| Commit message (Collapse) | Author | Age | Files | Lines |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
It's possible for the capture buffer to be smaller than indicated by the
header length. However, pfsync_print() only took the header length into
account. As a result we could read outside of the buffer.
Check that we have at least the expected amount of data before we start
parsing.
PR: 278034
MFC after: 2 weeks
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D44580
|
|
|
|
|
|
|
|
|
|
| |
When print-ip-demux.c was introduced on ee67461e, the pfsync_ip_print
function was missed, causing tcpdump to treat pfsync packets on network
interfaces as an unknown protocol.
MFC after: 1 week
Sponsored by: InnoGames GmbH
Differential Revision: https://reviews.freebsd.org/D42504
|
|
|
|
|
|
|
|
|
|
|
| |
An explicit tzset() call is usually not needed as it happens implicitly
the first time we call localtime() or mktime(), but in some cases
(sandboxing, chroot) this may be too late.
PR: 273807
MFC after: 3 days
Reviewed by: jrm
Differential Revision: https://reviews.freebsd.org/D41880
|
|
|
|
|
|
|
|
| |
Fixes: ee67461e (tpcdump: Update to 4.99.4)
Reported by: glebius
Reviewed by: kp
Differential Revision: https://reviews.freebsd.org/D40578
|
|
|
|
| |
Fixes: ee67461e56828dd1f8de165947ba83f6d9148a87
|
|\
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Local changes:
- Update some local modifications to fix build
- Synch config.h with upstream as much as possible
Changelog: https://git.tcpdump.org/tcpdump/blob/55bc126b0216cfe409b8d6bd378f65679d136ddf:/CHANGES
Reviewed by: emaste
Obtained from: https://www.tcpdump.org/release/tcpdump-4.99.4.tar.gz
Sponsored by: The FreeBSD Foundation
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Make struct pfsync_state contents configurable by sending out new
versions of the structure in separate subheader actions. Both old and
new version of struct pfsync_state can be understood, so replication of
states from a system running an older kernel is possible. The version
being sent out is configured using ifconfig pfsync0 … version XXXX. The
version is an user-friendly string - 1301 stands for FreeBSD 13.1 (I
have checked synchronization against a host running 13.1), 1400 stands
for 14.0.
A host running an older kernel will just ignore the messages and count
them as "packets discarded for bad action".
Reviewed by: kp
Sponsored by: InnoGames GmbH
Differential Revision: https://reviews.freebsd.org/D39392
|
| |
| |
| |
| |
| |
| | |
Reviewed by: kp
Sponsored by: InnoGames GmbH
Differential Revision: https://reviews.freebsd.org/D39586
|
| |
| |
| |
| |
| |
| | |
See also: https://github.com/the-tcpdump-group/tcpdump/commit/51f9c3b947eac89254c4e3662902487e0844a699
Reviewed by: emaste
Sponsored by: The FreeBSD Foundation
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Allow users to set a number on rules which will be exposed as part of
the pflog header.
The intent behind this is to allow users to correlate rules across
updates (remember that pf rules continue to exist and match existing
states, even if they're removed from the active ruleset) and pflog.
Obtained from: pfSense
MFC after: 3 weeks
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D32750
|
| |
| |
| |
| |
| |
| |
| | |
Reviewed by: kp, scottl
Obtained from: pfsense
MFC after: 1 week
Differential Revision: https://reviews.freebsd.org/D31153
|
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Such change should not have happen without prior discussion and review.
With hat: transitioning core
Notes:
svn path=/head/; revision=362488
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
No functional change intended.
s/Master Boot/Main Boot/ (also called MBR)
MFC after: 1 week
Sponsored by: Mellanox Technologies
Notes:
svn path=/head/; revision=362466
|
|\|
| |
| |
| |
| |
| |
| |
| |
| | |
Update tcpdump from 4.9.2 to 4.9.3.
MFC after: 2 weeks
Notes:
svn path=/head/; revision=355989
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
The -E is used to provide a secret for decrypting IPsec.
The secret may be provided through command line or as the file.
The problem is that tcpdump doesn't support yet opening files in capability mode
and the file may contain a list of the files to open.
As a workaround, for now, let's just disable capsicum if the -E
the option is provided.
PR: 236819
MFC after: 2 weeks
Notes:
svn path=/head/; revision=346263
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
This fixes tcpdump when using mlx5_X devices.
Differential Revision: https://reviews.freebsd.org/D18499
Reviewed by: kib@, slavash@, oshogbo@
MFC after: 1 week
Sponsored by: Mellanox Technologies
Notes:
svn path=/head/; revision=341844
|
| |
| |
| |
| |
| |
| |
| |
| | |
Reported by: pjd
MFC after: 3 weeks
Notes:
svn path=/head/; revision=340363
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
If pf logs the user id ('pass out log (user)') have tcpdump also print
this.
Example output:
00:00:00.000000 rule 0/0(match) [uid 1001]: pass out on vtnet0: (tos 0x0, ttl 64, id 57539, offset 0, flags [none], proto UDP (17), length 55)
172.16.2.2.18337 > 172.16.2.1.53: [bad udp cksum 0x5c58 -> 0x16e4!] 40222+ A? google.be. (27)
PR: 122773
Differential Revision: https://reviews.freebsd.org/D17625
Notes:
svn path=/head/; revision=339557
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Not all libpcap backends use the BPF compatible set
of IOCTLs. For example the mlx5 backend uses libibverbs
which is currently not capsicum compatible.
Disable sandboxing for such backends.
MFC after: 3 days
Discussed with: emaste@
Approved by: re (kib)
Sponsored by: Mellanox Technologies
Notes:
svn path=/head/; revision=338613
|
|\|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Vendor import two upstream commits:
c1bb8784abd3ca978e376b0d10e324db0491237b
9c4af7213cc2543a1f5586d8f2c19f86aa0cbe72
When using tcpdump -I -i wlanN and wlanN is not a monitor mode VAP,
tcpdump will print an error message saying rfmon is not supported.
Give a concise explanation as to how one might solve this problem by
creating a monitor mode VAP.
MFC after: 1 month
Approved by: hselasky (mentor), kib (mentor)
Sponsored by: Mellanox Technologies
Notes:
svn path=/head/; revision=334318
|
|\|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
It contains many fixes, including bounds checking, buffer overflows (in
SLIP and bittok2str_internal), buffer over-reads, and infinite loops.
One other notable change:
Do not use getprotobynumber() for protocol name resolution.
Do not do any protocol name resolution if -n is specified.
Submitted by: gordon
Reviewed by: delphij, emaste, glebius
MFC after: 1 week
Relnotes: Yes
Security: CVE-2017-11108, CVE-2017-11541, CVE-2017-11542
Security: CVE-2017-11543, CVE-2017-12893, CVE-2017-12894
Security: CVE-2017-12895, CVE-2017-12896, CVE-2017-12897
Security: CVE-2017-12898, CVE-2017-12899, CVE-2017-12900
Security: CVE-2017-12901, CVE-2017-12902, CVE-2017-12985
Security: CVE-2017-12986, CVE-2017-12987, CVE-2017-12988
Security: CVE-2017-12989, CVE-2017-12990, CVE-2017-12991
Security: CVE-2017-12992, CVE-2017-12993, CVE-2017-12994
Security: CVE-2017-12995, CVE-2017-12996, CVE-2017-12997
Security: CVE-2017-12998, CVE-2017-12999, CVE-2017-13000
Security: CVE-2017-13001, CVE-2017-13002, CVE-2017-13003
Security: CVE-2017-13004, CVE-2017-13005, CVE-2017-13006
Security: CVE-2017-13007, CVE-2017-13008, CVE-2017-13009
Security: CVE-2017-13010, CVE-2017-13011, CVE-2017-13012
Security: CVE-2017-13013, CVE-2017-13014, CVE-2017-13015
Security: CVE-2017-13016, CVE-2017-13017, CVE-2017-13018
Security: CVE-2017-13019, CVE-2017-13020, CVE-2017-13021
Security: CVE-2017-13022, CVE-2017-13023, CVE-2017-13024
Security: CVE-2017-13025, CVE-2017-13026, CVE-2017-13027
Security: CVE-2017-13028, CVE-2017-13029, CVE-2017-13030
Security: CVE-2017-13031, CVE-2017-13032, CVE-2017-13033
Security: CVE-2017-13034, CVE-2017-13035, CVE-2017-13036
Security: CVE-2017-13037, CVE-2017-13038, CVE-2017-13039
Security: CVE-2017-13040, CVE-2017-13041, CVE-2017-13042
Security: CVE-2017-13043, CVE-2017-13044, CVE-2017-13045
Security: CVE-2017-13046, CVE-2017-13047, CVE-2017-13048
Security: CVE-2017-13049, CVE-2017-13050, CVE-2017-13051
Security: CVE-2017-13052, CVE-2017-13053, CVE-2017-13054
Security: CVE-2017-13055, CVE-2017-13687, CVE-2017-13688
Security: CVE-2017-13689, CVE-2017-13690, CVE-2017-13725
Differential Revision: https://reviews.freebsd.org/D12404
Notes:
svn path=/head/; revision=326613
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Using HAVE_* is a internal tcpdump style standard.
We want to be consistent with the standard to upstream those changes in
the future.
Requested by: glebius@
Notes:
svn path=/head/; revision=324287
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
let's standardize this. Now we are always use WITH_CASPER name.
Discussed with: emaste@
MFC after: 1 month
Notes:
svn path=/head/; revision=323866
|
| |
| |
| |
| |
| |
| |
| |
| |
| | |
if tcpdump(1) is run on non-existent interface.
Suggested by: zeising
Notes:
svn path=/head/; revision=317409
|
|\ \
| | |
| | |
| | | |
Notes:
svn path=/projects/clang400-import/; revision=313301
|
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
make it easier to upstream HAVE_CASPER patch.
Notes:
svn path=/head/; revision=313104
|
|\| |
| | |
| | |
| | | |
Notes:
svn path=/projects/clang400-import/; revision=313055
|
|/| |
| |/
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
It fixes many buffer overflow in different protocol parsers, but none of
them are critical, even in absense of Capsicum.
Security: CVE-2016-7922, CVE-2016-7923, CVE-2016-7924, CVE-2016-7925
Security: CVE-2016-7926, CVE-2016-7927, CVE-2016-7928, CVE-2016-7929
Security: CVE-2016-7930, CVE-2016-7931, CVE-2016-7932, CVE-2016-7933
Security: CVE-2016-7934, CVE-2016-7935, CVE-2016-7936, CVE-2016-7937
Security: CVE-2016-7938, CVE-2016-7939, CVE-2016-7940, CVE-2016-7973
Security: CVE-2016-7974, CVE-2016-7975, CVE-2016-7983, CVE-2016-7984
Security: CVE-2016-7985, CVE-2016-7986, CVE-2016-7992, CVE-2016-7993
Security: CVE-2016-8574, CVE-2016-8575, CVE-2017-5202, CVE-2017-5203
Security: CVE-2017-5204, CVE-2017-5205, CVE-2017-5341, CVE-2017-5342
Security: CVE-2017-5482, CVE-2017-5483, CVE-2017-5484, CVE-2017-5485
Security: CVE-2017-5486
Notes:
svn path=/head/; revision=313048
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
addresses of members of struct ip, which is packed. Since the pointers
are only used for memcmp'ing, they can be pointing to void instead.
Note that upstream has removed the src and dst variables, in the mean
time.
MFC after: 3 days
Notes:
svn path=/head/; revision=311570
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
The libpcap library can use a BIOCROTZBUF ioctl when net.bpf.zerocopy_enable
sysctl is set.
Reported by: olivier@
Tested by: olivier@
Notes:
svn path=/head/; revision=309649
|
| |
| |
| |
| |
| |
| |
| |
| | |
sys/capability.h is just a backwards compatibility wrapper around
sys/capsicum.h, which is already #included.
Notes:
svn path=/head/; revision=305989
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
of Capser and should use openat(2) unconditionally on FreeBSD.
openat(2) is mandatory when sandboxed with Capsicum, but still works
in the absence of Capsicum.
Reviewed by: AllanJude
Notes:
svn path=/head/; revision=301705
|
| |
| |
| |
| |
| |
| |
| |
| | |
PR: 210031
Reported by: AllanJude, jmallett
Notes:
svn path=/head/; revision=301701
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
After calling the cap_init(3) function Casper will fork from it's original
process, using pdfork(2). Forking from a process has a lot of advantages:
1. We have the same cwd as the original process.
2. The same uid, gid and groups.
3. The same MAC labels.
4. The same descriptor table.
5. The same routing table.
6. The same umask.
7. The same cpuset(1).
From now services are also in form of libraries.
We also removed libcapsicum at all and converts existing program using Casper
to new architecture.
Discussed with: pjd, jonathan, ed, drysdale@google.com, emaste
Partially reviewed by: drysdale@google.com, bdrewery
Approved by: pjd (mentor)
Differential Revision: https://reviews.freebsd.org/D4277
Notes:
svn path=/head/; revision=296047
|
|\|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Merge upstream fix to eliminate build-breaking gcc warnings of no
importance.
commit: cab33b7a0acba7d2268a23c4383be6167106e549
Update ND_TTEST2 to fix issue 443
Add IS_NOT_NEGATIVE macro.
Avoid these warnings:
- comparison of unsigned expression >= 0 is always true [-Wtype-limits],
- comparison is always true due to limited range of data type [-Wtype-limits].
Reviewed by: adrian
Approved by: jmallett (mentor)
MFC after: 1 month
Notes:
svn path=/head/; revision=285299
|
|\|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Also, the changes made in r272451 and r272653 that were lost in the
merge of 4.6.2 (r276788) have been restored.
PR: 199568
Differential Revision: https://reviews.freebsd.org/D3007
Reviewed by: brooks, hiren
Approved by: jmallett (mentor)
MFC after: 1 month
Notes:
svn path=/head/; revision=285275
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Change consumers to include those files from sys.
Add duplicated files to ObsoleteFiles.
Approved by: pjd (mentor)
Notes:
svn path=/head/; revision=285063
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
These messages serve little purpose and break some consumers.
PR: 199855
Differential Revision: https://reviews.freebsd.org/D2440
Reviewed by: rwatson
Approved by: pjd
MFC after: 1 week
Sponsored by: DARPA, AFRL
Notes:
svn path=/head/; revision=282436
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Convert the pfsync dissector to use the netdissect framework.
Differential Revision: https://reviews.freebsd.org/D2359
Reviewed by: glebius
Sponsored by: DARPA, AFRL
Notes:
svn path=/head/; revision=281938
|
|\|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Upstream fixes for issues found with afl (Issue #417).
- Fix length checking.
Check both the captured length and the on-the-wire length (the latter
*should* be greater than or equal to the former, but that's not
guaranteed).
Add some additional length checks, so neither caplen nor length
underflow.
If we stop dissecting because the packet is too short, return 1, not 0,
as we've "dissected" what we can; 0 means "this is LLC+SNAP with an OUI
of 0 and an unknown Ethertype".
commit: 743bcecdc92f88b118ec7aac4f68b606601205cc
- Clean up length checks.
Check only the amount of length that matters at any given point; yes,
this means we do multiple checks, but so it goes.
We don't need to check for LLC+SNAP - llc_print() does that for us. We
do, however, need to check to make sure we can safely skip the Fore
header.
commit: 5c65e7532fa16308e01299988852b0dc5b027559
Notes:
svn path=/head/; revision=277982
|
|\|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Merge some cherry-picked fixes originating in OpenBSD
Check whether the version field is available before looking at it.
While we're at it, use ND_TCHECK(), rather than a hand-rolled check, to
check whether we have the full fixed-length portion of the IPv4 header.
commit c67afe913011138a2504ec4d3d423b48e73b12f3
Do more length checking. From OpenBSD.
commit d7516761f9c4877bcb05bb6543be3543e165249
Notes:
svn path=/head/; revision=277783
|
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Reported by: luigi
MFC after: 14 days
X-MFC-with: r276788
Notes:
svn path=/head/; revision=277638
|
|\|
| |
| |
| |
| |
| |
| | |
MFC after: 1 month
Notes:
svn path=/head/; revision=276788
|
| |
| |
| |
| |
| |
| |
| | |
MFC after: 3 days
Notes:
svn path=/head/; revision=272653
|
| |
| |
| |
| |
| |
| |
| |
| |
| | |
pcap--netmap which does poll() on the file descriptor
MFC after: 2 weeks
Notes:
svn path=/head/; revision=272451
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
auditdistd is not updated as I will make the change upstream and then do a
vendor import sometime in the next week or two.
MFC after: 3 weeks
Notes:
svn path=/head/; revision=263234
|
| |
| |
| |
| |
| |
| |
| |
| | |
Submitted by: dt71 gmx com
Sponsored by: The FreeBSD Foundation
Notes:
svn path=/head/; revision=259678
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
to casperd, but we cannot access the service we need we exit with an error.
This should not happen and just indicates some configuration error which
should be fixed, so we force the user to do it by failing.
Discussed with: emaste
Notes:
svn path=/head/; revision=259580
|
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Now tcpdump(8) is sandboxed even if DNS resolution is required.
Sponsored by: The FreeBSD Foundation
Notes:
svn path=/head/; revision=259432
|
|\|
| |
| |
| |
| |
| |
| |
| |
| | |
Reported by: tinderbox (gjb)
Submitted by: glebius
MFC after: 2 weeks
Notes:
svn path=/head/; revision=258573
|