Copy stable/9 to releng/9.3 as part of the 9.3-RELEASE cycle.

Approved by: re (implicit)
Sponsored by: The FreeBSD Foundation

MFC r243779 (marcel):

Protect against DoS attacks, such as being described in CVE-2010-2632.
The changes were derived from what has been committed to NetBSD, with
modifications. These are:

1. Preserve the existsing GLOB_LIMIT behaviour by including the number
of matches to the set of parameters to limit.
2. Change some of the limits to avoid impacting normal use cases:
GLOB_LIMIT_STRING - change from 65536 to ARG_MAX so that glob(3)
can still provide a full command line of expanded names.
GLOB_LIMIT_STAT - change from 128 to 1024 for no other reason than
that 128 feels too low (it's not a limit that impacts the
behaviour of the test program listed in CVE-2010-2632).
GLOB_LIMIT_PATH - change from 1024 to 65536 so that glob(3) can
still provide a fill command line of expanded names.
3. Protect against buffer overruns when we hit the GLOB_LIMIT_STAT or
GLOB_LIMIT_READDIR limits. We append SEP and EOS to pathend in
those cases. Return GLOB_ABORTED instead of GLOB_NOSPACE when we
would otherwise overrun the buffer.

This change also modifies the existing behaviour of glob(3) in case
GLOB_LIMIT is specifies by limiting the *new* matches and not all
matches. This is an important distinction when GLOB_APPEND is set or
when the caller uses a non-zero gl_offs. Previously pre-existing
matches or the value of gl_offs would be counted in the number of
matches even though the man page states that glob(3) would return
GLOB_NOSPACE when gl_matchc or more matches were found.

The limits that cannot be circumvented are GLOB_LIMIT_STRING and
GLOB_LIMIT_PATH all others can be crossed by simply calling glob(3)
again and with GLOB_APPEND set.

The entire description above applies only when GLOB_LIMIT has been
specified of course. No limits apply when this flag isn't set!

Obtained from: Juniper Networks, Inc

MFC r243758 (marcel):

In globextend() when the pathv vector cannot be (re-)allocated, don't
free and clear the gl_pathv pointer in the glob_t structure. Such
breaks the invariant of the glob_t structure, as stated in the comment
right in front of the globextend() function. If gl_pathv was non-NULL,
then gl_pathc was > 0. Making gl_pathv a NULL pointer without also
setting gl_pathc to 0 is wrong.

Since we otherwise don't free the memory associated with a glob_t in
error cases, it's unlikely that this change will cause a memory leak
that wasn't already there to begin with. Callers of glob(3) must
call globfree(3) irrespective of whether glob(3) returned an error
or not.

MFC r243759 (marcel):

In globextend(), take advantage of the fact that realloc(NULL, size) is
equivalent to malloc(size). This eliminates the conditional expression
used for calling either realloc() or malloc() when realloc() will do
all the time.

MFC the xlocale implementation.

Merged revisions: 227487,227753,227807,227818,227999,228002,228875,230156,231673,232498,232601,232620,232626,232926-232927,232929,232931,232935,233173,233600,234573,234578,235239

This currently defines __NO_TLS on ARM (unlike head), because the required
support function has not been MFC'd.

MFC r228754:
- Add restrict keyword to glob(3)

PR: kern/161958
Approved by: jilles

Copy head to stable/9 as part of 9.0-RELEASE release cycle.

Approved by: re (implicit)

Fix a bug due to a type conversion from 64 to 32 bits. The side effect of
this type conversion is the high bits which were used to indicate if a
special character was a literal or special were dropped. As a result, all
special character were treated as special, even if they were supposed to
be literals.

Reviewed by: gad@
Approved by: mentor (wes@)

Gcc barfs in glob.c when run with -O3. To fix this make g_strchr() work on
and return (const Char *) pointers instead of just (Char *) and get rid of
all the type casting.

PR: kern/124334

Per Regents of the University of Calfornia letter, remove advertising
clause.

# If I've done so improperly on a file, please let me know.

- ANSIfy.
- Remove two unnecessary casts.

These changes would help gcc4 compile.

Reflect size_t changes in glob.h

Obtained from: NetBSD (mostly)

Don't reuse *pl to skip [], it is already used for {} parts in the loop above
(submitted patch slightly modified)

PR: 86038
Submitted by: Gerd Rausch <gerd@juniper.net>

Add support for multibyte characters.

Remove incomplete support for running FreeBSD userland on old NetBSD kernels
lacking the issetugid() and utrace() syscalls.

Update glob(3) to add all the POSIX required options, specifically:

- add GLOB_NOMATCH return value and use it when we don't get a match
- rename GLOB_ABEND to GLOB_ABORTED and use it instead of returning 1
in some places
- add GLOB_NOESCAPE flag and retire GLOB_QUOTE to compatibility
section

Suggestions/advice on correct usage of POSIX defines: wollman

* Remove __P and convert to ANSI prototypes.
* Remove 'register'. (some functions had 7+ register functions...)
* Fix SCM ID's.

Rename the GLOB_MAXPATH flag of glob(3) to GLOB_LIMIT to be compatible
with NetBSD and OpenBSD. glob(3) will now return GLOB_NOSPACE with
errno set to 0 instead of GLOB_LIMIT when we match more than `gl_matchc'
patterns. GLOB_MAXPATH has been left as an alias of GLOB_LIMIT to
maintain backwards compatibility.

Reviewed by: sheldonh, assar
Obtained from: NetBSD/OpenBSD

Mostly pick up OpenBSD's rev 1.14 by deraadt@ and millert@.
I've left out a couple of unused args between internal functions.
Use MAXPATHLEN, not MAXPATHLEN + 1 in a couple of places.
Pass a pointer to the end of the target filename space.

OpenBSD's g_Ctoc() returned a false error when the target buffer was
exactly the right size. Do it differently - pass a length rather than an
end-of-string+1 pointer as this is more convenient anyway. Get rid of
the bogus +1's.

Fix g_Ctoc() interface, approximately based on OpenBSD's recent changes.
Also, set gl_pathv to NULL after we free it, especially when dealing
with realloc failures.

Obtained from: OpenBSD

Introduce the GLOB_MAXPATH flag, which allows the user to limit the
number of paths which glob(3) will return. Remove the hardcoded limit
from the last commit, which restores the previous unbounded behavior.

Document the new flag in the manual page.

Bump MAX_GLOBENTRIES up to 16384, so it is a power of two. Add
some comments explaining that this is an arbitrary limit.

Requested by: jkh

Limit the number of paths that glob can return to MAX_GLOBENTRIES, which
is currently set to 10000. This is intended to prevent glob from running
amok when a highly recursive path is provided (such as "../*/../*/../*/...")

Reviewed by: Diane Bruce <db@db.net>, jhb

NetBSD kernels don't have issetugid(), so #ifdef this out when
building FreeBSD's libc to run with a NetBSD kernel. We'll get to
the alpha kernel later, I promise. 8-)

Use getpwnam(getlogin()) before getpwuid(getuid())

Don't getenv(HOME) when set[ug]od. This can lead to a buffer overflow and
elevated privs.
Obtained from: OpenBSD

Speedup in case locale not used

Buffer overflow. Similar, but different, to the fix that Julian A submitted
in PR 2580.

Obtained from: BSDi by way of Keith Bostic

Should be in 2.2 and 2.1.x. I'll merge into 2.2.

collate_range_cmp -> __collate_range_cmp

Convert to newly aded collate compare function

Remove static collcmp, ise new internal function now

Use collate for alpha character ranges

Remove trailing whitespace.

This commit was generated by cvs2svn to compensate for changes in r1573,
which included commits to RCS files with non-trunk default branches.

BSD 4.4 Lite Lib Sources