Vincent Bernat [Sun, 12 Dec 2021 13:25:13 +0000 (14:25 +0100)]
interfaces: detect interface index changes
When an interface is deleted and recreated, we didn't detect any
change and just updated its index. However, the handles we had on this
interface are now invalid. Ensure the interface is correctly
reinitialized in this case.
Vincent Bernat [Sun, 19 Sep 2021 19:18:47 +0000 (21:18 +0200)]
sonmp: fix heap overflow when reading SONMP packets
By sending short SONMP packets, an attacker can make the decoder crash
by reading too much data on the heap. SONMP packets are fixed in size,
just ensure we get enough bytes to contain a SONMP packet.
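The length check described in the commit above, as an added C example (not lldpd's own sonmp.c; the field offsets, the 11-byte payload length and the sample packet are assumptions constructed for this example):

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Byte offsets of the SONMP payload fields assumed for this example
 * (hypothetical layout, not lldpd's definitions). */
#define SONMP_OFF_IP       0   /* 4 bytes: IP address of the sender */
#define SONMP_OFF_SEGMENT  4   /* 3 bytes: segment identifier       */
#define SONMP_OFF_CHASSIS  7   /* 1 byte : chassis type             */
#define SONMP_OFF_BACKPL   8   /* 1 byte : backplane type           */
#define SONMP_OFF_STATE    9   /* 1 byte : state                    */
#define SONMP_OFF_LINKS   10   /* 1 byte : number of links          */
#define SONMP_PAYLOAD_LEN 11   /* the payload is fixed in size      */

struct sonmp_info {
    uint8_t  ip[4];
    uint32_t segment;
    uint8_t  chassis_type, backplane, state, links;
};

/* Decode one SONMP payload. Returns 0 on success, -1 if the buffer is
 * too short. Every read below stays inside the first SONMP_PAYLOAD_LEN
 * bytes, so the single check up front is what keeps a truncated packet
 * from being read past the end of the buffer it was received into. */
int sonmp_decode(const uint8_t *buf, size_t len, struct sonmp_info *out)
{
    if (buf == NULL || out == NULL || len < SONMP_PAYLOAD_LEN)
        return -1;  /* drop the packet instead of trusting its size */
    memcpy(out->ip, buf + SONMP_OFF_IP, 4);
    out->segment = ((uint32_t)buf[SONMP_OFF_SEGMENT] << 16) |
                   ((uint32_t)buf[SONMP_OFF_SEGMENT + 1] << 8) |
                   (uint32_t)buf[SONMP_OFF_SEGMENT + 2];
    out->chassis_type = buf[SONMP_OFF_CHASSIS];
    out->backplane    = buf[SONMP_OFF_BACKPL];
    out->state        = buf[SONMP_OFF_STATE];
    out->links        = buf[SONMP_OFF_LINKS];
    return 0;
}

/* Constructed sample payload (not a captured packet). */
static const uint8_t sample_sonmp[SONMP_PAYLOAD_LEN] = {
    192, 0, 2, 10,          /* ip 192.0.2.10 */
    0x00, 0x01, 0x02,       /* segment 0x000102 */
    0x02, 0x01, 0x03, 0x04  /* chassis, backplane, state, links */
};

/* Feed the decoder the full payload and a truncated copy; returns 1 when
 * the full one decodes and the short one is rejected before any read. */
int sonmp_demo(void)
{
    struct sonmp_info info;
    int full  = sonmp_decode(sample_sonmp, sizeof sample_sonmp, &info);
    int trunc = sonmp_decode(sample_sonmp, 5, &info); /* 5 of 11 bytes */
    return full == 0 && trunc == -1 && info.segment == 0x000102;
}
```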
lldpcli: remove redundant "ports" parameters from cap and mgmt cmds
The commands below were introduced as global commands, but all of them
except the first one were missing code to ignore the "ports" parameter.
```
configure lldp capabilities-advertisements
unconfigure lldp capabilities-advertisements
unconfigure lldp management-addresses-advertisements
configure lldp management-addresses-advertisements
```
Vincent Bernat [Sun, 29 Aug 2021 19:57:07 +0000 (21:57 +0200)]
interfaces-bsd: do not consider an interface when it is down
At least on OpenBSD, an interface can be oper down while
`IFF_RUNNING`. Check the link state and remove the `IFF_RUNNING` flag
in this case. Something similar may work with FreeBSD and NetBSD, but
it may not be needed. It does not work with MacOS.
Vincent Bernat [Fri, 4 Jun 2021 16:51:13 +0000 (18:51 +0200)]
lldpcli: require powerpairs for Dot3 power even when PD
This reverts commit 7056d802b9c595dd16f1354649bb7ae2f8b8880c. I may
have been hasty in removing this as my understanding is that the PSE
would impose the value to the PD, but it could be the other way
around. Some implementations do not like to have 0 as the value here
and will ignore the whole TLV.
Vincent Bernat [Tue, 4 May 2021 19:46:30 +0000 (21:46 +0200)]
client: put lock file in the same directory as the socket
The whole deal I was trying to solve is the fact that I cannot put the
lock here because I was unprivileged. Just let lldpd create the lock
in the same way it creates the socket (same privileges).
Vincent Bernat [Tue, 4 May 2021 13:55:21 +0000 (15:55 +0200)]
client: use a dedicated file lock to prevent concurrent changes
We were using a lock on the Unix socket. This was working on Linux but
this is not portable. Therefore, we have to use a dedicated file for
this purpose. We use /var/lock by default.
We don't do a secure creation as the lock file is only opened in
append mode, so a symlink attack could only create empty file or reset
the timestamp of a file. No content can be erased this way.
Vincent Bernat [Fri, 30 Apr 2021 09:03:14 +0000 (11:03 +0200)]
priv: explain why we don't use ethtool
I have tested on a few servers I have access to and none of them
supported the use of this ethtool command. So, keep using sysfs
instead (with the drawback that 1. debugfs should be mounted, 2. we
need to tell systemd we want to tune through sysfs).
Vincent Bernat [Sun, 25 Apr 2021 17:08:26 +0000 (19:08 +0200)]
daemon: fix some use of "if defined"
`#if defined HOST_OS_FREEBSD || HOST_OS_NETBSD` is not the same as
`#if defined HOST_OS_FREEBSD || defined HOST_OS_NETBSD`. This doesn't
really matter in our case, but for consistency, fix these cases. Also,
don't use parentheses as they are not useful in our case (or we should
put them everywhere).
Vincent Bernat [Sun, 21 Mar 2021 12:56:19 +0000 (13:56 +0100)]
client: make it easier for Coverity to understand commands_new()
Never returning NULL is not enough to make Coverity understand we
don't leak anything. Remove the branch in commands_new() as it must
never happen, except for the root node.
Vincent Bernat [Sun, 21 Mar 2021 10:32:25 +0000 (11:32 +0100)]
interfaces: use an array of MAC addresses when defining supported protocols
In interfaces.c, we were handling it as a table while in lldpd.c, we
were copy-pasting the same condition three times. This was confusing
for analysis tools.
Vincent Bernat [Sun, 21 Mar 2021 11:05:16 +0000 (12:05 +0100)]
daemon: annotate "daemonisation" to help Coverity
When daemonizing, we need to use /dev/null for stdin, stdout, and
stderr. If one of these file descriptors happens to be already closed,
we need to close the new file descriptor only if > 2. This is
confusing for Coverity, annotate it correctly.
Not all locations are annotated because not all of them are detected,
for some reason.