From: claudio
Date: Mon, 3 May 2021 14:08:09 +0000 (+0000)
Subject: When negotiating multiprotocol capabilities only fall back to AID_INET when
X-Git-Url: http://artulab.com/gitweb/?a=commitdiff_plain;h=7b306117fd12411a8b9427316c8a86e9a49f60b1;p=openbsd

When negotiating multiprotocol capabilities only fall back to AID_INET when
no capability was sent to the peer (this happens if the multiprotocol
capability got disabled). It is possible that local and remote systems
end up with no shared AFI/SAFI pair. In this case the connection will
not send or should not receive any UPDATE messages.
The previous behaviour of falling back to AID_INET in that case can result
in problematic behaviour when sessions are misconfigured.
OK benno@, deraadt@
---
diff --git a/usr.sbin/bgpd/session.c b/usr.sbin/bgpd/session.c index fc110506b2a..e2649432b9b 100644 --- a/usr.sbin/bgpd/session.c +++ b/usr.sbin/bgpd/session.c @@ -1,4 +1,4 @@ -/* $OpenBSD: session.c,v 1.412 2021/04/27 09:12:23 claudio Exp $ */ +/* $OpenBSD: session.c,v 1.413 2021/05/03 14:08:09 claudio Exp $ */ /* * Copyright (c) 2003, 2004, 2005 Henning Brauer @@ -2557,11 +2557,12 @@ capa_neg_calc(struct peer *p) /* MP: both side must announce capability */ for (i = 0; i < AID_MAX; i++) { - if (p->capa.ann.mp[i] && p->capa.peer.mp[i]) { + if (p->capa.ann.mp[i] && p->capa.peer.mp[i]) p->capa.neg.mp[i] = 1; - hasmp = 1; - } else + else p->capa.neg.mp[i] = 0; + if (p->capa.ann.mp[i]) + hasmp = 1; } /* if no MP capability present default to IPv4 unicast mode */ if (!hasmp)
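
Review bot: In the capa_neg_calc() hunk, the comment above `if (!hasmp)` still reads "if no MP capability present default to IPv4 unicast mode", but hasmp is now set from `p->capa.ann.mp[i]` alone, so it records whether we announced any MP capability rather than whether one was negotiated. Please reword the comment to match, for example "if no MP capability was announced, default to IPv4 unicast mode". A second point on the same loop: it can now finish with hasmp set and every `p->capa.neg.mp[i]` at 0, which is the "no shared AFI/SAFI pair" case from the commit message, and nothing in the visible lines logs or flags that state. A log message at that point would make a misconfigured session visible to the operator instead of leaving a session that is established but exchanges no UPDATE messages.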