[Midnightbsd-cvs] [MidnightBSD/src] 44bbd5: pf: improve add state validation
Mark Johnston
noreply at github.com
Sun Jan 18 15:20:26 EST 2026
Branch: refs/heads/master
Home: https://github.com/MidnightBSD/src
Commit: 44bbd5a7aa7d8e8d4e4a53d2744cbfa392d56df3
https://github.com/MidnightBSD/src/commit/44bbd5a7aa7d8e8d4e4a53d2744cbfa392d56df3
Author: Kristof Provost <kp at FreeBSD.org>
Date: 2026-01-18 (Sun, 18 Jan 2026)
Changed paths:
M sys/netpfil/pf/if_pfsync.c
M tests/sys/netpfil/pf/ioctl/validation.c
Log Message:
-----------
pf: improve add state validation
Both for the DIOCADDSTATE ioctl and for states imported through pfsync packets.
Add a test case to exercise this code path.
Reported by: Ilja Van Sprundel <ivansprundel at ioactive.com>
MFC after: 3 days
Sponsored by: Rubicon Communications, LLC ("Netgate")
(cherry picked from commit faacc0d968816cf8714c974b6d8df6191cfb0e0d)
Commit: ebae79a7e528eedfe8b0c8d4033cd5a08ca8b5dd
https://github.com/MidnightBSD/src/commit/ebae79a7e528eedfe8b0c8d4033cd5a08ca8b5dd
Author: Kristof Provost <kp at FreeBSD.org>
Date: 2026-01-18 (Sun, 18 Jan 2026)
Changed paths:
M sys/netpfil/pf/pf_ioctl.c
M tests/sys/netpfil/pf/ioctl/validation.c
Log Message:
-----------
pf: improve DIOCRCLRTABLES validation
Unterminated strings in the anchor or name could cause crashes.
Validate them, and add a test case.
Reported by: Ilja Van Sprundel <ivansprundel at ioactive.com>
MFC after: 3 days
Sponsored by: Rubicon Communications, LLC ("Netgate")
(cherry picked from commit 1da3c0ca5b1decaa9cf55859cd134bdcd1218116)
Commit: ea7ac2a2c35e52d39194ad5d7e5ce724ab5ec8ba
https://github.com/MidnightBSD/src/commit/ea7ac2a2c35e52d39194ad5d7e5ce724ab5ec8ba
Author: Jasper Tran O'Leary <jtranoleary at google.com>
Date: 2026-01-18 (Sun, 18 Jan 2026)
Changed paths:
M sys/dev/nvme/nvme_ctrlr.c
M sys/dev/nvme/nvme_pci.c
M sys/dev/nvme/nvme_private.h
Log Message:
-----------
nvme: Add handling for bar5
The NVMe spec allows the Table BIR (TBIR) and PBA DIR (PBIR) to
be 0, 4, or 5. The existing NVMe driver basically only has support
for 4, perhaps under the assumption that BAR4 is 64-bit and also
occupies BAR5.
This change adds support for BAR5, covering the case where BAR4
and BAR5 might both be present and 32-bit, where the Table BIR
might be 4 and the PBA BIR might be 5, or vice versa.
The NVMe spec (in the SR-IOV section) also permits VFs to use BIR=2,
so I haven't added stricter checks on which BIR will be permitted
by the driver.
This enables FreeBSD on Google Compute Engine C4 Machines.
MFC after: 3 days
Reviewed by: imp
Sponsored by: Google
Co-authored-by: Matt Delco <delco at google.com>
Signed-off-by: Jasper Tran O'Leary <jtranoleary at google.com>
Differential Revision: https://reviews.freebsd.org/D53140
(cherry picked from commit 7b32f4f0a7fe9b1b2f5a3905ca15f656713255ad)
Commit: 55737e119d9614ce479fc539c191ea3a932405b5
https://github.com/MidnightBSD/src/commit/55737e119d9614ce479fc539c191ea3a932405b5
Author: Jose Luis Duran <jlduran at FreeBSD.org>
Date: 2026-01-18 (Sun, 18 Jan 2026)
Changed paths:
M contrib/blacklist/libexec/blacklistd-helper
Log Message:
-----------
blacklist: Update the blacklistd-helper script
Update the blacklistd-helper script, it provides a better mechanism for
detecting the active packet filter.
This is a direct commit to stable/13, as blacklist has been renamed to
blocklist.
PR: 290645
Commit: 19f0c67f0dc4d98c1a0f5d6fbb3118b4073f37b1
https://github.com/MidnightBSD/src/commit/19f0c67f0dc4d98c1a0f5d6fbb3118b4073f37b1
Author: Seyed Pouria Mousavizadeh Tehrani <info at spmzt.net>
Date: 2026-01-18 (Sun, 18 Jan 2026)
Changed paths:
M sys/net/if_vxlan.c
Log Message:
-----------
if_vxlan: fix byteorder of source port
Fix the htons byteorder of vxlan packets after
`vxlan_pick_source_port` picks a source port during encapsulation.
Reviewed by: zlei, kp, adrian
Differential Revision: https://reviews.freebsd.org/D53022
(cherry picked from commit 1cc316727ebae157b3d035d9fb1ad38310a80698)
Commit: 14d5f5db1b8ee22ffe48d07ed6471d547ebf4e9c
https://github.com/MidnightBSD/src/commit/14d5f5db1b8ee22ffe48d07ed6471d547ebf4e9c
Author: Dimitry Andric <dim at FreeBSD.org>
Date: 2026-01-18 (Sun, 18 Jan 2026)
Changed paths:
M contrib/llvm-project/clang/lib/Driver/ToolChains/FreeBSD.h
Log Message:
-----------
Revert "Merge commit e24f90190c77 from llvm git (by Brad Smith):"
[Driver] Enable outline atomics for FreeBSD/aarch64 (#156089)
The compiler_rt helper functions have been built since 12.4, 13.1, 14
and anything newer.
This reverts commit 51e8e8b0f36933814b1be08913857727876aece5.
MFC after: immediately
(cherry picked from commit bd27bd1f51d049538cc7a0053be9d99110a53ae1)
Commit: 091df1d0dd2f4bba26e45075c95e314e84736463
https://github.com/MidnightBSD/src/commit/091df1d0dd2f4bba26e45075c95e314e84736463
Author: Mateusz Piotrowski <0mp at FreeBSD.org>
Date: 2026-01-18 (Sun, 18 Jan 2026)
Changed paths:
M cddl/contrib/opensolaris/cmd/dtrace/dtrace.1
Log Message:
-----------
dtrace.1: Document evaltime
Reviewed by: christos, ziaee
MFC after: 1 week
Differential Revision: https://reviews.freebsd.org/D51301
(cherry picked from commit 1fe7af0635810a96a292638d11d25ddbe95bd581)
Commit: 97016c0947b78e9ae9fbeaffdde2ff7efbe6212d
https://github.com/MidnightBSD/src/commit/97016c0947b78e9ae9fbeaffdde2ff7efbe6212d
Author: Cy Schubert <cy at FreeBSD.org>
Date: 2026-01-18 (Sun, 18 Jan 2026)
Changed paths:
M sbin/ipf/libipf/interror.c
Log Message:
-----------
ipfilter: Calculate the number of elements in ipf_errors
It serves no purpose to manually manage the IPF_NUM_ERRORS count.
Calculate it instead.
Reviewed by: emaste, markj
Differential revision: https://reviews.freebsd.org/D53308
(cherry picked from commit ab3c9853285b4907dac147ce2f818e3fb44df5a3)
Commit: 1eec7fabae2a3f7f3b26c97622b00afc25969e16
https://github.com/MidnightBSD/src/commit/1eec7fabae2a3f7f3b26c97622b00afc25969e16
Author: Cy Schubert <cy at FreeBSD.org>
Date: 2026-01-18 (Sun, 18 Jan 2026)
Changed paths:
M sys/netpfil/ipfilter/netinet/ip_htable.c
Log Message:
-----------
ipfilter: Add htable (hash table) tunable
This is in preparation for addition of a hash table max size.
Reviewed by: markj
Differential revision: https://reviews.freebsd.org/D53283
(cherry picked from commit c57262716b08717b6a9c5533941d4e0a2d180d46)
Commit: 8fa620589a9507d23448925448948887a2a8a196
https://github.com/MidnightBSD/src/commit/8fa620589a9507d23448925448948887a2a8a196
Author: Cy Schubert <cy at FreeBSD.org>
Date: 2026-01-18 (Sun, 18 Jan 2026)
Changed paths:
M sys/netpfil/ipfilter/netinet/ip_htable.c
M sys/netpfil/ipfilter/netinet/ip_htable.h
Log Message:
-----------
ipfilter: Add an htable max size tuneable.
Add an ipfilter runtime option (ipf -T) to adjust the default
maximum hash table size. Default it to 1024 entries. It will be
used by a subsequent commit to limit any damage due to excessively
large hash table input by the user.
Reviewed by: markj
Differential revision: https://reviews.freebsd.org/D53284
(cherry picked from commit f3b94f47f55c502e8983f9bd294e963e75b2963a)
Commit: c31eb38c9947f2c1d62afc8d8ecf64df5f21a694
https://github.com/MidnightBSD/src/commit/c31eb38c9947f2c1d62afc8d8ecf64df5f21a694
Author: Cy Schubert <cy at FreeBSD.org>
Date: 2026-01-18 (Sun, 18 Jan 2026)
Changed paths:
M sbin/ipf/libipf/interror.c
M sys/netpfil/ipfilter/netinet/ip_htable.c
Log Message:
-----------
ipfilter: Don't trust userland supplied iph_size
ipf_htable_create() trusts a user-supplied iph_size from iphtable_t
and computes the allocation size as iph->iph_size * sizeof(*iph->iph_table)
without checking for integer overflow. A sufficiently large iph_size
causes the multiplication to wrap, resulting in an under-sized allocation
for the table pointer array. Subsequent code (e.g., in ipf_htent_insert())
can then write past the end of the allocated buffer, corrupting kernel
memory and causing DoS or potential privilege escalation.
This is not typically a problem when using the ipfilter provided
userland tools as calculate the correct lengths. This mitigates a
rogue actor calling ipfilter ioctls directly.
Reported by: Ilja Van Sprundel <ivansprundel at ioactive.com>
Reviewed by: markj
Differential revision: https://reviews.freebsd.org/D53286
(cherry picked from commit df381bec2d2b73697a3d163177df042dd272022d)
Commit: 35f8dc20b54c0cbbd5d3e8a82a659207b687d3eb
https://github.com/MidnightBSD/src/commit/35f8dc20b54c0cbbd5d3e8a82a659207b687d3eb
Author: Dag-Erling Smørgrav <des at FreeBSD.org>
Date: 2026-01-18 (Sun, 18 Jan 2026)
Changed paths:
M sys/fs/cd9660/cd9660_vnops.c
Log Message:
-----------
cd9660: Unbreak symbolic links
Since the introduction of permission masks, cd9660_getattr() returns a
size of zero for all symbolic links, because the code to retrieve the
length of the link target (as required by POSIX) is dead, since we strip
away the type bits before we try to use them to identify the file as a
link. Address this by checking the vnode type instead.
PR: 290556
MFC after: 3 days
Fixes: 82f2275b73e5 ("cd9660: Add support for mask,dirmask,uid,gid options")
Reviewed by: olce
Differential Revision: https://reviews.freebsd.org/D53598
(cherry picked from commit 978aaa72f3196f5489630052762cac5a7863e774)
Commit: 570036f5500f2096a9206760dc806fa9d2e5b304
https://github.com/MidnightBSD/src/commit/570036f5500f2096a9206760dc806fa9d2e5b304
Author: Mark Johnston <markj at FreeBSD.org>
Date: 2026-01-18 (Sun, 18 Jan 2026)
Changed paths:
M sys/kern/kern_descrip.c
Log Message:
-----------
file: Simplify an INVARIANTS check in _fdrop()
No functional change intended.
MFC after: 1 week
Sponsored by: Klara, Inc.
(cherry picked from commit a2e22ed3420d92d9d98a1e9681b5c9b1fbe40fca)
Commit: dac4ab1a47b9744e081d6fa31aab854a4a41e736
https://github.com/MidnightBSD/src/commit/dac4ab1a47b9744e081d6fa31aab854a4a41e736
Author: Mark Johnston <markj at FreeBSD.org>
Date: 2026-01-18 (Sun, 18 Jan 2026)
Changed paths:
M sys/kern/kern_descrip.c
M sys/kern/sys_procdesc.c
M sys/kern/uipc_mqueue.c
M sys/kern/uipc_sem.c
M sys/kern/uipc_syscalls.c
M sys/kern/vfs_syscalls.c
M sys/sys/file.h
M sys/sys/filedesc.h
M sys/sys/namei.h
M sys/sys/procdesc.h
M sys/sys/socketvar.h
Log Message:
-----------
file: Qualify pointers to capsicum rights as const
File descriptor lookup routines typically take a set of capsicum rights
as input to the lookup, so that the fd's rights can be atomically
checked. This set should be qualified with const.
No functional change intended.
Reviewed by: olce, oshogbo, brooks, kib
MFC after: 2 weeks
Differential Revision: https://reviews.freebsd.org/D50419
(cherry picked from commit 5319cb21610ad947c56fd0cd4f18ef5b58bc8db7)
Compare: https://github.com/MidnightBSD/src/compare/fe7c4e44ac3e...dac4ab1a47b9
To unsubscribe from these emails, change your notification settings at https://github.com/MidnightBSD/src/settings/notifications
More information about the Midnightbsd-cvs
mailing list