Chris Luke [Tue, 18 Oct 2011 13:26:51 +0000 (17:26 +0400)]
bgpd: justify capabilities for TOS setting
To set the TOS bits on TCP connections, platforms that restrict
capabilities need the priv level to be raised before the sockopt
is set, and this requires the ZCAP_NET_ADMIN priv.
* bgp_main.c: update _caps_p to include ZCAP_NET_ADMIN
* bgp_network.c
* bgp_connect(): request ZPRIVS_RAISE/ZPRIVS_LOWER
* bgp_listener(): request ZPRIVS_RAISE earlier
Denis Ovsienko [Tue, 18 Oct 2011 09:55:07 +0000 (13:55 +0400)]
bgpd: use bgp_attr_malformed()
Some of the recent attribute flags/length checks copied from QRE use
bgp_notify_send_with_data() directly, but master branch assumes
using bgp_attr_malformed().
Denis Ovsienko [Mon, 10 Oct 2011 17:08:33 +0000 (21:08 +0400)]
bgpd: add flag checks for MP_(UN)REACH_NLRI
* bgp_attr.[ch]
* bgp_mp_reach_parse(): add extra arguments and a uniform flag
check block
* bgp_mp_unreach_parse(): idem
* bgp_attr_parse(): provide extra arguments
* bgp_mp_attr_test.c
* parse_test(): justify respective calls
* bgp_attr.c
* bgp_attr_cluster_list(): accept extra argument, add checks for
"optional", "transitive" and "partial" bits, log each error
condition independently
* bgp_attr_parse(): provide extra arguments
* bgp_attr.c
* bgp_attr_originator_id(): accept extra argument, add checks for
"optional", "transitive" and "partial" bits, log each error
condition independently
* bgp_attr_parse(): provide extra arguments
IPv6 supports the same concept of differentiated service for routing
protocols as IPv4, but like too many things, the standards committee
decided that having two names for the same thing wasn't good enough and
introduced a third more generic term transport class.
The socket option to set transport class works the same as IPv4, but the
arguments are different.
* lib/sockopt.[ch]
* setsockopt_ipv6_tclass(): new function
* bgpd/bgp_network.c
* bgp_connect(): set socket option
* bgp_listener(): set socket option
* ospf6d/ospf6_network.c
* ospf6_set_transport_class(): new function
* ospf6_serv_sock(): set socket option
* ripngd/ripngd.c
* ripng_make_socket(): set socket option
Denis Ovsienko [Wed, 12 Oct 2011 09:54:21 +0000 (13:54 +0400)]
bgpd: fix regression in improved attr flag checks
Commit 2febf323411c1aed9d7694898f852ce2ef36a7e5 assumed every flag
bit except optional/transitive/partial unset, which at times could
not be true for "extended length" bit.
* bgp_attr.c
* bgp_attr_origin(): exclude BGP_ATTR_FLAG_EXTLEN from comparison
* bgp_attr_nexthop(): idem
* bgp_attr_med(): idem
* bgp_attr_local_pref(): idem
* bgp_attr_atomic(): idem
Peter Pentchev [Mon, 12 Sep 2011 12:30:31 +0000 (16:30 +0400)]
bgpd: fix parsing of graceful restart cap. (#663)
"While setting up a testbed, I ran across a little problem in the
parsing of the "graceful restart" BGP capability that resulted in
Quagga not actually activating it for the peer in question - when
the peer sent a single AFI/SAFI block."
* bgp_open.c
* bgp_capability_restart(): actually process the last AFI/SAFI block
Denis Ovsienko [Sat, 8 Oct 2011 09:54:48 +0000 (13:54 +0400)]
bgpd: improve attr length error handling (BZ#679)
* bgp_attr.c
* bgp_attr_parse(): provide extra argument to bgp_attr_aggregator()
* bgp_attr_local_pref(): use bgp_notify_send_with_data()
* bgp_attr_atomic(): idem
* bgp_attr_aggregator(): idem
Do not check each of the Optional/Transitive/Partial attribute
flag bits, when their only valid combination is known in advance,
but still perform bit-deep error message logging. This change
assumes unused (low-order) 4 bits of the flag octet cleared.
* bgp_attr.c
* bgp_attr_origin(): rewrite check
* bgp_attr_nexthop(): idem
* bgp_attr_med(): idem
* bgp_attr_local_pref(): idem
* bgp_attr_atomic(): idem
ORIGIN handling function used to have "partial" bit check and recent
commits added it for NEXT_HOP, MULTI_EXIT_DISC and ATOMIC_AGGREGATE
cases. This commit adds "partial" check for AS_PATH and LOCAL_PREF
cases, which should leave attributes 1 through 6 inclusive completely
covered with attribute flags checks.
* bgp_attr.c
* bgp_attr_origin(): use bit-by-bit checks for better diagnostics
* bgp_attr_aspath(): add flag check
* bgp_attr_local_pref(): idem
* lib/prefix.h
* IPV4_CLASS_DE(): new helper macro
* bgp_attr.c
* bgp_attr_nexthop(): add check for "partial" bit, refresh flag error
reporting, explain meaning of RFC4271 section 6.3 and implement it
lib: provide more information in case of failed LOOKUP.
* log.[ch]
* mes_lookup: add a parameter with the name of the message list, print
the name in case of failure.
* LOOKUP macro: pass the name of the message list.
Dmitrij Tejblum [Thu, 18 Aug 2011 16:22:17 +0000 (20:22 +0400)]
lib: simplify interface of setsockopt_multicast_ipv4().
* sockopt.[ch] (setsockopt_ipv4_multicast): ifindex is now mandatory (all
non-ancient OSes can use it anyway), and if_addr parameter (the address
of the interface) is now gone. (setsockopt_ipv4_multicast_if):
IP_MULTICAST_IF processing moved to this new function
* ospf_network.c (ospf_if_add_allspfrouters, ospf_if_drop_allspfrouters,
ospf_if_add_alldrouters, ospf_if_drop_alldrouters, ospf_if_ipmulticast),
rip_interface.c (ipv4_multicast_join, ipv4_multicast_leave,
rip_interface_new): adapt to the new interface
* bgp_attr.c
* bgp_attr_atomic(): accept extra argument, add checks for
"optional", "transitive" and "partial" bits, log each error
condition independently
* bgp_attr_parse(): provide extra argument
* bgp_attr.c
* bgp_attr_local_pref(): accept extra argument, add checks for
"optional" and "transitive" bits, log each error condition
independently
* bgp_attr_parse(): provide extra argument
This change is based on Xavier Beaudouin's patch (which fixes detection
of 3 config.h macros on FreeBSD without any impact to Linux build of
Quagga) and FreeBSD port patch (which fixes 5 config.h macros, but
breaks the Linux build), it fixes 5 macros and works for both FreeBSD 8
and Linux.
Fritz Reichmann [Wed, 14 Sep 2011 15:31:51 +0000 (19:31 +0400)]
isisd: fix crash on "no router isis" (BZ#536)
The crash is due to threads accessing data that gets destroyed
during the removal of the configuration.
* isis_circuit.c: Destroy adjacencies to stop adjacency expiry thread.
Stop PSNP threads.
* isisd.c: Change state of circuit back to INIT and reassign the
circuit structure to isis->init_circ_list rather than destroying
the circuit data structure. Stop SPF threads. Stop LSP generation
threads.
* isisd.h: Add pointers to LSP threads into area structure in order to
stop them in isisd.c
* isis_lsp.c: Store pointer to LSP thread in area structure.
* isis_pdu.c: Stop PDU generation for a circuit with a removed area.
* isis_pfpacket.c: Stop processing received PDUs for a circuit with a
removed area.
* ospf_route.c: Function ospf_asbr_route_cmp is called uniquely from
ospf_route_cmp() when the flag OSPF_RFC1583_COMPATIBLE is not set.
Therefore, the check that the flag is set doesn't make sense at all
and it can consequently be removed without doing any harm.
Signed-off-by: Alexandre Chappuis <alc@open.ch> Signed-off-by: Roman Hoog Antink <rha@open.ch>
This vulnerability (CERT-FI #514840) was reported by CROSS project.
ospf6d processes IPv6 prefix structures in incoming packets without
verifying that the declared prefix length is valid. This leads to a
crash
caused by out of bounds memory access.
* ospf6_abr.h: new macros for size/alignment validation
* ospf6_asbr.h: idem
* ospf6_intra.h: idem
* ospf6_lsa.h: idem
* ospf6_message.h: idem
* ospf6_proto.h: idem
* ospf6_message.c
* ospf6_packet_minlen: helper array for ospf6_packet_examin()
* ospf6_lsa_minlen: helper array for ospf6_lsa_examin()
* ospf6_hello_recv(): do not call ospf6_header_examin(), let upper
layer verify the input data
* ospf6_dbdesc_recv(): idem
* ospf6_lsreq_recv(): idem
* ospf6_lsupdate_recv(): idem
* ospf6_lsack_recv(): idem
* ospf6_prefixes_examin(): new function, implements A.4.1
* ospf6_lsa_examin(): new function, implements A.4
* ospf6_lsaseq_examin(): new function, an interface to above
* ospf6_packet_examin(): new function, implements A.3
* ospf6_rxpacket_examin(): new function, replaces
ospf6_header_examin()
* ospf6_header_examin(): sayonara
* ospf6_receive(): perform passive interface check earliest possible,
employ ospf6_rxpacket_examin()
This vulnerability (CERT-FI #514839) was reported by CROSS project.
When Database Description LSA header list contains trailing zero octets,
ospf6d tries to process this data as an LSA header. This triggers an
assertion in the code and ospf6d shuts down.
* ospf6_lsa.c
* ospf6_lsa_is_changed(): handle header-only argument(s)
appropriately, do not treat LSA length underrun as a fatal error.
This vulnerability (CERT-FI #514838) was reported by CROSS project.
The error is reproducible only when ospfd debugging is enabled:
* debug ospf packet all
* debug ospf zebra
When incoming packet header type field is set to 0x0a, ospfd will crash.
* ospf_packet.c
* ospf_verify_header(): add type field check
* ospf_read(): perform input checks early
This vulnerability (CERT-FI #514837) was reported by CROSS project.
They have also suggested a fix to the problem, which was found
acceptable.
Quagga ospfd does not seem to handle unknown LSA types in a Link State
Update message correctly. If LSA type is something else than one
supported
by Quagga, the default handling of unknown types leads to an error.
* ospf_flood.c
* ospf_flood(): check return value of ospf_lsa_install()
This vulnerability (CERT-FI #513254) was reported by CROSS project.
They have also suggested a fix to the problem, which was found
acceptable.
The problem occurs when bgpd receives an UPDATE message containing
255 unknown AS_PATH attributes in Path Attribute Extended Communities.
This causes a buffer overlow in bgpd.
Denis Ovsienko [Sat, 20 Aug 2011 19:12:00 +0000 (23:12 +0400)]
ospf6d: add missing include
Two extern declarations in ospf6_abr.h are based on struct ospf6_route,
which may not be available at the time ospf6_abr.h is included. This may
lead to warnings after including ospf6_abr.h just for the structures
defined in it.
Paul Jakma [Fri, 29 Jul 2011 17:16:25 +0000 (18:16 +0100)]
Merge branch 'attr-errors'
Contains BGP fixes:
- set extcommunity crash: tihs patch tries to make the refcounting more robust
but does not fully solve the problem, sadly.
- BGP attribute error handling: Little testing.
"mtu-ignore" is an option ospfd used to mimic from the vendor's
implementation, now ospf6d will also implement it.
* ospf6_interface.h: extend ospf6_interface structure by one flag
* ospf6_interface.c: (ipv6_ospf6_mtu_ignore, no_ipv6_ospf6_mtu_ignore):
new declarations; (ospf6_interface_create): show initial value for
consistency; (ospf6_interface_show): print flag status
* ospf6_message.c: (ospf6_dbdesc_recv): consider interface-specific flag
when checking MTU
Paul Jakma [Mon, 11 Apr 2011 15:31:43 +0000 (16:31 +0100)]
bgpd: trivial format / warning fixes
* bgp_aspath.c: (assegments_parse) just bail early if length doesn't match
and fix the formatting.
* bgp_network.c: add include needed for set_nonblocking
* bgp_packet.c: formatting
Michael Lambert [Mon, 13 Sep 2010 15:48:11 +0000 (11:48 -0400)]
bgpd: fix memory leak when deleting a community
* bgp_routemap.c: (route_set_community_delete) When deleting a
community in a route-map the old community was being orphaned. Like
the description of the same code in route_set_community, this is a
hack, not a true fix.
Paul Jakma [Tue, 29 Mar 2011 13:18:49 +0000 (14:18 +0100)]
bgpd: Fix merge error in jhash commit
* bgp_attr.c: (attrhash_key_make) 98e30f should have changed jhash2 to jhash.
These kinds of merge errors would be reduced and life would be easier if
people would submit fully-formed fixes that could be chucked directly into
git-am.
* bgpd.h: Add error code for setting GTSM on iBGP
* bgpd.c: (peer_ttl_security_hops_set) use previous error code and signal
incompatibility of GTSM+iBGP to vty.
Consider the session state when setting GTSM, and reset Open/Active peers
to let them pick up new TTL from start.
Greg Troxel [Thu, 24 Mar 2011 14:19:43 +0000 (10:19 -0400)]
build: treat opaque-lsa default correctly for ospfapi
In deciding whether to default ospfapi to on or off, use the same rule
for opaque-lsa as earlier: != no rather than = yes, so that not having
set it implies yes.
* bgp_vty.c: (peer_ebgp_multihop_{un,}set_vty) tail-call cleanup.
({no_,}neighbor_ttl_security) ditto.
* bgpd.c: (peer_ttl_security_hops_set) Peer group checks and TTL set only
need to be done on transition.
* sockunion.c: (sockopt_minttl) remove always-on debug and improve readability.
Nick Hilliard [Wed, 23 Mar 2011 15:33:17 +0000 (15:33 +0000)]
bgpd: RFC 5082 Generalized TTL Security Mechanism support
* bgpd: Add support for RFC 5082 GTSM, which allows the TTL field to be used
to verify that incoming packets have been sent from neighbours no more
than X IP hops away. In other words, this allows packets that were sent from
further away (i.e. not by the neighbour with known distance, and so possibly
a miscreant) to be filtered out.
* lib/sockunion.{c,h}: (sockopt_minttl) new function, to set a minimum TTL
using the IP_MINTTL socket opt.
* bgpd.h: (BGP_ERR_NO_EBGP_MULTIHOP_WITH_TTLHACK) define for command
error for minttl.
(struct peer) add a config variable, to store the configured minttl.
(peer_ttl_security_hops_{set,unset}) configuration handlers
* bgpd.c: (peer_group_get) init gtsm_hops
(peer_ebgp_multihop_{un,}set) check for conflicts with GTSM. Multihop and
GTSM can't both be active for a peer at the same time.
(peer_ttl_security_hops_set) set minttl, taking care to avoid conflicts with
ebgp_multihop.
(bgp_config_write_peer) write out minttl as "neighbor .. ttl-security hops X".
* bgp_vty.c: (bgp_vty_return) message for
BGP_ERR_NO_EBGP_MULTIHOP_WITH_TTLHACK
(peer_ebgp_multihop_{un,}set_vty)
* bgp_network.c: (bgp_accept) set minttl on accepted sockets if appropriate.
(bgp_connect) ditto for outbound.
Paul Jakma [Wed, 23 Mar 2011 10:30:30 +0000 (10:30 +0000)]
bgpd: Fix compile failure if IPv6 build was disabled.
* bgp_route.c: ({no_,}ipv6_bgp_network_ttl_cmd) depends on ipv6_bgp_network
which is HAVE_IPV6, so these should be too.
(bgp_route_init) and the installs should be similarly ifdefed
bgpd: attribute jhash call should use a standard interface to in6_addr data
* bgp_attr.c; (attrhash_key_make) s6_addr is only member of in6_addr
guaranteed to be available - s6_addr32 isn't. Fix to be more portable, and
thus allow compilation on BSD again.
Paul Jakma [Tue, 22 Mar 2011 15:23:55 +0000 (15:23 +0000)]
ospfd: Compile fix for opaque support
* ospfd: Refresher logic cleanup broke OSPF opaque, which does its own thing
with regard to refresher logic and which also, in the protocol, requires
implementations to keep state of which OI an LSA is received on (rather
than providing information in the LSA to allow it to be looked up - as
other LSAs requiring such assocation were careful to do).
* ospf_lsa.h: (struct ospf_interface) Add back the pointer to oi, but only
for type-9 now.
* ospf_nsm.c: (ospf_db_summary_add) check the oi actually exists first -
doesn't obviate the need for opaque to ensure oi pointers get cleaned up
when ospf_interfaces disappear.
* ospf_opaque.{c,h}: (ospf_opaque_functab,ospf_opaque_lsa_refresh) Refresher
LSA functions now need to return the LSA to the general refresh logic,
to indicate whether the LSA was refreshed.
Paul Jakma [Tue, 22 Mar 2011 10:18:05 +0000 (10:18 +0000)]
build: change sense of opaque-{lsa,te} enable args to enable by default
* configure.ac: (AC_ARG_ENABLE({ospf-te,opaque-lsa})) reverse the sense to
--disable
(enable_{opaque_lsa,ospf_te}) treat as enabled unless explicitly disabled.
projects / mirror / frr.git / log