Merge pull request #21345 from opensourcerouting/fix/bgp_srv6_BGP_PREFIX_SID_SRV6_L3_SERVICE_SID_INFO_len
bgpd: Fix srv6 type parsing and EVPN type-5 NLRI prefix length parsing for IPv4
bgpd: remove dest list from batch-clearing code
Remove unused list type and data structs from the batch-clearing
code.
Signed-off-by: Mark Stapp <mjs@cisco.com>
tests: ensure bgp confederation work after changing its command
Additionally, removed a few white spaces in the code comment.
Signed-off-by: anlan_cs <anlan_cs@126.com>
bgpd: EVPN json brief optimization
When show bgp l2vpn evpn route brief json in scale scenario,
we allocate json_paths memory but never free it. So, bgpd is
shooting up its memory really quick.
Signed-off-by: harini <hnattamaisub@nvidia.com>
bgpd: fix "use-after-free" for updgrp
```
==607689== Invalid read of size 4
==607689== at 0x30A1BD: group_announce_route_walkcb (bgp_updgrp_adv.c:227)
==607689== by 0x307FCA: update_group_walkcb (bgp_updgrp.c:1815)
==607689== by 0x490CDAF: hash_walk (hash.c:272)
==607689== by 0x308BEE: update_group_af_walk (bgp_updgrp.c:2175)
==607689== by 0x30C341: group_announce_route (bgp_updgrp_adv.c:1192)
==607689== by 0x2C2E...
```
doc: fix indentation error in pim doc
Recent change to the pim user doc triggered a sphinx error;
update to clear that error.
Signed-off-by: Mark Stapp <mjs@cisco.com>
Merge pull request #21351 from opensourcerouting/fix/bgp_attr_parse_stream_position_validation
bgpd: Reset the stream to attr_start + attribute_len when WITHDRAWN
pimd: fix crash due to double free
local_membership_del may delete the ifchannel and last upstream,
which runs pim_channel_oil_upstream_deref() and frees the channel_oil.
IGMP still holds *oilp in that case; a second pim_channel_oil_del()
corrupts the RB tree (typed_rb_remove on freed / zeroed links).
Signed-off-by: Jafar Al-Gharaibeh <jafar@atcorp.com>
ci: Do not trigger Github action when PR is labeled/unlabeled
That causes frrbot to require an approval for running these actions.
Signed-off-by: Donatas Abraitis <donatas@opensourcerouting.org>
bgpd: Reset the stream to attr_start + attribute_len when WITHDRAWN
bgp_attr_parse does goto done early on WITHDRAW without draining endp,
so stream_pnt(s) lands in the middle of the attribute data.
Signed-off-by: Donatas Abraitis <donatas@opensourcerouting.org>
bgpd: Check if Local-Node and Remote-Node TLVs length is within boundaries
stream_get_tlv_hdr checked desc_len against STREAM_READABLE, not against the
enclosing NLRI's remaining byte budget.
A crafted desc_len could cause bgp_ls_decode_node_descriptor to consume bytes
from subsequent NLRIs packed in the same UPDATE.
Signed-off-by: Donatas Abraitis <donatas@opensourcerouting.org>
bgpd: Validate EVPN Type-5 NLRI prefix length for IPv4
The IP prefix length ippfx_len is only validated against IPV6_MAX_BITLEN,
but never cross-checked with the address family determined by psize.
Signed-off-by: Donatas Abraitis <donatas@opensourcerouting.org>
bgpd: Check if sub TLV's length is sufficient for BGP_PREFIX_SID_SRV6_L3_SERVICE_SID_INFO
When parsing an SRv6 L3 Service SID_INFO sub-TLV, the code checks
STREAM_READABLE >= 21 but not the sub-TLV's declared length. A crafted sub-TLV
with length=5 but sufficient stream data causes the parser to read 21 bytes,
overshooting by 16.
Signed-off-by: Donatas Abraitis <donatas@opensourcerouting.org>
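Added example, not part of the commit or of FRR's code: the declared-length check described in the SID_INFO message above, with the unchecked form beside the checked one. The cursor struct, function names and the 32-byte input are hypothetical; only the 21-byte read size and the length=5 case come from the commit message.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define SID_INFO_LEN 21 /* bytes the parser reads, per the commit message */

/* Hypothetical minimal cursor standing in for a stream with a read pointer. */
struct cursor {
    const uint8_t *buf;
    size_t len; /* total bytes in buf */
    size_t pos; /* next byte to read */
};

static size_t readable(const struct cursor *c) { return c->len - c->pos; }

/* "Before": only the stream is checked; the declared length is ignored. */
static int parse_unchecked(struct cursor *c, uint16_t declared_len)
{
    (void)declared_len;
    if (readable(c) < SID_INFO_LEN)
        return -1;
    c->pos += SID_INFO_LEN; /* runs past the sub-TLV when declared_len < 21 */
    return 0;
}

/* "After": the declared length must cover the read and fit in the stream. */
static int parse_checked(struct cursor *c, uint16_t declared_len)
{
    if (declared_len < SID_INFO_LEN || declared_len > readable(c))
        return -1;
    c->pos += declared_len; /* land exactly on the next sub-TLV */
    return 0;
}

/* Constructed input: 32 zero bytes. Returns bytes consumed beyond the
 * declared sub-TLV length, or -1 if the parser rejected the sub-TLV. */
static long overshoot(int (*parse)(struct cursor *, uint16_t), uint16_t declared_len)
{
    static const uint8_t data[32] = {0};
    struct cursor c = { data, sizeof(data), 0 };
    if (parse(&c, declared_len) != 0)
        return -1;
    return (long)c.pos - (long)declared_len;
}

int main(void)
{
    printf("unchecked, len=5:  %ld\n", overshoot(parse_unchecked, 5));
    printf("checked,   len=5:  %ld\n", overshoot(parse_checked, 5));
    printf("checked,   len=21: %ld\n", overshoot(parse_checked, 21));
    return 0;
}
```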
eigrpd: skip unknown and ignored TLVs
Try to skip unknown TLVs in places where we don't process
all types.
Reported-by: Haruto Kimura (Stella) <harutokimura0608@gmail.com>
Signed-off-by: Mark Stapp <mjs@cisco.com>
bgpd: Verify if we correctly parsed BGP-LS attribute
The loop condition while (stream_get_getp(s) < end_pos) does not catch
overshooting. If a sub-parser (e.g. parse_prefix_sid) reads length bytes but
length was crafted to extend past end_pos, the stream pointer ends up beyond
end_pos.
The < condition then terminates the loop normally, and return 0 follows success,
with the stream pointer at the wrong offset.
Signed-off-by: Donatas Abraitis <do...
bgpd: Check the length also when parsing ENCAP attr sub-TLVs
If we don't check for length against 0, then we have a test (length < 1) that
triggers the whole ENCAP attr to be malformed.
Signed-off-by: Donatas Abraitis <donatas@opensourcerouting.org>
bgpd: Validate prefixlen before subtracting when parsing labeled unicast NLRI
When multiple labels are consumed without BOS, BSIZE(llen) can exceed prefixlen,
causing a uint16_t underflow to 65535.
Signed-off-by: Donatas Abraitis <donatas@opensourcerouting.org>
doc: document common daemon options and link -w references
The common invocation options (defined in lib/libfrr.c) are already
documented in basic.rst under the common-invocation-options label,
but several daemon pages refer to them only as "documented elsewhere"
without an actual reference.
- Replace all "documented elsewhere" occurrences with a proper
:ref:`common-invocation-options` link in pathd, pbr, sharp, static, and
vrrp docs
- Document the f...
bgpd: Return zero labels if no BOS found and it's not a withdraw label
When bgp_nlri_get_labels() encounters a label without the Bottom-of-Stack (BOS)
bit, it consumes subsequent prefix bytes as additional labels, only emitting a
warning.
If a peer sends prefixlen=48, a 3-byte label without BOS, and 3 bytes of
prefix (e.g., 10.0.0.0/24), the parser reads both as labels (llen=6), leaving
0 bytes of prefix data.
The resulting p.prefixlen = 48 - 48 = 0 installs a /...
bgpd: Fix signed overflow in hexstr2num()
The function accumulates num = hexstr[i] + 256 * num into a signed int.
The operator encoding allows up to 8-byte values, causing signed overflow.
The result is then silently truncated to uint16_t when stored
(mval->value = value), meaning a port value of 0x10050 becomes port 80.
Signed-off-by: Donatas Abraitis <donatas@opensourcerouting.org>
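Added example, not part of the commit or of FRR's code: one way to avoid both problems named in the hexstr2num() message above, by accumulating into an unsigned 64-bit value and range-checking before the 16-bit store. All function names are hypothetical and the byte strings are constructed; the 0x10050 case is the one from the commit message.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Big-endian bytes to integer, accumulated unsigned so that the 8-byte
 * maximum cannot overflow. Returns 0 on success, -1 on a bad length. */
static int be_to_u64(const uint8_t *b, size_t len, uint64_t *out)
{
    uint64_t num = 0;

    if (len == 0 || len > sizeof(uint64_t))
        return -1;
    for (size_t i = 0; i < len; i++)
        num = (num << 8) | b[i];
    *out = num;
    return 0;
}

/* Store into a 16-bit field only when the decoded value fits. */
static int store_port(const uint8_t *b, size_t len, uint16_t *port)
{
    uint64_t v;

    if (be_to_u64(b, len, &v) != 0 || v > UINT16_MAX)
        return -1;
    *port = (uint16_t)v;
    return 0;
}

/* The behaviour the commit message describes: the cast drops the high bits. */
static uint16_t store_port_truncating(const uint8_t *b, size_t len)
{
    uint64_t v = 0;

    (void)be_to_u64(b, len, &v);
    return (uint16_t)v;
}

int main(void)
{
    const uint8_t wide[] = { 0x00, 0x01, 0x00, 0x50 }; /* constructed: 0x10050 */
    uint16_t port = 0;

    printf("truncating store: %u\n", store_port_truncating(wide, sizeof(wide)));
    printf("checked store:    %d\n", store_port(wide, sizeof(wide), &port));
    return 0;
}
```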
eigrpd: Improve packet validation
Harden validation of lengths before accessing packets;
detect and handle invalid INT TLVs where they're created.
Reported-by: Haruto Kimura (Stella) <harutokimura0608@gmail.com>
Signed-off-by: Mark Stapp <mjs@cisco.com>
bgpd: Move rpki strict check to bgp_accept()
Current code checks on bgp_start and bgp_establish()
to prevent incoming and outgoing connections when rpki strict mode
is on and bgp is not connected to rpki. Modify the code such that
the bgp_establish() code is no longer the place to check this
it should be in bgp_accept(). Without this there is a very reproducible
crash that happens because the check in bgp_establish() is immediately
afte...
tests: Add new bgp rpki testing
Add these tests to the bgp rpki topotest to better test the rpki code:
a) Test that RPKI invalid state is handled correctly.
b) Ensures that neighbor rpki strict works correctly
c) Add match rpki invalid route-map and ensure it works correctly.
d) Add match rpki-extcommunity and ensure it works correctly.
e) Add IPv6 RPKI validation and ensure it works correctly.
Signed-off-by: Donald Sharp <...
pceplib: validate during of_list TLV decoding
Validate buffer length in OF TLV decoding; avoid casting buffer
as integer pointer; count advance by 2-bytes.
Signed-off-by: Mark Stapp <mjs@cisco.com>
bgpd: Check if prefixlen is not 0 when parsing flowspec stuff
When len == 0, this wraps to UINT32_MAX/SIZE_MAX, causing an unbounded read
from whatever memory follows the buffer. Currently mitigated for the validation
path (caller checks psize == 0), but bgp_flowspec_contains_prefix and bgp_fs_nlri_get_string take len from stored prefix data and have no such guard.
Signed-off-by: Donatas Abraitis <donatas@opensourcerouting.org>
bgpd: Prevent len_string going negative when trying to display flowspec entries
The bgp_fs_nlri_get_string() function writes flowspec component strings into
a 512-byte stack buffer (BGP_FLOWSPEC_STRING_DISPLAY_MAX). It tracks remaining
space using len_string, which is decremented by the return value of snprintf.
The critical bug: when snprintf truncates output, it returns the number of
characters that would have been written, not the number actually written.
This causes ...
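Added example, not part of the commit or of FRR's code: the snprintf return-value behaviour described in the len_string message above, next to a bounded append that advances only by what was stored. The helper names, the 8-byte buffer and the component strings are constructed for illustration.

```c
#include <stdarg.h>
#include <stddef.h>
#include <stdio.h>

/* Accounting as the commit message describes it: subtract snprintf's
 * return value from the remaining space. size must be <= 64 here. */
static int remaining_naive(size_t size, const char *text)
{
    char buf[64];
    int len_string = (int)size;
    int n = snprintf(buf, size, "%s", text);

    len_string -= n; /* n is the untruncated length, so this can go negative */
    return len_string;
}

/* Bounded append: advance by what was stored, never by what was wanted.
 * Returns 0 if everything fit, -1 if the output was truncated or full. */
static int buf_append(char *buf, size_t size, size_t *off, const char *fmt, ...)
{
    va_list ap;
    size_t room;
    int n;

    if (size == 0 || *off >= size - 1)
        return -1; /* nothing left except the terminating NUL */
    room = size - *off;
    va_start(ap, fmt);
    n = vsnprintf(buf + *off, room, fmt, ap);
    va_end(ap);
    if (n < 0)
        return -1;
    if ((size_t)n >= room) { /* truncated: room - 1 characters were stored */
        *off = size - 1;
        return -1;
    }
    *off += (size_t)n;
    return 0;
}

/* Constructed component strings appended into an 8-byte buffer. */
static size_t demo_bounded(void)
{
    char buf[8];
    size_t off = 0;

    buf_append(buf, sizeof(buf), &off, "%s", "tcp ");
    buf_append(buf, sizeof(buf), &off, "%s", "destination-port");
    buf_append(buf, sizeof(buf), &off, "%s", " =80");
    return off; /* never exceeds sizeof(buf) - 1 */
}

int main(void)
{
    printf("naive remaining: %d\n", remaining_naive(8, "destination-port"));
    printf("bounded offset:  %zu\n", demo_bounded());
    return 0;
}
```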
tests: add topotest for PIM allow-rp feature
Add a new topotest to verify the 'ip pim allow-rp' functionality.
The test validates that PIM joins with mismatched RP addresses are
rejected by default, accepted when allow-rp is enabled, and properly
filtered when using the rp-list prefix-list option.
Signed-off-by: Soumya Roy <souroy@nvidia.com>
pimd: add YANG/northbound support for allow-rp configuration
Wire the allow-rp CLI through the northbound framework with
proper YANG modeling, replacing direct struct field manipulation.
Add IPv6 pim allow-rp command support.
Integrate allow-rp CLI with the northbound framework using proper
YANG modeling, replacing direct struct field manipulation. Add IPv6
pim allow-rp command support.
Signed-off-by: Soumya Roy <souroy@nvidia.com>
pimd: refactor allow-rp logic and remove unused parameter
- Remove unused 'allow_rp' parameter from recv_join() function.
The parameter was passed but never used; the code accessed
pim_ifp->allow_rp directly instead.
- Consolidate all allow-rp checking logic into pim_is_rp_allowed().
The function now handles the allow_rp enable check internally,
making the calling code cleaner and the function self-contained.
- Update function documentation ...
pimd: fix the crash by doing NULL check for pim interface
Added the NULL check before accessing pim interface while processing
command "no ip pim allow-rp rp-list sample"
Ticket: #3864208
Testing:
before:
tor-11(config-if)# no ip pim allow-rp rp-list policy
vtysh: error reading from pimd: Success (0)
Warning: closing connection to pimd because of an I/O error!
Broadcast message from root@tor-11 (somewhere) (Thu Apr 18 21:15:45 2024):
cumulus-core: R...