svn commit: r52312 - in head/share: security/advisories security/patches/EN-18:09 security/patches/EN-18:10 security/patches/EN-18:11 security/patches/EN-18:12 xml
Gordon Tetlow
gordon at FreeBSD.org
Thu Sep 27 19:11:51 UTC 2018
Author: gordon (src,ports committer)
Date: Thu Sep 27 19:11:47 2018
New Revision: 52312
URL: https://svnweb.freebsd.org/changeset/doc/52312
Log:
Add errata notices EN-18:09 through EN-18:12
Approved by: so
Added:
head/share/security/advisories/FreeBSD-EN-18:09.ip.asc (contents, props changed)
head/share/security/advisories/FreeBSD-EN-18:10.syscall.asc (contents, props changed)
head/share/security/advisories/FreeBSD-EN-18:11.listen.asc (contents, props changed)
head/share/security/advisories/FreeBSD-EN-18:12.mem.asc (contents, props changed)
head/share/security/patches/EN-18:09/
head/share/security/patches/EN-18:09/ip.patch (contents, props changed)
head/share/security/patches/EN-18:09/ip.patch.asc (contents, props changed)
head/share/security/patches/EN-18:10/
head/share/security/patches/EN-18:10/syscall-11.patch (contents, props changed)
head/share/security/patches/EN-18:10/syscall-11.patch.asc (contents, props changed)
head/share/security/patches/EN-18:11/
head/share/security/patches/EN-18:11/listen-10.patch (contents, props changed)
head/share/security/patches/EN-18:11/listen-10.patch.asc (contents, props changed)
head/share/security/patches/EN-18:11/listen-11.patch (contents, props changed)
head/share/security/patches/EN-18:11/listen-11.patch.asc (contents, props changed)
head/share/security/patches/EN-18:12/
head/share/security/patches/EN-18:12/mem.patch (contents, props changed)
head/share/security/patches/EN-18:12/mem.patch.asc (contents, props changed)
Modified:
head/share/xml/notices.xml
Added: head/share/security/advisories/FreeBSD-EN-18:09.ip.asc
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ head/share/security/advisories/FreeBSD-EN-18:09.ip.asc Thu Sep 27 19:11:47 2018 (r52312)
@@ -0,0 +1,136 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+=============================================================================
+FreeBSD-EN-18:09.ip Errata Notice
+ The FreeBSD Project
+
+Topic: IP fragment remediation causes IPv6 fragment
+ reassembly failure
+
+Category: core
+Module: kernel
+Announced: 2018-09-27
+Credits: Kristof Provost
+Affects: FreeBSD 11.1 and FreeBSD 11.2
+Corrected: 2018-09-27 18:29:55 UTC (releng/11.2, 11.2-RELEASE-p4)
+ 2018-09-27 18:29:55 UTC (releng/11.1, 11.1-RELEASE-p15)
+
+For general information regarding FreeBSD Errata Notices and Security
+Advisories, including descriptions of the fields above, security
+branches, and the following sections, please visit
+<URL:https://security.FreeBSD.org/>.
+
+I. Background
+
+The recent security advisory titled SA-18:10.ip resolved an issue in the IPv4
+and IPv6 fragment reassembly code.
+
+II. Problem Description
+
+As a result of fixing the issue describe in SA-18:10.ip, a regression was
+introduced in the IPv6 fragment hashing code which could cause reassembly to
+fail.
+
+III. Impact
+
+Received IPv6 packets requiring fragment reassembly may be dropped instead of
+properly reassembled and delivered.
+
+IV. Workaround
+
+Disable IPv6 fragment reassembly, using these commands:
+ % sysctl net.inet6.ip6.maxfrags=0
+
+On systems compiled with VIMAGE, these sysctls will need to be
+executed for each VNET.
+
+V. Solution
+
+Perform one of the following:
+
+1) Upgrade your system to a supported FreeBSD stable or release / security
+branch (releng) dated after the correction date.
+
+Afterward, reboot the system.
+
+2) To update your system via a binary patch:
+
+Systems running a RELEASE version of FreeBSD on the i386 or amd64
+platforms can be updated via the freebsd-update(8) utility:
+
+# freebsd-update fetch
+# freebsd-update install
+
+Afterward, reboot the system.
+
+3) To update your system via a source code patch:
+
+The following patches have been verified to apply to the applicable
+FreeBSD release branches.
+
+a) Download the relevant patch from the location below, and verify the
+detached PGP signature using your PGP utility.
+
+[FreeBSD 11.x]
+# fetch https://security.FreeBSD.org/patches/EN-18:09/ip.patch
+# fetch https://security.FreeBSD.org/patches/EN-18:09/ip.patch.asc
+# gpg --verify ip.patch.asc
+
+b) Apply the patch. Execute the following commands as root:
+
+# cd /usr/src
+# patch < /path/to/patch
+
+c) Recompile your kernel as described in
+<URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
+system.
+
+VI. Correction details
+
+The following list contains the correction revision numbers for each
+affected branch.
+
+Branch/path Revision
+- -------------------------------------------------------------------------
+releng/11.1/ r338978
+releng/11.2/ r338978
+- -------------------------------------------------------------------------
+
+To see which files were modified by a particular revision, run the
+following command, replacing NNNNNN with the revision number, on a
+machine with Subversion installed:
+
+# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
+
+Or visit the following URL, replacing NNNNNN with the revision number:
+
+<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
+
+VII. References
+
+The security advisory that introduced the regression is available at
+<URL:https://www.freebsd.org/security/advisories/FreeBSD-SA-18:10.ip.asc>
+
+<URL:https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=231045>
+
+The latest revision of this advisory is available at
+<URL:https://security.FreeBSD.org/advisories/FreeBSD-EN-18:09.ip.asc>
+-----BEGIN PGP SIGNATURE-----
+
+iQKTBAEBCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAlutKTVfFIAAAAAALgAo
+aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD
+MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n
+5cKagRAAh4AnkPqG5hNnpilNct2cjY6GrU+Ex0hmbDbv36RR5Cj/Xi6FrdjGdF6/
+sA5/KYC1fOe07S2JJDgh2b5f1E3NBtfCCXQL3Fq46LRu8KJUifReY23kxNw74pev
+86WmxtctkJ62gc3EUhaTx5tgvIqHRnLrNbJqAJ9VEZkV5aa33yT/5zDTq0TLJPsK
+LfgwIWw7KAecH28cHx9KH+QyeLEsKoQPj5PIpQih7aZE/8cVLIMxKepExzPFx0s8
+SV1BFVQqJaRK4frv7tHZIEjTrseKVhF6SCqbtSVP6ZBtOAaaNGobq9bQNzPPxls7
+tTIGC6JVacUNNzJY+uv+DyHwCcEqyU5HQKOaJGqcQ4rxccXdWLBQOA55sRuiCZSy
+SxRzs+4JNo2XDACnSECUFFos05HXxOWm8lqt8juR6fnq9Auej/PmktQYHaIXI3us
+hYOlHu7Oo6sSGERBE92I1B4Y0L2BzXgroFN+rKmzlLGmM3vQYDxt2o0/GpMRf0wf
+I+plRLC9osYTc/QFJzqt6dGJj+46xWyCw8aGcRhtQGPWUcB3DtYRjJxi1x6YjBkN
+Cw3nepcW4rwJpmJZyGuNhsyKFZlhhz2+GV1lxsoe5TC6rRbEo30O3aU1zh5+fljo
+KR9WSfy6bNoTX4NhbCJ+j9fdD6AxiqWtmB8h4Vp7ykrM/VJLUzc=
+=1FtK
+-----END PGP SIGNATURE-----
Added: head/share/security/advisories/FreeBSD-EN-18:10.syscall.asc
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ head/share/security/advisories/FreeBSD-EN-18:10.syscall.asc Thu Sep 27 19:11:47 2018 (r52312)
@@ -0,0 +1,132 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+=============================================================================
+FreeBSD-EN-18:10.syscall Errata Notice
+ The FreeBSD Project
+
+Topic: NULL pointer dereference in freebsd4_getfsstat system call
+
+Category: core
+Module: kernel
+Announced: 2018-09-27
+Credits: Thomas Barabosch, Fraunhofer FKIE
+Affects: FreeBSD 11.x
+Corrected: 2018-09-27 18:54:41 UTC (stable/11, 11.1-STABLE)
+ 2018-09-27 18:32:14 UTC (releng/11.2, 11.2-RELEASE-p4)
+ 2018-09-27 18:32:14 UTC (releng/11.1, 11.1-RELEASE-p15)
+CVE Name: CVE-2018-17154
+
+For general information regarding FreeBSD Errata Notices and Security
+Advisories, including descriptions of the fields above, security
+branches, and the following sections, please visit
+<URL:https://security.FreeBSD.org/>.
+
+I. Background
+
+The freebsd4_getfsstat system call returns information about all mounted file
+systems in a binary format compatible with FreeBSD 4.x. Part of the call
+includes passing in a userland allocated buffer for the system call to fill
+along with the size of the buffer.
+
+II. Problem Description
+
+Insufficient checking occurs on the buffer when a very large buffer size causes
+memory allocation to fail. Resulting code attempts to free the NULL pointer.
+
+III. Impact
+
+A local unprivileged user may cause a denial of service using a specially
+crafted binary.
+
+IV. Workaround
+
+No workaround is available.
+
+V. Solution
+
+Perform one of the following:
+
+1) Upgrade your system to a supported FreeBSD stable or release / security
+branch (releng) dated after the correction date.
+
+Afterward, reboot the system.
+
+2) To update your system via a binary patch:
+
+Systems running a RELEASE version of FreeBSD on the i386 or amd64
+platforms can be updated via the freebsd-update(8) utility:
+
+# freebsd-update fetch
+# freebsd-update install
+
+Afterward, reboot the system.
+
+3) To update your system via a source code patch:
+
+The following patches have been verified to apply to the applicable
+FreeBSD release branches.
+
+a) Download the relevant patch from the location below, and verify the
+detached PGP signature using your PGP utility.
+
+[FreeBSD 11.x]
+# fetch https://security.FreeBSD.org/patches/EN-18:10/syscall-11.patch
+# fetch https://security.FreeBSD.org/patches/EN-18:10/syscall-11.patch.asc
+# gpg --verify syscall-11.patch.asc
+
+b) Apply the patch. Execute the following commands as root:
+
+# cd /usr/src
+# patch < /path/to/patch
+
+c) Recompile your kernel as described in
+<URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
+system.
+
+VI. Correction details
+
+The following list contains the correction revision numbers for each
+affected branch.
+
+Branch/path Revision
+- -------------------------------------------------------------------------
+stable/11/ r338987
+releng/11.1/ r338979
+releng/11.2/ r338979
+- -------------------------------------------------------------------------
+
+To see which files were modified by a particular revision, run the
+following command, replacing NNNNNN with the revision number, on a
+machine with Subversion installed:
+
+# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
+
+Or visit the following URL, replacing NNNNNN with the revision number:
+
+<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
+
+VII. References
+
+<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-17154>
+
+The latest revision of this advisory is available at
+<URL:https://security.FreeBSD.org/advisories/FreeBSD-EN-18:10.syscall.asc>
+-----BEGIN PGP SIGNATURE-----
+
+iQKSBAEBCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAlutKT9fFIAAAAAALgAo
+aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD
+MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n
+5cJMqQ/4ycdylBNCX0cqFDYrtDU0OJO0mEi2LKqCM31YzOCLbKLtVSq06rxOj/E9
+0okWag0NxaGIo2+7+b/hykDwL+1Rwpa5YNdODESRYQeW0OVdnmy/JSB/8q2I2BwX
+PrqMc38sc9YuCz202B7tj4CQRKyhe2/qWRXANzh4jolC8zIuP7zAH6bMO+jc4XJS
+9qe2YdvChWiwLJXOSXaqZf1xY1jY08+lRGDx03n13OLRN8PZdbIoDEmOd2/vxhcV
+YRcDH0axLJSyngknPE9gU8iVZDunxpNBool5hJYDd8rBbAfypXWSDZ7wJGUn7tUZ
+3Cj/NPmZ9auMTGLgpRJB/bhgCnn3mZQ5QjR1egonZf3uIlTWZ+0C9GhJjh5cw+2p
+3hF+202uJicNm5TSkO6QpavVVvQNFcuCR54ZvXEICv3YNam3yDupGWsbjHloxoCw
+7A/wmBBcbtAJ7ujzgPm4+yN5Vno4dcPmkIfW9bz0fwXzYF1VEaF5pZZu7a9bjdI0
+xHBk2v77NIRBxC5i1KK5R5Guj0UY0EvkclBTF4Twh3TP0SAPN+5sqpmBRQwPGEdp
+9v5TPQv5DJn0KTJwkdrrP+70WIYkfcUVJ9hJYbXAMXseN1q3mTggS/ypF9ckTP0Z
+D1hQuUySz07GInHlJ+znS8CzVSj/iWqsxThBBbwgy1a4haxr5A==
+=HCqG
+-----END PGP SIGNATURE-----
Added: head/share/security/advisories/FreeBSD-EN-18:11.listen.asc
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ head/share/security/advisories/FreeBSD-EN-18:11.listen.asc Thu Sep 27 19:11:47 2018 (r52312)
@@ -0,0 +1,146 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+=============================================================================
+FreeBSD-EN-18:11.listen Errata Notice
+ The FreeBSD Project
+
+Topic: Denial of service in listen syscall over IPv6 socket
+
+Category: core
+Module: kernel
+Announced: 2018-09-27
+Credits: Jakub Jirasek, Secunia Research at Flexera
+Affects: All supported versions of FreeBSD.
+Corrected: 2018-09-27 18:50:10 UTC (stable/11, 11.2-STABLE)
+ 2018-09-27 18:34:42 UTC (releng/11.2, 11.2-RELEASE-p4)
+ 2018-09-27 18:34:42 UTC (releng/11.1, 11.1-RELEASE-p15)
+ 2018-09-27 18:48:50 UTC (stable/10, 10.4-STABLE)
+ 2018-09-27 18:34:42 UTC (releng/10.4, 10.4-RELEASE-p13)
+CVE Name: CVE-2018-6925
+
+For general information regarding FreeBSD Errata Notices and Security
+Advisories, including descriptions of the fields above, security
+branches, and the following sections, please visit
+<URL:https://security.FreeBSD.org/>.
+
+I. Background
+
+The protocol control block is a structure that maintains the network layer
+state for various sockets. There are various state flags that must be
+properly maintained to keep the structure consistent.
+
+II. Problem Description
+
+There are various cases in the IPv6 socket code where the protocol control
+block's state flags are modified during a syscall, but are not restored if
+the operation fails. This can leave the control block in an inconsistent
+state.
+
+III. Impact
+
+A local unprivileged user could exploit the inconsistent state of the
+protocol control block to cause the kernel to crash, leading to a denial of
+service.
+
+IV. Workaround
+
+No workaround is available.
+
+V. Solution
+
+Perform one of the following:
+
+1) Upgrade your system to a supported FreeBSD stable or release / security
+branch (releng) dated after the correction date.
+
+Afterward, reboot the system.
+
+2) To update your system via a binary patch:
+
+Systems running a RELEASE version of FreeBSD on the i386 or amd64
+platforms can be updated via the freebsd-update(8) utility:
+
+# freebsd-update fetch
+# freebsd-update install
+
+Afterward, reboot the system.
+
+3) To update your system via a source code patch:
+
+The following patches have been verified to apply to the applicable
+FreeBSD release branches.
+
+a) Download the relevant patch from the location below, and verify the
+detached PGP signature using your PGP utility.
+
+[FreeBSD 11.x]
+# fetch https://security.FreeBSD.org/patches/EN-18:11/listen-11.patch
+# fetch https://security.FreeBSD.org/patches/EN-18:11/listen-11.patch.asc
+# gpg --verify listen-11.patch.asc
+
+[FreeBSD 10.4]
+# fetch https://security.FreeBSD.org/patches/EN-18:11/listen-10.patch
+# fetch https://security.FreeBSD.org/patches/EN-18:11/listen-10.patch.asc
+# gpg --verify listen-10.patch.asc
+
+b) Apply the patch. Execute the following commands as root:
+
+# cd /usr/src
+# patch < /path/to/patch
+
+c) Recompile your kernel as described in
+<URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
+system.
+
+VI. Correction details
+
+The following list contains the correction revision numbers for each
+affected branch.
+
+Branch/path Revision
+- -------------------------------------------------------------------------
+stable/10/ r338985
+releng/10.4/ r338980
+stable/11/ r338986
+releng/11.1/ r338980
+releng/11.2/ r338980
+- -------------------------------------------------------------------------
+
+To see which files were modified by a particular revision, run the
+following command, replacing NNNNNN with the revision number, on a
+machine with Subversion installed:
+
+# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
+
+Or visit the following URL, replacing NNNNNN with the revision number:
+
+<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
+
+VII. References
+
+<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6925>
+
+For information about Secunia Research:
+<URL:https://www.flexerasoftware.com/enterprise/company/about/secunia-research/>
+
+The latest revision of this advisory is available at
+<URL:https://security.FreeBSD.org/advisories/FreeBSD-EN-18:11.listen.asc>
+-----BEGIN PGP SIGNATURE-----
+
+iQKTBAEBCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAlutKURfFIAAAAAALgAo
+aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD
+MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n
+5cIUEA/+JxBo76dRre8nfvYcN2PJGGFn8i2mWwSG87SWwQUeKlkgpJCV8qMnVEr2
+dGz3gwBsxFLKUjQVyl+IwFkaJgKXMbFYkfIqLaS+3a12KLllFAn2Q0dnN+oxFhS2
+Wpx4DkDRgBzEyLokxwjUCtg2fd6HPlML2YXCR5SqjXDOoBGAR9GCCXXYNnWSC00y
+IYgeC8UpE3ykTlwDH8q+LgLqtnx/oDW1h6UR12alP0ytH8+BldiAqRxjHE3/Wv2E
+aU8m8YuAAIW4tHZ4vdqpiFP4grN/0tSf/DEPBTtVIv5FGpXSk61YTBSm4OMIKNN8
+QEVEA6n6NEGSKYrbB5BE73KYgCAaeGzcGikX9F4aAlN5GSPBVJ66SEbk16YDzDfB
+KimjhityEP5YXh8hVkNo6fq+17dKpqx81390wzcXeDlBTIkANnKLh23gE0RuniNY
+dXrPE2HWSpkCnWN6l0BImefDeCgAaF7KZK+z7bbsn2D7UMGFGeHU/XlRM0ze7OOV
+ETqwk2M4GuxddHTKktNGBItWVd6EjReAh6QOo1kAA4qMKuNIiDQdRS72x6fUbmlA
+ZIOzPNd6TS57aKSnAZlR1SpvRMqo+g9cetMxuJmKnQ+hXaRk2zJVuP2RAJuoFFqf
+TmnVAPpDRjoYa0lf2YkOKtYcfF+pBcWI1CVAEFuQG2PheJRYns0=
+=jMY6
+-----END PGP SIGNATURE-----
Added: head/share/security/advisories/FreeBSD-EN-18:12.mem.asc
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ head/share/security/advisories/FreeBSD-EN-18:12.mem.asc Thu Sep 27 19:11:47 2018 (r52312)
@@ -0,0 +1,139 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+=============================================================================
+FreeBSD-EN-18:12.mem Errata Notice
+ The FreeBSD Project
+
+Topic: Small kernel memory disclosures in two system calls
+
+Category: core
+Module: kernel
+Announced: 2018-09-27
+Credits: Thomas Barabosch, Fraunhofer FKIE
+Affects: All supported versions of FreeBSD.
+Corrected: 2018-09-27 18:42:40 UTC (stable/11, 11.2-STABLE)
+ 2018-09-27 18:36:30 UTC (releng/11.2, 11.2-RELEASE-p4)
+ 2018-09-27 18:36:30 UTC (releng/11.1, 11.1-RELEASE-p15)
+ 2018-09-27 18:44:40 UTC (stable/10, 10.4-STABLE)
+ 2018-09-27 18:36:30 UTC (releng/10.4, 10.4-RELEASE-p13)
+CVE Name: CVE-2018-17155
+
+For general information regarding FreeBSD Errata Notices and Security
+Advisories, including descriptions of the fields above, security
+branches, and the following sections, please visit
+<URL:https://security.FreeBSD.org/>.
+
+I. Background
+
+The kernel provides an interface for userland programs via system calls. Two
+of these system calls are named getcontext and swapcontext.
+
+II. Problem Description
+
+Due to insufficient initialization of memory copied to userland in the
+getcontext and swapcontext system calls, small amounts of kernel memory may
+be disclosed to userland processes.
+
+III. Impact
+
+An unprivileged local user may be able to create a specific program to read
+the contents of small portions of kernel memory.
+
+Such memory might contain sensitive information, such as portions of the file
+cache or terminal buffers. This information might be directly useful, or it
+might be leveraged to obtain elevated privileges in some way; for example,
+a terminal buffer might include a user-entered password.
+
+IV. Workaround
+
+No workaround is available.
+
+V. Solution
+
+Perform one of the following:
+
+1) Upgrade your system to a supported FreeBSD stable or release / security
+branch (releng) dated after the correction date.
+
+Afterward, reboot the system.
+
+2) To update your system via a binary patch:
+
+Systems running a RELEASE version of FreeBSD on the i386 or amd64
+platforms can be updated via the freebsd-update(8) utility:
+
+# freebsd-update fetch
+# freebsd-update install
+
+Afterward, reboot the system.
+
+3) To update your system via a source code patch:
+
+The following patches have been verified to apply to the applicable
+FreeBSD release branches.
+
+a) Download the relevant patch from the location below, and verify the
+detached PGP signature using your PGP utility.
+
+# fetch https://security.FreeBSD.org/patches/EN-18:12/mem.patch
+# fetch https://security.FreeBSD.org/patches/EN-18:12/mem.patch.asc
+# gpg --verify mem.patch.asc
+
+b) Apply the patch. Execute the following commands as root:
+
+# cd /usr/src
+# patch < /path/to/patch
+
+c) Recompile your kernel as described in
+<URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
+system.
+
+VI. Correction details
+
+The following list contains the correction revision numbers for each
+affected branch.
+
+Branch/path Revision
+- -------------------------------------------------------------------------
+stable/10/ r339984
+releng/10.4/ r338981
+stable/11/ r339983
+releng/11.1/ r338981
+releng/11.2/ r338981
+- -------------------------------------------------------------------------
+
+To see which files were modified by a particular revision, run the
+following command, replacing NNNNNN with the revision number, on a
+machine with Subversion installed:
+
+# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
+
+Or visit the following URL, replacing NNNNNN with the revision number:
+
+<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
+
+VII. References
+
+<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-17155>
+
+The latest revision of this advisory is available at
+<URL:https://security.FreeBSD.org/advisories/FreeBSD-EN-18:12.mem.asc>
+-----BEGIN PGP SIGNATURE-----
+
+iQKSBAEBCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAlutKU5fFIAAAAAALgAo
+aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD
+MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n
+5cJfGA/3XLR2dunxnQZYQvdpA8k9HA1zHfKFUMbTJqESIZPofvLnFJiw7gwDl0mF
+pMC5LCi+k+LIIsXPLzRk/7BUmoCt/hCbD7BOVuiYXhIZy0VgKhaOggSvOXYOsjNl
+JTJa5zGsKm4BUNhAkxcJtCO9i+gOShZ2fxiJ9SU7bO/gVl5HoMh56KWTLUBXX2jD
+vZfEvxJvllbvk6ST68jb7C0Ix47+idRO2hdfxVLyZfD1PsILIy6JThqKqsbGgqbA
++ma7OnCigxwI0bds4nusi7vNu3IiFuzjBLfV9exW8kcRgyotOsmCfCjSOlOcEJvR
+gKcmqZccf1SMGFR336YwGB66xL56QwpgN+UZ/QhmBX15mqI/oAekd0W3fb3OmfvW
+bMiDo0MHmtZqiSnQyUOcCPRW5s0l8EHeWCVbjKX1ViqY6e4NdQajrjRUyXnOqcM5
+vtTWAJ+BCc3Acg1V4nkjF7HNCUyGObKZcbDqK7M7p5+i/CFxJkCdKu0x8dsZRHL8
+7V4SL1sb9OkPWjBxyzHuiQNGJfTgknDsIxvBYcdPVukTtGzrWH1skhdWL2O0CNvQ
+Quk2YQePQ/X4ICPIB3s+Yao5N8t0FoEM4Hus6nSCpNRyP5XpCaBISHbhG8Ay7yJr
+1p0YkV22eQ5KXiNY6Qmof7S0S1p8IZlomO8J8I/yGuwqh2mkkQ==
+=uZtl
+-----END PGP SIGNATURE-----
Added: head/share/security/patches/EN-18:09/ip.patch
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ head/share/security/patches/EN-18:09/ip.patch Thu Sep 27 19:11:47 2018 (r52312)
@@ -0,0 +1,13 @@
+--- sys/netinet6/frag6.c.orig
++++ sys/netinet6/frag6.c
+@@ -216,7 +216,9 @@
+ int offset = *offp, nxt, i, next;
+ int first_frag = 0;
+ int fragoff, frgpartlen; /* must be larger than u_int16_t */
+- uint32_t hash, hashkey[sizeof(struct in6_addr) * 2 + 1], *hashkeyp;
++ uint32_t hashkey[(sizeof(struct in6_addr) * 2 +
++ sizeof(ip6f->ip6f_ident)) / sizeof(uint32_t)];
++ uint32_t hash, *hashkeyp;
+ struct ifnet *dstifp;
+ u_int8_t ecn, ecn0;
+ #ifdef RSS
Added: head/share/security/patches/EN-18:09/ip.patch.asc
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ head/share/security/patches/EN-18:09/ip.patch.asc Thu Sep 27 19:11:47 2018 (r52312)
@@ -0,0 +1,18 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQKTBAABCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAlutKWZfFIAAAAAALgAo
+aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD
+MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n
+5cK5fQ//cqB5ebX2iYBeKRDL7IfgBaDcojr8x8bDwu2PTRqlXtlq2pUVAkzKynaF
+HUoJtvE3xKXkCOw60igjtK1AqWjOyLebUfivM/YykcuBvpiVfs6ZNHsiLCFw+oz9
+pMq4I5jbhizxS4Rdo9ZFMo8Gys6lNMdq9iV6f7rJFD7Ls8sJRi5fi5BR7I08AIBl
+VVP3E+0ACOitR9YidRRZ5w4QWYjoZJljMjUlIL023B3VkK+h2uxJy16wLdHv3Tpt
+c0DnKyXlM1s0BoCq4qSwFkE2BfutIgsNWgzHHmDDhc6ju9eS96OtZDrok7+knLQr
+eBH5WEzXnnrBc+J31LIVVev12uJhntAXRtOau218BYeCnjwln4mBk/y+JqIqLjar
+jn4rWEj7lh/PTsmAEulh53mTdyz+tEHSeacNnkR+vuynLGWNUKmFkul4RCLrlP74
+u5qquwkDe3l/6vluGR6tI52RiDiyAuT5s6czH5/mKb/ewWTHj3uFJx9X0J/55Kcp
+pBSNuNtzwpjm2bAQy/9n6AYHqfmKvbKoIjIAB+WZwefYrEmAEfaqzchmjfrw5A0a
+D8w7IQhljX1CAZ9IcjuUMOWlNSeWdIlGHMZpXM+1MH4nP3RF1JbHGlCyo5WaRHKs
+0FLBWGYFN/hvUjY1H1izCCtKeUTDG6y9WnFJW+/VchZZvWFhP24=
+=q3dd
+-----END PGP SIGNATURE-----
Added: head/share/security/patches/EN-18:10/syscall-11.patch
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ head/share/security/patches/EN-18:10/syscall-11.patch Thu Sep 27 19:11:47 2018 (r52312)
@@ -0,0 +1,11 @@
+--- sys/kern/vfs_syscalls.c.orig
++++ sys/kern/vfs_syscalls.c
+@@ -600,6 +600,8 @@
+ size = count * sizeof(struct statfs);
+ error = kern_getfsstat(td, &buf, size, &count, UIO_SYSSPACE,
+ uap->mode);
++ if (buf == NULL)
++ return (EINVAL);
+ td->td_retval[0] = count;
+ if (size != 0) {
+ sp = buf;
Added: head/share/security/patches/EN-18:10/syscall-11.patch.asc
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ head/share/security/patches/EN-18:10/syscall-11.patch.asc Thu Sep 27 19:11:47 2018 (r52312)
@@ -0,0 +1,18 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQKTBAABCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAlutKW1fFIAAAAAALgAo
+aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD
+MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n
+5cLwRxAAnybQwo07WZtP8aLAuOEzXjEJ8rLMKAV80pvIFj27TAxpiIw1cltQsZhb
+qHMhYFjnJejgujwBmMEz7rAK97zte71AW4Lm4+I6r2MY8Wniu8OiTHUkYOHlNkWM
+iROkSiRRLtPdH0HXk3M5n+BhprDgovOv1xQhu17RLbDYX+9mz5kB2EaRJtnv0JCT
+ZfYhin262zaZR0yJ4f5Hug5NphmcbD7VtSD3ZNye2txicJ7330B3iIcpD6YZnkH2
+pJqs4OzLux/xHhQdSMCN5dVtC6M5Gkt6gYDQX6vMoouRw/2o4gcpjye9aV1rkrVd
+D3c8iGwdTxyYzUZ++E3OCilx4YbAqmBEXmP4BsiiiO71XHr+oB79+0FQ+U0ZNy7T
+zVuc9TJOfOnIDyyz4KL5RcMSFFdNggnYHdCYQZAGk+Xv8aY1ddxmV8M1NBpMvuhS
+XQpiWvfoEP5e0pmRfG3OL5XOt9J271BF+gPMRDOAAeDgU/PkWRrHWxAQJtiC6HYl
+TEirv16TKpui1nITJj9Q8BBgxMdymEY5SezKdCYeX5PKwsCO9xd0ZRTBhgvVwnCU
+e/UTu7vL0ngZ9TFsTVj2A5YsGhDn/7ayYBMwndplF82lpdvPGwhSYmUUpHYBesXi
+NjnZjLrpxM+pntbnEcTPLuE7xqIvWsqn6M4DQeRs8+bY8zo9l9k=
+=s1wm
+-----END PGP SIGNATURE-----
Added: head/share/security/patches/EN-18:11/listen-10.patch
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ head/share/security/patches/EN-18:11/listen-10.patch Thu Sep 27 19:11:47 2018 (r52312)
@@ -0,0 +1,260 @@
+--- sys/netinet/tcp_usrreq.c.orig
++++ sys/netinet/tcp_usrreq.c
+@@ -328,6 +328,7 @@
+ struct inpcb *inp;
+ struct tcpcb *tp = NULL;
+ struct sockaddr_in6 *sin6p;
++ u_char vflagsav;
+
+ sin6p = (struct sockaddr_in6 *)nam;
+ if (nam->sa_len != sizeof (*sin6p))
+@@ -344,6 +345,7 @@
+ inp = sotoinpcb(so);
+ KASSERT(inp != NULL, ("tcp6_usr_bind: inp == NULL"));
+ INP_WLOCK(inp);
++ vflagsav = inp->inp_vflag;
+ if (inp->inp_flags & (INP_TIMEWAIT | INP_DROPPED)) {
+ error = EINVAL;
+ goto out;
+@@ -373,6 +375,8 @@
+ error = in6_pcbbind(inp, nam, td->td_ucred);
+ INP_HASH_WUNLOCK(&V_tcbinfo);
+ out:
++ if (error != 0)
++ inp->inp_vflag = vflagsav;
+ TCPDEBUG2(PRU_BIND);
+ INP_WUNLOCK(inp);
+ return (error);
+@@ -434,6 +438,7 @@
+ int error = 0;
+ struct inpcb *inp;
+ struct tcpcb *tp = NULL;
++ u_char vflagsav;
+
+ TCPDEBUG0;
+ inp = sotoinpcb(so);
+@@ -443,6 +448,7 @@
+ error = EINVAL;
+ goto out;
+ }
++ vflagsav = inp->inp_vflag;
+ tp = intotcpcb(inp);
+ TCPDEBUG1();
+ SOCK_LOCK(so);
+@@ -469,6 +475,9 @@
+ if (tp->t_flags & TF_FASTOPEN)
+ tp->t_tfo_pending = tcp_fastopen_alloc_counter();
+ #endif
++ if (error != 0)
++ inp->inp_vflag = vflagsav;
++
+ out:
+ TCPDEBUG2(PRU_LISTEN);
+ INP_WUNLOCK(inp);
+@@ -543,6 +552,8 @@
+ struct inpcb *inp;
+ struct tcpcb *tp = NULL;
+ struct sockaddr_in6 *sin6p;
++ u_int8_t incflagsav;
++ u_char vflagsav;
+
+ TCPDEBUG0;
+
+@@ -559,6 +570,8 @@
+ inp = sotoinpcb(so);
+ KASSERT(inp != NULL, ("tcp6_usr_connect: inp == NULL"));
+ INP_WLOCK(inp);
++ vflagsav = inp->inp_vflag;
++ incflagsav = inp->inp_inc.inc_flags;
+ if (inp->inp_flags & INP_TIMEWAIT) {
+ error = EADDRINUSE;
+ goto out;
+@@ -584,11 +597,11 @@
+ }
+
+ in6_sin6_2_sin(&sin, sin6p);
+- inp->inp_vflag |= INP_IPV4;
+- inp->inp_vflag &= ~INP_IPV6;
+ if ((error = prison_remote_ip4(td->td_ucred,
+ &sin.sin_addr)) != 0)
+ goto out;
++ inp->inp_vflag |= INP_IPV4;
++ inp->inp_vflag &= ~INP_IPV6;
+ if ((error = tcp_connect(tp, (struct sockaddr *)&sin, td)) != 0)
+ goto out;
+ #ifdef TCP_OFFLOAD
+@@ -601,11 +614,11 @@
+ goto out;
+ }
+ #endif
++ if ((error = prison_remote_ip6(td->td_ucred, &sin6p->sin6_addr)) != 0)
++ goto out;
+ inp->inp_vflag &= ~INP_IPV4;
+ inp->inp_vflag |= INP_IPV6;
+ inp->inp_inc.inc_flags |= INC_ISIPV6;
+- if ((error = prison_remote_ip6(td->td_ucred, &sin6p->sin6_addr)) != 0)
+- goto out;
+ if ((error = tcp6_connect(tp, nam, td)) != 0)
+ goto out;
+ #ifdef TCP_OFFLOAD
+@@ -618,6 +631,15 @@
+ error = tcp_output(tp);
+
+ out:
++ /*
++ * If the implicit bind in the connect call fails, restore
++ * the flags we modified.
++ */
++ if (error != 0 && inp->inp_lport == 0) {
++ inp->inp_vflag = vflagsav;
++ inp->inp_inc.inc_flags = incflagsav;
++ }
++
+ TCPDEBUG2(PRU_CONNECT);
+ INP_WUNLOCK(inp);
+ return (error);
+--- sys/netinet6/sctp6_usrreq.c.orig
++++ sys/netinet6/sctp6_usrreq.c
+@@ -608,6 +608,7 @@
+ struct sctp_inpcb *inp;
+ struct in6pcb *inp6;
+ int error;
++ u_char vflagsav;
+
+ inp = (struct sctp_inpcb *)so->so_pcb;
+ if (inp == NULL) {
+@@ -638,6 +639,7 @@
+ }
+ }
+ inp6 = (struct in6pcb *)inp;
++ vflagsav = inp6->inp_vflag;
+ inp6->inp_vflag &= ~INP_IPV4;
+ inp6->inp_vflag |= INP_IPV6;
+ if ((addr != NULL) && (SCTP_IPV6_V6ONLY(inp6) == 0)) {
+@@ -667,7 +669,7 @@
+ inp6->inp_vflag |= INP_IPV4;
+ inp6->inp_vflag &= ~INP_IPV6;
+ error = sctp_inpcb_bind(so, (struct sockaddr *)&sin, NULL, p);
+- return (error);
++ goto out;
+ }
+ #endif
+ break;
+@@ -684,7 +686,8 @@
+ if (addr->sa_family == AF_INET) {
+ /* can't bind v4 addr to v6 only socket! */
+ SCTP_LTRACE_ERR_RET(inp, NULL, NULL, SCTP_FROM_SCTP6_USRREQ, EINVAL);
+- return (EINVAL);
++ error = EINVAL;
++ goto out;
+ }
+ #endif
+ sin6_p = (struct sockaddr_in6 *)addr;
+@@ -693,10 +696,14 @@
+ /* can't bind v4-mapped addrs either! */
+ /* NOTE: we don't support SIIT */
+ SCTP_LTRACE_ERR_RET(inp, NULL, NULL, SCTP_FROM_SCTP6_USRREQ, EINVAL);
+- return (EINVAL);
++ error = EINVAL;
++ goto out;
+ }
+ }
+ error = sctp_inpcb_bind(so, addr, NULL, p);
++out:
++ if (error != 0)
++ inp6->inp_vflag = vflagsav;
+ return (error);
+ }
+
+--- sys/netinet6/udp6_usrreq.c.orig
++++ sys/netinet6/udp6_usrreq.c
+@@ -947,6 +947,7 @@
+ struct inpcb *inp;
+ struct inpcbinfo *pcbinfo;
+ int error;
++ u_char vflagsav;
+
+ pcbinfo = get_inpcbinfo(so->so_proto->pr_protocol);
+ inp = sotoinpcb(so);
+@@ -954,6 +955,7 @@
+
+ INP_WLOCK(inp);
+ INP_HASH_WLOCK(pcbinfo);
++ vflagsav = inp->inp_vflag;
+ inp->inp_vflag &= ~INP_IPV4;
+ inp->inp_vflag |= INP_IPV6;
+ if ((inp->inp_flags & IN6P_IPV6_V6ONLY) == 0) {
+@@ -981,6 +983,8 @@
+ #ifdef INET
+ out:
+ #endif
++ if (error != 0)
++ inp->inp_vflag = vflagsav;
+ INP_HASH_WUNLOCK(pcbinfo);
+ INP_WUNLOCK(inp);
+ return (error);
+@@ -1023,6 +1027,7 @@
+ struct inpcbinfo *pcbinfo;
+ struct sockaddr_in6 *sin6;
+ int error;
++ u_char vflagsav;
+
+ pcbinfo = get_inpcbinfo(so->so_proto->pr_protocol);
+ inp = sotoinpcb(so);
+@@ -1046,17 +1051,26 @@
+ goto out;
+ }
+ in6_sin6_2_sin(&sin, sin6);
+- inp->inp_vflag |= INP_IPV4;
+- inp->inp_vflag &= ~INP_IPV6;
+ error = prison_remote_ip4(td->td_ucred, &sin.sin_addr);
+ if (error != 0)
+ goto out;
++ vflagsav = inp->inp_vflag;
++ inp->inp_vflag |= INP_IPV4;
++ inp->inp_vflag &= ~INP_IPV6;
+ INP_HASH_WLOCK(pcbinfo);
+ error = in_pcbconnect(inp, (struct sockaddr *)&sin,
+ td->td_ucred);
+ INP_HASH_WUNLOCK(pcbinfo);
++ /*
++ * If connect succeeds, mark socket as connected. If
++ * connect fails and socket is unbound, reset inp_vflag
++ * field.
++ */
+ if (error == 0)
+ soisconnected(so);
++ else if (inp->inp_laddr.s_addr == INADDR_ANY &&
++ inp->inp_lport == 0)
++ inp->inp_vflag = vflagsav;
+ goto out;
+ }
+ #endif
+@@ -1064,16 +1078,25 @@
+ error = EISCONN;
+ goto out;
+ }
+- inp->inp_vflag &= ~INP_IPV4;
+- inp->inp_vflag |= INP_IPV6;
+ error = prison_remote_ip6(td->td_ucred, &sin6->sin6_addr);
+ if (error != 0)
+ goto out;
++ vflagsav = inp->inp_vflag;
++ inp->inp_vflag &= ~INP_IPV4;
++ inp->inp_vflag |= INP_IPV6;
+ INP_HASH_WLOCK(pcbinfo);
+ error = in6_pcbconnect(inp, nam, td->td_ucred);
+ INP_HASH_WUNLOCK(pcbinfo);
++ /*
++ * If connect succeeds, mark socket as connected. If
++ * connect fails and socket is unbound, reset inp_vflag
++ * field.
++ */
+ if (error == 0)
+ soisconnected(so);
++ else if (IN6_IS_ADDR_UNSPECIFIED(&inp->in6p_laddr) &&
++ inp->inp_lport == 0)
++ inp->inp_vflag = vflagsav;
+ out:
+ INP_WUNLOCK(inp);
+ return (error);
Added: head/share/security/patches/EN-18:11/listen-10.patch.asc
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ head/share/security/patches/EN-18:11/listen-10.patch.asc Thu Sep 27 19:11:47 2018 (r52312)
@@ -0,0 +1,18 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQKTBAABCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAlutKX5fFIAAAAAALgAo
+aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD
+MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n
+5cLu1Q//dA9SiNzXp7Yn4jdV4DYI9OAOeeqi0yPYNpMjA2YL3/ItEB4SrIE86ELc
+9/OuUXZPUaRkvefgOO8IvY/wZKDCHOm94lizn2mstp3JyNLVFaTWimu1QQSaZZCj
+bCCVqMVWlYa3ssIUv3wJ8XPf0hDAJ4m+UuMoKG/6YpIsy5AM041RHNYFj881KLRw
+4vBioFuoKKQliIksfTgLJjjf6HvKeu9tHnckKrAyZ//sxAsSZ5zfnQbjXwympY8R
+n22Om1aXSYQc4Pve4dXY6gLhPcEtIAZKR6L1SOWtHv1RECSK98ePbDTXqQIkpOab
+au/WJyjLkZQ6SgIZofGVe9OAb0ibYO5eshgMWmHHDXyFmPAZ7P/XUFWM0C3bN5DA
+gQo3sLVJxZ2x6S8/shhK9OWU0pxVFbsewKsqTpHqozhCL/s9obfr81ao2dAGV8pR
+l9kT16PZcuWmvqMPgb7AF1eTBzSg4XtGcAEqcwIIuUEnCplCrnaDVaCfATsmu48s
+/x8RELtfCBbwGdCcoaCTimQJSe2xVfEI/mO60C1fZCeQCVfsCepgFDfR0HGd/lIq
+tCDIgoCFs978IPyApSpJ9IENK+SdA8jxfyPYbR+DrtCP23TIt+n6VISP5KCYRgn0
+mk/h/BV1GxHsM3FonUE3cV+AReRT3lJZHenXKQU3mxZn9C3wpKs=
+=1akG
+-----END PGP SIGNATURE-----
Added: head/share/security/patches/EN-18:11/listen-11.patch
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ head/share/security/patches/EN-18:11/listen-11.patch Thu Sep 27 19:11:47 2018 (r52312)
@@ -0,0 +1,260 @@
+--- sys/netinet/tcp_usrreq.c.orig
++++ sys/netinet/tcp_usrreq.c
+@@ -339,6 +339,7 @@
+ struct inpcb *inp;
+ struct tcpcb *tp = NULL;
+ struct sockaddr_in6 *sin6p;
++ u_char vflagsav;
+
+ sin6p = (struct sockaddr_in6 *)nam;
+ if (nam->sa_len != sizeof (*sin6p))
+@@ -355,6 +356,7 @@
+ inp = sotoinpcb(so);
+ KASSERT(inp != NULL, ("tcp6_usr_bind: inp == NULL"));
+ INP_WLOCK(inp);
++ vflagsav = inp->inp_vflag;
+ if (inp->inp_flags & (INP_TIMEWAIT | INP_DROPPED)) {
+ error = EINVAL;
+ goto out;
+@@ -384,6 +386,8 @@
+ error = in6_pcbbind(inp, nam, td->td_ucred);
+ INP_HASH_WUNLOCK(&V_tcbinfo);
+ out:
++ if (error != 0)
++ inp->inp_vflag = vflagsav;
+ TCPDEBUG2(PRU_BIND);
+ TCP_PROBE2(debug__user, tp, PRU_BIND);
+ INP_WUNLOCK(inp);
+@@ -447,6 +451,7 @@
+ int error = 0;
+ struct inpcb *inp;
+ struct tcpcb *tp = NULL;
++ u_char vflagsav;
+
+ TCPDEBUG0;
+ inp = sotoinpcb(so);
+@@ -456,6 +461,7 @@
+ error = EINVAL;
+ goto out;
+ }
++ vflagsav = inp->inp_vflag;
+ tp = intotcpcb(inp);
+ TCPDEBUG1();
+ SOCK_LOCK(so);
+@@ -482,6 +488,9 @@
+ if (tp->t_flags & TF_FASTOPEN)
+ tp->t_tfo_pending = tcp_fastopen_alloc_counter();
+ #endif
++ if (error != 0)
++ inp->inp_vflag = vflagsav;
++
+ out:
+ TCPDEBUG2(PRU_LISTEN);
+ TCP_PROBE2(debug__user, tp, PRU_LISTEN);
+@@ -558,6 +567,8 @@
+ struct inpcb *inp;
+ struct tcpcb *tp = NULL;
+ struct sockaddr_in6 *sin6p;
++ u_int8_t incflagsav;
++ u_char vflagsav;
+
+ TCPDEBUG0;
+
+@@ -574,6 +585,8 @@
+ inp = sotoinpcb(so);
+ KASSERT(inp != NULL, ("tcp6_usr_connect: inp == NULL"));
+ INP_WLOCK(inp);
++ vflagsav = inp->inp_vflag;
++ incflagsav = inp->inp_inc.inc_flags;
+ if (inp->inp_flags & INP_TIMEWAIT) {
+ error = EADDRINUSE;
+ goto out;
+@@ -603,11 +616,11 @@
+ }
+
+ in6_sin6_2_sin(&sin, sin6p);
+- inp->inp_vflag |= INP_IPV4;
*** DIFF OUTPUT TRUNCATED AT 1000 LINES ***
More information about the svn-doc-all
mailing list