Date: Tue, 13 May 2014 23:22:28 +0000 (UTC) From: Xin LI <delphij@FreeBSD.org> To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-releng@freebsd.org Subject: svn commit: r265987 - in releng/10.0: . crypto/openssl/ssl sys/conf sys/dev/ciss Message-ID: <201405132322.s4DNMSh6058494@svn.freebsd.org>
next in thread | raw e-mail | index | archive | help
Author: delphij Date: Tue May 13 23:22:28 2014 New Revision: 265987 URL: http://svnweb.freebsd.org/changeset/base/265987 Log: Fix OpenSSL NULL pointer deference vulnerability. [SA-14:09] Security: FreeBSD-SA-14:09.openssl Security: CVE-2014-0198 Fix data corruption with ciss(4). [EN-14:05] Errata: FreeBSD-EN-14:05.ciss Approved by: so Modified: releng/10.0/UPDATING releng/10.0/crypto/openssl/ssl/s3_pkt.c releng/10.0/sys/conf/newvers.sh releng/10.0/sys/dev/ciss/ciss.c Modified: releng/10.0/UPDATING ============================================================================== --- releng/10.0/UPDATING Tue May 13 23:19:16 2014 (r265986) +++ releng/10.0/UPDATING Tue May 13 23:22:28 2014 (r265987) @@ -16,6 +16,13 @@ from older versions of FreeBSD, try WITH stable/10, and then rebuild without this option. The bootstrap process from older version of current is a bit fragile. +20140513: p3 FreeBSD-SA-14:10.openssl + FreeBSD-EN-14:05.ciss + + Fix OpenSSL NULL pointer deference vulnerability. [SA-14:10] + + Fix data corruption with ciss(4). [EN-14:05] + 20140430: p2 FreeBSD-SA-14:07.devfs FreeBSD-SA-14:08.tcp FreeBSD-SA-14:09.openssl Modified: releng/10.0/crypto/openssl/ssl/s3_pkt.c ============================================================================== --- releng/10.0/crypto/openssl/ssl/s3_pkt.c Tue May 13 23:19:16 2014 (r265986) +++ releng/10.0/crypto/openssl/ssl/s3_pkt.c Tue May 13 23:22:28 2014 (r265987) @@ -657,6 +657,10 @@ static int do_ssl3_write(SSL *s, int typ if (i <= 0) return(i); /* if it went, fall through and send more stuff */ + /* we may have released our buffer, so get it again */ + if (wb->buf == NULL) + if (!ssl3_setup_write_buffer(s)) + return -1; } if (len == 0 && !create_empty_fragment) Modified: releng/10.0/sys/conf/newvers.sh ============================================================================== --- releng/10.0/sys/conf/newvers.sh Tue May 13 23:19:16 2014 (r265986) +++ releng/10.0/sys/conf/newvers.sh Tue May 13 23:22:28 2014 (r265987) @@ -32,7 +32,7 @@ TYPE="FreeBSD" REVISION="10.0" -BRANCH="RELEASE-p2" +BRANCH="RELEASE-p3" if [ "X${BRANCH_OVERRIDE}" != "X" ]; then BRANCH=${BRANCH_OVERRIDE} fi Modified: releng/10.0/sys/dev/ciss/ciss.c ============================================================================== --- releng/10.0/sys/dev/ciss/ciss.c Tue May 13 23:19:16 2014 (r265986) +++ releng/10.0/sys/dev/ciss/ciss.c Tue May 13 23:22:28 2014 (r265987) @@ -180,8 +180,6 @@ static int ciss_cam_emulate(struct ciss_ static void ciss_cam_poll(struct cam_sim *sim); static void ciss_cam_complete(struct ciss_request *cr); static void ciss_cam_complete_fixup(struct ciss_softc *sc, struct ccb_scsiio *csio); -static struct cam_periph *ciss_find_periph(struct ciss_softc *sc, - int bus, int target); static int ciss_name_device(struct ciss_softc *sc, int bus, int target); /* periodic status monitoring */ @@ -3398,27 +3396,6 @@ ciss_cam_complete_fixup(struct ciss_soft /******************************************************************************** - * Find a peripheral attached at (target) - */ -static struct cam_periph * -ciss_find_periph(struct ciss_softc *sc, int bus, int target) -{ - struct cam_periph *periph; - struct cam_path *path; - int status; - - status = xpt_create_path(&path, NULL, cam_sim_path(sc->ciss_cam_sim[bus]), - target, 0); - if (status == CAM_REQ_CMP) { - periph = cam_periph_find(path, NULL); - xpt_free_path(path); - } else { - periph = NULL; - } - return(periph); -} - -/******************************************************************************** * Name the device at (target) * * XXX is this strictly correct? @@ -3427,12 +3404,22 @@ static int ciss_name_device(struct ciss_softc *sc, int bus, int target) { struct cam_periph *periph; + struct cam_path *path; + int status; if (CISS_IS_PHYSICAL(bus)) return (0); - if ((periph = ciss_find_periph(sc, bus, target)) != NULL) { + + status = xpt_create_path(&path, NULL, cam_sim_path(sc->ciss_cam_sim[bus]), + target, 0); + + if (status == CAM_REQ_CMP) { + mtx_lock(&sc->ciss_mtx); + periph = cam_periph_find(path, NULL); sprintf(sc->ciss_logical[bus][target].cl_name, "%s%d", periph->periph_name, periph->unit_number); + mtx_unlock(&sc->ciss_mtx); + xpt_free_path(path); return(0); } sc->ciss_logical[bus][target].cl_name[0] = 0;
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201405132322.s4DNMSh6058494>