Age | Commit message (Collapse) | Author |
|
* bgp_attr.c
* bgp_attr_atomic(): accept extra argument, add checks for
"optional", "transitive" and "partial" bits, log each error
condition independently
* bgp_attr_parse(): provide extra argument
|
|
* bgp_attr.c
* bgp_attr_med(): add checks for "optional", "transitive" and
"partial" bits, log each error condition independently
|
|
* bgp_attr.c
* bgp_attr_local_pref(): accept extra argument, add checks for
"optional" and "transitive" bits, log each error condition
independently
* bgp_attr_parse(): provide extra argument
|
|
* bgp_packet.c
* bgp_notify_send_with_data(): add calls to zlog_info()
|
|
|
|
* ospf6_area.c
* ospf6_area_config_write(): write filter-list, import-list and
export-list lines
|
|
This essentially merges the fix available from Debian build of Quagga.
* ospf6_area.c
* area_filter_list(): use correct argv indices
* no_area_filter_list(): idem
|
|
This change is based on Xavier Beaudouin's patch (which fixes detection
of 3 config.h macros on FreeBSD without any impact to Linux build of
Quagga) and FreeBSD port patch (which fixes 5 config.h macros, but
breaks the Linux build), it fixes 5 macros and works for both FreeBSD 8
and Linux.
|
|
|
|
* isis_pdu.c: Divide hello interval by three, depending if we are DIS or
not.
|
|
The crash is due to threads accessing data that gets destroyed
during the removal of the configuration.
* isis_circuit.c: Destroy adjacencies to stop adjacency expiry thread.
Stop PSNP threads.
* isisd.c: Change state of circuit back to INIT and reassign the
circuit structure to isis->init_circ_list rather than destroying
the circuit data structure. Stop SPF threads. Stop LSP generation
threads.
* isisd.h: Add pointers to LSP threads into area structure in order to
stop them in isisd.c
* isis_lsp.c: Store pointer to LSP thread in area structure.
* isis_pdu.c: Stop PDU generation for a circuit with a removed area.
* isis_pfpacket.c: Stop processing received PDUs for a circuit with a
removed area.
|
|
Recent versions of libc on Linux (Debian Testing) create lots of
compile warnings about direct usage of libutil.h
|
|
* rt_netlink.c
* netlink_route_change(): fetch metric information like
netlink_routing_table() does and pass it further
|
|
* ospf_route.c: Function ospf_asbr_route_cmp is called uniquely from
ospf_route_cmp() when the flag OSPF_RFC1583_COMPATIBLE is not set.
Therefore, the check that the flag is set doesn't make sense at all
and it can consequently be removed without doing any harm.
Signed-off-by: Alexandre Chappuis <alc@open.ch>
Signed-off-by: Roman Hoog Antink <rha@open.ch>
|
|
|
|
* ospfd.texi: Adjust meaning of the rfc1583compatibility option in
order to match the RFC specification and the actual source code.
|
|
|
|
This vulnerability (CERT-FI #514840) was reported by CROSS project.
ospf6d processes IPv6 prefix structures in incoming packets without
verifying that the declared prefix length is valid. This leads to a
crash
caused by out of bounds memory access.
* ospf6_abr.h: new macros for size/alignment validation
* ospf6_asbr.h: idem
* ospf6_intra.h: idem
* ospf6_lsa.h: idem
* ospf6_message.h: idem
* ospf6_proto.h: idem
* ospf6_message.c
* ospf6_packet_minlen: helper array for ospf6_packet_examin()
* ospf6_lsa_minlen: helper array for ospf6_lsa_examin()
* ospf6_hello_recv(): do not call ospf6_header_examin(), let upper
layer verify the input data
* ospf6_dbdesc_recv(): idem
* ospf6_lsreq_recv(): idem
* ospf6_lsupdate_recv(): idem
* ospf6_lsack_recv(): idem
* ospf6_prefixes_examin(): new function, implements A.4.1
* ospf6_lsa_examin(): new function, implements A.4
* ospf6_lsaseq_examin(): new function, an interface to above
* ospf6_packet_examin(): new function, implements A.3
* ospf6_rxpacket_examin(): new function, replaces
ospf6_header_examin()
* ospf6_header_examin(): sayonara
* ospf6_receive(): perform passive interface check earliest possible,
employ ospf6_rxpacket_examin()
|
|
This vulnerability (CERT-FI #514839) was reported by CROSS project.
When Database Description LSA header list contains trailing zero octets,
ospf6d tries to process this data as an LSA header. This triggers an
assertion in the code and ospf6d shuts down.
* ospf6_lsa.c
* ospf6_lsa_is_changed(): handle header-only argument(s)
appropriately, do not treat LSA length underrun as a fatal error.
|
|
This vulnerability (CERT-FI #514838) was reported by CROSS project.
The error is reproducible only when ospfd debugging is enabled:
* debug ospf packet all
* debug ospf zebra
When incoming packet header type field is set to 0x0a, ospfd will crash.
* ospf_packet.c
* ospf_verify_header(): add type field check
* ospf_read(): perform input checks early
|
|
This vulnerability (CERT-FI #514838) was reported by CROSS project.
When only 14 first bytes of a Hello packet is delivered, ospfd crashes.
* ospf_packet.c
* ospf_read(): add size check
|
|
This vulnerability (CERT-FI #514837) was reported by CROSS project.
They have also suggested a fix to the problem, which was found
acceptable.
Quagga ospfd does not seem to handle unknown LSA types in a Link State
Update message correctly. If LSA type is something else than one
supported
by Quagga, the default handling of unknown types leads to an error.
* ospf_flood.c
* ospf_flood(): check return value of ospf_lsa_install()
|
|
This vulnerability (CERT-FI #513254) was reported by CROSS project.
They have also suggested a fix to the problem, which was found
acceptable.
The problem occurs when bgpd receives an UPDATE message containing
255 unknown AS_PATH attributes in Path Attribute Extended Communities.
This causes a buffer overlow in bgpd.
* bgp_ecommunity.c
* ecommunity_ecom2str(): perform size check earlier
|
|
|
|
This vulnerability (CERT-FI #514840) was reported by CROSS project.
ospf6d processes IPv6 prefix structures in incoming packets without
verifying that the declared prefix length is valid. This leads to a
crash
caused by out of bounds memory access.
* ospf6_abr.h: new macros for size/alignment validation
* ospf6_asbr.h: idem
* ospf6_intra.h: idem
* ospf6_lsa.h: idem
* ospf6_message.h: idem
* ospf6_proto.h: idem
* ospf6_message.c
* ospf6_packet_minlen: helper array for ospf6_packet_examin()
* ospf6_lsa_minlen: helper array for ospf6_lsa_examin()
* ospf6_hello_recv(): do not call ospf6_header_examin(), let upper
layer verify the input data
* ospf6_dbdesc_recv(): idem
* ospf6_lsreq_recv(): idem
* ospf6_lsupdate_recv(): idem
* ospf6_lsack_recv(): idem
* ospf6_prefixes_examin(): new function, implements A.4.1
* ospf6_lsa_examin(): new function, implements A.4
* ospf6_lsaseq_examin(): new function, an interface to above
* ospf6_packet_examin(): new function, implements A.3
* ospf6_rxpacket_examin(): new function, replaces
ospf6_header_examin()
* ospf6_header_examin(): sayonara
* ospf6_receive(): perform passive interface check earliest possible,
employ ospf6_rxpacket_examin()
|
|
This vulnerability (CERT-FI #514839) was reported by CROSS project.
When Database Description LSA header list contains trailing zero octets,
ospf6d tries to process this data as an LSA header. This triggers an
assertion in the code and ospf6d shuts down.
* ospf6_lsa.c
* ospf6_lsa_is_changed(): handle header-only argument(s)
appropriately, do not treat LSA length underrun as a fatal error.
|
|
This vulnerability (CERT-FI #514838) was reported by CROSS project.
The error is reproducible only when ospfd debugging is enabled:
* debug ospf packet all
* debug ospf zebra
When incoming packet header type field is set to 0x0a, ospfd will crash.
* ospf_packet.c
* ospf_verify_header(): add type field check
* ospf_read(): perform input checks early
|
|
This vulnerability (CERT-FI #514838) was reported by CROSS project.
When only 14 first bytes of a Hello packet is delivered, ospfd crashes.
* ospf_packet.c
* ospf_read(): add size check
|
|
This vulnerability (CERT-FI #514837) was reported by CROSS project.
They have also suggested a fix to the problem, which was found
acceptable.
Quagga ospfd does not seem to handle unknown LSA types in a Link State
Update message correctly. If LSA type is something else than one
supported
by Quagga, the default handling of unknown types leads to an error.
* ospf_flood.c
* ospf_flood(): check return value of ospf_lsa_install()
|
|
This vulnerability (CERT-FI #513254) was reported by CROSS project.
They have also suggested a fix to the problem, which was found
acceptable.
The problem occurs when bgpd receives an UPDATE message containing
255 unknown AS_PATH attributes in Path Attribute Extended Communities.
This causes a buffer overlow in bgpd.
* bgp_ecommunity.c
* ecommunity_ecom2str(): perform size check earlier
|
|
* lib/prefix.h
* IPV4_CLASS_DE(): new helper macro
* bgp_attr.c
* bgp_attr_nexthop(): add check for "partial" bit, refresh flag error
reporting, explain meaning of RFC4271 section 6.3 and implement it
|
|
* bgp_debug.c (bgp_notify_open_msg, bgp_notify_update_msg,
bgp_notify_cease_msg, bgp_notify_capability_msg): add messages for
"unspecific" subcode.
|
|
* log.[ch]
* mes_lookup: add a parameter with the name of the message list, print
the name in case of failure.
* LOOKUP macro: pass the name of the message list.
|
|
* bgp_attr.c
* bgp_attr_atomic(): accept extra argument, add checks for
"optional", "transitive" and "partial" bits, log each error
condition independently
* bgp_attr_parse(): provide extra argument
|
|
* bgp_attr.c
* bgp_attr_med(): add checks for "optional", "transitive" and
"partial" bits, log each error condition independently
|
|
* bgp_attr.c
* bgp_attr_local_pref(): accept extra argument, add checks for
"optional" and "transitive" bits, log each error condition
independently
* bgp_attr_parse(): provide extra argument
|
|
Other platform may have compatible facilities.
|
|
|
|
|
|
* isis_pdu.c: Divide hello interval by three, depending if we are DIS or
not.
|
|
The crash is due to threads accessing data that gets destroyed
during the removal of the configuration.
* isis_circuit.c: Destroy adjacencies to stop adjacency expiry thread.
Stop PSNP threads.
* isisd.c: Change state of circuit back to INIT and reassign the
circuit structure to isis->init_circ_list rather than destroying
the circuit data structure. Stop SPF threads. Stop LSP generation
threads.
* isisd.h: Add pointers to LSP threads into area structure in order to
stop them in isisd.c
* isis_lsp.c: Store pointer to LSP thread in area structure.
* isis_pdu.c: Stop PDU generation for a circuit with a removed area.
* isis_pfpacket.c: Stop processing received PDUs for a circuit with a
removed area.
|
|
* ospf6_area.c: Call ospf6_spf_table_finish() before deleting the spf
table. This ensures that the associated ospf6_vertex structures
are also freed.
* ospf6_spf.c: Only allocate a priority queue when a spf calculation
is actually performed.
|
|
* ospf6_route.c ([no_]debug_ospf6_route) Include memory as a debug
option. This allows ospf6 route memory debugging to be enabled or
disabled interactively or from a config file.
|
|
|
|
Recent versions of libc on Linux (Debian Testing) create lots of
compile warnings about direct usage of libutil.h
|
|
* ospfd.texi: Adjust meaning of the rfc1583compatibility option in
order to match the RFC specification and the actual source code.
|
|
* ospf6_area.c
* ospf6_area_config_write(): write filter-list, import-list and
export-list lines
|
|
"While setting up a testbed, I ran across a little problem in the
parsing of the "graceful restart" BGP capability that resulted in
Quagga not actually activating it for the peer in question - when
the peer sent a single AFI/SAFI block."
* bgp_open.c
* bgp_capability_restart(): actually process the last AFI/SAFI block
|
|
This essentially merges the fix available from Debian build of Quagga.
* ospf6_area.c
* area_filter_list(): use correct argv indices
* no_area_filter_list(): idem
|
|
* bgp_packet.c
* bgp_notify_send_with_data(): add calls to zlog_info()
|