mDNSResponder: another wrong return local address
dhcp: ignore a seemingly impossible stringop overflow
hpacel: avoid maybe uninitialised error that is wrong.
rsh: avoid impossible malloc(0)
udf: cast pointers through (uintptr_t) to fool invalid boundary checks
rename the "bits" column to "estimated bits".
this provides a clear indication when a source is being used, but
not increasing the entropy counter.
this commit fixes an unrelated bug where verbose output functioned
incorrectly when a class of device was specified with -t.
while here, reduce code duplication.
"gofer it" riastradh@
don't print "legacy options" RND_FLAG_ESTIMATE_TIME and
"RND_FLAG_ESTIMATE_VALUE"
only print "estimate" if we have actually counted any bits from
something, since it's no longer really possible to "enable estimation".
ideally, there should also be a "samples" field so it's clear
collected bits are not being counted.
While here, tweak RTF_GATEWAY description. Passive voice elsewhere in
this table is used to talk about the routes themselves, while here
it's about packets.
count blocks written in unsigned 64 bit counter
rather than signed int which overflows after 2^31-1
blocks (2TiB) after which neither the 5 minute
status updates or SIGINFO (^T) reports are issued
until the negative numbers increase past 0 and
wildly inaccurate reports would be written.
AF_LINK may not be the first address returned for the interface.
Technically, it *might* not even exist on the interface even though
other families do.
This is likely a driver bug if this really is the case though.
As such it's just easier to use direct ioctls rather than thump around
getifaddrs results. As it stands, the code makes a lot of getifaddrs
calls anyway, so an extra ioctl or two won't break the bank.
For AF_LINK addrs from getifaddrs(2), ifa_data is struct if_data.
This in turn holds ifi_link_state which we can use to report
link status if the interface does not support media where it's normally
reported.
Based on OpenBSD.
right now. new address-of-packed-member and format-overflow
warnings have new GCC_NO_ADDR_OF_PACKED_MEMBER amd
GCC_NO_FORMAT_OVERFLOW variables to remove these warnings.
apply to a bunch of the tree. mostly, these are real bugs that
should be fixed, but in many cases, only by removing the 'packed'
attribute from some structure that doesn't really need it. (i
looked at many different ones, and while perhaps 60-80% were
already properly aligned, it wasn't clear to me that the uses
were always coming from sane data vs network alignment, so it
doesn't seem safe to remove packed without careful research for
each affect struct.) clang already warned (and was not erroring)
for many of these cases, but gcc picked up dozens more.
the user choose to not abort, skip to the next header instead of trying
to use it.
This allowed me to recover files from a corrupt dump, instead of
getting a segfault.
function for resolving paths.
Make pathadj() no longer warn about symlinks. Symlinks in /dev are
regularly used in several places like LVM . The warning was also
only visible when calling a mount_* command directly as mount(8)
itself would resolve the path witout warning before passing it to
a mount_* command.
Previously, the best reference was pckbd.4. This does not make much
sense to read if you are on, say, an evbarm device with only USB.
wsconsctl.8 contained a vaguer description of supported language names,
which isn't very useful because you can't pass full language names
to the command. Point readers to wskbd.4 instead.
Note in the wskbd.4 page that while all layouts are generally supported
by pckbd(4) and ukbd(4), older keyboard interfaces might only support
a subset.
add them as signed valaues, rather than unsigned (which is how we keep them
in memory). This causes them be serialized in base-10 (rather than base-16,
which is the default for unsigned). This behavior is documented in
prop_number(3). Fixes t_gpt::backup_2part unit test.
This way, whenever /etc/security runs infrequently (daily), or the
operator manually issues rndctl -S, we ensure that all samples taken
during the entire boot are hashed together in the seed for the next
boot.
This should be infrequent enough that it's unlikely to enable the
iterative-guessing attacks that we try to mitigate by not frequently
consolidating entropy.
Go back to the book's order, now that writing to /dev/random
guarantees to consolidate entropy -- this way the _next_ boot is no
less secure than the current boot, in the event that entropy sources
like interrupt timings provided any security that we just don't know
how to measure honestly.
Make sure to open the old seed to overwrite and the new seed to write
anew first so that we can determine whether the medium is read-only
before accepting the file's entropy estimate.
- Teach rndctl to load the seed, but treat it as zero entropy, if the
medium is read-only or if the update fails.
- Teach rndctl to accept `-i' flag instructing it to ignore the
entropy estimate in the seed.
- Teach /etc/rc.d/random_seed to:
(a) assume nonlocal file systems are unsafe, and use -i, but
(b) assume / is safe, even if it is nonlocal.
If the medium is nonwritable, leave it to rndctl to detect that.
(Could use statvfs and check for ST_LOCAL in rndctl, I guess, but I
already implemented it this way.)
Treating nonlocal / as safe is a compromise: it's up to the operator
to secure the network for (e.g.) nfs mounts, but that's true whether
we're talking entropy or not -- if the adversary has access to the
network that you've mounted / from, they can do a lot more damage
anyway; this reduces warning fatigue for diskless systems, e.g. test
racks.
The file format was defined with a machine-dependent 32-bit integer
field (the estimated number of bits of entropy in the process that
generated it). Take whichever byte order gives a number that is
reasonable, i.e. lower than the number of bits in the buffer.
Continue to have `rndctl -S' generate it in machine-dependent byte
order for now, so that if you roll back to an older rndctl(8) then
`rndctl -L' on the same machine will still be able to load it with
the right entropy estimate. In a future revision, perhaps we can
change it to be little-endian.
boot.c:150:29, left shift of 255 by 24 places cannot be represented in type 'int'
boot.c:153:29, left shift of 255 by 24 places cannot be represented in type 'int'
From FreeBSD: https://reviews.freebsd.org/D23082:
Correct off-by-two issue when determining FAT type.
In the code we used NumClusters as the upper (non-inclusive) boundary
of valid cluster number, so the actual value was 2 (CLUST_FIRST) more
than the real number of clusters. This causes a FAT16 media with
65524 clusters be treated as FAT32 and might affect FAT12 media with
4084 clusters as well.
To fix this, we increment NumClusters by CLUST_FIRST after the type
determination.
- Partially sort the list of per-vnode namecache entries by using a TAILQ.
Put the real name to the head, and put dot and dotdot to the tail so that
cache_lookup_reverse() doesn't have to consider them.
no need to skip a prefix "0x" of output of snprintb.
ifconfig expect the result of snprintb has "0x" prefix, but snprintb(3) specification has changed
so that if 0 is passed, it prints "0" instead of "0x0". (common/lib/libutil/snprintb.c r1.22)
The seed file is updated by entering the old seed into the system and
then hashing the old seed together with data from /dev/urandom, and
writing it atomically with write-to-temporary/rename-to-permanent.
This way, interruption by crash or power loss does not obliterate
your persistent entropy (unless it causes file system corruption).
GCC_NO_FORMAT_TRUNCATION -Wno-format-truncation (GCC 7/8)
GCC_NO_STRINGOP_TRUNCATION -Wno-stringop-truncation (GCC 8)
GCC_NO_STRINGOP_OVERFLOW -Wno-stringop-overflow (GCC 8)
GCC_NO_CAST_FUNCTION_TYPE -Wno-cast-function-type (GCC 8)
use these to turn off warnings for most GCC-8 complaints. many
of these are false positives, most of the real bugs are already
commited, or are yet to come.
we plan to introduce versions of (some?) of these that use the
"-Wno-error=" form, which still displays the warnings but does
not make it an error, and all of the above will be re-considered
as either being "fix me" (warning still displayed) or "warning
is wrong."
configuring default values, retry with a smaller cluster size.
This makes the typical invocation to create a spec conformant EFI boot
partition work out of the box.
otherwise, if DIOCGDISKINFO returns an error != ENXIO getdiskinfo() later
tries to prop_object_release() stack garbage.
found by rumpctrl tests using clang-7.
returntosingle was defined in multiple places:
- fsck_lfs/main.c
- fsck_ffs/main.c
- fsck_ext2fs/main.c
- fsck/fsutil.c
Keep the fsutil.c definition as the only one.
Detected during the build of telned with Address Sanitizer (MKSANITIZER).
First proposed by jmcneill in 2017 and modified by me.
How to use:
- Set callback function:
ether_set_vlan_cb(struct ethercom *, ether_vlancb_t)
- Callback. This function is called when a vlan is attached/detached to the
parent interface:
int (*ether_vlancb_t)(struct ethercom *ec, uint16_t vlanid, bool set);
- ifconfig(8)
ifconfig ixg0 [-]vlan-hwfilter
Note that ETHERCAP_VLAN_HWFILTER is set by default on ixg(4) because
the PF driver usually enable "all block" filter by default.
Make options to chose alternate label position for systems using MBR
more intuitive. -m now selects mode with MBR, -n selects mode without,
independent of the machine defaults.
gpt_change_ent(). The purpose of the third argument is to specify
whether the entry to be changed is a primary GPT entry or a secondary
GPT entry. It is assumed that a secondary GPT entry will always
follow a corresponding primary entry.
This is in preparation for an upcoming change that will require it.
Make a SMALL dmesg even smaller.
When compiled -DSMALL, dmesg does nothing at all with the kernel
timestamps (it processes no options to be told what would be the
user's desire) so make it truly do (almost) nothing, rather than
some botched partial processing of them.
The "almost" is that a SMALL dmesg will now ignore spaces at the
beginning of each new message line ... those are (vanishingly)
unlikely to occur, as the kernel puts the timestamp (which starts
with '[' there) - fixing this would have meant even more #ifdef's
as the code that ignores that leading space is the only remaining
thing that (in a SMALL) dmesg looks at the value of the "tstamp"
variable, and if we don't keep some use of it, gcc complains...
These changes affect only SMALL dmesg (as installed on boot
floppies, etc) and have no intended effect on the version that's
installed on a normal (full size) running system.
Don't use portal_node_reclaim() inappropriately. It frees data we
did not allocate, but which might have been allocated by someone else.
While here, various other cleanups (avoid losing fd's if fork fails,
don't compose mangled st_mode S_IFMT values - puffs or's in what it
thinks is correct to the value we set, one case I saw was producing
0110600 for the mode, the 011 isn't any defined type at all - I'd
never seen ls print a '?' as the first char of ls -l output before!
This is still not really correct, but is I believe, better than before.
names (including the terminating NUL), as well as directory entries with
extra free space (d->d_reclen > UFS_DIRSIZ(d)).
Inspired from FreeBSD:
https://svnweb.freebsd.org/base?view=revision&revision=347066
While the kernel has been fixed to deal with the padding bytes (new
kernels will correctly zero out all the padding after the name), it
appears that there is still an issue with directory entries with extra
free space, since a newly created and populated filesystem gets modified
with "fsck_ffs -z".
Fix cgdconfig to report verification failures with gpt and mbr
verification methods (and not treat them as silent hard errors).
This also causes the cgd to be unconfigured when one of those
verification methods fails.
Add ATF tests to check that bad verification is reported, and
does not leave the cgd configured.
Patches from the PR applied.
and size in sectors (instead of the totally confusing bytes),
followed by the humanized byte offset/size.
This makes the numbers match the "gpt show" or "gpt show -a"
output.
This address situations where dump(8) cannot figure out the device being
dumped. It also allows tracking of subvolume dumps by using virtual
device as dumpdates entry.
christos