From owner-svn-src-releng@freebsd.org Tue Aug 6 17:07:44 2019 Return-Path: Delivered-To: svn-src-releng@mailman.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.nyi.freebsd.org (Postfix) with ESMTP id 4696EC5E06; Tue, 6 Aug 2019 17:07:44 +0000 (UTC) (envelope-from gordon@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) server-signature RSA-PSS (4096 bits) client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "Let's Encrypt Authority X3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4631KX16qVz4DKc; Tue, 6 Aug 2019 17:07:44 +0000 (UTC) (envelope-from gordon@FreeBSD.org) Received: from repo.freebsd.org (repo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id 0840B2F12B; Tue, 6 Aug 2019 17:07:44 +0000 (UTC) (envelope-from gordon@FreeBSD.org) Received: from repo.freebsd.org ([127.0.1.37]) by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id x76H7hgQ037625; Tue, 6 Aug 2019 17:07:43 GMT (envelope-from gordon@FreeBSD.org) Received: (from gordon@localhost) by repo.freebsd.org (8.15.2/8.15.2/Submit) id x76H7hRg037622; Tue, 6 Aug 2019 17:07:43 GMT (envelope-from gordon@FreeBSD.org) Message-Id: <201908061707.x76H7hRg037622@repo.freebsd.org> X-Authentication-Warning: repo.freebsd.org: gordon set sender to gordon@FreeBSD.org using -f 
From: Gordon Tetlow Date: Tue, 6 Aug 2019 17:07:43 +0000 (UTC) To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-releng@freebsd.org Subject: svn commit: r350641 - in releng/12.0/sys: kern sys X-SVN-Group: releng X-SVN-Commit-Author: gordon X-SVN-Commit-Paths: in releng/12.0/sys: kern sys X-SVN-Commit-Revision: 350641 X-SVN-Commit-Repository: base MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-src-releng@freebsd.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: SVN commit messages for the release engineering / security commits to the src tree List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 06 Aug 2019 17:07:44 -0000 Author: gordon Date: Tue Aug 6 17:07:43 2019 New Revision: 350641 URL: https://svnweb.freebsd.org/changeset/base/350641 Log: Fix incorrect locking in epoch(9). Approved by: so Security: FreeBSD-EN-19:14.epoch Modified: releng/12.0/sys/kern/subr_epoch.c releng/12.0/sys/kern/subr_turnstile.c releng/12.0/sys/sys/turnstile.h Modified: releng/12.0/sys/kern/subr_epoch.c ============================================================================== --- releng/12.0/sys/kern/subr_epoch.c Tue Aug 6 17:05:58 2019 (r350640) +++ releng/12.0/sys/kern/subr_epoch.c Tue Aug 6 17:07:43 2019 (r350641) 
@@ -325,24 +325,20 @@ epoch_block_handler_preempt(struct ck_epoch *global __
 */
 critical_enter();
 thread_unlock(td);
- owner = turnstile_lock(ts, &lock);
- /*
- * The owner pointer indicates that the lock succeeded. Only
- * in case we hold the lock and the turnstile we locked is still
- * the one that curwaittd is blocked on can we continue. Otherwise
- * The turnstile pointer has been changed out from underneath
- * us, as in the case where the lock holder has signalled curwaittd,
- * and we need to continue.
- */
- if (owner != NULL && ts == curwaittd->td_blocked) {
- MPASS(TD_IS_INHIBITED(curwaittd) && TD_ON_LOCK(curwaittd));
- critical_exit();
- turnstile_wait(ts, owner, curwaittd->td_tsqueue);
- counter_u64_add(turnstile_count, 1);
- thread_lock(td);
- return;
- } else if (owner != NULL)
+
+ if (turnstile_lock(ts, &lock, &owner)) {
+ if (ts == curwaittd->td_blocked) {
+ MPASS(TD_IS_INHIBITED(curwaittd) &&
+ TD_ON_LOCK(curwaittd));
+ critical_exit();
+ turnstile_wait(ts, owner,
+ curwaittd->td_tsqueue);
+ counter_u64_add(turnstile_count, 1);
+ thread_lock(td);
+ return;
+ }
 turnstile_unlock(ts, lock);
+ }
 thread_lock(td);
 critical_exit();
 KASSERT(td->td_locks == locksheld,
Modified: releng/12.0/sys/kern/subr_turnstile.c
==============================================================================
--- releng/12.0/sys/kern/subr_turnstile.c Tue Aug 6 17:05:58 2019 (r350640)
+++ releng/12.0/sys/kern/subr_turnstile.c Tue Aug 6 17:07:43 2019 (r350641)
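Review bot: The rewritten block in epoch_block_handler_preempt removes the comment that explained why `ts == curwaittd->td_blocked` is re-checked after the turnstile is locked, and nothing replaces it. The check still decides between `turnstile_wait()` and `turnstile_unlock()`, so I would keep a short comment above the inner `if`, for example `/* Only wait if curwaittd is still blocked on the turnstile we locked; otherwise it was signalled and we just drop the lock. */`. It would also help to note that `owner` may be NULL on the success path now that the return value no longer encodes it; presumably that is the case the old `owner != NULL` test mishandled. The function starts and ends outside this hunk.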
@@ -566,24 +566,26 @@ turnstile_trywait(struct lock_object *lock)
 return (ts);
 }
-struct thread *
-turnstile_lock(struct turnstile *ts, struct lock_object **lockp)
+bool
+turnstile_lock(struct turnstile *ts, struct lock_object **lockp,
+ struct thread **tdp)
 {
 struct turnstile_chain *tc;
 struct lock_object *lock;
 if ((lock = ts->ts_lockobj) == NULL)
- return (NULL);
+ return (false);
 tc = TC_LOOKUP(lock);
 mtx_lock_spin(&tc->tc_lock);
 mtx_lock_spin(&ts->ts_lock);
 if (__predict_false(lock != ts->ts_lockobj)) {
 mtx_unlock_spin(&tc->tc_lock);
 mtx_unlock_spin(&ts->ts_lock);
- return (NULL);
+ return (false);
 }
 *lockp = lock;
- return (ts->ts_owner);
+ *tdp = ts->ts_owner;
+ return (true);
 }
 void
Modified: releng/12.0/sys/sys/turnstile.h
==============================================================================
--- releng/12.0/sys/sys/turnstile.h Tue Aug 6 17:05:58 2019 (r350640)
+++ releng/12.0/sys/sys/turnstile.h Tue Aug 6 17:07:43 2019 (r350641)
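Review bot: turnstile_lock() gets a new contract here but no comment stating it: it returns true with both `tc->tc_lock` and `ts->ts_lock` held, and false with neither held and `*lockp` / `*tdp` left unwritten. A header comment saying exactly that, and naming `turnstile_unlock(ts, lock)` as the call the epoch caller in this commit uses to back out, would keep a later caller from reading `*tdp` after a false return. The `__predict_false` re-check also deserves one line, e.g. `/* ts_lockobj was read unlocked; re-check now that the chain lock is held. */`.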
@@ -100,7 +100,8 @@ int turnstile_signal(struct turnstile *, int);
 struct turnstile *turnstile_trywait(struct lock_object *);
 void turnstile_unpend(struct turnstile *);
 void turnstile_wait(struct turnstile *, struct thread *, int);
-struct thread *turnstile_lock(struct turnstile *, struct lock_object **);
+bool turnstile_lock(struct turnstile *, struct lock_object **,
+ struct thread **);
 void turnstile_unlock(struct turnstile *, struct lock_object *);
 void turnstile_assert(struct turnstile *);
 #endif /* _KERNEL */
From owner-svn-src-releng@freebsd.org Tue Aug 6 17:11:18 2019 Return-Path: Delivered-To: svn-src-releng@mailman.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.nyi.freebsd.org (Postfix) with ESMTP id 349F2C5E6D; Tue, 6 Aug 2019 17:11:18 +0000 (UTC) (envelope-from gordon@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) server-signature RSA-PSS (4096 bits) client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "Let's Encrypt Authority X3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4631Pf1Jpxz4DdG; Tue, 6 Aug 2019 17:11:18 +0000 (UTC) (envelope-from gordon@FreeBSD.org) Received: from repo.freebsd.org (repo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id E899D2F15A; Tue, 6 Aug 2019 17:11:17 +0000 (UTC) (envelope-from gordon@FreeBSD.org) Received: from repo.freebsd.org ([127.0.1.37]) by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id x76HBHiU039010; Tue, 6 Aug 2019 17:11:17 GMT (envelope-from gordon@FreeBSD.org) Received: (from gordon@localhost) by repo.freebsd.org (8.15.2/8.15.2/Submit) id x76HBHa6039007; Tue, 6 Aug 2019 17:11:17 GMT (envelope-from
gordon@FreeBSD.org) Message-Id: <201908061711.x76HBHa6039007@repo.freebsd.org> X-Authentication-Warning: repo.freebsd.org: gordon set sender to gordon@FreeBSD.org using -f From: Gordon Tetlow Date: Tue, 6 Aug 2019 17:11:17 +0000 (UTC) To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-releng@freebsd.org Subject: svn commit: r350644 - in releng: 11.2/sys/netinet6 11.3/sys/netinet6 12.0/sys/netinet6 X-SVN-Group: releng X-SVN-Commit-Author: gordon X-SVN-Commit-Paths: in releng: 11.2/sys/netinet6 11.3/sys/netinet6 12.0/sys/netinet6 X-SVN-Commit-Revision: 350644 X-SVN-Commit-Repository: base MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-src-releng@freebsd.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: SVN commit messages for the release engineering / security commits to the src tree List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 06 Aug 2019 17:11:18 -0000 Author: gordon Date: Tue Aug 6 17:11:17 2019 New Revision: 350644 URL: https://svnweb.freebsd.org/changeset/base/350644 Log: Fix ICMPv6 / MLDv2 out-of-bounds memory access. Approved by: so Security: FreeBSD-SA-19:19.mldv2 Security: CVE-2019-5608 Modified: releng/11.2/sys/netinet6/mld6.c releng/11.3/sys/netinet6/mld6.c releng/12.0/sys/netinet6/mld6.c Modified: releng/11.2/sys/netinet6/mld6.c ============================================================================== --- releng/11.2/sys/netinet6/mld6.c Tue Aug 6 17:09:47 2019 (r350643) +++ releng/11.2/sys/netinet6/mld6.c Tue Aug 6 17:11:17 2019 (r350644) 
@@ -137,14 +137,15 @@ static int mld_v2_enqueue_group_record(struct mbufq *,
 struct in6_multi *, const int, const int, const int, const int);
 static int mld_v2_input_query(struct ifnet *, const struct ip6_hdr *,
- struct mbuf *, const int, const int);
+ struct mbuf *, struct mldv2_query *, const int, const int);
 static int mld_v2_merge_state_changes(struct in6_multi *, struct mbufq *);
 static void mld_v2_process_group_timers(struct mld_ifsoftc *, struct mbufq *, struct mbufq *, struct in6_multi *, const int);
 static int mld_v2_process_group_query(struct in6_multi *,
- struct mld_ifsoftc *mli, int, struct mbuf *, const int);
+ struct mld_ifsoftc *mli, int, struct mbuf *,
+ struct mldv2_query *, const int);
 static int sysctl_mld_gsr(SYSCTL_HANDLER_ARGS);
 static int sysctl_mld_ifinfo(SYSCTL_HANDLER_ARGS);
@@ -794,16 +795,16 @@ mld_v1_update_group(struct in6_multi *inm, const int t
 * Process a received MLDv2 general, group-specific or
 * group-and-source-specific query.
 *
- * Assumes that the query header has been pulled up to sizeof(mldv2_query).
+ * Assumes that mld points to a struct mldv2_query which is stored in
+ * contiguous memory.
 *
 * Return 0 if successful, otherwise an appropriate error code is returned.
 */
 static int
 mld_v2_input_query(struct ifnet *ifp, const struct ip6_hdr *ip6,
- struct mbuf *m, const int off, const int icmp6len)
+ struct mbuf *m, struct mldv2_query *mld, const int off, const int icmp6len)
 {
 struct mld_ifsoftc *mli;
- struct mldv2_query *mld;
 struct in6_multi *inm;
 uint32_t maxdelay, nsrc, qqi;
 int is_general_query;
@@ -828,8 +829,6 @@ mld_v2_input_query(struct ifnet *ifp, const struct ip6
 CTR2(KTR_MLD, "input v2 query on ifp %p(%s)", ifp, if_name(ifp));
- mld = (struct mldv2_query *)(mtod(m, uint8_t *) + off);
-
 maxdelay = ntohs(mld->mld_maxdelay); /* in 1/10ths of a second */
 if (maxdelay >= 32768) {
 maxdelay = (MLD_MRC_MANT(maxdelay) | 0x1000) <<
@@ -954,7 +953,7 @@ mld_v2_input_query(struct ifnet *ifp, const struct ip6
 * group-specific or group-and-source query.
 */
 if (mli->mli_v2_timer == 0 || mli->mli_v2_timer >= timer)
- mld_v2_process_group_query(inm, mli, timer, m, off);
+ mld_v2_process_group_query(inm, mli, timer, m, mld, off);
 /* XXX Clear embedded scope ID as userland won't expect it. */
 in6_clearscope(&mld->mld_addr);
@@ -975,9 +974,8 @@ out_locked:
 */
 static int
 mld_v2_process_group_query(struct in6_multi *inm, struct mld_ifsoftc *mli,
- int timer, struct mbuf *m0, const int off)
+ int timer, struct mbuf *m0, struct mldv2_query *mld, const int off)
 {
- struct mldv2_query *mld;
 int retval;
 uint16_t nsrc;
@@ -985,7 +983,6 @@ mld_v2_process_group_query(struct in6_multi *inm, stru
 MLD_LOCK_ASSERT();
 retval = 0;
- mld = (struct mldv2_query *)(mtod(m0, uint8_t *) + off);
 switch (inm->in6m_state) {
 case MLD_NOT_MEMBER:
@@ -1005,6 +1002,15 @@ mld_v2_process_group_query(struct in6_multi *inm, stru
 nsrc = ntohs(mld->mld_numsrc);
+ /* Length should be checked by calling function. */
+ KASSERT((m0->m_flags & M_PKTHDR) == 0 ||
+ m0->m_pkthdr.len >= off + sizeof(struct mldv2_query) +
+ nsrc * sizeof(struct in6_addr),
+ ("mldv2 packet is too short: (%d bytes < %zd bytes, m=%p)",
+ m0->m_pkthdr.len, off + sizeof(struct mldv2_query) +
+ nsrc * sizeof(struct in6_addr), m0));
+
+
 /*
 * Deal with group-specific queries upfront.
 * If any group query is already pending, purge any recorded
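Review bot: The `KASSERT` added before the "Deal with group-specific queries" comment in mld_v2_process_group_query is compiled only into INVARIANTS kernels, so on a release kernel nothing in this function bounds `nsrc` against the length of the mbuf chain. The source loop in the following hunk (@@ -1046) now calls `m_copydata()` once per source and no longer has the old `m == NULL` exit, so it depends entirely on a length check in the caller that none of the hunks here show; the comment should name it, along the lines of `/* mld_v2_input_query() has already checked icmp6len against nsrc. */`, once that is confirmed. The assertion message also formats a `size_t` expression with `%zd`, where `%zu` is the matching specifier. The same points apply to the identical hunks for releng/11.3 and releng/12.0; the function body starts and ends outside this hunk.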
@@ -1046,28 +1052,20 @@ mld_v2_process_group_query(struct in6_multi *inm, stru
 * report for those sources.
 */
 if (inm->in6m_nsrc > 0) {
- struct mbuf *m;
- uint8_t *sp;
+ struct in6_addr srcaddr;
 int i, nrecorded;
 int soff;
- m = m0;
 soff = off + sizeof(struct mldv2_query);
 nrecorded = 0;
 for (i = 0; i < nsrc; i++) {
- sp = mtod(m, uint8_t *) + soff;
- retval = in6m_record_source(inm,
- (const struct in6_addr *)sp);
+ m_copydata(m0, soff, sizeof(struct in6_addr),
+ (caddr_t)&srcaddr);
+ retval = in6m_record_source(inm, &srcaddr);
 if (retval < 0)
 break;
 nrecorded += retval;
 soff += sizeof(struct in6_addr);
- if (soff >= m->m_len) {
- soff = soff - m->m_len;
- m = m->m_next;
- if (m == NULL)
- break;
- }
 }
 if (nrecorded > 0) {
 CTR1(KTR_MLD,
@@ -1276,8 +1274,8 @@ mld_input(struct mbuf *m, int off, int icmp6len)
 if (mld_v1_input_query(ifp, ip6, mld) != 0)
 return (0);
 } else if (icmp6len >= sizeof(struct mldv2_query)) {
- if (mld_v2_input_query(ifp, ip6, m, off,
- icmp6len) != 0)
+ if (mld_v2_input_query(ifp, ip6, m,
+ (struct mldv2_query *)mld, off, icmp6len) != 0)
 return (0);
 }
 break;
Modified: releng/11.3/sys/netinet6/mld6.c
==============================================================================
--- releng/11.3/sys/netinet6/mld6.c Tue Aug 6 17:09:47 2019 (r350643)
+++ releng/11.3/sys/netinet6/mld6.c Tue Aug 6 17:11:17 2019 (r350644)
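Review bot: The cast `(struct mldv2_query *)mld` in the mld_input hunk (@@ -1276) is only valid if `mld` already points at `sizeof(struct mldv2_query)` contiguous bytes, and the hunk shows the `icmp6len` comparison but not the pull-up that would guarantee it. mld_v2_input_query and mld_v2_process_group_query now read `mld_maxdelay`, `mld_numsrc` and `mld_addr` through this pointer instead of recomputing it from the mbuf, so the requirement has moved to this call site. I would state it there, e.g. `/* mld was pulled up to sizeof(struct mldv2_query) above. */`, after checking that the pull-up earlier in mld_input uses the v2 size for this branch. The same applies to the releng/11.3 and releng/12.0 copies; mld_input starts and ends outside the hunk.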
@@ -137,14 +137,15 @@ static int mld_v2_enqueue_group_record(struct mbufq *,
 struct in6_multi *, const int, const int, const int, const int);
 static int mld_v2_input_query(struct ifnet *, const struct ip6_hdr *,
- struct mbuf *, const int, const int);
+ struct mbuf *, struct mldv2_query *, const int, const int);
 static int mld_v2_merge_state_changes(struct in6_multi *, struct mbufq *);
 static void mld_v2_process_group_timers(struct mld_ifsoftc *, struct mbufq *, struct mbufq *, struct in6_multi *, const int);
 static int mld_v2_process_group_query(struct in6_multi *,
- struct mld_ifsoftc *mli, int, struct mbuf *, const int);
+ struct mld_ifsoftc *mli, int, struct mbuf *,
+ struct mldv2_query *, const int);
 static int sysctl_mld_gsr(SYSCTL_HANDLER_ARGS);
 static int sysctl_mld_ifinfo(SYSCTL_HANDLER_ARGS);
@@ -794,16 +795,16 @@ mld_v1_update_group(struct in6_multi *inm, const int t
 * Process a received MLDv2 general, group-specific or
 * group-and-source-specific query.
 *
- * Assumes that the query header has been pulled up to sizeof(mldv2_query).
+ * Assumes that mld points to a struct mldv2_query which is stored in
+ * contiguous memory.
 *
 * Return 0 if successful, otherwise an appropriate error code is returned.
 */
 static int
 mld_v2_input_query(struct ifnet *ifp, const struct ip6_hdr *ip6,
- struct mbuf *m, const int off, const int icmp6len)
+ struct mbuf *m, struct mldv2_query *mld, const int off, const int icmp6len)
 {
 struct mld_ifsoftc *mli;
- struct mldv2_query *mld;
 struct in6_multi *inm;
 uint32_t maxdelay, nsrc, qqi;
 int is_general_query;
@@ -828,8 +829,6 @@ mld_v2_input_query(struct ifnet *ifp, const struct ip6
 CTR2(KTR_MLD, "input v2 query on ifp %p(%s)", ifp, if_name(ifp));
- mld = (struct mldv2_query *)(mtod(m, uint8_t *) + off);
-
 maxdelay = ntohs(mld->mld_maxdelay); /* in 1/10ths of a second */
 if (maxdelay >= 32768) {
 maxdelay = (MLD_MRC_MANT(maxdelay) | 0x1000) <<
@@ -954,7 +953,7 @@ mld_v2_input_query(struct ifnet *ifp, const struct ip6
 * group-specific or group-and-source query.
 */
 if (mli->mli_v2_timer == 0 || mli->mli_v2_timer >= timer)
- mld_v2_process_group_query(inm, mli, timer, m, off);
+ mld_v2_process_group_query(inm, mli, timer, m, mld, off);
 /* XXX Clear embedded scope ID as userland won't expect it. */
 in6_clearscope(&mld->mld_addr);
@@ -975,9 +974,8 @@ out_locked:
 */
 static int
 mld_v2_process_group_query(struct in6_multi *inm, struct mld_ifsoftc *mli,
- int timer, struct mbuf *m0, const int off)
+ int timer, struct mbuf *m0, struct mldv2_query *mld, const int off)
 {
- struct mldv2_query *mld;
 int retval;
 uint16_t nsrc;
@@ -985,7 +983,6 @@ mld_v2_process_group_query(struct in6_multi *inm, stru
 MLD_LOCK_ASSERT();
 retval = 0;
- mld = (struct mldv2_query *)(mtod(m0, uint8_t *) + off);
 switch (inm->in6m_state) {
 case MLD_NOT_MEMBER:
@@ -1005,6 +1002,15 @@ mld_v2_process_group_query(struct in6_multi *inm, stru
 nsrc = ntohs(mld->mld_numsrc);
+ /* Length should be checked by calling function. */
+ KASSERT((m0->m_flags & M_PKTHDR) == 0 ||
+ m0->m_pkthdr.len >= off + sizeof(struct mldv2_query) +
+ nsrc * sizeof(struct in6_addr),
+ ("mldv2 packet is too short: (%d bytes < %zd bytes, m=%p)",
+ m0->m_pkthdr.len, off + sizeof(struct mldv2_query) +
+ nsrc * sizeof(struct in6_addr), m0));
+
+
 /*
 * Deal with group-specific queries upfront.
 * If any group query is already pending, purge any recorded
@@ -1046,28 +1052,20 @@ mld_v2_process_group_query(struct in6_multi *inm, stru
 * report for those sources.
 */
 if (inm->in6m_nsrc > 0) {
- struct mbuf *m;
- uint8_t *sp;
+ struct in6_addr srcaddr;
 int i, nrecorded;
 int soff;
- m = m0;
 soff = off + sizeof(struct mldv2_query);
 nrecorded = 0;
 for (i = 0; i < nsrc; i++) {
- sp = mtod(m, uint8_t *) + soff;
- retval = in6m_record_source(inm,
- (const struct in6_addr *)sp);
+ m_copydata(m0, soff, sizeof(struct in6_addr),
+ (caddr_t)&srcaddr);
+ retval = in6m_record_source(inm, &srcaddr);
 if (retval < 0)
 break;
 nrecorded += retval;
 soff += sizeof(struct in6_addr);
- if (soff >= m->m_len) {
- soff = soff - m->m_len;
- m = m->m_next;
- if (m == NULL)
- break;
- }
 }
 if (nrecorded > 0) {
 CTR1(KTR_MLD,
@@ -1276,8 +1274,8 @@ mld_input(struct mbuf *m, int off, int icmp6len)
 if (mld_v1_input_query(ifp, ip6, mld) != 0)
 return (0);
 } else if (icmp6len >= sizeof(struct mldv2_query)) {
- if (mld_v2_input_query(ifp, ip6, m, off,
- icmp6len) != 0)
+ if (mld_v2_input_query(ifp, ip6, m,
+ (struct mldv2_query *)mld, off, icmp6len) != 0)
 return (0);
 }
 break;
Modified: releng/12.0/sys/netinet6/mld6.c
==============================================================================
--- releng/12.0/sys/netinet6/mld6.c Tue Aug 6 17:09:47 2019 (r350643)
+++ releng/12.0/sys/netinet6/mld6.c Tue Aug 6 17:11:17 2019 (r350644)
@@ -139,14 +139,15 @@ static int mld_v2_enqueue_group_record(struct mbufq *,
 struct in6_multi *, const int, const int, const int, const int);
 static int mld_v2_input_query(struct ifnet *, const struct ip6_hdr *,
- struct mbuf *, const int, const int);
+ struct mbuf *, struct mldv2_query *, const int, const int);
 static int mld_v2_merge_state_changes(struct in6_multi *, struct mbufq *);
 static void mld_v2_process_group_timers(struct in6_multi_head *, struct mbufq *, struct mbufq *, struct in6_multi *, const int);
 static int mld_v2_process_group_query(struct in6_multi *,
- struct mld_ifsoftc *mli, int, struct mbuf *, const int);
+ struct mld_ifsoftc *mli, int, struct mbuf *,
+ struct mldv2_query *, const int);
 static int sysctl_mld_gsr(SYSCTL_HANDLER_ARGS);
 static int sysctl_mld_ifinfo(SYSCTL_HANDLER_ARGS);
@@ -797,16 +798,16 @@ mld_v1_update_group(struct in6_multi *inm, const int t
 * Process a received MLDv2 general, group-specific or
 * group-and-source-specific query.
 *
- * Assumes that the query header has been pulled up to sizeof(mldv2_query).
+ * Assumes that mld points to a struct mldv2_query which is stored in
+ * contiguous memory.
 *
 * Return 0 if successful, otherwise an appropriate error code is returned.
 */
 static int
 mld_v2_input_query(struct ifnet *ifp, const struct ip6_hdr *ip6,
- struct mbuf *m, const int off, const int icmp6len)
+ struct mbuf *m, struct mldv2_query *mld, const int off, const int icmp6len)
 {
 struct mld_ifsoftc *mli;
- struct mldv2_query *mld;
 struct in6_multi *inm;
 uint32_t maxdelay, nsrc, qqi;
 int is_general_query;
@@ -831,8 +832,6 @@ mld_v2_input_query(struct ifnet *ifp, const struct ip6
 CTR2(KTR_MLD, "input v2 query on ifp %p(%s)", ifp, if_name(ifp));
- mld = (struct mldv2_query *)(mtod(m, uint8_t *) + off);
-
 maxdelay = ntohs(mld->mld_maxdelay); /* in 1/10ths of a second */
 if (maxdelay >= 32768) {
 maxdelay = (MLD_MRC_MANT(maxdelay) | 0x1000) <<
@@ -957,7 +956,7 @@ mld_v2_input_query(struct ifnet *ifp, const struct ip6
 * group-specific or group-and-source query.
 */
 if (mli->mli_v2_timer == 0 || mli->mli_v2_timer >= timer)
- mld_v2_process_group_query(inm, mli, timer, m, off);
+ mld_v2_process_group_query(inm, mli, timer, m, mld, off);
 /* XXX Clear embedded scope ID as userland won't expect it. */
 in6_clearscope(&mld->mld_addr);
@@ -978,9 +977,8 @@ out_locked:
 */
 static int
 mld_v2_process_group_query(struct in6_multi *inm, struct mld_ifsoftc *mli,
- int timer, struct mbuf *m0, const int off)
+ int timer, struct mbuf *m0, struct mldv2_query *mld, const int off)
 {
- struct mldv2_query *mld;
 int retval;
 uint16_t nsrc;
@@ -988,7 +986,6 @@ mld_v2_process_group_query(struct in6_multi *inm, stru
 MLD_LOCK_ASSERT();
 retval = 0;
- mld = (struct mldv2_query *)(mtod(m0, uint8_t *) + off);
 switch (inm->in6m_state) {
 case MLD_NOT_MEMBER:
@@ -1008,6 +1005,15 @@ mld_v2_process_group_query(struct in6_multi *inm, stru
 nsrc = ntohs(mld->mld_numsrc);
+ /* Length should be checked by calling function. */
+ KASSERT((m0->m_flags & M_PKTHDR) == 0 ||
+ m0->m_pkthdr.len >= off + sizeof(struct mldv2_query) +
+ nsrc * sizeof(struct in6_addr),
+ ("mldv2 packet is too short: (%d bytes < %zd bytes, m=%p)",
+ m0->m_pkthdr.len, off + sizeof(struct mldv2_query) +
+ nsrc * sizeof(struct in6_addr), m0));
+
+
 /*
 * Deal with group-specific queries upfront.
 * If any group query is already pending, purge any recorded
@@ -1049,28 +1055,20 @@ mld_v2_process_group_query(struct in6_multi *inm, stru
 * report for those sources.
 */
 if (inm->in6m_nsrc > 0) {
- struct mbuf *m;
- uint8_t *sp;
+ struct in6_addr srcaddr;
 int i, nrecorded;
 int soff;
- m = m0;
 soff = off + sizeof(struct mldv2_query);
 nrecorded = 0;
 for (i = 0; i < nsrc; i++) {
- sp = mtod(m, uint8_t *) + soff;
- retval = in6m_record_source(inm,
- (const struct in6_addr *)sp);
+ m_copydata(m0, soff, sizeof(struct in6_addr),
+ (caddr_t)&srcaddr);
+ retval = in6m_record_source(inm, &srcaddr);
 if (retval < 0)
 break;
 nrecorded += retval;
 soff += sizeof(struct in6_addr);
- if (soff >= m->m_len) {
- soff = soff - m->m_len;
- m = m->m_next;
- if (m == NULL)
- break;
- }
 }
 if (nrecorded > 0) {
 CTR1(KTR_MLD,
@@ -1279,8 +1277,8 @@ mld_input(struct mbuf *m, int off, int icmp6len)
 if (mld_v1_input_query(ifp, ip6, mld) != 0)
 return (0);
 } else if (icmp6len >= sizeof(struct mldv2_query)) {
- if (mld_v2_input_query(ifp, ip6, m, off,
- icmp6len) != 0)
+ if (mld_v2_input_query(ifp, ip6, m,
+ (struct mldv2_query *)mld, off, icmp6len) != 0)
 return (0);
 }
 break;
From owner-svn-src-releng@freebsd.org Tue Aug 6 17:08:31 2019 Return-Path: Delivered-To: svn-src-releng@mailman.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.nyi.freebsd.org (Postfix) with ESMTP id 7F594C5E1D; Tue, 6 Aug 2019 17:08:31 +0000 (UTC) (envelope-from gordon@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) server-signature RSA-PSS (4096 bits) client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "Let's Encrypt Authority X3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4631LR2nhXz4DQ5; Tue, 6 Aug 2019 17:08:31 +0000 (UTC) (envelope-from gordon@FreeBSD.org) Received: from repo.freebsd.org (repo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id 415062F12C; Tue, 6 Aug 2019 17:08:31 +0000 (UTC) (envelope-from gordon@FreeBSD.org) Received: from repo.freebsd.org ([127.0.1.37]) by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id x76H8VFc037714; Tue, 6 Aug 2019 17:08:31 GMT (envelope-from gordon@FreeBSD.org) Received: (from gordon@localhost) by repo.freebsd.org (8.15.2/8.15.2/Submit) id x76H8Upt037712; Tue, 6 Aug 2019 17:08:30 GMT (envelope-from gordon@FreeBSD.org) Message-Id: <201908061708.x76H8Upt037712@repo.freebsd.org> X-Authentication-Warning: repo.freebsd.org: gordon set sender to gordon@FreeBSD.org using -f
From: Gordon Tetlow Date: Tue, 6 Aug 2019 17:08:30 +0000 (UTC) To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-releng@freebsd.org Subject: svn commit: r350642 - in releng: 11.2/contrib/llvm/projects/libunwind/src 12.0/contrib/llvm/projects/libunwind/src X-SVN-Group: releng X-SVN-Commit-Author: gordon X-SVN-Commit-Paths: in releng: 11.2/contrib/llvm/projects/libunwind/src 12.0/contrib/llvm/projects/libunwind/src X-SVN-Commit-Revision: 350642 X-SVN-Commit-Repository: base MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-src-releng@freebsd.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: SVN commit messages for the release engineering / security commits to the src tree List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 06 Aug 2019 17:08:31 -0000 Author: gordon Date: Tue Aug 6 17:08:30 2019 New Revision: 350642 URL: https://svnweb.freebsd.org/changeset/base/350642 Log: Fix incorrect exception handling. Approved by: so Security: FreeBSD-EN-19:15.libunwind Modified: releng/11.2/contrib/llvm/projects/libunwind/src/EHHeaderParser.hpp releng/12.0/contrib/llvm/projects/libunwind/src/EHHeaderParser.hpp Modified: releng/11.2/contrib/llvm/projects/libunwind/src/EHHeaderParser.hpp ============================================================================== --- releng/11.2/contrib/llvm/projects/libunwind/src/EHHeaderParser.hpp Tue Aug 6 17:07:43 2019 (r350641) +++ releng/11.2/contrib/llvm/projects/libunwind/src/EHHeaderParser.hpp Tue Aug 6 17:08:30 2019 (r350642) 
@@ -68,7 +68,9 @@ void EHHeaderParser::decodeEHHdr(A &addressSpace, p
 ehHdrInfo.eh_frame_ptr =
 addressSpace.getEncodedP(p, ehHdrEnd, eh_frame_ptr_enc, ehHdrStart);
 ehHdrInfo.fde_count =
- addressSpace.getEncodedP(p, ehHdrEnd, fde_count_enc, ehHdrStart);
+ fde_count_enc == DW_EH_PE_omit
+ ? 0
+ : addressSpace.getEncodedP(p, ehHdrEnd, fde_count_enc, ehHdrStart);
 ehHdrInfo.table = p;
 }
Modified: releng/12.0/contrib/llvm/projects/libunwind/src/EHHeaderParser.hpp
==============================================================================
--- releng/12.0/contrib/llvm/projects/libunwind/src/EHHeaderParser.hpp Tue Aug 6 17:07:43 2019 (r350641)
+++ releng/12.0/contrib/llvm/projects/libunwind/src/EHHeaderParser.hpp Tue Aug 6 17:08:30 2019 (r350642)
@@ -68,7 +68,9 @@ void EHHeaderParser::decodeEHHdr(A &addressSpace, p
 ehHdrInfo.eh_frame_ptr =
 addressSpace.getEncodedP(p, ehHdrEnd, eh_frame_ptr_enc, ehHdrStart);
 ehHdrInfo.fde_count =
- addressSpace.getEncodedP(p, ehHdrEnd, fde_count_enc, ehHdrStart);
+ fde_count_enc == DW_EH_PE_omit
+ ? 0
+ : addressSpace.getEncodedP(p, ehHdrEnd, fde_count_enc, ehHdrStart);
 ehHdrInfo.table = p;
 }
From owner-svn-src-releng@freebsd.org Tue Aug 6 17:14:11 2019 Return-Path: Delivered-To: svn-src-releng@mailman.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.nyi.freebsd.org (Postfix) with ESMTP id 8B828C603D; Tue, 6 Aug 2019 17:14:11 +0000 (UTC) (envelope-from gordon@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) server-signature RSA-PSS (4096 bits) client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "Let's Encrypt Authority X3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4631Sz38Mhz4FGV; Tue, 6 Aug 2019 17:14:11 +0000 (UTC) (envelope-from gordon@FreeBSD.org) Received: from repo.freebsd.org (repo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id 4DE592F2F2; Tue, 6 Aug 2019 17:14:11 +0000 (UTC) (envelope-from gordon@FreeBSD.org) Received: from repo.freebsd.org ([127.0.1.37]) by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id x76HEBYu044048; Tue, 6 Aug 2019 17:14:11 GMT (envelope-from gordon@FreeBSD.org) Received: (from gordon@localhost) by repo.freebsd.org (8.15.2/8.15.2/Submit) id x76HEAen044043; Tue, 6 Aug 2019 17:14:10 GMT (envelope-from gordon@FreeBSD.org) Message-Id: <201908061714.x76HEAen044043@repo.freebsd.org> X-Authentication-Warning: repo.freebsd.org: gordon set sender to
gordon@FreeBSD.org using -f From: Gordon Tetlow Date: Tue, 6 Aug 2019 17:14:10 +0000 (UTC) To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-releng@freebsd.org Subject: svn commit: r350649 - in releng: 11.2 11.2/sys/conf 11.3 11.3/sys/conf 12.0 12.0/sys/conf X-SVN-Group: releng X-SVN-Commit-Author: gordon X-SVN-Commit-Paths: in releng: 11.2 11.2/sys/conf 11.3 11.3/sys/conf 12.0 12.0/sys/conf X-SVN-Commit-Revision: 350649 X-SVN-Commit-Repository: base MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-src-releng@freebsd.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: SVN commit messages for the release engineering / security commits to the src tree List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 06 Aug 2019 17:14:11 -0000 Author: gordon Date: Tue Aug 6 17:14:09 2019 New Revision: 350649 URL: https://svnweb.freebsd.org/changeset/base/350649 Log: Bump version information and add UPDATING entries. Approved by: so Modified: releng/11.2/UPDATING releng/11.2/sys/conf/newvers.sh releng/11.3/UPDATING releng/11.3/sys/conf/newvers.sh releng/12.0/UPDATING releng/12.0/sys/conf/newvers.sh Modified: releng/11.2/UPDATING ============================================================================== --- releng/11.2/UPDATING Tue Aug 6 17:13:41 2019 (r350648) +++ releng/11.2/UPDATING Tue Aug 6 17:14:09 2019 (r350649) 
@@ -16,6 +16,24 @@ from older versions of FreeBSD, try WITHOUT_CLANG and the tip of head, and then rebuild without this option. The bootstrap process from older version of current across the gcc/clang cutover is a bit fragile. +20190806 p13 FreeBSD-EN-19:15.libunwind + FreeBSD-SA-19:18.bzip2 + FreeBSD-SA-19:19.mldv2 + FreeBSD-SA-19:20.bsnmp + FreeBSD-SA-19:21.bhyve + + Fix incorrect exception handling. [EN-19:15.libunwind] + + Fix multiple vulnerabilities in bzip2. [SA-19:18.bzip2] + + Fix ICMPv6 / MLDv2 out-of-bounds memory access. [SA-19:19.mldv2] + + Fix insufficient message length validation in bsnmp library. + [SA-19:20.bsnmp] + + Fix insufficient validation of guest-supplied data (e1000 device). + [SA-19:21.bhyve] + 20190724 p12 FreeBSD-EN-19:13.mds FreeBSD-SA-19:12.telnet FreeBSD-SA-19:13.pts Modified: releng/11.2/sys/conf/newvers.sh ============================================================================== --- releng/11.2/sys/conf/newvers.sh Tue Aug 6 17:13:41 2019 (r350648) +++ releng/11.2/sys/conf/newvers.sh Tue Aug 6 17:14:09 2019 (r350649) @@ -44,7 +44,7 @@ TYPE="FreeBSD" REVISION="11.2" -BRANCH="RELEASE-p12" +BRANCH="RELEASE-p13" if [ -n "${BRANCH_OVERRIDE}" ]; then BRANCH=${BRANCH_OVERRIDE} fi Modified: releng/11.3/UPDATING ============================================================================== --- releng/11.3/UPDATING Tue Aug 6 17:13:41 2019 (r350648) +++ releng/11.3/UPDATING Tue Aug 6 17:14:09 2019 (r350649) 
@@ -16,6 +16,21 @@ from older versions of FreeBSD, try WITHOUT_CLANG and the tip of head, and then rebuild without this option. The bootstrap process from older version of current across the gcc/clang cutover is a bit fragile. +20190806 p2 FreeBSD-SA-19:18.bzip2 + FreeBSD-SA-19:19.mldv2 + FreeBSD-SA-19:20.bsnmp + FreeBSD-SA-19:21.bhyve + + Fix multiple vulnerabilities in bzip2. [SA-19:18.bzip2] + + Fix ICMPv6 / MLDv2 out-of-bounds memory access. [SA-19:19.mldv2] + + Fix insufficient message length validation in bsnmp library. + [SA-19:20.bsnmp] + + Fix insufficient validation of guest-supplied data (e1000 device). + [SA-19:21.bhyve] + 20190724 p1 FreeBSD-EN-19:13.mds FreeBSD-SA-19:12.telnet FreeBSD-SA-19:13.pts Modified: releng/11.3/sys/conf/newvers.sh ============================================================================== --- releng/11.3/sys/conf/newvers.sh Tue Aug 6 17:13:41 2019 (r350648) +++ releng/11.3/sys/conf/newvers.sh Tue Aug 6 17:14:09 2019 (r350649) @@ -44,7 +44,7 @@ TYPE="FreeBSD" REVISION="11.3" -BRANCH="RELEASE-p1" +BRANCH="RELEASE-p2" if [ -n "${BRANCH_OVERRIDE}" ]; then BRANCH=${BRANCH_OVERRIDE} fi Modified: releng/12.0/UPDATING ============================================================================== --- releng/12.0/UPDATING Tue Aug 6 17:13:41 2019 (r350648) +++ releng/12.0/UPDATING Tue Aug 6 17:14:09 2019 (r350649) 
@@ -16,6 +16,27 @@ from older versions of FreeBSD, try WITHOUT_CLANG and the tip of head, and then rebuild without this option. The bootstrap process from older version of current across the gcc/clang cutover is a bit fragile. +20190806 p9 FreeBSD-EN-19:14.epoch + FreeBSD-EN-19:15.libunwind + FreeBSD-SA-19:18.bzip2 + FreeBSD-SA-19:19.mldv2 + FreeBSD-SA-19:20.bsnmp + FreeBSD-SA-19:21.bhyve + + Fix incorrect locking in epoch(9). [EN-19:14.epoch] + + Fix incorrect exception handling. [EN-19:15.libunwind] + + Fix multiple vulnerabilities in bzip2. [SA-19:18.bzip2] + + Fix ICMPv6 / MLDv2 out-of-bounds memory access. [SA-19:19.mldv2] + + Fix insufficient message length validation in bsnmp library. + [SA-19:20.bsnmp] + + Fix insufficient validation of guest-supplied data (e1000 device). + [SA-19:21.bhyve] + 20190724 p8 FreeBSD-EN-19:13.mds FreeBSD-SA-19:12.telnet FreeBSD-SA-19:13.pts Modified: releng/12.0/sys/conf/newvers.sh ============================================================================== --- releng/12.0/sys/conf/newvers.sh Tue Aug 6 17:13:41 2019 (r350648) +++ releng/12.0/sys/conf/newvers.sh Tue Aug 6 17:14:09 2019 (r350649) 
@@ -46,7 +46,7 @@ TYPE="FreeBSD" REVISION="12.0" -BRANCH="RELEASE-p8" +BRANCH="RELEASE-p9" if [ -n "${BRANCH_OVERRIDE}" ]; then BRANCH=${BRANCH_OVERRIDE} fi From owner-svn-src-releng@freebsd.org Tue Aug 6 17:13:18 2019 Return-Path: Delivered-To: svn-src-releng@mailman.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.nyi.freebsd.org (Postfix) with ESMTP id DC32DC6024; Tue, 6 Aug 2019 17:13:18 +0000 (UTC) (envelope-from gordon@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) server-signature RSA-PSS (4096 bits) client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "Let's Encrypt Authority X3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4631Ry5Kwzz4F5r; Tue, 6 Aug 2019 17:13:18 +0000 (UTC) (envelope-from gordon@FreeBSD.org) Received: from repo.freebsd.org (repo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id 98BD82F2ED; Tue, 6 Aug 2019 17:13:18 +0000 (UTC) (envelope-from gordon@FreeBSD.org) Received: from repo.freebsd.org ([127.0.1.37]) by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id x76HDI9K043901; Tue, 6 Aug 2019 17:13:18 GMT (envelope-from gordon@FreeBSD.org) Received: (from gordon@localhost) by repo.freebsd.org (8.15.2/8.15.2/Submit) id x76HDHDi043896; Tue, 6 Aug 2019 17:13:17 GMT (envelope-from gordon@FreeBSD.org) Message-Id: <201908061713.x76HDHDi043896@repo.freebsd.org> X-Authentication-Warning: repo.freebsd.org: gordon set sender to gordon@FreeBSD.org using -f 
From: Gordon Tetlow Date: Tue, 6 Aug 2019 17:13:17 +0000 (UTC) To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-releng@freebsd.org Subject: svn commit: r350647 - in releng: 11.2/usr.sbin/bhyve 11.3/usr.sbin/bhyve 12.0/usr.sbin/bhyve X-SVN-Group: releng X-SVN-Commit-Author: gordon X-SVN-Commit-Paths: in releng: 11.2/usr.sbin/bhyve 11.3/usr.sbin/bhyve 12.0/usr.sbin/bhyve X-SVN-Commit-Revision: 350647 X-SVN-Commit-Repository: base MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-src-releng@freebsd.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: SVN commit messages for the release engineering / security commits to the src tree List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 06 Aug 2019 17:13:18 -0000 Author: gordon Date: Tue Aug 6 17:13:17 2019 New Revision: 350647 URL: https://svnweb.freebsd.org/changeset/base/350647 Log: Fix insufficient validation of guest-supplied data (e1000 device). Approved by: so Security: FreeBSD-SA-19:21.bhyve Security: CVE-2019-5609 Modified: releng/11.2/usr.sbin/bhyve/pci_e82545.c releng/11.3/usr.sbin/bhyve/pci_e82545.c releng/12.0/usr.sbin/bhyve/pci_e82545.c Modified: releng/11.2/usr.sbin/bhyve/pci_e82545.c ============================================================================== --- releng/11.2/usr.sbin/bhyve/pci_e82545.c Tue Aug 6 17:12:17 2019 (r350646) +++ releng/11.2/usr.sbin/bhyve/pci_e82545.c Tue Aug 6 17:13:17 2019 (r350647) @@ -1076,8 +1076,9 @@ e82545_transmit(struct e82545_softc *sc, uint16_t head struct ck_info ckinfo[2]; struct iovec *iov; union e1000_tx_udesc *dsc; - int desc, dtype, len, ntype, iovcnt, tlen, hdrlen, vlen, tcp, tso; + int desc, dtype, len, ntype, iovcnt, tlen, tcp, tso; int mss, paylen, seg, tiovcnt, left, now, nleft, nnow, pv, pvoff; + unsigned hdrlen, vlen; uint32_t tcpsum, tcpseq; uint16_t ipcs, tcpcs, ipid, ohead; 
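Review bot: With `hdrlen` and `vlen` moved to `unsigned` in this declaration hunk for releng/11.2, the messages that print `hdrlen` still use `%d`: the `WPRINTF` calls added in the following hunk and the `DPRINTF("tx %s segmentation offload %d+%d/%d bytes %d iovs\r\n", ...)` context line in the @@ -1284,7 +1348,9 @@ hunk. Assuming both macros are printf-style, `%u` matches the new type, e.g. `WPRINTF("TSO hdrlen too large: %u\r\n", hdrlen);`. The same declaration change and format strings appear in the releng/11.3 and releng/12.0 copies of pci_e82545.c. The body of e82545_transmit starts and ends outside this hunk, so comparisons of the two variables against the remaining `int` locals cannot be checked from here.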
@@ -1221,6 +1222,68 @@ e82545_transmit(struct e82545_softc *sc, uint16_t head } else { /* In case of TSO header length provided by software. */ hdrlen = sc->esc_txctx.tcp_seg_setup.fields.hdr_len; + + /* + * Cap the header length at 240 based on 7.2.4.5 of + * the Intel 82576EB (Rev 2.63) datasheet. + */ + if (hdrlen > 240) { + WPRINTF("TSO hdrlen too large: %d\r\n", hdrlen); + goto done; + } + + /* + * If VLAN insertion is requested, ensure the header + * at least holds the amount of data copied during + * VLAN insertion below. + * + * XXX: Realistic packets will include a full Ethernet + * header before the IP header at ckinfo[0].ck_start, + * but this check is sufficient to prevent + * out-of-bounds access below. + */ + if (vlen != 0 && hdrlen < ETHER_ADDR_LEN*2) { + WPRINTF("TSO hdrlen too small for vlan insertion " + "(%d vs %d) -- dropped\r\n", hdrlen, + ETHER_ADDR_LEN*2); + goto done; + } + + /* + * Ensure that the header length covers the used fields + * in the IP and TCP headers as well as the IP and TCP + * checksums. The following fields are accessed below: + * + * Header | Field | Offset | Length + * -------+-------+--------+------- + * IPv4 | len | 2 | 2 + * IPv4 | ID | 4 | 2 + * IPv6 | len | 4 | 2 + * TCP | seq # | 4 | 4 + * TCP | flags | 13 | 1 + * UDP | len | 4 | 4 + */ + if (hdrlen < ckinfo[0].ck_start + 6 || + hdrlen < ckinfo[0].ck_off + 2) { + WPRINTF("TSO hdrlen too small for IP fields (%d) " + "-- dropped\r\n", hdrlen); + goto done; + } + if (sc->esc_txctx.cmd_and_length & E1000_TXD_CMD_TCP) { + if (hdrlen < ckinfo[1].ck_start + 14 || + (ckinfo[1].ck_valid && + hdrlen < ckinfo[1].ck_off + 2)) { + WPRINTF("TSO hdrlen too small for TCP fields " + "(%d) -- dropped\r\n", hdrlen); + goto done; + } + } else { + if (hdrlen < ckinfo[1].ck_start + 8) { + WPRINTF("TSO hdrlen too small for UDP fields " + "(%d) -- dropped\r\n", hdrlen); + goto done; + } + } } /* Allocate, fill and prepend writable header vector. */ 
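Review bot: The UDP branch of the new length validation does not bound `ckinfo[1].ck_off`, unlike the TCP branch, which tests `ckinfo[1].ck_valid && hdrlen < ckinfo[1].ck_off + 2`. The context at the end of the @@ -1284,7 +1348,9 @@ hunk shows `if (ckinfo[1].ck_valid)` guarding a checksum save that is not conditioned on `tcp`; if that statement reads `hdr[ckinfo[1].ck_off]`, as the neighbouring `ipcs` line suggests, a guest-supplied offset beyond `hdrlen` is not rejected for UDP. The UDP test could carry the same clause: `if (hdrlen < ckinfo[1].ck_start + 8 || (ckinfo[1].ck_valid && hdrlen < ckinfo[1].ck_off + 2)) {`. Separately, the table row `UDP | len | 4 | 4` disagrees with the 2-byte UDP length field; the `+ 8` check covers the whole UDP header, so the comment could say that instead. The identical hunks for releng/11.3 and releng/12.0 have the same gap, and e82545_transmit's body continues outside the hunk.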
@@ -1242,7 +1305,8 @@ e82545_transmit(struct e82545_softc *sc, uint16_t head iovcnt++; iov->iov_base = hdr; iov->iov_len = hdrlen; - } + } else + hdr = NULL; /* Insert VLAN tag. */ if (vlen != 0) { @@ -1284,7 +1348,9 @@ e82545_transmit(struct e82545_softc *sc, uint16_t head DPRINTF("tx %s segmentation offload %d+%d/%d bytes %d iovs\r\n", tcp ? "TCP" : "UDP", hdrlen, paylen, mss, iovcnt); ipid = ntohs(*(uint16_t *)&hdr[ckinfo[0].ck_start + 4]); - tcpseq = ntohl(*(uint32_t *)&hdr[ckinfo[1].ck_start + 4]); + tcpseq = 0; + if (tcp) + tcpseq = ntohl(*(uint32_t *)&hdr[ckinfo[1].ck_start + 4]); ipcs = *(uint16_t *)&hdr[ckinfo[0].ck_off]; tcpcs = 0; if (ckinfo[1].ck_valid) /* Save partial pseudo-header checksum. */ Modified: releng/11.3/usr.sbin/bhyve/pci_e82545.c ============================================================================== --- releng/11.3/usr.sbin/bhyve/pci_e82545.c Tue Aug 6 17:12:17 2019 (r350646) +++ releng/11.3/usr.sbin/bhyve/pci_e82545.c Tue Aug 6 17:13:17 2019 (r350647) @@ -1078,8 +1078,9 @@ e82545_transmit(struct e82545_softc *sc, uint16_t head struct ck_info ckinfo[2]; struct iovec *iov; union e1000_tx_udesc *dsc; - int desc, dtype, len, ntype, iovcnt, tlen, hdrlen, vlen, tcp, tso; + int desc, dtype, len, ntype, iovcnt, tlen, tcp, tso; int mss, paylen, seg, tiovcnt, left, now, nleft, nnow, pv, pvoff; + unsigned hdrlen, vlen; uint32_t tcpsum, tcpseq; uint16_t ipcs, tcpcs, ipid, ohead; 
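Review bot: The `} else` / `hdr = NULL;` pair added in the @@ -1242,7 +1305,8 @@ hunk leaves an unbraced `else` on a braced `if` and does not say which later uses of `hdr` can run while it is NULL. `/* Insert VLAN tag. */` with `if (vlen != 0) {` follows directly; for TSO the checks added earlier imply `hdrlen != 0`, but the non-TSO length computation is outside the hunks, so whether `vlen != 0` always comes with a header buffer cannot be confirmed here. I would brace the branch and add a comment such as `/* hdr is only valid when hdrlen != 0; VLAN insertion and TSO rely on that. */`, to be confirmed against the full function. The same hunk is applied to releng/11.3 and releng/12.0.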
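Review bot: The guarded load `tcpseq = ntohl(*(uint32_t *)&hdr[ckinfo[1].ck_start + 4]);` in the @@ -1284,7 +1348,9 @@ hunk still dereferences a `uint32_t *` formed from what appears to be a byte buffer at a guest-chosen offset, so the access may be misaligned and relies on type punning. Copying the bytes first avoids both: `memcpy(&tcpseq, &hdr[ckinfo[1].ck_start + 4], sizeof(tcpseq));` followed by `tcpseq = ntohl(tcpseq);`, assuming `memcpy` is already declared in this file. The `ipid` and `ipcs` context lines use the same cast pattern and would benefit from the same treatment. The change is repeated for releng/11.3 and releng/12.0, and the surrounding function body lies outside the hunk.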
@@ -1223,6 +1224,68 @@ e82545_transmit(struct e82545_softc *sc, uint16_t head } else { /* In case of TSO header length provided by software. */ hdrlen = sc->esc_txctx.tcp_seg_setup.fields.hdr_len; + + /* + * Cap the header length at 240 based on 7.2.4.5 of + * the Intel 82576EB (Rev 2.63) datasheet. + */ + if (hdrlen > 240) { + WPRINTF("TSO hdrlen too large: %d\r\n", hdrlen); + goto done; + } + + /* + * If VLAN insertion is requested, ensure the header + * at least holds the amount of data copied during + * VLAN insertion below. + * + * XXX: Realistic packets will include a full Ethernet + * header before the IP header at ckinfo[0].ck_start, + * but this check is sufficient to prevent + * out-of-bounds access below. + */ + if (vlen != 0 && hdrlen < ETHER_ADDR_LEN*2) { + WPRINTF("TSO hdrlen too small for vlan insertion " + "(%d vs %d) -- dropped\r\n", hdrlen, + ETHER_ADDR_LEN*2); + goto done; + } + + /* + * Ensure that the header length covers the used fields + * in the IP and TCP headers as well as the IP and TCP + * checksums. The following fields are accessed below: + * + * Header | Field | Offset | Length + * -------+-------+--------+------- + * IPv4 | len | 2 | 2 + * IPv4 | ID | 4 | 2 + * IPv6 | len | 4 | 2 + * TCP | seq # | 4 | 4 + * TCP | flags | 13 | 1 + * UDP | len | 4 | 4 + */ + if (hdrlen < ckinfo[0].ck_start + 6 || + hdrlen < ckinfo[0].ck_off + 2) { + WPRINTF("TSO hdrlen too small for IP fields (%d) " + "-- dropped\r\n", hdrlen); + goto done; + } + if (sc->esc_txctx.cmd_and_length & E1000_TXD_CMD_TCP) { + if (hdrlen < ckinfo[1].ck_start + 14 || + (ckinfo[1].ck_valid && + hdrlen < ckinfo[1].ck_off + 2)) { + WPRINTF("TSO hdrlen too small for TCP fields " + "(%d) -- dropped\r\n", hdrlen); + goto done; + } + } else { + if (hdrlen < ckinfo[1].ck_start + 8) { + WPRINTF("TSO hdrlen too small for UDP fields " + "(%d) -- dropped\r\n", hdrlen); + goto done; + } + } } /* Allocate, fill and prepend writable header vector. */ 
@@ -1244,7 +1307,8 @@ e82545_transmit(struct e82545_softc *sc, uint16_t head iovcnt++; iov->iov_base = hdr; iov->iov_len = hdrlen; - } + } else + hdr = NULL; /* Insert VLAN tag. */ if (vlen != 0) { @@ -1286,7 +1350,9 @@ e82545_transmit(struct e82545_softc *sc, uint16_t head DPRINTF("tx %s segmentation offload %d+%d/%d bytes %d iovs\r\n", tcp ? "TCP" : "UDP", hdrlen, paylen, mss, iovcnt); ipid = ntohs(*(uint16_t *)&hdr[ckinfo[0].ck_start + 4]); - tcpseq = ntohl(*(uint32_t *)&hdr[ckinfo[1].ck_start + 4]); + tcpseq = 0; + if (tcp) + tcpseq = ntohl(*(uint32_t *)&hdr[ckinfo[1].ck_start + 4]); ipcs = *(uint16_t *)&hdr[ckinfo[0].ck_off]; tcpcs = 0; if (ckinfo[1].ck_valid) /* Save partial pseudo-header checksum. */ Modified: releng/12.0/usr.sbin/bhyve/pci_e82545.c ============================================================================== --- releng/12.0/usr.sbin/bhyve/pci_e82545.c Tue Aug 6 17:12:17 2019 (r350646) +++ releng/12.0/usr.sbin/bhyve/pci_e82545.c Tue Aug 6 17:13:17 2019 (r350647) @@ -1078,8 +1078,9 @@ e82545_transmit(struct e82545_softc *sc, uint16_t head struct ck_info ckinfo[2]; struct iovec *iov; union e1000_tx_udesc *dsc; - int desc, dtype, len, ntype, iovcnt, tlen, hdrlen, vlen, tcp, tso; + int desc, dtype, len, ntype, iovcnt, tlen, tcp, tso; int mss, paylen, seg, tiovcnt, left, now, nleft, nnow, pv, pvoff; + unsigned hdrlen, vlen; uint32_t tcpsum, tcpseq; uint16_t ipcs, tcpcs, ipid, ohead; 
@@ -1223,6 +1224,68 @@ e82545_transmit(struct e82545_softc *sc, uint16_t head } else { /* In case of TSO header length provided by software. */ hdrlen = sc->esc_txctx.tcp_seg_setup.fields.hdr_len; + + /* + * Cap the header length at 240 based on 7.2.4.5 of + * the Intel 82576EB (Rev 2.63) datasheet. + */ + if (hdrlen > 240) { + WPRINTF("TSO hdrlen too large: %d\r\n", hdrlen); + goto done; + } + + /* + * If VLAN insertion is requested, ensure the header + * at least holds the amount of data copied during + * VLAN insertion below. + * + * XXX: Realistic packets will include a full Ethernet + * header before the IP header at ckinfo[0].ck_start, + * but this check is sufficient to prevent + * out-of-bounds access below. + */ + if (vlen != 0 && hdrlen < ETHER_ADDR_LEN*2) { + WPRINTF("TSO hdrlen too small for vlan insertion " + "(%d vs %d) -- dropped\r\n", hdrlen, + ETHER_ADDR_LEN*2); + goto done; + } + + /* + * Ensure that the header length covers the used fields + * in the IP and TCP headers as well as the IP and TCP + * checksums. The following fields are accessed below: + * + * Header | Field | Offset | Length + * -------+-------+--------+------- + * IPv4 | len | 2 | 2 + * IPv4 | ID | 4 | 2 + * IPv6 | len | 4 | 2 + * TCP | seq # | 4 | 4 + * TCP | flags | 13 | 1 + * UDP | len | 4 | 4 + */ + if (hdrlen < ckinfo[0].ck_start + 6 || + hdrlen < ckinfo[0].ck_off + 2) { + WPRINTF("TSO hdrlen too small for IP fields (%d) " + "-- dropped\r\n", hdrlen); + goto done; + } + if (sc->esc_txctx.cmd_and_length & E1000_TXD_CMD_TCP) { + if (hdrlen < ckinfo[1].ck_start + 14 || + (ckinfo[1].ck_valid && + hdrlen < ckinfo[1].ck_off + 2)) { + WPRINTF("TSO hdrlen too small for TCP fields " + "(%d) -- dropped\r\n", hdrlen); + goto done; + } + } else { + if (hdrlen < ckinfo[1].ck_start + 8) { + WPRINTF("TSO hdrlen too small for UDP fields " + "(%d) -- dropped\r\n", hdrlen); + goto done; + } + } } /* Allocate, fill and prepend writable header vector. */ 
@@ -1244,7 +1307,8 @@ e82545_transmit(struct e82545_softc *sc, uint16_t head iovcnt++; iov->iov_base = hdr; iov->iov_len = hdrlen; - } + } else + hdr = NULL; /* Insert VLAN tag. */ if (vlen != 0) { 
@@ -1286,7 +1350,9 @@ e82545_transmit(struct e82545_softc *sc, uint16_t head DPRINTF("tx %s segmentation offload %d+%d/%d bytes %d iovs\r\n", tcp ? "TCP" : "UDP", hdrlen, paylen, mss, iovcnt); ipid = ntohs(*(uint16_t *)&hdr[ckinfo[0].ck_start + 4]); - tcpseq = ntohl(*(uint32_t *)&hdr[ckinfo[1].ck_start + 4]); + tcpseq = 0; + if (tcp) + tcpseq = ntohl(*(uint32_t *)&hdr[ckinfo[1].ck_start + 4]); ipcs = *(uint16_t *)&hdr[ckinfo[0].ck_off]; tcpcs = 0; if (ckinfo[1].ck_valid) /* Save partial pseudo-header checksum. */ From owner-svn-src-releng@freebsd.org Tue Aug 6 17:09:56 2019 Return-Path: Delivered-To: svn-src-releng@mailman.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.nyi.freebsd.org (Postfix) with ESMTP id 6EEDEC5E3B; Tue, 6 Aug 2019 17:09:56 +0000 (UTC) (envelope-from gordon@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) server-signature RSA-PSS (4096 bits) client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "Let's Encrypt Authority X3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4631N431X5z4DVr; Tue, 6 Aug 2019 17:09:56 +0000 (UTC) (envelope-from gordon@FreeBSD.org) Received: from repo.freebsd.org (repo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id 305012F12D; Tue, 6 Aug 2019 17:09:56 +0000 (UTC) (envelope-from gordon@FreeBSD.org) Received: from repo.freebsd.org ([127.0.1.37]) by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id x76H9uKW037875; Tue, 6 Aug 2019 17:09:56 GMT (envelope-from gordon@FreeBSD.org) Received: (from gordon@localhost) by repo.freebsd.org (8.15.2/8.15.2/Submit) id x76H9m4X037832; Tue, 6 Aug 2019 17:09:48 GMT (envelope-from 
gordon@FreeBSD.org) Message-Id: <201908061709.x76H9m4X037832@repo.freebsd.org> X-Authentication-Warning: repo.freebsd.org: gordon set sender to gordon@FreeBSD.org using -f 
From: Gordon Tetlow Date: Tue, 6 Aug 2019 17:09:48 +0000 (UTC) To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-releng@freebsd.org Subject: svn commit: r350643 - in releng: 11.2/contrib/bzip2 11.3/contrib/bzip2 12.0/contrib/bzip2 X-SVN-Group: releng X-SVN-Commit-Author: gordon X-SVN-Commit-Paths: in releng: 11.2/contrib/bzip2 11.3/contrib/bzip2 12.0/contrib/bzip2 X-SVN-Commit-Revision: 350643 X-SVN-Commit-Repository: base MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-src-releng@freebsd.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: SVN commit messages for the release engineering / security commits to the src tree List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 06 Aug 2019 17:09:56 -0000 Author: gordon Date: Tue Aug 6 17:09:47 2019 New Revision: 350643 URL: https://svnweb.freebsd.org/changeset/base/350643 Log: Fix multiple vulnerabilities in bzip2. Approved by: so Security: FreeBSD-SA-19:18.bzip2 Security: CVE-2016-3189 Security: CVE-2019-12900 Modified: releng/11.2/contrib/bzip2/CHANGES releng/11.2/contrib/bzip2/LICENSE releng/11.2/contrib/bzip2/README releng/11.2/contrib/bzip2/README.COMPILATION.PROBLEMS releng/11.2/contrib/bzip2/blocksort.c releng/11.2/contrib/bzip2/bzip2.1 releng/11.2/contrib/bzip2/bzip2.c releng/11.2/contrib/bzip2/bzip2recover.c releng/11.2/contrib/bzip2/bzlib.c releng/11.2/contrib/bzip2/bzlib.h releng/11.2/contrib/bzip2/bzlib_private.h releng/11.2/contrib/bzip2/compress.c releng/11.2/contrib/bzip2/crctable.c releng/11.2/contrib/bzip2/decompress.c releng/11.2/contrib/bzip2/huffman.c releng/11.2/contrib/bzip2/randtable.c releng/11.2/contrib/bzip2/spewG.c releng/11.2/contrib/bzip2/unzcrash.c releng/11.2/contrib/bzip2/words2 releng/11.3/contrib/bzip2/CHANGES releng/11.3/contrib/bzip2/LICENSE releng/11.3/contrib/bzip2/README releng/11.3/contrib/bzip2/README.COMPILATION.PROBLEMS 
releng/11.3/contrib/bzip2/blocksort.c releng/11.3/contrib/bzip2/bzip2.1 releng/11.3/contrib/bzip2/bzip2.c releng/11.3/contrib/bzip2/bzip2recover.c releng/11.3/contrib/bzip2/bzlib.c releng/11.3/contrib/bzip2/bzlib.h releng/11.3/contrib/bzip2/bzlib_private.h releng/11.3/contrib/bzip2/compress.c releng/11.3/contrib/bzip2/crctable.c releng/11.3/contrib/bzip2/decompress.c releng/11.3/contrib/bzip2/huffman.c releng/11.3/contrib/bzip2/randtable.c releng/11.3/contrib/bzip2/spewG.c releng/11.3/contrib/bzip2/unzcrash.c releng/11.3/contrib/bzip2/words2 releng/12.0/contrib/bzip2/CHANGES releng/12.0/contrib/bzip2/LICENSE releng/12.0/contrib/bzip2/README releng/12.0/contrib/bzip2/README.COMPILATION.PROBLEMS releng/12.0/contrib/bzip2/blocksort.c releng/12.0/contrib/bzip2/bzip2.1 releng/12.0/contrib/bzip2/bzip2.c releng/12.0/contrib/bzip2/bzip2recover.c releng/12.0/contrib/bzip2/bzlib.c releng/12.0/contrib/bzip2/bzlib.h releng/12.0/contrib/bzip2/bzlib_private.h releng/12.0/contrib/bzip2/compress.c releng/12.0/contrib/bzip2/crctable.c releng/12.0/contrib/bzip2/decompress.c releng/12.0/contrib/bzip2/huffman.c releng/12.0/contrib/bzip2/randtable.c releng/12.0/contrib/bzip2/spewG.c releng/12.0/contrib/bzip2/unzcrash.c releng/12.0/contrib/bzip2/words2 Modified: releng/11.2/contrib/bzip2/CHANGES ============================================================================== --- releng/11.2/contrib/bzip2/CHANGES Tue Aug 6 17:08:30 2019 (r350642) +++ releng/11.2/contrib/bzip2/CHANGES Tue Aug 6 17:09:47 2019 (r350643) @@ -2,8 +2,8 @@ This file is part of bzip2/libbzip2, a program and library for lossless, block-sorting data compression. - bzip2/libbzip2 version 1.0.6 of 6 September 2010 - Copyright (C) 1996-2010 Julian Seward + bzip2/libbzip2 version 1.0.7 of 27 June 2019 + Copyright (C) 1996-2010 Julian Seward Please read the WARNING, DISCLAIMER and PATENTS sections in the README file. 
@@ -325,3 +325,16 @@ Security fix only. Fixes CERT-FI 20469 as it applies Izdebski. * Make the documentation build on Ubuntu 10.04 + +1.0.7 (27 Jun 19) +~~~~~~~~~~~~~~~~~ + +* Fix undefined behavior in the macros SET_BH, CLEAR_BH, & ISSET_BH + +* bzip2: Fix return value when combining --test,-t and -q. + +* bzip2recover: Fix buffer overflow for large argv[0] + +* bzip2recover: Fix use after free issue with outFile (CVE-2016-3189) + +* Make sure nSelectors is not out of range (CVE-2019-12900) Modified: releng/11.2/contrib/bzip2/LICENSE ============================================================================== --- releng/11.2/contrib/bzip2/LICENSE Tue Aug 6 17:08:30 2019 (r350642) +++ releng/11.2/contrib/bzip2/LICENSE Tue Aug 6 17:09:47 2019 (r350643) @@ -36,7 +36,7 @@ WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUD NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. -Julian Seward, jseward@bzip.org -bzip2/libbzip2 version 1.0.6 of 6 September 2010 +Julian Seward, jseward@acm.org +bzip2/libbzip2 version 1.0.7 of 27 June 2019 -------------------------------------------------------------------------- Modified: releng/11.2/contrib/bzip2/README ============================================================================== --- releng/11.2/contrib/bzip2/README Tue Aug 6 17:08:30 2019 (r350642) +++ releng/11.2/contrib/bzip2/README Tue Aug 6 17:09:47 2019 (r350643) @@ -6,8 +6,8 @@ This version is fully compatible with the previous pub This file is part of bzip2/libbzip2, a program and library for lossless, block-sorting data compression. -bzip2/libbzip2 version 1.0.6 of 6 September 2010 -Copyright (C) 1996-2010 Julian Seward +bzip2/libbzip2 version 1.0.7 of 27 June 2019 +Copyright (C) 1996-2010 Julian Seward Please read the WARNING, DISCLAIMER and PATENTS sections in this file. 
@@ -73,7 +73,7 @@ HOW TO BUILD -- Windows 95, NT, DOS, Mac, etc. It's difficult for me to support compilation on all these platforms. My approach is to collect binaries for these platforms, and put them -on the master web site (http://www.bzip.org). Look there. However +on the master web site (https://sourceware.org/bzip2/). Look there. However (FWIW), bzip2-1.0.X is very standard ANSI C and should compile unmodified with MS Visual C. If you have difficulties building, you might want to read README.COMPILATION.PROBLEMS. @@ -161,43 +161,22 @@ WHAT'S NEW IN 0.9.5 ? * Many small improvements in file and flag handling. * A Y2K statement. -WHAT'S NEW IN 1.0.0 ? +WHAT'S NEW IN 1.0.x ? See the CHANGES file. -WHAT'S NEW IN 1.0.2 ? - - See the CHANGES file. - -WHAT'S NEW IN 1.0.3 ? - - See the CHANGES file. - -WHAT'S NEW IN 1.0.4 ? - - See the CHANGES file. - -WHAT'S NEW IN 1.0.5 ? - - See the CHANGES file. - -WHAT'S NEW IN 1.0.6 ? - - See the CHANGES file. - - I hope you find bzip2 useful. Feel free to contact me at - jseward@bzip.org + jseward@acm.org if you have any suggestions or queries. Many people mailed me with comments, suggestions and patches after the releases of bzip-0.15, bzip-0.21, and bzip2 versions 0.1pl2, 0.9.0, 0.9.5, 1.0.0, 1.0.1, 1.0.2 and 1.0.3, and the changes in bzip2 are largely a result of this feedback. I thank you for your comments. -bzip2's "home" is http://www.bzip.org/ +bzip2's "home" is https://sourceware.org/bzip2/ Julian Seward -jseward@bzip.org +jseward@acm.org Cambridge, UK. 18 July 1996 (version 0.15) 
@@ -213,3 +192,4 @@ Cambridge, UK. 20 December 2006 (bzip2, version 1.0.4) 10 December 2007 (bzip2, version 1.0.5) 6 Sept 2010 (bzip2, version 1.0.6) +27 June 2019 (bzip2, version 1.0.7) Modified: releng/11.2/contrib/bzip2/README.COMPILATION.PROBLEMS ============================================================================== --- releng/11.2/contrib/bzip2/README.COMPILATION.PROBLEMS Tue Aug 6 17:08:30 2019 (r350642) +++ releng/11.2/contrib/bzip2/README.COMPILATION.PROBLEMS Tue Aug 6 17:09:47 2019 (r350643) @@ -2,8 +2,8 @@ This file is part of bzip2/libbzip2, a program and library for lossless, block-sorting data compression. -bzip2/libbzip2 version 1.0.6 of 6 September 2010 -Copyright (C) 1996-2010 Julian Seward +bzip2/libbzip2 version 1.0.7 of 27 June 2019 +Copyright (C) 1996-2010 Julian Seward Please read the WARNING, DISCLAIMER and PATENTS sections in the README file. @@ -12,7 +12,7 @@ This program is released under the terms of the licens in the file LICENSE. ------------------------------------------------------------------ -bzip2-1.0.6 should compile without problems on the vast majority of +bzip2 should compile without problems on the vast majority of platforms. Using the supplied Makefile, I've built and tested it myself for x86-linux and amd64-linux. With makefile.msc, Visual C++ 6.0 and nmake, you can build a native Win32 version too. Large file Modified: releng/11.2/contrib/bzip2/blocksort.c ============================================================================== --- releng/11.2/contrib/bzip2/blocksort.c Tue Aug 6 17:08:30 2019 (r350642) +++ releng/11.2/contrib/bzip2/blocksort.c Tue Aug 6 17:09:47 2019 (r350643) 
@@ -8,8 +8,8 @@ This file is part of bzip2/libbzip2, a program and library for lossless, block-sorting data compression. - bzip2/libbzip2 version 1.0.6 of 6 September 2010 - Copyright (C) 1996-2010 Julian Seward + bzip2/libbzip2 version 1.0.7 of 27 June 2019 + Copyright (C) 1996-2010 Julian Seward Please read the WARNING, DISCLAIMER and PATENTS sections in the README file. @@ -202,9 +202,9 @@ void fallbackQSort3 ( UInt32* fmap, bhtab [ 0 .. 2+(nblock/32) ] destroyed */ -#define SET_BH(zz) bhtab[(zz) >> 5] |= (1 << ((zz) & 31)) -#define CLEAR_BH(zz) bhtab[(zz) >> 5] &= ~(1 << ((zz) & 31)) -#define ISSET_BH(zz) (bhtab[(zz) >> 5] & (1 << ((zz) & 31))) +#define SET_BH(zz) bhtab[(zz) >> 5] |= ((UInt32)1 << ((zz) & 31)) +#define CLEAR_BH(zz) bhtab[(zz) >> 5] &= ~((UInt32)1 << ((zz) & 31)) +#define ISSET_BH(zz) (bhtab[(zz) >> 5] & ((UInt32)1 << ((zz) & 31))) #define WORD_BH(zz) bhtab[(zz) >> 5] #define UNALIGNED_BH(zz) ((zz) & 0x01f) Modified: releng/11.2/contrib/bzip2/bzip2.1 ============================================================================== --- releng/11.2/contrib/bzip2/bzip2.1 Tue Aug 6 17:08:30 2019 (r350642) +++ releng/11.2/contrib/bzip2/bzip2.1 Tue Aug 6 17:09:47 2019 (r350643) @@ -1,6 +1,6 @@ .TH bzip2 1 .SH NAME -bzip2, bunzip2 \- a block-sorting file compressor, v1.0.6 +bzip2, bunzip2 \- a block-sorting file compressor, v1.0.7 .br bzcat \- decompresses files to stdout .br @@ -404,7 +404,7 @@ I/O error messages are not as helpful as they could be tries hard to detect I/O errors and exit cleanly, but the details of what the problem is sometimes seem rather misleading. -This manual page pertains to version 1.0.6 of +This manual page pertains to version 1.0.7 of .I bzip2. Compressed data created by this version is entirely forwards and backwards compatible with the previous public releases, versions 
@@ -426,9 +426,9 @@ with MaybeUInt64 set to be an unsigned 64-bit integer. .SH AUTHOR -Julian Seward, jsewardbzip.org. +Julian Seward, jseward@acm.org. -http://www.bzip.org +https://sourceware.org/bzip2/ The ideas embodied in .I bzip2 Modified: releng/11.2/contrib/bzip2/bzip2.c ============================================================================== --- releng/11.2/contrib/bzip2/bzip2.c Tue Aug 6 17:08:30 2019 (r350642) +++ releng/11.2/contrib/bzip2/bzip2.c Tue Aug 6 17:09:47 2019 (r350643) @@ -7,8 +7,8 @@ This file is part of bzip2/libbzip2, a program and library for lossless, block-sorting data compression. - bzip2/libbzip2 version 1.0.6 of 6 September 2010 - Copyright (C) 1996-2010 Julian Seward + bzip2/libbzip2 version 1.0.7 of 27 June 2019 + Copyright (C) 1996-2010 Julian Seward Please read the WARNING, DISCLAIMER and PATENTS sections in the README file. @@ -554,7 +554,7 @@ static Bool testStream ( FILE *zStream ) { BZFILE* bzf = NULL; - Int32 bzerr, bzerr_dummy, ret, nread, streamNo, i; + Int32 bzerr, bzerr_dummy, ret, streamNo, i; UChar obuf[5000]; UChar unused[BZ_MAX_UNUSED]; Int32 nUnused; @@ -577,7 +577,7 @@ Bool testStream ( FILE *zStream ) streamNo++; while (bzerr == BZ_OK) { - nread = BZ2_bzRead ( &bzerr, bzf, obuf, 5000 ); + BZ2_bzRead ( &bzerr, bzf, obuf, 5000 ); if (bzerr == BZ_DATA_ERROR_MAGIC) goto errhandler; } if (bzerr != BZ_STREAM_END) goto errhandler; @@ -749,7 +749,7 @@ void panic ( const Char* s ) "\n%s: PANIC -- internal consistency error:\n" "\t%s\n" "\tThis is a BUG. Please report it to me at:\n" - "\tjseward@bzip.org\n", + "\tjseward@acm.org\n", progName, s ); showFileNames(); cleanUpAndFail( 3 ); 
@@ -829,7 +829,7 @@ void mySIGSEGVorSIGBUScatcher ( IntNative n ) " The user's manual, Section 4.3, has more info on (1) and (2).\n" " \n" " If you suspect this is a bug in bzip2, or are unsure about (1)\n" - " or (2), feel free to report it to me at: jseward@bzip.org.\n" + " or (2), feel free to report it to me at: jseward@acm.org.\n" " Section 4.3 of the user's manual describes the info a useful\n" " bug report should have. If the manual is available on your\n" " system, please try and read it before mailing me. If you don't\n" @@ -852,7 +852,7 @@ void mySIGSEGVorSIGBUScatcher ( IntNative n ) " The user's manual, Section 4.3, has more info on (2) and (3).\n" " \n" " If you suspect this is a bug in bzip2, or are unsure about (2)\n" - " or (3), feel free to report it to me at: jseward@bzip.org.\n" + " or (3), feel free to report it to me at: jseward@acm.org.\n" " Section 4.3 of the user's manual describes the info a useful\n" " bug report should have. If the manual is available on your\n" " system, please try and read it before mailing me. If you don't\n" @@ -1609,7 +1609,7 @@ void license ( void ) " \n" " This program is free software; you can redistribute it and/or modify\n" " it under the terms set out in the LICENSE file, which is included\n" - " in the bzip2-1.0.6 source distribution.\n" + " in the bzip2 source distribution.\n" " \n" " This program is distributed in the hope that it will be useful,\n" " but WITHOUT ANY WARRANTY; without even the implied warranty of\n" 
@@ -2005,12 +2005,14 @@ IntNative main ( IntNative argc, Char *argv[] ) testf ( aa->name ); } } - if (testFailsExist && noisy) { - fprintf ( stderr, - "\n" - "You can use the `bzip2recover' program to attempt to recover\n" - "data from undamaged sections of corrupted files.\n\n" - ); + if (testFailsExist) { + if (noisy) { + fprintf ( stderr, + "\n" + "You can use the `bzip2recover' program to attempt to recover\n" + "data from undamaged sections of corrupted files.\n\n" + ); + } setExit(2); exit(exitValue); } Modified: releng/11.2/contrib/bzip2/bzip2recover.c ============================================================================== --- releng/11.2/contrib/bzip2/bzip2recover.c Tue Aug 6 17:08:30 2019 (r350642) +++ releng/11.2/contrib/bzip2/bzip2recover.c Tue Aug 6 17:09:47 2019 (r350643) @@ -7,8 +7,8 @@ This file is part of bzip2/libbzip2, a program and library for lossless, block-sorting data compression. - bzip2/libbzip2 version 1.0.6 of 6 September 2010 - Copyright (C) 1996-2010 Julian Seward + bzip2/libbzip2 version 1.0.7 of 27 June 2019 + Copyright (C) 1996-2010 Julian Seward Please read the WARNING, DISCLAIMER and PATENTS sections in the README file. @@ -309,11 +309,12 @@ Int32 main ( Int32 argc, Char** argv ) UInt32 buffHi, buffLo, blockCRC; Char* p; - strcpy ( progName, argv[0] ); + strncpy ( progName, argv[0], BZ_MAX_FILENAME-1); + progName[BZ_MAX_FILENAME-1]='\0'; inFileName[0] = outFileName[0] = 0; fprintf ( stderr, - "bzip2recover 1.0.6: extracts blocks from damaged .bz2 files.\n" ); + "bzip2recover 1.0.7: extracts blocks from damaged .bz2 files.\n" ); if (argc != 2) { fprintf ( stderr, "%s: usage is `%s damaged_file_name'.\n", 
@@ -457,6 +458,7 @@ Int32 main ( Int32 argc, Char** argv ) bsPutUChar ( bsWr, 0x50 ); bsPutUChar ( bsWr, 0x90 ); bsPutUInt32 ( bsWr, blockCRC ); bsClose ( bsWr ); + outFile = NULL; } if (wrBlock >= rbCtr) break; wrBlock++; Modified: releng/11.2/contrib/bzip2/bzlib.c ============================================================================== --- releng/11.2/contrib/bzip2/bzlib.c Tue Aug 6 17:08:30 2019 (r350642) +++ releng/11.2/contrib/bzip2/bzlib.c Tue Aug 6 17:09:47 2019 (r350643) @@ -8,8 +8,8 @@ This file is part of bzip2/libbzip2, a program and library for lossless, block-sorting data compression. - bzip2/libbzip2 version 1.0.6 of 6 September 2010 - Copyright (C) 1996-2010 Julian Seward + bzip2/libbzip2 version 1.0.7 of 27 June 2019 + Copyright (C) 1996-2010 Julian Seward Please read the WARNING, DISCLAIMER and PATENTS sections in the README file. @@ -47,7 +47,7 @@ void BZ2_bz__AssertH__fail ( int errcode ) fprintf(stderr, "\n\nbzip2/libbzip2: internal error number %d.\n" "This is a bug in bzip2/libbzip2, %s.\n" - "Please report it to me at: jseward@bzip.org. If this happened\n" + "Please report it to me at: jseward@acm.org. If this happened\n" "when you were using some program which uses libbzip2 as a\n" "component, you should also report this bug to the author(s)\n" "of that program. Please make an effort to report this bug;\n" Modified: releng/11.2/contrib/bzip2/bzlib.h ============================================================================== --- releng/11.2/contrib/bzip2/bzlib.h Tue Aug 6 17:08:30 2019 (r350642) +++ releng/11.2/contrib/bzip2/bzlib.h Tue Aug 6 17:09:47 2019 (r350643) 
@@ -8,8 +8,8 @@ This file is part of bzip2/libbzip2, a program and library for lossless, block-sorting data compression. - bzip2/libbzip2 version 1.0.6 of 6 September 2010 - Copyright (C) 1996-2010 Julian Seward + bzip2/libbzip2 version 1.0.7 of 27 June 2019 + Copyright (C) 1996-2010 Julian Seward Please read the WARNING, DISCLAIMER and PATENTS sections in the README file. Modified: releng/11.2/contrib/bzip2/bzlib_private.h ============================================================================== --- releng/11.2/contrib/bzip2/bzlib_private.h Tue Aug 6 17:08:30 2019 (r350642) +++ releng/11.2/contrib/bzip2/bzlib_private.h Tue Aug 6 17:09:47 2019 (r350643) @@ -8,8 +8,8 @@ This file is part of bzip2/libbzip2, a program and library for lossless, block-sorting data compression. - bzip2/libbzip2 version 1.0.6 of 6 September 2010 - Copyright (C) 1996-2010 Julian Seward + bzip2/libbzip2 version 1.0.7 of 27 June 2019 + Copyright (C) 1996-2010 Julian Seward Please read the WARNING, DISCLAIMER and PATENTS sections in the README file. @@ -36,7 +36,7 @@ /*-- General stuff. --*/ -#define BZ_VERSION "1.0.6, 6-Sept-2010" +#define BZ_VERSION "1.0.7, 27-Jun-2019" typedef char Char; typedef unsigned char Bool; Modified: releng/11.2/contrib/bzip2/compress.c ============================================================================== --- releng/11.2/contrib/bzip2/compress.c Tue Aug 6 17:08:30 2019 (r350642) +++ releng/11.2/contrib/bzip2/compress.c Tue Aug 6 17:09:47 2019 (r350643) 
@@ -8,8 +8,8 @@ This file is part of bzip2/libbzip2, a program and library for lossless, block-sorting data compression. - bzip2/libbzip2 version 1.0.6 of 6 September 2010 - Copyright (C) 1996-2010 Julian Seward + bzip2/libbzip2 version 1.0.7 of 27 June 2019 + Copyright (C) 1996-2010 Julian Seward Please read the WARNING, DISCLAIMER and PATENTS sections in the README file. Modified: releng/11.2/contrib/bzip2/crctable.c ============================================================================== --- releng/11.2/contrib/bzip2/crctable.c Tue Aug 6 17:08:30 2019 (r350642) +++ releng/11.2/contrib/bzip2/crctable.c Tue Aug 6 17:09:47 2019 (r350643) @@ -8,8 +8,8 @@ This file is part of bzip2/libbzip2, a program and library for lossless, block-sorting data compression. - bzip2/libbzip2 version 1.0.6 of 6 September 2010 - Copyright (C) 1996-2010 Julian Seward + bzip2/libbzip2 version 1.0.7 of 27 June 2019 + Copyright (C) 1996-2010 Julian Seward Please read the WARNING, DISCLAIMER and PATENTS sections in the README file. Modified: releng/11.2/contrib/bzip2/decompress.c ============================================================================== --- releng/11.2/contrib/bzip2/decompress.c Tue Aug 6 17:08:30 2019 (r350642) +++ releng/11.2/contrib/bzip2/decompress.c Tue Aug 6 17:09:47 2019 (r350643) @@ -8,8 +8,8 @@ This file is part of bzip2/libbzip2, a program and library for lossless, block-sorting data compression. - bzip2/libbzip2 version 1.0.6 of 6 September 2010 - Copyright (C) 1996-2010 Julian Seward + bzip2/libbzip2 version 1.0.7 of 27 June 2019 + Copyright (C) 1996-2010 Julian Seward Please read the WARNING, DISCLAIMER and PATENTS sections in the README file. 
@@ -285,9 +285,9 @@ Int32 BZ2_decompress ( DState* s ) /*--- Now the selectors ---*/ GET_BITS(BZ_X_SELECTOR_1, nGroups, 3); - if (nGroups < 2 || nGroups > 6) RETURN(BZ_DATA_ERROR); + if (nGroups < 2 || nGroups > BZ_N_GROUPS) RETURN(BZ_DATA_ERROR); GET_BITS(BZ_X_SELECTOR_2, nSelectors, 15); - if (nSelectors < 1) RETURN(BZ_DATA_ERROR); + if (nSelectors < 1 || nSelectors > BZ_MAX_SELECTORS) RETURN(BZ_DATA_ERROR); for (i = 0; i < nSelectors; i++) { j = 0; while (True) { Modified: releng/11.2/contrib/bzip2/huffman.c ============================================================================== --- releng/11.2/contrib/bzip2/huffman.c Tue Aug 6 17:08:30 2019 (r350642) +++ releng/11.2/contrib/bzip2/huffman.c Tue Aug 6 17:09:47 2019 (r350643) @@ -8,8 +8,8 @@ This file is part of bzip2/libbzip2, a program and library for lossless, block-sorting data compression. - bzip2/libbzip2 version 1.0.6 of 6 September 2010 - Copyright (C) 1996-2010 Julian Seward + bzip2/libbzip2 version 1.0.7 of 27 June 2019 + Copyright (C) 1996-2010 Julian Seward Please read the WARNING, DISCLAIMER and PATENTS sections in the README file. Modified: releng/11.2/contrib/bzip2/randtable.c ============================================================================== --- releng/11.2/contrib/bzip2/randtable.c Tue Aug 6 17:08:30 2019 (r350642) +++ releng/11.2/contrib/bzip2/randtable.c Tue Aug 6 17:09:47 2019 (r350643) 
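Review bot: The new upper bound on `nSelectors` in the decompress.c hunk at -285 rejects the whole stream with `BZ_DATA_ERROR`, although the field is read as 15 bits and can encode counts above `BZ_MAX_SELECTORS`. Some third-party encoders are known to emit such counts, so files that decompressed before may now fail. A less strict form still parses every selector but stores only those that fit: `if (i < BZ_MAX_SELECTORS) s->selectorMtf[i] = j;` inside the loop, then `if (nSelectors > BZ_MAX_SELECTORS) nSelectors = BZ_MAX_SELECTORS;` after it, which keeps the writes bounded as the CVE-2019-12900 fix intends. The loop body and the array declaration are outside this hunk, so the array name and its size should be confirmed there. The same hunk is repeated for releng/11.3.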
@@ -8,8 +8,8 @@ This file is part of bzip2/libbzip2, a program and library for lossless, block-sorting data compression. - bzip2/libbzip2 version 1.0.6 of 6 September 2010 - Copyright (C) 1996-2010 Julian Seward + bzip2/libbzip2 version 1.0.7 of 27 June 2019 + Copyright (C) 1996-2010 Julian Seward Please read the WARNING, DISCLAIMER and PATENTS sections in the README file. Modified: releng/11.2/contrib/bzip2/spewG.c ============================================================================== --- releng/11.2/contrib/bzip2/spewG.c Tue Aug 6 17:08:30 2019 (r350642) +++ releng/11.2/contrib/bzip2/spewG.c Tue Aug 6 17:09:47 2019 (r350643) @@ -13,8 +13,8 @@ This file is part of bzip2/libbzip2, a program and library for lossless, block-sorting data compression. - bzip2/libbzip2 version 1.0.6 of 6 September 2010 - Copyright (C) 1996-2010 Julian Seward + bzip2/libbzip2 version 1.0.7 of 27 June 2019 + Copyright (C) 1996-2010 Julian Seward Please read the WARNING, DISCLAIMER and PATENTS sections in the README file. Modified: releng/11.2/contrib/bzip2/unzcrash.c ============================================================================== --- releng/11.2/contrib/bzip2/unzcrash.c Tue Aug 6 17:08:30 2019 (r350642) +++ releng/11.2/contrib/bzip2/unzcrash.c Tue Aug 6 17:09:47 2019 (r350643) @@ -17,8 +17,8 @@ This file is part of bzip2/libbzip2, a program and library for lossless, block-sorting data compression. - bzip2/libbzip2 version 1.0.6 of 6 September 2010 - Copyright (C) 1996-2010 Julian Seward + bzip2/libbzip2 version 1.0.7 of 27 June 2019 + Copyright (C) 1996-2010 Julian Seward Please read the WARNING, DISCLAIMER and PATENTS sections in the README file. Modified: releng/11.2/contrib/bzip2/words2 ============================================================================== --- releng/11.2/contrib/bzip2/words2 Tue Aug 6 17:08:30 2019 (r350642) +++ releng/11.2/contrib/bzip2/words2 Tue Aug 6 17:09:47 2019 (r350643) 
@@ -1,5 +1,5 @@ Checking test results. If any of the four "cmp"s which follow report any differences, something is wrong. If you can't easily -figure out what, please let me know (jseward@bzip.org). +figure out what, please let me know (jseward@acm.org). Modified: releng/11.3/contrib/bzip2/CHANGES ============================================================================== --- releng/11.3/contrib/bzip2/CHANGES Tue Aug 6 17:08:30 2019 (r350642) +++ releng/11.3/contrib/bzip2/CHANGES Tue Aug 6 17:09:47 2019 (r350643) @@ -2,8 +2,8 @@ This file is part of bzip2/libbzip2, a program and library for lossless, block-sorting data compression. - bzip2/libbzip2 version 1.0.6 of 6 September 2010 - Copyright (C) 1996-2010 Julian Seward + bzip2/libbzip2 version 1.0.7 of 27 June 2019 + Copyright (C) 1996-2010 Julian Seward Please read the WARNING, DISCLAIMER and PATENTS sections in the README file. @@ -325,3 +325,16 @@ Security fix only. Fixes CERT-FI 20469 as it applies Izdebski. * Make the documentation build on Ubuntu 10.04 + +1.0.7 (27 Jun 19) +~~~~~~~~~~~~~~~~~ + +* Fix undefined behavior in the macros SET_BH, CLEAR_BH, & ISSET_BH + +* bzip2: Fix return value when combining --test,-t and -q. + +* bzip2recover: Fix buffer overflow for large argv[0] + +* bzip2recover: Fix use after free issue with outFile (CVE-2016-3189) + +* Make sure nSelectors is not out of range (CVE-2019-12900) Modified: releng/11.3/contrib/bzip2/LICENSE ============================================================================== --- releng/11.3/contrib/bzip2/LICENSE Tue Aug 6 17:08:30 2019 (r350642) +++ releng/11.3/contrib/bzip2/LICENSE Tue Aug 6 17:09:47 2019 (r350643) 
@@ -36,7 +36,7 @@ WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUD NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. -Julian Seward, jseward@bzip.org -bzip2/libbzip2 version 1.0.6 of 6 September 2010 +Julian Seward, jseward@acm.org +bzip2/libbzip2 version 1.0.7 of 27 June 2019 -------------------------------------------------------------------------- Modified: releng/11.3/contrib/bzip2/README ============================================================================== --- releng/11.3/contrib/bzip2/README Tue Aug 6 17:08:30 2019 (r350642) +++ releng/11.3/contrib/bzip2/README Tue Aug 6 17:09:47 2019 (r350643) @@ -6,8 +6,8 @@ This version is fully compatible with the previous pub This file is part of bzip2/libbzip2, a program and library for lossless, block-sorting data compression. -bzip2/libbzip2 version 1.0.6 of 6 September 2010 -Copyright (C) 1996-2010 Julian Seward +bzip2/libbzip2 version 1.0.7 of 27 June 2019 +Copyright (C) 1996-2010 Julian Seward Please read the WARNING, DISCLAIMER and PATENTS sections in this file. @@ -73,7 +73,7 @@ HOW TO BUILD -- Windows 95, NT, DOS, Mac, etc. It's difficult for me to support compilation on all these platforms. My approach is to collect binaries for these platforms, and put them -on the master web site (http://www.bzip.org). Look there. However +on the master web site (https://sourceware.org/bzip2/). Look there. However (FWIW), bzip2-1.0.X is very standard ANSI C and should compile unmodified with MS Visual C. If you have difficulties building, you might want to read README.COMPILATION.PROBLEMS. 
@@ -161,43 +161,22 @@ WHAT'S NEW IN 0.9.5 ? * Many small improvements in file and flag handling. * A Y2K statement. -WHAT'S NEW IN 1.0.0 ? +WHAT'S NEW IN 1.0.x ? See the CHANGES file. -WHAT'S NEW IN 1.0.2 ? - - See the CHANGES file. - -WHAT'S NEW IN 1.0.3 ? - - See the CHANGES file. - -WHAT'S NEW IN 1.0.4 ? - - See the CHANGES file. - -WHAT'S NEW IN 1.0.5 ? - - See the CHANGES file. - -WHAT'S NEW IN 1.0.6 ? - - See the CHANGES file. - - I hope you find bzip2 useful. Feel free to contact me at - jseward@bzip.org + jseward@acm.org if you have any suggestions or queries. Many people mailed me with comments, suggestions and patches after the releases of bzip-0.15, bzip-0.21, and bzip2 versions 0.1pl2, 0.9.0, 0.9.5, 1.0.0, 1.0.1, 1.0.2 and 1.0.3, and the changes in bzip2 are largely a result of this feedback. I thank you for your comments. -bzip2's "home" is http://www.bzip.org/ +bzip2's "home" is https://sourceware.org/bzip2/ Julian Seward -jseward@bzip.org +jseward@acm.org Cambridge, UK. 18 July 1996 (version 0.15) @@ -213,3 +192,4 @@ Cambridge, UK. 20 December 2006 (bzip2, version 1.0.4) 10 December 2007 (bzip2, version 1.0.5) 6 Sept 2010 (bzip2, version 1.0.6) +27 June 2019 (bzip2, version 1.0.7) Modified: releng/11.3/contrib/bzip2/README.COMPILATION.PROBLEMS ============================================================================== --- releng/11.3/contrib/bzip2/README.COMPILATION.PROBLEMS Tue Aug 6 17:08:30 2019 (r350642) +++ releng/11.3/contrib/bzip2/README.COMPILATION.PROBLEMS Tue Aug 6 17:09:47 2019 (r350643) @@ -2,8 +2,8 @@ This file is part of bzip2/libbzip2, a program and library for lossless, block-sorting data compression. -bzip2/libbzip2 version 1.0.6 of 6 September 2010 -Copyright (C) 1996-2010 Julian Seward +bzip2/libbzip2 version 1.0.7 of 27 June 2019 +Copyright (C) 1996-2010 Julian Seward Please read the WARNING, DISCLAIMER and PATENTS sections in the README file. 
@@ -12,7 +12,7 @@ This program is released under the terms of the licens in the file LICENSE. ------------------------------------------------------------------ -bzip2-1.0.6 should compile without problems on the vast majority of +bzip2 should compile without problems on the vast majority of platforms. Using the supplied Makefile, I've built and tested it myself for x86-linux and amd64-linux. With makefile.msc, Visual C++ 6.0 and nmake, you can build a native Win32 version too. Large file Modified: releng/11.3/contrib/bzip2/blocksort.c ============================================================================== --- releng/11.3/contrib/bzip2/blocksort.c Tue Aug 6 17:08:30 2019 (r350642) +++ releng/11.3/contrib/bzip2/blocksort.c Tue Aug 6 17:09:47 2019 (r350643) @@ -8,8 +8,8 @@ This file is part of bzip2/libbzip2, a program and library for lossless, block-sorting data compression. - bzip2/libbzip2 version 1.0.6 of 6 September 2010 - Copyright (C) 1996-2010 Julian Seward + bzip2/libbzip2 version 1.0.7 of 27 June 2019 + Copyright (C) 1996-2010 Julian Seward Please read the WARNING, DISCLAIMER and PATENTS sections in the README file. @@ -202,9 +202,9 @@ void fallbackQSort3 ( UInt32* fmap, bhtab [ 0 .. 2+(nblock/32) ] destroyed */ -#define SET_BH(zz) bhtab[(zz) >> 5] |= (1 << ((zz) & 31)) -#define CLEAR_BH(zz) bhtab[(zz) >> 5] &= ~(1 << ((zz) & 31)) -#define ISSET_BH(zz) (bhtab[(zz) >> 5] & (1 << ((zz) & 31))) +#define SET_BH(zz) bhtab[(zz) >> 5] |= ((UInt32)1 << ((zz) & 31)) +#define CLEAR_BH(zz) bhtab[(zz) >> 5] &= ~((UInt32)1 << ((zz) & 31)) +#define ISSET_BH(zz) (bhtab[(zz) >> 5] & ((UInt32)1 << ((zz) & 31))) #define WORD_BH(zz) bhtab[(zz) >> 5] #define UNALIGNED_BH(zz) ((zz) & 0x01f) Modified: releng/11.3/contrib/bzip2/bzip2.1 ============================================================================== --- releng/11.3/contrib/bzip2/bzip2.1 Tue Aug 6 17:08:30 2019 (r350642) +++ releng/11.3/contrib/bzip2/bzip2.1 Tue Aug 6 17:09:47 2019 (r350643) 
@@ -1,6 +1,6 @@ .TH bzip2 1 .SH NAME -bzip2, bunzip2 \- a block-sorting file compressor, v1.0.6 +bzip2, bunzip2 \- a block-sorting file compressor, v1.0.7 .br bzcat \- decompresses files to stdout .br @@ -404,7 +404,7 @@ I/O error messages are not as helpful as they could be tries hard to detect I/O errors and exit cleanly, but the details of what the problem is sometimes seem rather misleading. -This manual page pertains to version 1.0.6 of +This manual page pertains to version 1.0.7 of .I bzip2. Compressed data created by this version is entirely forwards and backwards compatible with the previous public releases, versions @@ -426,9 +426,9 @@ with MaybeUInt64 set to be an unsigned 64-bit integer. .SH AUTHOR -Julian Seward, jsewardbzip.org. +Julian Seward, jseward@acm.org. -http://www.bzip.org +https://sourceware.org/bzip2/ The ideas embodied in .I bzip2 Modified: releng/11.3/contrib/bzip2/bzip2.c ============================================================================== --- releng/11.3/contrib/bzip2/bzip2.c Tue Aug 6 17:08:30 2019 (r350642) +++ releng/11.3/contrib/bzip2/bzip2.c Tue Aug 6 17:09:47 2019 (r350643) @@ -7,8 +7,8 @@ This file is part of bzip2/libbzip2, a program and library for lossless, block-sorting data compression. - bzip2/libbzip2 version 1.0.6 of 6 September 2010 - Copyright (C) 1996-2010 Julian Seward + bzip2/libbzip2 version 1.0.7 of 27 June 2019 + Copyright (C) 1996-2010 Julian Seward Please read the WARNING, DISCLAIMER and PATENTS sections in the README file. @@ -554,7 +554,7 @@ static Bool testStream ( FILE *zStream ) { BZFILE* bzf = NULL; - Int32 bzerr, bzerr_dummy, ret, nread, streamNo, i; + Int32 bzerr, bzerr_dummy, ret, streamNo, i; UChar obuf[5000]; UChar unused[BZ_MAX_UNUSED]; Int32 nUnused; 
@@ -577,7 +577,7 @@ Bool testStream ( FILE *zStream ) streamNo++; while (bzerr == BZ_OK) { - nread = BZ2_bzRead ( &bzerr, bzf, obuf, 5000 ); + BZ2_bzRead ( &bzerr, bzf, obuf, 5000 ); if (bzerr == BZ_DATA_ERROR_MAGIC) goto errhandler; } if (bzerr != BZ_STREAM_END) goto errhandler; @@ -749,7 +749,7 @@ void panic ( const Char* s ) "\n%s: PANIC -- internal consistency error:\n" "\t%s\n" "\tThis is a BUG. Please report it to me at:\n" - "\tjseward@bzip.org\n", + "\tjseward@acm.org\n", progName, s ); showFileNames(); cleanUpAndFail( 3 ); @@ -829,7 +829,7 @@ void mySIGSEGVorSIGBUScatcher ( IntNative n ) " The user's manual, Section 4.3, has more info on (1) and (2).\n" " \n" " If you suspect this is a bug in bzip2, or are unsure about (1)\n" - " or (2), feel free to report it to me at: jseward@bzip.org.\n" + " or (2), feel free to report it to me at: jseward@acm.org.\n" " Section 4.3 of the user's manual describes the info a useful\n" " bug report should have. If the manual is available on your\n" " system, please try and read it before mailing me. If you don't\n" @@ -852,7 +852,7 @@ void mySIGSEGVorSIGBUScatcher ( IntNative n ) " The user's manual, Section 4.3, has more info on (2) and (3).\n" " \n" " If you suspect this is a bug in bzip2, or are unsure about (2)\n" - " or (3), feel free to report it to me at: jseward@bzip.org.\n" + " or (3), feel free to report it to me at: jseward@acm.org.\n" " Section 4.3 of the user's manual describes the info a useful\n" " bug report should have. If the manual is available on your\n" " system, please try and read it before mailing me. If you don't\n" 
@@ -1609,7 +1609,7 @@ void license ( void ) " \n" " This program is free software; you can redistribute it and/or modify\n" " it under the terms set out in the LICENSE file, which is included\n" - " in the bzip2-1.0.6 source distribution.\n" + " in the bzip2 source distribution.\n" " \n" " This program is distributed in the hope that it will be useful,\n" " but WITHOUT ANY WARRANTY; without even the implied warranty of\n" @@ -2005,12 +2005,14 @@ IntNative main ( IntNative argc, Char *argv[] ) testf ( aa->name ); } } - if (testFailsExist && noisy) { - fprintf ( stderr, - "\n" - "You can use the `bzip2recover' program to attempt to recover\n" - "data from undamaged sections of corrupted files.\n\n" - ); + if (testFailsExist) { + if (noisy) { + fprintf ( stderr, + "\n" + "You can use the `bzip2recover' program to attempt to recover\n" + "data from undamaged sections of corrupted files.\n\n" + ); + } setExit(2); exit(exitValue); } Modified: releng/11.3/contrib/bzip2/bzip2recover.c ============================================================================== --- releng/11.3/contrib/bzip2/bzip2recover.c Tue Aug 6 17:08:30 2019 (r350642) +++ releng/11.3/contrib/bzip2/bzip2recover.c Tue Aug 6 17:09:47 2019 (r350643) @@ -7,8 +7,8 @@ This file is part of bzip2/libbzip2, a program and library for lossless, block-sorting data compression. - bzip2/libbzip2 version 1.0.6 of 6 September 2010 - Copyright (C) 1996-2010 Julian Seward + bzip2/libbzip2 version 1.0.7 of 27 June 2019 + Copyright (C) 1996-2010 Julian Seward Please read the WARNING, DISCLAIMER and PATENTS sections in the README file. 
@@ -309,11 +309,12 @@ Int32 main ( Int32 argc, Char** argv ) UInt32 buffHi, buffLo, blockCRC; Char* p; - strcpy ( progName, argv[0] ); + strncpy ( progName, argv[0], BZ_MAX_FILENAME-1); + progName[BZ_MAX_FILENAME-1]='\0'; inFileName[0] = outFileName[0] = 0; fprintf ( stderr, - "bzip2recover 1.0.6: extracts blocks from damaged .bz2 files.\n" ); + "bzip2recover 1.0.7: extracts blocks from damaged .bz2 files.\n" ); if (argc != 2) { fprintf ( stderr, "%s: usage is `%s damaged_file_name'.\n", @@ -457,6 +458,7 @@ Int32 main ( Int32 argc, Char** argv ) bsPutUChar ( bsWr, 0x50 ); bsPutUChar ( bsWr, 0x90 ); bsPutUInt32 ( bsWr, blockCRC ); bsClose ( bsWr ); + outFile = NULL; } if (wrBlock >= rbCtr) break; wrBlock++; Modified: releng/11.3/contrib/bzip2/bzlib.c ============================================================================== --- releng/11.3/contrib/bzip2/bzlib.c Tue Aug 6 17:08:30 2019 (r350642) +++ releng/11.3/contrib/bzip2/bzlib.c Tue Aug 6 17:09:47 2019 (r350643) @@ -8,8 +8,8 @@ This file is part of bzip2/libbzip2, a program and library for lossless, block-sorting data compression. - bzip2/libbzip2 version 1.0.6 of 6 September 2010 - Copyright (C) 1996-2010 Julian Seward + bzip2/libbzip2 version 1.0.7 of 27 June 2019 + Copyright (C) 1996-2010 Julian Seward Please read the WARNING, DISCLAIMER and PATENTS sections in the README file. 
@@ -47,7 +47,7 @@ void BZ2_bz__AssertH__fail ( int errcode ) fprintf(stderr, "\n\nbzip2/libbzip2: internal error number %d.\n" "This is a bug in bzip2/libbzip2, %s.\n" - "Please report it to me at: jseward@bzip.org. If this happened\n" + "Please report it to me at: jseward@acm.org. If this happened\n" "when you were using some program which uses libbzip2 as a\n" "component, you should also report this bug to the author(s)\n" "of that program. Please make an effort to report this bug;\n" Modified: releng/11.3/contrib/bzip2/bzlib.h ============================================================================== --- releng/11.3/contrib/bzip2/bzlib.h Tue Aug 6 17:08:30 2019 (r350642) +++ releng/11.3/contrib/bzip2/bzlib.h Tue Aug 6 17:09:47 2019 (r350643) @@ -8,8 +8,8 @@ This file is part of bzip2/libbzip2, a program and library for lossless, block-sorting data compression. - bzip2/libbzip2 version 1.0.6 of 6 September 2010 - Copyright (C) 1996-2010 Julian Seward + bzip2/libbzip2 version 1.0.7 of 27 June 2019 + Copyright (C) 1996-2010 Julian Seward Please read the WARNING, DISCLAIMER and PATENTS sections in the README file. Modified: releng/11.3/contrib/bzip2/bzlib_private.h ============================================================================== --- releng/11.3/contrib/bzip2/bzlib_private.h Tue Aug 6 17:08:30 2019 (r350642) +++ releng/11.3/contrib/bzip2/bzlib_private.h Tue Aug 6 17:09:47 2019 (r350643) @@ -8,8 +8,8 @@ This file is part of bzip2/libbzip2, a program and library for lossless, block-sorting data compression. - bzip2/libbzip2 version 1.0.6 of 6 September 2010 - Copyright (C) 1996-2010 Julian Seward + bzip2/libbzip2 version 1.0.7 of 27 June 2019 + Copyright (C) 1996-2010 Julian Seward Please read the WARNING, DISCLAIMER and PATENTS sections in the README file. 
@@ -36,7 +36,7 @@ /*-- General stuff. --*/ -#define BZ_VERSION "1.0.6, 6-Sept-2010" +#define BZ_VERSION "1.0.7, 27-Jun-2019" typedef char Char; typedef unsigned char Bool; Modified: releng/11.3/contrib/bzip2/compress.c ============================================================================== --- releng/11.3/contrib/bzip2/compress.c Tue Aug 6 17:08:30 2019 (r350642) +++ releng/11.3/contrib/bzip2/compress.c Tue Aug 6 17:09:47 2019 (r350643) @@ -8,8 +8,8 @@ This file is part of bzip2/libbzip2, a program and library for lossless, block-sorting data compression. - bzip2/libbzip2 version 1.0.6 of 6 September 2010 - Copyright (C) 1996-2010 Julian Seward + bzip2/libbzip2 version 1.0.7 of 27 June 2019 + Copyright (C) 1996-2010 Julian Seward Please read the WARNING, DISCLAIMER and PATENTS sections in the README file. Modified: releng/11.3/contrib/bzip2/crctable.c ============================================================================== --- releng/11.3/contrib/bzip2/crctable.c Tue Aug 6 17:08:30 2019 (r350642) +++ releng/11.3/contrib/bzip2/crctable.c Tue Aug 6 17:09:47 2019 (r350643) @@ -8,8 +8,8 @@ This file is part of bzip2/libbzip2, a program and library for lossless, block-sorting data compression. - bzip2/libbzip2 version 1.0.6 of 6 September 2010 - Copyright (C) 1996-2010 Julian Seward + bzip2/libbzip2 version 1.0.7 of 27 June 2019 + Copyright (C) 1996-2010 Julian Seward Please read the WARNING, DISCLAIMER and PATENTS sections in the README file. Modified: releng/11.3/contrib/bzip2/decompress.c ============================================================================== --- releng/11.3/contrib/bzip2/decompress.c Tue Aug 6 17:08:30 2019 (r350642) +++ releng/11.3/contrib/bzip2/decompress.c Tue Aug 6 17:09:47 2019 (r350643) 
@@ -8,8 +8,8 @@ This file is part of bzip2/libbzip2, a program and library for lossless, block-sorting data compression. - bzip2/libbzip2 version 1.0.6 of 6 September 2010 - Copyright (C) 1996-2010 Julian Seward + bzip2/libbzip2 version 1.0.7 of 27 June 2019 + Copyright (C) 1996-2010 Julian Seward Please read the WARNING, DISCLAIMER and PATENTS sections in the README file. @@ -285,9 +285,9 @@ Int32 BZ2_decompress ( DState* s ) /*--- Now the selectors ---*/ GET_BITS(BZ_X_SELECTOR_1, nGroups, 3); - if (nGroups < 2 || nGroups > 6) RETURN(BZ_DATA_ERROR); + if (nGroups < 2 || nGroups > BZ_N_GROUPS) RETURN(BZ_DATA_ERROR); GET_BITS(BZ_X_SELECTOR_2, nSelectors, 15); - if (nSelectors < 1) RETURN(BZ_DATA_ERROR); + if (nSelectors < 1 || nSelectors > BZ_MAX_SELECTORS) RETURN(BZ_DATA_ERROR); for (i = 0; i < nSelectors; i++) { j = 0; while (True) { Modified: releng/11.3/contrib/bzip2/huffman.c ============================================================================== --- releng/11.3/contrib/bzip2/huffman.c Tue Aug 6 17:08:30 2019 (r350642) +++ releng/11.3/contrib/bzip2/huffman.c Tue Aug 6 17:09:47 2019 (r350643) @@ -8,8 +8,8 @@ This file is part of bzip2/libbzip2, a program and library for lossless, block-sorting data compression. - bzip2/libbzip2 version 1.0.6 of 6 September 2010 - Copyright (C) 1996-2010 Julian Seward + bzip2/libbzip2 version 1.0.7 of 27 June 2019 + Copyright (C) 1996-2010 Julian Seward Please read the WARNING, DISCLAIMER and PATENTS sections in the README file. Modified: releng/11.3/contrib/bzip2/randtable.c ============================================================================== --- releng/11.3/contrib/bzip2/randtable.c Tue Aug 6 17:08:30 2019 (r350642) +++ releng/11.3/contrib/bzip2/randtable.c Tue Aug 6 17:09:47 2019 (r350643) 
@@ -8,8 +8,8 @@ This file is part of bzip2/libbzip2, a program and library for lossless, block-sorting data compression. - bzip2/libbzip2 version 1.0.6 of 6 September 2010 - Copyright (C) 1996-2010 Julian Seward + bzip2/libbzip2 version 1.0.7 of 27 June 2019 + Copyright (C) 1996-2010 Julian Seward Please read the WARNING, DISCLAIMER and PATENTS sections in the README file. Modified: releng/11.3/contrib/bzip2/spewG.c ============================================================================== --- releng/11.3/contrib/bzip2/spewG.c Tue Aug 6 17:08:30 2019 (r350642) +++ releng/11.3/contrib/bzip2/spewG.c Tue Aug 6 17:09:47 2019 (r350643) @@ -13,8 +13,8 @@ This file is part of bzip2/libbzip2, a program and library for lossless, block-sorting data compression. - bzip2/libbzip2 version 1.0.6 of 6 September 2010 - Copyright (C) 1996-2010 Julian Seward + bzip2/libbzip2 version 1.0.7 of 27 June 2019 + Copyright (C) 1996-2010 Julian Seward Please read the WARNING, DISCLAIMER and PATENTS sections in the README file. Modified: releng/11.3/contrib/bzip2/unzcrash.c ============================================================================== --- releng/11.3/contrib/bzip2/unzcrash.c Tue Aug 6 17:08:30 2019 (r350642) +++ releng/11.3/contrib/bzip2/unzcrash.c Tue Aug 6 17:09:47 2019 (r350643) @@ -17,8 +17,8 @@ This file is part of bzip2/libbzip2, a program and library for lossless, block-sorting data compression. - bzip2/libbzip2 version 1.0.6 of 6 September 2010 - Copyright (C) 1996-2010 Julian Seward + bzip2/libbzip2 version 1.0.7 of 27 June 2019 + Copyright (C) 1996-2010 Julian Seward Please read the WARNING, DISCLAIMER and PATENTS sections in the README file. Modified: releng/11.3/contrib/bzip2/words2 ============================================================================== --- releng/11.3/contrib/bzip2/words2 Tue Aug 6 17:08:30 2019 (r350642) +++ releng/11.3/contrib/bzip2/words2 Tue Aug 6 17:09:47 2019 (r350643) 
@@ -1,5 +1,5 @@ Checking test results. If any of the four "cmp"s which follow report any differences, something is wrong. If you can't easily -figure out what, please let me know (jseward@bzip.org). +figure out what, please let me know (jseward@acm.org). Modified: releng/12.0/contrib/bzip2/CHANGES ============================================================================== --- releng/12.0/contrib/bzip2/CHANGES Tue Aug 6 17:08:30 2019 (r350642) +++ releng/12.0/contrib/bzip2/CHANGES Tue Aug 6 17:09:47 2019 (r350643) @@ -2,8 +2,8 @@ This file is part of bzip2/libbzip2, a program and library for lossless, block-sorting data compression. - bzip2/libbzip2 version 1.0.6 of 6 September 2010 - Copyright (C) 1996-2010 Julian Seward + bzip2/libbzip2 version 1.0.7 of 27 June 2019 + Copyright (C) 1996-2010 Julian Seward Please read the WARNING, DISCLAIMER and PATENTS sections in the README file. 
@@ -325,3 +325,16 @@ Security fix only. Fixes CERT-FI 20469 as it applies Izdebski. * Make the documentation build on Ubuntu 10.04 + +1.0.7 (27 Jun 19) +~~~~~~~~~~~~~~~~~ + +* Fix undefined behavior in the macros SET_BH, CLEAR_BH, & ISSET_BH *** DIFF OUTPUT TRUNCATED AT 1000 LINES *** From owner-svn-src-releng@freebsd.org Tue Aug 6 17:12:18 2019 Return-Path: Delivered-To: svn-src-releng@mailman.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.nyi.freebsd.org (Postfix) with ESMTP id A92E0C5FEB; Tue, 6 Aug 2019 17:12:18 +0000 (UTC) (envelope-from gordon@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) server-signature RSA-PSS (4096 bits) client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "Let's Encrypt Authority X3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4631Qp3fdYz4F0G; Tue, 6 Aug 2019 17:12:18 +0000 (UTC) (envelope-from gordon@FreeBSD.org) Received: from repo.freebsd.org (repo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id 5F03D2F2C3; Tue, 6 Aug 2019 17:12:18 +0000 (UTC) (envelope-from gordon@FreeBSD.org) Received: from repo.freebsd.org ([127.0.1.37]) by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id x76HCIDu042856; Tue, 6 Aug 2019 17:12:18 GMT (envelope-from gordon@FreeBSD.org) Received: (from gordon@localhost) by repo.freebsd.org (8.15.2/8.15.2/Submit) id x76HCHt6042854; Tue, 6 Aug 2019 17:12:17 GMT (envelope-from gordon@FreeBSD.org) Message-Id: <201908061712.x76HCHt6042854@repo.freebsd.org> X-Authentication-Warning: repo.freebsd.org: gordon set sender to gordon@FreeBSD.org using -f 
From: Gordon Tetlow Date: Tue, 6 Aug 2019 17:12:17 +0000 (UTC) To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-releng@freebsd.org Subject: svn commit: r350646 - in releng: 11.2/contrib/bsnmp/lib 11.3/contrib/bsnmp/lib 12.0/contrib/bsnmp/lib X-SVN-Group: releng X-SVN-Commit-Author: gordon X-SVN-Commit-Paths: in releng: 11.2/contrib/bsnmp/lib 11.3/contrib/bsnmp/lib 12.0/contrib/bsnmp/lib X-SVN-Commit-Revision: 350646 X-SVN-Commit-Repository: base MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-src-releng@freebsd.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: SVN commit messages for the release engineering / security commits to the src tree List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 06 Aug 2019 17:12:18 -0000 Author: gordon Date: Tue Aug 6 17:12:17 2019 New Revision: 350646 URL: https://svnweb.freebsd.org/changeset/base/350646 Log: Fix insufficient message length validation in bsnmp library. Approved by: so Security: FreeBSD-SA-19:20.bsnmp Security: CVE-2019-5610 Modified: releng/11.2/contrib/bsnmp/lib/asn1.c releng/11.3/contrib/bsnmp/lib/asn1.c releng/12.0/contrib/bsnmp/lib/asn1.c Modified: releng/11.2/contrib/bsnmp/lib/asn1.c ============================================================================== --- releng/11.2/contrib/bsnmp/lib/asn1.c Tue Aug 6 17:11:30 2019 (r350645) +++ releng/11.2/contrib/bsnmp/lib/asn1.c Tue Aug 6 17:12:17 2019 (r350646) 
@@ -100,6 +100,11 @@ asn_get_header(struct asn_buf *b, u_char *type, asn_le *len = *b->asn_cptr++; b->asn_len--; } + if (*len > b->asn_len) { + asn_error(b, "len %u exceeding asn_len %u", *len, b->asn_len); + return (ASN_ERR_EOBUF); + } + return (ASN_ERR_OK); } Modified: releng/11.3/contrib/bsnmp/lib/asn1.c ============================================================================== --- releng/11.3/contrib/bsnmp/lib/asn1.c Tue Aug 6 17:11:30 2019 (r350645) +++ releng/11.3/contrib/bsnmp/lib/asn1.c Tue Aug 6 17:12:17 2019 (r350646) @@ -100,6 +100,11 @@ asn_get_header(struct asn_buf *b, u_char *type, asn_le *len = *b->asn_cptr++; b->asn_len--; } + if (*len > b->asn_len) { + asn_error(b, "len %u exceeding asn_len %u", *len, b->asn_len); + return (ASN_ERR_EOBUF); + } + return (ASN_ERR_OK); } Modified: releng/12.0/contrib/bsnmp/lib/asn1.c ============================================================================== --- releng/12.0/contrib/bsnmp/lib/asn1.c Tue Aug 6 17:11:30 2019 (r350645) +++ releng/12.0/contrib/bsnmp/lib/asn1.c Tue Aug 6 17:12:17 2019 (r350646) @@ -100,6 +100,11 @@ asn_get_header(struct asn_buf *b, u_char *type, asn_le *len = *b->asn_cptr++; b->asn_len--; } + if (*len > b->asn_len) { + asn_error(b, "len %u exceeding asn_len %u", *len, b->asn_len); + return (ASN_ERR_EOBUF); + } + return (ASN_ERR_OK); }
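Review bot: In the added `asn_error` call of the asn1.c hunk, both values are printed with `%u`, but `b->asn_len` is a buffer length and is likely a `size_t`; if so, the conversion is mismatched on 64-bit targets and the logged value is unreliable. Assuming that type (the `struct asn_buf` declaration is outside the hunk), the call would read `asn_error(b, "len %u exceeding asn_len %zu", *len, b->asn_len);`. The check sits after the header bytes have been consumed, so it compares against the remaining length, which appears to be the intent. A one-line comment above the `if` stating that would make this explicit. The identical hunk is applied to releng/11.3 and releng/12.0, and `asn_get_header` starts above the hunk.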