From 7b306117fd12411a8b9427316c8a86e9a49f60b1 Mon Sep 17 00:00:00 2001 From: claudio Date: Mon, 3 May 2021 14:08:09 +0000 Subject: [PATCH] When negotiating multiprotocol capabilities only fall back to AID_INET when no capability was sent to the peer (this happens if the multiprotocol capability got disabled). It is possible that local and remote systems end up with no shared AFI/SAFI pair. In this case the connection will not send or should not receive any UPDATE messages. The previous behaviour of falling back to AID_INET in that case can result in problematic behaviour when sessions are misconfigured. OK benno@, deraadt@ --- usr.sbin/bgpd/session.c | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/usr.sbin/bgpd/session.c b/usr.sbin/bgpd/session.c index fc110506b2a..e2649432b9b 100644 --- a/usr.sbin/bgpd/session.c +++ b/usr.sbin/bgpd/session.c @@ -1,4 +1,4 @@ -/* $OpenBSD: session.c,v 1.412 2021/04/27 09:12:23 claudio Exp $ */ +/* $OpenBSD: session.c,v 1.413 2021/05/03 14:08:09 claudio Exp $ */ /* * Copyright (c) 2003, 2004, 2005 Henning Brauer @@ -2557,11 +2557,12 @@ capa_neg_calc(struct peer *p) /* MP: both side must announce capability */ for (i = 0; i < AID_MAX; i++) { - if (p->capa.ann.mp[i] && p->capa.peer.mp[i]) { + if (p->capa.ann.mp[i] && p->capa.peer.mp[i]) p->capa.neg.mp[i] = 1; - hasmp = 1; - } else + else p->capa.neg.mp[i] = 0; + if (p->capa.ann.mp[i]) + hasmp = 1; } /* if no MP capability present default to IPv4 unicast mode */ if (!hasmp) -- 2.20.1
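Review bot: In the capa_neg_calc() hunk, the unchanged trailing comment "/* if no MP capability present default to IPv4 unicast mode */" no longer describes the condition it sits above. With hasmp now set from p->capa.ann.mp[i] alone, the fallback runs only when the local side announced no MP capability, not when none was negotiated. Suggest rewording the comment to something like "if no MP capability was announced to the peer, default to IPv4 unicast mode", and consider renaming hasmp to reflect that it tracks what was announced. Separately, in the visible lines a session where every p->capa.neg.mp[i] ends up 0 passes through the loop without any report. Since the commit message says such a session should exchange no UPDATE messages, a log message at that point would give operators a direct signal that the AFI/SAFI configuration on the two ends does not overlap.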