[quagga-dev 8578] Re: [quagga-users 12172] Quagga 0.99.18 Released (addressing CVE-2010-1674)

paul at jakma.org paul at jakma.org
Tue Mar 22 12:30:52 GMT 2011


On Tue, 22 Mar 2011, Greg Troxel wrote:

>
> We are using it, and I have some unpublished minor patches to it that I
> have on my todo list to push back.

Aha, excellent :)

> It's a core protocol feature of OSPF, and I don't think removing it 
> is reasonable.

I wouldn't call it a 'core' feature, but if you're using it I can 
understand you'd feel that way. ;) The problem though is supporting 
it. Do you have code we could use for testing it? E.g. an API client 
to inject opaques, or unit tests, etc. Even better, would you be able 
to help support the opaque stuff?

> Certainly the minimal fix is in order immediately, because the 
> current release is a regression from the previous one.  Or we can 
> back out all the ospf changes and release a point release with just 
> the BGP changes.

I strongly suspect the vast majority of ospfd users are using it for 
routing, and don't use opaques. For them the ospfd patches fix a 
number of problems.

> Longer term, I think you're right about making it use the general 
> refresh infrastructure.  But I don't think a desire to do that 
> eventually is good cause to break what's been there and mostly ok.

> opaque support doesn't actually get enabled unless you put capability
> opaque in the config, so I think it should default to on at compile time
> (and then off at run time); that will at least let us keep the
> compile-time path ok.

ACK, optional off features are pretty evil.

See attached 2 patches, to configure.ac and a compile fix for opaque, 
can you test? (It'll take 60 minutes at least to test - you need to 
make sure an opaque LSA stays stable and has to be refreshed, obv).

regards,
-- 
Paul Jakma  paul at jakma.org  twitter: @pjakma  PGP: 64A2FF6A
Fortune:
The only "intuitive" interface is the nipple. After that, it's all learned.
(Bruce Ediger, bediger at teal.csn.org, in comp.os.linux.misc, on X interfaces.)
-------------- next part --------------
commit 36de261b57eab7a7539fb6527a1f02f3898cbafd
Author: Paul Jakma <paul at quagga.net>
Date:   Tue Mar 22 10:18:05 2011 +0000

    build: change sense of opaque-{lsa,te} enable args to enable by default
    
    * configure.ac: (AC_ARG_ENABLE({ospf-te,opaque-lsa})) reverse the sense to
      --disable
      (enable_{opaque_lsa,ospf_te}) treat as enabled unless explicitly disabled.

diff --git a/configure.ac b/configure.ac
index 4409d20..27d26ef 100755
--- a/configure.ac
+++ b/configure.ac
@@ -219,15 +219,14 @@ AC_ARG_WITH(libpam,
 AC_ARG_ENABLE(tcp-zebra,
 [  --enable-tcp-zebra      enable TCP/IP socket connection between zebra and protocol daemon])
 AC_ARG_ENABLE(opaque-lsa,
-[  --enable-opaque-lsa     enable OSPF Opaque-LSA with OSPFAPI support (RFC2370)])
+  AC_HELP_STRING([--disable-opaque-lsa],[do not build OSPF Opaque-LSA with OSPFAPI support (RFC2370)]))
 AC_ARG_ENABLE(ospfapi,
-[  --disable-ospfapi       do not build OSPFAPI to access the OSPF LSA Database, 
-                          (this is the default if --enable-opaque-lsa is not set)])
+[  --disable-ospfapi       do not build OSPFAPI to access the OSPF LSA Database])
 AC_ARG_ENABLE(ospfclient,
 [  --disable-ospfclient    do not build OSPFAPI client for OSPFAPI, 
                           (this is the default if --disable-ospfapi is set)])
 AC_ARG_ENABLE(ospf-te,
-[  --enable-ospf-te        enable Traffic Engineering Extension to OSPF])
+  AC_HELP_STRING([--disable-ospf-te],[disable Traffic Engineering Extension to OSPF]))
 AC_ARG_ENABLE(multipath,
 [  --enable-multipath=ARG  enable multipath function, ARG must be digit])
 AC_ARG_ENABLE(user,
@@ -292,11 +291,11 @@ if test "${enable_tcp_zebra}" = "yes"; then
   AC_DEFINE(HAVE_TCP_ZEBRA,,Use TCP for zebra communication)
 fi
 
-if test "${enable_opaque_lsa}" = "yes"; then
+if test "${enable_opaque_lsa}" != "no"; then
   AC_DEFINE(HAVE_OPAQUE_LSA,,OSPF Opaque LSA)
 fi
 
-if test "${enable_ospf_te}" = "yes"; then
+if test "${enable_ospf_te}" != "no"; then
   AC_DEFINE(HAVE_OPAQUE_LSA,,OSPF Opaque LSA)
   AC_DEFINE(HAVE_OSPF_TE,,OSPF TE)
 fi
-------------- next part --------------
diff --git a/ospfd/ospf_lsa.h b/ospfd/ospf_lsa.h
index fee3470..72e2f8a 100644
--- a/ospfd/ospf_lsa.h
+++ b/ospfd/ospf_lsa.h
@@ -114,6 +114,9 @@ struct ospf_lsa
 
   /* Refreshement List or Queue */
   int refresh_list;
+  
+  /* For Type-9 Opaque-LSAs */
+  struct ospf_interface *oi;
 };
 
 /* OSPF LSA Link Type. */
diff --git a/ospfd/ospf_nsm.c b/ospfd/ospf_nsm.c
index 279d2a0..cbc3171 100644
--- a/ospfd/ospf_nsm.c
+++ b/ospfd/ospf_nsm.c
@@ -216,7 +216,7 @@ ospf_db_summary_add (struct ospf_neighbor *nbr, struct ospf_lsa *lsa)
     {
     case OSPF_OPAQUE_LINK_LSA:
       /* Exclude type-9 LSAs that does not have the same "oi" with "nbr". */
-      if (lsa->oi != nbr->oi)
+      if (nbr->oi && ospf_if_exists (lsa->oi) != nbr->oi)
           return 0;
       break;
     case OSPF_OPAQUE_AREA_LSA:
diff --git a/ospfd/ospf_opaque.c b/ospfd/ospf_opaque.c
index 6e90011..aa126e1 100644
--- a/ospfd/ospf_opaque.c
+++ b/ospfd/ospf_opaque.c
@@ -251,7 +251,7 @@ struct ospf_opaque_functab
   void (* config_write_debug )(struct vty *vty);
   void (* show_opaque_info   )(struct vty *vty, struct ospf_lsa *lsa);
   int  (* lsa_originator)(void *arg);
-  void (* lsa_refresher )(struct ospf_lsa *lsa);
+  struct ospf_lsa *(* lsa_refresher )(struct ospf_lsa *lsa);
   int (* new_lsa_hook)(struct ospf_lsa *lsa);
   int (* del_lsa_hook)(struct ospf_lsa *lsa);
 };
@@ -354,7 +354,7 @@ ospf_register_opaque_functab (
   void (* config_write_debug )(struct vty *vty),
   void (* show_opaque_info   )(struct vty *vty, struct ospf_lsa *lsa),
   int  (* lsa_originator)(void *arg),
-  void (* lsa_refresher )(struct ospf_lsa *lsa),
+  struct ospf_lsa *(* lsa_refresher )(struct ospf_lsa *lsa),
   int (* new_lsa_hook)(struct ospf_lsa *lsa),
   int (* del_lsa_hook)(struct ospf_lsa *lsa))
 {
@@ -1608,12 +1608,13 @@ out:
   return new;
 }
 
-void
+struct ospf_lsa *
 ospf_opaque_lsa_refresh (struct ospf_lsa *lsa)
 {
   struct ospf *ospf;
   struct ospf_opaque_functab *functab;
-
+  struct ospf_lsa *new = NULL;
+  
   ospf = ospf_lookup ();
 
   if ((functab = ospf_opaque_functab_lookup (lsa)) == NULL
@@ -1633,9 +1634,9 @@ ospf_opaque_lsa_refresh (struct ospf_lsa *lsa)
       ospf_lsa_flush (ospf, lsa);
     }
   else
-    (* functab->lsa_refresher)(lsa);
+    new = (* functab->lsa_refresher)(lsa);
 
-  return;
+  return new;
 }
 
 /*------------------------------------------------------------------------*
diff --git a/ospfd/ospf_opaque.h b/ospfd/ospf_opaque.h
index f49fe46..2273064 100644
--- a/ospfd/ospf_opaque.h
+++ b/ospfd/ospf_opaque.h
@@ -120,7 +120,7 @@ ospf_register_opaque_functab (
   void (* config_write_debug )(struct vty *vty),
   void (* show_opaque_info   )(struct vty *vty, struct ospf_lsa *lsa),
   int  (* lsa_originator)(void *arg),
-  void (* lsa_refresher )(struct ospf_lsa *lsa),
+  struct ospf_lsa *(* lsa_refresher )(struct ospf_lsa *lsa),
   int (* new_lsa_hook)(struct ospf_lsa *lsa),
   int (* del_lsa_hook)(struct ospf_lsa *lsa)
 );
@@ -143,7 +143,7 @@ extern void ospf_opaque_lsa_originate_schedule (struct ospf_interface *oi,
 						int *init_delay);
 extern struct ospf_lsa *ospf_opaque_lsa_install (struct ospf_lsa *,
 						 int rt_recalc);
-extern void ospf_opaque_lsa_refresh (struct ospf_lsa *lsa);
+extern struct ospf_lsa *ospf_opaque_lsa_refresh (struct ospf_lsa *lsa);
 
 extern void ospf_opaque_lsa_reoriginate_schedule (void *lsa_type_dependent,
 						  u_char lsa_type,


More information about the Quagga-dev mailing list