Skip site navigation (1)Skip section navigation (2)
Date:      Wed, 27 Dec 2017 03:24:24 +0000 (UTC)
From:      Ed Maste <emaste@FreeBSD.org>
To:        src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-stable@freebsd.org, svn-src-stable-11@freebsd.org
Subject:   svn commit: r327234 - stable/11/contrib/tcpdump
Message-ID:  <201712270324.vBR3OOGr058526@repo.freebsd.org>

next in thread | raw e-mail | index | archive | help
Author: emaste
Date: Wed Dec 27 03:24:24 2017
New Revision: 327234
URL: https://svnweb.freebsd.org/changeset/base/327234

Log:
  MFC r326613: Update tcpdump to 4.9.2
  
  It contains many fixes, including bounds checking, buffer overflows (in
  SLIP and bittok2str_internal), buffer over-reads, and infinite loops.
  
  One other notable change:
    Do not use getprotobynumber() for protocol name resolution.
    Do not do any protocol name resolution if -n is specified.
  
  Relnotes:	Yes
  Security:	CVE-2017-11108, CVE-2017-11541, CVE-2017-11542
  Security:	CVE-2017-11543, CVE-2017-12893, CVE-2017-12894
  Security:	CVE-2017-12895, CVE-2017-12896, CVE-2017-12897
  Security:	CVE-2017-12898, CVE-2017-12899, CVE-2017-12900
  Security:	CVE-2017-12901, CVE-2017-12902, CVE-2017-12985
  Security:	CVE-2017-12986, CVE-2017-12987, CVE-2017-12988
  Security:	CVE-2017-12989, CVE-2017-12990, CVE-2017-12991
  Security:	CVE-2017-12992, CVE-2017-12993, CVE-2017-12994
  Security:	CVE-2017-12995, CVE-2017-12996, CVE-2017-12997
  Security:	CVE-2017-12998, CVE-2017-12999, CVE-2017-13000
  Security:	CVE-2017-13001, CVE-2017-13002, CVE-2017-13003
  Security:	CVE-2017-13004, CVE-2017-13005, CVE-2017-13006
  Security:	CVE-2017-13007, CVE-2017-13008, CVE-2017-13009
  Security:	CVE-2017-13010, CVE-2017-13011, CVE-2017-13012
  Security:	CVE-2017-13013, CVE-2017-13014, CVE-2017-13015
  Security:	CVE-2017-13016, CVE-2017-13017, CVE-2017-13018
  Security:	CVE-2017-13019, CVE-2017-13020, CVE-2017-13021
  Security:	CVE-2017-13022, CVE-2017-13023, CVE-2017-13024
  Security:	CVE-2017-13025, CVE-2017-13026, CVE-2017-13027
  Security:	CVE-2017-13028, CVE-2017-13029, CVE-2017-13030
  Security:	CVE-2017-13031, CVE-2017-13032, CVE-2017-13033
  Security:	CVE-2017-13034, CVE-2017-13035, CVE-2017-13036
  Security:	CVE-2017-13037, CVE-2017-13038, CVE-2017-13039
  Security:	CVE-2017-13040, CVE-2017-13041, CVE-2017-13042
  Security:	CVE-2017-13043, CVE-2017-13044, CVE-2017-13045
  Security:	CVE-2017-13046, CVE-2017-13047, CVE-2017-13048
  Security:	CVE-2017-13049, CVE-2017-13050, CVE-2017-13051
  Security:	CVE-2017-13052, CVE-2017-13053, CVE-2017-13054
  Security:	CVE-2017-13055, CVE-2017-13687, CVE-2017-13688
  Security:	CVE-2017-13689, CVE-2017-13690, CVE-2017-13725

Added:
     - copied unchanged from r326613, head/contrib/tcpdump/funcattrs.h
Directory Properties:
  stable/11/contrib/tcpdump/funcattrs.h   (props changed)
Modified:
  stable/11/contrib/tcpdump/CHANGES
  stable/11/contrib/tcpdump/CONTRIBUTING
  stable/11/contrib/tcpdump/CREDITS
  stable/11/contrib/tcpdump/INSTALL.txt
  stable/11/contrib/tcpdump/Makefile.in
  stable/11/contrib/tcpdump/PLATFORMS
  stable/11/contrib/tcpdump/README.md
  stable/11/contrib/tcpdump/VERSION
  stable/11/contrib/tcpdump/addrtoname.c
  stable/11/contrib/tcpdump/addrtoname.h
  stable/11/contrib/tcpdump/addrtostr.c
  stable/11/contrib/tcpdump/af.c
  stable/11/contrib/tcpdump/af.h
  stable/11/contrib/tcpdump/checksum.c
  stable/11/contrib/tcpdump/config.h.in
  stable/11/contrib/tcpdump/configure
  stable/11/contrib/tcpdump/configure.in
  stable/11/contrib/tcpdump/extract.h
  stable/11/contrib/tcpdump/gmpls.c
  stable/11/contrib/tcpdump/gmpls.h
  stable/11/contrib/tcpdump/ip6.h
  stable/11/contrib/tcpdump/ipproto.c
  stable/11/contrib/tcpdump/ipproto.h
  stable/11/contrib/tcpdump/l2vpn.c
  stable/11/contrib/tcpdump/l2vpn.h
  stable/11/contrib/tcpdump/netdissect-stdinc.h
  stable/11/contrib/tcpdump/netdissect.h
  stable/11/contrib/tcpdump/nlpid.c
  stable/11/contrib/tcpdump/nlpid.h
  stable/11/contrib/tcpdump/oui.c
  stable/11/contrib/tcpdump/oui.h
  stable/11/contrib/tcpdump/print-802_11.c
  stable/11/contrib/tcpdump/print-802_15_4.c
  stable/11/contrib/tcpdump/print-aodv.c
  stable/11/contrib/tcpdump/print-arp.c
  stable/11/contrib/tcpdump/print-atm.c
  stable/11/contrib/tcpdump/print-beep.c
  stable/11/contrib/tcpdump/print-bfd.c
  stable/11/contrib/tcpdump/print-bgp.c
  stable/11/contrib/tcpdump/print-bootp.c
  stable/11/contrib/tcpdump/print-cfm.c
  stable/11/contrib/tcpdump/print-chdlc.c
  stable/11/contrib/tcpdump/print-cnfp.c
  stable/11/contrib/tcpdump/print-decnet.c
  stable/11/contrib/tcpdump/print-dhcp6.c
  stable/11/contrib/tcpdump/print-domain.c
  stable/11/contrib/tcpdump/print-eap.c
  stable/11/contrib/tcpdump/print-eigrp.c
  stable/11/contrib/tcpdump/print-esp.c
  stable/11/contrib/tcpdump/print-ether.c
  stable/11/contrib/tcpdump/print-fr.c
  stable/11/contrib/tcpdump/print-frag6.c
  stable/11/contrib/tcpdump/print-gre.c
  stable/11/contrib/tcpdump/print-hncp.c
  stable/11/contrib/tcpdump/print-icmp.c
  stable/11/contrib/tcpdump/print-icmp6.c
  stable/11/contrib/tcpdump/print-ip.c
  stable/11/contrib/tcpdump/print-ip6.c
  stable/11/contrib/tcpdump/print-ip6opts.c
  stable/11/contrib/tcpdump/print-isakmp.c
  stable/11/contrib/tcpdump/print-isoclns.c
  stable/11/contrib/tcpdump/print-juniper.c
  stable/11/contrib/tcpdump/print-l2tp.c
  stable/11/contrib/tcpdump/print-ldp.c
  stable/11/contrib/tcpdump/print-llc.c
  stable/11/contrib/tcpdump/print-lldp.c
  stable/11/contrib/tcpdump/print-lmp.c
  stable/11/contrib/tcpdump/print-lspping.c
  stable/11/contrib/tcpdump/print-m3ua.c
  stable/11/contrib/tcpdump/print-mobility.c
  stable/11/contrib/tcpdump/print-mpcp.c
  stable/11/contrib/tcpdump/print-mpls.c
  stable/11/contrib/tcpdump/print-mptcp.c
  stable/11/contrib/tcpdump/print-nfs.c
  stable/11/contrib/tcpdump/print-null.c
  stable/11/contrib/tcpdump/print-olsr.c
  stable/11/contrib/tcpdump/print-ospf6.c
  stable/11/contrib/tcpdump/print-pgm.c
  stable/11/contrib/tcpdump/print-pim.c
  stable/11/contrib/tcpdump/print-pktap.c
  stable/11/contrib/tcpdump/print-ppp.c
  stable/11/contrib/tcpdump/print-radius.c
  stable/11/contrib/tcpdump/print-resp.c
  stable/11/contrib/tcpdump/print-ripng.c
  stable/11/contrib/tcpdump/print-rpki-rtr.c
  stable/11/contrib/tcpdump/print-rsvp.c
  stable/11/contrib/tcpdump/print-rt6.c
  stable/11/contrib/tcpdump/print-rx.c
  stable/11/contrib/tcpdump/print-sip.c
  stable/11/contrib/tcpdump/print-sl.c
  stable/11/contrib/tcpdump/print-slow.c
  stable/11/contrib/tcpdump/print-stp.c
  stable/11/contrib/tcpdump/print-syslog.c
  stable/11/contrib/tcpdump/print-telnet.c
  stable/11/contrib/tcpdump/print-tftp.c
  stable/11/contrib/tcpdump/print-vqp.c
  stable/11/contrib/tcpdump/print-vtp.c
  stable/11/contrib/tcpdump/print-wb.c
  stable/11/contrib/tcpdump/print-zephyr.c
  stable/11/contrib/tcpdump/print.c
  stable/11/contrib/tcpdump/signature.c
  stable/11/contrib/tcpdump/signature.h
  stable/11/contrib/tcpdump/smbutil.c
  stable/11/contrib/tcpdump/tcpdump.1.in
  stable/11/contrib/tcpdump/tcpdump.c
  stable/11/contrib/tcpdump/util-print.c
Directory Properties:
  stable/11/   (props changed)

Modified: stable/11/contrib/tcpdump/CHANGES
==============================================================================
--- stable/11/contrib/tcpdump/CHANGES	Wed Dec 27 03:23:58 2017	(r327233)
+++ stable/11/contrib/tcpdump/CHANGES	Wed Dec 27 03:24:24 2017	(r327234)
@@ -1,10 +1,119 @@
+Sunday September 3, 2017 denis@ovsienko.info
+  Summary for 4.9.2 tcpdump release
+    Do not use getprotobynumber() for protocol name resolution.  Do not do
+      any protocol name resolution if -n is specified.
+    Improve errors detection in the test scripts.
+    Fix a segfault with OpenSSL 1.1 and improve OpenSSL usage.
+    Clean up IS-IS printing.
+    Fix buffer overflow vulnerabilities:
+      CVE-2017-11543 (SLIP)
+      CVE-2017-13011 (bittok2str_internal)
+    Fix infinite loop vulnerabilities:
+      CVE-2017-12989 (RESP)
+      CVE-2017-12990 (ISAKMP)
+      CVE-2017-12995 (DNS)
+      CVE-2017-12997 (LLDP)
+    Fix buffer over-read vulnerabilities:
+      CVE-2017-11541 (safeputs)
+      CVE-2017-11542 (PIMv1)
+      CVE-2017-12893 (SMB/CIFS)
+      CVE-2017-12894 (lookup_bytestring)
+      CVE-2017-12895 (ICMP)
+      CVE-2017-12896 (ISAKMP)
+      CVE-2017-12897 (ISO CLNS)
+      CVE-2017-12898 (NFS)
+      CVE-2017-12899 (DECnet)
+      CVE-2017-12900 (tok2strbuf)
+      CVE-2017-12901 (EIGRP)
+      CVE-2017-12902 (Zephyr)
+      CVE-2017-12985 (IPv6)
+      CVE-2017-12986 (IPv6 routing headers)
+      CVE-2017-12987 (IEEE 802.11)
+      CVE-2017-12988 (telnet)
+      CVE-2017-12991 (BGP)
+      CVE-2017-12992 (RIPng)
+      CVE-2017-12993 (Juniper)
+      CVE-2017-11542 (PIMv1)
+      CVE-2017-11541 (safeputs)
+      CVE-2017-12994 (BGP)
+      CVE-2017-12996 (PIMv2)
+      CVE-2017-12998 (ISO IS-IS)
+      CVE-2017-12999 (ISO IS-IS)
+      CVE-2017-13000 (IEEE 802.15.4)
+      CVE-2017-13001 (NFS)
+      CVE-2017-13002 (AODV)
+      CVE-2017-13003 (LMP)
+      CVE-2017-13004 (Juniper)
+      CVE-2017-13005 (NFS)
+      CVE-2017-13006 (L2TP)
+      CVE-2017-13007 (Apple PKTAP)
+      CVE-2017-13008 (IEEE 802.11)
+      CVE-2017-13009 (IPv6 mobility)
+      CVE-2017-13010 (BEEP)
+      CVE-2017-13012 (ICMP)
+      CVE-2017-13013 (ARP)
+      CVE-2017-13014 (White Board)
+      CVE-2017-13015 (EAP)
+      CVE-2017-11543 (SLIP)
+      CVE-2017-13016 (ISO ES-IS)
+      CVE-2017-13017 (DHCPv6)
+      CVE-2017-13018 (PGM)
+      CVE-2017-13019 (PGM)
+      CVE-2017-13020 (VTP)
+      CVE-2017-13021 (ICMPv6)
+      CVE-2017-13022 (IP)
+      CVE-2017-13023 (IPv6 mobility)
+      CVE-2017-13024 (IPv6 mobility)
+      CVE-2017-13025 (IPv6 mobility)
+      CVE-2017-13026 (ISO IS-IS)
+      CVE-2017-13027 (LLDP)
+      CVE-2017-13028 (BOOTP)
+      CVE-2017-13029 (PPP)
+      CVE-2017-13030 (PIM)
+      CVE-2017-13031 (IPv6 fragmentation header)
+      CVE-2017-13032 (RADIUS)
+      CVE-2017-13033 (VTP)
+      CVE-2017-13034 (PGM)
+      CVE-2017-13035 (ISO IS-IS)
+      CVE-2017-13036 (OSPFv3)
+      CVE-2017-13037 (IP)
+      CVE-2017-13038 (PPP)
+      CVE-2017-13039 (ISAKMP)
+      CVE-2017-13040 (MPTCP)
+      CVE-2017-13041 (ICMPv6)
+      CVE-2017-13042 (HNCP)
+      CVE-2017-13043 (BGP)
+      CVE-2017-13044 (HNCP)
+      CVE-2017-13045 (VQP)
+      CVE-2017-13046 (BGP)
+      CVE-2017-13047 (ISO ES-IS)
+      CVE-2017-13048 (RSVP)
+      CVE-2017-13049 (Rx)
+      CVE-2017-13050 (RPKI-Router)
+      CVE-2017-13051 (RSVP)
+      CVE-2017-13052 (CFM)
+      CVE-2017-13053 (BGP)
+      CVE-2017-13054 (LLDP)
+      CVE-2017-13055 (ISO IS-IS)
+      CVE-2017-13687 (Cisco HDLC)
+      CVE-2017-13688 (OLSR)
+      CVE-2017-13689 (IKEv1)
+      CVE-2017-13690 (IKEv2)
+      CVE-2017-13725 (IPv6 routing headers)
+
+Sunday July 23, 2017 denis@ovsienko.info
+  Summary for 4.9.1 tcpdump release
+    CVE-2017-11108/Fix bounds checking for STP.
+    Make assorted documentation updates and fix a few typos in tcpdump output.
+    Fixup -C for file size >2GB (GH #488).
+    Show AddressSanitizer presence in version output.
+    Fix a bug in test scripts (exposed in GH #613).
+    On FreeBSD adjust Capsicum capabilities for netmap.
+    On Linux fix a use-after-free when the requested interface does not exist.
+
 Wednesday January 18, 2017 devel.fx.lebail@orange.fr
   Summary for 4.9.0 tcpdump release
     General updates:
-    Improve separation frontend/backend (tcpdump/libnetdissect)
-    Don't require IPv6 library support in order to support IPv6 addresses
-    Introduce data types to use for integral values in packet structures
-    Fix display of timestamps with -tt, -ttt and -ttttt options
     Fix some heap overflows found with American Fuzzy Lop by Hanno Boeck and others
         (More information in the log with CVE-2016-* and CVE-2017-*)
     Change the way protocols print link-layer addresses (Fix heap overflows
@@ -35,14 +144,6 @@ Wednesday January 18, 2017 devel.fx.lebail@orange.fr
     Don't drop CAP_SYS_CHROOT before chrooting
     Fixes issue where statistics not reported when -G and -W options used
 
-    New printers supporting:
-    Generic Protocol Extension for VXLAN (VXLAN-GPE)
-    Home Networking Control Protocol (HNCP), RFCs 7787 and 7788
-    Locator/Identifier Separation Protocol (LISP), type 3 and type 4 packets
-    Marvell Extended Distributed Switch Architecture header (MEDSA)
-    Network Service Header (NSH)
-    REdis Serialization Protocol (RESP)
-
     Updated printers:
     802.11: Beginnings of 11ac radiotap support
     802.11: Check the Protected bit for management frames
@@ -61,7 +162,6 @@ Wednesday January 18, 2017 devel.fx.lebail@orange.fr
     ATM: Fix an incorrect bounds check
     BFD: Update specification from draft to RFC 5880
     BFD: Update to print optional authentication field
-    BGP: Add decoding of ADD-PATH capability
     BGP: Add support for the AIGP attribute (RFC7311)
     BGP: Print LARGE_COMMUNITY Path Attribute
     BGP: Update BGP numbers from IANA; Print minor values for FSM notification
@@ -78,7 +178,6 @@ Wednesday January 18, 2017 devel.fx.lebail@orange.fr
     DTP: Improve packet integrity checks
     EGP: Fix bounds checks
     ESP: Don't use OpenSSL_add_all_algorithms() in OpenSSL 1.1.0 or later
-    ESP: Handle OpenSSL 1.1.x
     Ethernet: Add some bounds checking before calling isoclns_print (Fix a heap overflow)
     Ethernet: Print the Length/Type field as length when needed
     FDDI: Fix -e output for FDDI
@@ -87,7 +186,6 @@ Wednesday January 18, 2017 devel.fx.lebail@orange.fr
     Geneve: Fix error message with invalid option length; Update list option classes
     HNCP: Fix incorrect time interval format. Fix handling of IPv4 prefixes
     ICMP6: Fetch a 32-bit big-endian quantity with EXTRACT_32BITS()
-    ICMP6: dagid is always an IPv6 address, not an opaque 128-bit string
     IGMP: Add a length check
     IP: Add a bounds check (Fix a heap overflow)
     IP: Check before fetching the protocol version (Fix a heap overflow)
@@ -115,7 +213,6 @@ Wednesday January 18, 2017 devel.fx.lebail@orange.fr
     MPLS LSP ping: Update printing for RFC 4379, bug fixes, more bounds checks
     MPLS: "length" is now the *remaining* packet length
     MPLS: Add bounds and length checks (Fix a heap overflow)
-    NFS: Add a test that makes unaligned accesses
     NFS: Don't assume the ONC RPC header is nicely aligned
     NFS: Don't overflow the Opaque_Handle buffer (Fix a segmentation fault)
     NFS: Don't run past the end of an NFSv3 file handle
@@ -130,7 +227,6 @@ Wednesday January 18, 2017 devel.fx.lebail@orange.fr
     PGM: Print the formatted IP address, not the raw binary address, as a string
     PIM: Add some bounds checking (Fix a heap overflow)
     PIMv2: Fix checksumming of Register messages
-    PPI: Pass an adjusted struct pcap_pkthdr to the sub-printer
     PPP: Add some bounds checks (Fix a heap overflow)
     PPP: Report invalid PAP AACK/ANAK packets
     Q.933: Add a missing bounds check
@@ -171,16 +267,46 @@ Wednesday January 18, 2017 devel.fx.lebail@orange.fr
     UDLD: Fix an infinite loop
     UDP: Add a bounds check (Fix a heap overflow)
     UDP: Check against the packet length first
-    UDP: Don't do the DDP-over-UDP heuristic check up front
     VAT: Add some bounds checks
     VTP: Add a test on Mgmt Domain Name length
     VTP: Add bounds checks and filter out non-printable characters
     VXLAN: Add a bound check and a test case
     ZeroMQ: Fix an infinite loop
 
-Tuesday April 14, 2015 guy@alum.mit.edu
-  Summary for 4.8.0 tcpdump release
+Tuesday October 25, 2016 mcr@sandelman.ca
+  Summary for 4.8.1 tcpdump release
 	Fix "-x" for Apple PKTAP and PPI packets
+        Improve separation frontend/backend (tcpdump/libnetdissect)
+        Fix display of timestamps with -tt, -ttt and -ttttt options
+        Add support for the Marvell Extended Distributed Switch Architecture header
+        Use PRIx64 to print a 64-bit number in hex.
+        Printer for HNCP (RFCs 7787 and 7788).
+        dagid is always an IPv6 address, not an opaque 128-bit string, and other fixes to RPL printer.
+        RSVP: Add bounds and length checks
+        OSPF: Do more bounds checking
+        Handle OpenSSL 1.1.x.
+        Initial support for the REdis Serialization Protocol known as RESP.
+        Add printing function for Generic Protocol Extension for VXLAN
+            draft-ietf-nvo3-vxlan-gpe-01
+        Network Service Header: draft-ietf-sfc-nsh-01
+        Don't recompile the filter if the new file has the same DLT.
+        Pass an adjusted struct pcap_pkthdr to the sub-printer.
+        Add three test cases for already fixed CVEs
+           CVE-2014-8767: OLSR
+           CVE-2014-8768: Geonet
+           CVE-2014-8769: AODV
+        Don't do the DDP-over-UDP heuristic first: GitHub issue #499.
+        Use the new debugging routines in libpcap.
+        Harmonize TCP source or destination ports tests with UDP ones
+        Introduce data types to use for integral values in packet structures.
+        RSVP: Fix an infinite loop
+        Support of Type 3 and Type 4 LISP packets.
+        Don't require IPv6 library support in order to support IPv6 addresses.
+        Many many changes to support libnetdissect usage.
+        Add a test that makes unaligned accesses: GitHub issue #478.
+        add a DNSSEC test case: GH #445 and GH #467.
+        BGP: add decoding of ADD-PATH capability
+        fixes to LLC header printing, and RFC948-style IP packets
 
 Friday April 10, 2015 guy@alum.mit.edu
   Summary for 4.7.4 tcpdump release

Modified: stable/11/contrib/tcpdump/CONTRIBUTING
==============================================================================
--- stable/11/contrib/tcpdump/CONTRIBUTING	Wed Dec 27 03:23:58 2017	(r327233)
+++ stable/11/contrib/tcpdump/CONTRIBUTING	Wed Dec 27 03:24:24 2017	(r327234)
@@ -3,6 +3,44 @@ Some Information for Contributors
 You want to contribute to Tcpdump, Thanks!
 Please, read these lines.
 
+
+How to report bugs and other problems
+-------------------------------------
+To report a security issue (segfault, buffer overflow, infinite loop, arbitrary
+code execution etc) please send an e-mail to security@tcpdump.org, do not use
+the bug tracker!
+
+To report a non-security problem (failure to compile, incorrect output in the
+protocol printout, missing support for a particular protocol etc) please check
+first that it reproduces with the latest stable release of tcpdump and the latest
+stable release of libpcap. If it does, please check that the problem reproduces
+with the current git master branch of tcpdump and the current git master branch of
+libpcap. If it does (and it is not a security-related problem, otherwise see
+above), please navigate to https://github.com/the-tcpdump-group/tcpdump/issues
+and check if the problem has already been reported. If it has not, please open
+a new issue and provide the following details:
+
+* tcpdump and libpcap version (tcpdump --version)
+* operating system name and version and any other details that may be relevant
+  (uname -a, compiler name and version, CPU type etc.)
+* configure flags if any were used
+* statement of the problem
+* steps to reproduce
+
+Please note that if you know exactly how to solve the problem and the solution
+would not be too intrusive, it would be best to contribute some development time
+and open a pull request instead as discussed below.
+
+Still not sure how to do? Feel free to [subscribe](http://www.tcpdump.org/#mailing-lists)
+to the mailing list tcpdump-workers@lists.tcpdump.org and ask!
+
+
+How to add new code and to update existing code
+-----------------------------------------------
+
+0) Check that there isn't a pull request already opened for the changes you
+   intend to make.
+
 1) Fork the Tcpdump repository on GitHub from
    https://github.com/the-tcpdump-group/tcpdump
    (See https://help.github.com/articles/fork-a-repo/)
@@ -12,8 +50,11 @@ Please, read these lines.
    on Linux and OSX before sending pull requests.
    (See http://docs.travis-ci.com/user/getting-started/)
 
-3) Clone your repository
+3) Setup your git working copy
    git clone https://github.com/<username>/tcpdump.git
+   cd tcpdump
+   git remote add upstream https://github.com/the-tcpdump-group/tcpdump
+   git fetch upstream
 
 4) Do a 'touch .devel' in your working directory.
    Currently, the effect is
@@ -47,19 +88,26 @@ Please, read these lines.
 7) Test with 'make check'
    Don't send a pull request if 'make check' gives failed tests.
 
-8) Rebase your commits against upstream/master
-   (To keep linearity)
+8) Try to rebase your commits to keep the history simple.
+   git rebase upstream/master
+   (If the rebase fails and you cannot resolve, issue "git rebase --abort"
+   and ask for help in the pull request comment.)
 
-9) Initiate and send a pull request
+9) Once 100% happy, put your work into your forked repository.
+   git push
+
+10) Initiate and send a pull request
    (See https://help.github.com/articles/using-pull-requests/)
 
-Some remarks
-------------
+
+Code style and generic remarks
+------------------------------
 a) A thorough reading of some other printers code is useful.
 
 b) Put the normative reference if any as comments (RFC, etc.).
 
-c) Put the format of packets/headers/options as comments.
+c) Put the format of packets/headers/options as comments if there is no
+   published normative reference.
 
 d) The printer may receive incomplete packet in the buffer, truncated at any
    random position, for example by capturing with '-s size' option.

Modified: stable/11/contrib/tcpdump/CREDITS
==============================================================================
--- stable/11/contrib/tcpdump/CREDITS	Wed Dec 27 03:23:58 2017	(r327233)
+++ stable/11/contrib/tcpdump/CREDITS	Wed Dec 27 03:24:24 2017	(r327234)
@@ -5,7 +5,7 @@ The current maintainers:
     Denis Ovsienko                <denis at ovsienko dot info>
     Fulvio Risso                  <risso at polito dot it>
     Guy Harris                    <guy at alum dot mit dot edu>
-    Hannes Gredler                <hannes at juniper dot net>
+    Hannes Gredler                <hannes at gredler dot at>
     Michael Richardson            <mcr at sandelman dot ottawa dot on dot ca>
     Francois-Xavier Le Bail       <fx dot lebail at yahoo dot com>
 
@@ -39,6 +39,7 @@ Additional people who have contributed patches:
     Bjoern A. Zeeb                <bzeeb at Zabbadoz dot NeT>
     Bram                          <tcpdump at mail dot wizbit dot be>
     Brent L. Bates                <blbates at vigyan dot com>
+    Brian Carpenter               <brian dot carpenter at gmail dot com>
     Brian Ginsbach                <ginsbach at cray dot com>
     Bruce M. Simpson              <bms at spc dot org>
     Carles Kishimoto Bisbe        <ckishimo at ac dot upc dot es>
@@ -54,6 +55,7 @@ Additional people who have contributed patches:
     Craig Rodrigues               <rodrigc at mediaone dot net>
     Crist J. Clark                <cjclark at alum dot mit dot edu>
     Daniel Hagerty                <hag at ai dot mit dot edu>
+    Daniel Lee                    <Longinus00 at gmail dot com>
     Darren Reed                   <darrenr at reed dot wattle dot id dot au>
     David Binderman               <d dot binderman at virgin dot net>
     David Horn                    <dhorn2000 at gmail dot com>
@@ -85,6 +87,7 @@ Additional people who have contributed patches:
     Greg Stark                    <gsstark at mit dot edu>
     Hank Leininger                <tcpdump-workers at progressive-comp dot com>
     Hannes Viertel                <hviertel at juniper dot net>
+    Hanno Böck                    <hanno at hboeck dot de>
     Harry Raaymakers              <harryr at connect dot com dot au>
     Heinz-Ado Arnolds             <Ado dot Arnolds at dhm-systems dot de>
     Hendrik Scholz                <hendrik at scholz dot net>
@@ -111,6 +114,7 @@ Additional people who have contributed patches:
     Juliusz Chroboczek            <jch at pps dot jussieu dot fr>
     Kaarthik Sivakumar            <kaarthik at torrentnet dot com>
     Kaladhar Musunuru             <kaladharm at sourceforge dot net>
+    Kamil Frankowicz              <kontakt at frankowicz dot me>
     Karl Norby                    <karl-norby at sourceforge dot net>
     Kazushi Sugyo                 <sugyo at pb dot jp dot nec dot com>
     Kelly Carmichael              <kcarmich at ipapp dot com>
@@ -123,7 +127,6 @@ Additional people who have contributed patches:
     Larry Lile                    <lile at stdio dot com>
     Lennert Buytenhek             <buytenh at gnu dot org>
     Loganaden Velvindron          <logan at elandsys dot com>
-    Daniel Lee                    <Longinus00 at gmail dot com>
     Loris Degioanni               <loris at netgroup-serv dot polito dot it>
     Love Hörnquist-Åstrand        <lha at stacken dot kth dot se>
     Lucas C. Villa Real           <lucasvr at us dot ibm dot com>
@@ -166,6 +169,7 @@ Additional people who have contributed patches:
     Paolo Abeni                   <paolo dot abeni at email dot it>
     Pascal Hennequin              <pascal dot hennequin at int-evry dot fr>
     Pasvorn Boonmark              <boonmark at juniper dot net>
+    Patrik Lundquist              <patrik dot lundquist at gmail dot com>
     Paul Ferrell                  <pflarr at sourceforge dot net>
     Paul Mundt                    <lethal at linux-sh dot org>
     Paul S. Traina                <pst at freebsd dot org>

Modified: stable/11/contrib/tcpdump/INSTALL.txt
==============================================================================
--- stable/11/contrib/tcpdump/INSTALL.txt	Wed Dec 27 03:23:58 2017	(r327233)
+++ stable/11/contrib/tcpdump/INSTALL.txt	Wed Dec 27 03:24:24 2017	(r327234)
@@ -37,6 +37,7 @@ Please see "PLATFORMS" for notes about tested platform
 FILES
 -----
 CHANGES		- description of differences between releases
+CONTRIBUTING	- guidelines for contributing
 CREDITS		- people that have helped tcpdump along
 INSTALL.txt	- this file
 LICENSE		- the license under which tcpdump is distributed

Modified: stable/11/contrib/tcpdump/Makefile.in
==============================================================================
--- stable/11/contrib/tcpdump/Makefile.in	Wed Dec 27 03:23:58 2017	(r327233)
+++ stable/11/contrib/tcpdump/Makefile.in	Wed Dec 27 03:24:24 2017	(r327234)
@@ -263,6 +263,7 @@ HDR = \
 	ether.h \
 	ethertype.h \
 	extract.h \
+	funcattrs.h \
 	getopt_long.h \
 	gmpls.h \
 	gmt2local.h \

Modified: stable/11/contrib/tcpdump/PLATFORMS
==============================================================================
--- stable/11/contrib/tcpdump/PLATFORMS	Wed Dec 27 03:23:58 2017	(r327233)
+++ stable/11/contrib/tcpdump/PLATFORMS	Wed Dec 27 03:24:24 2017	(r327234)
@@ -1,9 +1,16 @@
-== Tested platforms ==
-NetBSD 		  5.1/i386	(mcr - 2012/4/1)
-Debian Linux (squeeze/i386)	(mcr - 2012/4/1)
+In many operating systems tcpdump is available as a native package or port,
+which simplifies installation of updates and long-term maintenance. However,
+the native packages are sometimes a few versions behind and to try a more
+recent snapshot it will take to compile tcpdump from the source code.
 
----
-RedHat Linux 	6.1/i386	(assar)
-FreeBSD		2.2.8/i386	(itojun)
+tcpdump compiles and works on at least the following platforms:
 
-
+* AIX
+* FreeBSD
+* HP-UX 11i
+* Linux (any) with glibc (usually just works)
+* Linux (any) with musl libc (sometimes fails to compile, please report any bugs)
+* Mac OS X / macOS
+* NetBSD
+* OpenWrt
+* Solaris

Modified: stable/11/contrib/tcpdump/README.md
==============================================================================
--- stable/11/contrib/tcpdump/README.md	Wed Dec 27 03:23:58 2017	(r327233)
+++ stable/11/contrib/tcpdump/README.md	Wed Dec 27 03:24:24 2017	(r327234)
@@ -3,25 +3,21 @@
 [![Build
 Status](https://travis-ci.org/the-tcpdump-group/tcpdump.png)](https://travis-ci.org/the-tcpdump-group/tcpdump)
 
-TCPDUMP 4.x.y  
-Now maintained by "The Tcpdump Group"  
-See 		www.tcpdump.org  
+To report a security issue please send an e-mail to security@tcpdump.org.
 
-Please send inquiries/comments/reports to:
+To report bugs and other problems, contribute patches, request a
+feature, provide generic feedback etc please see the file
+CONTRIBUTING in the tcpdump source tree root.
 
-* tcpdump-workers@lists.tcpdump.org
+TCPDUMP 4.x.y
+Now maintained by "The Tcpdump Group"
+See 		www.tcpdump.org
 
 Anonymous Git is available via:
 
 	git clone git://bpf.tcpdump.org/tcpdump
 
-Please submit patches by forking the branch on GitHub at:
-
-*	http://github.com/the-tcpdump-group/tcpdump/tree/master
-
-and issuing a pull request.
-
-formerly from 	Lawrence Berkeley National Laboratory  
+formerly from 	Lawrence Berkeley National Laboratory
 		Network Research Group <tcpdump@ee.lbl.gov>  
 		ftp://ftp.ee.lbl.gov/old/tcpdump.tar.Z (3.4)
 
@@ -70,20 +66,6 @@ Another tool that tcpdump users might find useful is t
 It is a program that can be used to extract portions of tcpdump binary
 trace files. See the above distribution for further details and
 documentation.
-
-Problems, bugs, questions, desirable enhancements, etc. should be sent
-to the address "tcpdump-workers@lists.tcpdump.org".  Bugs, support
-requests, and feature requests may also be submitted on the GitHub issue
-tracker for tcpdump at:
-
-* https://github.com/the-tcpdump-group/tcpdump/issues
-
-Source code contributions, etc. should be sent to the email address
-above or submitted by forking the branch on GitHub at:
-
-* http://github.com/the-tcpdump-group/tcpdump/tree/master
-
-and issuing a pull request.
 
 Current versions can be found at www.tcpdump.org.
 

Modified: stable/11/contrib/tcpdump/VERSION
==============================================================================
--- stable/11/contrib/tcpdump/VERSION	Wed Dec 27 03:23:58 2017	(r327233)
+++ stable/11/contrib/tcpdump/VERSION	Wed Dec 27 03:24:24 2017	(r327234)
@@ -1 +1 @@
-4.9.0
+4.9.2

Modified: stable/11/contrib/tcpdump/addrtoname.c
==============================================================================
--- stable/11/contrib/tcpdump/addrtoname.c	Wed Dec 27 03:23:58 2017	(r327233)
+++ stable/11/contrib/tcpdump/addrtoname.c	Wed Dec 27 03:24:24 2017	(r327234)
@@ -150,14 +150,24 @@ struct enamemem {
 	u_short e_addr2;
 	const char *e_name;
 	u_char *e_nsap;			/* used only for nsaptable[] */
-#define e_bs e_nsap			/* for bytestringtable */
 	struct enamemem *e_nxt;
 };
 
 static struct enamemem enametable[HASHNAMESIZE];
 static struct enamemem nsaptable[HASHNAMESIZE];
-static struct enamemem bytestringtable[HASHNAMESIZE];
 
+struct bsnamemem {
+	u_short bs_addr0;
+	u_short bs_addr1;
+	u_short bs_addr2;
+	const char *bs_name;
+	u_char *bs_bytes;
+	unsigned int bs_nbytes;
+	struct bsnamemem *bs_nxt;
+};
+
+static struct bsnamemem bytestringtable[HASHNAMESIZE];
+
 struct protoidmem {
 	uint32_t p_oui;
 	u_short p_proto;
@@ -342,7 +352,7 @@ getname6(netdissect_options *ndo, const u_char *ap)
 	return (p->name);
 }
 
-static const char hex[] = "0123456789abcdef";
+static const char hex[16] = "0123456789abcdef";
 
 
 /* Find the hash node that corresponds the ether address 'ep' */
@@ -380,11 +390,11 @@ lookup_emem(netdissect_options *ndo, const u_char *ep)
  * with length 'nlen'
  */
 
-static inline struct enamemem *
+static inline struct bsnamemem *
 lookup_bytestring(netdissect_options *ndo, register const u_char *bs,
 		  const unsigned int nlen)
 {
-	struct enamemem *tp;
+	struct bsnamemem *tp;
 	register u_int i, j, k;
 
 	if (nlen >= 6) {
@@ -399,26 +409,28 @@ lookup_bytestring(netdissect_options *ndo, register co
 		i = j = k = 0;
 
 	tp = &bytestringtable[(i ^ j) & (HASHNAMESIZE-1)];
-	while (tp->e_nxt)
-		if (tp->e_addr0 == i &&
-		    tp->e_addr1 == j &&
-		    tp->e_addr2 == k &&
-		    memcmp((const char *)bs, (const char *)(tp->e_bs), nlen) == 0)
+	while (tp->bs_nxt)
+		if (nlen == tp->bs_nbytes &&
+		    tp->bs_addr0 == i &&
+		    tp->bs_addr1 == j &&
+		    tp->bs_addr2 == k &&
+		    memcmp((const char *)bs, (const char *)(tp->bs_bytes), nlen) == 0)
 			return tp;
 		else
-			tp = tp->e_nxt;
+			tp = tp->bs_nxt;
 
-	tp->e_addr0 = i;
-	tp->e_addr1 = j;
-	tp->e_addr2 = k;
+	tp->bs_addr0 = i;
+	tp->bs_addr1 = j;
+	tp->bs_addr2 = k;
 
-	tp->e_bs = (u_char *) calloc(1, nlen + 1);
-	if (tp->e_bs == NULL)
+	tp->bs_bytes = (u_char *) calloc(1, nlen);
+	if (tp->bs_bytes == NULL)
 		(*ndo->ndo_error)(ndo, "lookup_bytestring: calloc");
 
-	memcpy(tp->e_bs, bs, nlen);
-	tp->e_nxt = (struct enamemem *)calloc(1, sizeof(*tp));
-	if (tp->e_nxt == NULL)
+	memcpy(tp->bs_bytes, bs, nlen);
+	tp->bs_nbytes = nlen;
+	tp->bs_nxt = (struct bsnamemem *)calloc(1, sizeof(*tp));
+	if (tp->bs_nxt == NULL)
 		(*ndo->ndo_error)(ndo, "lookup_bytestring: calloc");
 
 	return tp;
@@ -445,11 +457,11 @@ lookup_nsap(netdissect_options *ndo, register const u_
 
 	tp = &nsaptable[(i ^ j) & (HASHNAMESIZE-1)];
 	while (tp->e_nxt)
-		if (tp->e_addr0 == i &&
+		if (nsap_length == tp->e_nsap[0] &&
+		    tp->e_addr0 == i &&
 		    tp->e_addr1 == j &&
 		    tp->e_addr2 == k &&
-		    tp->e_nsap[0] == nsap_length &&
-		    memcmp((const char *)&(nsap[1]),
+		    memcmp((const char *)nsap,
 			(char *)&(tp->e_nsap[1]), nsap_length) == 0)
 			return tp;
 		else
@@ -549,12 +561,12 @@ le64addr_string(netdissect_options *ndo, const u_char 
 	const unsigned int len = 8;
 	register u_int i;
 	register char *cp;
-	register struct enamemem *tp;
+	register struct bsnamemem *tp;
 	char buf[BUFSIZE];
 
 	tp = lookup_bytestring(ndo, ep, len);
-	if (tp->e_name)
-		return (tp->e_name);
+	if (tp->bs_name)
+		return (tp->bs_name);
 
 	cp = buf;
 	for (i = len; i > 0 ; --i) {
@@ -566,11 +578,11 @@ le64addr_string(netdissect_options *ndo, const u_char 
 
 	*cp = '\0';
 
-	tp->e_name = strdup(buf);
-	if (tp->e_name == NULL)
+	tp->bs_name = strdup(buf);
+	if (tp->bs_name == NULL)
 		(*ndo->ndo_error)(ndo, "le64addr_string: strdup(buf)");
 
-	return (tp->e_name);
+	return (tp->bs_name);
 }
 
 const char *
@@ -579,7 +591,7 @@ linkaddr_string(netdissect_options *ndo, const u_char 
 {
 	register u_int i;
 	register char *cp;
-	register struct enamemem *tp;
+	register struct bsnamemem *tp;
 
 	if (len == 0)
 		return ("<empty>");
@@ -591,11 +603,11 @@ linkaddr_string(netdissect_options *ndo, const u_char 
 		return (q922_string(ndo, ep, len));
 
 	tp = lookup_bytestring(ndo, ep, len);
-	if (tp->e_name)
-		return (tp->e_name);
+	if (tp->bs_name)
+		return (tp->bs_name);
 
-	tp->e_name = cp = (char *)malloc(len*3);
-	if (tp->e_name == NULL)
+	tp->bs_name = cp = (char *)malloc(len*3);
+	if (tp->bs_name == NULL)
 		(*ndo->ndo_error)(ndo, "linkaddr_string: malloc");
 	*cp++ = hex[*ep >> 4];
 	*cp++ = hex[*ep++ & 0xf];
@@ -605,7 +617,7 @@ linkaddr_string(netdissect_options *ndo, const u_char 
 		*cp++ = hex[*ep++ & 0xf];
 	}
 	*cp = '\0';
-	return (tp->e_name);
+	return (tp->bs_name);
 }
 
 const char *

Modified: stable/11/contrib/tcpdump/addrtoname.h
==============================================================================
--- stable/11/contrib/tcpdump/addrtoname.h	Wed Dec 27 03:23:58 2017	(r327233)
+++ stable/11/contrib/tcpdump/addrtoname.h	Wed Dec 27 03:24:24 2017	(r327234)
@@ -33,7 +33,8 @@ enum {
     LINKADDR_ETHER,
     LINKADDR_FRELAY,
     LINKADDR_IEEE1394,
-    LINKADDR_ATM
+    LINKADDR_ATM,
+    LINKADDR_OTHER
 };
 
 #define BUFSIZE 128

Modified: stable/11/contrib/tcpdump/addrtostr.c
==============================================================================
--- stable/11/contrib/tcpdump/addrtostr.c	Wed Dec 27 03:23:58 2017	(r327233)
+++ stable/11/contrib/tcpdump/addrtostr.c	Wed Dec 27 03:24:24 2017	(r327234)
@@ -110,25 +110,24 @@ addrtostr6 (const void *src, char *dst, size_t size)
   size_t space_left, added_space;
   int snprintfed;
   struct {
-    long base;
-    long len;
+    int base;
+    int len;
   } best, cur;
-  u_long words [IN6ADDRSZ / INT16SZ];
+  uint16_t words [IN6ADDRSZ / INT16SZ];
   int  i;
 
   /* Preprocess:
    *  Copy the input (bytewise) array into a wordwise array.
    *  Find the longest run of 0x00's in src[] for :: shorthanding.
    */
-  memset (words, 0, sizeof(words));
-  for (i = 0; i < IN6ADDRSZ; i++)
-      words[i/2] |= (srcaddr[i] << ((1 - (i % 2)) << 3));
+  for (i = 0; i < (IN6ADDRSZ / INT16SZ); i++)
+      words[i] = (srcaddr[2*i] << 8) | srcaddr[2*i + 1];
 
   best.len = 0;
   best.base = -1;
   cur.len = 0;
   cur.base  = -1;
-  for (i = 0; i < (IN6ADDRSZ / INT16SZ); i++)
+  for (i = 0; i < (int)(IN6ADDRSZ / INT16SZ); i++)
   {
     if (words[i] == 0)
     {
@@ -161,7 +160,7 @@ addrtostr6 (const void *src, char *dst, size_t size)
         *dp++ = c; \
         space_left--; \
     }
-  for (i = 0; i < (IN6ADDRSZ / INT16SZ); i++)
+  for (i = 0; i < (int)(IN6ADDRSZ / INT16SZ); i++)
   {
     /* Are we inside the best run of 0x00's?
      */
@@ -192,7 +191,7 @@ addrtostr6 (const void *src, char *dst, size_t size)
       space_left -= added_space;
       break;
     }
-    snprintfed = snprintf (dp, space_left, "%lx", words[i]);
+    snprintfed = snprintf (dp, space_left, "%x", words[i]);
     if (snprintfed < 0)
         return (NULL);
     if ((size_t) snprintfed >= space_left)

Modified: stable/11/contrib/tcpdump/af.c
==============================================================================
--- stable/11/contrib/tcpdump/af.c	Wed Dec 27 03:23:58 2017	(r327233)
+++ stable/11/contrib/tcpdump/af.c	Wed Dec 27 03:24:24 2017	(r327234)
@@ -12,7 +12,7 @@
  * LIMITATION, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
  * FOR A PARTICULAR PURPOSE.
  *
- * Original code by Hannes Gredler (hannes@juniper.net)
+ * Original code by Hannes Gredler (hannes@gredler.at)
  */
 
 #ifdef HAVE_CONFIG_H

Modified: stable/11/contrib/tcpdump/af.h
==============================================================================
--- stable/11/contrib/tcpdump/af.h	Wed Dec 27 03:23:58 2017	(r327233)
+++ stable/11/contrib/tcpdump/af.h	Wed Dec 27 03:24:24 2017	(r327234)
@@ -12,7 +12,7 @@
  * LIMITATION, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
  * FOR A PARTICULAR PURPOSE.
  *
- * Original code by Hannes Gredler (hannes@juniper.net)
+ * Original code by Hannes Gredler (hannes@gredler.at)
  */
 
 extern const struct tok af_values[];

Modified: stable/11/contrib/tcpdump/checksum.c
==============================================================================
--- stable/11/contrib/tcpdump/checksum.c	Wed Dec 27 03:23:58 2017	(r327233)
+++ stable/11/contrib/tcpdump/checksum.c	Wed Dec 27 03:24:24 2017	(r327234)
@@ -14,7 +14,7 @@
  *
  * miscellaneous checksumming routines
  *
- * Original code by Hannes Gredler (hannes@juniper.net)
+ * Original code by Hannes Gredler (hannes@gredler.at)
  */
 
 #ifdef HAVE_CONFIG_H

Modified: stable/11/contrib/tcpdump/config.h.in
==============================================================================
--- stable/11/contrib/tcpdump/config.h.in	Wed Dec 27 03:23:58 2017	(r327233)
+++ stable/11/contrib/tcpdump/config.h.in	Wed Dec 27 03:24:24 2017	(r327234)
@@ -34,6 +34,9 @@
 /* Define to 1 if you have the `ether_ntohost' function. */
 #undef HAVE_ETHER_NTOHOST
 
+/* Define to 1 if you have the `EVP_CipherInit_ex' function. */
+#undef HAVE_EVP_CIPHERINIT_EX
+
 /* Define to 1 if you have the `EVP_CIPHER_CTX_new' function. */
 #undef HAVE_EVP_CIPHER_CTX_NEW
 

Modified: stable/11/contrib/tcpdump/configure
==============================================================================
--- stable/11/contrib/tcpdump/configure	Wed Dec 27 03:23:58 2017	(r327233)
+++ stable/11/contrib/tcpdump/configure	Wed Dec 27 03:24:24 2017	(r327234)
@@ -5801,7 +5801,7 @@ if test "x$ac_cv_func_pcap_loop" = xyes; then :
 
 else
 
-	    as_fn_error $? "Report this to tcpdump-workers@lists.tcpdump.org, and include the
+	    as_fn_error $? "This is a bug, please follow the guidelines in CONTRIBUTING and include the
 config.log file in your report.  If you have downloaded libpcap from
 tcpdump.org, and built it yourself, please also include the config.log
 file from the libpcap source directory, the Makefile from the libpcap
@@ -8116,17 +8116,32 @@ fi
 done
 
 			#
-			# OK, do we have EVP_CIPHER_CTX_new?
+			# OK, then:
+			#
+			# 1) do we have EVP_CIPHER_CTX_new?
 			# If so, we use it to allocate an
 			# EVP_CIPHER_CTX, as EVP_CIPHER_CTX may be
 			# opaque; otherwise, we allocate it ourselves.
 			#
-			for ac_func in EVP_CIPHER_CTX_new
+			# 2) do we have EVP_CipherInit_ex()?
+			# If so, we use it, because we need to be
+			# able to make two "initialize the cipher"
+			# calls, one with the cipher and key, and
+			# one with the IV, and, as of OpenSSL 1.1,
+			# You Can't Do That with EVP_CipherInit(),
+			# because a call to EVP_CipherInit() will
+			# unconditionally clear the context, and
+			# if you don't supply a cipher, it'll
+			# clear the cipher, rendering the context
+			# unusable and causing a crash.
+			#
+			for ac_func in EVP_CIPHER_CTX_new EVP_CipherInit_ex
 do :
-  ac_fn_c_check_func "$LINENO" "EVP_CIPHER_CTX_new" "ac_cv_func_EVP_CIPHER_CTX_new"
-if test "x$ac_cv_func_EVP_CIPHER_CTX_new" = xyes; then :
+  as_ac_var=`$as_echo "ac_cv_func_$ac_func" | $as_tr_sh`
+ac_fn_c_check_func "$LINENO" "$ac_func" "$as_ac_var"
+if eval test \"x\$"$as_ac_var"\" = x"yes"; then :
   cat >>confdefs.h <<_ACEOF
-#define HAVE_EVP_CIPHER_CTX_NEW 1
+#define `$as_echo "HAVE_$ac_func" | $as_tr_cpp` 1
 _ACEOF
 
 fi

Modified: stable/11/contrib/tcpdump/configure.in
==============================================================================
--- stable/11/contrib/tcpdump/configure.in	Wed Dec 27 03:23:58 2017	(r327233)
+++ stable/11/contrib/tcpdump/configure.in	Wed Dec 27 03:24:24 2017	(r327234)
@@ -935,12 +935,26 @@ if test "$want_libcrypto" != "no"; then
 		if test "$ac_cv_lib_crypto_DES_cbc_encrypt" = "yes"; then
 			AC_CHECK_HEADERS(openssl/evp.h)
 			#
-			# OK, do we have EVP_CIPHER_CTX_new?
+			# OK, then:
+			#
+			# 1) do we have EVP_CIPHER_CTX_new?
 			# If so, we use it to allocate an
 			# EVP_CIPHER_CTX, as EVP_CIPHER_CTX may be
 			# opaque; otherwise, we allocate it ourselves.
 			#
-			AC_CHECK_FUNCS(EVP_CIPHER_CTX_new)
+			# 2) do we have EVP_CipherInit_ex()?
+			# If so, we use it, because we need to be
+			# able to make two "initialize the cipher"
+			# calls, one with the cipher and key, and
+			# one with the IV, and, as of OpenSSL 1.1,
+			# You Can't Do That with EVP_CipherInit(),
+			# because a call to EVP_CipherInit() will
+			# unconditionally clear the context, and
+			# if you don't supply a cipher, it'll
+			# clear the cipher, rendering the context
+			# unusable and causing a crash.
+			#
+			AC_CHECK_FUNCS(EVP_CIPHER_CTX_new EVP_CipherInit_ex)
 		fi
 	])
 fi

Modified: stable/11/contrib/tcpdump/extract.h
==============================================================================
--- stable/11/contrib/tcpdump/extract.h	Wed Dec 27 03:23:58 2017	(r327233)
+++ stable/11/contrib/tcpdump/extract.h	Wed Dec 27 03:24:24 2017	(r327234)
@@ -20,8 +20,48 @@
  */
 
 /*
- * Macros to extract possibly-unaligned big-endian integral values.
+ * For 8-bit values; provided for the sake of completeness.  Byte order
+ * isn't relevant, and alignment isn't an issue.
  */
+#define EXTRACT_8BITS(p)	(*(p))
+#define EXTRACT_LE_8BITS(p)	(*(p))
+
+/*
+ * Inline functions or macros to extract possibly-unaligned big-endian
+ * integral values.
+ */
+#include "funcattrs.h"
+
+/*
+ * If we have versions of GCC or Clang that support an __attribute__
+ * to say "if we're building with unsigned behavior sanitization,
+ * don't complain about undefined behavior in this function", we
+ * label these functions with that attribute - we *know* it's undefined
+ * in the C standard, but we *also* know it does what we want with
+ * the ISA we're targeting and the compiler we're using.
+ *
+ * For GCC 4.9.0 and later, we use __attribute__((no_sanitize_undefined));
+ * pre-5.0 GCC doesn't have __has_attribute, and I'm not sure whether
+ * GCC or Clang first had __attribute__((no_sanitize(XXX)).
+ *
+ * For Clang, we check for __attribute__((no_sanitize(XXX)) with
+ * __has_attribute, as there are versions of Clang that support
+ * __attribute__((no_sanitize("undefined")) but don't support
+ * __attribute__((no_sanitize_undefined)).
+ *
+ * We define this here, rather than in funcattrs.h, because we
+ * only want it used here, we don't want it to be broadly used.
+ * (Any printer will get this defined, but this should at least
+ * make it harder for people to find.)
+ */
+#if defined(__GNUC__) && ((__GNUC__ * 100 + __GNUC_MINOR__) >= 409)
+#define UNALIGNED_OK	__attribute__((no_sanitize_undefined))
+#elif __has_attribute(no_sanitize)
+#define UNALIGNED_OK	__attribute__((no_sanitize("undefined")))
+#else
+#define UNALIGNED_OK
+#endif
+
 #ifdef LBL_ALIGN
 /*
  * The processor doesn't natively handle unaligned loads.
@@ -31,7 +71,7 @@
      defined(__mips) || defined(__mips__))
 
 /*
- * This is a GCC-compatible compiler and we have __attribute__, which
+* This is a GCC-compatible compiler and we have __attribute__, which
  * we assume that mean we have __attribute__((packed)), and this is
  * MIPS or Alpha, which has instructions that can help when doing
  * unaligned loads.
@@ -88,19 +128,19 @@ typedef struct {
 	uint32_t	val;
 } __attribute__((packed)) unaligned_uint32_t;
 
-static inline uint16_t
+UNALIGNED_OK static inline uint16_t
 EXTRACT_16BITS(const void *p)
 {
 	return ((uint16_t)ntohs(((const unaligned_uint16_t *)(p))->val));
 }
 
-static inline uint32_t
+UNALIGNED_OK static inline uint32_t
 EXTRACT_32BITS(const void *p)
 {
 	return ((uint32_t)ntohl(((const unaligned_uint32_t *)(p))->val));
 }
 
-static inline uint64_t
+UNALIGNED_OK static inline uint64_t
 EXTRACT_64BITS(const void *p)
 {
 	return ((uint64_t)(((uint64_t)ntohl(((const unaligned_uint32_t *)(p) + 0)->val)) << 32 |
@@ -138,19 +178,19 @@ EXTRACT_64BITS(const void *p)
  * The processor natively handles unaligned loads, so we can just
  * cast the pointer and fetch through it.
  */
-static inline uint16_t
+static inline uint16_t UNALIGNED_OK
 EXTRACT_16BITS(const void *p)
 {
 	return ((uint16_t)ntohs(*(const uint16_t *)(p)));
 }
 
-static inline uint32_t
+static inline uint32_t UNALIGNED_OK
 EXTRACT_32BITS(const void *p)
 {
 	return ((uint32_t)ntohl(*(const uint32_t *)(p)));
 }
 
-static inline uint64_t
+static inline uint64_t UNALIGNED_OK
 EXTRACT_64BITS(const void *p)
 {
 	return ((uint64_t)(((uint64_t)ntohl(*((const uint32_t *)(p) + 0))) << 32 |
@@ -193,7 +233,6 @@ EXTRACT_64BITS(const void *p)
  * Macros to extract possibly-unaligned little-endian integral values.
  * XXX - do loads on little-endian machines that support unaligned loads?
  */
-#define EXTRACT_LE_8BITS(p) (*(p))
 #define EXTRACT_LE_16BITS(p) \
 	((uint16_t)(((uint16_t)(*((const uint8_t *)(p) + 1)) << 8) | \
 	            ((uint16_t)(*((const uint8_t *)(p) + 0)) << 0)))
@@ -242,3 +281,6 @@ EXTRACT_64BITS(const void *p)
 
 #define ND_TTEST_64BITS(p) ND_TTEST2(*(p), 8)
 #define ND_TCHECK_64BITS(p) ND_TCHECK2(*(p), 8)
+
+#define ND_TTEST_128BITS(p) ND_TTEST2(*(p), 16)
+#define ND_TCHECK_128BITS(p) ND_TCHECK2(*(p), 16)

Copied: stable/11/contrib/tcpdump/funcattrs.h (from r326613, head/contrib/tcpdump/funcattrs.h)
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ stable/11/contrib/tcpdump/funcattrs.h	Wed Dec 27 03:24:24 2017	(r327234, copy of r326613, head/contrib/tcpdump/funcattrs.h)
@@ -0,0 +1,122 @@
+/* -*- Mode: c; tab-width: 8; indent-tabs-mode: 1; c-basic-offset: 8; -*- */
+/*
+ * Copyright (c) 1993, 1994, 1995, 1996, 1997
+ *	The Regents of the University of California.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *	This product includes software developed by the Computer Systems
+ *	Engineering Group at Lawrence Berkeley Laboratory.
+ * 4. Neither the name of the University nor of the Laboratory may be used
+ *    to endorse or promote products derived from this software without
+ *    specific prior written permission.

*** DIFF OUTPUT TRUNCATED AT 1000 LINES ***



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201712270324.vBR3OOGr058526>