Commit message | Author | Age | Files | Lines

Use a temporary variable to store the number of bytes to be copied
(size_t) and also use it as the memcpy(3) length.  Previously we
copied "size" bytes instead of just the necessary number.
OK claudio@ tb@

jmc@ dislikes a comma before "then" in a conditional, so leave those
untouched.
ok jmc@

ok jmc@ schwarze@

instances in the tree.  ok deraadt@

in size. This cache is indexed by size (in # of pages), so it is
very quick to check.  Some programs allocate and deallocate larger
allocations in a frantic way.  Accommodate those programs by also
keeping a cache of regions between 128k and 2M, in a cache of variable
sized regions.
Tested by many in snaps; ok deraadt@

ok jmc@ sthen@ millert@

from uwe@netbsd -r1.22
ok millert

lsearch(3) is really just lfind(3) with an additional branch to append
the key if lfind(3) fails.  If we get rid of the underlying
linear_base() function and move the search portion into lfind(3) and
the key-copying portion into lsearch(3) we get smaller and simpler
code.
Misc. notes:
- We do not need to keep the historical comment about errno.  lsearch(3)
  is pure computation and does not set errno.  That's really all you
  need to know.  The specification reserves no errors, either.
- We are using lfind(3) internally now, so it switches from
  PROTO_DEPRECATED to PROTO_NORMAL in hidden/search.h and needs
  DEF_WEAK in stdlib/lsearch.c.
With advice from guenther@ on symbol housekeeping in libc.
Thread: https://marc.info/?l=openbsd-tech&m=163885187632449&w=2
ok millert@

If the key overlaps the end of the array, memcpy(3) mutates the key
and copies a corrupted value into the end of the array.
If we use memmove(3) instead we at least end up with a clean copy of
the key at the end of the array.  This is closer to the intended
behavior.
With input from millert@ and deraadt@.
Thread: https://marc.info/?l=openbsd-tech&m=163880307403606&w=2
ok millert@

The "lim" variable needs to be a size_t to match nmemb, otherwise we
get undefined behavior when nmemb exceeds INT_MAX.
Prompted by a blog post by Joshua Bloch:
https://ai.googleblog.com/2006/06/extra-extra-read-all-about-it-nearly.html
Fixed by Chris Torek a long time ago:
https://svnweb.freebsd.org/csrg/lib/libc/stdlib/bsearch.c?revision=51742&view=markup
ok millert@

to 3-term BSD license.

ok florian@

libc can't do DNSSEC validation but it can ask a "security-aware"
resolver to do so.  Let's send queries with the AD flag set when
appropriate, and let applications look at the AD flag in responses in
a safe way, i.e. clear the AD flag if the resolvers aren't trusted.
By default we only trust resolvers if resolv.conf(5) only lists name
servers on localhost - the obvious candidates being unwind(8) and
unbound(8).  For non-localhost resolvers, an admin who trusts *all the
name servers* listed in resolv.conf(5) *and the network path leading to
them* can annotate this with "options trust-ad".
AD flag processing gives ssh -o VerifyHostKeyDNS=Yes a chance to fetch
SSHFP records in a secure manner, and tightens the situation for other
applications, e.g. those using RES_USE_DNSSEC for DANE.  It should be
noted that postfix currently assumes trusted name servers by default and
forces RES_TRUSTAD if available.
RES_TRUSTAD and "options trust-ad" were first introduced in glibc by
Florian Weimer.  Florian Obser (florian@) contributed various
improvements, fixed a bug and added automatic trust for name servers on
localhost.
ok florian@ phessler@

from Emil Engler

Dunno why this ended up here, cvs is always full of surprises.

Apparently spotted by mortimer@ while working on clang 13 and amd64.
No actual change on sparc64 as this architecture still uses ld.bfd.
ok kettenis@

3rd (variadic) mode_t parameter is irrelevant.  Many developers in the past
have passed mode_t (0, 044, 0644, or such), which might lead future people
to copy this broken idiom, and perhaps even believe this parameter has some
meaning or implication or application. Delete them all.
This comes out of a conversation where tb@ noticed that a strange (but
intentional) pledge behaviour is to always knock-out high-bits from
mode_t on a number of system calls as a safety factor, and his bewilderment
that this appeared to be happening against valid modes (at least visually),
but no sorry, they are all irrelevant junk.  They could all be 0xdeafbeef.
ok millert

ok mpi@ deraadt@

removed and the former is still needed, as pointed out by kettenis

portability annoyance since not all systems have u_char. Remove
the now unused includes sys/types.h and stdio.h.
u_char diff from Jonas Termansen
ok deraadt

A tiny realpath(3) wrapper to make a porter's life easier.
Feedback kettenis deraadt cheloha sthen
OK cheloha martijn deraadt

This matches the documented behavior more obviously and ensures that
these aren't optimized away, although this is unlikely.
Discussed with deraadt and otto

* mention that the *optionp input string will be modified
* clarify that the array of tokens is expected to be NULL-terminated
OK millert@ tb@, and the first half of STANDARDS also OK jmc@

to the list. While here remove some of the headers from inet_net_ntop(3)
for balance.

of pages anymore, but also cache larger regions; ok tb@

getpagesize() will only return positive numbers (there is no negative
page size system) and it can not fail.
Should fix some compiler warnings seen in -portable projects.
OK otto@

regions of a given size.  In snaps for a while, committing since
no issues were reported and a wider audience is good.  ok deraadt@

write 8 bytes at a time by using a uint64_t pointer. For an
allocation a max of 4 such uint64_t's are written spread over the
allocation. For page-sized and larger, the first page is junked in
such a way.
- Delayed free of a small chunk checks the corresponding way.
- Pages ending up in the cache are validated upon unmapping or re-use.
In snaps for a while

use cases, so explain the situation a bit more.  Since the 80's, I estimate
around 5 algorithm changes, so any chosen seed is unrepeatable UB.
+The deterministic sequence algorithm changed a number of times since
+original development, is underspecified, and should not be relied upon to
+remain consistent between platforms and over time.
ok jmc kettenis

too small in the AF_INET6 case.
Spotted by Brad House (brad AT brad-house.com) with the c-ares
regression test.
The man page says
     Caution: The dst field should be zeroed before calling inet_net_pton() as
     the function will only fill the number of bytes necessary to encode the
     network number in network byte order.
Which seems to suggest that the function should work if the passed in
storage is big enough to hold the prefix, which might be smaller than
sizeof(in6_addr).
Input & OK tb

- setting up asr in single thread mode and then starting threads using asr
  would lead to multiple threads sharing the same resolver.
- destruction of a thread that has been using asr would leak data.
Problem originally reported by Alexey Sokolov and Uli Schlachter.
ok kettenis@

ok guenther tb millert

So redo previous commit properly:
Use random value for canary bytes; ok tb@.

shaving off into the cache but unmap them. Pages in the cache get
re-used and then a future grow of the first allocation will be
hampered. Also make realloc a no-op for small shrinkage.
ok deraadt@

This diff exposes parts of clock_gettime(2) and gettimeofday(2) to
userland via libc, liberating processes from the need for a context
switch every time they want to count the passage of time.
If a timecounter clock can be exposed to userland then it needs to set
its tc_user member to a non-zero value. Tested with one or multiple
counters per architecture.
The timing data is shared through a pointer found in the new ELF
auxiliary vector AUX_openbsd_timekeep containing timehands information
that is frequently updated by the kernel.
Timing differences between the last kernel update and the current time
are adjusted in userland by the tc_get_timecount() function inside the
MD usertc.c file.
This permits a much more responsive environment, quite visible in
browsers, office programs and gaming (apparently one is able to fly
in Minecraft now).
Tested by robert@, sthen@, naddy@, kmos@, phessler@, and many others!
OK from at least kettenis@, cheloha@, naddy@, sthen@

The bug, present since 4.4BSD, was that a trailing dash in an option
group, when the dash is not permitted as an option letter, resulted
in the whole option group being returned as an argument, even though
the previous option in the group was already parsed as an option:
OPTS=abc ./getopt-test -a- -c arg  ===>>  OPT(a)ARG(-a-)ARG(-c)ARG(arg).
Instead, treat the dash as an invalid option and continue parsing
options:  ===>>  OPT(a)ERR(?-)OPT(c)ARG(arg).
The undesirable behaviour was that allowing the dash as an option
letter only allowed isolated dashes ("-") and trailing dashes in
groups ("-a-"), but neither middle dashes in groups ("-a-b"), even
though that already partially worked in 4.4BSD, nor leading dashes
in groups ("--a"), even though that works on all other BSDs and on
glibc.  Also, while POSIX does not require that the dash can be
used as an option letter at all, arguably, it encourages that letters
either be fully supported or not supported at all.  It is dubious
whether supporting an option letter in some positions but not in
others can be considered conforming.
This patch makes OpenBSD behaviour identical to FreeBSD and NetBSD,
improves compatibility with glibc (except that glibc does not support
isolated "-"), improves compatibility with DragonFly (except that
DragonFly is buggy when the dash option letter can take an optional
argument but that argument is not present), improves compatibility
with Illumos and Solaris 11 (except those do not support "-" and
mishandle "--a"), and restores 4.4BSD behaviour for "-a-b".  In no
respect I'm aware of is compatibility with any other systems reduced.
For the full rationale, see my mail to tech@
on 30 Mar 2020 14:26:41 +0200.
Part of the problem was originally reported by an anonymous coward
on tech@ on 12 Mar 2020 03:40:24 +0200, additional analysis was
contributed by martijn@, and then the OP sent the final version of
the patch I'm now committing on 17 Mar 2020 19:17:56 +0200.
No licensing problem here because after the commit, the file does
not contain a single word written by the OP.  Also, the OP told me
in private mail that he intends to publish the patch under the ISC
license already contained in the file and that he wishes to be known
by the pseudonym "0xef967c36".
OK martijn@, and no objection when shown on tech@,
but commit delayed to stay clear of the release.

queue -> list; mention "intrusive"; element -> member at one place;
delete a bogus remark that maybe referred to a long-gone
implementation in VAX assembly code.
Much more could be improved, but I don't want to waste too much time here.

ok schwarze
kill a Tn while here...

Suggested by Evan Silberman, confirmed by jmc@

Suggested by eric@, input from deraadt@, ok deraadt@ eric@

The previous wording implied this option does nothing, which is wrong.
This option does affect the way gethostbyname(3) works on OpenBSD
(return IPv6 addresses if available).  On some systems, it also
introduces IPv4-mapped IPv6 addresses, a "feature" that we don't
support.
ok deraadt@ eric@