Age | Commit message (Collapse) | Author |
|
This vulnerability (CERT-FI #514840) was reported by CROSS project.
ospf6d processes IPv6 prefix structures in incoming packets without
verifying that the declared prefix length is valid. This leads to a
crash
caused by out of bounds memory access.
* ospf6_abr.h: new macros for size/alignment validation
* ospf6_asbr.h: idem
* ospf6_intra.h: idem
* ospf6_lsa.h: idem
* ospf6_message.h: idem
* ospf6_proto.h: idem
* ospf6_message.c
* ospf6_packet_minlen: helper array for ospf6_packet_examin()
* ospf6_lsa_minlen: helper array for ospf6_lsa_examin()
* ospf6_hello_recv(): do not call ospf6_header_examin(), let upper
layer verify the input data
* ospf6_dbdesc_recv(): idem
* ospf6_lsreq_recv(): idem
* ospf6_lsupdate_recv(): idem
* ospf6_lsack_recv(): idem
* ospf6_prefixes_examin(): new function, implements A.4.1
* ospf6_lsa_examin(): new function, implements A.4
* ospf6_lsaseq_examin(): new function, an interface to above
* ospf6_packet_examin(): new function, implements A.3
* ospf6_rxpacket_examin(): new function, replaces
ospf6_header_examin()
* ospf6_header_examin(): sayonara
* ospf6_receive(): perform passive interface check earliest possible,
employ ospf6_rxpacket_examin()
|
|
This vulnerability (CERT-FI #514839) was reported by CROSS project.
When Database Description LSA header list contains trailing zero octets,
ospf6d tries to process this data as an LSA header. This triggers an
assertion in the code and ospf6d shuts down.
* ospf6_lsa.c
* ospf6_lsa_is_changed(): handle header-only argument(s)
appropriately, do not treat LSA length underrun as a fatal error.
|
|
* ospf6_area.c: Call ospf6_spf_table_finish() before deleting the spf
table. This ensures that the associated ospf6_vertex structures
are also freed.
* ospf6_spf.c: Only allocate a priority queue when a spf calculation
is actually performed.
|
|
* ospf6_route.c ([no_]debug_ospf6_route) Include memory as a debug
option. This allows ospf6 route memory debugging to be enabled or
disabled interactively or from a config file.
|
|
* ospf6_area.c
* ospf6_area_config_write(): write filter-list, import-list and
export-list lines
|
|
This essentially merges the fix available from Debian build of Quagga.
* ospf6_area.c
* area_filter_list(): use correct argv indices
* no_area_filter_list(): idem
|
|
* ospf6_main.c: include required headers
* ospf6_asbr.h: idem
* ospf6_spf.c
* ospf6_spf_install(): remove unused variables
|
|
Two extern declarations in ospf6_abr.h are based on struct ospf6_route,
which may not be available at the time ospf6_abr.h is included. This may
lead to warnings after including ospf6_abr.h just for the structures
defined in it.
|
|
|
|
|
|
* ospf6_abr.c
* ospf6_abr_examin_summary(): only fill "buf" when it is used
|
|
|
|
* ospf6_area.c: (ospf6_area_delete) Get rid of unused code that refers
to a nonexistent function and structure member.
|
|
* ospf6_message.c: (ospf6_packet_max): new function, return maximum IPv6
payload on an interface; (ospf6_hello_send, ospf6_dbdesc_send,
ospf6_dbdesc_send_newone, ospf6_lsreq_send, ospf6_lsupdate_send_neighbor,
ospf6_lsupdate_send_interface, ospf6_lsack_send_neighbor,
ospf6_lsack_send_interface): compare message size with the maximum
payload instead of the MTU.
|
|
"mtu-ignore" is an option ospfd used to mimic from the vendor's
implementation, now ospf6d will also implement it.
* ospf6_interface.h: extend ospf6_interface structure by one flag
* ospf6_interface.c: (ipv6_ospf6_mtu_ignore, no_ipv6_ospf6_mtu_ignore):
new declarations; (ospf6_interface_create): show initial value for
consistency; (ospf6_interface_show): print flag status
* ospf6_message.c: (ospf6_dbdesc_recv): consider interface-specific flag
when checking MTU
|
|
* ospf6_spf.c: Don't replace a node with another node with a lower
number of hops, instead get them from the queue in the correct
order. (Actually, the replacement crashed the ospf6d daemon
rather than worked.)
(cherry picked from commit 403138e189c24f6867824c4eeb668d11564e1ca0)
|
|
startup-config
* ospf6_interface.c: When '[no] ipv6 ospf6 advertise prefix-list'
appears in the startup configuration for ospf6d, a crash occurs,
because ospf6d attempts to schedule LSAs when the 'oi->area'
structure has not yet been initialized.
Now, when the command above is issued (either in the startup
configuration or at runtime), ospf6d will only schedule LSAs if
the 'oi->area' structure has been initalized. A similar test is
already used when handling the commands 'ipv6 ospf6 priority'
and 'ipv6 ospf6 cost'.
|
|
* ospf6d/ospf6_interface.c
* loopind(): sayonara
* ospf6d/ospf6_top.c
* ospf6_delete(): comment out, it might be useful if real shutdown is
added
|
|
* lib/prefix.h
* prefix6_bit(): add IPv6 wrapper for prefix_bit()
* ospf6d/ospf6_lsdb.c
* ospf6_lsdb_type_router_head(): employ prefix6_bit()
* ospf6_lsdb_type_head(): idem
|
|
Make one version of check prefix bit, and put it inline
with proper prototype. This gets rid of some macro's and also some
assert() that can never happen on a non-broken compiler.
* bgpd/bgp_table.c
* CHECK_BIT(): sayonara
* check_bit(): sayonara
* SET_LINK(): sayonara
* set_link(): make use of prefix_bit() instead of check_bit()
* bgp_node_match(): idem
* bgp_node_lookup(): idem
* bgp_node_get(): idem
* lib/prefix.h
* prefix_bit(): new inline version of check_bit()
* lib/table.c
* CHECK_BIT(): sayonara
* check_bit(): sayonara
* SET_LINK(): sayonara
* set_link(): make use of prefix_bit() instead of check_bit()
* route_node_match(): idem
* route_node_lookup(): idem
* route_node_get(): idem
* ospf6d/ospf6_lsdb.c
* CHECK_BIT(): sayonara
* ospf6_lsdb_lookup_next(): make use of prefix_bit() instead of
CHECK_BIT()
* ospf6_lsdb_type_router_head(): idem
* ospf6_lsdb_type_head(): idem
* ospf6d/ospf6_route.c
* CHECK_BIT(): sayonara
* ospf6_route_match_head() make use of prefix_bit() instead of
* CHECK_BIT()
|
|
It seems that there is a bug in ospf6d in ospf6_lsa_compare(): If LSA A
has sequence number smaller than 0x80000000 and LSA B has sequence
number larger than 0x80000000, ospf6_lsa_compare() returns that B is
more recent than A, although RFC says that sequence numbers should be
compared as signed numbers (0x8000001 smallest and 0x7FFFFFFF largest).
In ospfd, the function ospf_lsa_more_recent() has it right.
The problem appears when Quagga is used together with OSPFv3 in
development version of BIRD daemon ( http://bird.network.cz/ ),
which creates LSAs with maximum sequence number (0x7FFFFFFF)
as a part of flushing/premature aging LSA from OSPF area.
Because both daemons has different idea of which LSA instance
is more recent, it would lead to LSA storm.
|
|
* ospf6_lsdb.c: (ospf6_new_ls_id) Unlock the current LSA when breaking
out of the ospf6_lsdb_*_head() / ospf6_lsdb_*_next() loop early. No
explicit unlocking is needed when all LSAs are looped through
because ospf6_lsdb_*_next() manages everything in that case.
|
|
* ospf6_lsa.c: (ospf6_lsa_age_current) arithmetical compares make no sense
in non-host order..
|
|
* */*main.c: (main) Current versions of Gcc warn if the return value for
daemon() is not checked. So add a simple test and exit on failure.
|
|
*/*: ifp->flags is 64 bit unsigned which can not be handled by %l on 32
bit architectures - requires %ll and the appropriate cast.
|
|
* ospf6_lsa.c: (ospf6_lsa_premature_aging) set age to MAX_AGE - don't
rely on 0 magically meaning same.
(ospf6_lsa_age_current) handle MAXAGE.
|
|
|
|
Don't need command twice.
|
|
ospf6d will crash if attempting to remove interface when no areas have been
defined Check if any areas have been defined. Should prevent use of empty
pointer.
|
|
ospf6d will crash if this command is executed on a non-border-router.
Included test to verify that any routes are defined, preventing empty
pointer from being used.
|
|
Suggestion: Makes no sense to me that the statement to remove ospf6
configuration is located in OSPF6D_NODE.
Moved to CONFIG_NODE next to matching define command.
|
|
ospf6d will crash if the same range is defined twice.
There was no check if the same range had previously been defined,
thereby causing a later assert to fail.
|
|
The cmd_nodes used to configure vty, can mostly be static so
(basic data hiding 101).
|
|
Simple conversion of XMALLOC/memset to XCALLOC
|
|
Compiled on 32-bit and 64-bit linux gcc 4.1.2 platforms.
No run-time testing on 32-bit and limited run-time testing on 64-bit.
|
|
--without-crypto
Autoconfig work by me, the rest was done by
"Kirill K. Smirnov" <lich@math.spbu.ru>
|
|
- Add more stuff, archive libraries, etc..
|
|
|
|
|
|
2008-08-15 Paul Jakma <paul.jakma@sun.com>
* {ospf6d,ripngd}/*: Finish job of marking functions as static, or
exporting declarations for them, to quell warning noise with
Quagga's GCC default high-level of warning flags. Thus allowing
remaining, more useful warnings to be more easily seen.
|
|
2008-08-13 Paul P Komkoff Jr <i@stingr.net>
* configure.ac: add a configure flag and autoconf macro, which will
determine if your toolchain supports PIE.
* */Makefile.am: add corresponding CFLAGS and LDFLAGS into
appropriate places.
Signed-off-by: Paul Jakma <paul@quagga.net>
|
|
|
|
2008-05-29 Martin Nagy <mnagy@redhat.com>
* */*main.c: Sanity check port numbers before using.
|
|
2008-01-30 Peter Szilagyi <sp615@hszk.bme.hu>
* lib/stream.h: Remove named 'new' parameter in prototype
for c++ header compatibility.
* ospfd/ospf_opaque.h: ditto
* ospfd/ospfd.h: Renamed struct export to _export for c++
header compatibility.
* ospf6d/ospf6_area.h: ditto
|
|
2007-10-22 Phil Spagnolo <phillip.a.spagnolo@boeing.com>
* ospf6_asbr.c: (ospf6_asbr_lsentry_remove) Remove shortcut
of LSDB search - it's based on assumption non-BEST routes
can't have ASBR routes, which appears to be wrong. Safest to
search.
|
|
2007-06-07 Pavol Rusnak <prusnak@suse.cz>
* ospf6_lsa.c: (no_debug_ospf6_lsa_hex_cmd) Fix bug: must use strcmp
to compare strings.
|
|
2007-04-27 Andrew J. Schorr <ajschorr@alumni.princeton.edu>
* lib/smux.c: (smux_trap) Fix printf format to work with 64-bit size_t.
* ospf6d/ospf6_snmp.c: (ospfv3AreaEntry, ospfv3AreaLsdbEntry) Fix some
zlog_debug printf formats to work with 64-bit size_t.
|
|
2007-03-08 David Siebörger d.sieborger@ru.ac.za
* ospf6_neighbor.c: (ospf6_neighbor_show) Fix bug #322, ospf6d
wasn't updated to match thread times changing to relative
time.
|
|
2007-02-27 Pavol Rusnak <prusnak@suse.cz>
* ospf6_lsa.c: (ospf6_lsa_handler_name) Fix bug: must use strcmp
to compare strings.
|
|
(from pkgsrc)
|