head 1.4; access; symbols pkgsrc-2013Q2:1.4.0.8 pkgsrc-2013Q2-base:1.4 pkgsrc-2012Q4:1.4.0.6 pkgsrc-2012Q4-base:1.4 pkgsrc-2011Q4:1.4.0.4 pkgsrc-2011Q4-base:1.4 pkgsrc-2011Q2:1.4.0.2 pkgsrc-2011Q2-base:1.4 pkgsrc-2010Q2:1.3.0.22 pkgsrc-2010Q2-base:1.3 pkgsrc-2010Q1:1.3.0.20 pkgsrc-2010Q1-base:1.3 pkgsrc-2009Q4:1.3.0.18 pkgsrc-2009Q4-base:1.3 pkgsrc-2009Q3:1.3.0.16 pkgsrc-2009Q3-base:1.3 pkgsrc-2009Q2:1.3.0.14 pkgsrc-2009Q2-base:1.3 pkgsrc-2009Q1:1.3.0.12 pkgsrc-2009Q1-base:1.3 pkgsrc-2008Q4:1.3.0.10 pkgsrc-2008Q4-base:1.3 pkgsrc-2008Q3:1.3.0.8 pkgsrc-2008Q3-base:1.3 cube-native-xorg:1.3.0.6 cube-native-xorg-base:1.3 pkgsrc-2008Q2:1.3.0.4 pkgsrc-2008Q2-base:1.3 cwrapper:1.3.0.2 pkgsrc-2008Q1:1.2.0.26 pkgsrc-2008Q1-base:1.2 pkgsrc-2007Q4:1.2.0.24 pkgsrc-2007Q4-base:1.2 pkgsrc-2007Q3:1.2.0.22 pkgsrc-2007Q3-base:1.2 pkgsrc-2007Q2:1.2.0.20 pkgsrc-2007Q2-base:1.2 pkgsrc-2007Q1:1.2.0.18 pkgsrc-2007Q1-base:1.2 pkgsrc-2006Q4:1.2.0.16 pkgsrc-2006Q4-base:1.2 pkgsrc-2006Q3:1.2.0.14 pkgsrc-2006Q3-base:1.2 pkgsrc-2006Q2:1.2.0.12 pkgsrc-2006Q2-base:1.2 pkgsrc-2006Q1:1.2.0.10 pkgsrc-2006Q1-base:1.2 pkgsrc-2005Q4:1.2.0.8 pkgsrc-2005Q4-base:1.2 pkgsrc-2005Q3:1.2.0.6 pkgsrc-2005Q3-base:1.2 pkgsrc-2005Q2:1.2.0.4 pkgsrc-2005Q2-base:1.2 pkgsrc-2005Q1:1.2.0.2 pkgsrc-2005Q1-base:1.2 pkgsrc-2004Q4:1.1.1.1.0.10 pkgsrc-2004Q4-base:1.1.1.1 pkgsrc-2004Q3:1.1.1.1.0.8 pkgsrc-2004Q3-base:1.1.1.1 pkgsrc-2004Q2:1.1.1.1.0.6 pkgsrc-2004Q2-base:1.1.1.1 pkgsrc-2004Q1:1.1.1.1.0.4 pkgsrc-2004Q1-base:1.1.1.1 pkgsrc-2003Q4:1.1.1.1.0.2 pkgsrc-2003Q4-base:1.1.1.1 pkgsrc-base:1.1.1.1 TNF:1.1.1; locks; strict; comment @# @; 1.4 date 2010.08.31.13.20.13; author gdt; state dead; branches; next 1.3; 1.3 date 2008.05.13.22.30.47; author tonnerre; state Exp; branches; next 1.2; 1.2 date 2005.03.02.19.15.07; author reed; state dead; branches 1.2.26.1; next 1.1; 1.1 date 2003.08.13.07.26.57; author itojun; state Exp; branches 1.1.1.1; next ; 1.2.26.1 date 2008.05.15.08.44.57; author rtr; state Exp; branches; next ; 
1.1.1.1 date 2003.08.13.07.26.57; author itojun; state Exp; branches; next ; desc @@ 1.4 log @Replace with contents of quagga-devel, thus upgrading to 0.99.17. @ text @$NetBSD: patch-ab,v 1.3 2008/05/13 22:30:47 tonnerre Exp $ --- bgpd/bgp_attr.c +++ bgpd/bgp_attr.c @@@@ -39,7 +39,7 @@@@ Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA #include "bgpd/bgp_ecommunity.h" /* Attribute strings for logging. */ -struct message attr_str [] = +static struct message attr_str [] = { { BGP_ATTR_ORIGIN, "ORIGIN" }, { BGP_ATTR_AS_PATH, "AS_PATH" }, @@@@ -58,6 +58,7 @@@@ struct message attr_str [] = { BGP_ATTR_MP_UNREACH_NLRI, "MP_UNREACH_NLRI" }, { 0, NULL } }; +int attr_str_max = sizeof(attr_str)/sizeof(attr_str[0]); struct hash *cluster_hash; @@@@ -922,24 +923,30 @@@@ bgp_mp_reach_parse (struct peer *peer, bgp_size_t length, struct attr *attr, { u_int16_t afi; u_char safi; - u_char snpa_num; - u_char snpa_len; - u_char *lim; bgp_size_t nlri_len; + size_t start; int ret; struct stream *s; /* Set end of packet. */ - s = peer->ibuf; - lim = stream_pnt (s) + length; - + s = BGP_INPUT(peer); + start = stream_get_getp(s); + + /* safe to read statically sized header? */ +#define BGP_MP_REACH_MIN_SIZE 5 + if ((length > STREAM_READABLE(s)) || (length < BGP_MP_REACH_MIN_SIZE)) + return -1; + /* Load AFI, SAFI. */ afi = stream_getw (s); safi = stream_getc (s); /* Get nexthop length. */ attr->mp_nexthop_len = stream_getc (s); - + + if (STREAM_READABLE(s) < attr->mp_nexthop_len) + return -1; + /* Nexthop length check. 
*/ switch (attr->mp_nexthop_len) { @@@@ -986,31 +993,28 @@@@ bgp_mp_reach_parse (struct peer *peer, bgp_size_t length, struct attr *attr, break; } - snpa_num = stream_getc (s); - - while (snpa_num--) - { - snpa_len = stream_getc (s); - stream_forward (s, (snpa_len + 1) >> 1); - } + if (!STREAM_READABLE(s)) + return -1; + + { + u_char val; + if ((val = stream_getc (s))) + zlog_warn ("%s sent non-zero value, %u, for defunct SNPA-length field", + peer->host, val); + } + + /* must have nrli_len, what is left of the attribute */ + nlri_len = length - (stream_get_getp(s) - start); + if ((!nlri_len) || (nlri_len > STREAM_READABLE(s))) + return -1; - /* If peer is based on old draft-00. I read NLRI length from the - packet. */ - if (peer->version == BGP_VERSION_MP_4_DRAFT_00) - { - bgp_size_t nlri_total_len; - nlri_total_len = stream_getw (s); - } - - nlri_len = lim - stream_pnt (s); - if (safi != BGP_SAFI_VPNV4) { ret = bgp_nlri_sanity_check (peer, afi, stream_pnt (s), nlri_len); if (ret < 0) return -1; } - + mp_update->afi = afi; mp_update->safi = safi; mp_update->nlri = stream_pnt (s); @@@@ -1023,24 +1027,26 @@@@ bgp_mp_reach_parse (struct peer *peer, bgp_size_t length, struct attr *attr, /* Multiprotocol unreachable parse */ int -bgp_mp_unreach_parse (struct peer *peer, int length, +bgp_mp_unreach_parse (struct peer *peer, bgp_size_t length, struct bgp_nlri *mp_withdraw) { struct stream *s; u_int16_t afi; u_char safi; - u_char *lim; u_int16_t withdraw_len; int ret; s = peer->ibuf; - lim = stream_pnt (s) + length; +#define BGP_MP_UNREACH_MIN_SIZE 3 + if ((length > STREAM_READABLE(s)) || (length < BGP_MP_UNREACH_MIN_SIZE)) + return -1; + afi = stream_getw (s); safi = stream_getc (s); - - withdraw_len = lim - stream_pnt (s); - + + withdraw_len = length - BGP_MP_UNREACH_MIN_SIZE; + if (safi != BGP_SAFI_VPNV4) { ret = bgp_nlri_sanity_check (peer, afi, stream_pnt (s), withdraw_len); @@@@ -1271,13 +1277,23 @@@@ bgp_attr_parse (struct peer *peer, struct attr *attr, bgp_size_t 
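Review bot: The new `if (STREAM_READABLE(s) < attr->mp_nexthop_len) return -1;` bounds the nexthop against the remaining input buffer, not against this attribute's own `length`, so a nexthop running past the attribute makes `nlri_len = length - (stream_get_getp(s) - start);` wrap in size_t before it is narrowed to `bgp_size_t`, and the only thing that then rejects it is the later `nlri_len > STREAM_READABLE(s)` comparison, which depends on the width of `bgp_size_t` and the buffer size rather than on an explicit check. The switch on `attr->mp_nexthop_len` that follows is outside the hunk and may already reject unexpected lengths; if it does not, one line placed right after the existing readable check closes the gap, `if (attr->mp_nexthop_len > length - BGP_MP_REACH_MIN_SIZE) return -1;` (the min-size check above guarantees that subtraction cannot underflow). The added comment `/* must have nrli_len, what is left of the attribute */` misspells `nlri_len`. bgp_mp_reach_parse starts before the `-922,24` hunk and its body continues past the `-986,31` hunk; the identical copy of these hunks in the 1.2.26.1 text further down the page carries the same point.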
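Review bot: In the bgp_mp_unreach_parse hunk `s = peer->ibuf;` is kept while the sibling reach parser in the same patch was moved to `s = BGP_INPUT(peer);`; the two parsers should obtain the stream the same way so a later change to the input accessor cannot leave one of them behind. `#define BGP_MP_UNREACH_MIN_SIZE 3` (and `BGP_MP_REACH_MIN_SIZE` in the reach hunk) is defined inside a function body, which still leaks into the rest of the translation unit; a file-scope enum or define next to the other bgpd constants would read better. `withdraw_len = length - BGP_MP_UNREACH_MIN_SIZE;` is safe only because the preceding check rejects `length < BGP_MP_UNREACH_MIN_SIZE`, which deserves a one-line comment such as `/* length >= BGP_MP_UNREACH_MIN_SIZE was checked above, so this cannot underflow */`. The function body continues past the hunk; the repeated hunk in the 1.2.26.1 text has the same points.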
size, /* If error occured immediately return to the caller. */ if (ret < 0) - return ret; + { + zlog (peer->log, LOG_WARNING, + "%s: Attribute %s, parse error", + peer->host, + LOOKUP (attr_str, type)); + bgp_notify_send (peer, + BGP_NOTIFY_UPDATE_ERR, + BGP_NOTIFY_UPDATE_MAL_ATTR); + return ret; + } /* Check the fetched length. */ if (BGP_INPUT_PNT (peer) != attr_endp) { zlog (peer->log, LOG_WARNING, - "%s BGP attribute fetch error", peer->host); + "%s: BGP attribute %s, fetch error", + peer->host, LOOKUP (attr_str, type)); bgp_notify_send (peer, BGP_NOTIFY_UPDATE_ERR, BGP_NOTIFY_UPDATE_ATTR_LENG_ERR); @@@@ -1289,7 +1305,8 @@@@ bgp_attr_parse (struct peer *peer, struct attr *attr, bgp_size_t size, if (BGP_INPUT_PNT (peer) != endp) { zlog (peer->log, LOG_WARNING, - "%s BGP attribute length mismatch", peer->host); + "%s BGP attribute %s, length mismatch", + peer->host, LOOKUP (attr_str, type)); bgp_notify_send (peer, BGP_NOTIFY_UPDATE_ERR, BGP_NOTIFY_UPDATE_ATTR_LENG_ERR); diff --git a/doc/quagga.info b/doc/quagga.info 
diff --git a/lib/stream.h b/lib/stream.h index f7a94ea..a85e413 100644 @ 1.3 log @Add patch for CVE-2007-1995 for stable quagga (NLRI attributes denial of service). @ text @d1 1 a1 1 $NetBSD$ @ 1.2 log @Update to 0.98.2. This is from riz AT boogers.sf.ca.us via PR #29518 with some slight modifications. Also some review by Greg Troxel (who is a quagga developer). This is based on the pkgsrc-wip version. This has many changes. But ChangeLog is incomplete. This uses USE_LIBTOOL. Uses rcd scripts provide from quagga distribution (are pkgsrc/NetBSD style). Adds USE_ZEBRA_OSPF_OPAQUELSA build definition for --enable-opaque-lsa. All patches removed. @ text @d1 1 a1 1 $NetBSD: patch-ab,v 1.1 2003/08/13 07:26:57 itojun Exp $ d3 176 a178 25 --- ospf6d/Makefile.am.orig Sat Jun 29 15:20:39 2002 +++ ospf6d/Makefile.am Wed Jul 10 08:34:31 2002 @@@@ -34,15 +34,17 @@@@ EXTRA_DIST = $(sysconf_DATA) +sysconfdatadir=$(datadir)/examples/quagga + install-sysconfDATA: $(sysconf_DATA) @@$(NORMAL_INSTALL) - $(mkinstalldirs) $(DESTDIR)$(sysconfdir) + $(mkinstalldirs) $(DESTDIR)$(sysconfdatadir) @@list='$(sysconf_DATA)'; for p in $$list; do \ if test -f $(srcdir)/$$p; then \ - echo " $(INSTALL_SDATA) $(srcdir)/$$p $(DESTDIR)$(sysconfdir)/$$p"; \ - $(INSTALL_SDATA) $(srcdir)/$$p $(DESTDIR)$(sysconfdir)/$$p; \ + echo " $(INSTALL_SDATA) $(srcdir)/$$p $(DESTDIR)$(sysconfdatadir)/$$p"; \ + $(INSTALL_SDATA) $(srcdir)/$$p $(DESTDIR)$(sysconfdatadir)/$$p; \ else if test -f $$p; then \ - echo " $(INSTALL_SDATA) $$p $(DESTDIR)$(sysconfdir)/$$p"; \ - $(INSTALL_SDATA) $$p $(DESTDIR)$(sysconfdir)/$$p; \ + echo " $(INSTALL_SDATA) $$p $(DESTDIR)$(sysconfdatadir)/$$p"; \ + $(INSTALL_SDATA) $$p $(DESTDIR)$(sysconfdatadir)/$$p; \ fi; fi; \ done @ 1.2.26.1 log @pullup ticket #2376 - requested by tonnerre quagga: fixes denial of service revisions pulled up: - pkgsrc/net/quagga/Makefile 1.31 - pkgsrc/net/quagga/distinfo 1.10 - pkgsrc/net/quagga/patches/patch-ab 1.3 - pkgsrc/net/quagga/patches/patch-ac 1.3 
Module Name: pkgsrc Committed By: tonnerre Date: Tue May 13 22:30:47 UTC 2008 Modified Files: pkgsrc/net/quagga: Makefile distinfo Added Files: pkgsrc/net/quagga/patches: patch-ab patch-ac Log Message: Add patch for CVE-2007-1995 for stable quagga (NLRI attributes denial of service). @ text @d1 1 a1 1 $NetBSD: patch-ab,v 1.3 2008/05/13 22:30:47 tonnerre Exp $ d3 25 a27 176 --- bgpd/bgp_attr.c +++ bgpd/bgp_attr.c @@@@ -39,7 +39,7 @@@@ Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA #include "bgpd/bgp_ecommunity.h" /* Attribute strings for logging. */ -struct message attr_str [] = +static struct message attr_str [] = { { BGP_ATTR_ORIGIN, "ORIGIN" }, { BGP_ATTR_AS_PATH, "AS_PATH" }, @@@@ -58,6 +58,7 @@@@ struct message attr_str [] = { BGP_ATTR_MP_UNREACH_NLRI, "MP_UNREACH_NLRI" }, { 0, NULL } }; +int attr_str_max = sizeof(attr_str)/sizeof(attr_str[0]); struct hash *cluster_hash; @@@@ -922,24 +923,30 @@@@ bgp_mp_reach_parse (struct peer *peer, bgp_size_t length, struct attr *attr, { u_int16_t afi; u_char safi; - u_char snpa_num; - u_char snpa_len; - u_char *lim; bgp_size_t nlri_len; + size_t start; int ret; struct stream *s; /* Set end of packet. */ - s = peer->ibuf; - lim = stream_pnt (s) + length; - + s = BGP_INPUT(peer); + start = stream_get_getp(s); + + /* safe to read statically sized header? */ +#define BGP_MP_REACH_MIN_SIZE 5 + if ((length > STREAM_READABLE(s)) || (length < BGP_MP_REACH_MIN_SIZE)) + return -1; + /* Load AFI, SAFI. */ afi = stream_getw (s); safi = stream_getc (s); /* Get nexthop length. */ attr->mp_nexthop_len = stream_getc (s); - + + if (STREAM_READABLE(s) < attr->mp_nexthop_len) + return -1; + /* Nexthop length check. 
*/ switch (attr->mp_nexthop_len) { @@@@ -986,31 +993,28 @@@@ bgp_mp_reach_parse (struct peer *peer, bgp_size_t length, struct attr *attr, break; } - snpa_num = stream_getc (s); - - while (snpa_num--) - { - snpa_len = stream_getc (s); - stream_forward (s, (snpa_len + 1) >> 1); - } + if (!STREAM_READABLE(s)) + return -1; + + { + u_char val; + if ((val = stream_getc (s))) + zlog_warn ("%s sent non-zero value, %u, for defunct SNPA-length field", + peer->host, val); + } + + /* must have nrli_len, what is left of the attribute */ + nlri_len = length - (stream_get_getp(s) - start); + if ((!nlri_len) || (nlri_len > STREAM_READABLE(s))) + return -1; - /* If peer is based on old draft-00. I read NLRI length from the - packet. */ - if (peer->version == BGP_VERSION_MP_4_DRAFT_00) - { - bgp_size_t nlri_total_len; - nlri_total_len = stream_getw (s); - } - - nlri_len = lim - stream_pnt (s); - if (safi != BGP_SAFI_VPNV4) { ret = bgp_nlri_sanity_check (peer, afi, stream_pnt (s), nlri_len); if (ret < 0) return -1; } - + mp_update->afi = afi; mp_update->safi = safi; mp_update->nlri = stream_pnt (s); @@@@ -1023,24 +1027,26 @@@@ bgp_mp_reach_parse (struct peer *peer, bgp_size_t length, struct attr *attr, /* Multiprotocol unreachable parse */ int -bgp_mp_unreach_parse (struct peer *peer, int length, +bgp_mp_unreach_parse (struct peer *peer, bgp_size_t length, struct bgp_nlri *mp_withdraw) { struct stream *s; u_int16_t afi; u_char safi; - u_char *lim; u_int16_t withdraw_len; int ret; s = peer->ibuf; - lim = stream_pnt (s) + length; +#define BGP_MP_UNREACH_MIN_SIZE 3 + if ((length > STREAM_READABLE(s)) || (length < BGP_MP_UNREACH_MIN_SIZE)) + return -1; + afi = stream_getw (s); safi = stream_getc (s); - - withdraw_len = lim - stream_pnt (s); - + + withdraw_len = length - BGP_MP_UNREACH_MIN_SIZE; + if (safi != BGP_SAFI_VPNV4) { ret = bgp_nlri_sanity_check (peer, afi, stream_pnt (s), withdraw_len); @@@@ -1271,13 +1277,23 @@@@ bgp_attr_parse (struct peer *peer, struct attr *attr, bgp_size_t 
size, /* If error occured immediately return to the caller. */ if (ret < 0) - return ret; + { + zlog (peer->log, LOG_WARNING, + "%s: Attribute %s, parse error", + peer->host, + LOOKUP (attr_str, type)); + bgp_notify_send (peer, + BGP_NOTIFY_UPDATE_ERR, + BGP_NOTIFY_UPDATE_MAL_ATTR); + return ret; + } /* Check the fetched length. */ if (BGP_INPUT_PNT (peer) != attr_endp) { zlog (peer->log, LOG_WARNING, - "%s BGP attribute fetch error", peer->host); + "%s: BGP attribute %s, fetch error", + peer->host, LOOKUP (attr_str, type)); bgp_notify_send (peer, BGP_NOTIFY_UPDATE_ERR, BGP_NOTIFY_UPDATE_ATTR_LENG_ERR); @@@@ -1289,7 +1305,8 @@@@ bgp_attr_parse (struct peer *peer, struct attr *attr, bgp_size_t size, if (BGP_INPUT_PNT (peer) != endp) { zlog (peer->log, LOG_WARNING, - "%s BGP attribute length mismatch", peer->host); + "%s BGP attribute %s, length mismatch", + peer->host, LOOKUP (attr_str, type)); bgp_notify_send (peer, BGP_NOTIFY_UPDATE_ERR, BGP_NOTIFY_UPDATE_ATTR_LENG_ERR); diff --git a/doc/quagga.info b/doc/quagga.info diff --git a/lib/stream.h b/lib/stream.h index f7a94ea..a85e413 100644 @ 1.1 log @Initial revision @ text @d1 1 a1 1 $NetBSD: patch-ab,v 1.5 2002/08/25 21:50:21 jlam Exp $ @ 1.1.1.1 log @quagga-0.96, fork of zebra @ text @@