v.ims.1 - Bump version

Resolves: #2011868 - systemctl frr reload does not stop daemons that are not enabled in /etc/frr/daemons

.gitignore

@@ -6,3 +6,6 @@
 /frr-7.4.tar.gz
 /frr-7.5.tar.gz
 /frr-7.5.1.tar.gz
+/frr-8.0.1.tar.gz
+/frr-8.2.tar.gz
+/frr-8.2.2.tar.gz

0001-use-python3.patch

@@ -1,20 +0,0 @@
-diff --git a/tools/frr-reload.py b/tools/frr-reload.py
-index 208fb11..0692adc 100755
---- a/tools/frr-reload.py
-+++ b/tools/frr-reload.py
-@@ -1,4 +1,4 @@
--#!/usr/bin/python
-+#!/usr/bin/python3
- # Frr Reloader
- # Copyright (C) 2014 Cumulus Networks, Inc.
- #
-diff --git a/tools/generate_support_bundle.py b/tools/generate_support_bundle.py
-index 540b7a1..0876ebb 100755
---- a/tools/generate_support_bundle.py
-+++ b/tools/generate_support_bundle.py
-@@ -1,4 +1,4 @@
--#!/usr/bin/python
-+#!/usr/bin/python3
- 
- ########################################################
- ### Python Script to generate the FRR support bundle ###

0002-enable-openssl.patch

@@ -19,7 +19,7 @@ index 0b7af18..0533e24 100644
  	lib/skiplist.c \
  	lib/sockopt.c \
 @@ -170,7 +170,6 @@ pkginclude_HEADERS += \
- 	lib/linklist.h \
+ 	lib/link_state.h \
  	lib/log.h \
  	lib/log_vty.h \
 -	lib/md5.h \
@@ -27,7 +27,7 @@ index 0b7af18..0533e24 100644
  	lib/module.h \
  	lib/monotime.h \
 @@ -191,7 +190,6 @@ pkginclude_HEADERS += \
- 	lib/routemap.h \
+ 	lib/route_opaque.h \
  	lib/sbuf.h \
  	lib/seqlock.h \
 -	lib/sha256.h \

0005-icc-options.patch

@@ -1,52 +0,0 @@
-From 4e90d19ea3de6b8938d097d84f6df3fcf6eb0422 Mon Sep 17 00:00:00 2001
-From: Mark Stapp <mjs@voltanet.io>
-Date: Mon, 15 Feb 2021 13:59:02 -0500
-Subject: [PATCH] build: detect ICC, only try ICC options if ICC
-
-Some ICC command-line options can cause confusion for other
-compilers; test for ICC specifically, and only try to use those
-options if ICC is being used.
-
-Signed-off-by: Mark Stapp <mjs@voltanet.io>
----
- configure.ac | 13 +++++++++++--
- 1 file changed, 11 insertions(+), 2 deletions(-)
-
-diff --git a/configure.ac b/configure.ac
-index 266f37a1129..f3d1f38986a 100755
---- a/configure.ac
-+++ b/configure.ac
-@@ -191,6 +191,11 @@ CXXFLAGS="$orig_cxxflags"
- AC_PROG_CC_C99
- dnl NB: see C11 below
- 
-+dnl Some special handling for ICC later on
-+if test "$CC" = "icc"; then
-+    cc_is_icc="yes"
-+fi
-+
- PKG_PROG_PKG_CONFIG
- 
- dnl it's 2019, sed is sed.
-@@ -252,7 +257,9 @@ AC_DEFUN([AC_LINK_IFELSE_FLAGS], [{
- 
- dnl ICC won't bail on unknown options without -diag-error 10006
- dnl need to do this first so we get useful results for the other options
--AC_C_FLAG([-diag-error 10006])
-+if test "$cc_is_icc" = "yes"; then
-+    AC_C_FLAG([-diag-error 10006])
-+fi
- 
- dnl AC_PROG_CC_C99 may change CC to include -std=gnu99 or something
- ac_cc="$CC"
-@@ -335,7 +342,9 @@ AC_SUBST([CXX_COMPAT_CFLAGS])
- dnl ICC emits a broken warning for const char *x = a ? "b" : "c";
- dnl for some reason the string consts get 'promoted' to char *,
- dnl triggering a const to non-const conversion warning.
--AC_C_FLAG([-diag-disable 3179])
-+if test "$cc_is_icc" = "yes"; then
-+    AC_C_FLAG([-diag-disable 3179])
-+fi
- 
- if test "$enable_werror" = "yes" ; then
-   WERROR="-Werror"

0005-remove-grpc-test.patch

@@ -0,0 +1,23 @@
+diff --git a/tests/lib/subdir.am b/tests/lib/subdir.am
+index 7b5eaa4..5c82f69 100644
+--- a/tests/lib/subdir.am
++++ b/tests/lib/subdir.am
+@@ -18,18 +18,6 @@ tests_lib_test_frrscript_SOURCES = tests/lib/test_frrscript.c
+ EXTRA_DIST += tests/lib/test_frrscript.py
+ 
+ 
+-##############################################################################
+-GRPC_TESTS_LDADD = staticd/libstatic.a grpc/libfrrgrpc_pb.la -lgrpc++ -lprotobuf $(ALL_TESTS_LDADD) $(LIBYANG_LIBS) -lm
+-
+-if GRPC
+-check_PROGRAMS += tests/lib/test_grpc
+-endif
+-tests_lib_test_grpc_CXXFLAGS = $(WERROR) $(TESTS_CXXFLAGS)
+-tests_lib_test_grpc_CPPFLAGS = $(TESTS_CPPFLAGS)
+-tests_lib_test_grpc_LDADD = $(GRPC_TESTS_LDADD)
+-tests_lib_test_grpc_SOURCES = tests/lib/test_grpc.cpp
+-
+-
+ ##############################################################################
+ if ZEROMQ
+ check_PROGRAMS += tests/lib/test_zmq

0006-cve-2022-26126.patch

@@ -0,0 +1,461 @@
+From ac3133450de12ba86c051265fc0f1b12bc57b40c Mon Sep 17 00:00:00 2001
+From: whichbug <whichbug@github.com>
+Date: Thu, 10 Feb 2022 22:49:41 -0500
+Subject: [PATCH] isisd: fix #10505 using base64 encoding
+
+Using base64 instead of the raw string to encode
+the binary data.
+
+Signed-off-by: whichbug <whichbug@github.com>
+---
+ isisd/isis_nb_notifications.c |  16 +--
+ lib/base64.c                  | 193 ++++++++++++++++++++++++++++++++++
+ lib/base64.h                  |  45 ++++++++
+ lib/subdir.am                 |   2 +
+ lib/yang_wrappers.c           |  59 +++++++++++
+ lib/yang_wrappers.h           |   7 ++
+ 6 files changed, 314 insertions(+), 8 deletions(-)
+ create mode 100644 lib/base64.c
+ create mode 100644 lib/base64.h
+
+diff --git a/isisd/isis_nb_notifications.c b/isisd/isis_nb_notifications.c
+index f219632acf7..fd7b1b3159a 100644
+--- a/isisd/isis_nb_notifications.c
++++ b/isisd/isis_nb_notifications.c
+@@ -245,7 +245,7 @@ void isis_notif_max_area_addr_mismatch(const struct isis_circuit *circuit,
+ 	data = yang_data_new_uint8(xpath_arg, max_area_addrs);
+ 	listnode_add(arguments, data);
+ 	snprintf(xpath_arg, sizeof(xpath_arg), "%s/raw-pdu", xpath);
+-	data = yang_data_new(xpath_arg, raw_pdu);
++	data = yang_data_new_binary(xpath_arg, raw_pdu, raw_pdu_len);
+ 	listnode_add(arguments, data);
+ 
+ 	hook_call(isis_hook_max_area_addr_mismatch, circuit, max_area_addrs,
+@@ -270,7 +270,7 @@ void isis_notif_authentication_type_failure(const struct isis_circuit *circuit,
+ 	notif_prep_instance_hdr(xpath, area, "default", arguments);
+ 	notif_prepr_iface_hdr(xpath, circuit, arguments);
+ 	snprintf(xpath_arg, sizeof(xpath_arg), "%s/raw-pdu", xpath);
+-	data = yang_data_new(xpath_arg, raw_pdu);
++	data = yang_data_new_binary(xpath_arg, raw_pdu, raw_pdu_len);
+ 	listnode_add(arguments, data);
+ 
+ 	hook_call(isis_hook_authentication_type_failure, circuit, raw_pdu,
+@@ -294,7 +294,7 @@ void isis_notif_authentication_failure(const struct isis_circuit *circuit,
+ 	notif_prep_instance_hdr(xpath, area, "default", arguments);
+ 	notif_prepr_iface_hdr(xpath, circuit, arguments);
+ 	snprintf(xpath_arg, sizeof(xpath_arg), "%s/raw-pdu", xpath);
+-	data = yang_data_new(xpath_arg, raw_pdu);
++	data = yang_data_new_binary(xpath_arg, raw_pdu, raw_pdu_len);
+ 	listnode_add(arguments, data);
+ 
+ 	hook_call(isis_hook_authentication_failure, circuit, raw_pdu,
+@@ -361,7 +361,7 @@ void isis_notif_reject_adjacency(const struct isis_circuit *circuit,
+ 	data = yang_data_new_string(xpath_arg, reason);
+ 	listnode_add(arguments, data);
+ 	snprintf(xpath_arg, sizeof(xpath_arg), "%s/raw-pdu", xpath);
+-	data = yang_data_new(xpath_arg, raw_pdu);
++	data = yang_data_new_binary(xpath_arg, raw_pdu, raw_pdu_len);
+ 	listnode_add(arguments, data);
+ 
+ 	hook_call(isis_hook_reject_adjacency, circuit, raw_pdu, raw_pdu_len);
+@@ -384,7 +384,7 @@ void isis_notif_area_mismatch(const struct isis_circuit *circuit,
+ 	notif_prep_instance_hdr(xpath, area, "default", arguments);
+ 	notif_prepr_iface_hdr(xpath, circuit, arguments);
+ 	snprintf(xpath_arg, sizeof(xpath_arg), "%s/raw-pdu", xpath);
+-	data = yang_data_new(xpath_arg, raw_pdu);
++	data = yang_data_new_binary(xpath_arg, raw_pdu, raw_pdu_len);
+ 	listnode_add(arguments, data);
+ 
+ 	hook_call(isis_hook_area_mismatch, circuit, raw_pdu, raw_pdu_len);
+@@ -467,7 +467,7 @@ void isis_notif_id_len_mismatch(const struct isis_circuit *circuit,
+ 	data = yang_data_new_uint8(xpath_arg, rcv_id_len);
+ 	listnode_add(arguments, data);
+ 	snprintf(xpath_arg, sizeof(xpath_arg), "%s/raw-pdu", xpath);
+-	data = yang_data_new(xpath_arg, raw_pdu);
++	data = yang_data_new_binary(xpath_arg, raw_pdu, raw_pdu_len);
+ 	listnode_add(arguments, data);
+ 
+ 	hook_call(isis_hook_id_len_mismatch, circuit, rcv_id_len, raw_pdu,
+@@ -495,7 +495,7 @@ void isis_notif_version_skew(const struct isis_circuit *circuit,
+ 	data = yang_data_new_uint8(xpath_arg, version);
+ 	listnode_add(arguments, data);
+ 	snprintf(xpath_arg, sizeof(xpath_arg), "%s/raw-pdu", xpath);
+-	data = yang_data_new(xpath_arg, raw_pdu);
++	data = yang_data_new_binary(xpath_arg, raw_pdu, raw_pdu_len);
+ 	listnode_add(arguments, data);
+ 
+ 	hook_call(isis_hook_version_skew, circuit, version, raw_pdu,
+@@ -525,7 +525,7 @@ void isis_notif_lsp_error(const struct isis_circuit *circuit,
+ 	data = yang_data_new_string(xpath_arg, rawlspid_print(lsp_id));
+ 	listnode_add(arguments, data);
+ 	snprintf(xpath_arg, sizeof(xpath_arg), "%s/raw-pdu", xpath);
+-	data = yang_data_new(xpath_arg, raw_pdu);
++	data = yang_data_new_binary(xpath_arg, raw_pdu, raw_pdu_len);
+ 	listnode_add(arguments, data);
+ 	/* ignore offset and tlv_type which cannot be set properly */
+ 
+diff --git a/lib/base64.c b/lib/base64.c
+new file mode 100644
+index 00000000000..e3f238969b3
+--- /dev/null
++++ b/lib/base64.c
+@@ -0,0 +1,193 @@
++/*
++ * This is part of the libb64 project, and has been placed in the public domain.
++ * For details, see http://sourceforge.net/projects/libb64
++ */
++
++#include "base64.h"
++
++static const int CHARS_PER_LINE = 72;
++static const char *ENCODING =
++	"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
++
++void base64_init_encodestate(struct base64_encodestate *state_in)
++{
++	state_in->step = step_A;
++	state_in->result = 0;
++	state_in->stepcount = 0;
++}
++
++char base64_encode_value(char value_in)
++{
++	if (value_in > 63)
++		return '=';
++	return ENCODING[(int)value_in];
++}
++
++int base64_encode_block(const char *plaintext_in, int length_in, char *code_out,
++			struct base64_encodestate *state_in)
++{
++	const char *plainchar = plaintext_in;
++	const char *const plaintextend = plaintext_in + length_in;
++	char *codechar = code_out;
++	char result;
++	char fragment;
++
++	result = state_in->result;
++
++	switch (state_in->step) {
++		while (1) {
++			case step_A:
++				if (plainchar == plaintextend) {
++					state_in->result = result;
++					state_in->step = step_A;
++					return codechar - code_out;
++				}
++				fragment = *plainchar++;
++				result = (fragment & 0x0fc) >> 2;
++				*codechar++ = base64_encode_value(result);
++				result = (fragment & 0x003) << 4;
++				/* fall through */
++			case step_B:
++				if (plainchar == plaintextend) {
++					state_in->result = result;
++					state_in->step = step_B;
++					return codechar - code_out;
++				}
++				fragment = *plainchar++;
++				result |= (fragment & 0x0f0) >> 4;
++				*codechar++ = base64_encode_value(result);
++				result = (fragment & 0x00f) << 2;
++				/* fall through */
++			case step_C:
++				if (plainchar == plaintextend) {
++					state_in->result = result;
++					state_in->step = step_C;
++					return codechar - code_out;
++				}
++				fragment = *plainchar++;
++				result |= (fragment & 0x0c0) >> 6;
++				*codechar++ = base64_encode_value(result);
++				result  = (fragment & 0x03f) >> 0;
++				*codechar++ = base64_encode_value(result);
++
++				++(state_in->stepcount);
++				if (state_in->stepcount == CHARS_PER_LINE/4) {
++					*codechar++ = '\n';
++					state_in->stepcount = 0;
++				}
++		}
++	}
++	/* control should not reach here */
++	return codechar - code_out;
++}
++
++int base64_encode_blockend(char *code_out, struct base64_encodestate *state_in)
++{
++	char *codechar = code_out;
++
++	switch (state_in->step) {
++	case step_B:
++		*codechar++ = base64_encode_value(state_in->result);
++		*codechar++ = '=';
++		*codechar++ = '=';
++		break;
++	case step_C:
++		*codechar++ = base64_encode_value(state_in->result);
++		*codechar++ = '=';
++		break;
++	case step_A:
++		break;
++	}
++	*codechar++ = '\n';
++
++	return codechar - code_out;
++}
++
++
++signed char base64_decode_value(signed char value_in)
++{
++	static const signed char decoding[] = {
++		62, -1, -1, -1, 63, 52, 53, 54,
++		55, 56, 57, 58, 59, 60, 61, -1,
++		-1, -1, -2, -1, -1, -1, 0, 1,
++		2,  3, 4, 5, 6, 7, 8, 9,
++		10, 11, 12, 13, 14, 15, 16, 17,
++		18, 19, 20, 21, 22, 23, 24, 25,
++		-1, -1, -1, -1, -1, -1, 26, 27,
++		28, 29, 30, 31, 32, 33, 34, 35,
++		36, 37, 38, 39, 40, 41, 42, 43,
++		44, 45, 46, 47, 48, 49, 50, 51
++	};
++	value_in -= 43;
++	if (value_in < 0 || value_in >= 80)
++		return -1;
++	return decoding[(int)value_in];
++}
++
++void base64_init_decodestate(struct base64_decodestate *state_in)
++{
++	state_in->step = step_a;
++	state_in->plainchar = 0;
++}
++
++int base64_decode_block(const char *code_in, int length_in, char *plaintext_out,
++			struct base64_decodestate *state_in)
++{
++	const char *codec = code_in;
++	char *plainc = plaintext_out;
++	signed char fragmt;
++
++	*plainc = state_in->plainchar;
++
++	switch (state_in->step) {
++		while (1) {
++			case step_a:
++				do {
++					if (codec == code_in+length_in) {
++						state_in->step = step_a;
++						state_in->plainchar = *plainc;
++						return plainc - plaintext_out;
++					}
++					fragmt = base64_decode_value(*codec++);
++				} while (fragmt < 0);
++				*plainc = (fragmt & 0x03f) << 2;
++				/* fall through */
++			case step_b:
++				do {
++					if (codec == code_in+length_in) {
++						state_in->step = step_b;
++						state_in->plainchar = *plainc;
++						return plainc - plaintext_out;
++					}
++					fragmt = base64_decode_value(*codec++);
++				} while (fragmt < 0);
++				*plainc++ |= (fragmt & 0x030) >> 4;
++				*plainc = (fragmt & 0x00f) << 4;
++				/* fall through */
++			case step_c:
++				do {
++					if (codec == code_in+length_in) {
++						state_in->step = step_c;
++						state_in->plainchar = *plainc;
++						return plainc - plaintext_out;
++					}
++					fragmt = base64_decode_value(*codec++);
++				} while (fragmt < 0);
++				*plainc++ |= (fragmt & 0x03c) >> 2;
++				*plainc = (fragmt & 0x003) << 6;
++				/* fall through */
++			case step_d:
++				do {
++					if (codec == code_in+length_in) {
++						state_in->step = step_d;
++						state_in->plainchar = *plainc;
++						return plainc - plaintext_out;
++					}
++					fragmt = base64_decode_value(*codec++);
++				} while (fragmt < 0);
++				*plainc++   |= (fragmt & 0x03f);
++		}
++	}
++	/* control should not reach here */
++	return plainc - plaintext_out;
++}
+diff --git a/lib/base64.h b/lib/base64.h
+new file mode 100644
+index 00000000000..3dc1559aa48
+--- /dev/null
++++ b/lib/base64.h
+@@ -0,0 +1,45 @@
++/*
++ * This is part of the libb64 project, and has been placed in the public domain.
++ * For details, see http://sourceforge.net/projects/libb64
++ */
++
++#ifndef _BASE64_H_
++#define _BASE64_H_
++
++enum base64_encodestep {
++	step_A, step_B, step_C
++};
++
++struct base64_encodestate {
++	enum base64_encodestep step;
++	char result;
++	int stepcount;
++};
++
++void base64_init_encodestate(struct base64_encodestate *state_in);
++
++char base64_encode_value(char value_in);
++
++int base64_encode_block(const char *plaintext_in, int length_in, char *code_out,
++			struct base64_encodestate *state_in);
++
++int base64_encode_blockend(char *code_out, struct base64_encodestate *state_in);
++
++
++enum base64_decodestep {
++	step_a, step_b, step_c, step_d
++};
++
++struct base64_decodestate {
++	enum base64_decodestep step;
++	char plainchar;
++};
++
++void base64_init_decodestate(struct base64_decodestate *state_in);
++
++signed char base64_decode_value(signed char value_in);
++
++int base64_decode_block(const char *code_in, int length_in, char *plaintext_out,
++			struct base64_decodestate *state_in);
++
++#endif /* _BASE64_H_ */
+diff --git a/lib/subdir.am b/lib/subdir.am
+index 648ab7f14a1..f8f82f2766f 100644
+--- a/lib/subdir.am
++++ b/lib/subdir.am
+@@ -8,6 +8,7 @@ lib_libfrr_la_LIBADD = $(LIBCAP) $(UNWIND_LIBS) $(LIBYANG_LIBS) $(LUA_LIB) $(UST
+ lib_libfrr_la_SOURCES = \
+ 	lib/agg_table.c \
+ 	lib/atomlist.c \
++	lib/base64.c \
+ 	lib/bfd.c \
+ 	lib/buffer.c \
+ 	lib/checksum.c \
+@@ -177,6 +178,7 @@ clippy_scan += \
+ pkginclude_HEADERS += \
+ 	lib/agg_table.h \
+ 	lib/atomlist.h \
++	lib/base64.h \
+ 	lib/bfd.h \
+ 	lib/bitfield.h \
+ 	lib/buffer.h \
+diff --git a/lib/yang_wrappers.c b/lib/yang_wrappers.c
+index 85aa003db72..bee76c6e0f5 100644
+--- a/lib/yang_wrappers.c
++++ b/lib/yang_wrappers.c
+@@ -19,6 +19,7 @@
+ 
+ #include <zebra.h>
+ 
++#include "base64.h"
+ #include "log.h"
+ #include "lib_errors.h"
+ #include "northbound.h"
+@@ -676,6 +677,64 @@ void yang_get_default_string_buf(char *buf, size_t size, const char *xpath_fmt,
+ 			  xpath);
+ }
+ 
++/*
++ * Primitive type: binary.
++ */
++struct yang_data *yang_data_new_binary(const char *xpath, const char *value,
++				       size_t len)
++{
++	char *value_str;
++	struct base64_encodestate s;
++	int cnt;
++	char *c;
++	struct yang_data *data;
++
++	value_str = (char *)malloc(len * 2);
++	base64_init_encodestate(&s);
++	cnt = base64_encode_block(value, len, value_str, &s);
++	c = value_str + cnt;
++	cnt = base64_encode_blockend(c, &s);
++	c += cnt;
++	*c = 0;
++	data = yang_data_new(xpath, value_str);
++	free(value_str);
++	return data;
++}
++
++size_t yang_dnode_get_binary_buf(char *buf, size_t size,
++				 const struct lyd_node *dnode,
++				 const char *xpath_fmt, ...)
++{
++	const char *canon;
++	size_t cannon_len;
++	size_t decode_len;
++	size_t ret_len;
++	size_t cnt;
++	char *value_str;
++	struct base64_decodestate s;
++
++	canon = YANG_DNODE_XPATH_GET_CANON(dnode, xpath_fmt);
++	cannon_len = strlen(canon);
++	decode_len = cannon_len;
++	value_str = (char *)malloc(decode_len);
++	base64_init_decodestate(&s);
++	cnt = base64_decode_block(canon, cannon_len, value_str, &s);
++
++	ret_len = size > cnt ? cnt : size;
++	memcpy(buf, value_str, ret_len);
++	if (size < cnt) {
++		char xpath[XPATH_MAXLEN];
++
++		yang_dnode_get_path(dnode, xpath, sizeof(xpath));
++		flog_warn(EC_LIB_YANG_DATA_TRUNCATED,
++			  "%s: value was truncated [xpath %s]", __func__,
++			  xpath);
++	}
++	free(value_str);
++	return ret_len;
++}
++
++
+ /*
+  * Primitive type: empty.
+  */
+diff --git a/lib/yang_wrappers.h b/lib/yang_wrappers.h
+index d781dfb1e42..56b314876f2 100644
+--- a/lib/yang_wrappers.h
++++ b/lib/yang_wrappers.h
+@@ -118,6 +118,13 @@ extern const char *yang_get_default_string(const char *xpath_fmt, ...);
+ extern void yang_get_default_string_buf(char *buf, size_t size,
+ 					const char *xpath_fmt, ...);
+ 
++/* binary */
++extern struct yang_data *yang_data_new_binary(const char *xpath,
++					      const char *value, size_t len);
++extern size_t yang_dnode_get_binary_buf(char *buf, size_t size,
++					const struct lyd_node *dnode,
++					const char *xpath_fmt, ...);
++
+ /* empty */
+ extern struct yang_data *yang_data_new_empty(const char *xpath);
+ extern bool yang_dnode_get_empty(const struct lyd_node *dnode,

0006-move-to-libexec.patch

@@ -1,17 +0,0 @@
-diff --git a/tools/frr.service b/tools/frr.service
-index aa45f42..402def8 100644
---- a/tools/frr.service
-+++ b/tools/frr.service
-@@ -17,9 +17,9 @@ WatchdogSec=60s
- RestartSec=5
- Restart=on-abnormal
- LimitNOFILE=1024
--ExecStart=/usr/lib/frr/frrinit.sh start
--ExecStop=/usr/lib/frr/frrinit.sh stop
--ExecReload=/usr/lib/frr/frrinit.sh reload
-+ExecStart=/usr/libexec/frr/frrinit.sh start
-+ExecStop=/usr/libexec/frr/frrinit.sh stop
-+ExecReload=/usr/libexec/frr/frrinit.sh reload
- 
- [Install]
- WantedBy=multi-user.target

0007-ospfd-crash.patch

@@ -1,108 +0,0 @@
-From 4f08c715db6893ff439d0a39bf4506cd26256d13 Mon Sep 17 00:00:00 2001
-From: Igor Ryzhov <iryzhov@nfware.com>
-Date: Fri, 18 Jun 2021 13:06:13 +0300
-Subject: [PATCH] lib: remove pure attribute from functions that modify memory
-
-Almost all functions currently marked with pure attribute acquire a
-route_node lock. By marking them pure we allow compiler to optimize the
-code and not call them when it already knows the return value. This is
-completely incorrect.
-
-Only two of eleven functions can be marked as pure. And they still won't
-be optimized because they are never called from the same function twice.
-Let's remove the ext_pure macro completely to reduce the chance of
-repeating this mistake in the future.
-
-Fixes #8866, #8809, #8595, #6992.
-
-Signed-off-by: Igor Ryzhov <iryzhov@nfware.com>
----
- lib/compiler.h |  9 ---------
- lib/table.h    | 44 ++++++++++++++++++++------------------------
- 2 files changed, 20 insertions(+), 33 deletions(-)
-
-diff --git a/lib/compiler.h b/lib/compiler.h
-index bbfe01b569c..e805eb8be48 100644
---- a/lib/compiler.h
-+++ b/lib/compiler.h
-@@ -123,15 +123,6 @@ extern "C" {
- #define assume(x)
- #endif
- 
--/* pure = function does not modify memory & return value is the same if
-- * memory hasn't changed (=> allows compiler to optimize)
-- *
-- * Mostly autodetected by the compiler if function body is available (i.e.
-- * static inline functions in headers).  Since that implies it should only be
-- * used in headers for non-inline functions, the "extern" is included here.
-- */
--#define ext_pure	extern __attribute__((pure))
--
- /* for helper functions defined inside macros */
- #define macro_inline	static inline __attribute__((unused))
- #define macro_pure	static inline __attribute__((unused, pure))
-diff --git a/lib/table.h b/lib/table.h
-index 7e383dce808..5dec69ee7ea 100644
---- a/lib/table.h
-+++ b/lib/table.h
-@@ -197,29 +197,25 @@ static inline void route_table_set_info(struct route_table *table, void *d)
- 	table->info = d;
- }
- 
--/* ext_pure => extern __attribute__((pure))
-- *   does not modify memory (but depends on mem), allows compiler to optimize
-- */
--
- extern void route_table_finish(struct route_table *table);
--ext_pure struct route_node *route_top(struct route_table *table);
--ext_pure struct route_node *route_next(struct route_node *node);
--ext_pure struct route_node *route_next_until(struct route_node *node,
--					     const struct route_node *limit);
-+extern struct route_node *route_top(struct route_table *table);
-+extern struct route_node *route_next(struct route_node *node);
-+extern struct route_node *route_next_until(struct route_node *node,
-+					   const struct route_node *limit);
- extern struct route_node *route_node_get(struct route_table *table,
- 					 union prefixconstptr pu);
--ext_pure struct route_node *route_node_lookup(struct route_table *table,
--					      union prefixconstptr pu);
--ext_pure struct route_node *route_node_lookup_maynull(struct route_table *table,
--						      union prefixconstptr pu);
--ext_pure struct route_node *route_node_match(struct route_table *table,
--					     union prefixconstptr pu);
--ext_pure struct route_node *route_node_match_ipv4(struct route_table *table,
--						  const struct in_addr *addr);
--ext_pure struct route_node *route_node_match_ipv6(struct route_table *table,
--						  const struct in6_addr *addr);
--
--ext_pure unsigned long route_table_count(struct route_table *table);
-+extern struct route_node *route_node_lookup(struct route_table *table,
-+					    union prefixconstptr pu);
-+extern struct route_node *route_node_lookup_maynull(struct route_table *table,
-+						    union prefixconstptr pu);
-+extern struct route_node *route_node_match(struct route_table *table,
-+					   union prefixconstptr pu);
-+extern struct route_node *route_node_match_ipv4(struct route_table *table,
-+						const struct in_addr *addr);
-+extern struct route_node *route_node_match_ipv6(struct route_table *table,
-+						const struct in6_addr *addr);
-+
-+extern unsigned long route_table_count(struct route_table *table);
- 
- extern struct route_node *route_node_create(route_table_delegate_t *delegate,
- 					    struct route_table *table);
-@@ -228,10 +224,10 @@ extern void route_node_destroy(route_table_delegate_t *delegate,
- 			       struct route_table *table,
- 			       struct route_node *node);
- 
--ext_pure struct route_node *route_table_get_next(struct route_table *table,
--						 union prefixconstptr pu);
--ext_pure int route_table_prefix_iter_cmp(const struct prefix *p1,
--					 const struct prefix *p2);
-+extern struct route_node *route_table_get_next(struct route_table *table,
-+					       union prefixconstptr pu);
-+extern int route_table_prefix_iter_cmp(const struct prefix *p1,
-+				       const struct prefix *p2);
- 
- /*
-  * Iterator functions.

frr.spec

@@ -1,11 +1,13 @@
+%global dist .ims.1%{?dist}
+
 %global frr_libdir %{_libexecdir}/frr
 
 %global _hardened_build 1
 %define _legacy_common_support 1
 
 Name:           frr
-Version:        7.5.1
-Release:        9%{?dist}
+Version:        8.2.2
+Release:        2%{?dist}
 Summary:        Routing daemon
 License:        GPLv2+
 URL:            http://www.frrouting.org
@@ -14,13 +16,11 @@ Source1:        %{name}-tmpfiles.conf
 Source2:        %{name}-sysusers.conf
 
 Patch0000:      0000-remove-babeld-and-ldpd.patch
-Patch0001:      0001-use-python3.patch
 Patch0002:      0002-enable-openssl.patch
 Patch0003:      0003-disable-eigrp-crypto.patch
 Patch0004:      0004-fips-mode.patch
-Patch0005:      0005-icc-options.patch
-Patch0006:      0006-move-to-libexec.patch
-Patch0007:      0007-ospfd-crash.patch
+Patch0005:      0005-remove-grpc-test.patch
+Patch0006:      0006-cve-2022-26126.patch
 
 BuildRequires:  autoconf
 BuildRequires:  automake
@@ -100,6 +100,7 @@ autoreconf -ivf
     --disable-babeld \
     --with-moduledir=%{_libdir}/frr/modules \
     --with-crypto=openssl \
+    --with-vici-socket=/run/strongswan/charon.vici \
     --enable-fpm \
     --enable-grpc
 
@@ -169,18 +170,12 @@ fi
 %systemd_preun frr.service
 
 %check
+#this should be temporary, the grpc test is just badly designed
+rm tests/lib/*grpc*
 %make_build check PYTHON=%{__python3}
 
 %files
 %license COPYING
-%doc zebra/zebra.conf.sample
-%doc isisd/isisd.conf.sample
-%doc ripd/ripd.conf.sample
-%doc bgpd/bgpd.conf.sample*
-%doc ospfd/ospfd.conf.sample
-%doc ospf6d/ospf6d.conf.sample
-%doc ripngd/ripngd.conf.sample
-%doc pimd/pimd.conf.sample
 %doc doc/mpls
 %dir %attr(750,frr,frr) %{_sysconfdir}/frr
 %dir %attr(755,frr,frr) %{_localstatedir}/log/frr
@@ -204,6 +199,19 @@ fi
 %{_sysusersdir}/%{name}.conf
 
 %changelog
+* Mon Apr 11 2022 Michal Ruprich <mruprich@redhat.com> - 8.2.2-2
+- Fix for CVE-2022-16126
+
+* Tue Mar 15 2022 Michal Ruprich <mruprich@redhat.com> - 8.2.2-1
+- New version 8.2.2
+
+* Thu Mar 10 2022 Michal Ruprich <mruprich@redhat.com> - 8.2-1
+- New version 8.2 (rhbz#2020439)
+- Resolves: #2011868 - systemctl frr reload does not stop daemons that are not enabled in /etc/frr/daemons
+
+* Thu Jan 20 2022 Michal Ruprich <mruprich@redhat.com> - 8.0.1-1
+- Rebasing to 8.0.1 due to newer libyang library
+
 * Wed Aug 04 2021 Benjamin A. Beasley <code@musicinmybrain.net> - 7.5.1-9
 - Rebuild for grpc 1.39
 

sources

@@ -1,2 +1,2 @@
-SHA512 (frr-7.5.1.tar.gz) = 1c27420594e52647090da3556e5c62d6f916903c4fa86e5110f1e86152f07d3ce4252bc859d36c9d218dc96a80b245c8b9eee97f370d818cb39be187b6c3546e
+SHA512 (frr-8.2.2.tar.gz) = 2a3e189d8de09bd66bc4a49147bec681d48626d8cb268dc03f42b58064c066b35082114ff97d7333ae4029f759b78e216c8460c2611df7f6659675dc5f9b69b2
 SHA512 (remove-babeld-ldpd.sh) = a5bf67a3722cb20d43cef1dac28f839db68df73a1b7d34d8438e4f9366da3b67d85c1f44281f93434e8dd8ebcb2d3dc258b77eaa5627475b7395d207f020839d