This vulnerability (CERT-FI #514840) was reported by CROSS project.
ospf6d processes IPv6 prefix structures in incoming packets without
verifying that the declared prefix length is valid. This leads to a
crash
caused by out of bounds memory access.
* ospf6_abr.h: new macros for size/alignment validation
* ospf6_asbr.h: idem
* ospf6_intra.h: idem
* ospf6_lsa.h: idem
* ospf6_message.h: idem
* ospf6_proto.h: idem
* ospf6_message.c
* ospf6_packet_minlen: helper array for ospf6_packet_examin()
* ospf6_lsa_minlen: helper array for ospf6_lsa_examin()
* ospf6_hello_recv(): do not call ospf6_header_examin(), let upper
layer verify the input data
* ospf6_dbdesc_recv(): idem
* ospf6_lsreq_recv(): idem
* ospf6_lsupdate_recv(): idem
* ospf6_lsack_recv(): idem
* ospf6_prefixes_examin(): new function, implements A.4.1
* ospf6_lsa_examin(): new function, implements A.4
* ospf6_lsaseq_examin(): new function, an interface to above
* ospf6_packet_examin(): new function, implements A.3
* ospf6_rxpacket_examin(): new function, replaces
ospf6_header_examin()
* ospf6_header_examin(): sayonara
* ospf6_receive(): perform passive interface check earliest possible,
employ ospf6_rxpacket_examin()
This vulnerability (CERT-FI #514839) was reported by CROSS project.
When Database Description LSA header list contains trailing zero octets,
ospf6d tries to process this data as an LSA header. This triggers an
assertion in the code and ospf6d shuts down.
* ospf6_lsa.c
* ospf6_lsa_is_changed(): handle header-only argument(s)
appropriately, do not treat LSA length underrun as a fatal error.
This vulnerability (CERT-FI #514838) was reported by CROSS project.
The error is reproducible only when ospfd debugging is enabled:
* debug ospf packet all
* debug ospf zebra
When incoming packet header type field is set to 0x0a, ospfd will crash.
* ospf_packet.c
* ospf_verify_header(): add type field check
* ospf_read(): perform input checks early
This vulnerability (CERT-FI #514837) was reported by CROSS project.
They have also suggested a fix to the problem, which was found
acceptable.
Quagga ospfd does not seem to handle unknown LSA types in a Link State
Update message correctly. If LSA type is something else than one
supported
by Quagga, the default handling of unknown types leads to an error.
* ospf_flood.c
* ospf_flood(): check return value of ospf_lsa_install()
This vulnerability (CERT-FI #513254) was reported by CROSS project.
They have also suggested a fix to the problem, which was found
acceptable.
The problem occurs when bgpd receives an UPDATE message containing
255 unknown AS_PATH attributes in Path Attribute Extended Communities.
This causes a buffer overlow in bgpd.
* lib/prefix.h
* IPV4_CLASS_DE(): new helper macro
* bgp_attr.c
* bgp_attr_nexthop(): add check for "partial" bit, refresh flag error
reporting, explain meaning of RFC4271 section 6.3 and implement it
lib: provide more information in case of failed LOOKUP.
* log.[ch]
* mes_lookup: add a parameter with the name of the message list, print
the name in case of failure.
* LOOKUP macro: pass the name of the message list.
* bgp_attr.c
* bgp_attr_atomic(): accept extra argument, add checks for
"optional", "transitive" and "partial" bits, log each error
condition independently
* bgp_attr_parse(): provide extra argument
* bgp_attr.c
* bgp_attr_local_pref(): accept extra argument, add checks for
"optional" and "transitive" bits, log each error condition
independently
* bgp_attr_parse(): provide extra argument
Fritz Reichmann [Wed, 14 Sep 2011 15:31:51 +0000 (19:31 +0400)]
isisd: fix crash on "no router isis" (BZ#536)
The crash is due to threads accessing data that gets destroyed
during the removal of the configuration.
* isis_circuit.c: Destroy adjacencies to stop adjacency expiry thread.
Stop PSNP threads.
* isisd.c: Change state of circuit back to INIT and reassign the
circuit structure to isis->init_circ_list rather than destroying
the circuit data structure. Stop SPF threads. Stop LSP generation
threads.
* isisd.h: Add pointers to LSP threads into area structure in order to
stop them in isisd.c
* isis_lsp.c: Store pointer to LSP thread in area structure.
* isis_pdu.c: Stop PDU generation for a circuit with a removed area.
* isis_pfpacket.c: Stop processing received PDUs for a circuit with a
removed area.
Tom Goff [Wed, 10 Nov 2010 21:02:38 +0000 (13:02 -0800)]
ospf6d: Fix memory allocation issues in SPF
* ospf6_area.c: Call ospf6_spf_table_finish() before deleting the spf
table. This ensures that the associated ospf6_vertex structures
are also freed.
* ospf6_spf.c: Only allocate a priority queue when a spf calculation
is actually performed.
Tom Goff [Wed, 10 Nov 2010 21:02:11 +0000 (13:02 -0800)]
ospf6d: Extend the "[no] debug ospf6 route" vty commands
* ospf6_route.c ([no_]debug_ospf6_route) Include memory as a debug
option. This allows ospf6 route memory debugging to be enabled or
disabled interactively or from a config file.
Peter Pentchev [Mon, 12 Sep 2011 12:30:31 +0000 (16:30 +0400)]
bgpd: fix parsing of graceful restart cap. (#663)
"While setting up a testbed, I ran across a little problem in the
parsing of the "graceful restart" BGP capability that resulted in
Quagga not actually activating it for the peer in question - when
the peer sent a single AFI/SAFI block."
* bgp_open.c
* bgp_capability_restart(): actually process the last AFI/SAFI block
build: build ospfd as Position-Independed Executable (if appropriate)
Since 46bc0e432e75, all the binaries are built as Position-Independed
Executables (if available and enabled). ospfd was missed for some
unknown reason.
Denis Ovsienko [Sat, 20 Aug 2011 19:12:00 +0000 (23:12 +0400)]
ospf6d: add missing include
Two extern declarations in ospf6_abr.h are based on struct ospf6_route,
which may not be available at the time ospf6_abr.h is included. This may
lead to warnings after including ospf6_abr.h just for the structures
defined in it.
Dmitrij Tejblum [Thu, 18 Aug 2011 16:22:17 +0000 (20:22 +0400)]
lib: simplify interface of setsockopt_multicast_ipv4().
* sockopt.[ch] (setsockopt_ipv4_multicast): ifindex is now mandatory (all
non-ancient OSes can use it anyway), and if_addr parameter (the address
of the interface) is now gone. (setsockopt_ipv4_multicast_if):
IP_MULTICAST_IF processing moved to this new function
* ospf_network.c (ospf_if_add_allspfrouters, ospf_if_drop_allspfrouters,
ospf_if_add_alldrouters, ospf_if_drop_alldrouters, ospf_if_ipmulticast),
rip_interface.c (ipv4_multicast_join, ipv4_multicast_leave,
rip_interface_new): adapt to the new interface
Denis Ovsienko [Mon, 8 Aug 2011 15:36:44 +0000 (19:36 +0400)]
bgpd: dismiss some zlookup checks
bgp_nexthop_onlink(): zlookup is not used here at all
bgp_nexthop_lookup_ipv6(): rely on the detection performed by "query"
function (this also changes the fallback value to 0), reorder if-block
bgp_nexthop_lookup(): idem
Denis Ovsienko [Fri, 5 Aug 2011 17:47:08 +0000 (21:47 +0400)]
bgpd: add "show ip bgp scan detail" command
* bgp_nexthop.c: (show_ip_bgp_scan) transform into
show_ip_bgp_scan_tables(), which uses inet_ntop() and can dump
nexthops on request; (show_ip_bgp_scan_detail_cmd) new function
Denis Ovsienko [Fri, 5 Aug 2011 14:52:52 +0000 (18:52 +0400)]
bgpd: touch nexthop handling code
bgp_nexthop_lookup_ipv6(): declare variables where they are actually
used, drop no-op initialization (the field is already 0)
bgp_nexthop_lookup(): ditto
bgp_nexthop_check_ebgp(): rename to bgp_nexthop_onlink()
bgp_nexthop_cache_changed(): rename to bgp_nexthop_cache_different()
* bgpd: (bgp_damp_parameter_set) The BGP reuse_index is not initialized
properly. This would cause sporadic crash when disabling dampening. Use
XCALLOC correctly and the right size array is initialized and no memset is
needed.
* ospf_route.c: Function ospf_asbr_route_cmp is called uniquely from
ospf_route_cmp() when the flag OSPF_RFC1583_COMPATIBLE is not set.
Therefore, the check that the flag is set doesn't make sense at all
and it can consequently be removed without doing any harm.
Signed-off-by: Alexandre Chappuis <alc@open.ch> Signed-off-by: Roman Hoog Antink <rha@open.ch>
* bgp_route.c: (route_vty_out*) The local prefix, metric and weight values
are all stored as uint32_t. Change the format to %u so that large values
are not displayed as negative integers.
Paul Jakma [Wed, 23 Mar 2011 10:30:30 +0000 (10:30 +0000)]
bgpd: Fix compile failure if IPv6 build was disabled.
* bgp_route.c: ({no_,}ipv6_bgp_network_ttl_cmd) depends on ipv6_bgp_network
which is HAVE_IPV6, so these should be too.
(bgp_route_init) and the installs should be similarly ifdefed
This change is based on Xavier Beaudouin's patch (which fixes detection
of 3 config.h macros on FreeBSD without any impact to Linux build of
Quagga) and FreeBSD port patch (which fixes 5 config.h macros, but
breaks the Linux build), it fixes 5 macros and works for both FreeBSD 8
and Linux.
ospf6d: check MTU with message header size in mind
* ospf6_message.c: (ospf6_packet_max): new function, return maximum IPv6
payload on an interface; (ospf6_hello_send, ospf6_dbdesc_send,
ospf6_dbdesc_send_newone, ospf6_lsreq_send, ospf6_lsupdate_send_neighbor,
ospf6_lsupdate_send_interface, ospf6_lsack_send_neighbor,
ospf6_lsack_send_interface): compare message size with the maximum
payload instead of the MTU.
"mtu-ignore" is an option ospfd used to mimic from the vendor's
implementation, now ospf6d will also implement it.
* ospf6_interface.h: extend ospf6_interface structure by one flag
* ospf6_interface.c: (ipv6_ospf6_mtu_ignore, no_ipv6_ospf6_mtu_ignore):
new declarations; (ospf6_interface_create): show initial value for
consistency; (ospf6_interface_show): print flag status
* ospf6_message.c: (ospf6_dbdesc_recv): consider interface-specific flag
when checking MTU
Paul Jakma [Mon, 4 Jul 2011 20:41:59 +0000 (00:41 +0400)]
bgpd: Remove AS Path limit/TTL functionality
* draft-ietf-idr-as-pathlimit doesn't seem to have gone anywhere, and its
author does not think it will make progress in IDR. Remove all support
introduced for it, but leave stubs for the commands to avoid breaking
any configurations.
Paul Jakma [Sun, 5 Dec 2010 17:17:26 +0000 (17:17 +0000)]
bgpd/security: CVE-2010-1674 Fix crash due to extended-community parser error
* bgp_attr.c: (bgp_attr_ext_communities) Certain extended-community attrs
can leave attr->flag indicating ext-community is present, even though no
extended-community object has been attached to the attr structure. Thus a
null-pointer dereference can occur later.
(bgp_attr_community) No bug fixed here, but tidy up flow so it has same
form as previous.
Andrew J. Schorr [Thu, 24 Feb 2011 10:52:14 +0000 (13:52 +0300)]
ripd: resolve debug statements issue (bug 442)
...A nasty bug, if you forgot to disable debugging, stored the config
and reboot your machine - if you really depend on ripd, then the machine
will not fully come back on the network, because ripd fails.
(cherry picked from commit 0fa0335316ce14a79ea4bbb0c40e1322c9941dd3)
Dmitrij Tejblum [Fri, 14 Jan 2011 15:27:05 +0000 (18:27 +0300)]
bgpd: fix handling of "Unsupported Capability"
* bgp_packet.c: (bgp_notify_receive) justify the difference between
BGP_NOTIFY_OPEN_UNSUP_PARAM and BGP_NOTIFY_OPEN_UNSUP_CAPBL cases, as
it is explained in RFC5492, page 3, paragraph 1.
"Unsupported Capability" error does not mean, that the peer doesn't
support capabilities advertisement -- quite the opposite (if the peer
would not support capabilities advertisement, the code would be
"Unsupported Optional Parameter"). Thus there is no reason to mark
the peer as one non-supporting capabilities advertisement.
Example: suppose the peer is in fact IPv6-only, but we didn't configure
anything address-family specific for it. Then, the peer would refuse
the session with "Unsupported Capability" code. If we internally set
the peer as non-supporting capabilities advertisement after that, we
will not be able to establish the session with it ever, even with a
fixed configuration -- IPv6-only BGP session cannot be established
without capabilities.
In practice an edge case would be seen as the same IPv6 peer working
with its "neighbor" block read from bgpd.conf, but not working, when
slowly input in "conf t" mode.
(cherry picked from commit c7aa8abd8788c3607ad0131f02e892cf92221e40)
Dmitrij Tejblum [Thu, 13 Jan 2011 15:25:40 +0000 (18:25 +0300)]
ospf6d: fix crash in SPF calculation
* ospf6_spf.c: Don't replace a node with another node with a lower
number of hops, instead get them from the queue in the correct
order. (Actually, the replacement crashed the ospf6d daemon
rather than worked.)
(cherry picked from commit 403138e189c24f6867824c4eeb668d11564e1ca0)
Greg Troxel [Wed, 3 Nov 2010 11:37:23 +0000 (07:37 -0400)]
infrastructure: Express preference for published git repos
* HACKING: Express notion that a published git repository is
preferred. Fold request for commit message into patch section.
Express desire for comments in code explaining correctness of
post-commit state, and for commit message to explain correctness of
the change.
Dmitry Tejblum [Mon, 18 Oct 2010 15:05:39 +0000 (19:05 +0400)]
zclient: fix router-id calculation for IPv6 (#595)
If router-id is not specified in ospf6d.conf, ospf6d will get it from
the zebra daemon. But ospf6d originates Link LSAs before the router-id
is returned by zebra, thus this router's Link LSAs will be flooded
with AdvRouter set to 0.
* zclient.c: zclient_start(): send ZEBRA_INTERFACE_ADD message after
ZEBRA_ROUTER_ID_ADD, not before
Michael Lambert [Thu, 22 Jul 2010 17:20:55 +0000 (13:20 -0400)]
bgpd, lib: adopt afi_t and safi_t in several places
* bgpd/bgp_attr.c, bgpd/bgp_open.h, bgpd/bgp_route.c, lib/prefix.c,
lib/prefix.h: Various integer types were being used where, if we
had strict type checking, afi_t and safi_t would be required.
bgpd/bgp_packet.c:bgp_update_packet(): When extracting the peer, don't
fail to extract it because "binfo->extra" is NULL. While one should
certainly avoid dereferencing binfo->extra, that's not a good reason
not to use binfo->peer.
Fixes https://bugzilla.quagga.net/show_bug.cgi?id=497.
Patch by Eric Sobocinksi.
Chris Hall [Mon, 9 Aug 2010 18:31:37 +0000 (22:31 +0400)]
bgpd: fix handling of AS path data
* bgpd/bgp_aspath.c
* assegments_parse(): add handling of AS4_PATH input, update bounds
checks, add check for AS segment type
* aspath_parse(): add handling of AS4_PATH input, expect
assegments_parse() to do length checking
* aspath_empty(): update for the new function prototype
* bgpd/bgp_aspath.h: ditto
* tests/aspath_test.c: ditto
* bgpd/bgp_attr.c
* bgp_attr_aspath(): add handling of AS4_PATH input, update flags
checks, change returned type
* bgp_attr_as4_path(): discard, superseded by bgp_attr_aspath()
* bgp_attr_parse(): update respectively
Chris Hall [Fri, 14 May 2010 12:38:39 +0000 (16:38 +0400)]
bgpd: tighten bounds checking in RR ORF msg reader
* bgp_packet.c: (bgp_route_refresh_receive) add validation of
"Length" (RFC5292) field value, check input stream bounds
each time bytes are pulled from it
projects / mirror_frr.git / log