| Age | Commit message (Collapse) | Author | 
|---|
|  | This vulnerability (CERT-FI #514838) was reported by CROSS project.
The error is reproducible only when ospfd debugging is enabled:
  * debug ospf packet all
  * debug ospf zebra
When incoming packet header type field is set to 0x0a, ospfd will crash.
* ospf_packet.c
  * ospf_verify_header(): add type field check
  * ospf_read(): perform input checks early | 
|  | This vulnerability (CERT-FI #514838) was reported by CROSS project.
When only 14 first bytes of a Hello packet is delivered, ospfd crashes.
* ospf_packet.c
  * ospf_read(): add size check | 
|  | This vulnerability (CERT-FI #514837) was reported by CROSS project.
They have also suggested a fix to the problem, which was found
acceptable.
Quagga ospfd does not seem to handle unknown LSA types in a Link State
Update message correctly. If LSA type is something else than one
supported
by Quagga, the default handling of unknown types leads to an error.
* ospf_flood.c
  * ospf_flood(): check return value of ospf_lsa_install() | 
|  | This vulnerability (CERT-FI #513254) was reported by CROSS project.
They have also suggested a fix to the problem, which was found
acceptable.
The problem occurs when bgpd receives an UPDATE message containing
255 unknown AS_PATH attributes in Path Attribute Extended Communities.
This causes a buffer overlow in bgpd.
* bgp_ecommunity.c
  * ecommunity_ecom2str(): perform size check earlier | 
|  | * lib/prefix.h
  * IPV4_CLASS_DE(): new helper macro
* bgp_attr.c
  * bgp_attr_nexthop(): add check for "partial" bit, refresh flag error
    reporting, explain meaning of RFC4271 section 6.3 and implement it | 
|  | * bgp_debug.c (bgp_notify_open_msg, bgp_notify_update_msg,
  bgp_notify_cease_msg, bgp_notify_capability_msg): add messages for
  "unspecific" subcode. | 
|  | * log.[ch]
  * mes_lookup: add a parameter with the name of the message list, print
    the name in case of failure.
  * LOOKUP macro: pass the name of the message list. | 
|  | * bgp_attr.c
  * bgp_attr_atomic(): accept extra argument, add checks for
    "optional", "transitive" and "partial" bits, log each error
    condition independently
  * bgp_attr_parse(): provide extra argument | 
|  | * bgp_attr.c
  * bgp_attr_med(): add checks for "optional", "transitive" and
    "partial" bits, log each error condition independently | 
|  | * bgp_attr.c
  * bgp_attr_local_pref(): accept extra argument, add checks for
    "optional" and "transitive" bits, log each error condition
    independently
  * bgp_attr_parse(): provide extra argument | 
|  | Other platform may have compatible facilities. | 
|  |  | 
|  |  | 
|  | * isis_pdu.c: Divide hello interval by three, depending if we are DIS or
  not. | 
|  | The crash is due to threads accessing data that gets destroyed
during the removal of the configuration.
* isis_circuit.c: Destroy adjacencies to stop adjacency expiry thread.
  Stop PSNP threads.
* isisd.c: Change state of circuit back to INIT and reassign the
  circuit structure to isis->init_circ_list rather than destroying
  the circuit data structure. Stop SPF threads. Stop LSP generation
  threads.
* isisd.h: Add pointers to LSP threads into area structure in order to
  stop them in isisd.c
* isis_lsp.c: Store pointer to LSP thread in area structure.
* isis_pdu.c: Stop PDU generation for a circuit with a removed area.
* isis_pfpacket.c: Stop processing received PDUs for a circuit with a
  removed area. | 
|  | * ospf6_area.c: Call ospf6_spf_table_finish() before deleting the spf
    table.  This ensures that the associated ospf6_vertex structures
    are also freed.
* ospf6_spf.c: Only allocate a priority queue when a spf calculation
    is actually performed. | 
|  | * ospf6_route.c ([no_]debug_ospf6_route) Include memory as a debug
  option.  This allows ospf6 route memory debugging to be enabled or
  disabled interactively or from a config file. | 
|  |  | 
|  | Recent versions of libc on Linux (Debian Testing) create lots of
compile warnings about direct usage of libutil.h | 
|  | * ospfd.texi: Adjust meaning of the rfc1583compatibility option in
  order to match the RFC specification and the actual source code. | 
|  | * ospf6_area.c
  * ospf6_area_config_write(): write filter-list, import-list and
    export-list lines | 
|  | "While setting up a testbed, I ran across a little problem in the
parsing of the "graceful restart" BGP capability that resulted in
Quagga not actually activating it for the peer in question - when
the peer sent a single AFI/SAFI block."
* bgp_open.c
  * bgp_capability_restart(): actually process the last AFI/SAFI block | 
|  | This essentially merges the fix available from Debian build of Quagga.
* ospf6_area.c
  * area_filter_list(): use correct argv indices
  * no_area_filter_list(): idem | 
|  | * bgp_packet.c
  * bgp_notify_send_with_data(): add calls to zlog_info() | 
|  |  | 
|  | * rt_netlink.c
  * netlink_route_change(): fetch metric information like
    netlink_routing_table() does and pass it further | 
|  |  | 
|  |  | 
|  |  | 
|  |  | 
|  |  | 
|  | This reverts commit 68575f4babf4d6fc302c366898a1047f13629214. | 
|  |  | 
|  | Since 46bc0e432e75, all the binaries are built as Position-Independed
Executables (if available and enabled). ospfd was missed for some
unknown reason. | 
|  | * ospf_ase.c
  * ospf_ase_complete_direct_routes(): dismiss unused variable
  * ospf_ase_calculate_route(): put assignments into parentheses | 
|  |  | 
|  | * ospf6_main.c: include required headers
* ospf6_asbr.h: idem
* ospf6_spf.c
  * ospf6_spf_install(): remove unused variables | 
|  | * ospf_spf.c
  * ROUTER_LSA_TOS_SIZE: prepend OSPF_ and move to ospf_lsa.h
  * ROUTER_LSA_MIN_SIZE: replace with existing OSPF_ROUTER_LSA_LINK_SIZE | 
|  | (This commit is based on the patch from BZ#420, and should fix that bug.)
* configure.ac: detect availability of that API
* sockopt.c (setsockopt_ipv4_multicast): use it for join/leave IPv4
  multicast groups | 
|  | * sockopt.c (setsockopt_ipv4_multicast): check for wrong optname with
  assert(), rather than return an error. | 
|  | Two extern declarations in ospf6_abr.h are based on struct ospf6_route,
which may not be available at the time ospf6_abr.h is included. This may
lead to warnings after including ospf6_abr.h just for the structures
defined in it. | 
|  |  | 
|  |  | 
|  | * sockopt.c (setsockopt_ipv4_multicast_if): fix missed line in
  the previous commit. | 
|  | * ospf6_abr.c
  * ospf6_abr_examin_summary(): only fill "buf" when it is used | 
|  | * sockopt.[ch] (setsockopt_ipv4_multicast): ifindex is now mandatory (all
  non-ancient OSes can use it anyway), and if_addr parameter (the address
  of the interface) is now gone. (setsockopt_ipv4_multicast_if):
  IP_MULTICAST_IF processing moved to this new function
* ospf_network.c (ospf_if_add_allspfrouters, ospf_if_drop_allspfrouters,
  ospf_if_add_alldrouters, ospf_if_drop_alldrouters, ospf_if_ipmulticast),
  rip_interface.c (ipv4_multicast_join, ipv4_multicast_leave,
  rip_interface_new): adapt to the new interface | 
|  |  | 
|  | * bgp_nexthop.c (show_ip_bgp_scan_tables): access proper structure field
  in AF_INET6 case, handle ifindex NH type properly | 
|  | bgp_nexthop_onlink(): zlookup is not used here at all
bgp_nexthop_lookup_ipv6(): rely on the detection performed by "query"
  function (this also changes the fallback value to 0), reorder if-block
bgp_nexthop_lookup(): idem | 
|  | * bgp_nexthop.c: (show_ip_bgp_scan) transform into
  show_ip_bgp_scan_tables(), which uses inet_ntop() and can dump
  nexthops on request; (show_ip_bgp_scan_detail_cmd) new function |