nhrpd: stop debugging auth credentials
Don't log/debug credentials. The output code was bugged, and
was willing to overrun temporary char buffers - just remove
the code.
Signed-off-by: Mark Stapp <mjs@cisco.com>
bgpd: fix release intermediate SIDs upon changing locator
On a BGP SRv6 setup with loc1 locator on default instance, and the user
wants to change locator from loc2 to loc3 in vrf Vrf20.
Sometimes, the resulting SIDs assigned for Vrf20 are the
ones from loc1 assigned at command 'no locator loc2', whereas the
expectation should be the SIDs from loc3. The below show command
shows that 2001:db8:1:1:3:: from loc1 is not released.
> r1# ...
topotests: add test to control sid assignment when changing locator
The move of vrf20 from loc2 to loc3 should result in appropriate
assignment of the SID 2003:db8:1:1:1::.
Signed-off-by: Philippe Guibert <philippe.guibert@6wind.com>
bgpd: Harden SRv6 Service Data parser for SID Structure length
RFC 9252 defines the SRv6 SID Structure Sub-Sub-TLV (Type 1) with
a fixed Value length of 6 octets.
Update bgp_attr_srv6_service_data() to reject Type 1 entries whose
declared length is not exactly 6, instead of accepting any length >= 6.
This tightens parser correctness and prevents malformed Type 1
encodings from being treated as valid.
Signed-off-by: Carmine Scarpitta <cscarpit@cisco.com>
bgpd: Clearly check for AS4 against 0 value
Use BGP_AS_ZERO, instead of !as4 for readability.
Signed-off-by: Donatas Abraitis <donatas@opensourcerouting.org>
bgpd: Reject Link NLRIs without Link Descriptor
A valid Link NLRI must include a Local Node Descriptor, a Remote Node
Descriptor, and a Link Descriptor.
After decoding Protocol-ID, Identifier, and the Local/Remote Node Descriptors,
ensure there is still Link Descriptor data to decode.
If no bytes remain for the Link Descriptor, treat the NLRI as malformed and
fail decode.
Signed-off-by: Carmine Scarpitta <cscarpit@cisco.com>
bgpd: Consolidate redundant stream bounds checks in bgp_ls_decode_nlri
Replace two separate STREAM_READABLE checks for reading NLRI Type and Length
with a single combined check. Use symbolic constants BGP_LS_NLRI_TYPE_SIZE and
BGP_LS_NLRI_LENGTH_SIZE instead of magic number 4, improving readability and
maintainability.
Signed-off-by: Carmine Scarpitta <cscarpit@cisco.com>
bgpd: Return immediately when dynamic capability action is not valid
Without returning immediately, we continue the loop that advances pnt pointer,
which is not good. We should send the notification (which is already done), and
return.
Signed-off-by: Donatas Abraitis <donatas@opensourcerouting.org>
bgpd: Prevent out-of-bound reading handling soft version dynamic capability
Fixes: 784cf95c4377ec84b25fb5801fdfaa20450325de ("bgpd: Try to handle software version capability with the new encoding format")
Signed-off-by: Donatas Abraitis <donatas@opensourcerouting.org>
bgpd: Prevent zero-length BGP-LS MT-ID TLV
An attacker can craft a BGP-LS update containing an MT-ID TLV with zero
length (tlv_len == 0). This passes existing validation (0 % 2 == 0 and
0 <= MAX), causing XCALLOC(MTYPE_BGP_LS_NLRI, 0) to be called. This
results in unexpected behavior.
This fix validates tlv_len > 0 before allocation in both link and prefix
descriptor MT-ID TLV decoder, avoiding unexpected behavior from zero-length
inp...
ospf6d: update auth sequence number after validating digest
Test for valid sequence number before validating auth digest,
but don't update the neighbor's sequence number value until
after validating.
Reported-by: Bronson Yen <bronson@calif.io>
Signed-off-by: Mark Stapp <mjs@cisco.com>
Merge pull request #21486 from opensourcerouting/fix/bgp_print_link_type_correctly_according_to_remote_as_auto
bgpd: Print neighbor link type correctly according to local-as
Merge pull request #21551 from opensourcerouting/fix/bgp_inter_confederation_ebgp
bgpd: Replace the actual local-as when using replace-as with the confederation
isisd: Preserve flags when copying SRv6 End SID sub-TLV
Preserve the flags field when duplicating an SRv6 End SID sub-TLV by
copying it into the cloned entry.
Signed-off-by: Carmine Scarpitta <cscarpit@cisco.com>
isisd: continue hardening SRV6 tlv parsing
Add more validation for SRV6 END.X and LAN_END.X subsubtlvs.
Ensure allocated subsubtlv pointer is freed in error cleanup paths.
Signed-off-by: Mark Stapp <mjs@cisco.com>
Reported-by: Bronson Yen <bronson@calif.io>
isisd: consume leftover bytes after FAD sub-sub-TLV loop
When the FAD sub-sub-TLV loop exits normally with 1-2 bytes remaining
(too small for another header), the stream position falls out of sync
with the declared subtlv length. Add a post-loop forward to consume
the leftover bytes on normal exit only, not on the error-break path
where the bytes were already consumed.
Signed-off-by: Tristan Madani <tristan@live.fr>
eigrpd: fix byte order in Hello TLV decode functions
The auth_type and length fields in EIGRP Hello TLV structures are
network byte order, but several decode functions compare them against
host-order constants without ntohs().
Add ntohs() to all affected comparisons:
- eigrp_hello_authentication_decode: auth_type and length checks
- eigrp_hello_parameter_decode: length check
- eigrp_sw_version_decode: length check
- eigrp_peer_termination_decode...
lib: northbound: distinguish unknown schema node from key mismatch
When an mgmt edit-config arrives with an xpath that cannot be resolved
against the data tree, lyd_find_path returns an error and mgmtd emits
"List keys in xpath and data tree are different" for two distinct
failure modes:
- the xpath names a schema node that does not exist (typo, e.g.
"prefix-lst" instead of "prefix-list"); and
- the xpath resolves to a valid schema node, but the key p...
bgp_evpn: fix memleak when configuring rd
Direct leak of 14 byte(s) in 1 object(s) allocated from:
#0 0x7bea082f74e8 in strdup ../../../../src/libsanitizer/asan/asan_interceptors.cpp:578
#1 0x7bea07e3ca5a in qstrdup lib/memory.c:123
#2 0x63e8ac7e7349 in evpn_configure_rd bgpd/bgp_evpn_vty.c:2401
#3 0x63e8ac7e7349 in bgp_evpn_vni_rd bgpd/bgp_evpn_vty.c:6439
#4 0x7bea07db2926 in cmd_execute_command_real lib/command.c:...
bgpd: fix neighbor IP comparison for IPv6 memcmp return values
Root cause and fix:
In bgp bestpath selection, IPv6 peer addresses are ordered with
memcmp in sockunion_cmp(), so the return value can be any negative
or positive integer (e.g. 2), not only -1, 0, or 1.
The BGP neighbor-IP step compared ret to exactly ±1, so
other positive/negative values fell through to the default branch,
leading to selection of the wrong path. Use ret > 0 and ret < 0 instead.
...
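The comparison pitfall in the commit message above, as an added example that is not taken from the FRR source: `addr_cmp()` stands in for `memcmp()` and returns the byte difference (the C standard fixes only the sign of the result), and the `tiebreak_*` functions, result names and peer addresses are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>

enum { KEEP_EXISTING = 0, TAKE_NEW = 1, UNDECIDED = 2 };

/* Constructed peer addresses: 2001:db8::1, ::2 and ::3 */
const uint8_t peer_1[16] = { 0x20, 0x01, 0x0d, 0xb8, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1 };
const uint8_t peer_2[16] = { 0x20, 0x01, 0x0d, 0xb8, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 2 };
const uint8_t peer_3[16] = { 0x20, 0x01, 0x0d, 0xb8, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 3 };

/* Stand-in for memcmp() over 16 bytes: returns the difference of the
 * first differing bytes, a result memcmp() is allowed to produce. */
int addr_cmp(const uint8_t *a, const uint8_t *b)
{
    for (int i = 0; i < 16; i++)
        if (a[i] != b[i])
            return (int)a[i] - (int)b[i];
    return 0;
}

/* Pattern described in the commit: only exactly +1 and -1 are handled. */
int tiebreak_exact(const uint8_t *new_peer, const uint8_t *exist_peer)
{
    int ret = addr_cmp(new_peer, exist_peer);

    if (ret == 1)
        return KEEP_EXISTING;
    if (ret == -1)
        return TAKE_NEW;
    return UNDECIDED; /* -2, 2, ... land here although the addresses differ */
}

/* Sign-based form: the lower neighbor address wins for any nonzero result. */
int tiebreak_sign(const uint8_t *new_peer, const uint8_t *exist_peer)
{
    int ret = addr_cmp(new_peer, exist_peer);

    if (ret > 0)
        return KEEP_EXISTING;
    if (ret < 0)
        return TAKE_NEW;
    return UNDECIDED; /* equal addresses: a later step must decide */
}

int main(void)
{
    printf("::1 vs ::3  exact=%d sign=%d\n",
           tiebreak_exact(peer_1, peer_3), tiebreak_sign(peer_1, peer_3));
    return 0;
}
```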
bgpd: Replace the actual local-as when using replace-as with the confederation
If we have something like:
router bgp 12345
no bgp ebgp-requires-policy
bgp confederation identifier 64512
neighbor 192.168.1.1 remote-as 65004
neighbor 192.168.3.3 remote-as 64515
neighbor 192.168.3.3 remove-private-AS all replace-AS
Then 192.168.3.3 receives a route with AS PATH: 64512 12345, but 12345 should
be replaced with 64512 because the peering is done using 64512 <-> 64515.
Sign...
eigrpd: enforce minimum TLV length in Hello handler
The Hello TLV parser accepts TLVs with length 1, 2, or 3 because
the condition only checks length > 0. Since the TLV header itself
is 4 bytes (type + length), a declared length smaller than
EIGRP_TLV_HDR_LENGTH causes the pointer to advance by less than
one header width, misaligning all subsequent TLV reads.
Tighten the check to require length >= EIGRP_TLV_HDR_LENGTH.
Signed-off-by: Tristan M...
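The misalignment described in the commit message above, as an added example that is not eigrpd's code: a generic walker over TLVs whose length field covers header plus value, run with the old "length > 0" bound and with the header-size bound. `walk_tlvs()`, `TLV_HDR_LEN`, `seen` and the two packets are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define TLV_HDR_LEN 4 /* 2-byte type + 2-byte length, as in the commit text */

/* Constructed sample packets: two TLVs each, types 1 and 6. */
const uint8_t good_pkt[]  = { 0x00, 0x01, 0x00, 0x04,  0x00, 0x06, 0x00, 0x04 };
const uint8_t short_pkt[] = { 0x00, 0x01, 0x00, 0x02,  0x00, 0x06, 0x00, 0x04 };
uint16_t seen[8]; /* TLV types recorded by the last walk */

static uint16_t rd16(const uint8_t *p)
{
    return (uint16_t)((p[0] << 8) | p[1]); /* network byte order */
}

/* Walk the TLVs in buf. min_len = 1 models the old "length > 0" check,
 * min_len = TLV_HDR_LEN the tightened one. Returns the number of TLVs
 * walked, or -1 when a TLV is rejected as malformed. */
int walk_tlvs(const uint8_t *buf, size_t size, uint16_t min_len)
{
    size_t off = 0;
    int n = 0;

    while (size - off >= TLV_HDR_LEN) {
        uint16_t type = rd16(buf + off);
        uint16_t len = rd16(buf + off + 2);

        if (len < min_len || len > size - off)
            return -1;
        if (n < 8)
            seen[n] = type;
        n++;
        off += len; /* len < 4 lands inside the header just read */
    }
    return n;
}

int main(void)
{
    int n = walk_tlvs(short_pkt, sizeof(short_pkt), 1);

    printf("short, lax:    %d TLVs, second type 0x%04x\n", n, seen[1]);
    n = walk_tlvs(short_pkt, sizeof(short_pkt), TLV_HDR_LEN);
    printf("short, strict: %d\n", n);
    return 0;
}
```

With the lax bound the walker reports a second TLV of type 0x0002, which is really the first TLV's length field reread as a type; the real type 6 TLV is never seen.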
isisd: use correct min size values for srv6 subtlvs
Use the correct min sizes for the SRV6_ENDX and
LAN_ENDX SID subtlvs.
Reported-by: Tristan Madani <TristanInSec@gmail.com>
Signed-off-by: Mark Stapp <mjs@cisco.com>