| Age | Commit message (Collapse) | Author | 
|---|
|  | This vulnerability (CERT-FI #514838) was reported by CROSS project.
The error is reproducible only when ospfd debugging is enabled:
  * debug ospf packet all
  * debug ospf zebra
When incoming packet header type field is set to 0x0a, ospfd will crash.
* ospf_packet.c
  * ospf_verify_header(): add type field check
  * ospf_read(): perform input checks early | 
|  | This vulnerability (CERT-FI #514838) was reported by CROSS project.
When only 14 first bytes of a Hello packet is delivered, ospfd crashes.
* ospf_packet.c
  * ospf_read(): add size check | 
|  | This vulnerability (CERT-FI #514837) was reported by CROSS project.
They have also suggested a fix to the problem, which was found
acceptable.
Quagga ospfd does not seem to handle unknown LSA types in a Link State
Update message correctly. If LSA type is something else than one
supported
by Quagga, the default handling of unknown types leads to an error.
* ospf_flood.c
  * ospf_flood(): check return value of ospf_lsa_install() | 
|  | This vulnerability (CERT-FI #513254) was reported by CROSS project.
They have also suggested a fix to the problem, which was found
acceptable.
The problem occurs when bgpd receives an UPDATE message containing
255 unknown AS_PATH attributes in Path Attribute Extended Communities.
This causes a buffer overlow in bgpd.
* bgp_ecommunity.c
  * ecommunity_ecom2str(): perform size check earlier | 
|  | Two extern declarations in ospf6_abr.h are based on struct ospf6_route,
which may not be available at the time ospf6_abr.h is included. This may
lead to warnings after including ospf6_abr.h just for the structures
defined in it. | 
|  |  | 
|  | * ospf6_abr.c
  * ospf6_abr_examin_summary(): only fill "buf" when it is used | 
|  |  | 
|  | Contains BGP fixes:
- set extcommunity crash: tihs patch tries to make the refcounting more robust
  but does not fully solve the problem, sadly.
- BGP attribute error handling: Little testing. | 
|  |  | 
|  |  | 
|  |  | 
|  | "mtu-ignore" is an option ospfd used to mimic from the vendor's
implementation, now ospf6d will also implement it.
* ospf6_interface.h: extend ospf6_interface structure by one flag
* ospf6_interface.c: (ipv6_ospf6_mtu_ignore, no_ipv6_ospf6_mtu_ignore):
  new declarations; (ospf6_interface_create): show initial value for
  consistency; (ospf6_interface_show): print flag status
* ospf6_message.c: (ospf6_dbdesc_recv): consider interface-specific flag
  when checking MTU | 
|  | * zebra_routemap.c: (route_set_src) get rid of the dummy family variable. | 
|  | * bgp_aspath.c: (assegments_parse) just bail early if length doesn't match
  and fix the formatting.
* bgp_network.c: add include needed for set_nonblocking
* bgp_packet.c: formatting | 
|  | * ospf_apiserver.{c,h}: (ospf_apiserver_lsa_refresher) refreshers must now
  return the refreshed LSA.
* ospf_te.{c,h}: (ospf_mpls_te_lsa_refresh) ditto
* ospf_api.c: trivial compiler warning fix | 
|  |  | 
|  | * ospf6_zebra.c: (ospf6_zebra_if_state_update) zebra_interface_state_read
  may return NULL, if it can't find an interface, deal with it. | 
|  | * ospf6_zebra.c: (ospf6_zebra_if_state_update) zebra_interface_state_read
  may return NULL, if it can't find an interface, deal with it. | 
|  | * bgp_routemap.c: (route_set_community_delete) When deleting a
  community in a route-map the old community was being orphaned.  Like
  the description of the same code in route_set_community, this is a
  hack, not a true fix. | 
|  | This reverts commit 2c9fd7e07283b8904ef20030c9dadb032e999b12. | 
|  | * doc/Makefile.am: pdf target needs to depend on all the input files. | 
|  |  | 
|  | * bgp_attr.c: (attrhash_key_make) 98e30f should have changed jhash2 to jhash.
  These kinds of merge errors would be reduced and life would be easier if
  people would submit fully-formed fixes that could be chucked directly into
  git-am. | 
|  | * bgpd.h: Add error code for setting GTSM on iBGP
* bgpd.c: (peer_ttl_security_hops_set) use previous error code and signal
  incompatibility of GTSM+iBGP to vty.
  Consider the session state when setting GTSM, and reset Open/Active peers
  to let them pick up new TTL from start. | 
|  | In deciding whether to default ospfapi to on or off, use the same rule
for opaque-lsa as earlier: != no rather than = yes, so that not having
set it implies yes. | 
|  | * sockunion.c: (sockopt_minttl) Add IPv6 support for min hop count.
  The kernel support is Linux kernel 2.6.35 or later. | 
|  | * bgp_vty.c: (peer_ebgp_multihop_{un,}set_vty) tail-call cleanup.
  ({no_,}neighbor_ttl_security) ditto.
* bgpd.c: (peer_ttl_security_hops_set) Peer group checks and TTL set only
  need to be done on transition.
* sockunion.c: (sockopt_minttl) remove always-on debug and improve readability. | 
|  | * bgpd: Add support for RFC 5082 GTSM, which allows the TTL field to be used
  to verify that incoming packets have been sent from neighbours no more
  than X IP hops away. In other words, this allows packets that were sent from
  further away (i.e. not by the neighbour with known distance, and so possibly
  a miscreant) to be filtered out.
* lib/sockunion.{c,h}: (sockopt_minttl) new function, to set a minimum TTL
  using the IP_MINTTL socket opt.
* bgpd.h: (BGP_ERR_NO_EBGP_MULTIHOP_WITH_TTLHACK) define for command
  error for minttl.
  (struct peer) add a config variable, to store the configured minttl.
  (peer_ttl_security_hops_{set,unset}) configuration handlers
* bgpd.c: (peer_group_get) init gtsm_hops
  (peer_ebgp_multihop_{un,}set) check for conflicts with GTSM. Multihop and
  GTSM can't both be active for a peer at the same time.
  (peer_ttl_security_hops_set) set minttl, taking care to avoid conflicts with
  ebgp_multihop.
  (bgp_config_write_peer) write out minttl as "neighbor .. ttl-security hops X".
* bgp_vty.c: (bgp_vty_return) message for
  BGP_ERR_NO_EBGP_MULTIHOP_WITH_TTLHACK
  (peer_ebgp_multihop_{un,}set_vty)
* bgp_network.c: (bgp_accept) set minttl on accepted sockets if appropriate.
  (bgp_connect) ditto for outbound. | 
|  |  | 
|  | * bgp_route.c: ({no_,}ipv6_bgp_network_ttl_cmd) depends on ipv6_bgp_network
  which is HAVE_IPV6, so these should be too.
  (bgp_route_init) and the installs should be similarly ifdefed | 
|  | The following patch was also neccessary to compile.
* command.c: (config_logmsg_cmd) use "%s" format spec
* if.c: (connected_log) ditto | 
|  | * bgp_attr.c; (attrhash_key_make) s6_addr is only member of in6_addr
  guaranteed to be available - s6_addr32 isn't. Fix to be more portable, and
  thus allow compilation on BSD again. | 
|  | * ospfd: Refresher logic cleanup broke OSPF opaque, which does its own thing
  with regard to refresher logic and which also, in the protocol, requires
  implementations to keep state of which OI an LSA is received on (rather
  than providing information in the LSA to allow it to be looked up - as
  other LSAs requiring such assocation were careful to do).
* ospf_lsa.h: (struct ospf_interface) Add back the pointer to oi, but only
  for type-9 now.
* ospf_nsm.c: (ospf_db_summary_add) check the oi actually exists first -
  doesn't obviate the need for opaque to ensure oi pointers get cleaned up
  when ospf_interfaces disappear.
* ospf_opaque.{c,h}: (ospf_opaque_functab,ospf_opaque_lsa_refresh) Refresher
  LSA functions now need to return the LSA to the general refresh logic,
  to indicate whether the LSA was refreshed. | 
|  | * configure.ac: (AC_ARG_ENABLE({ospf-te,opaque-lsa})) reverse the sense to
  --disable
  (enable_{opaque_lsa,ospf_te}) treat as enabled unless explicitly disabled. | 
|  | * bgp_packet.c: (bgp_write) On BGP write, use TCP_CORK to provide hints to
  kernel about TCP buffering.  This will cause BGP packets to occur in
  bigger chunks (full size MTU), improving performance and getting rid of
  one of the problems reported in the UNH BGP conformance test. | 
|  | * sockunion.{c,h}: (sockopt_cork) wrapper for TCP_CORK socket option for
  those platforms that provide it.  For other platforms, it is just a nop. | 
|  | * bgpd: Rather than toggling socket in/out of non-block mode, just leave it
  in nonblocking mode.
  One exception is in bgp_notify which only happens just before close. | 
|  | * bgp_community.[ch]: (community_lookup) New helper function to look
  up a community list in the hash table.
* bgp_routemap.c: A new community structure was being allocated for
  every BGP update which matched a route map which set a community.
  This behavior led to rapid growth in the memory consumed by bgpd.
  Adding the communities to the hash table addresses the memory
  growth, but may introduce a problem in modifying or deleting the
  'set community' statement in the route map. | 
|  | Many show commands do not have support for multiple views and do not
treat different address families uniformly.  The following changes add
a number of commands with support for views and rationalized treatment
of IPv4 v IPv6 and unicast v multicast (such as in JUNOS, IOS XR and
more recent versions of IOS).
* bgp_route.c: (bgp_show_community) Inserted a new second argument (the
  name of the view) and the code to look up that name in the BGP structure.
  The NULL argument in the call to bgp_show (indicating the default view)
  was replaced by the specified view.  The existing calls to
  bgp_show_community had a NULL second argument inserted to make clear
  that they refer to the default view.
  (top level) Added new functions via the DEFUN and/or ALIAS macros (and
  the associated command table entries) to add the commands
    show bgp ipv4 (unicast|multicast)
    show bgp ipv4 (unicast|multicast) A.B.C.D
    show bgp ipv4 (unicast|multicast) A.B.C.D/M
    show bgp ipv6 (unicast|multicast)
    show bgp ipv6 (unicast|multicast) X:X::X:X
    show bgp ipv6 (unicast|multicast) X:X::X:X/M
      These show either the full BGP table or the specified route or
      prefix for the given address family.
    show bgp view WORD (ipv4|ipv6) (unicast|multicast) community
    show bgp view WORD (ipv4|ipv6) (unicast|multicast) community \
            (AA:NN|local-AS|no-advertise|no-export){1,4}
      For the specified view and address family, these show entries
      matching any community or the specified communit(y)(ies).
    show bgp view WORD (ipv4|ipv6) (unicast|multicast) neighbors \
            (A.B.C.D|X:X::X:X) (advertised-routes|received-routes)
      For the specified view and address family, show the routes
      advertised to or received from the given BGP neighbor.
    show bgp [view WORD] ipv4 (unicast|multicast) \
            rsclient (A.B.C.D|X:X::X:X)
    show bgp [view WORD] ipv4 (unicast|multicast) \
            rsclient (A.B.C.D|X:X::X:X) A.B.C.D
    show bgp [view WORD] ipv4 (unicast|multicast) \
            rsclient (A.B.C.D|X:X::X:X) A.B.C.D/M
    show bgp [view WORD] ipv6 (unicast|multicast) \
            rsclient (A.B.C.D|X:X::X:X)
    show bgp [view WORD] ipv6 (unicast|multicast) \
            rsclient (A.B.C.D|X:X::X:X) X:X::X:X
    show bgp [view WORD] ipv6 (unicast|multicast) \
            rsclient (A.B.C.D|X:X::X:X) X:X::X:X/M
      For the specifed (optional) view and address family, show either
      the full BGP table or the specified route or prefix for the given
      route server client peer.
* bgp_vty.c: (top level) Added new functions via the DEFUN and/or ALIAS
  macros (and the associated command table entries) to add the commands
    show bgp [view WORD] (ipv4|ipv6) (unicast|multicast) summary
    show bgp [view WORD] (ipv4|ipv6) (unicast|multicast) rsclient summary
      For the specified (optional) view and address family, display
      either the normal summary table for BGP peers, or the route server
      client table showing the import and export policies. | 
|  | * configure.ac: Bump to 0.99.18 | 
|  | * BGP error handling generally boils down to "reset session". This was fine
  when all BGP speakers pretty much understood all BGP messages. However
  the increasing deployment of new attribute types has shown this approach
  to cause problems, in particular where a new attribute type is "tunneled"
  over some speakers which do not understand it, and then arrives at a speaker
  which does but considers it malformed (e.g. corruption along the way, or
  because of early implementation bugs/interop issues).
  To mitigate this drafts before the IDR (likely to be adopted) propose to
  treat errors in partial (i.e.  not understood by neighbour), optional
  transitive attributes, when received from eBGP peers, as withdrawing only
  the NLRIs in the affected UPDATE, rather than causing the entire session
  to be reset.  See:
   http://tools.ietf.org/html/draft-scudder-idr-optional-transitive
* bgp_aspath.c: (assegments_parse) Replace the "NULL means valid, 0-length
  OR an error" return value with an error code - instead taking
  pointer to result structure as arg.
  (aspath_parse) adjust to suit previous change, but here NULL really
  does mean error in the external interface.
* bgp_attr.h (bgp_attr_parse) use an explictly typed and enumerated
  value to indicate return result.
  (bgp_attr_unintern_sub) cleans up just the members of an attr, but not the
  attr itself, for benefit of those who use a stack-local attr.
* bgp_attr.c: (bgp_attr_unintern_sub) split out from bgp_attr_unintern
  (bgp_attr_unintern) as previous.
  (bgp_attr_malformed) helper function to centralise decisions on how to
  handle errors in attributes.
  (bgp_attr_{aspathlimit,origin,etc..}) Use bgp_attr_malformed.
  (bgp_attr_aspathlimit) Subcode for error specifc to this attr should be
  BGP_NOTIFY_UPDATE_OPT_ATTR_ERR.
  (bgp_attr_as4_path) be more rigorous about checks, ala bgp_attr_as_path.
  (bgp_attr_parse) Adjust to deal with the additional error level that
  bgp_attr_ parsers can raise, and also similarly return appropriate
  error back up to (bgp_update_receive). Try to avoid leaking as4_path.
* bgp_packet.c: (bgp_update_receive) Adjust to deal with BGP_ATTR_PARSE_WITHDRAW
  error level from bgp_attr_parse, which should lead to a withdraw, by
  making the attribute parameter in call to (bgp_nlri_parse) conditional
  on the error, so the update case morphs also into a withdraw.
  Use bgp_attr_unintern_sub from above, instead of doing this itself.
  Fix error case returns which were not calling bgp_attr_unintern_sub
  and probably leaking memory.
* tests/aspath_test.c: Fix to work for null return with bad segments | 
|  | * draft-ietf-idr-as-pathlimit doesn't seem to have gone anywhere, and its
  author does not think it will make progress in IDR. Remove all support
  introduced for it, but leave stubs for the commands to avoid breaking
  any configurations.
  Basically reverts cecab5e9725792e60a5e4b473e238a14cd85815d. | 
|  |  | 
|  | extcom..'
* Extended communities has some kind of resource allocation problem which
  causes a double-free if the 'set extcommunity ...' command is used.
  Try fix by properly interning extcommunities.
  Also, more generally, make unintern functions take a double pointer
  so they can NULL out callers references - a usefully defensive programming
  pattern for functions which make refs invalid.
  Sadly, this patch doesn't fix the problem entirely - crashes still
  occur on session clear.
* bgp_ecommunity.h: (ecommunity_{free,unintern}) take double pointer
  args.
* bgp_community.h: (community_unintern) ditto
* bgp_attr.h: (bgp_attr_intern) ditto
* bgp_aspath.h: (bgp_aspath.h) ditto
* (general) update all callers of above
* bgp_routemap.c: (route_set_ecommunity_{rt,soo}) intern the new extcom added
  to the attr, and unintern any old one.
  (route_set_ecommunity_{rt,soo}_compile) intern the extcom to be used
  for the route-map set.
  (route_set_ecommunity_*_free) unintern to match, instead of free
  (route_set_ecommunity_soo) Do as _rt does and don't just leak
  any pre-existing community, add to it (is additive right though?) | 
|  | * aspath_test.c: Add more test cases. In particular ones to cover the
  last invalid-segment problem. Also add ability to specify aspath attribute
  headers and test them somewhat.
  NB: It's obvious this test has not been run for a year by anyone, despite
  2 non-trivial commits to bgpd aspath code. | 
|  | Some of the changes made in commit cddb8112b80fa9867156c637d63e6e79eeac67bb
don't work particularly well for other changes that need to be made to
address BGP attribute error handling problems. In particular, returning
a pointer from complex attribute data parsing functions will not suffice
to express the require range of return status conditions.
* bgp_aspath.c: (assegments_parse) Rollback to a more minimal set of
  changes to fix the original problem.
  (aspath_parse) Slightly needless pushing around of code, and taking
  2 parameters to say whether ot use 2 or 4 byte encoding seems unnecessary.
* bgp_attr.c: (bgp_attr_as{,4}path) Rollback, in preparation for BGP
  attribute error handling update. | 
|  | * bgp_attr.c: (bgp_attr_ext_communities) Certain extended-community attrs
  can leave attr->flag indicating ext-community is present, even though no
  extended-community object has been attached to the attr structure.  Thus a
  null-pointer dereference can occur later.
  (bgp_attr_community) No bug fixed here, but tidy up flow so it has same
  form as previous.
  Problem and fix thanks to anonymous reporter. | 
|  | * ospf6_route.c ([no_]debug_ospf6_route) Include memory as a debug
  option.  This allows ospf6 route memory debugging to be enabled or
  disabled interactively or from a config file. | 
|  | * ospf6_route.c: (ospf6_route_best_next) Allows unlock route, even
  when there's no next route.  This is consistent with how
  ospf6_route_next() behaves.
* ospf6_intra.c: (ospf6_intra_prefix_lsa_remove) Make sure the last
  route considered is always unlocked.  This is needed when the for
  loop terminates because ospf6_route_is_prefix() returns zero. |