BGP: Only accept prefixes for negotiated address families

When handling a received Update message, only process and store the
prefixes if the corresponding address family has been negotiated with
the peer. Prior to this change, the receive processing only checked
whether the address family was locally configured, trusting the peer
not to advertise prefixes for an address family that had not been
negotiated. Most implementations conform to this, but a misbehaving peer
could result in processing and memory overhead.

Signed-off-by: Vivek Venkatraman <vivek@cumulusnetworks.com>
Reviewed-by:   Donald Sharp <sharpd@cumulusnetworks.com>
Reviewed-by:   Daniel Walton <dwalton@cumulusnetworks.com>

Ticket: CM-5594
Reviewed By: CCR-3946
Testing Done: Sanity test (good case)
vivek 2016-01-07 22:14:38 -08:00
parent a656dafaf2
commit 4b150ae78a


@ -1499,9 +1499,10 @@ bgp_update_receive (struct peer *peer, bgp_size_t size)
}
}
/* NLRI is processed only when the peer is configured specific
Address Family and Subsequent Address Family. */
if (peer->afc[AFI_IP][SAFI_UNICAST])
/* NLRI is processed only when the the corresponding address-family
* has been negotiated with the peer.
*/
if (peer->afc_nego[AFI_IP][SAFI_UNICAST])
{
if (withdraw.length)
bgp_nlri_parse (peer, NULL, &withdraw);
@ -1538,7 +1539,7 @@ bgp_update_receive (struct peer *peer, bgp_size_t size)
zlog_debug ("rcvd End-of-RIB for IPv4 Unicast from %s", peer->host);
}
}
if (peer->afc[AFI_IP][SAFI_MULTICAST])
if (peer->afc_nego[AFI_IP][SAFI_MULTICAST])
{
if (mp_update.length
&& mp_update.afi == AFI_IP
@ -1572,7 +1573,7 @@ bgp_update_receive (struct peer *peer, bgp_size_t size)
zlog_debug ("rcvd End-of-RIB for IPv4 Multicast from %s", peer->host);
}
}
if (peer->afc[AFI_IP6][SAFI_UNICAST])
if (peer->afc_nego[AFI_IP6][SAFI_UNICAST])
{
if (mp_update.length
&& mp_update.afi == AFI_IP6
@ -1605,7 +1606,7 @@ bgp_update_receive (struct peer *peer, bgp_size_t size)
zlog_debug ("rcvd End-of-RIB for IPv6 Unicast from %s", peer->host);
}
}
if (peer->afc[AFI_IP6][SAFI_MULTICAST])
if (peer->afc_nego[AFI_IP6][SAFI_MULTICAST])
{
if (mp_update.length
&& mp_update.afi == AFI_IP6
@ -1639,7 +1640,7 @@ bgp_update_receive (struct peer *peer, bgp_size_t size)
zlog_debug ("rcvd End-of-RIB for IPv6 Multicast from %s", peer->host);
}
}
if (peer->afc[AFI_IP][SAFI_MPLS_VPN])
if (peer->afc_nego[AFI_IP][SAFI_MPLS_VPN])
{
if (mp_update.length
&& mp_update.afi == AFI_IP