From owner-svn-doc-head@freebsd.org Thu Sep 27 19:11:51 2018 Return-Path: Delivered-To: svn-doc-head@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id B7E6610B672C; Thu, 27 Sep 2018 19:11:50 +0000 (UTC) (envelope-from gordon@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client CN "mxrelay.nyi.freebsd.org", Issuer "Let's Encrypt Authority X3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 6CC8372A70; Thu, 27 Sep 2018 19:11:50 +0000 (UTC) (envelope-from gordon@FreeBSD.org) Received: from repo.freebsd.org (repo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id 678EA23CE; Thu, 27 Sep 2018 19:11:50 +0000 (UTC) (envelope-from gordon@FreeBSD.org) Received: from repo.freebsd.org ([127.0.1.37]) by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id w8RJBoFc094332; Thu, 27 Sep 2018 19:11:50 GMT (envelope-from gordon@FreeBSD.org) Received: (from gordon@localhost) by repo.freebsd.org (8.15.2/8.15.2/Submit) id w8RJBmpb094317; Thu, 27 Sep 2018 19:11:48 GMT (envelope-from gordon@FreeBSD.org) Message-Id: <201809271911.w8RJBmpb094317@repo.freebsd.org> X-Authentication-Warning: repo.freebsd.org: gordon set sender to gordon@FreeBSD.org using -f From: Gordon Tetlow Date: Thu, 27 Sep 2018 19:11:48 +0000 (UTC) To: doc-committers@freebsd.org, svn-doc-all@freebsd.org, svn-doc-head@freebsd.org Subject: svn commit: r52312 - in head/share: security/advisories security/patches/EN-18:09 security/patches/EN-18:10 security/patches/EN-18:11 security/patches/EN-18:12 xml X-SVN-Group: doc-head X-SVN-Commit-Author: gordon X-SVN-Commit-Paths: in head/share: security/advisories security/patches/EN-18:09 security/patches/EN-18:10 security/patches/EN-18:11 security/patches/EN-18:12 xml X-SVN-Commit-Revision: 52312 X-SVN-Commit-Repository: doc MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-doc-head@freebsd.org X-Mailman-Version: 2.1.27 Precedence: list List-Id: SVN commit messages for the doc tree for head List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 27 Sep 2018 19:11:51 -0000 Author: gordon (src,ports committer) Date: Thu Sep 27 19:11:47 2018 New Revision: 52312 URL: https://svnweb.freebsd.org/changeset/doc/52312 Log: Add errata notices EN-18:09 through EN-18:12 Approved by: so Added: head/share/security/advisories/FreeBSD-EN-18:09.ip.asc (contents, props changed) head/share/security/advisories/FreeBSD-EN-18:10.syscall.asc (contents, props changed) head/share/security/advisories/FreeBSD-EN-18:11.listen.asc (contents, props changed) head/share/security/advisories/FreeBSD-EN-18:12.mem.asc (contents, props changed) head/share/security/patches/EN-18:09/ head/share/security/patches/EN-18:09/ip.patch (contents, props changed) head/share/security/patches/EN-18:09/ip.patch.asc (contents, props changed) head/share/security/patches/EN-18:10/ head/share/security/patches/EN-18:10/syscall-11.patch (contents, props changed) head/share/security/patches/EN-18:10/syscall-11.patch.asc (contents, props changed) head/share/security/patches/EN-18:11/ head/share/security/patches/EN-18:11/listen-10.patch (contents, props changed) head/share/security/patches/EN-18:11/listen-10.patch.asc (contents, props changed) head/share/security/patches/EN-18:11/listen-11.patch (contents, props changed) head/share/security/patches/EN-18:11/listen-11.patch.asc (contents, props changed) head/share/security/patches/EN-18:12/ head/share/security/patches/EN-18:12/mem.patch (contents, props changed) head/share/security/patches/EN-18:12/mem.patch.asc (contents, props changed) Modified: head/share/xml/notices.xml Added: head/share/security/advisories/FreeBSD-EN-18:09.ip.asc ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/share/security/advisories/FreeBSD-EN-18:09.ip.asc Thu Sep 27 19:11:47 2018 (r52312) @@ -0,0 +1,136 @@ +-----BEGIN PGP SIGNED MESSAGE----- +Hash: SHA512 + +============================================================================= +FreeBSD-EN-18:09.ip Errata Notice + The FreeBSD Project + +Topic: IP fragment remediation causes IPv6 fragment + reassembly failure + +Category: core +Module: kernel +Announced: 2018-09-27 +Credits: Kristof Provost +Affects: FreeBSD 11.1 and FreeBSD 11.2 +Corrected: 2018-09-27 18:29:55 UTC (releng/11.2, 11.2-RELEASE-p4) + 2018-09-27 18:29:55 UTC (releng/11.1, 11.1-RELEASE-p15) + +For general information regarding FreeBSD Errata Notices and Security +Advisories, including descriptions of the fields above, security +branches, and the following sections, please visit +. + +I. Background + +The recent security advisory titled SA-18:10.ip resolved an issue in the IPv4 +and IPv6 fragment reassembly code. + +II. Problem Description + +As a result of fixing the issue describe in SA-18:10.ip, a regression was +introduced in the IPv6 fragment hashing code which could cause reassembly to +fail. + +III. Impact + +Received IPv6 packets requiring fragment reassembly may be dropped instead of +properly reassembled and delivered. + +IV. Workaround + +Disable IPv6 fragment reassembly, using these commands: + % sysctl net.inet6.ip6.maxfrags=0 + +On systems compiled with VIMAGE, these sysctls will need to be +executed for each VNET. + +V. Solution + +Perform one of the following: + +1) Upgrade your system to a supported FreeBSD stable or release / security +branch (releng) dated after the correction date. + +Afterward, reboot the system. + +2) To update your system via a binary patch: + +Systems running a RELEASE version of FreeBSD on the i386 or amd64 +platforms can be updated via the freebsd-update(8) utility: + +# freebsd-update fetch +# freebsd-update install + +Afterward, reboot the system. + +3) To update your system via a source code patch: + +The following patches have been verified to apply to the applicable +FreeBSD release branches. + +a) Download the relevant patch from the location below, and verify the +detached PGP signature using your PGP utility. + +[FreeBSD 11.x] +# fetch https://security.FreeBSD.org/patches/EN-18:09/ip.patch +# fetch https://security.FreeBSD.org/patches/EN-18:09/ip.patch.asc +# gpg --verify ip.patch.asc + +b) Apply the patch. Execute the following commands as root: + +# cd /usr/src +# patch < /path/to/patch + +c) Recompile your kernel as described in + and reboot the +system. + +VI. Correction details + +The following list contains the correction revision numbers for each +affected branch. + +Branch/path Revision +- ------------------------------------------------------------------------- +releng/11.1/ r338978 +releng/11.2/ r338978 +- ------------------------------------------------------------------------- + +To see which files were modified by a particular revision, run the +following command, replacing NNNNNN with the revision number, on a +machine with Subversion installed: + +# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base + +Or visit the following URL, replacing NNNNNN with the revision number: + + + +VII. References + +The security advisory that introduced the regression is available at + + + + +The latest revision of this advisory is available at + +-----BEGIN PGP SIGNATURE----- + +iQKTBAEBCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAlutKTVfFIAAAAAALgAo +aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD +MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n +5cKagRAAh4AnkPqG5hNnpilNct2cjY6GrU+Ex0hmbDbv36RR5Cj/Xi6FrdjGdF6/ +sA5/KYC1fOe07S2JJDgh2b5f1E3NBtfCCXQL3Fq46LRu8KJUifReY23kxNw74pev +86WmxtctkJ62gc3EUhaTx5tgvIqHRnLrNbJqAJ9VEZkV5aa33yT/5zDTq0TLJPsK +LfgwIWw7KAecH28cHx9KH+QyeLEsKoQPj5PIpQih7aZE/8cVLIMxKepExzPFx0s8 +SV1BFVQqJaRK4frv7tHZIEjTrseKVhF6SCqbtSVP6ZBtOAaaNGobq9bQNzPPxls7 +tTIGC6JVacUNNzJY+uv+DyHwCcEqyU5HQKOaJGqcQ4rxccXdWLBQOA55sRuiCZSy +SxRzs+4JNo2XDACnSECUFFos05HXxOWm8lqt8juR6fnq9Auej/PmktQYHaIXI3us +hYOlHu7Oo6sSGERBE92I1B4Y0L2BzXgroFN+rKmzlLGmM3vQYDxt2o0/GpMRf0wf +I+plRLC9osYTc/QFJzqt6dGJj+46xWyCw8aGcRhtQGPWUcB3DtYRjJxi1x6YjBkN +Cw3nepcW4rwJpmJZyGuNhsyKFZlhhz2+GV1lxsoe5TC6rRbEo30O3aU1zh5+fljo +KR9WSfy6bNoTX4NhbCJ+j9fdD6AxiqWtmB8h4Vp7ykrM/VJLUzc= +=1FtK +-----END PGP SIGNATURE----- Added: head/share/security/advisories/FreeBSD-EN-18:10.syscall.asc ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/share/security/advisories/FreeBSD-EN-18:10.syscall.asc Thu Sep 27 19:11:47 2018 (r52312) @@ -0,0 +1,132 @@ +-----BEGIN PGP SIGNED MESSAGE----- +Hash: SHA512 + +============================================================================= +FreeBSD-EN-18:10.syscall Errata Notice + The FreeBSD Project + +Topic: NULL pointer dereference in freebsd4_getfsstat system call + +Category: core +Module: kernel +Announced: 2018-09-27 +Credits: Thomas Barabosch, Fraunhofer FKIE +Affects: FreeBSD 11.x +Corrected: 2018-09-27 18:54:41 UTC (stable/11, 11.1-STABLE) + 2018-09-27 18:32:14 UTC (releng/11.2, 11.2-RELEASE-p4) + 2018-09-27 18:32:14 UTC (releng/11.1, 11.1-RELEASE-p15) +CVE Name: CVE-2018-17154 + +For general information regarding FreeBSD Errata Notices and Security +Advisories, including descriptions of the fields above, security +branches, and the following sections, please visit +. + +I. Background + +The freebsd4_getfsstat system call returns information about all mounted file +systems in a binary format compatible with FreeBSD 4.x. Part of the call +includes passing in a userland allocated buffer for the system call to fill +along with the size of the buffer. + +II. Problem Description + +Insufficient checking occurs on the buffer when a very large buffer size causes +memory allocation to fail. Resulting code attempts to free the NULL pointer. + +III. Impact + +A local unprivileged user may cause a denial of service using a specially +crafted binary. + +IV. Workaround + +No workaround is available. + +V. Solution + +Perform one of the following: + +1) Upgrade your system to a supported FreeBSD stable or release / security +branch (releng) dated after the correction date. + +Afterward, reboot the system. + +2) To update your system via a binary patch: + +Systems running a RELEASE version of FreeBSD on the i386 or amd64 +platforms can be updated via the freebsd-update(8) utility: + +# freebsd-update fetch +# freebsd-update install + +Afterward, reboot the system. + +3) To update your system via a source code patch: + +The following patches have been verified to apply to the applicable +FreeBSD release branches. + +a) Download the relevant patch from the location below, and verify the +detached PGP signature using your PGP utility. + +[FreeBSD 11.x] +# fetch https://security.FreeBSD.org/patches/EN-18:10/syscall-11.patch +# fetch https://security.FreeBSD.org/patches/EN-18:10/syscall-11.patch.asc +# gpg --verify syscall-11.patch.asc + +b) Apply the patch. Execute the following commands as root: + +# cd /usr/src +# patch < /path/to/patch + +c) Recompile your kernel as described in + and reboot the +system. + +VI. Correction details + +The following list contains the correction revision numbers for each +affected branch. + +Branch/path Revision +- ------------------------------------------------------------------------- +stable/11/ r338987 +releng/11.1/ r338979 +releng/11.2/ r338979 +- ------------------------------------------------------------------------- + +To see which files were modified by a particular revision, run the +following command, replacing NNNNNN with the revision number, on a +machine with Subversion installed: + +# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base + +Or visit the following URL, replacing NNNNNN with the revision number: + + + +VII. References + + + +The latest revision of this advisory is available at + +-----BEGIN PGP SIGNATURE----- + +iQKSBAEBCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAlutKT9fFIAAAAAALgAo +aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD +MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n +5cJMqQ/4ycdylBNCX0cqFDYrtDU0OJO0mEi2LKqCM31YzOCLbKLtVSq06rxOj/E9 +0okWag0NxaGIo2+7+b/hykDwL+1Rwpa5YNdODESRYQeW0OVdnmy/JSB/8q2I2BwX +PrqMc38sc9YuCz202B7tj4CQRKyhe2/qWRXANzh4jolC8zIuP7zAH6bMO+jc4XJS +9qe2YdvChWiwLJXOSXaqZf1xY1jY08+lRGDx03n13OLRN8PZdbIoDEmOd2/vxhcV +YRcDH0axLJSyngknPE9gU8iVZDunxpNBool5hJYDd8rBbAfypXWSDZ7wJGUn7tUZ +3Cj/NPmZ9auMTGLgpRJB/bhgCnn3mZQ5QjR1egonZf3uIlTWZ+0C9GhJjh5cw+2p +3hF+202uJicNm5TSkO6QpavVVvQNFcuCR54ZvXEICv3YNam3yDupGWsbjHloxoCw +7A/wmBBcbtAJ7ujzgPm4+yN5Vno4dcPmkIfW9bz0fwXzYF1VEaF5pZZu7a9bjdI0 +xHBk2v77NIRBxC5i1KK5R5Guj0UY0EvkclBTF4Twh3TP0SAPN+5sqpmBRQwPGEdp +9v5TPQv5DJn0KTJwkdrrP+70WIYkfcUVJ9hJYbXAMXseN1q3mTggS/ypF9ckTP0Z +D1hQuUySz07GInHlJ+znS8CzVSj/iWqsxThBBbwgy1a4haxr5A== +=HCqG +-----END PGP SIGNATURE----- Added: head/share/security/advisories/FreeBSD-EN-18:11.listen.asc ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/share/security/advisories/FreeBSD-EN-18:11.listen.asc Thu Sep 27 19:11:47 2018 (r52312) @@ -0,0 +1,146 @@ +-----BEGIN PGP SIGNED MESSAGE----- +Hash: SHA512 + +============================================================================= +FreeBSD-EN-18:11.listen Errata Notice + The FreeBSD Project + +Topic: Denial of service in listen syscall over IPv6 socket + +Category: core +Module: kernel +Announced: 2018-09-27 +Credits: Jakub Jirasek, Secunia Research at Flexera +Affects: All supported versions of FreeBSD. +Corrected: 2018-09-27 18:50:10 UTC (stable/11, 11.2-STABLE) + 2018-09-27 18:34:42 UTC (releng/11.2, 11.2-RELEASE-p4) + 2018-09-27 18:34:42 UTC (releng/11.1, 11.1-RELEASE-p15) + 2018-09-27 18:48:50 UTC (stable/10, 10.4-STABLE) + 2018-09-27 18:34:42 UTC (releng/10.4, 10.4-RELEASE-p13) +CVE Name: CVE-2018-6925 + +For general information regarding FreeBSD Errata Notices and Security +Advisories, including descriptions of the fields above, security +branches, and the following sections, please visit +. + +I. Background + +The protocol control block is a structure that maintains the network layer +state for various sockets. There are various state flags that must be +properly maintained to keep the structure consistent. + +II. Problem Description + +There are various cases in the IPv6 socket code where the protocol control +block's state flags are modified during a syscall, but are not restored if +the operation fails. This can leave the control block in an inconsistent +state. + +III. Impact + +A local unprivileged user could exploit the inconsistent state of the +protocol control block to cause the kernel to crash, leading to a denial of +service. + +IV. Workaround + +No workaround is available. + +V. Solution + +Perform one of the following: + +1) Upgrade your system to a supported FreeBSD stable or release / security +branch (releng) dated after the correction date. + +Afterward, reboot the system. + +2) To update your system via a binary patch: + +Systems running a RELEASE version of FreeBSD on the i386 or amd64 +platforms can be updated via the freebsd-update(8) utility: + +# freebsd-update fetch +# freebsd-update install + +Afterward, reboot the system. + +3) To update your system via a source code patch: + +The following patches have been verified to apply to the applicable +FreeBSD release branches. + +a) Download the relevant patch from the location below, and verify the +detached PGP signature using your PGP utility. + +[FreeBSD 11.x] +# fetch https://security.FreeBSD.org/patches/EN-18:11/listen-11.patch +# fetch https://security.FreeBSD.org/patches/EN-18:11/listen-11.patch.asc +# gpg --verify listen-11.patch.asc + +[FreeBSD 10.4] +# fetch https://security.FreeBSD.org/patches/EN-18:11/listen-10.patch +# fetch https://security.FreeBSD.org/patches/EN-18:11/listen-10.patch.asc +# gpg --verify listen-10.patch.asc + +b) Apply the patch. Execute the following commands as root: + +# cd /usr/src +# patch < /path/to/patch + +c) Recompile your kernel as described in + and reboot the +system. + +VI. Correction details + +The following list contains the correction revision numbers for each +affected branch. + +Branch/path Revision +- ------------------------------------------------------------------------- +stable/10/ r338985 +releng/10.4/ r338980 +stable/11/ r338986 +releng/11.1/ r338980 +releng/11.2/ r338980 +- ------------------------------------------------------------------------- + +To see which files were modified by a particular revision, run the +following command, replacing NNNNNN with the revision number, on a +machine with Subversion installed: + +# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base + +Or visit the following URL, replacing NNNNNN with the revision number: + + + +VII. References + + + +For information about Secunia Research: + + +The latest revision of this advisory is available at + +-----BEGIN PGP SIGNATURE----- + +iQKTBAEBCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAlutKURfFIAAAAAALgAo +aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD +MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n +5cIUEA/+JxBo76dRre8nfvYcN2PJGGFn8i2mWwSG87SWwQUeKlkgpJCV8qMnVEr2 +dGz3gwBsxFLKUjQVyl+IwFkaJgKXMbFYkfIqLaS+3a12KLllFAn2Q0dnN+oxFhS2 +Wpx4DkDRgBzEyLokxwjUCtg2fd6HPlML2YXCR5SqjXDOoBGAR9GCCXXYNnWSC00y +IYgeC8UpE3ykTlwDH8q+LgLqtnx/oDW1h6UR12alP0ytH8+BldiAqRxjHE3/Wv2E +aU8m8YuAAIW4tHZ4vdqpiFP4grN/0tSf/DEPBTtVIv5FGpXSk61YTBSm4OMIKNN8 +QEVEA6n6NEGSKYrbB5BE73KYgCAaeGzcGikX9F4aAlN5GSPBVJ66SEbk16YDzDfB +KimjhityEP5YXh8hVkNo6fq+17dKpqx81390wzcXeDlBTIkANnKLh23gE0RuniNY +dXrPE2HWSpkCnWN6l0BImefDeCgAaF7KZK+z7bbsn2D7UMGFGeHU/XlRM0ze7OOV +ETqwk2M4GuxddHTKktNGBItWVd6EjReAh6QOo1kAA4qMKuNIiDQdRS72x6fUbmlA +ZIOzPNd6TS57aKSnAZlR1SpvRMqo+g9cetMxuJmKnQ+hXaRk2zJVuP2RAJuoFFqf +TmnVAPpDRjoYa0lf2YkOKtYcfF+pBcWI1CVAEFuQG2PheJRYns0= +=jMY6 +-----END PGP SIGNATURE----- Added: head/share/security/advisories/FreeBSD-EN-18:12.mem.asc ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/share/security/advisories/FreeBSD-EN-18:12.mem.asc Thu Sep 27 19:11:47 2018 (r52312) @@ -0,0 +1,139 @@ +-----BEGIN PGP SIGNED MESSAGE----- +Hash: SHA512 + +============================================================================= +FreeBSD-EN-18:12.mem Errata Notice + The FreeBSD Project + +Topic: Small kernel memory disclosures in two system calls + +Category: core +Module: kernel +Announced: 2018-09-27 +Credits: Thomas Barabosch, Fraunhofer FKIE +Affects: All supported versions of FreeBSD. +Corrected: 2018-09-27 18:42:40 UTC (stable/11, 11.2-STABLE) + 2018-09-27 18:36:30 UTC (releng/11.2, 11.2-RELEASE-p4) + 2018-09-27 18:36:30 UTC (releng/11.1, 11.1-RELEASE-p15) + 2018-09-27 18:44:40 UTC (stable/10, 10.4-STABLE) + 2018-09-27 18:36:30 UTC (releng/10.4, 10.4-RELEASE-p13) +CVE Name: CVE-2018-17155 + +For general information regarding FreeBSD Errata Notices and Security +Advisories, including descriptions of the fields above, security +branches, and the following sections, please visit +. + +I. Background + +The kernel provides an interface for userland programs via system calls. Two +of these system calls are named getcontext and swapcontext. + +II. Problem Description + +Due to insufficient initialization of memory copied to userland in the +getcontext and swapcontext system calls, small amounts of kernel memory may +be disclosed to userland processes. + +III. Impact + +An unprivileged local user may be able to create a specific program to read +the contents of small portions of kernel memory. + +Such memory might contain sensitive information, such as portions of the file +cache or terminal buffers. This information might be directly useful, or it +might be leveraged to obtain elevated privileges in some way; for example, +a terminal buffer might include a user-entered password. + +IV. Workaround + +No workaround is available. + +V. Solution + +Perform one of the following: + +1) Upgrade your system to a supported FreeBSD stable or release / security +branch (releng) dated after the correction date. + +Afterward, reboot the system. + +2) To update your system via a binary patch: + +Systems running a RELEASE version of FreeBSD on the i386 or amd64 +platforms can be updated via the freebsd-update(8) utility: + +# freebsd-update fetch +# freebsd-update install + +Afterward, reboot the system. + +3) To update your system via a source code patch: + +The following patches have been verified to apply to the applicable +FreeBSD release branches. + +a) Download the relevant patch from the location below, and verify the +detached PGP signature using your PGP utility. + +# fetch https://security.FreeBSD.org/patches/EN-18:12/mem.patch +# fetch https://security.FreeBSD.org/patches/EN-18:12/mem.patch.asc +# gpg --verify mem.patch.asc + +b) Apply the patch. Execute the following commands as root: + +# cd /usr/src +# patch < /path/to/patch + +c) Recompile your kernel as described in + and reboot the +system. + +VI. Correction details + +The following list contains the correction revision numbers for each +affected branch. + +Branch/path Revision +- ------------------------------------------------------------------------- +stable/10/ r339984 +releng/10.4/ r338981 +stable/11/ r339983 +releng/11.1/ r338981 +releng/11.2/ r338981 +- ------------------------------------------------------------------------- + +To see which files were modified by a particular revision, run the +following command, replacing NNNNNN with the revision number, on a +machine with Subversion installed: + +# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base + +Or visit the following URL, replacing NNNNNN with the revision number: + + + +VII. References + + + +The latest revision of this advisory is available at + +-----BEGIN PGP SIGNATURE----- + +iQKSBAEBCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAlutKU5fFIAAAAAALgAo +aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD +MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n +5cJfGA/3XLR2dunxnQZYQvdpA8k9HA1zHfKFUMbTJqESIZPofvLnFJiw7gwDl0mF +pMC5LCi+k+LIIsXPLzRk/7BUmoCt/hCbD7BOVuiYXhIZy0VgKhaOggSvOXYOsjNl +JTJa5zGsKm4BUNhAkxcJtCO9i+gOShZ2fxiJ9SU7bO/gVl5HoMh56KWTLUBXX2jD +vZfEvxJvllbvk6ST68jb7C0Ix47+idRO2hdfxVLyZfD1PsILIy6JThqKqsbGgqbA ++ma7OnCigxwI0bds4nusi7vNu3IiFuzjBLfV9exW8kcRgyotOsmCfCjSOlOcEJvR +gKcmqZccf1SMGFR336YwGB66xL56QwpgN+UZ/QhmBX15mqI/oAekd0W3fb3OmfvW +bMiDo0MHmtZqiSnQyUOcCPRW5s0l8EHeWCVbjKX1ViqY6e4NdQajrjRUyXnOqcM5 +vtTWAJ+BCc3Acg1V4nkjF7HNCUyGObKZcbDqK7M7p5+i/CFxJkCdKu0x8dsZRHL8 +7V4SL1sb9OkPWjBxyzHuiQNGJfTgknDsIxvBYcdPVukTtGzrWH1skhdWL2O0CNvQ +Quk2YQePQ/X4ICPIB3s+Yao5N8t0FoEM4Hus6nSCpNRyP5XpCaBISHbhG8Ay7yJr +1p0YkV22eQ5KXiNY6Qmof7S0S1p8IZlomO8J8I/yGuwqh2mkkQ== +=uZtl +-----END PGP SIGNATURE----- Added: head/share/security/patches/EN-18:09/ip.patch ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/share/security/patches/EN-18:09/ip.patch Thu Sep 27 19:11:47 2018 (r52312) @@ -0,0 +1,13 @@ +--- sys/netinet6/frag6.c.orig ++++ sys/netinet6/frag6.c +@@ -216,7 +216,9 @@ + int offset = *offp, nxt, i, next; + int first_frag = 0; + int fragoff, frgpartlen; /* must be larger than u_int16_t */ +- uint32_t hash, hashkey[sizeof(struct in6_addr) * 2 + 1], *hashkeyp; ++ uint32_t hashkey[(sizeof(struct in6_addr) * 2 + ++ sizeof(ip6f->ip6f_ident)) / sizeof(uint32_t)]; ++ uint32_t hash, *hashkeyp; + struct ifnet *dstifp; + u_int8_t ecn, ecn0; + #ifdef RSS Added: head/share/security/patches/EN-18:09/ip.patch.asc ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/share/security/patches/EN-18:09/ip.patch.asc Thu Sep 27 19:11:47 2018 (r52312) @@ -0,0 +1,18 @@ +-----BEGIN PGP SIGNATURE----- + +iQKTBAABCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAlutKWZfFIAAAAAALgAo +aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD +MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n +5cK5fQ//cqB5ebX2iYBeKRDL7IfgBaDcojr8x8bDwu2PTRqlXtlq2pUVAkzKynaF +HUoJtvE3xKXkCOw60igjtK1AqWjOyLebUfivM/YykcuBvpiVfs6ZNHsiLCFw+oz9 +pMq4I5jbhizxS4Rdo9ZFMo8Gys6lNMdq9iV6f7rJFD7Ls8sJRi5fi5BR7I08AIBl +VVP3E+0ACOitR9YidRRZ5w4QWYjoZJljMjUlIL023B3VkK+h2uxJy16wLdHv3Tpt +c0DnKyXlM1s0BoCq4qSwFkE2BfutIgsNWgzHHmDDhc6ju9eS96OtZDrok7+knLQr +eBH5WEzXnnrBc+J31LIVVev12uJhntAXRtOau218BYeCnjwln4mBk/y+JqIqLjar +jn4rWEj7lh/PTsmAEulh53mTdyz+tEHSeacNnkR+vuynLGWNUKmFkul4RCLrlP74 +u5qquwkDe3l/6vluGR6tI52RiDiyAuT5s6czH5/mKb/ewWTHj3uFJx9X0J/55Kcp +pBSNuNtzwpjm2bAQy/9n6AYHqfmKvbKoIjIAB+WZwefYrEmAEfaqzchmjfrw5A0a +D8w7IQhljX1CAZ9IcjuUMOWlNSeWdIlGHMZpXM+1MH4nP3RF1JbHGlCyo5WaRHKs +0FLBWGYFN/hvUjY1H1izCCtKeUTDG6y9WnFJW+/VchZZvWFhP24= +=q3dd +-----END PGP SIGNATURE----- Added: head/share/security/patches/EN-18:10/syscall-11.patch ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/share/security/patches/EN-18:10/syscall-11.patch Thu Sep 27 19:11:47 2018 (r52312) @@ -0,0 +1,11 @@ +--- sys/kern/vfs_syscalls.c.orig ++++ sys/kern/vfs_syscalls.c +@@ -600,6 +600,8 @@ + size = count * sizeof(struct statfs); + error = kern_getfsstat(td, &buf, size, &count, UIO_SYSSPACE, + uap->mode); ++ if (buf == NULL) ++ return (EINVAL); + td->td_retval[0] = count; + if (size != 0) { + sp = buf; Added: head/share/security/patches/EN-18:10/syscall-11.patch.asc ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/share/security/patches/EN-18:10/syscall-11.patch.asc Thu Sep 27 19:11:47 2018 (r52312) @@ -0,0 +1,18 @@ +-----BEGIN PGP SIGNATURE----- + +iQKTBAABCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAlutKW1fFIAAAAAALgAo +aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD +MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n +5cLwRxAAnybQwo07WZtP8aLAuOEzXjEJ8rLMKAV80pvIFj27TAxpiIw1cltQsZhb +qHMhYFjnJejgujwBmMEz7rAK97zte71AW4Lm4+I6r2MY8Wniu8OiTHUkYOHlNkWM +iROkSiRRLtPdH0HXk3M5n+BhprDgovOv1xQhu17RLbDYX+9mz5kB2EaRJtnv0JCT +ZfYhin262zaZR0yJ4f5Hug5NphmcbD7VtSD3ZNye2txicJ7330B3iIcpD6YZnkH2 +pJqs4OzLux/xHhQdSMCN5dVtC6M5Gkt6gYDQX6vMoouRw/2o4gcpjye9aV1rkrVd +D3c8iGwdTxyYzUZ++E3OCilx4YbAqmBEXmP4BsiiiO71XHr+oB79+0FQ+U0ZNy7T +zVuc9TJOfOnIDyyz4KL5RcMSFFdNggnYHdCYQZAGk+Xv8aY1ddxmV8M1NBpMvuhS +XQpiWvfoEP5e0pmRfG3OL5XOt9J271BF+gPMRDOAAeDgU/PkWRrHWxAQJtiC6HYl +TEirv16TKpui1nITJj9Q8BBgxMdymEY5SezKdCYeX5PKwsCO9xd0ZRTBhgvVwnCU +e/UTu7vL0ngZ9TFsTVj2A5YsGhDn/7ayYBMwndplF82lpdvPGwhSYmUUpHYBesXi +NjnZjLrpxM+pntbnEcTPLuE7xqIvWsqn6M4DQeRs8+bY8zo9l9k= +=s1wm +-----END PGP SIGNATURE----- Added: head/share/security/patches/EN-18:11/listen-10.patch ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/share/security/patches/EN-18:11/listen-10.patch Thu Sep 27 19:11:47 2018 (r52312) @@ -0,0 +1,260 @@ +--- sys/netinet/tcp_usrreq.c.orig ++++ sys/netinet/tcp_usrreq.c +@@ -328,6 +328,7 @@ + struct inpcb *inp; + struct tcpcb *tp = NULL; + struct sockaddr_in6 *sin6p; ++ u_char vflagsav; + + sin6p = (struct sockaddr_in6 *)nam; + if (nam->sa_len != sizeof (*sin6p)) +@@ -344,6 +345,7 @@ + inp = sotoinpcb(so); + KASSERT(inp != NULL, ("tcp6_usr_bind: inp == NULL")); + INP_WLOCK(inp); ++ vflagsav = inp->inp_vflag; + if (inp->inp_flags & (INP_TIMEWAIT | INP_DROPPED)) { + error = EINVAL; + goto out; +@@ -373,6 +375,8 @@ + error = in6_pcbbind(inp, nam, td->td_ucred); + INP_HASH_WUNLOCK(&V_tcbinfo); + out: ++ if (error != 0) ++ inp->inp_vflag = vflagsav; + TCPDEBUG2(PRU_BIND); + INP_WUNLOCK(inp); + return (error); +@@ -434,6 +438,7 @@ + int error = 0; + struct inpcb *inp; + struct tcpcb *tp = NULL; ++ u_char vflagsav; + + TCPDEBUG0; + inp = sotoinpcb(so); +@@ -443,6 +448,7 @@ + error = EINVAL; + goto out; + } ++ vflagsav = inp->inp_vflag; + tp = intotcpcb(inp); + TCPDEBUG1(); + SOCK_LOCK(so); +@@ -469,6 +475,9 @@ + if (tp->t_flags & TF_FASTOPEN) + tp->t_tfo_pending = tcp_fastopen_alloc_counter(); + #endif ++ if (error != 0) ++ inp->inp_vflag = vflagsav; ++ + out: + TCPDEBUG2(PRU_LISTEN); + INP_WUNLOCK(inp); +@@ -543,6 +552,8 @@ + struct inpcb *inp; + struct tcpcb *tp = NULL; + struct sockaddr_in6 *sin6p; ++ u_int8_t incflagsav; ++ u_char vflagsav; + + TCPDEBUG0; + +@@ -559,6 +570,8 @@ + inp = sotoinpcb(so); + KASSERT(inp != NULL, ("tcp6_usr_connect: inp == NULL")); + INP_WLOCK(inp); ++ vflagsav = inp->inp_vflag; ++ incflagsav = inp->inp_inc.inc_flags; + if (inp->inp_flags & INP_TIMEWAIT) { + error = EADDRINUSE; + goto out; +@@ -584,11 +597,11 @@ + } + + in6_sin6_2_sin(&sin, sin6p); +- inp->inp_vflag |= INP_IPV4; +- inp->inp_vflag &= ~INP_IPV6; + if ((error = prison_remote_ip4(td->td_ucred, + &sin.sin_addr)) != 0) + goto out; ++ inp->inp_vflag |= INP_IPV4; ++ inp->inp_vflag &= ~INP_IPV6; + if ((error = tcp_connect(tp, (struct sockaddr *)&sin, td)) != 0) + goto out; + #ifdef TCP_OFFLOAD +@@ -601,11 +614,11 @@ + goto out; + } + #endif ++ if ((error = prison_remote_ip6(td->td_ucred, &sin6p->sin6_addr)) != 0) ++ goto out; + inp->inp_vflag &= ~INP_IPV4; + inp->inp_vflag |= INP_IPV6; + inp->inp_inc.inc_flags |= INC_ISIPV6; +- if ((error = prison_remote_ip6(td->td_ucred, &sin6p->sin6_addr)) != 0) +- goto out; + if ((error = tcp6_connect(tp, nam, td)) != 0) + goto out; + #ifdef TCP_OFFLOAD +@@ -618,6 +631,15 @@ + error = tcp_output(tp); + + out: ++ /* ++ * If the implicit bind in the connect call fails, restore ++ * the flags we modified. ++ */ ++ if (error != 0 && inp->inp_lport == 0) { ++ inp->inp_vflag = vflagsav; ++ inp->inp_inc.inc_flags = incflagsav; ++ } ++ + TCPDEBUG2(PRU_CONNECT); + INP_WUNLOCK(inp); + return (error); +--- sys/netinet6/sctp6_usrreq.c.orig ++++ sys/netinet6/sctp6_usrreq.c +@@ -608,6 +608,7 @@ + struct sctp_inpcb *inp; + struct in6pcb *inp6; + int error; ++ u_char vflagsav; + + inp = (struct sctp_inpcb *)so->so_pcb; + if (inp == NULL) { +@@ -638,6 +639,7 @@ + } + } + inp6 = (struct in6pcb *)inp; ++ vflagsav = inp6->inp_vflag; + inp6->inp_vflag &= ~INP_IPV4; + inp6->inp_vflag |= INP_IPV6; + if ((addr != NULL) && (SCTP_IPV6_V6ONLY(inp6) == 0)) { +@@ -667,7 +669,7 @@ + inp6->inp_vflag |= INP_IPV4; + inp6->inp_vflag &= ~INP_IPV6; + error = sctp_inpcb_bind(so, (struct sockaddr *)&sin, NULL, p); +- return (error); ++ goto out; + } + #endif + break; +@@ -684,7 +686,8 @@ + if (addr->sa_family == AF_INET) { + /* can't bind v4 addr to v6 only socket! */ + SCTP_LTRACE_ERR_RET(inp, NULL, NULL, SCTP_FROM_SCTP6_USRREQ, EINVAL); +- return (EINVAL); ++ error = EINVAL; ++ goto out; + } + #endif + sin6_p = (struct sockaddr_in6 *)addr; +@@ -693,10 +696,14 @@ + /* can't bind v4-mapped addrs either! */ + /* NOTE: we don't support SIIT */ + SCTP_LTRACE_ERR_RET(inp, NULL, NULL, SCTP_FROM_SCTP6_USRREQ, EINVAL); +- return (EINVAL); ++ error = EINVAL; ++ goto out; + } + } + error = sctp_inpcb_bind(so, addr, NULL, p); ++out: ++ if (error != 0) ++ inp6->inp_vflag = vflagsav; + return (error); + } + +--- sys/netinet6/udp6_usrreq.c.orig ++++ sys/netinet6/udp6_usrreq.c +@@ -947,6 +947,7 @@ + struct inpcb *inp; + struct inpcbinfo *pcbinfo; + int error; ++ u_char vflagsav; + + pcbinfo = get_inpcbinfo(so->so_proto->pr_protocol); + inp = sotoinpcb(so); +@@ -954,6 +955,7 @@ + + INP_WLOCK(inp); + INP_HASH_WLOCK(pcbinfo); ++ vflagsav = inp->inp_vflag; + inp->inp_vflag &= ~INP_IPV4; + inp->inp_vflag |= INP_IPV6; + if ((inp->inp_flags & IN6P_IPV6_V6ONLY) == 0) { +@@ -981,6 +983,8 @@ + #ifdef INET + out: + #endif ++ if (error != 0) ++ inp->inp_vflag = vflagsav; + INP_HASH_WUNLOCK(pcbinfo); + INP_WUNLOCK(inp); + return (error); +@@ -1023,6 +1027,7 @@ + struct inpcbinfo *pcbinfo; + struct sockaddr_in6 *sin6; + int error; ++ u_char vflagsav; + + pcbinfo = get_inpcbinfo(so->so_proto->pr_protocol); + inp = sotoinpcb(so); +@@ -1046,17 +1051,26 @@ + goto out; + } + in6_sin6_2_sin(&sin, sin6); +- inp->inp_vflag |= INP_IPV4; +- inp->inp_vflag &= ~INP_IPV6; + error = prison_remote_ip4(td->td_ucred, &sin.sin_addr); + if (error != 0) + goto out; ++ vflagsav = inp->inp_vflag; ++ inp->inp_vflag |= INP_IPV4; ++ inp->inp_vflag &= ~INP_IPV6; + INP_HASH_WLOCK(pcbinfo); + error = in_pcbconnect(inp, (struct sockaddr *)&sin, + td->td_ucred); + INP_HASH_WUNLOCK(pcbinfo); ++ /* ++ * If connect succeeds, mark socket as connected. If ++ * connect fails and socket is unbound, reset inp_vflag ++ * field. ++ */ + if (error == 0) + soisconnected(so); ++ else if (inp->inp_laddr.s_addr == INADDR_ANY && ++ inp->inp_lport == 0) ++ inp->inp_vflag = vflagsav; + goto out; + } + #endif +@@ -1064,16 +1078,25 @@ + error = EISCONN; + goto out; + } +- inp->inp_vflag &= ~INP_IPV4; +- inp->inp_vflag |= INP_IPV6; + error = prison_remote_ip6(td->td_ucred, &sin6->sin6_addr); + if (error != 0) + goto out; ++ vflagsav = inp->inp_vflag; ++ inp->inp_vflag &= ~INP_IPV4; ++ inp->inp_vflag |= INP_IPV6; + INP_HASH_WLOCK(pcbinfo); + error = in6_pcbconnect(inp, nam, td->td_ucred); + INP_HASH_WUNLOCK(pcbinfo); ++ /* ++ * If connect succeeds, mark socket as connected. If ++ * connect fails and socket is unbound, reset inp_vflag ++ * field. ++ */ + if (error == 0) + soisconnected(so); ++ else if (IN6_IS_ADDR_UNSPECIFIED(&inp->in6p_laddr) && ++ inp->inp_lport == 0) ++ inp->inp_vflag = vflagsav; + out: + INP_WUNLOCK(inp); + return (error); Added: head/share/security/patches/EN-18:11/listen-10.patch.asc ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/share/security/patches/EN-18:11/listen-10.patch.asc Thu Sep 27 19:11:47 2018 (r52312) @@ -0,0 +1,18 @@ +-----BEGIN PGP SIGNATURE----- + +iQKTBAABCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAlutKX5fFIAAAAAALgAo +aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD +MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n +5cLu1Q//dA9SiNzXp7Yn4jdV4DYI9OAOeeqi0yPYNpMjA2YL3/ItEB4SrIE86ELc +9/OuUXZPUaRkvefgOO8IvY/wZKDCHOm94lizn2mstp3JyNLVFaTWimu1QQSaZZCj +bCCVqMVWlYa3ssIUv3wJ8XPf0hDAJ4m+UuMoKG/6YpIsy5AM041RHNYFj881KLRw +4vBioFuoKKQliIksfTgLJjjf6HvKeu9tHnckKrAyZ//sxAsSZ5zfnQbjXwympY8R +n22Om1aXSYQc4Pve4dXY6gLhPcEtIAZKR6L1SOWtHv1RECSK98ePbDTXqQIkpOab +au/WJyjLkZQ6SgIZofGVe9OAb0ibYO5eshgMWmHHDXyFmPAZ7P/XUFWM0C3bN5DA +gQo3sLVJxZ2x6S8/shhK9OWU0pxVFbsewKsqTpHqozhCL/s9obfr81ao2dAGV8pR +l9kT16PZcuWmvqMPgb7AF1eTBzSg4XtGcAEqcwIIuUEnCplCrnaDVaCfATsmu48s +/x8RELtfCBbwGdCcoaCTimQJSe2xVfEI/mO60C1fZCeQCVfsCepgFDfR0HGd/lIq +tCDIgoCFs978IPyApSpJ9IENK+SdA8jxfyPYbR+DrtCP23TIt+n6VISP5KCYRgn0 +mk/h/BV1GxHsM3FonUE3cV+AReRT3lJZHenXKQU3mxZn9C3wpKs= +=1akG +-----END PGP SIGNATURE----- Added: head/share/security/patches/EN-18:11/listen-11.patch ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/share/security/patches/EN-18:11/listen-11.patch Thu Sep 27 19:11:47 2018 (r52312) @@ -0,0 +1,260 @@ +--- sys/netinet/tcp_usrreq.c.orig ++++ sys/netinet/tcp_usrreq.c +@@ -339,6 +339,7 @@ + struct inpcb *inp; + struct tcpcb *tp = NULL; + struct sockaddr_in6 *sin6p; ++ u_char vflagsav; + + sin6p = (struct sockaddr_in6 *)nam; + if (nam->sa_len != sizeof (*sin6p)) +@@ -355,6 +356,7 @@ + inp = sotoinpcb(so); + KASSERT(inp != NULL, ("tcp6_usr_bind: inp == NULL")); + INP_WLOCK(inp); ++ vflagsav = inp->inp_vflag; + if (inp->inp_flags & (INP_TIMEWAIT | INP_DROPPED)) { + error = EINVAL; + goto out; +@@ -384,6 +386,8 @@ + error = in6_pcbbind(inp, nam, td->td_ucred); + INP_HASH_WUNLOCK(&V_tcbinfo); + out: ++ if (error != 0) ++ inp->inp_vflag = vflagsav; + TCPDEBUG2(PRU_BIND); + TCP_PROBE2(debug__user, tp, PRU_BIND); + INP_WUNLOCK(inp); +@@ -447,6 +451,7 @@ + int error = 0; + struct inpcb *inp; + struct tcpcb *tp = NULL; ++ u_char vflagsav; + + TCPDEBUG0; + inp = sotoinpcb(so); +@@ -456,6 +461,7 @@ + error = EINVAL; + goto out; + } ++ vflagsav = inp->inp_vflag; + tp = intotcpcb(inp); + TCPDEBUG1(); + SOCK_LOCK(so); +@@ -482,6 +488,9 @@ + if (tp->t_flags & TF_FASTOPEN) + tp->t_tfo_pending = tcp_fastopen_alloc_counter(); + #endif ++ if (error != 0) ++ inp->inp_vflag = vflagsav; ++ + out: + TCPDEBUG2(PRU_LISTEN); + TCP_PROBE2(debug__user, tp, PRU_LISTEN); +@@ -558,6 +567,8 @@ + struct inpcb *inp; + struct tcpcb *tp = NULL; + struct sockaddr_in6 *sin6p; ++ u_int8_t incflagsav; ++ u_char vflagsav; + + TCPDEBUG0; + +@@ -574,6 +585,8 @@ + inp = sotoinpcb(so); + KASSERT(inp != NULL, ("tcp6_usr_connect: inp == NULL")); + INP_WLOCK(inp); ++ vflagsav = inp->inp_vflag; ++ incflagsav = inp->inp_inc.inc_flags; + if (inp->inp_flags & INP_TIMEWAIT) { + error = EADDRINUSE; + goto out; +@@ -603,11 +616,11 @@ + } + + in6_sin6_2_sin(&sin, sin6p); +- inp->inp_vflag |= INP_IPV4; *** DIFF OUTPUT TRUNCATED AT 1000 LINES ***