author | 2017-05-26 20:55:30 +0000 | |
committer | 2017-05-26 20:55:30 +0000 | |
commit | 447ed31498a99bc4520e39bbd792499d5663f59d (patch) | |
tree | 6329817280ba0a7bc1a46a9948098dae5f1b0c00 | |
parent | sshbuf_consume: reset empty buffer; ok djm@ (diff) | |
AS 0 is special and should be considered an error.
Drop the session if it shows during OPEN or CAPA, or mark as invalid if
it is part of an Update.
required by RFC 7607
man page OK jmc@
OK florian@ benno@ claudio@
-rw-r--r-- | usr.sbin/bgpd/bgpd.8 | 14 | ||||
-rw-r--r-- | usr.sbin/bgpd/parse.y | 7 | ||||
-rw-r--r-- | usr.sbin/bgpd/rde_attr.c | 10 | ||||
-rw-r--r-- | usr.sbin/bgpd/session.c | 18 |
4 files changed, 43 insertions, 6 deletions
diff --git a/usr.sbin/bgpd/bgpd.8 b/usr.sbin/bgpd/bgpd.8
index 3e332d9b04f..c978ea79a94 100644
--- a/usr.sbin/bgpd/bgpd.8
+++ b/usr.sbin/bgpd/bgpd.8
@@ -1,4 +1,4 @@
-.\" $OpenBSD: bgpd.8,v 1.52 2017/02/19 11:38:24 phessler Exp $
+.\" $OpenBSD: bgpd.8,v 1.53 2017/05/26 20:55:30 phessler Exp $
 .\"
 .\" Copyright (c) 2003, 2004 Henning Brauer <henning@openbsd.org>
 .\"
@@ -14,7 +14,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: February 19 2017 $
+.Dd $Mdocdate: May 26 2017 $
 .Dt BGPD 8
 .Os
 .Sh NAME
@@ -357,6 +357,16 @@ control socket
 .Re
 .Pp
 .Rs
+.%A W. Kumari
+.%A R. Bush
+.%A H. Schiller
+.%A K. Patel
+.%D August 2015
+.%R RFC 7607
+.%T Codification of AS 0 Processing
+.Re
+.Pp
+.Rs
 .%D August 2011
 .%R draft-ietf-grow-mrt-17
 .%T MRT routing information export format
diff --git a/usr.sbin/bgpd/parse.y b/usr.sbin/bgpd/parse.y
index ec2f34358ee..eaab552b8af 100644
--- a/usr.sbin/bgpd/parse.y
+++ b/usr.sbin/bgpd/parse.y
@@ -1,4 +1,4 @@
-/* $OpenBSD: parse.y,v 1.300 2017/05/26 14:08:51 phessler Exp $ */
+/* $OpenBSD: parse.y,v 1.301 2017/05/26 20:55:30 phessler Exp $ */
 /*
 * Copyright (c) 2002, 2003, 2004 Henning Brauer <henning@openbsd.org>
@@ -3661,6 +3661,11 @@ neighbor_consistent(struct peer *p)
 return (-1);
 }
 
+ if (p->conf.remote_as == 0) {
+ yyerror("peer AS may not be zero");
+ return (-1);
+ }
+
 /* set default values if they where undefined */
 p->conf.ebgp = (p->conf.remote_as != conf->as);
 if (p->conf.announce_type == ANNOUNCE_UNDEF)
diff --git a/usr.sbin/bgpd/rde_attr.c b/usr.sbin/bgpd/rde_attr.c
index e54227b93e1..64d3aaea3d9 100644
--- a/usr.sbin/bgpd/rde_attr.c
+++ b/usr.sbin/bgpd/rde_attr.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: rde_attr.c,v 1.97 2017/01/24 04:22:42 benno Exp $ */
+/* $OpenBSD: rde_attr.c,v 1.98 2017/05/26 20:55:30 phessler Exp $ */
 /*
 * Copyright (c) 2004 Claudio Jeker <claudio@openbsd.org>
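Review bot: The new `p->conf.remote_as == 0` check in the parse.y hunk is unconditional, so any neighbor whose AS is left at its zero default becomes a configuration error; if the grammar allows a neighbor without an explicit AS (template peers, or `enforce neighbor-as no`, both outside this hunk), those configurations now fail to load. If that is the case the condition should be narrowed, e.g. `if (p->conf.remote_as == 0 && p->conf.enforce_as != ENFORCE_AS_NO)`, so that only peers with a stated AS are checked here. The local AS read on the next visible line (`conf->as`) is not checked against zero in this function either; RFC 7607 forbids AS 0 in the OPEN this speaker sends as well, so it is worth confirming that the top-level `AS` statement rejects 0. neighbor_consistent() starts above the hunk.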
@@ -426,7 +426,7 @@ aspath_verify(void *data, u_int16_t len, int as4byte)
 u_int8_t *seg = data;
 u_int16_t seg_size, as_size = 2;
 u_int8_t seg_len, seg_type;
- int error = 0;
+ int i, error = 0;
 
 if (len & 1)
 /* odd length aspath are invalid */
@@ -460,6 +460,12 @@ aspath_verify(void *data, u_int16_t len, int as4byte)
 if (seg_size == 0)
 /* empty aspath segments are not allowed */
 return (AS_ERR_BAD);
+
+ /* RFC 7607 - AS 0 is considered malformed */
+ for (i = 0; i < seg_len; i++) {
+ if (aspath_extract(seg, i) == 0)
+ return (AS_ERR_SOFT);
+ }
 }
 return (error); /* aspath is valid but probably not loop free */
 }
diff --git a/usr.sbin/bgpd/session.c b/usr.sbin/bgpd/session.c
index 6a23577c6d0..c1d98b78947 100644
--- a/usr.sbin/bgpd/session.c
+++ b/usr.sbin/bgpd/session.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: session.c,v 1.359 2017/02/13 14:48:44 phessler Exp $ */
+/* $OpenBSD: session.c,v 1.360 2017/05/26 20:55:30 phessler Exp $ */
 /*
 * Copyright (c) 2003, 2004, 2005 Henning Brauer <henning@openbsd.org>
@@ -2017,6 +2017,14 @@ parse_open(struct peer *peer)
 memcpy(&short_as, p, sizeof(short_as));
 p += sizeof(short_as);
 as = peer->short_as = ntohs(short_as);
+ if (as == 0) {
+ log_peer_warnx(&peer->conf,
+ "peer requests unacceptable AS %u", as);
+ session_notification(peer, ERR_OPEN, ERR_OPEN_AS,
+ NULL, 0);
+ change_state(peer, STATE_IDLE, EVNT_RCVD_OPEN);
+ return (-1);
+ }
 
 memcpy(&oholdtime, p, sizeof(oholdtime));
 p += sizeof(oholdtime);
@@ -2477,6 +2485,14 @@ parse_capabilities(struct peer *peer, u_char *d, u_int16_t dlen, u_int32_t *as)
 }
 memcpy(&remote_as, capa_val, sizeof(remote_as));
 *as = ntohl(remote_as);
+ if (*as == 0) {
+ log_peer_warnx(&peer->conf,
+ "peer requests unacceptable AS %u", *as);
+ session_notification(peer, ERR_OPEN, ERR_OPEN_AS,
+ NULL, 0);
+ change_state(peer, STATE_IDLE, EVNT_RCVD_OPEN);
+ return (-1);
+ }
 peer->capa.peer.as4byte = 1;
 break;
 default:
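Review bot: The new loop in the second rde_attr.c hunk walks the wire-format segment with `aspath_extract(seg, i)`, but aspath_verify() also runs for peers without the 4-byte AS capability, where the first hunk's `as_size = 2` applies and each AS occupies two bytes. aspath_extract() is outside the hunk; as far as I can tell it reads a 4-byte AS at a fixed 4-byte stride from the segment start, so on a 2-byte session the comparison covers two adjacent ASNs at once (an AS 0 next to a non-zero AS is missed) and for i >= seg_len/2 it reads past the end of the segment, and past `len` for the last segment, which is an out-of-bounds read on attacker-controlled UPDATE data even though `seg_size > len` was checked just above. The loop should step by as_size and copy exactly as_size bytes; a zero-initialized u_int32_t filled with as_size bytes is zero exactly when the AS on the wire is zero, independent of byte order. aspath_verify() starts before the first hunk and the seg_type/seg_size checks lie between the two hunks.
```c
		/* … unchanged: segment header, type, and seg_size > len checks … */
		/* RFC 7607 - AS 0 is considered malformed */
		for (i = 0; i < seg_len; i++) {
			u_int32_t as = 0;

			/* as_size (2 or 4) bytes per AS on the wire; seg_size <= len was checked above */
			memcpy(&as, seg + 2 + i * as_size, as_size);
			if (as == 0)
				return (AS_ERR_SOFT);
		}
```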
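Review bot: In the parse_capabilities() hunk the new AS 0 path sends a NOTIFICATION and moves the peer to IDLE itself before returning -1, whereas the caller is outside the hunk; if parse_open() already answers a -1 from parse_capabilities() with its own session_notification()/change_state() pair (as the other `return (-1)` sites in this function, which are not visible here, may rely on), this peer receives two NOTIFICATIONs and goes through the IDLE transition twice for one OPEN — please confirm against the caller, and if so either return a distinct value or drop the notification from this hunk. The eight-line block is also repeated verbatim in both session.c hunks; a small file-local helper that logs, notifies with ERR_OPEN_AS and changes state would keep the message text and subcode in sync between the OPEN and capability paths. Both parse_open() and parse_capabilities() start and continue outside the hunks.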