Merge pull request #21351 from opensourcerouting/fix/bgp_attr_parse_stream_position_validationbgpd: Reset the stream to attr_start + attribute_len when WITHDRAWN
pimd: fix crash due to double freelocal_membership_del may delete the ifchannel and last upstream,
which runs pim_channel_oil_upstream_deref() and frees the channel_oil.
IGMP still holds *oilp in that case; a second pim_channel_oil_del()
corrupts the RB tree (typed_rb_remove on freed / zeroed links).
Signed-off-by: Jafar Al-Gharaibeh <jafar@atcorp.com>
ci: Do not trigger Github action when PR is labeled/unlabeledThat causes frrbot to require an approval for running these actions.
Signed-off-by: Donatas Abraitis <donatas@opensourcerouting.org>
bgpd: Reset the stream to attr_start + attribute_len when WITHDRAWNbgp_attr_parse does goto done early on WITHDRAW without draining endp,
so stream_pnt(s) lands in the middle of the attribute data.
Signed-off-by: Donatas Abraitis <donatas@opensourcerouting.org>
eigrpd: skip unknown and ignored TLVsTry to skip unknown TLVs in places where we don't process
all types.
Reported-by: Haruto Kimura (Stella) <harutokimura0608@gmail.com>
Signed-off-by: Mark Stapp <mjs@cisco.com>
bgpd: Verify if we correctly parsed BGP-LS attributeThe loop condition while (stream_get_getp(s) < end_pos) does not catch
overshooting. If a sub-parser (e.g. parse_prefix_sid) reads length bytes but
length was crafted to extend past end_pos, the stream pointer ends up beyond
end_pos.
The < condition then terminates the loop normally, and return 0 follows success,
with the stream pointer at the wrong offset.
Signed-off-by: Donatas Abraitis <do...
bgpd: Check the length also when parsing ENCAP attr sub-TLVsIf we don't check for length against 0, then we have a test (length < 1) that
triggers the whole ENCAP attr to be malformed.
Signed-off-by: Donatas Abraitis <donatas@opensourcerouting.org>
bgpd: Validate prefixlen before subtracting when parsing labeled unicast NLRIWhen multiple labels are consumed without BOS, BSIZE(llen) can exceed prefixlen,
causing a uint16_t underflow to 65535.
Signed-off-by: Donatas Abraitis <donatas@opensourcerouting.org>
doc: document common daemon options and link -w referencesThe common invocation options (defined in lib/libfrr.c) are already
documented in basic.rst under the common-invocation-options label,
but several daemon pages refer to them only as "documented elsewhere"
without an actual reference.
- Replace all "documented elsewhere" occurences with a proper
:ref:`common-invocation-options` link in pathd, pbr, sharp, static, and
vrrp docs
- Document the f...
bgpd: Return zero labels if no BOS found and it's not a withdraw labelWhen bgp_nlri_get_labels() encounters a label without the Bottom-of-Stack (BOS)
bit, it consumes subsequent prefix bytes as additional labels, only emitting a
warning.
If a peer sends prefixlen=48, a 3-byte label without BOS, and 3 bytes of
prefix (e.g., 10.0.0.0/24), the parser reads both as labels (llen=6), leaving
0 bytes of prefix data.
The resulting p.prefixlen = 48 - 48 = 0 installs a /...
bgpd: Fix signed overflow in hexstr2num()The function accumulates num = hexstr[i] + 256 * num into a signed int.
The operator encoding allows up to 8-byte values, causing signed overflow.
The result is then silently truncated to uint16_t when stored
(mval->value = value), meaning a port value of 0x10050 becomes port 80.
Signed-off-by: Donatas Abraitis <donatas@opensourcerouting.org>
eigrpd: Improve packet validationHarden validation of lengths before accessing packets;
detect and handle invalid INT TLVs where they're created.
Reported-by: Haruto Kimura (Stella) <harutokimura0608@gmail.com>
Signed-off-by: Mark Stapp <mjs@cisco.com>
bgpd: Move rpki strict check to bgp_accept()Current code checks on bgp_start and bgp_establish()
to prevent incoming and outgoing connections when rpki strict mode
is on and bgp is not connected to rpki. Modify the code such that
the bgp_establish() code is no longer the place to check this
it should be in bgp_accept(). Without this there is a very reproducible
crash that happens because the check in bgp_establish() is immediately
afte...
tests: Add new bgp rpki testingAdd these tests to the bgp rpki topotest to better test the rpki code:
a) Test that RPKI invalid state is handled correctly.
b) Ensures that neighbor rpki strict works correctly
c) Add match rpki invalid route-map and ensure it works correctly.
d) Add match rpki-extcommunity and ensure it works correctly.
e) Add IPv6 RPKI validation and ensure it works correctly.
Signed-off-by: Donald Sharp <...
pceplib: validate during of_list TLV decodingValidate buffer length in OF TLV decoding; avoid casting buffer
as integer pointer; count advance by 2-bytes.
Signed-off-by: Mark Stapp <mjs@cisco.com>
bgpd: Check if prefixlen is not 0 when parsing flowspec stuffWhen len == 0, this wraps to UINT32_MAX/SIZE_MAX, causing an unbounded read
from whatever memory follows the buffer. Currently mitigated for the validation
path (caller checks psize == 0), but bgp_flowspec_contains_prefix and bgp_fs_nlri_get_string take len from stored prefix data and have no such guard.
Signed-off-by: Donatas Abraitis <donatas@opensourcerouting.org>
bgpd: Prevent len_string going negative when trying to display flowspec entriesThe bgp_fs_nlri_get_string() function writes flowspec component strings into
a 512-byte stack buffer (BGP_FLOWSPEC_STRING_DISPLAY_MAX). It tracks remaining
space using len_string, which is decremented by the return value of snprintf.
The critical bug: when snprintf truncates output, it returns the number of
characters that would have been written, not the number actually written.
This causes ...
tests: add topotest for PIM allow-rp featureAdd a new topotest to verify the 'ip pim allow-rp' functionality.
The test validates that PIM joins with mismatched RP addresses are
rejected by default, accepted when allow-rp is enabled, and properly
filtered when using the rp-list prefix-list option.
Signed-off-by: Soumya Roy <souroy@nvidia.com>
pimd: add YANG/northbound support for allow-rp configurationWire the allow-rp CLI through the northbound framework with
proper YANG modeling, replacing direct struct field manipulation.
Add IPv6 pim allow-rp command support.
Integrate allow-rp CLI with the northbound framework using proper
YANG modeling, replacing direct struct field manipulation. Add IPv6
pim allow-rp command support.
Signed-off-by: Soumya Roy <souroy@nvidia.com>
pimd: refactor allow-rp logic and remove unused parameter- Remove unused 'allow_rp' parameter from recv_join() function.
The parameter was passed but never used; the code accessed
pim_ifp->allow_rp directly instead.
- Consolidate all allow-rp checking logic into pim_is_rp_allowed().
The function now handles the allow_rp enable check internally,
making the calling code cleaner and the function self-contained.
- Update function documentation ...
pimd: fix the crash by doing NULL check for pim interfaceAdded the NULL check befor accessing pim interface while processing
command "no ip pim allow-rp rp-list sample"
Ticket: #3864208
Testing:
before:
tor-11(config-if)# no ip pim allow-rp rp-list policy
vtysh: error reading from pimd: Success (0)Warning: closing connection to pimd because of an I/O error!
Broadcast message from root@tor-11 (somewhere) (Thu Apr 18 21:15:45 2024):
cumulus-core: R...
pimd: add allow-rp knob to ignore incorrect rpWhen processing a (*,G) source list entry, the RFC dictates that the
source address provided must match the RP address. In some situations
it's desirable to forego this check. This patch adds a simple boolean
knob, configurable on a per-interface basis, to disable that check.
Alternatively, one can specify a prefix-list, which will act as a
whitelist for what RP addresses to allow.
Signed-off...
Merge pull request #21214 from LabNConsulting/chopps/fix-swapped-vals-and-setsockoptlib: fix swapped values, bad setsockopt, and intermittent test failure
bgpd: Revalidate locally originated routes against RPKI changesWithout this patch we evaluated only adj_in for a particular peer, which means
we never re-advertise locally originated route if RPKI state changes, e.g.:
if RPKI state changes from VALID to INVALID, we still advertise this route
to the peer even if we have a route-map that denies announcing INVALID routes.
Signed-off-by: Donatas Abraitis <donatas@opensourcerouting.org>
Mark Stapp
Donatas Abraitis
Mark Stapp
Gabriel Goller
Donald Sharp
Soumya Roy
