| -rw-r--r-- | contrib/blocklist/libexec/blacklistd-helper | 172 | ||||
| -rw-r--r-- | crypto/openssh/misc.c | 6 | ||||
| -rw-r--r-- | sbin/dumpon/dumpon.8 | 15 | ||||
| -rw-r--r-- | sbin/mksnap_ffs/mksnap_ffs.c | 2 | ||||
| -rw-r--r-- | share/man/man4/ciss.4 | 9 | ||||
| -rw-r--r-- | sys/cddl/dev/fbt/aarch64/fbt_isa.c | 2 | ||||
| -rw-r--r-- | sys/dev/nvme/nvme_ctrlr.c | 9 | ||||
| -rw-r--r-- | sys/dev/nvme/nvme_pci.c | 48 | ||||
| -rw-r--r-- | sys/dev/nvme/nvme_private.h | 6 | ||||
| -rw-r--r-- | sys/netgraph/ng_nat.c | 95 | ||||
| -rw-r--r-- | sys/netinet/ip_output.c | 13 | ||||
| -rw-r--r-- | sys/netinet/ip_var.h | 1 | ||||
| -rw-r--r-- | usr.bin/id/id.c | 10 | ||||
| -rw-r--r-- | usr.bin/truss/syscalls.c | 2 | ||||
| -rw-r--r-- | usr.sbin/cron/lib/env.c | 5 |
15 files changed, 303 insertions, 92 deletions
diff --git a/contrib/blocklist/libexec/blacklistd-helper b/contrib/blocklist/libexec/blacklistd-helper index f92eab8b29bd..fa53c8c84932 100644 --- a/contrib/blocklist/libexec/blacklistd-helper +++ b/contrib/blocklist/libexec/blacklistd-helper @@ -17,24 +17,41 @@ if [ -f "/etc/ipfw-blacklist.rc" ]; then fi if [ -z "$pf" ]; then - for f in npf pf ipf; do - if [ -f "/etc/$f.conf" ]; then + for f in npf pf ipfilter ipfw; do + if [ -x /etc/rc.d/$f ]; then + if /etc/rc.d/$f status >/dev/null 2>&1; then + pf="$f" + break + fi + elif [ -f "/etc/$f.conf" ]; then + # xxx assume a config file means it can be enabled -- + # and the first one wins! pf="$f" break fi done fi +if [ -z "$pf" -a -x "/sbin/iptables" ]; then + pf="iptables" +fi + if [ -z "$pf" ]; then echo "$0: Unsupported packet filter" 1>&2 exit 1 fi +flags= if [ -n "$3" ]; then + raw_proto="$3" proto="proto $3" + if [ $3 = "tcp" ]; then + flags="flags S/SAFR" + fi fi if [ -n "$6" ]; then + raw_port="$6" port="port $6" fi 
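Review bot: `$3` is expanded unquoted in `if [ $3 = "tcp" ]; then`, so a protocol argument containing whitespace or glob characters makes `test` fail with a syntax error instead of comparing cleanly; `if [ "$3" = "tcp" ]; then` matches the quoting already used in the enclosing `-n "$3"` check. The added `[ -z "$pf" -a -x "/sbin/iptables" ]` relies on `-a`, which POSIX marks obsolescent; `[ -z "$pf" ] && [ -x /sbin/iptables ]` is the unambiguous form. Note also that `raw_proto` and `raw_port` are assigned only when `$3`/`$6` are non-empty, which matters for the iptables branches added later in the file that use them unconditionally.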
@@ -51,12 +68,65 @@ esac case "$1" in add) case "$pf" in - ipf) - /sbin/ipfstat -io | /sbin/ipf -I -f - >/dev/null 2>&1 - echo block in quick $proto from $addr/$mask to \ - any port=$6 head port$6 | \ - /sbin/ipf -I -f - -s >/dev/null 2>&1 && echo OK + ipfilter) + # N.B.: If you reload /etc/ipf.conf then you need to stop and + # restart blacklistd (and make sure blacklistd_flags="-r"). + # This should normally already be implemented in + # /etc/rc.d/ipfilter, but if then not add the following lines to + # the end of the ipfilter_reload() function: + # + # if checkyesnox blacklistd; then + # /etc/rc.d/blacklistd restart + # fi + # + # XXX we assume the following rule is present in /etc/ipf.conf: + # (should we check? -- it probably cannot be added dynamically) + # + # block in proto tcp/udp from any to any head blacklistd + # + # where "blacklistd" is the default rulename (i.e. "$2") + # + # This rule can come before any rule that logs connections, + # etc., and should be followed by final rules such as: + # + # # log all as-yet unblocked incoming TCP connection + # # attempts + # log in proto tcp from any to any flags S/SAFR + # # last "pass" match wins for all non-blocked packets + # pass in all + # pass out all + # + # I.e. a "pass" rule which will be the final match and override + # the "block". This way the rules added by blacklistd will + # actually block packets, and prevent logging of them as + # connections, because they include the "quick" flag. + # + # N.b.: $port is not included/used in rules -- abusers are cut + # off completely from all services! + # + # Note RST packets are not returned for blocked SYN packets of + # active attacks, so the port will not appear to be closed. + # This will probably give away the fact that a firewall has been + # triggered to block connections, but it prevents generating + # extra outbound traffic, and it may also slow down the attacker + # somewhat. 
+ # + # Note also that we don't block all packets, just new attempts + # to open connections (see $flags above). This allows us to do + # counterespionage against the attacker (or continue to make use + # of any other services that might be on the same subnet as the + # supposed attacker). However it does not kill any active + # connections -- we rely on the reporting daemon to do its own + # protection and cleanup. + # + # N.B.: The rule generated here must exactly match the + # corresponding rule generated for the "rem" command below! + # + echo block in log quick $proto \ + from $addr/$mask to any $flags group $2 | \ + /sbin/ipf -A -f - >/dev/null 2>&1 && echo OK ;; + ipfw) # use $ipfw_offset+$port for rule number rule=$(($ipfw_offset + $6)) @@ -69,10 +139,23 @@ add) table"("$tname")" to any dst-port $6 >/dev/null && \ echo OK ;; + + iptables) + if ! /sbin/iptables --list "$2" >/dev/null 2>&1; then + /sbin/iptables --new-chain "$2" + fi + /sbin/iptables --append INPUT --proto "$raw_proto" \ + --dport "$raw_port" --jump "$2" + /sbin/iptables --append "$2" --proto "$raw_proto" \ + --source "$addr/$mask" --dport "$raw_port" --jump DROP + echo OK + ;; + npf) /sbin/npfctl rule "$2" add block in final $proto from \ "$addr/$mask" to any $port ;; + pf) # if the filtering rule does not exist, create it /sbin/pfctl -a "$2/$6" -sr 2>/dev/null | \ 
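Review bot: The ipfilter rule text is written out twice, here in `add` and again in the `rem` branch of a later hunk, with only a comment asking that the two stay identical. Building it once ahead of `case "$1"`, for example `ipf_rule="block in log quick $proto from $addr/$mask to any $flags group $2"`, and piping `echo $ipf_rule` in both branches removes the risk that a removal silently stops matching. Because ipf's output goes to `/dev/null`, a mismatch or a missing `head` rule in ipf.conf shows up only as the absence of `OK`; the long comment says the head rule is assumed present, but nothing checks it.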
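Review bot: Every `add` in the iptables branch appends a fresh `INPUT` jump to chain `$2`, so INPUT grows by one duplicate rule per blocked address, and nothing in the `rem` or `flush` branches removes those jumps. The branch also prints `OK` whatever the iptables commands return, and it passes `$raw_proto`/`$raw_port`, which the first hunk leaves unset when `$3` or `$6` is empty. Checking for the jump before appending it and tying `OK` to the DROP rule's exit status addresses the first two points. The enclosing `case` starts outside this hunk.

```sh
iptables)
	# … unchanged: create chain "$2" if it does not exist …
	# add the INPUT jump only once per proto/port
	/sbin/iptables --check INPUT --proto "$raw_proto" \
	    --dport "$raw_port" --jump "$2" 2>/dev/null || \
	    /sbin/iptables --append INPUT --proto "$raw_proto" \
		--dport "$raw_port" --jump "$2"
	/sbin/iptables --append "$2" --proto "$raw_proto" \
	    --source "$addr/$mask" --dport "$raw_port" --jump DROP && \
	    echo OK
	;;
```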
@@ -83,45 +166,100 @@ add) /sbin/pfctl -qa "$2/$6" -t "port$6" -T add "$addr/$mask" && \ /sbin/pfctl -qk "$addr" && echo OK ;; + esac ;; rem) case "$pf" in - ipf) - /sbin/ipfstat -io | /sbin/ipf -I -f - >/dev/null 2>&1 - echo block in quick $proto from $addr/$mask to \ - any port=$6 head port$6 | \ - /sbin/ipf -I -r -f - -s >/dev/null 2>&1 && echo OK + ipfilter) + # N.B.: The rule generated here must exactly match the + # corresponding rule generated for the "add" command above! + # + echo block in log quick $proto \ + from $addr/$mask to any $flags group $2 | \ + /sbin/ipf -A -r -f - >/dev/null 2>&1 && echo OK ;; + ipfw) /sbin/ipfw table "port$6" delete "$addr/$mask" 2>/dev/null && \ echo OK ;; + + iptables) + if /sbin/iptables --list "$2" >/dev/null 2>&1; then + /sbin/iptables --delete "$2" --proto "$raw_proto" \ + --source "$addr/$mask" --dport "$raw_port" \ + --jump DROP + fi + echo OK + ;; + npf) /sbin/npfctl rule "$2" rem-id "$7" ;; + pf) /sbin/pfctl -qa "$2/$6" -t "port$6" -T delete "$addr/$mask" && \ echo OK ;; + esac ;; flush) case "$pf" in - ipf) - /sbin/ipf -Z -I -Fi -s > /dev/null && echo OK + ipfilter) + # + # N.B. WARNING: This is obviously not reentrant! + # + # First we flush all the rules from the inactive set, then we + # reload the ones that do not belong to the group "$2", and + # finally we swap the active and inactive rule sets. + # + /sbin/ipf -I -F a + # + # "ipf -I -F a" also flushes active accounting rules! + # + # Note that accounting rule groups are unique to accounting + # rules and have nothing to do with filter rules, though of + # course theoretically one could use the same group name for + # them too. 
+ # + # In theory anyone using any such accounting rules should have a + # wrapper /etc/rc.conf.d/blacklistd script (and corresponding + # /etc/rc.conf.d/ipfilter script) that will record and + # consolidate the values accumulated by such accounting rules + # before they are flushed, since otherwise their counts will be + # lost forever. + # + /usr/sbin/ipfstat -io | fgrep -v "group $2" | \ + /sbin/ipf -I -f - >/dev/null 2>&1 + # + # This MUST be done last and separately as "-s" is executed + # _while_ the command arguments are being processed! + # + /sbin/ipf -s && echo OK ;; + ipfw) /sbin/ipfw table "port$6" flush 2>/dev/null && echo OK ;; + + iptables) + if /sbin/iptables --list "$2" >/dev/null 2>&1; then + /sbin/iptables --flush "$2" + fi + echo OK + ;; + npf) /sbin/npfctl rule "$2" flush ;; + pf) # dynamically determine which anchors exist - for anchor in $(/sbin/pfctl -a "$2" -s Anchors); do - /sbin/pfctl -a $anchor -t "port${anchor##*/}" -T flush - /sbin/pfctl -a $anchor -F rules + for anchor in $(/sbin/pfctl -a "$2" -s Anchors 2> /dev/null); do + /sbin/pfctl -a "$anchor" -t "port${anchor##*/}" -T flush + /sbin/pfctl -a "$anchor" -F rules done echo OK ;; diff --git a/crypto/openssh/misc.c b/crypto/openssh/misc.c index 1b4b55c5034d..e129218cdd5c 100644 --- a/crypto/openssh/misc.c +++ b/crypto/openssh/misc.c @@ -2534,8 +2534,10 @@ format_absolute_time(uint64_t t, char *buf, size_t len) time_t tt = t > SSH_TIME_T_MAX ? SSH_TIME_T_MAX : t; struct tm tm; - localtime_r(&tt, &tm); - strftime(buf, len, "%Y-%m-%dT%H:%M:%S", &tm); + if (localtime_r(&tt, &tm) == NULL) + strlcpy(buf, "UNKNOWN-TIME", len); + else + strftime(buf, len, "%Y-%m-%dT%H:%M:%S", &tm); } /* diff --git a/sbin/dumpon/dumpon.8 b/sbin/dumpon/dumpon.8 index 59d199a2de17..b607f8717ff9 100644 --- a/sbin/dumpon/dumpon.8 +++ b/sbin/dumpon/dumpon.8 
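Review bot: In the ipfilter `flush` branch the final `/sbin/ipf -s` swaps rule sets whether or not the reload pipeline before it succeeded, so if `ipfstat` fails or prints nothing, the freshly flushed, empty inactive set becomes the active one and filtering is lost. Chaining the swap to the reload, `/sbin/ipf -I -f - >/dev/null 2>&1 && /sbin/ipf -s && echo OK`, covers an ipf load failure; a failing `ipfstat` on the left of the pipe still needs its own check, since plain sh does not propagate it. The pipeline also calls `/usr/sbin/ipfstat` where the removed code used `/sbin/ipfstat`, which is worth confirming on each target system. Finally, `fgrep -v "group $2"` is a substring match, so it also drops rules of any other group whose name begins with `$2`.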
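Review bot: The `strftime()` result is still ignored in the new `else` branch of `format_absolute_time()`; when it returns 0 because the buffer is too small, the contents of `buf` are unspecified, which is the same class of problem the added `localtime_r()` check addresses. Falling back the same way keeps the output defined: `else if (strftime(buf, len, "%Y-%m-%dT%H:%M:%S", &tm) == 0) strlcpy(buf, "UNKNOWN-TIME", len);`. Whether any caller passes a buffer shorter than the formatted timestamp is not visible from this hunk.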
@@ -230,6 +230,20 @@ total amount of physical memory as reported by the .Va hw.physmem .Xr sysctl 8 variable. +.Sh SYSCTL VARIABLES +The following +.Xr sysctl 8 +variables can be used to modify or monitor the behavior of crash dumps: +.Bl -tag -width "machdep.dump_retry_count" +.It Va debug.minidump +Set the type of kernel crash dump. +Possible values are 0 for a full crash dump or 1 for a minidump. +The default is minidump. +.It Va machdep.dump_retry_count +The maximum number of times dump will retry before giving up. +The default value is 5. +This sysctl is only supported on PowerPC and AMD64. +.El .Sh IMPLEMENTATION NOTES Because the file system layer is already dead by the time a crash dump is taken, it is not possible to send crash dumps directly to a file. @@ -379,6 +393,7 @@ needed. .Xr loader 8 , .Xr rc 8 , .Xr savecore 8 , +.Xr sysctl 8 , .Xr swapon 8 , .Xr panic 9 .Sh HISTORY diff --git a/sbin/mksnap_ffs/mksnap_ffs.c b/sbin/mksnap_ffs/mksnap_ffs.c index 0d8e32a15ab3..58939cc69029 100644 --- a/sbin/mksnap_ffs/mksnap_ffs.c +++ b/sbin/mksnap_ffs/mksnap_ffs.c @@ -150,7 +150,7 @@ main(int argc, char **argv) errx(1, "%s: Not a mount point", stfsbuf.f_mntonname); } if (cp != stfsbuf.f_mntonname) - strlcpy(stfsbuf.f_mntonname, cp, sizeof(stfsbuf.f_mntonname)); + memmove(stfsbuf.f_mntonname, cp, strlen(cp) + 1); /* * Having verified access to the directory in which the diff --git a/share/man/man4/ciss.4 b/share/man/man4/ciss.4 index 28d6556ecd85..d731aaddad38 100644 --- a/share/man/man4/ciss.4 +++ b/share/man/man4/ciss.4 @@ -1,7 +1,7 @@ .\" Written by Tom Rhodes .\" This file is in the public domain. .\" -.Dd January 26, 2012 +.Dd November 6, 2025 .Dt CISS 4 .Os .Sh NAME 
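Review bot: The switch from `strlcpy()` to `memmove()` in mksnap_ffs.c has no comment explaining it, and the bound that `strlcpy()` made explicit is now only implied. Presumably `cp` points into `stfsbuf.f_mntonname` itself (its assignment is outside the hunk), which makes the regions overlap and guarantees the copy fits; a short comment would record that, e.g. `/* cp points into f_mntonname: overlapping copy, always fits */`. If `cp` can ever come from another buffer, the length needs an explicit check against `sizeof(stfsbuf.f_mntonname)`.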
@@ -87,9 +87,10 @@ might be solved by updating the firmware and/or setting the .Va hw.ciss.nop_message_heartbeat tunable to non-zero at boot time. .Sh HARDWARE -Controllers supported by the +The .Nm -driver include: +driver supports controllers implementing +Common Interface for SCSI-3 Support Open Specification v1.04, including: .Pp .Bl -bullet -compact .It @@ -145,6 +146,8 @@ HP Smart Array P430i .It HP Smart Array P431 .It +HP Smart Array P440ar +.It HP Smart Array P530 .It HP Smart Array P531 diff --git a/sys/cddl/dev/fbt/aarch64/fbt_isa.c b/sys/cddl/dev/fbt/aarch64/fbt_isa.c index fd666770d3a2..b265f6a1e23e 100644 --- a/sys/cddl/dev/fbt/aarch64/fbt_isa.c +++ b/sys/cddl/dev/fbt/aarch64/fbt_isa.c @@ -105,7 +105,7 @@ fbt_provide_module_function(linker_file_t lf, int symindx, */ if (strcmp(name, "handle_el1h_sync") == 0 || strcmp(name, "do_el1h_sync") == 0) - return (1); + return (0); instr = (uint32_t *)(symval->value); limit = (uint32_t *)(symval->value + symval->size); diff --git a/sys/dev/nvme/nvme_ctrlr.c b/sys/dev/nvme/nvme_ctrlr.c index 6f5d6ae74add..ce203e2869fd 100644 --- a/sys/dev/nvme/nvme_ctrlr.c +++ b/sys/dev/nvme/nvme_ctrlr.c @@ -1584,9 +1584,14 @@ noadminq: bus_release_resource(ctrlr->dev, SYS_RES_IRQ, rman_get_rid(ctrlr->res), ctrlr->res); - if (ctrlr->bar4_resource != NULL) { + if (ctrlr->msix_table_resource != NULL) { bus_release_resource(dev, SYS_RES_MEMORY, - ctrlr->bar4_resource_id, ctrlr->bar4_resource); + ctrlr->msix_table_resource_id, ctrlr->msix_table_resource); + } + + if (ctrlr->msix_pba_resource != NULL) { + bus_release_resource(dev, SYS_RES_MEMORY, + ctrlr->msix_pba_resource_id, ctrlr->msix_pba_resource); } bus_release_resource(dev, SYS_RES_MEMORY, diff --git a/sys/dev/nvme/nvme_pci.c b/sys/dev/nvme/nvme_pci.c index a78327ba0e8b..9c40c3d9f5c7 100644 --- a/sys/dev/nvme/nvme_pci.c +++ b/sys/dev/nvme/nvme_pci.c 
@@ -154,11 +154,15 @@ nvme_ctrlr_allocate_bar(struct nvme_controller *ctrlr) { ctrlr->resource_id = PCIR_BAR(0); + ctrlr->msix_table_resource_id = -1; + ctrlr->msix_table_resource = NULL; + ctrlr->msix_pba_resource_id = -1; + ctrlr->msix_pba_resource = NULL; ctrlr->resource = bus_alloc_resource_any(ctrlr->dev, SYS_RES_MEMORY, &ctrlr->resource_id, RF_ACTIVE); - if(ctrlr->resource == NULL) { + if (ctrlr->resource == NULL) { nvme_printf(ctrlr, "unable to allocate pci resource\n"); return (ENOMEM); } 
@@ -168,15 +172,32 @@ nvme_ctrlr_allocate_bar(struct nvme_controller *ctrlr) ctrlr->regs = (struct nvme_registers *)ctrlr->bus_handle; /* - * The NVMe spec allows for the MSI-X table to be placed behind - * BAR 4/5, separate from the control/doorbell registers. Always - * try to map this bar, because it must be mapped prior to calling - * pci_alloc_msix(). If the table isn't behind BAR 4/5, - * bus_alloc_resource() will just return NULL which is OK. + * The NVMe spec allows for the MSI-X tables to be placed behind + * BAR 4 and/or 5, separate from the control/doorbell registers. */ - ctrlr->bar4_resource_id = PCIR_BAR(4); - ctrlr->bar4_resource = bus_alloc_resource_any(ctrlr->dev, SYS_RES_MEMORY, - &ctrlr->bar4_resource_id, RF_ACTIVE); + + ctrlr->msix_table_resource_id = pci_msix_table_bar(ctrlr->dev); + ctrlr->msix_pba_resource_id = pci_msix_pba_bar(ctrlr->dev); + + if (ctrlr->msix_table_resource_id >= 0 && + ctrlr->msix_table_resource_id != ctrlr->resource_id) { + ctrlr->msix_table_resource = bus_alloc_resource_any(ctrlr->dev, + SYS_RES_MEMORY, &ctrlr->msix_table_resource_id, RF_ACTIVE); + if (ctrlr->msix_table_resource == NULL) { + nvme_printf(ctrlr, "unable to allocate msi-x table resource\n"); + return (ENOMEM); + } + } + if (ctrlr->msix_pba_resource_id >= 0 && + ctrlr->msix_pba_resource_id != ctrlr->resource_id && + ctrlr->msix_pba_resource_id != ctrlr->msix_table_resource_id) { + ctrlr->msix_pba_resource = bus_alloc_resource_any(ctrlr->dev, + SYS_RES_MEMORY, &ctrlr->msix_pba_resource_id, RF_ACTIVE); + if (ctrlr->msix_pba_resource == NULL) { + nvme_printf(ctrlr, "unable to allocate msi-x pba resource\n"); + return (ENOMEM); + } + } return (0); } 
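Review bot: Failing to map the MSI-X table or PBA BAR now makes `nvme_ctrlr_allocate_bar()` return `ENOMEM`, whereas the removed comment treated a NULL BAR 4 mapping as acceptable. If the caller treats this as a fatal attach error, a controller that could still operate with MSI or INTx would no longer attach. If that is intended, say so at the failure branches, e.g. `/* MSI-X BARs must be mappable; fail attach rather than fall back */`; otherwise leave the resource NULL and continue. The early returns leave BAR 0 (and possibly the table BAR) allocated; releasing them appears to be left to the caller's `bad:` path, which is outside this hunk.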
@@ -202,9 +223,14 @@ bad: ctrlr->resource_id, ctrlr->resource); } - if (ctrlr->bar4_resource != NULL) { + if (ctrlr->msix_table_resource != NULL) { + bus_release_resource(dev, SYS_RES_MEMORY, + ctrlr->msix_table_resource_id, ctrlr->msix_table_resource); + } + + if (ctrlr->msix_pba_resource != NULL) { bus_release_resource(dev, SYS_RES_MEMORY, - ctrlr->bar4_resource_id, ctrlr->bar4_resource); + ctrlr->msix_pba_resource_id, ctrlr->msix_pba_resource); } if (ctrlr->tag) diff --git a/sys/dev/nvme/nvme_private.h b/sys/dev/nvme/nvme_private.h index 36e04ceb7f31..93833672674a 100644 --- a/sys/dev/nvme/nvme_private.h +++ b/sys/dev/nvme/nvme_private.h @@ -233,8 +233,10 @@ struct nvme_controller { * separate from the control registers which are in BAR 0/1. These * members track the mapping of BAR 4/5 for that reason. */ - int bar4_resource_id; - struct resource *bar4_resource; + int msix_table_resource_id; + struct resource *msix_table_resource; + int msix_pba_resource_id; + struct resource *msix_pba_resource; int msi_count; uint32_t enable_aborts; diff --git a/sys/netgraph/ng_nat.c b/sys/netgraph/ng_nat.c index ae083608a199..9c09d3305ef9 100644 --- a/sys/netgraph/ng_nat.c +++ b/sys/netgraph/ng_nat.c @@ -812,7 +812,8 @@ ng_nat_rcvdata(hook_p hook, item_p item ) if (ip->ip_v != IPVERSION) goto send; /* other IP version, let it pass */ - if (m->m_pkthdr.len < ipofs + ntohs(ip->ip_len)) + uint16_t ip_len = ntohs(ip->ip_len); + if (m->m_pkthdr.len < (ipofs + ip_len)) goto send; /* packet too short (i.e. fragmented or broken) */ /* 
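Review bot: In nvme_private.h the comment above the renamed members still says they "track the mapping of BAR 4/5", but after this change the ids come from `pci_msix_table_bar()`/`pci_msix_pba_bar()` and are no longer tied to BAR 4. Suggest rewording the tail of that comment to `These members track the BARs holding the MSI-X table and PBA when those differ from the register BAR.` The struct definition continues outside the hunk.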
@@ -846,50 +847,68 @@ ng_nat_rcvdata(hook_p hook, item_p item ) if (rval == PKT_ALIAS_RESPOND) m->m_flags |= M_SKIP_FIREWALL; - m->m_pkthdr.len = m->m_len = ntohs(ip->ip_len) + ipofs; - if ((ip->ip_off & htons(IP_OFFMASK)) == 0 && - ip->ip_p == IPPROTO_TCP) { - struct tcphdr *th = (struct tcphdr *)((caddr_t)ip + - (ip->ip_hl << 2)); + /* Re-read just in case it has been updated */ + ip_len = ntohs(ip->ip_len); + int new_m_len = ip_len + ipofs; + if (new_m_len > (m->m_len + M_TRAILINGSPACE(m))) { /* - * Here is our terrible HACK. - * - * Sometimes LibAlias edits contents of TCP packet. - * In this case it needs to recompute full TCP - * checksum. However, the problem is that LibAlias - * doesn't have any idea about checksum offloading - * in kernel. To workaround this, we do not do - * checksumming in LibAlias, but only mark the - * packets in th_x2 field. If we receive a marked - * packet, we calculate correct checksum for it - * aware of offloading. - * - * Why do I do such a terrible hack instead of - * recalculating checksum for each packet? - * Because the previous checksum was not checked! - * Recalculating checksums for EVERY packet will - * hide ALL transmission errors. Yes, marked packets - * still suffer from this problem. But, sigh, natd(8) - * has this problem, too. + * This is just a safety railguard to make sure LibAlias has not + * screwed the IP packet up somehow, should probably be KASSERT() + * at some point. Calling in_delayed_cksum() will parse IP packet + * again and reliably panic if there is less data than the IP + * header declares, there might be some other places too. 
*/ + log(LOG_ERR, "ng_nat_rcvdata: outgoing packet corrupted, " + "not enough data: expected %d, available (%d - %d)\n", + ip_len, m->m_len + (int)M_TRAILINGSPACE(m), ipofs); + NG_FREE_ITEM(item); + return (ENXIO); + } + + m->m_pkthdr.len = m->m_len = new_m_len; - if (th->th_x2) { - uint16_t ip_len = ntohs(ip->ip_len); + if ((ip->ip_off & htons(IP_OFFMASK)) != 0 || ip->ip_p != IPPROTO_TCP) + goto send; - th->th_x2 = 0; - th->th_sum = in_pseudo(ip->ip_src.s_addr, - ip->ip_dst.s_addr, htons(IPPROTO_TCP + - ip_len - (ip->ip_hl << 2))); + uint16_t pl_offset = ip->ip_hl << 2; + struct tcphdr *th = (struct tcphdr *)((caddr_t)ip + pl_offset); - if ((m->m_pkthdr.csum_flags & CSUM_TCP) == 0) { - m->m_pkthdr.csum_data = offsetof(struct tcphdr, - th_sum); - in_delayed_cksum(m); - } - } - } + /* + * Here is our terrible HACK. + * + * Sometimes LibAlias edits contents of TCP packet. + * In this case it needs to recompute full TCP + * checksum. However, the problem is that LibAlias + * doesn't have any idea about checksum offloading + * in kernel. To workaround this, we do not do + * checksumming in LibAlias, but only mark the + * packets in th_x2 field. If we receive a marked + * packet, we calculate correct checksum for it + * aware of offloading. + * + * Why do I do such a terrible hack instead of + * recalculating checksum for each packet? + * Because the previous checksum was not checked! + * Recalculating checksums for EVERY packet will + * hide ALL transmission errors. Yes, marked packets + * still suffer from this problem. But, sigh, natd(8) + * has this problem, too. + */ + + if (!th->th_x2) + goto send; + + th->th_x2 = 0; + th->th_sum = in_pseudo(ip->ip_src.s_addr, ip->ip_dst.s_addr, + htons(IPPROTO_TCP + ip_len - pl_offset)); + + if ((m->m_pkthdr.csum_flags & CSUM_TCP) != 0) + goto send; + + m->m_pkthdr.csum_data = offsetof(struct tcphdr, th_sum); + in_delayed_cksum_o(m, ipofs); send: if (hook == priv->in) 
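Review bot: The new guard bounds `ip_len + ipofs` from above only. Before `th->th_x2` is read, nothing in this hunk checks that the (possibly LibAlias-rewritten) `ip_len` still covers the IP header plus a TCP header, and `IPPROTO_TCP + ip_len - pl_offset` goes negative and is truncated by `htons()` if `ip_len` is smaller than `pl_offset`. A lower-bound test right after `pl_offset` is computed would close that, e.g. `if (ip_len < pl_offset + sizeof(struct tcphdr)) goto send;` (or drop the packet). The function starts and ends outside the hunk, so an equivalent check may already exist earlier. The `log(LOG_ERR, ...)` on the failure path is triggered by packet contents and is not rate limited as written.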
diff --git a/sys/netinet/ip_output.c b/sys/netinet/ip_output.c index 66051c9c711c..e3ef8e2c7dd9 100644 --- a/sys/netinet/ip_output.c +++ b/sys/netinet/ip_output.c @@ -1045,14 +1045,14 @@ done: } void -in_delayed_cksum(struct mbuf *m) +in_delayed_cksum_o(struct mbuf *m, uint16_t iph_offset) { struct ip *ip; struct udphdr *uh; uint16_t cklen, csum, offset; - ip = mtod(m, struct ip *); - offset = ip->ip_hl << 2 ; + ip = (struct ip *)mtodo(m, iph_offset); + offset = iph_offset + (ip->ip_hl << 2); if (m->m_pkthdr.csum_flags & CSUM_UDP) { /* if udp header is not in the first mbuf copy udplen */ @@ -1079,6 +1079,13 @@ in_delayed_cksum(struct mbuf *m) *(u_short *)mtodo(m, offset) = csum; } +void +in_delayed_cksum(struct mbuf *m) +{ + + in_delayed_cksum_o(m, 0); +} + /* * IP socket option processing. */ diff --git a/sys/netinet/ip_var.h b/sys/netinet/ip_var.h index 3220679d749f..a1402f4fa268 100644 --- a/sys/netinet/ip_var.h +++ b/sys/netinet/ip_var.h @@ -259,6 +259,7 @@ VNET_DECLARE(struct pfil_head *, inet_local_pfil_head); #define PFIL_INET_LOCAL_NAME "inet-local" void in_delayed_cksum(struct mbuf *m); +void in_delayed_cksum_o(struct mbuf *m, uint16_t o); /* Hooks for ipfw, dummynet, divert etc. Most are declared in raw_ip.c */ /* diff --git a/usr.bin/id/id.c b/usr.bin/id/id.c index 238c6f2bf709..342a891e4165 100644 --- a/usr.bin/id/id.c +++ b/usr.bin/id/id.c @@ -79,19 +79,13 @@ main(int argc, char *argv[]) { struct group *gr; struct passwd *pw; -#ifdef USE_BSM_AUDIT - bool Aflag; -#endif - bool Gflag, Mflag, Pflag; + bool Aflag, Gflag, Mflag, Pflag; bool cflag, dflag, gflag, nflag, pflag, rflag, sflag, uflag; int ch, combo, error, id; const char *myname, *optstr; char loginclass[MAXLOGNAME]; -#ifdef USE_BSM_AUDIT - Aflag = false; -#endif - Gflag = Mflag = Pflag = false; + Aflag = Gflag = Mflag = Pflag = false; cflag = dflag = gflag = nflag = pflag = rflag = sflag = uflag = false; myname = getprogname(); 
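Review bot: `in_delayed_cksum_o()` dereferences `mtodo(m, iph_offset)` without anything in the hunk establishing that the first mbuf holds `iph_offset + sizeof(struct ip)` bytes, and as a newly exported function it carries no comment stating that precondition. An assertion at the top documents and enforces it on debug kernels: `KASSERT(m->m_len >= iph_offset + sizeof(struct ip), ("%s: short mbuf", __func__));`. Only `offset` is adjusted in the visible lines; the code that computes the checksum length is outside the hunk, and any length there still counted from the IP header rather than from the start of the mbuf would need `iph_offset` added too, which is worth confirming. The prototype added in ip_var.h names the parameter `o` while the definition uses `iph_offset`.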
diff --git a/usr.bin/truss/syscalls.c b/usr.bin/truss/syscalls.c index 47d6aef8f6ff..a6b6d4ec187e 100644 --- a/usr.bin/truss/syscalls.c +++ b/usr.bin/truss/syscalls.c @@ -401,7 +401,7 @@ static const struct syscall_decode decoded_syscalls[] = { { .name = "nanosleep", .ret_type = 1, .nargs = 1, .args = { { Timespec, 0 } } }, { .name = "nmount", .ret_type = 1, .nargs = 3, - .args = { { Ptr, 0 }, { UInt, 1 }, { Mountflags, 2 } } }, + .args = { { Iovec | IN, 0 }, { UInt, 1 }, { Mountflags, 2 } } }, { .name = "open", .ret_type = 1, .nargs = 3, .args = { { Name | IN, 0 }, { Open, 1 }, { Octal, 2 } } }, { .name = "openat", .ret_type = 1, .nargs = 4, diff --git a/usr.sbin/cron/lib/env.c b/usr.sbin/cron/lib/env.c index 36c5fca12117..b4dcf4ac5325 100644 --- a/usr.sbin/cron/lib/env.c +++ b/usr.sbin/cron/lib/env.c @@ -58,7 +58,7 @@ env_copy(char **envp) for (count = 0; envp[count] != NULL; count++) ; - p = (char **) malloc((count+1) * sizeof(char *)); /* 1 for the NULL */ + p = (char **) reallocarray(NULL, count+1, sizeof(char *)); /* 1 for the NULL */ if (p == NULL) { errno = ENOMEM; return NULL; @@ -115,8 +115,7 @@ env_set(char **envp, char *envstr) * one, save our string over the old null pointer, and return resized * array. */ - p = (char **) realloc((void *) envp, - (unsigned) ((count+1) * sizeof(char *))); + p = (char **) reallocarray(envp, count+1, sizeof(char *)); if (p == NULL) { /* XXX env_free(envp); */ errno = ENOMEM; |
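Review bot: When `reallocarray()` fails in `env_set()`, the original `envp` is left allocated, and the error path visible here does not free it (the `env_free(envp)` call is commented out with an XXX), so ownership on failure is undocumented. A comment at the failure branch would settle it, e.g. `/* envp is untouched on failure and still owned by the caller */`; otherwise the XXX should be resolved one way or the other. `reallocarray()` already sets `errno` to `ENOMEM` on failure, so the explicit assignments here and in `env_copy()` are redundant, and the `(char **)` casts are unnecessary in C. The function body continues past the end of the hunk.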
