Age | Commit message (Collapse) | Author |
|
This vulnerability (CERT-FI #513254) was reported by CROSS project.
They have also suggested a fix to the problem, which was found
acceptable.
The problem occurs when bgpd receives an UPDATE message containing
255 unknown AS_PATH attributes in Path Attribute Extended Communities.
This causes a buffer overlow in bgpd.
* bgp_ecommunity.c
* ecommunity_ecom2str(): perform size check earlier
|
|
* lib/prefix.h
* IPV4_CLASS_DE(): new helper macro
* bgp_attr.c
* bgp_attr_nexthop(): add check for "partial" bit, refresh flag error
reporting, explain meaning of RFC4271 section 6.3 and implement it
|
|
* bgp_debug.c (bgp_notify_open_msg, bgp_notify_update_msg,
bgp_notify_cease_msg, bgp_notify_capability_msg): add messages for
"unspecific" subcode.
|
|
* bgp_attr.c
* bgp_attr_atomic(): accept extra argument, add checks for
"optional", "transitive" and "partial" bits, log each error
condition independently
* bgp_attr_parse(): provide extra argument
|
|
* bgp_attr.c
* bgp_attr_med(): add checks for "optional", "transitive" and
"partial" bits, log each error condition independently
|
|
* bgp_attr.c
* bgp_attr_local_pref(): accept extra argument, add checks for
"optional" and "transitive" bits, log each error condition
independently
* bgp_attr_parse(): provide extra argument
|
|
"While setting up a testbed, I ran across a little problem in the
parsing of the "graceful restart" BGP capability that resulted in
Quagga not actually activating it for the peer in question - when
the peer sent a single AFI/SAFI block."
* bgp_open.c
* bgp_capability_restart(): actually process the last AFI/SAFI block
|
|
* bgp_packet.c
* bgp_notify_send_with_data(): add calls to zlog_info()
|
|
|
|
|
|
* bgp_nexthop.c (show_ip_bgp_scan_tables): access proper structure field
in AF_INET6 case, handle ifindex NH type properly
|
|
bgp_nexthop_onlink(): zlookup is not used here at all
bgp_nexthop_lookup_ipv6(): rely on the detection performed by "query"
function (this also changes the fallback value to 0), reorder if-block
bgp_nexthop_lookup(): idem
|
|
* bgp_nexthop.c: (show_ip_bgp_scan) transform into
show_ip_bgp_scan_tables(), which uses inet_ntop() and can dump
nexthops on request; (show_ip_bgp_scan_detail_cmd) new function
|
|
bgp_nexthop_lookup_ipv6(): declare variables where they are actually
used, drop no-op initialization (the field is already 0)
bgp_nexthop_lookup(): ditto
bgp_nexthop_check_ebgp(): rename to bgp_nexthop_onlink()
bgp_nexthop_cache_changed(): rename to bgp_nexthop_cache_different()
|
|
* bgpd: (bgp_damp_parameter_set) The BGP reuse_index is not initialized
properly. This would cause sporadic crash when disabling dampening. Use
XCALLOC correctly and the right size array is initialized and no memset is
needed.
|
|
* bgp_route.c: (route_vty_out*) The local prefix, metric and weight values
are all stored as uint32_t. Change the format to %u so that large values
are not displayed as negative integers.
|
|
* bgp_route.c: ({no_,}ipv6_bgp_network_ttl_cmd) depends on ipv6_bgp_network
which is HAVE_IPV6, so these should be too.
(bgp_route_init) and the installs should be similarly ifdefed
|
|
- SAFI value 3 is reserved. It was assigned by RFC 2858 for a use
that was never fully implemented, so it is deprecated by this
document.
* zebra.h: rename macro
* bgp_fsm.c: (bgp_graceful_restart_timer_expire,
bgp_graceful_stale_timer_expire, bgp_stop, bgp_establish): update
* bgpd.c: (peer_nsf_stop): update
* bgp_open.c: (bgp_capability_vty_out): SAFI 3 isn't a recognized case
any more
|
|
Two macros resolving to the same integer constant broke a case block and
a more thorough merge of BGP_SAFI_VPNV4 and BGP_SAFI_VPNV6 was
performed.
* bgpd.h: MPLS-labeled VPN SAFI is AFI-independent, switch to single
* macro
* bgp_capability_test.c: update test data
* bgp_mp_attr_test.c: idem
* bgp_route.c: (bgp_maximum_prefix_overflow, bgp_table_stats_vty) update
macro and check conditions (where appropriate)
* bgp_packet.c: (bgp_route_refresh_send, bgp_capability_send,
bgp_update_receive, bgp_route_refresh_receive): idem
* bgp_open.c: (bgp_capability_vty_out, bgp_afi_safi_valid_indices,
bgp_open_capability_orf, bgp_open_capability): idem
* bgp_attr.c: (bgp_mp_reach_parse, bgp_packet_attribute,
bgp_packet_withdraw): idem
|
|
* bgpd.h: change value of BGP_SAFI_VPNV6 to 128 (RFC4659, BZ#659)
* bgp_route.c: (bgp_table_stats_vty) fix length argument to strncmp()
|
|
|
|
* draft-ietf-idr-as-pathlimit doesn't seem to have gone anywhere, and its
author does not think it will make progress in IDR. Remove all support
introduced for it, but leave stubs for the commands to avoid breaking
any configurations.
Basically reverts cecab5e9725792e60a5e4b473e238a14cd85815d.
(cherry picked from commit c8f3fe3063cb9ff193b13011cfbda3e605395340)
Conflicts:
bgpd/bgp_attr.c (caused by c8e7b895, resolved)
|
|
* bgp_attr.c: (bgp_attr_ext_communities) Certain extended-community attrs
can leave attr->flag indicating ext-community is present, even though no
extended-community object has been attached to the attr structure. Thus a
null-pointer dereference can occur later.
(bgp_attr_community) No bug fixed here, but tidy up flow so it has same
form as previous.
Problem and fix thanks to anonymous reporter.
(cherry picked from commit 0c46638122f10019a12ae9668aec91691cf2e017)
|
|
* bgpd/bgp_debug.c: fix VTY strings for BGP debug commands to match
correct syntax
(cherry picked from commit 6e22b9017e1ae2ce61c383b1b2b63973207704ac)
|
|
* bgp_packet.c: (bgp_notify_receive) justify the difference between
BGP_NOTIFY_OPEN_UNSUP_PARAM and BGP_NOTIFY_OPEN_UNSUP_CAPBL cases, as
it is explained in RFC5492, page 3, paragraph 1.
"Unsupported Capability" error does not mean, that the peer doesn't
support capabilities advertisement -- quite the opposite (if the peer
would not support capabilities advertisement, the code would be
"Unsupported Optional Parameter"). Thus there is no reason to mark
the peer as one non-supporting capabilities advertisement.
Example: suppose the peer is in fact IPv6-only, but we didn't configure
anything address-family specific for it. Then, the peer would refuse
the session with "Unsupported Capability" code. If we internally set
the peer as non-supporting capabilities advertisement after that, we
will not be able to establish the session with it ever, even with a
fixed configuration -- IPv6-only BGP session cannot be established
without capabilities.
In practice an edge case would be seen as the same IPv6 peer working
with its "neighbor" block read from bgpd.conf, but not working, when
slowly input in "conf t" mode.
(cherry picked from commit c7aa8abd8788c3607ad0131f02e892cf92221e40)
|
|
* bgp_vty.c: (community_list_perror, show_ip_community_list_arg,
show_ip_extcommunity_list_arg) fix spelling
(cherry picked from commit b729294c8c5c6f2af8ddf6cfbea2374b6faabe9d)
|
|
* bgp_route.c: (route_vty_out_detail) calculate time value
in a way, which works regardless of monotonic clock
being used or not
|
|
* bgpd/bgp_attr.c, bgpd/bgp_open.h, bgpd/bgp_route.c, lib/prefix.c,
lib/prefix.h: Various integer types were being used where, if we
had strict type checking, afi_t and safi_t would be required.
Signed-off-by: G.Balaji <balajig81@gmail.com>
(cherry picked from commit c8af35ffa2dc79ff7d7ff00b1b61f1f50a100ab6)
|
|
bgpd/bgp_packet.c:bgp_update_packet(): When extracting the peer, don't
fail to extract it because "binfo->extra" is NULL. While one should
certainly avoid dereferencing binfo->extra, that's not a good reason
not to use binfo->peer.
Fixes https://bugzilla.quagga.net/show_bug.cgi?id=497.
Patch by Eric Sobocinksi.
|
|
* bgpd/bgp_aspath.c
* assegments_parse(): add handling of AS4_PATH input, update bounds
checks, add check for AS segment type
* aspath_parse(): add handling of AS4_PATH input, expect
assegments_parse() to do length checking
* aspath_empty(): update for the new function prototype
* bgpd/bgp_aspath.h: ditto
* tests/aspath_test.c: ditto
* bgpd/bgp_attr.c
* bgp_attr_aspath(): add handling of AS4_PATH input, update flags
checks, change returned type
* bgp_attr_as4_path(): discard, superseded by bgp_attr_aspath()
* bgp_attr_parse(): update respectively
|
|
* bgp_packet.c: (bgp_route_refresh_receive) add validation of
"Length" (RFC5292) field value, check input stream bounds
each time bytes are pulled from it
|
|
BGP uses time() to get system time of day; but that value
fluctuates with time adjustments from NTP. This can cause premature
flapping of peer sessions and other failures.
Use the system monotonic clock supported by Quagga thread library
to avoid issue.
See: http://bugzilla.vyatta.com/show_bug.cgi?id=4467
* bgpd/bgp_fsm.c
* bgp_uptime_reset(): dismiss function
* bgpd/bgpd.c
* bgp_clock(): new function
* bgpd/bgp_damp.c
* bgp_reuse_timer(): employ bgp_clock() instead of time(NULL)
* bgp_damp_withdraw(): idem
* bgp_damp_update(): idem
* bgp_damp_scan(): idem
* bgp_damp_info_vty(): idem
* bgp_damp_reuse_time_vty(): idem
* bgpd/bgp_fsm.c
* bgp_routeadv_timer(): idem
* bgp_stop(): idem
* bgp_establish(): idem
* bgpd/bgp_packet.c
* bgp_update_receive(): idem
* bgpd/bgp_route.c
* bgp_update_rsclient(): idem
* bgp_update_main(): idem
* bgp_static_update_rsclient(): idem
* bgp_static_update_main(): idem
* bgp_static_update_vpnv4(): idem
* bgp_aggregate_route(): idem
* bgp_aggregate_add(): idem
* bgp_redistribute_add(): idem
* bgpd/bgp_snmp.c
* bgpPeerTable(): idem
* bgpTrapEstablished(): idem
* bgpTrapBackwardTransition(): idem
* bgpd/bgpd.c
* peer_create(): idem
* peer_uptime(): idem
* bgp_master_init(): idem
|
|
* bgpd/bgp_aspath.c
* ashash: only used in one file, make static
* aspath_count_numas(): dead code, sayonara
* bgpd/bgpd.c
* peer_nsf_stop(): only used in one file, make static
* bgpd/bgp_packet.h
* bgp_capability_receive(): add missing prototype for a
global function
|
|
* bgpd/bgp_fsm.c
* bgp_clearing_completed(): only used in one file, can be static
* bgpd/bgp_packet.c
* afi2str(): sayonara
* safi2str(): sayonara
* bgpd/bgp_route.c
* bgp_distance_reset(): sayonara
* bgpd/bgp_zebra.c
* bgp_ifindex_by_nexthop(): sayonara
|
|
Make one version of check prefix bit, and put it inline
with proper prototype. This gets rid of some macro's and also some
assert() that can never happen on a non-broken compiler.
* bgpd/bgp_table.c
* CHECK_BIT(): sayonara
* check_bit(): sayonara
* SET_LINK(): sayonara
* set_link(): make use of prefix_bit() instead of check_bit()
* bgp_node_match(): idem
* bgp_node_lookup(): idem
* bgp_node_get(): idem
* lib/prefix.h
* prefix_bit(): new inline version of check_bit()
* lib/table.c
* CHECK_BIT(): sayonara
* check_bit(): sayonara
* SET_LINK(): sayonara
* set_link(): make use of prefix_bit() instead of check_bit()
* route_node_match(): idem
* route_node_lookup(): idem
* route_node_get(): idem
* ospf6d/ospf6_lsdb.c
* CHECK_BIT(): sayonara
* ospf6_lsdb_lookup_next(): make use of prefix_bit() instead of
CHECK_BIT()
* ospf6_lsdb_type_router_head(): idem
* ospf6_lsdb_type_head(): idem
* ospf6d/ospf6_route.c
* CHECK_BIT(): sayonara
* ospf6_route_match_head() make use of prefix_bit() instead of
* CHECK_BIT()
|
|
|
|
* bgp_network.c: (bgp_md5_set) Missing piece from earlier listener change
did not get ported from Vyatta code into upstream. The list
listener_sockets changed from (int *) to (struct bgp_listener *).
|
|
* bgp_network.c: (bgp_accept) The code in current git will crash as part of
the revised listener code is missing. The new listener thread code passes
a pointer to a bgp_listener structure, not the bgp pointer. The old code
always got a NULL for bgp pointer, so that is now hard coded.
|
|
* bgp_filter.h: Gcc complains the function prototype is not correct because
the function argument is using old K&R style.
|
|
* bgpd.c: (peer_lookup_with_open) Bodged application of previous patch
meant the second loop around bgp->peer wasn't included in the loop
around bm->bgp as it was supposed to be. Fix..
|
|
|
|
* bgp_attr.c: (bgp_mp_reach_parse) There are some interoperability issues
for MBGP (particularly IPv4 multicast NLRI) between different
implementations. In order to get some next hops to install correctly in
the BGP tables, it appears to be necessary to copy the multiprotocol next
hop into the base next hop field. This is related to differences in RFC
2283 and RFC 2858.
|
|
|
|
* bgpd.c: (peer_lookup) Search through all BGP instances for matches, not just
the default instance, if no specific instance is given.
(peer_lookup_with_open) same.
|
|
* bgp_fsm.c: I have found an fd leak in bgpd that is caused by the 'new'
Clearing state. I've been seeing it from hold timer failures, but it can
also be triggered by other things.
When Hold_Timer_expired fires in Established state, a notify is sent and
BGP_Stop event queued. The fsm then transitions into Clearing state.
That is the problem; When the BGP_Stop event is serviced, the state table
says to ignore it while in Clearing. Thus bgp_stop is not called and the
fd leaks. Previously the peer would be in Idle state, which correctly
handles the BGP_Stop event.
Fix by making bgp_stop safe to call from Clearing state, without losing
ClearingCompleted events, and then ensuring it is called prior to
transition from Clearing->Idle.
|
|
AS_CONFED_SEQUENCE segment should always be deleted when prepending
(e.g. with a route-map) an AS_SEQUENCE segment to an AS path. Otherwise,
AS_CONFED_SEQUENCE will not be deleted later when updating EBGP peers (since
it is not the leftmost segment) and will leak outside the confederation.
|
|
This patch implements BGP confederation error handling in Quagga as described
in RFC5065, paragraph 5.
* bgp_aspath.c: (aspath_confed_check, aspath_left_confed_check) new functions
* bgp_attr.c: (bgp_attr_aspath_check) apply previous and NOTIFY if there's
a problem.
|
|
Start BGP listener only after first instance is started. This helps the
security if BGP is not used but daemon is started. It also addresses some
issues like MD5 not working on listener unless IPV6 configured (because
listener was not in list); as well as compiler warnings.
* bgp_network.c: (bgp_listener) listen socket creation consolidated here
(bgp_socket) Use bgp_listener
* bgpd.c: (bgp_get) call bgp_socket on creation of first struct bgp.
(bgp_init) remove bgp_socket call.
* memtypes.c: Add MTYPE_BGP_LISTENER
|
|
bgpd.c: (various tables) only used in one place and are immutable.
|
|
* bgp_vty.c: (BGP_UPDATE_SOURCE_STR) Restore ability to accept arbitrary
interface names for the 'neighbor ... update-source' command - shouldn't
have been deleted.
(BGP_UPDATE_SOURCE_STR) Add help for same.
|