diff options
Diffstat (limited to 'lib')
| -rw-r--r-- | lib/filter.c | 8 | ||||
| -rw-r--r-- | lib/filter.h | 3 | ||||
| -rw-r--r-- | lib/plist.c | 4 | ||||
| -rw-r--r-- | lib/privs.c | 21 | ||||
| -rw-r--r-- | lib/sockopt.c | 23 | ||||
| -rw-r--r-- | lib/sockopt.h | 4 | ||||
| -rw-r--r-- | lib/vrf.c | 4 | ||||
| -rw-r--r-- | lib/vty.c | 5 |
8 files changed, 61 insertions, 11 deletions
diff --git a/lib/filter.c b/lib/filter.c index d753c9d874..2b9ba87137 100644 --- a/lib/filter.c +++ b/lib/filter.c @@ -1259,6 +1259,14 @@ filter_set_zebra (struct vty *vty, const char *name_str, const char *type_str, struct access_list *access; struct prefix p; + if (strlen(name_str) > ACL_NAMSIZ) + { + vty_out (vty, "%% ACL name %s is invalid: length exceeds " + "%d characters%s", + name_str, ACL_NAMSIZ, VTY_NEWLINE); + return CMD_WARNING; + } + /* Check of filter type. */ if (strncmp (type_str, "p", 1) == 0) type = FILTER_PERMIT; diff --git a/lib/filter.h b/lib/filter.h index e6ccd33b3a..6b5ccb52ec 100644 --- a/lib/filter.h +++ b/lib/filter.h @@ -25,6 +25,9 @@ #include "if.h" +/* Maximum ACL name length */ +#define ACL_NAMSIZ 128 + /* Filter direction. */ #define FILTER_IN 0 #define FILTER_OUT 1 diff --git a/lib/plist.c b/lib/plist.c index 279c85d6d6..41cae020de 100644 --- a/lib/plist.c +++ b/lib/plist.c @@ -326,6 +326,9 @@ prefix_list_get (afi_t afi, int orf, const char *name) return plist; } +static void prefix_list_trie_del (struct prefix_list *plist, + struct prefix_list_entry *pentry); + /* Delete prefix-list from prefix_list_master and free it. */ static void prefix_list_delete (struct prefix_list *plist) @@ -339,6 +342,7 @@ prefix_list_delete (struct prefix_list *plist) for (pentry = plist->head; pentry; pentry = next) { next = pentry->next; + prefix_list_trie_del (plist, pentry); prefix_list_entry_free (pentry); plist->count--; } diff --git a/lib/privs.c b/lib/privs.c index ac2a8454c5..376d6f3365 100644 --- a/lib/privs.c +++ b/lib/privs.c @@ -251,7 +251,8 @@ zprivs_caps_init (struct zebra_privs_t *zprivs) } /* we have caps, we have no need to ever change back the original user */ - if (zprivs_state.zuid) + /* only change uid if we don't have the correct one */ + if ((zprivs_state.zuid) && (zprivs_state.zsuid != zprivs_state.zuid)) { if ( setreuid (zprivs_state.zuid, zprivs_state.zuid) ) { @@ -531,7 +532,8 @@ zprivs_caps_init (struct zebra_privs_t *zprivs) /* we have caps, we have no need to ever change back the original user * change real, effective and saved to the specified user. */ - if (zprivs_state.zuid) + /* only change uid if we don't have the correct one */ + if ((zprivs_state.zuid) && (zprivs_state.zsuid != zprivs_state.zuid)) { if ( setreuid (zprivs_state.zuid, zprivs_state.zuid) ) { @@ -602,7 +604,8 @@ zprivs_caps_terminate (void) int zprivs_change_uid (zebra_privs_ops_t op) { - + if (zprivs_state.zsuid == zprivs_state.zuid) + return 0; if (op == ZPRIVS_RAISE) return seteuid (zprivs_state.zsuid); else if (op == ZPRIVS_LOWER) @@ -766,7 +769,8 @@ zprivs_init(struct zebra_privs_t *zprivs) } } - if (ngroups) + /* add groups only if we changed uid - otherwise skip */ + if ((ngroups) && (zprivs_state.zsuid != zprivs_state.zuid)) { if ( setgroups (ngroups, groups) ) { @@ -776,7 +780,8 @@ zprivs_init(struct zebra_privs_t *zprivs) } } - if (zprivs_state.zgid) + /* change gid only if we changed uid - otherwise skip */ + if ((zprivs_state.zgid) && (zprivs_state.zsuid != zprivs_state.zuid)) { /* change group now, forever. uid we do later */ if ( setregid (zprivs_state.zgid, zprivs_state.zgid) ) @@ -797,7 +802,8 @@ zprivs_init(struct zebra_privs_t *zprivs) * This is not worth that much security wise, but all we can do. */ zprivs_state.zsuid = geteuid(); - if ( zprivs_state.zuid ) + /* only change uid if we don't have the correct one */ + if (( zprivs_state.zuid ) && (zprivs_state.zsuid != zprivs_state.zuid)) { if ( setreuid (-1, zprivs_state.zuid) ) { @@ -824,7 +830,8 @@ zprivs_terminate (struct zebra_privs_t *zprivs) #ifdef HAVE_CAPABILITIES zprivs_caps_terminate(); #else /* !HAVE_CAPABILITIES */ - if (zprivs_state.zuid) + /* only change uid if we don't have the correct one */ + if ((zprivs_state.zuid) && (zprivs_state.zsuid != zprivs_state.zuid)) { if ( setreuid (zprivs_state.zuid, zprivs_state.zuid) ) { diff --git a/lib/sockopt.c b/lib/sockopt.c index 2a9f907cb3..91b0602b3a 100644 --- a/lib/sockopt.c +++ b/lib/sockopt.c @@ -29,6 +29,29 @@ #include "sockopt.h" #include "sockunion.h" +/* Replace the path of given defaultpath with newpath, but keep filename */ +void +set_socket_path (char *path, const char *defaultpath, char *newpath, int maxsize) +{ + const char *sock_name; + + sock_name = strrchr(defaultpath, '/'); + if (sock_name) + /* skip '/' */ + sock_name++; + else + /* + * VTYSH_PATH configured as relative path + * during config? Should really never happen for + * sensible config + */ + sock_name = defaultpath; + + strlcpy (path, newpath, maxsize); + strlcat (path, "/", maxsize); + strlcat (path, sock_name, maxsize); +} + void setsockopt_so_recvbuf (int sock, int size) { diff --git a/lib/sockopt.h b/lib/sockopt.h index 1b7be1e49f..d5724ce60f 100644 --- a/lib/sockopt.h +++ b/lib/sockopt.h @@ -24,6 +24,10 @@ #include "sockunion.h" +/* Override (vty) socket paths, but keep the filename */ +extern void set_socket_path (char *path, const char *defaultpath, + char *newpath, int maxsize); + extern void setsockopt_so_recvbuf (int sock, int size); extern void setsockopt_so_sendbuf (const int sock, int size); extern int getsockopt_so_sendbuf (const int sock); @@ -482,11 +482,9 @@ DEFUN (vrf, { int idx_name = 1; const char *vrfname = argv[idx_name]->arg; - struct vrf *vrfp; - size_t sl; - if ((sl = strlen(vrfname)) > VRF_NAMSIZ) + if (strlen(vrfname) > VRF_NAMSIZ) { vty_out (vty, "%% VRF name %s is invalid: length exceeds " "%d characters%s", @@ -2022,7 +2022,10 @@ vty_serv_un (const char *path) zprivs_get_ids(&ids); - if (ids.gid_vty > 0) + /* Hack: ids.gid_vty is actually a uint, but we stored -1 in it + earlier for the case when we don't need to chown the file + type casting it here to make a compare */ + if ((int)ids.gid_vty > 0) { /* set group of socket */ if ( chown (path, -1, ids.gid_vty) ) |