Merge pull request #21211 from opensourcerouting/fix/cap_overflow_parsing_unknown
bgpd: Check if we are not overusing error_data buffer when unknown cap received
bgpd: Check if we are not overusing error_data buffer when unknown cap received
There is no bounds check before the memcpy(). With Extended Message support
enabled, incoming OPEN messages can be up to 65535 bytes, so the total size
of unknown capability TLVs can far exceed 4096 bytes, overflowing the stack
buffer.
Signed-off-by: Donatas Abraitis <donatas@opensourcerouting.org>
ripngd: fix data handling in several places
Don't accept responses unless interface is configured; be
more careful with route_node before dereferencing the info
pointer; validate min and max packet size before processing.
Signed-off-by: Mark Stapp <mjs@cisco.com>
ripd: ensure simple-auth value is NULL-terminated
Ensure the simple-auth string is in a NULL-terminated
buffer before printing it with '%s'.
Signed-off-by: Mark Stapp <mjs@cisco.com>
ripd: use rn->info properly in process_response()
route_node->info is a list, not a single object; use it
correctly, and avoid NULL-deref potential.
Signed-off-by: Mark Stapp <mjs@cisco.com>
bgpd: Do not process route-refresh for AFI/SAFI if it's not negotiated
We shouldn't allow processing AFI/SAFI received in route-refresh message if we
don't have this AFI/SAFI enabled for this peer.
Signed-off-by: Donatas Abraitis <donatas@opensourcerouting.org>
tests: Verify neighbor addr Sub-TLVs after link-params reset
Add test_step11() to the isis_te_topo1 topotest suite to verify
that the IPv4 and IPv6 Neighbor Address Sub-TLVs in the Extended IS
Reachability TLV are correctly restored after link-params changes.
The test removes link-params from r1-eth0 and then re-adds them,
and checks that the neighbor address Sub-TLVs are still present in
the TED on all routers after the reconfiguration.
Signed-off-by:...
isisd: Fix missing neighbor address Sub-TLVs after link-params change
When link-params are removed from an interface, Zebra notifies IS-IS via
the zebra_if_update_link_params hook, triggering isis_mpls_te_update().
That function calls isis_link_params_update(), which resets ext->status
to keep only SR-related Sub-TLV flags — clearing EXT_NEIGH_ADDR and
EXT_NEIGH_ADDR6, which control advertisement of the IPv4 and IPv6
Neighbor Address Sub-TLVs, so those Sub-TLVs d...
bgpd: include length in cluster_hash_cmp()
For robustness, the lengths should be compared even when the
pointers are equal.
Signed-off-by: Enke Chen <enchen@paloaltonetworks.com>
bgpd: add config "nexthop prefer-global" for ipv6 address family
This command is similar to "set ipv6 next-hop prefer-global" in a
route-map, but it's global and is applied to the ipv6 routes from
all neighbors.
BGP may receive a link-local ipv6 address, and a global IPv6 address
as the nexthops from a directly connected peer. The default in FRR
is to use the link-local address. This config would override the
default and use the global ipv6 address instead...
bgpd: fix BGP_ATTR_NEXT_HOP flag handling in bgp_attr_default_set()
bgp_attr_default_set() unconditionally set the BGP_ATTR_NEXT_HOP flag
on every call, even though attr.nexthop (the IPv4 address field) is
all-zeros and not yet assigned. This flag is used by
BGP_ATTR_NEXTHOP_AFI_IP6 to distinguish IPv4 vs IPv6 nexthops, so
having it always set caused non-IPv4 routes to be misidentified.
Callers were working around this by manually calling UNSET_FLAG for
non-IPv...
tests: bgp_suppress_duplicates: simplify and split into four tests
Convert the iBGP session between r1 and r2 to eBGP. This eliminates
rmap-to-r2 (which existed solely to normalize local-pref to 100 at
r2), next-hop-self, and the now-empty address-family block on r2.
Since local-pref is not carried over eBGP, drop the local_pref
parameter from _bgp_check_route_attributes().
Add a step to wait for the initial route to appear at r2 before
recording the baseline...
bgpd: Fix route-map cleanup ordering in SRv6 unicast SID export
When removing SRv6 unicast SID export config, route-map cleanup frees
rmap_name before looking up the route-map and decrementing its counter.
Reorder cleanup to first call route_map_lookup_by_name() and
route_map_counter_decrement(), then free rmap_name.
Apply the same ordering fix in the SRv6 unicast delete path for
consistency.
Signed-off-by: Carmine Scarpitta <cscarpit@cisco.com>
bgpd: fix NHT for explicit link-local BGP peers
When a BGP peer is configured with an explicit IPv6 link-local
address (neighbor fe80::1 interface swp1), the NHT peer-tracking
code skipped deriving the ifindex from the kernel-provided
scope_id because peer->conf_if is NULL for this configuration
style. This caused peer-tracking to create a BNC keyed with
ifindex 0 while path-tracking created a separate BNC keyed with
the real ifindex from s...
isisd: add unit test for remove_excess_adjs() memory leak fix
Add a test that verifies remove_excess_adjs() properly frees the
isis_vertex_adj it removes from the list. The test uses FRR's
per-MTYPE allocation counter (n_alloc) to assert that:
- After remove_excess_adjs(): exactly one MTYPE_ISIS_VERTEX_ADJ
allocation is freed (not just unlinked)
- After full list cleanup: all allocations return to baseline
Without the fix in the preceding commit, the ...
isisd: fix memory leak in remove_excess_adjs()
When the number of adjacencies for a vertex exceeds
ISIS_MAX_PATH_SPLITS, remove_excess_adjs() calls list_delete_node()
which frees the listnode but does NOT free the isis_vertex_adj data
payload. This leaks one MTYPE_ISIS_VERTEX_ADJ allocation per call.
In large-scale deployments, each SPF run triggers this path
accumulating leaked memory.
Valgrind trace:
definitely lost: 3,332,608 bytes i...
bfdd: cap IPv6 echo reflection to declared length
Validate IPv6 echo payload length and reflect only bep->len
bytes instead of raw receive length to avoid oversized
reflection payloads.
Signed-off-by: Jafar Al-Gharaibeh <jafar@atcorp.com>
bfdd: account for FP offset in echo length checks
Validate echo packet length using bfd_offset + sizeof(*bep) so
forwarding-plane packets are not parsed past received data.
Signed-off-by: Jafar Al-Gharaibeh <jafar@atcorp.com>
bfdd: fix recv errno filter logic in a few places
Use logical AND when filtering EAGAIN/EWOULDBLOCK/EINTR in
bfd_recv_ipv4_fp(), bfd_recv_ipv4(), and bfd_recv_ipv6() so
only real socket errors are logged.
Signed-off-by: Jafar Al-Gharaibeh <jafar@atcorp.com>