Check prefix, address, and max lengths while decoding. #154
Merged
DRiKE
approved these changes
Aug 2, 2021
wip-sync
pushed a commit
to NetBSD/pkgsrc-wip
that referenced
this pull request
Aug 23, 2021
Pkgsrc changes:
* Re-compute checksums

Upstream changes:

Released 2021-08-23
No changes since 0.10.0-rc3.

Released 2021-08-02.
New
* Strict checking for address and prefix lengths in certificates, and for prefix and max-length in ROAs. (via [rpki #154], based on an error report by [@job])
[rpki #154]: NLnetLabs/rpki-rs#154
[@job]: https://github.com/job

Released 2021-07-27.
Bug Fixes
* Fix the missing line feed in the summary output format. ([#625])
* The RTR server now returns the correct PDU as a cache reset response, which is returned when the server cannot provide a delta update to a client. Previously, a broken End of Data PDU was returned. (Via [rpki #151].)
* Make parsing of local exception files much more strict to avoid introducing illegal VRPs into the data set. Parsing will now fail if any aspect of a prefix or prefix assertion is incorrect. This includes a non-zero host portion of a prefix. ([#627])
[#625]: NLnetLabs/routinator#625
[#627]: NLnetLabs/routinator#627
[rpki #151]: NLnetLabs/rpki-rs#151

Breaking changes
* Data is now stored directly in the file system again. This returns memory consumption to pre-0.9 levels. All improvements to robustness have been maintained. ([#590], [#601], [#604])
* The `json` and `jsonext` output formats now include a `metadata` object that contains the time the data set was created in the `generated` and `generatedTime` fields as Unix and ISO time stamps, respectively. ([#605])
* The JSON output of the `validate` command and of the `/validity` HTTP endpoint now include a `generatedTime` field that provides the generation time of the data set that was used for validation as an ISO time stamp. ([#605])
* The default RRDP timeout (via the `rrdp-timeout` option) has been increased to 300 seconds. ([#612])
New
* The maximum over delta steps performed during an update of an RRDP repository is now limited via the `rrdp-max-delta` option. If more steps are necessary, the snapshot is used instead. This will improve the update times in cases where Routinator isn't running constantly. The default limit is 100 steps. ([#615])
* It is now possible to disable the use of the gzip transfer encoding in the RRDP client via the new `rrdp-disable-gzip` option. ([#602])
* The start of a validation run is now logged as an info message. ([#609])
* A reference to the global help appears now at the end of a sub-command's help message. ([#607])
* A summary of the data set similar to the `summary` output format is now logged at log level info at the end of a validation run. ([#617])
Bug Fixes
* Catch and log error output from rsync. ([#577])
* Local exception files that contain prefix assertions with a shorter max-length than the prefix length are now rejected instead of adding these invalid prefix assertions to the output data set. ([#608])
* The `rrdp-timeout` command line option was setting both the RRDP timeout and the RRDP connection timeout. Now the `rrdp-connect-timeout` is correctly used for the latter. (Note: The config file was using the correct keys.) ([#611])
* Added `--rrdp-fallback-time` option to the command line parser. It was documented and supposed to be present previously, but wasn't. ([#614])
Other
* In the JSON metrics for RRDP repositories, the fields `serial`, `session`, `delta`, and `snapshotReason` are left out entirely when the server reported no changes via a 304 response. ([#613])
[#577]: NLnetLabs/routinator#577
[#590]: NLnetLabs/routinator#590
[#601]: NLnetLabs/routinator#601
[#602]: NLnetLabs/routinator#602
[#604]: NLnetLabs/routinator#604
[#605]: NLnetLabs/routinator#605
[#607]: NLnetLabs/routinator#607
[#608]: NLnetLabs/routinator#608
[#609]: NLnetLabs/routinator#609
[#611]: NLnetLabs/routinator#611
[#612]: NLnetLabs/routinator#612
[#613]: NLnetLabs/routinator#613
[#614]: NLnetLabs/routinator#614
[#615]: NLnetLabs/routinator#615
[#617]: NLnetLabs/routinator#617
wip-sync
pushed a commit
to NetBSD/pkgsrc-wip
that referenced
this pull request
Oct 23, 2021
Pkgsrc changes:
* Update dependencies, version# and checksums.

Upstream changes:

Released 2021-09-20.
No changes since 0.10.1-rc3.

Released 2021-09-15.
Other Changes
* Update UI to 0.3.4. ([#651])
* Fixed links for prefixes.
[#651]: NLnetLabs/routinator#651

Released 2021-09-13.
Bug Fixes
* Redirect `/` to `/ui` to bring back the UI for the blank hostname. ([#648])
Other Changes
* Update UI to 0.3.3.
* Fixes UI loading with query parameters.
[#648]: NLnetLabs/routinator#648

Released 2021-09-13.
Other Changes
* Extended UI with BGP and allocation data lookups. ([#635])
* The UI now lives in its own crate [routinator-ui]. ([#635])
[#635]: NLnetLabs/routinator#635
[routinator-ui]: https://crates.io/crates/routinator-ui

Released 2021-08-23
No changes since 0.10.0-rc3.

Released 2021-08-02.
New
* Strict checking for address and prefix lengths in certificates, and for prefix and max-length in ROAs. (via [rpki #154], based on an error report by [@job])
[rpki #154]: NLnetLabs/rpki-rs#154
[@job]: https://github.com/job

Released 2021-07-27.
Bug Fixes
* Fix the missing line feed in the summary output format. ([#625])
* The RTR server now returns the correct PDU as a cache reset response, which is returned when the server cannot provide a delta update to a client. Previously, a broken End of Data PDU was returned. (Via [rpki #151].)
* Make parsing of local exception files much more strict to avoid introducing illegal VRPs into the data set. Parsing will now fail if any aspect of a prefix or prefix assertion is incorrect. This includes a non-zero host portion of a prefix. ([#627])
[#625]: NLnetLabs/routinator#625
[#627]: NLnetLabs/routinator#627
[rpki #151]: NLnetLabs/rpki-rs#151
This PR adds address family-based checks for the lengths of addresses and prefixes in resource certificates and for prefix lengths and max-length in ROAs.
The PR is based on an error report by @job.
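
The kind of check the description refers to, as an added example that is not rpki-rs code and not part of this pull request: a strict decoder for an RFC 3779 `IPAddress` BIT STRING that bounds its length by address family, plus the ROA max-length rule. All type and function names are hypothetical, and the inputs in `main` are constructed.

```rust
// Added example, not rpki-rs code: strict, address-family-aware decoding of
// an RFC 3779 IPAddress BIT STRING and of a ROA maxLength. Names are hypothetical.
#[derive(Clone, Copy, Debug, PartialEq)]
pub enum Family { V4, V6 }
impl Family {
    pub fn max_bits(self) -> u8 { match self { Family::V4 => 32, Family::V6 => 128 } }
}
#[derive(Debug, PartialEq)]
pub enum Error { Empty, BadUnusedBits, TooLong, NonZeroPadding, BadMaxLength }
#[derive(Debug, PartialEq)]
pub struct RoaPrefix { pub addr: u128, pub len: u8, pub max_len: u8 }

/// `content` is the BIT STRING content: one unused-bits octet, then address octets.
/// Returns the address left-aligned in a u128 and the prefix length in bits.
pub fn decode_prefix(family: Family, content: &[u8]) -> Result<(u128, u8), Error> {
    let (&unused, octets) = content.split_first().ok_or(Error::Empty)?;
    // DER: unused bits are 0..=7 and must be 0 when no octets follow.
    if unused > 7 || (octets.is_empty() && unused != 0) {
        return Err(Error::BadUnusedBits);
    }
    // Family-based bound: at most 4 octets for IPv4, 16 for IPv6.
    if octets.len() > usize::from(family.max_bits() / 8) {
        return Err(Error::TooLong);
    }
    // The unused trailing bits of the last octet must all be zero.
    let last = octets.last().copied().unwrap_or(0);
    if last & ((1u8 << unused) - 1) != 0 {
        return Err(Error::NonZeroPadding);
    }
    let len = (octets.len() * 8) as u8 - unused;
    let mut addr = 0u128;
    for (i, &b) in octets.iter().enumerate() {
        addr |= u128::from(b) << (120 - 8 * i);
    }
    Ok((addr, len))
}

/// ROA entry: prefix length <= maxLength <= family size; absent maxLength means "= length".
pub fn decode_roa_prefix(family: Family, content: &[u8], max_len: Option<u8>) -> Result<RoaPrefix, Error> {
    let (addr, len) = decode_prefix(family, content)?;
    let max_len = max_len.unwrap_or(len);
    if max_len < len || max_len > family.max_bits() {
        return Err(Error::BadMaxLength);
    }
    Ok(RoaPrefix { addr, len, max_len })
}
fn main() {
    // Constructed inputs: 192.0.2.0/24 with maxLength 24 (accepted) and 33 (rejected).
    println!("{:?}", decode_roa_prefix(Family::V4, &[0, 192, 0, 2], Some(24)));
    println!("{:?}", decode_roa_prefix(Family::V4, &[0, 192, 0, 2], Some(33)));
}
```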