FreeBSD source tree https://cgit-dev.freebsd.org/src/atom?h=releng%2F10.2 2016-01-14T09:10:46Z 2016-01-14T09:10:46Z Gleb Smirnoff glebius@FreeBSD.org 2016-01-14T09:10:46Z urn:sha1:7f86e2d395476d8856f8ec778b41942180ef632c o Fix invalid TCP checksums with pf(4). [EN-16:02.pf] o Fix YP/NIS client library critical bug. [EN-16:03.yplib] o Fix SCTP ICMPv6 error message vulnerability. [SA-16:01.sctp] o Fix ntp panic threshold bypass vulnerability. [SA-16:02.ntp] o Fix Linux compatibility layer incorrect futex handling. [SA-16:03.linux] o Fix Linux compatibility layer setgroups(2) system call. [SA-16:04.linux] o Fix TCP MD5 signature denial of service. [SA-16:05.tcp] o Fix insecure default bsnmpd.conf permissions. [SA-16:06.bsnmpd] Errata: FreeBSD-EN-16:01.filemon Errata: FreeBSD-EN-16:02.pf Errata: FreeBSD-EN-16:03.yplib Security: FreeBSD-SA-16:01.sctp, CVE-2016-1879 Security: FreeBSD-SA-16:02.ntp, CVE-2015-5300 Security: FreeBSD-SA-16:03.linux, CVE-2016-1880 Security: FreeBSD-SA-16:04.linux, CVE-2016-1881 Security: FreeBSD-SA-16:05.tcp, CVE-2016-1882 Security: FreeBSD-SA-16:06.bsnmpd, CVE-2015-5677 Approved by: so 2015-07-23T19:58:56Z Hiroki Sato hrs@FreeBSD.org 2015-07-23T19:58:56Z urn:sha1:3d0c9d2121260c211263b100cf91f88d65ddf800 - Remove ND6_IFF_IGNORELOOP. This functionality was useless in practice because a link where looped back NS messages are permanently observed does not work with either NDP or ARP for IPv4. - draft-ietf-6man-enhanced-dad is now RFC 7527. Approved by: re (gjb) 2015-07-23T19:54:42Z Hiroki Sato hrs@FreeBSD.org 2015-07-23T19:54:42Z urn:sha1:c83d646d270d23552f0ec612f7d352f9c0b75486 Fix a bug which prevented ND6_IFF_IFDISABLED flag from clearing when the newly-added IPv6 address was /128. Approved by: re (gjb) 2015-06-20T08:25:27Z Michael Tuexen tuexen@FreeBSD.org 2015-06-20T08:25:27Z urn:sha1:8b84747295b1ab57cb5c71a55b37d46634c78d7d Add FIB support for SCTP. This fixes https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=200379 PR: 200379 2015-06-18T20:57:21Z Kristof Provost kp@FreeBSD.org 2015-06-18T20:57:21Z urn:sha1:57086958eb50c89d9b320b1d4565de57ee621da4 Evaluate packet size after the firewall had its chance Defer the packet size check until after the firewall has had a look at it. This means that the firewall now has the opportunity to (re-)fragment an oversized packet. Differential Revision: https://reviews.freebsd.org/D2821 Reviewed by: gnn 2015-06-18T20:45:37Z Kristof Provost kp@FreeBSD.org 2015-06-18T20:45:37Z urn:sha1:313ee62a2249d866383fd55a5da17f357514e440 Remove duplicate code We'll just fall into the same local delivery block under the 'if (m->m_flags & M_FASTFWD_OURS)'. Suggested by: ae Differential Revision: https://reviews.freebsd.org/D2820 Reviewed by: gnn 2015-06-18T20:40:36Z Kristof Provost kp@FreeBSD.org 2015-06-18T20:40:36Z urn:sha1:5f33cfc73ed13d388ef7c725de2906b134183d22 Preserve IPv6 fragment IDs accross reassembly and refragmentation When forwarding fragmented IPv6 packets and filtering with PF we reassemble and refragment. That means we generate new fragment headers and a new fragment ID. We already save the fragment IDs so we can do the reassembly so it's straightforward to apply the incoming fragment ID on the refragmented packets. Differential Revision: https://reviews.freebsd.org/D2817 Reviewed by: gnn 2015-06-18T20:32:53Z Kristof Provost kp@FreeBSD.org 2015-06-18T20:32:53Z urn:sha1:46ad7f560747d46f14ac2211e6c67a884043c551 Factor out ip6_fragment() function, to be used in IPv6 stack and pf(4). Differential Revision: https://reviews.freebsd.org/D2815 Reviewed by: gnn 2015-06-18T20:21:02Z Kristof Provost kp@FreeBSD.org 2015-06-18T20:21:02Z urn:sha1:e17b502b41cc727172eb3bb0480c828116ee2ba4 - Factor out ip6_deletefraghdr() function, to be shared between IPv6 stack and pf(4). - Move ip6_deletefraghdr() to frag6.c. (Suggested by bz) Differential Revision: https://reviews.freebsd.org/D2813 Reviewed by: gnn 2015-06-06T13:26:13Z Andrey V. Elsukov ae@FreeBSD.org 2015-06-06T13:26:13Z urn:sha1:03bb2aebc8b518d6165f313b6b842bce457fec43 Remove in_gif.h and in6_gif.h files. They only contain function declarations used by gif(4). Instead declare these functions in C files. Also make some variables static. MFC r276215: Extern declarations in C files loses compile-time checking that the functions' calls match their definitions. Move them to header files.