From 019cbf70946466f6c8a5e7ad03d45994702b3277 Mon Sep 17 00:00:00 2001
From: Donald Sharp
Date: Wed, 22 Jul 2015 12:35:36 -0700
Subject: [PATCH] The MD5 password configured for a BGP peer was incorrectly getting deleted from the listen socket in some situations. This would lead to incorrect behavior where a BGP connection from a peer that does not specify the MD5 option would be accepted.
---
 bgpd/bgp_network.c | 9 ++++++++-
 bgpd/bgpd.c | 7 ++++---
 2 files changed, 12 insertions(+), 4 deletions(-)
diff --git a/bgpd/bgp_network.c b/bgpd/bgp_network.c
index c8d20e83f8..f1ce97eff9 100644
--- a/bgpd/bgp_network.c
+++ b/bgpd/bgp_network.c
@@ -61,11 +61,18 @@ bgp_md5_set_socket (int socket, union sockunion *su, const char *password)
 {
 int ret = -1;
 int en = ENOSYS;
+ union sockunion su2;
 assert (socket >= 0);
 #if HAVE_DECL_TCP_MD5SIG
- ret = sockopt_tcp_signature (socket, su, password);
+ /* Ensure there is no extraneous port information. */
+ memcpy (&su2, su, sizeof (union sockunion));
+ if (su2.sa.sa_family == AF_INET)
+ su2.sin.sin_port = 0;
+ else
+ su2.sin6.sin6_port = 0;
+ ret = sockopt_tcp_signature (socket, &su2, password);
 en = errno;
 #endif /* HAVE_TCP_MD5SIG */
diff --git a/bgpd/bgpd.c b/bgpd/bgpd.c
index ba5a516294..380a45559d 100644
--- a/bgpd/bgpd.c
+++ b/bgpd/bgpd.c
@@ -1110,8 +1110,6 @@ peer_xfer_config (struct peer *peer_dst, struct peer *peer_src)
 if (peer_src->password && !peer_dst->password)
 peer_dst->password = XSTRDUP (MTYPE_PEER_PASSWORD, peer_src->password);
- bgp_md5_set (peer_dst);
-
 for (afi = AFI_IP; afi < AFI_MAX; afi++)
 for (safi = SAFI_UNICAST; safi < SAFI_MAX; safi++)
 {
@@ -1618,10 +1616,12 @@ peer_delete (struct peer *peer)
 struct bgp *bgp;
 struct bgp_filter *filter;
 struct listnode *pn;
+ int accept_peer;
 assert (peer->status != Deleted);
 bgp = peer->bgp;
+ accept_peer = CHECK_FLAG (peer->sflags, PEER_STATUS_ACCEPT_PEER);
 if (CHECK_FLAG (peer->sflags, PEER_STATUS_NSF_WAIT))
 peer_nsf_stop (peer);
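Review bot: In bgp_md5_set_socket the new `else` arm writes `su2.sin6.sin6_port` for every family other than AF_INET, so an unexpected or uninitialised `sa_family` is silently treated as IPv6 and still handed to `sockopt_tcp_signature`. Since a wrong key address on the listen socket is the failure the commit message describes, I would make the second arm explicit with `else if (su2.sa.sa_family == AF_INET6)` and let any other family go through unmodified, where it will presumably be rejected by the socket option call. `su2` is also declared outside the `#if HAVE_DECL_TCP_MD5SIG` block that is its only user, which presumably produces an unused-variable warning on builds without TCP-MD5 support; moving the declaration inside the `#if` avoids that. The comment could also say why the port must be zero (presumably so the key is matched on the peer address alone). The function body continues past the end of the hunk.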
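Review bot: The `accept_peer` snapshot taken at the top of peer_delete has no comment explaining why the flag is read early or why it gates the later `bgp_md5_set (peer)` call in the @@ -1664 hunk, and this guard is what keeps the listen-socket MD5 key in place. I would add above the assignment something like `/* Read before teardown; deleting an accept peer must not clear the MD5 key on the listen socket. */`. The code between the two hunks is not visible, so it is unclear whether `peer->sflags` changes before the check; if it does not, testing the flag directly at the `if` would be simpler than carrying a local. The return value of `bgp_md5_set (peer)` is still ignored there, so a failed key update is silent; logging it would help operators notice a listen socket whose key state no longer matches the configuration.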
@@ -1664,7 +1664,8 @@ peer_delete (struct peer *peer)
 XFREE (MTYPE_PEER_PASSWORD, peer->password);
 peer->password = NULL;
- if (! CHECK_FLAG (peer->sflags, PEER_STATUS_GROUP))
+ if (!accept_peer &&
+ ! CHECK_FLAG (peer->sflags, PEER_STATUS_GROUP))
 bgp_md5_set (peer);
 }
--
2.39.5