them that caused the relatively
quick updates...
The updates are from the previous version (2017c) to the
current one (2018c) - that 2018a & 2018b intervened is best
forgotten... (changes in 2018a that were corrected (2018b) or
reverted (2018c) are not mentioned).
Briefly:
Sao Tome and Principe (an island nation off the west coast of Equatorial Africa)
switched from +00 to +01.
Brazil's DST will now start on November's first Sunday.
Use Debian-style installation locations, instead of 4.3BSD-style.
(this does not affect NetBSD, we do not use the tzdata Makefile)
Changes to past and future time stamps
Sao Tome and Principe switched from +00 to +01 on 2018-01-01 at
01:00. (Thanks to Steffen Thorsen and Michael Deckers.)
Changes to future time stamps
Starting in 2018 southern Brazil will begin DST on November's
first Sunday instead of October's third Sunday. (Thanks to
Steffen Thorsen.)
Changes to past time stamps
Japanese DST transitions (1948-1951) were Sundays at 00:00, not
Saturdays or Sundays at 02:00. (Thanks to Takayuki Nikai.)
A discrepancy of 4 s in timestamps before 1931 in South Sudan has
been corrected. The 'backzone' and 'zone.tab' files did not agree
with the 'africa' and 'zone1970.tab' files. (Problem reported by
Michael Deckers.)
The abbreviation invented for Bolivia Summer Time (1931-2) is now
BST instead of BOST, to be more consistent with the convention
used for Latvian Summer Time (1918-9) and for British Summer Time.
crash the kernel with a single packet.
In this loop we need to increment 'ad' by two, because the length field
of the option header does not count the size of the option header itself.
If the length is zero, then 'count' is incremented by zero, and there's
an infinite loop. Beyond that, this code was written with the assumption
that since the IPv6 packet already went through the generic IPv6 option
parser, several fields are guaranteed to be valid; but this assumption
does not hold because of the missing '+2', and there's as a result a
triggerable buffer overflow (write zeros after the end of the mbuf,
potentially to the next mbuf in memory since it's a pool).
Add the missing '+2'; this place will be reinforced in separate commits.
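Two of the commit messages above describe the same family of mistake in IPv6 extension-header handling: the fragment header has no length field, so reading its second byte as one yields garbage, and an option-TLV walker that advances by the option length alone (without the two bytes of type and length) makes no progress on a zero-length option and then misreads option data as further options. The following is an added userspace illustration, not NetBSD's code and not the loop the commit patched; the IPPROTO_* and IP6OPT_* values are the standard ones from RFC 8200, the sample bytes are constructed, and `walk_options` takes a `fixed` flag only so the defective and corrected increments can be compared side by side without spinning forever.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Standard IPv6 next-header and option values (RFC 8200), not from the commit. */
#define IPPROTO_HOPOPTS   0
#define IPPROTO_TCP       6
#define IPPROTO_FRAGMENT  44
#define IPPROTO_DSTOPTS   60
#define IP6OPT_PAD1       0
#define IP6OPT_PADN       1
#define IP6_FRAG_HDRLEN   8   /* the fragment header is always 8 bytes */

/*
 * Length in bytes of the extension header starting at buf, or 0 when it does
 * not fit in `remaining`.  The fragment header has no length field (byte 1 is
 * reserved and may hold anything), so it is special-cased instead of being
 * read through the generic (len + 1) * 8 rule.
 */
size_t ip6_ext_hdr_len(uint8_t nxt, const uint8_t *buf, size_t remaining)
{
    if (remaining < 2)
        return 0;
    if (nxt == IPPROTO_FRAGMENT)
        return remaining >= IP6_FRAG_HDRLEN ? IP6_FRAG_HDRLEN : 0;
    size_t len = ((size_t)buf[1] + 1) * 8;
    return len <= remaining ? len : 0;
}

/*
 * Walk the TLV options in a hop-by-hop or destination options body.  With
 * fixed == true the cursor advances by len + 2 (type, length, data); with
 * fixed == false it advances by len only, the defect described in the commit.
 * Returns the number of options seen, or -1 if the walk is truncated, would
 * overrun the buffer, or makes no progress (the zero-length option case).
 */
int walk_options(const uint8_t *opts, size_t optlen, bool fixed)
{
    size_t off = 0;
    int count = 0;

    while (off < optlen) {
        uint8_t type = opts[off];
        if (type == IP6OPT_PAD1) {       /* Pad1 is one byte with no length */
            off += 1;
            count++;
            continue;
        }
        if (off + 1 >= optlen)           /* length byte missing */
            return -1;
        uint8_t len = opts[off + 1];
        if (off + 2 + len > optlen)      /* option data runs past the buffer */
            return -1;
        size_t step = fixed ? (size_t)len + 2 : (size_t)len;
        if (step == 0)                   /* no progress: would loop forever */
            return -1;
        off += step;
        count++;
    }
    return count;
}

/*
 * Follow the extension header chain and return the offset of the upper-layer
 * header (its protocol is stored in *upper when non-NULL); -1 if malformed.
 */
long ip6_find_upper_layer(uint8_t nxt, const uint8_t *pkt, size_t pktlen,
                          uint8_t *upper)
{
    size_t off = 0;

    while (nxt == IPPROTO_HOPOPTS || nxt == IPPROTO_DSTOPTS ||
           nxt == IPPROTO_FRAGMENT) {
        size_t hlen = ip6_ext_hdr_len(nxt, pkt + off, pktlen - off);
        if (hlen == 0)
            return -1;
        if (nxt != IPPROTO_FRAGMENT &&
            walk_options(pkt + off + 2, hlen - 2, true) < 0)
            return -1;
        nxt = pkt[off];
        off += hlen;
    }
    if (upper)
        *upper = nxt;
    return (long)off;
}

/* Constructed sample chain (not a captured packet): hop-by-hop holding one
   PadN of 4 bytes, then a fragment header whose reserved byte is deliberately
   non-zero, then TCP. */
static const uint8_t sample_chain[16] = {
    IPPROTO_FRAGMENT, 0, IP6OPT_PADN, 4, 0, 0, 0, 0,    /* hop-by-hop, 8 bytes */
    IPPROTO_TCP, 0xAB, 0, 0, 0x12, 0x34, 0x56, 0x78,   /* fragment, 8 bytes */
};

/* Three zero-length PadN options: valid, but fatal to the len-only walker. */
static const uint8_t zero_len_opts[6] = {
    IP6OPT_PADN, 0, IP6OPT_PADN, 0, IP6OPT_PADN, 0,
};

int main(void)
{
    uint8_t upper = 0;
    long off = ip6_find_upper_layer(IPPROTO_HOPOPTS, sample_chain,
                                    sizeof sample_chain, &upper);
    printf("upper-layer header at offset %ld, protocol %u\n", off, upper);
    printf("zero-length options: buggy walk %d, fixed walk %d\n",
           walk_options(zero_len_opts, sizeof zero_len_opts, false),
           walk_options(zero_len_opts, sizeof zero_len_opts, true));
    return 0;
}
```

Running it shows the fragment header measured at 8 bytes regardless of its reserved byte (the generic formula would have produced 1376 from 0xAB), the corrected walker counting three zero-length options where the len-only variant reports no progress, and the len-only variant misreading the PadN's four data bytes as further Pad1 options on the sample chain.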