tests: Remove `show running bgpd` from the topotestsIn the future bgp is going to transition to using mgmtd and
the `show running-config bgpd` command is going to dissapear.
Let's facilitate this by going ahead and removing this special
case code for the future.
Signed-off-by: Donald Sharp <sharpd@nvidia.com>
isisd: anchor stream position in SRv6 End.X SID sub-TLV parsingUse stream_get_getp/stream_set_getp to anchor the stream position at
sub-TLV data entry and sync to the sub-TLV end on all code paths in
the End.X SID (subtlv 43) and LAN End.X SID (subtlv 44) handlers.
This ensures the stream stays aligned with the outer loop sum
accounting when unpack_tlvs() partially consumes bytes before
returning an error, and when trailing bytes exist after
sub-sub-TLVs ...
bgpd: Let the stream track how much was writtenCoverity is complaining about this:
** CID 1670454: Insecure data handling (INTEGER_OVERFLOW)
/bgpd/bgp_ls_nlri.c: 1946 in bgp_ls_encode_link_nlri()
1940 /* Link Descriptors */
1941 ret = bgp_ls_encode_link_descriptor(s, &nlri->link_desc);
1942 if (ret < 0)
1943 return -1;
1944 written += ret;
1945
>>> CID 1670454: Insecure data handli...
bgpd: Removed dead json code pathThe test for json_flags and the removal is not needed. There is
no code path where it is ever set at this point, so remove.
Signed-off-by: Donald Sharp <sharpd@nvidia.com>
mgmtd: Use correct printf formatting type.Coverity was, rightly, complaining about a formatting type
that was not correct across all platforms. Fix.
Signed-off-by: Donald Sharp <sharpd@nvidia.com>
nhrpd: stop debugging auth credentialsDon't log/debug credentials. The output code was bugged, and
was willing to overrun temporary char buffers - just remove
the code.
Signed-off-by: Mark Stapp <mjs@cisco.com>
bgpd: fix release intermediate SIDs upon changing locatorOn a BGP SRv6 setup with loc1 locator on default instance, and the user
wants to change locator from from loc2 to loc3 in vrf Vrf20.
Sometimes, the resulting SIDs are the SIDS assigned for Vrf20 are the
ones from loc1 assigned at command 'no locator loc2', whereas the
expectation should be the SIDS from loc3. The below show command
shows that 2001:db8:1:1:3:: from loc1 is not released.
> r1# ...
topotests: add test to control sid assignment when changing locatorThe move of vrf20 from loc2 to loc3 should result in appropriate
assignment of the SID 2003:db8:1:1:1::.
Signed-off-by: Philippe Guibert <philippe.guibert@6wind.com>
bgpd: Harden SRv6 Service Data parser for SID Structure lengthRFC 9252 defines the SRv6 SID Structure Sub-Sub-TLV (Type 1) with
a fixed Value length of 6 octets.
Update bgp_attr_srv6_service_data() to reject Type 1 entries whose
declared length is not exactly 6, instead of accepting any length >= 6.
This tightens parser correctness and prevents malformed Type 1
encodings from being treated as valid.
Signed-off-by: Carmine Scarpitta <cscarpit@cisco.com>
bgpd: Clearly check for AS4 against 0 valueUse BGP_AS_ZERO, instead of !as4 for readability.
Signed-off-by: Donatas Abraitis <donatas@opensourcerouting.org>
bgpd: Reject Link NLRIs without Link DescriptorA valid Link NLRI must include a Local Node Descriptor, a Remote Node
Descriptor, and a Link Descriptor.
After decoding Protocol-ID, Identifier, and the Local/Remote Node Descriptors,
ensure there is still Link Descriptor data to decode.
If no bytes remain for the Link Descriptor, treat the NLRI as malformed and
fail decode.
Signed-off-by: Carmine Scarpitta <cscarpit@cisco.com>
bgpd: Consolidate redundant stream bounds checks in bgp_ls_decode_nlriReplace two separate STREAM_READABLE checks for reading NLRI Type and Length
with a single combined check. Use symbolic constants BGP_LS_NLRI_TYPE_SIZE and
BGP_LS_NLRI_LENGTH_SIZE instead of magic number 4, improving readability and
maintainability.
Signed-off-by: Carmine Scarpitta <cscarpit@cisco.com>
bgpd: Return immediately when dynamic capability action is not validWithout returning immediately, we continue the loop that advances pnt pointer,
which is not good. We should send the notification (which is already done), and
return.
Signed-off-by: Donatas Abraitis <donatas@opensourcerouting.org>
bgpd: Prevent out-of-bound reading handling soft version dynamic capabilityFixes: 784cf95c4377ec84b25fb5801fdfaa20450325de ("bgpd: Try to handle software version capability with the new encoding format")
Signed-off-by: Donatas Abraitis <donatas@opensourcerouting.org>
bgpd: Prevent zero-length BGP-LS MT-ID TLVAn attacker can craft a BGP-LS update containing an MT-ID TLV with zero
length (tlv_len == 0). This passes existing validation (0 % 2 == 0 and
0 <= MAX), causing XCALLOC(MTYPE_BGP_LS_NLRI, 0) to be called. This
results in unexpected behavior.
This fix validates tlv_len > 0 before allocation in both link and prefix
descriptor MT-ID TLV decoder, savoiding unexpected behavior from zero-length
inp...
ospf6d: update auth sequence number after validating digestTest for valid sequence number before validating auth digest,
but don't update the neighbor's sequence number value until
after validating.
Reported-by: Bronson Yen <bronson@calif.io>
Signed-off-by: Mark Stapp <mjs@cisco.com>
Merge pull request #21486 from opensourcerouting/fix/bgp_print_link_type_correctly_according_to_remote_as_autobgpd: Print neighbor link type correctly according to local-as
Merge pull request #21551 from opensourcerouting/fix/bgp_inter_confederation_ebgpbgpd: Replace the actual local-as when using replace-as with the confederation
isisd: Preserve flags when copying SRv6 End SID sub-TLVPreserve the flags field when duplicating an SRv6 End SID sub-TLV by
copying it into the cloned entry.
Signed-off-by: Carmine Scarpitta <cscarpit@cisco.com>
isisd: continue hardening SRV6 tlv parsingAdd more validation for SRV6 END.X and LAN_END.X subsubtlvs.
Ensure allocated subsubtlv pointer is freed in error cleanup paths.
Signed-off-by: Mark Stapp <mjs@cisco.com>
Reported-by: Bronson Yen <bronson@calif.io>
isisd: consume leftover bytes after FAD sub-sub-TLV loopWhen the FAD sub-sub-TLV loop exits normally with 1-2 bytes remaining
(too small for another header), the stream position falls out of sync
with the declared subtlv length. Add a post-loop forward to consume
the leftover bytes on normal exit only, not on the error-break path
where the bytes were already consumed.
Signed-off-by: Tristan Madani <tristan@live.fr>
eigrpd: fix byte order in Hello TLV decode functionsThe auth_type and length fields in EIGRP Hello TLV structures are
network byte order, but several decode functions compare them against
host-order constants without ntohs().
Add ntohs() to all affected comparisons:
- eigrp_hello_authentication_decode: auth_type and length checks
- eigrp_hello_parameter_decode: length check
- eigrp_sw_version_decode: length check
- eigrp_peer_termination_decode...
lib: northbound: distinguish unknown schema node from key mismatchWhen an mgmt edit-config arrives with an xpath that cannot be resolved
against the data tree, lyd_find_path returns an error and mgmtd emits
"List keys in xpath and data tree are different" for two distinct
failure modes:
- the xpath names a schema node that does not exist (typo, e.g.
"prefix-lst" instead of "prefix-list"); and
- the xpath resolves to a valid schema node, but the key p...
bgp_evpn: fix memleak when configuring rdDirect leak of 14 byte(s) in 1 object(s) allocated from:
#0 0x7bea082f74e8 in strdup ../../../../src/libsanitizer/asan/asan_interceptors.cpp:578
#1 0x7bea07e3ca5a in qstrdup lib/memory.c:123
#2 0x63e8ac7e7349 in evpn_configure_rd bgpd/bgp_evpn_vty.c:2401
#3 0x63e8ac7e7349 in bgp_evpn_vni_rd bgpd/bgp_evpn_vty.c:6439
#4 0x7bea07db2926 in cmd_execute_command_real lib/command.c:...
Carmine Scarpitta
Donald Sharp
TristanInSec
Mark Stapp
Philippe Guibert
Donatas Abraitis
Reinaldo Saraiva
Loïc Sang