From 29c60afb6b661fcb7251bd16a2d59605b4756e01 Mon Sep 17 00:00:00 2001
From: Donald Sharp <sharpd@cumulusnetworks.com>
Date: Sat, 10 Jun 2017 15:37:02 -0400
Subject: [PATCH 1/9] bgpd: Free allocated stream in error code

Signed-off-by: Donald Sharp <sharpd@cumulusnetworks.com>
---
 bgpd/bgp_updgrp_packet.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/bgpd/bgp_updgrp_packet.c b/bgpd/bgp_updgrp_packet.c
index 567e1e927e..51abc19bea 100644
--- a/bgpd/bgp_updgrp_packet.c
+++ b/bgpd/bgp_updgrp_packet.c
@@ -451,6 +451,7 @@ bpacket_reformat_for_peer (struct bpacket *pkt, struct peer_af *paf)
 		/* TODO: handle IPv6 nexthops */
 		zlog_warn ("%s: %s: invalid MP nexthop length (AFI IP): %u",
                 	   __func__, peer->host, nhlen);
+                stream_free (s);
 		return NULL;
 	    }
 
@@ -542,6 +543,7 @@ bpacket_reformat_for_peer (struct bpacket *pkt, struct peer_af *paf)
 		/* TODO: handle IPv4 nexthops */
 		zlog_warn ("%s: %s: invalid MP nexthop length (AFI IP6): %u",
                 	   __func__, peer->host, nhlen);
+                stream_free (s);
 		return NULL;
 	    }
 

From 6201488ab3230d2a4d3a1dd100971b40105f6496 Mon Sep 17 00:00:00 2001
From: Donald Sharp <sharpd@cumulusnetworks.com>
Date: Sat, 10 Jun 2017 15:42:13 -0400
Subject: [PATCH 2/9] zebra: Fix possible buffer overrun

Use the correct size of the string.

Signed-off-by: Donald Sharp <sharpd@cumulusnetworks.com>
---
 zebra/zebra_vty.c | 14 +++++++-------
 1 file changed, 7 insertions(+), 7 deletions(-)

diff --git a/zebra/zebra_vty.c b/zebra/zebra_vty.c
index 6f1c81eda1..3eb6e85a4c 100644
--- a/zebra/zebra_vty.c
+++ b/zebra/zebra_vty.c
@@ -740,7 +740,7 @@ vty_show_ip_route_detail (struct vty *vty, struct route_node *rn, int mcast)
 	    case NEXTHOP_TYPE_IPV6:
 	    case NEXTHOP_TYPE_IPV6_IFINDEX:
 	      vty_out (vty, " %s",
-		       inet_ntop (AF_INET6, &nexthop->gate.ipv6, buf, BUFSIZ));
+		       inet_ntop (AF_INET6, &nexthop->gate.ipv6, buf, sizeof buf));
 	      if (nexthop->ifindex)
 		vty_out (vty, ", via %s",
                          ifindex2ifname (nexthop->ifindex, re->vrf_id));
@@ -793,7 +793,7 @@ vty_show_ip_route_detail (struct vty *vty, struct route_node *rn, int mcast)
            {
              vty_out (vty, ", label %s",
                       mpls_label2str (nexthop->nh_label->num_labels,
-                                      nexthop->nh_label->label, buf, BUFSIZ, 1));
+                                      nexthop->nh_label->label, buf, sizeof buf, 1));
            }
 
 	  vty_out (vty, "%s", VTY_NEWLINE);
@@ -890,7 +890,7 @@ vty_show_ip_route (struct vty *vty, struct route_node *rn, struct route_entry *r
               break;
             case NEXTHOP_TYPE_IPV6:
             case NEXTHOP_TYPE_IPV6_IFINDEX:
-              json_object_string_add(json_nexthop, "ip", inet_ntop (AF_INET6, &nexthop->gate.ipv6, buf, BUFSIZ));
+              json_object_string_add(json_nexthop, "ip", inet_ntop (AF_INET6, &nexthop->gate.ipv6, buf, sizeof buf));
               json_object_string_add(json_nexthop, "afi", "ipv6");
 
               if (nexthop->ifindex)
@@ -1001,7 +1001,7 @@ vty_show_ip_route (struct vty *vty, struct route_node *rn, struct route_entry *r
         case NEXTHOP_TYPE_IPV6:
 	case NEXTHOP_TYPE_IPV6_IFINDEX:
 	  vty_out (vty, " via %s",
-		   inet_ntop (AF_INET6, &nexthop->gate.ipv6, buf, BUFSIZ));
+		   inet_ntop (AF_INET6, &nexthop->gate.ipv6, buf, sizeof buf));
 	  if (nexthop->ifindex)
 	    vty_out (vty, ", %s",
                      ifindex2ifname (nexthop->ifindex, re->vrf_id));
@@ -1053,7 +1053,7 @@ vty_show_ip_route (struct vty *vty, struct route_node *rn, struct route_entry *r
        {
          vty_out (vty, ", label %s",
                   mpls_label2str (nexthop->nh_label->num_labels,
-                                  nexthop->nh_label->label, buf, BUFSIZ, 1));
+                                  nexthop->nh_label->label, buf, sizeof buf, 1));
        }
 
       if (CHECK_FLAG (re->flags, ZEBRA_FLAG_BLACKHOLE))
@@ -1929,7 +1929,7 @@ static_config (struct vty *vty, afi_t afi, safi_t safi, const char *cmd)
                 vty_out (vty, " %s", inet_ntoa (si->addr.ipv4));
                 break;
               case STATIC_IPV6_GATEWAY:
-                vty_out (vty, " %s", inet_ntop (AF_INET6, &si->addr.ipv6, buf, BUFSIZ));
+                vty_out (vty, " %s", inet_ntop (AF_INET6, &si->addr.ipv6, buf, sizeof buf));
                 break;
               case STATIC_IFINDEX:
                 vty_out (vty, " %s", si->ifname);
@@ -1939,7 +1939,7 @@ static_config (struct vty *vty, afi_t afi, safi_t safi, const char *cmd)
                 break;
               case STATIC_IPV6_GATEWAY_IFINDEX:
                 vty_out (vty, " %s %s",
-                         inet_ntop (AF_INET6, &si->addr.ipv6, buf, BUFSIZ),
+                         inet_ntop (AF_INET6, &si->addr.ipv6, buf, sizeof buf),
                          ifindex2ifname (si->ifindex, si->vrf_id));
                 break;
               }

From 4af0ab6d7d442e7701d17d12c15407d7d04ea4bb Mon Sep 17 00:00:00 2001
From: Donald Sharp <sharpd@cumulusnetworks.com>
Date: Sat, 10 Jun 2017 15:53:27 -0400
Subject: [PATCH 3/9] eigrpd: Fix use after free

Signed-off-by: Donald Sharp <sharpd@Cumulusnetworks.com>
---
 eigrpd/eigrp_hello.c | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/eigrpd/eigrp_hello.c b/eigrpd/eigrp_hello.c
index 0b370219b8..3ac7c8add9 100644
--- a/eigrpd/eigrp_hello.c
+++ b/eigrpd/eigrp_hello.c
@@ -122,7 +122,7 @@ eigrp_hello_timer (struct thread *thread)
  * Note the addition of K6 for the new extended metrics, and does not apply to
  * older TLV packet formats.
  */
-static void
+static struct eigrp_neighbor *
 eigrp_hello_parameter_decode (struct eigrp_neighbor *nbr,
                               struct eigrp_tlv_hdr_type *tlv)			      
 {
@@ -172,6 +172,7 @@ eigrp_hello_parameter_decode (struct eigrp_neighbor *nbr,
               zlog_info ("Neighbor %s (%s) is down: Interface PEER-TERMINATION received",
                          inet_ntoa (nbr->src),ifindex2ifname (nbr->ei->ifp->ifindex, VRF_DEFAULT));
               eigrp_nbr_delete (nbr);
+              return NULL;
             }
           else
             {
@@ -181,6 +182,8 @@ eigrp_hello_parameter_decode (struct eigrp_neighbor *nbr,
             }
         }
     }
+
+  return nbr;
 }
 
 static u_char
@@ -349,7 +352,9 @@ eigrp_hello_receive (struct eigrp *eigrp, struct ip *iph, struct eigrp_header *e
         switch (type)
           {
           case EIGRP_TLV_PARAMETER:
-            eigrp_hello_parameter_decode(nbr, tlv_header);
+            nbr = eigrp_hello_parameter_decode(nbr, tlv_header);
+            if (!nbr)
+              return;
             break;
           case EIGRP_TLV_AUTH:
             {

From 60805e322ec54242c996e235a486b27e2a5f8cfe Mon Sep 17 00:00:00 2001
From: Donald Sharp <sharpd@cumulusnetworks.com>
Date: Sat, 10 Jun 2017 16:09:29 -0400
Subject: [PATCH 4/9] eigrpd: Cleanup leaked dest_addr

Signed-off-by: Donald Sharp <sharpd@cumulusnetworks.com>
---
 eigrpd/eigrp_interface.c | 14 +++++++-------
 1 file changed, 7 insertions(+), 7 deletions(-)

diff --git a/eigrpd/eigrp_interface.c b/eigrpd/eigrp_interface.c
index 26643452cb..a9deafe257 100644
--- a/eigrpd/eigrp_interface.c
+++ b/eigrpd/eigrp_interface.c
@@ -291,13 +291,13 @@ eigrp_if_up (struct eigrp_interface *ei)
 
   /*Add connected entry to topology table*/
 
-  struct prefix_ipv4 *dest_addr = prefix_ipv4_new ();
+  struct prefix_ipv4 dest_addr;
 
-  dest_addr->family = AF_INET;
-  dest_addr->prefix = ei->connected->address->u.prefix4;
-  dest_addr->prefixlen = ei->connected->address->prefixlen;
-  apply_mask_ipv4 (dest_addr);
-  pe = eigrp_topology_table_lookup_ipv4 (eigrp->topology_table, dest_addr);
+  dest_addr.family = AF_INET;
+  dest_addr.prefix = ei->connected->address->u.prefix4;
+  dest_addr.prefixlen = ei->connected->address->prefixlen;
+  apply_mask_ipv4 (&dest_addr);
+  pe = eigrp_topology_table_lookup_ipv4 (eigrp->topology_table, &dest_addr);
 
   if (pe == NULL)
     {
@@ -305,7 +305,7 @@ eigrp_if_up (struct eigrp_interface *ei)
       pe->serno = eigrp->serno;
       pe->destination_ipv4 = prefix_ipv4_new ();
       prefix_copy ((struct prefix *)pe->destination_ipv4,
-		   (struct prefix *)dest_addr);
+		   (struct prefix *)&dest_addr);
       pe->af = AF_INET;
       pe->nt = EIGRP_TOPOLOGY_TYPE_CONNECTED;
 

From d52ecaa1de6efa1fc400c8f25d674f40babc6e2f Mon Sep 17 00:00:00 2001
From: Donald Sharp <sharpd@cumulusnetworks.com>
Date: Sat, 10 Jun 2017 16:13:51 -0400
Subject: [PATCH 5/9] eigrpd: Fix leak of ep

Signed-off-by: Donald Sharp <sharpd@cumulusnetworks.com>
---
 eigrpd/eigrp_query.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/eigrpd/eigrp_query.c b/eigrpd/eigrp_query.c
index 774461a097..3ef8f9a975 100644
--- a/eigrpd/eigrp_query.c
+++ b/eigrpd/eigrp_query.c
@@ -160,6 +160,7 @@ eigrp_send_query (struct eigrp_interface *ei)
   struct eigrp_neighbor *nbr;
   struct eigrp_prefix_entry *pe;
   char has_tlv;
+  bool ep_saved = false;
 
   ep = eigrp_packet_new(ei->ifp->mtu);
 
@@ -218,6 +219,7 @@ eigrp_send_query (struct eigrp_interface *ei)
         {
           /*Put packet to retransmission queue*/
           eigrp_fifo_push_head(nbr->retrans_queue, ep);
+          ep_saved = true;
 
           if (nbr->retrans_queue->count == 1)
             {
@@ -225,4 +227,7 @@ eigrp_send_query (struct eigrp_interface *ei)
             }
         }
     }
+
+  if (!ep_saved)
+    eigrp_packet_free(ep);
 }

From 73d11e2ec1c689b3882ce8cf8e8afe4f51515230 Mon Sep 17 00:00:00 2001
From: Donald Sharp <sharpd@cumulusnetworks.com>
Date: Sat, 10 Jun 2017 16:18:54 -0400
Subject: [PATCH 6/9] eigrpd: Use correct memory operation

Signed-off-by: Donald Sharp <sharpd@cumulusnetworks.com>
---
 eigrpd/eigrp_packet.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/eigrpd/eigrp_packet.c b/eigrpd/eigrp_packet.c
index 2d02acc00b..d252f91313 100644
--- a/eigrpd/eigrp_packet.c
+++ b/eigrpd/eigrp_packet.c
@@ -185,7 +185,7 @@ eigrp_check_md5_digest (struct stream *s,
   eigrph->checksum = 0;
 
   auth_TLV =(struct TLV_MD5_Authentication_Type *) (s->data + EIGRP_HEADER_LEN);
-  memcpy(auth_TLV->digest, "0", sizeof(auth_TLV->digest));
+  memset(auth_TLV->digest, 0, sizeof(auth_TLV->digest));
 
   ibuf = s->data;
   backup_end = s->endp;

From 4dfa484627d28e435e4d162aba55b5ac201dd535 Mon Sep 17 00:00:00 2001
From: Donald Sharp <sharpd@cumulusnetworks.com>
Date: Sat, 10 Jun 2017 16:31:49 -0400
Subject: [PATCH 7/9] eigrpd: Correctly size the dump data

Signed-off-by: Donald Sharp <sharpd@cumulusnetworks.com>
---
 eigrpd/eigrp_dump.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/eigrpd/eigrp_dump.c b/eigrpd/eigrp_dump.c
index c2fbe29cfc..4f0e3dd876 100644
--- a/eigrpd/eigrp_dump.c
+++ b/eigrpd/eigrp_dump.c
@@ -51,14 +51,14 @@
 /* Enable debug option variables -- valid only session. */
 unsigned long term_debug_eigrp = 0;
 unsigned long term_debug_eigrp_nei = 0;
-unsigned long term_debug_eigrp_packet[10] = {0, 0, 0, 0, 0, 0, 0, 0, 0, 0};
+unsigned long term_debug_eigrp_packet[11] = {0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0};
 unsigned long term_debug_eigrp_zebra = 6;
 unsigned long term_debug_eigrp_transmit = 0;
 
 /* Configuration debug option variables. */
 unsigned long conf_debug_eigrp = 0;
 unsigned long conf_debug_eigrp_nei = 0;
-unsigned long conf_debug_eigrp_packet[10] = {0, 0, 0, 0, 0, 0, 0, 0, 0, 0};
+unsigned long conf_debug_eigrp_packet[11] = {0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0};
 unsigned long conf_debug_eigrp_zebra = 0;
 unsigned long conf_debug_eigrp_transmit = 0;
 

From 43cb4d1106de0f5ca92bc309c30cbcb2f3064e75 Mon Sep 17 00:00:00 2001
From: Donald Sharp <sharpd@cumulusnetworks.com>
Date: Sat, 10 Jun 2017 16:36:32 -0400
Subject: [PATCH 8/9] zebra: Fix uninitialized memory access with src_p

Signed-off-by: Donald Sharp <sharpd@cumulusnetworks.com>
---
 zebra/rt_netlink.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/zebra/rt_netlink.c b/zebra/rt_netlink.c
index 88cdfbcae1..a22e080f40 100644
--- a/zebra/rt_netlink.c
+++ b/zebra/rt_netlink.c
@@ -296,6 +296,8 @@ netlink_route_change_read_unicast (struct sockaddr_nl *snl, struct nlmsghdr *h,
       p.family = AF_INET;
       memcpy (&p.u.prefix4, dest, 4);
       p.prefixlen = rtm->rtm_dst_len;
+
+      src_p.prefixlen = 0;   // Forces debug below to not display anything
     }
   else if (rtm->rtm_family == AF_INET6)
     {

From d722f26e09086bd3c7c2c37bd93e38fdd599954d Mon Sep 17 00:00:00 2001
From: Donald Sharp <sharpd@cumulusnetworks.com>
Date: Sat, 10 Jun 2017 16:39:41 -0400
Subject: [PATCH 9/9] zebra: Fix memory leak

Signed-off-by: Donald Sharp <sharpd@cumulusnetworks.com>
---
 zebra/zebra_vty.c | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/zebra/zebra_vty.c b/zebra/zebra_vty.c
index 3eb6e85a4c..8b5af69bff 100644
--- a/zebra/zebra_vty.c
+++ b/zebra/zebra_vty.c
@@ -3098,6 +3098,8 @@ DEFUN (ip_zebra_import_table_distance,
   int distance = ZEBRA_TABLE_DISTANCE_DEFAULT;
   char *rmap = strmatch (argv[argc - 2]->text, "route-map") ?
                XSTRDUP(MTYPE_ROUTE_MAP_NAME, argv[argc - 1]->arg) : NULL;
+  int ret;
+
   if (argc == 7 || (argc == 5 && !rmap))
     VTY_GET_INTEGER_RANGE("distance", distance, argv[4]->arg, 1, 255);
 
@@ -3115,7 +3117,11 @@ DEFUN (ip_zebra_import_table_distance,
       return CMD_WARNING;
     }
 
-  return (zebra_import_table(AFI_IP, table_id, distance, rmap, 1));
+  ret = zebra_import_table(AFI_IP, table_id, distance, rmap, 1);
+  if (rmap)
+    XFREE(MTYPE_ROUTE_MAP_NAME, rmap);
+
+  return ret;
 }
 
 DEFUN (no_ip_zebra_import_table,