path: root/lib/libc
Commit log. Each entry gives the commit message, followed by [author, date, files changed, lines -removed/+added].

* Don't crash dumping malloc stats if malloc_init hasn't been called, noted by David CARLIER
  [otto, 2016-01-26, 1 file, -1/+3]

* When encoding fails in fputwc(3), set the error indicator as required by POSIX and as FreeBSD, SunOS 10/11, and glibc also do it.
  Note that an enquiry to the Austin Group led to the conclusion that this change probably violates the C standard: C and POSIX unintentionally conflict. But the POSIX behaviour makes more sense (easier to write correct error handling code for it, and a lower risk that programs miss errors) and is much more widespread, and the Austin Group intends to approach the C committee in order to adjust the C standard. See: http://austingroupbugs.net/view.php?id=1022
  While here, do not set errno a second time, wcrtomb(3) already did that, and it is required to do it by the standard.
  OK millert@ and tedu@, and jca@ no longer objects
  [schwarze, 2016-01-26, 1 file, -2/+2]

* replace (void *)0 with NULL
  [mmcc, 2016-01-19, 1 file, -4/+4]

* remove a nop assignment that has been #if 0'd since 1996
  ok millert@
  [mmcc, 2016-01-19, 1 file, -5/+1]

* adjust some syscalls in proc & id; from Carlin Bingham
  [deraadt, 2016-01-18, 1 file, -5/+9]

* Replace "function call" with "function" when referring to a function (well, a syscall, but this is the established practice) in the general sense.
  ok jmc@
  [mmcc, 2016-01-09, 1 file, -3/+3]

* drop "abort" promise, and make it the default behaviour.
  The current code has already set it by default since 1.74: any pledge failure tries to make a coredump (default rules for coredump still apply, so setuid binaries don't create them locally).
  ok deraadt@
  [semarie, 2016-01-09, 1 file, -3/+3]

* add a bug that the path whitelist is not available at this time.
  [tedu, 2016-01-06, 1 file, -2/+4]

* Long ago, malloc internally had two kinds of failures, warnings and errors. The 'A' option elevated warnings to errors, and has been the default for some time. Then warnings were effectively eliminated in favor of everything being an error, but then the 'a' flag turned real errors into warnings! Remove the 'a' option entirely. You shouldn't have used it anyway.
  ok tb tdeval
  [tedu, 2016-01-06, 2 files, -14/+7]

* Use "path" not "file" as the function arg to utimes() and utimensat(). The DESCRIPTION section already referred to "path" in some places.
  [millert, 2016-01-05, 1 file, -8/+8]

* Follow style(9) and drop lint /* NOTREACHED */ annotations from the examples. Diff from Juuso Lapinlampi < wub () partyvan ! eu >, thanks!
  ok schwarze@
  [tb, 2016-01-04, 2 files, -6/+4]

* Bugfix: When errno happens to be EILSEQ upon entry to fgetws(3), and when the file ends without a terminating Ln character, fgetws(3) discarded any characters read and reported bogus EOF. Never inspect errno(2) unless right after an error occurred!
  OK millert@
  [schwarze, 2016-01-04, 1 file, -3/+3]

* Fix lots of bugs.
  1. When fprintf(fp, "...%ls...", ...) encounters an encoding error, do not destroy all the fp->_flags, which made the file permanently unreadable and unwriteable.
  2. Do not change fp->_flags at all in case of encoding errors. Neither the manual nor POSIX ask for it, no other conversions set the error indicator, and it isn't needed because the return value reports failure and must be checked anyway.
  3. Detect failure in mbrtowc(3), do not silently treat invalid bytes in the format string as the end of the format string.
  4. Detect failure of __find_arguments(), no matter whether due to out of memory conditions or encoding errors, and gracefully fail rather than accessing an invalid pointer.
  5. Remove the pointless and slightly dangerous errno = EILSEQ overrides after functions that already do that and are required by the standard to do so.
  OK jca@ on items 1, 2, and 5. OK millert@ on the complete diff. "Completely brutal mix of bugs." deraadt@
  [schwarze, 2016-01-04, 1 file, -18/+28]

* another case where bad things would happen after wrterror
  [tedu, 2015-12-30, 1 file, -2/+4]

* if somebody makes the mistake of disabling abort, don't deref null in validate_junk. from Michal Mazurek
  [tedu, 2015-12-30, 1 file, -2/+4]

* Verify that the section header size supplied in the ELF header is what we expect it to be. This prevents out-of-bounds access or excessive memory allocation on a malformed ELF header. Found by Serguey Parkhomovsky with AFL. Improved by and ok kettenis@
  [mmcc, 2015-12-29, 1 file, -1/+4]

* Remove NULL-checks before free() and needless argument casts.
  ok tb@
  [mmcc, 2015-12-28, 1 file, -5/+3]

* Remove NULL-checks before free() and unnecessary argument casts.
  ok tb@
  [mmcc, 2015-12-28, 1 file, -8/+5]

* Remove NULL-checks before free() and a few related dead assignments.
  ok and valuable input from millert@
  [mmcc, 2015-12-28, 16 files, -96/+53]

* remove unused variable
  ok tedu@
  [chl, 2015-12-27, 1 file, -2/+1]

* Simplify allocation logic based on free and realloc's behavior on NULL.
  ok tedu@
  [mmcc, 2015-12-25, 1 file, -4/+3]

* Add missing second argument to FD_SET macro in example code snippet. Spotted and diff provided by d ! lowe () openmailbox ! org, thanks!
  ok schwarze@
  [tb, 2015-12-25, 1 file, -3/+3]

* Both our manual and POSIX ask us to set the error indicator when an encoding error occurs, so do it. While here, do not set errno after mbrtowc(3) failure; mbrtowc(3) already does that, and that behaviour is required by the standard.
  ok jca@ guenther@ "nice find" deraadt@
  [schwarze, 2015-12-24, 1 file, -2/+2]

* gethostbyname2() and gethostbyaddr() need <sys/socket.h>; discussed with millert@
  [tim, 2015-12-19, 1 file, -6/+8]

* Simplify return call of rand() and rand_r() to make it easier to read. This is slightly less robust, but RAND_MAX must be one below a power of two in both variants anyway. Based on a suggestion by Matthew Martin.
  ok tedu@
  [tb, 2015-12-18, 1 file, -2/+2]

* tweak previous;
  [jmc, 2015-12-16, 2 files, -4/+5]

* documents pledge(2) "dpath" promise
  with inputs from jmc@
  ok jmc@ deraadt@
  [semarie, 2015-12-16, 1 file, -1/+6]

* Remove support for HOSTALIASES from the resolver. This "open and parse any file indicated by an environment variable" feature inside the resolver is incompatible with what pledge "dns" is trying to be. It is a misguided "feature" added way back in history which almost no one uses, but everyone has to assume the risk from.
  ok eric florian kettenis
  [deraadt, 2015-12-16, 7 files, -81/+13]

* in pledged process, setuid/setgid/sticky bits should be ignored. enforce it for mkfifo(2) and mknod(2) (with "dpath" promise).
  ok deraadt@
  [semarie, 2015-12-16, 1 file, -2/+4]

* s/begining/beginning/g
  [mmcc, 2015-12-14, 1 file, -2/+2]

* Remove calloc cast, give sizeof parens. No functional change.
  [mmcc, 2015-12-12, 1 file, -2/+2]

* "the the" -> "the" in comment
  [mmcc, 2015-12-11, 1 file, -2/+2]

* tiny sanity check on file size
  [tedu, 2015-12-10, 1 file, -1/+3]

* use geteuid to make it easier for root to communicate.
  reported by Jeunder Yu
  [tedu, 2015-12-10, 1 file, -2/+2]

* Integrate two patches originally from Daniel Micay.
  1. Optionally add random "canaries" to the end of an allocation. This requires increasing the internal size of the allocation slightly, which probably results in a large effective increase with current power of two sizing. Therefore, this option is only enabled via 'C'.
  2. When writing junk (0xdf) to freed chunks (current default behavior), check that the junk is still intact when finally freeing the delayed chunk to catch some potential use after free. This should be pretty cheap so there's no option to control it separately.
  ok deraadt tb
  [tedu, 2015-12-09, 1 file, -8/+76]

* rewrite guts of getusershell() to avoid possibility of overflow. instead of trying to allocate "just enough" memory based on the size of the file (which is mostly comments, in fact), allocate memory on demand. i.e., save memory by wasting it. also be a little stricter about parsing. after discussion with tobias. (with a bug fix from patrick keshishian) descended from glibc bug 18660 via tobias.
  [tedu, 2015-12-08, 1 file, -41/+45]

* Validate input files to prevent out of boundary accesses.
  with input by and ok schwarze@
  [tobias, 2015-12-06, 1 file, -63/+80]

* Remove the /usr/share/nls/ exception from pledge(2). The libc native language support was deleted a month ago at u2k15.
  OK semarie@ deraadt@
  [bluhm, 2015-12-03, 1 file, -9/+5]

* use strlcat instead of strlcpy with modified arguments. ok deraadt@
  [canacar, 2015-12-01, 1 file, -6/+5]

* Document that "tty" provides read-write access to /dev/tty too.
  OK deraadt@
  [millert, 2015-12-01, 1 file, -4/+9]

* modify getpw*(), getgr*(), and getgrouplist() functions to access the YP lock file unconditionally. This hints to the kernel that a "getpw" operation is happening, even in the non-YP case. This looks like a gruesome hack, but helps refine the ways these functions are called and mandates the right pledge requests. Once the tree is fully annotated we will know better how to improve the backing store management.
  ok semarie espie beck
  [deraadt, 2015-12-01, 3 files, -4/+24]

* Send Aviion to same place as Nova II
  discussed with jsg
  [deraadt, 2015-12-01, 1 file, -5/+5]

* Mention ksh along with csh when job control is discussed. ok deraadt@
  [mmcc, 2015-12-01, 1 file, -3/+6]

* Phrase allocation failure more clearly. ok deraadt@
  [mmcc, 2015-12-01, 1 file, -3/+3]

* change Xrs from now-defunct db(3) to dbopen(3); this wasn't a straight replace: thanks both to schwarze and maja for feedback on how to rewrite parts; i've snuck in an rcs id->openbsd id change in dev_mkdb too;
  [jmc, 2015-11-30, 4 files, -17/+17]

* Add pledge "pf" which allows ioctls on pf(4). This will be used by relayd and other programs manipulating the packet filter.
  ok deraadt@
  [benno, 2015-11-29, 1 file, -2/+20]

* remove the "YP server for domain %s not responding, still trying" code. For years, it talked to stderr. That was wrong. Then it was converted to opening /dev/tty, which is also wrong (pledge says so). Upon reconsideration people in these more modern times have adapted to all sorts of services not being available, so axe the alert and retry silently.
  ok beck
  [deraadt, 2015-11-26, 1 file, -15/+1]

* group_from_gid: use _GR_BUF_LEN instead of _PW_BUF_LEN
  [jcs, 2015-11-25, 1 file, -2/+2]

* Wrap <icdb.h> so that calls go direct and the symbols are all weak
  ok tedu@
  [guenther, 2015-11-25, 2 files, -1/+47]

* Make using a deprecated function an error instead of just a warning
  ok millert@ kettenis@
  [guenther, 2015-11-25, 1 file, -1/+5]