summaryrefslogtreecommitdiff
AgeCommit message (Collapse)Author
2011-09-27doc: add missing wordAlexandre Chappuis
* ospfd.texi: Adjust meaning of the rfc1583compatibility option in order to match the RFC specification and the actual source code.
2011-09-26release: 0.99.19Denis Ovsienko
2011-09-26ospf6d: CVE-2011-3323 (fortify packet reception)Denis Ovsienko
This vulnerability (CERT-FI #514840) was reported by CROSS project. ospf6d processes IPv6 prefix structures in incoming packets without verifying that the declared prefix length is valid. This leads to a crash caused by out of bounds memory access. * ospf6_abr.h: new macros for size/alignment validation * ospf6_asbr.h: idem * ospf6_intra.h: idem * ospf6_lsa.h: idem * ospf6_message.h: idem * ospf6_proto.h: idem * ospf6_message.c * ospf6_packet_minlen: helper array for ospf6_packet_examin() * ospf6_lsa_minlen: helper array for ospf6_lsa_examin() * ospf6_hello_recv(): do not call ospf6_header_examin(), let upper layer verify the input data * ospf6_dbdesc_recv(): idem * ospf6_lsreq_recv(): idem * ospf6_lsupdate_recv(): idem * ospf6_lsack_recv(): idem * ospf6_prefixes_examin(): new function, implements A.4.1 * ospf6_lsa_examin(): new function, implements A.4 * ospf6_lsaseq_examin(): new function, an interface to above * ospf6_packet_examin(): new function, implements A.3 * ospf6_rxpacket_examin(): new function, replaces ospf6_header_examin() * ospf6_header_examin(): sayonara * ospf6_receive(): perform passive interface check earliest possible, employ ospf6_rxpacket_examin()
2011-09-26ospf6d: CVE-2011-3324 (DD LSA assertion)Denis Ovsienko
This vulnerability (CERT-FI #514839) was reported by CROSS project. When Database Description LSA header list contains trailing zero octets, ospf6d tries to process this data as an LSA header. This triggers an assertion in the code and ospf6d shuts down. * ospf6_lsa.c * ospf6_lsa_is_changed(): handle header-only argument(s) appropriately, do not treat LSA length underrun as a fatal error.
2011-09-26ospfd: CVE-2011-3325 part 2 (OSPF pkt type segv)Denis Ovsienko
This vulnerability (CERT-FI #514838) was reported by CROSS project. The error is reproducible only when ospfd debugging is enabled: * debug ospf packet all * debug ospf zebra When incoming packet header type field is set to 0x0a, ospfd will crash. * ospf_packet.c * ospf_verify_header(): add type field check * ospf_read(): perform input checks early
2011-09-26ospfd: CVE-2011-3325 part 1 (OSPF header underrun)Denis Ovsienko
This vulnerability (CERT-FI #514838) was reported by CROSS project. When only 14 first bytes of a Hello packet is delivered, ospfd crashes. * ospf_packet.c * ospf_read(): add size check
2011-09-26ospfd: CVE-2011-3326 (uknown LSA type segfault)CROSS
This vulnerability (CERT-FI #514837) was reported by CROSS project. They have also suggested a fix to the problem, which was found acceptable. Quagga ospfd does not seem to handle unknown LSA types in a Link State Update message correctly. If LSA type is something else than one supported by Quagga, the default handling of unknown types leads to an error. * ospf_flood.c * ospf_flood(): check return value of ospf_lsa_install()
2011-09-26bgpd: CVE-2011-3327 (ext. comm. buffer overflow)CROSS
This vulnerability (CERT-FI #513254) was reported by CROSS project. They have also suggested a fix to the problem, which was found acceptable. The problem occurs when bgpd receives an UPDATE message containing 255 unknown AS_PATH attributes in Path Attribute Extended Communities. This causes a buffer overlow in bgpd. * bgp_ecommunity.c * ecommunity_ecom2str(): perform size check earlier
2011-09-26version RE-0.99.17.4Denis Ovsienko
2011-09-26ospf6d: CVE-2011-3323 (fortify packet reception)Denis Ovsienko
This vulnerability (CERT-FI #514840) was reported by CROSS project. ospf6d processes IPv6 prefix structures in incoming packets without verifying that the declared prefix length is valid. This leads to a crash caused by out of bounds memory access. * ospf6_abr.h: new macros for size/alignment validation * ospf6_asbr.h: idem * ospf6_intra.h: idem * ospf6_lsa.h: idem * ospf6_message.h: idem * ospf6_proto.h: idem * ospf6_message.c * ospf6_packet_minlen: helper array for ospf6_packet_examin() * ospf6_lsa_minlen: helper array for ospf6_lsa_examin() * ospf6_hello_recv(): do not call ospf6_header_examin(), let upper layer verify the input data * ospf6_dbdesc_recv(): idem * ospf6_lsreq_recv(): idem * ospf6_lsupdate_recv(): idem * ospf6_lsack_recv(): idem * ospf6_prefixes_examin(): new function, implements A.4.1 * ospf6_lsa_examin(): new function, implements A.4 * ospf6_lsaseq_examin(): new function, an interface to above * ospf6_packet_examin(): new function, implements A.3 * ospf6_rxpacket_examin(): new function, replaces ospf6_header_examin() * ospf6_header_examin(): sayonara * ospf6_receive(): perform passive interface check earliest possible, employ ospf6_rxpacket_examin()
2011-09-26ospf6d: CVE-2011-3324 (DD LSA assertion)Denis Ovsienko
This vulnerability (CERT-FI #514839) was reported by CROSS project. When Database Description LSA header list contains trailing zero octets, ospf6d tries to process this data as an LSA header. This triggers an assertion in the code and ospf6d shuts down. * ospf6_lsa.c * ospf6_lsa_is_changed(): handle header-only argument(s) appropriately, do not treat LSA length underrun as a fatal error.
2011-09-26ospfd: CVE-2011-3325 part 2 (OSPF pkt type segv)Denis Ovsienko
This vulnerability (CERT-FI #514838) was reported by CROSS project. The error is reproducible only when ospfd debugging is enabled: * debug ospf packet all * debug ospf zebra When incoming packet header type field is set to 0x0a, ospfd will crash. * ospf_packet.c * ospf_verify_header(): add type field check * ospf_read(): perform input checks early
2011-09-26ospfd: CVE-2011-3325 part 1 (OSPF header underrun)Denis Ovsienko
This vulnerability (CERT-FI #514838) was reported by CROSS project. When only 14 first bytes of a Hello packet is delivered, ospfd crashes. * ospf_packet.c * ospf_read(): add size check
2011-09-26ospfd: CVE-2011-3326 (uknown LSA type segfault)CROSS
This vulnerability (CERT-FI #514837) was reported by CROSS project. They have also suggested a fix to the problem, which was found acceptable. Quagga ospfd does not seem to handle unknown LSA types in a Link State Update message correctly. If LSA type is something else than one supported by Quagga, the default handling of unknown types leads to an error. * ospf_flood.c * ospf_flood(): check return value of ospf_lsa_install()
2011-09-26bgpd: CVE-2011-3327 (ext. comm. buffer overflow)CROSS
This vulnerability (CERT-FI #513254) was reported by CROSS project. They have also suggested a fix to the problem, which was found acceptable. The problem occurs when bgpd receives an UPDATE message containing 255 unknown AS_PATH attributes in Path Attribute Extended Communities. This causes a buffer overlow in bgpd. * bgp_ecommunity.c * ecommunity_ecom2str(): perform size check earlier
2011-09-25bgpd: improve NEXT_HOP attribute checks (BZ#680)Denis Ovsienko
* lib/prefix.h * IPV4_CLASS_DE(): new helper macro * bgp_attr.c * bgp_attr_nexthop(): add check for "partial" bit, refresh flag error reporting, explain meaning of RFC4271 section 6.3 and implement it
2011-09-25bgpd: don't be confused by "unspecific" subcode in the NOTIFY message.Dmitrij Tejblum
* bgp_debug.c (bgp_notify_open_msg, bgp_notify_update_msg, bgp_notify_cease_msg, bgp_notify_capability_msg): add messages for "unspecific" subcode.
2011-09-25lib: provide more information in case of failed LOOKUP.Dmitrij Tejblum
* log.[ch] * mes_lookup: add a parameter with the name of the message list, print the name in case of failure. * LOOKUP macro: pass the name of the message list.
2011-09-25bgpd: check ATOMIC_AGGREGATE attr flags (BZ#678)Denis Ovsienko
* bgp_attr.c * bgp_attr_atomic(): accept extra argument, add checks for "optional", "transitive" and "partial" bits, log each error condition independently * bgp_attr_parse(): provide extra argument
2011-09-25bgpd: check MULTI_EXIT_DISC attr flags (BZ#677)Denis Ovsienko
* bgp_attr.c * bgp_attr_med(): add checks for "optional", "transitive" and "partial" bits, log each error condition independently
2011-09-25bgpd: check LOCAL_PREF attribute flags (BZ#674)Denis Ovsienko
* bgp_attr.c * bgp_attr_local_pref(): accept extra argument, add checks for "optional" and "transitive" bits, log each error condition independently * bgp_attr_parse(): provide extra argument
2011-09-25configure: test for glibc backtrace even without glibc.Dmitrij Tejblum
Other platform may have compatible facilities.
2011-09-25ospfd: remove unused macroDenis Ovsienko
2011-09-25doc: fix typoRoman Hoog Antink
2011-09-25isisd: raise hello rate for DIS (BZ#539)Fritz Reichmann
* isis_pdu.c: Divide hello interval by three, depending if we are DIS or not.
2011-09-25isisd: fix crash on "no router isis" (BZ#536)Fritz Reichmann
The crash is due to threads accessing data that gets destroyed during the removal of the configuration. * isis_circuit.c: Destroy adjacencies to stop adjacency expiry thread. Stop PSNP threads. * isisd.c: Change state of circuit back to INIT and reassign the circuit structure to isis->init_circ_list rather than destroying the circuit data structure. Stop SPF threads. Stop LSP generation threads. * isisd.h: Add pointers to LSP threads into area structure in order to stop them in isisd.c * isis_lsp.c: Store pointer to LSP thread in area structure. * isis_pdu.c: Stop PDU generation for a circuit with a removed area. * isis_pfpacket.c: Stop processing received PDUs for a circuit with a removed area.
2011-09-25ospf6d: Fix memory allocation issues in SPFTom Goff
* ospf6_area.c: Call ospf6_spf_table_finish() before deleting the spf table. This ensures that the associated ospf6_vertex structures are also freed. * ospf6_spf.c: Only allocate a priority queue when a spf calculation is actually performed.
2011-09-25ospf6d: Extend the "[no] debug ospf6 route" vty commandsTom Goff
* ospf6_route.c ([no_]debug_ospf6_route) Include memory as a debug option. This allows ospf6 route memory debugging to be enabled or disabled interactively or from a config file.
2011-09-25isisd: include hash.h, not hash.cPeter Szilagyi
2011-09-25configure: dismiss libutil.hStephen Hemminger
Recent versions of libc on Linux (Debian Testing) create lots of compile warnings about direct usage of libutil.h
2011-09-25doc: add missing wordAlexandre Chappuis
* ospfd.texi: Adjust meaning of the rfc1583compatibility option in order to match the RFC specification and the actual source code.
2011-09-25ospf6d: add lost lines to area config blockJon Andersson
* ospf6_area.c * ospf6_area_config_write(): write filter-list, import-list and export-list lines
2011-09-25bgpd: fix parsing of graceful restart cap. (#663)Peter Pentchev
"While setting up a testbed, I ran across a little problem in the parsing of the "graceful restart" BGP capability that resulted in Quagga not actually activating it for the peer in question - when the peer sent a single AFI/SAFI block." * bgp_open.c * bgp_capability_restart(): actually process the last AFI/SAFI block
2011-09-25ospf6d: fix crash on filter-list handling (BZ#530)Christian Hammers
This essentially merges the fix available from Debian build of Quagga. * ospf6_area.c * area_filter_list(): use correct argv indices * no_area_filter_list(): idem
2011-09-25bgpd: add useful notification logs (BZ#616)heasley
* bgp_packet.c * bgp_notify_send_with_data(): add calls to zlog_info()
2011-09-25doc: BGP route-flap dampeningAlexandre Chappuis
2011-09-25zebra: fix loss of metric for Linux routesDmitry Popov
* rt_netlink.c * netlink_route_change(): fetch metric information like netlink_routing_table() does and pass it further
2011-09-10ospfd: spellingDenis Ovsienko
2011-09-10bgpd: spellingDenis Ovsienko
2011-09-10bgpd: spellingDenis Ovsienko
2011-09-10ospfd: use existing macro for consistencyDenis Ovsienko
2011-09-07version RE-0.99.17.3Denis Ovsienko
2011-09-07ospfd: revert recent PIE change to fix amd64 buildDenis Ovsienko
This reverts commit 68575f4babf4d6fc302c366898a1047f13629214.
2011-09-07version RE-0.99.17.2Denis Ovsienko
2011-09-05build: build ospfd as Position-Independed Executable (if appropriate)Dmitrij Tejblum
Since 46bc0e432e75, all the binaries are built as Position-Independed Executables (if available and enabled). ospfd was missed for some unknown reason.
2011-08-28ospfd: address more trivial compiler warningsDenis Ovsienko
* ospf_ase.c * ospf_ase_complete_direct_routes(): dismiss unused variable * ospf_ase_calculate_route(): put assignments into parentheses
2011-08-28zebra: add missing includesDenis Ovsienko
2011-08-27ospf6d: address more trivial compiler warningsDenis Ovsienko
* ospf6_main.c: include required headers * ospf6_asbr.h: idem * ospf6_spf.c * ospf6_spf_install(): remove unused variables
2011-08-27ospf6d: add missing includeDenis Ovsienko
Two extern declarations in ospf6_abr.h are based on struct ospf6_route, which may not be available at the time ospf6_abr.h is included. This may lead to warnings after including ospf6_abr.h just for the structures defined in it.
2011-08-27ospf6d: move named constants to ospf6d.hDenis Ovsienko