Package: release.debian.org Severity: normal Tags: trixie X-Debbugs-Cc: [email protected] Control: affects -1 + src:bird2 User: [email protected] Usertags: pu
This upload collects the fixes from the latest 2.17.x stable release. Some fix possible crashes, but the ASPA fix is critical for internet exchange points route server to being able to actually use ASPA. If this upload is not approved then I will have to make it a backport.d.n package and tell the community to use that. The relevant tests are also backported (and the build fails without them). diff -Nru bird2-2.17.1/debian/changelog bird2-2.17.1/debian/changelog --- bird2-2.17.1/debian/changelog 2025-12-18 00:21:35.000000000 +0100 +++ bird2-2.17.1/debian/changelog 2026-04-06 18:25:36.000000000 +0200 @@ -1,3 +1,13 @@ +bird2 (2.17.1-1+deb13u2) stable; urgency=medium + + * Backport all fixes from upstream 2.17.4: + + ASPA: Fix downstream validation + + BGP: Fix restart behavior on reconfiguration + + Filters: Fix string attributes + + Logging: Fix error handling + + -- Marco d'Itri <[email protected]> Mon, 06 Apr 2026 18:25:36 +0200 + bird2 (2.17.1-1+deb13u1) stable; urgency=medium * New maintainer. diff -Nru bird2-2.17.1/debian/patches/series bird2-2.17.1/debian/patches/series --- bird2-2.17.1/debian/patches/series 2025-12-18 00:21:35.000000000 +0100 +++ bird2-2.17.1/debian/patches/series 2026-04-06 18:25:36.000000000 +0200 @@ -2,3 +2,16 @@ backport-02-067f361d backport-03-f8770e81 backport-04-c4d54c21 +backport-05-1867ffa +backport-06-9c7d028 +backport-07-cad5353 +backport-08-b143f6e +backport-09-f7eb6f1 +backport-10-87a77ae +backport-11-3c83997 +backport-12-de64c80 +backport-13-b4e228d +backport-14-4be9672 +backport-15-650e2fa +backport-16-3beb709 +backport-17-954b305 diff -Nru bird2-2.17.1/debian/patches/backport-05-1867ffa bird2-2.17.1/debian/patches/backport-05-1867ffa --- bird2-2.17.1/debian/patches/backport-05-1867ffa 1970-01-01 01:00:00.000000000 +0100 +++ bird2-2.17.1/debian/patches/backport-05-1867ffa 2026-04-06 18:15:14.000000000 +0200 @@ -0,0 +1,26 @@ +From 1867ffae9d6bc76572f5876abf5337dba54f5da6 Mon Sep 17 00:00:00 2001 +From: Joshua Rogers <[email protected]> +Date: Tue, 10 Feb 2026 01:10:28 +0100 +Subject: Netlink: Fix handling of RTAX_CC_ALGO netlink attribute + +The kernel-provided congestion control algorithm (RTAX_CC_ALGO) is stored in +an EAF_TYPE_STRING adata blob without the terminating NULL. When exporting +metrics back to netlink, the value is treated as a C string and passed to +nl_add_attr_str(), which uses strlen(str)+1. This may read past the allocated +adata and leak adjacent memory or crash. + +Minor change by committer. + +diff --git a/sysdep/linux/netlink.c b/sysdep/linux/netlink.c +index 299f132fe..8be5112c4 100644 +--- a/sysdep/linux/netlink.c ++++ b/sysdep/linux/netlink.c +@@ -1876,7 +1876,7 @@ nl_parse_route(struct nl_parse_state *s, struct nlmsghdr *h) + } + else if (t == RTAX_CC_ALGO) + { +- struct adata *ad = lp_alloc_adata(s->pool, strlen(cc_algo)); ++ struct adata *ad = lp_alloc_adata(s->pool, strlen(cc_algo) + 1); + memcpy(ad->data, cc_algo, ad->length); + + ea->attrs[n++] = (eattr) { diff -Nru bird2-2.17.1/debian/patches/backport-06-9c7d028 bird2-2.17.1/debian/patches/backport-06-9c7d028 --- bird2-2.17.1/debian/patches/backport-06-9c7d028 1970-01-01 01:00:00.000000000 +0100 +++ bird2-2.17.1/debian/patches/backport-06-9c7d028 2026-04-06 18:16:08.000000000 +0200 @@ -0,0 +1,19 @@ +From 9c7d028465f4c9c28106b58b4514e5c6644bdeab Mon Sep 17 00:00:00 2001 +From: Joshua Rogers <[email protected]> +Date: Tue, 10 Feb 2026 01:16:51 +0100 +Subject: Lib: Fix mem_hash_mix_str() infinite loop/OOB read + + +diff --git a/lib/hash.h b/lib/hash.h +index 3c173958f..41409e47e 100644 +--- a/lib/hash.h ++++ b/lib/hash.h +@@ -219,7 +219,7 @@ static inline void + mem_hash_mix_str(u64 *h, const char *s) + { + const u64 multiplier = 0xb38bc09a61202731ULL; +- while (s) ++ while (*s) + *h = *h * multiplier + *s++; + } + diff -Nru bird2-2.17.1/debian/patches/backport-07-cad5353 bird2-2.17.1/debian/patches/backport-07-cad5353 --- bird2-2.17.1/debian/patches/backport-07-cad5353 1970-01-01 01:00:00.000000000 +0100 +++ bird2-2.17.1/debian/patches/backport-07-cad5353 2026-04-06 18:20:01.000000000 +0200 @@ -0,0 +1,22 @@ +From cad5353aaa0b198f3cb8397424710c3656e50f7a Mon Sep 17 00:00:00 2001 +From: Ondrej Zajicek <[email protected]> +Date: Tue, 10 Feb 2026 03:41:59 +0100 +Subject: Filter: Fix string ordering + +Function strcmp() returns negative / 0 / positive, but val_compare() +is expected to return -1 / 0 / 1. + +diff --git a/filter/data.c b/filter/data.c +index f5a9e5eec..a685aa1a4 100644 +--- a/filter/data.c ++++ b/filter/data.c +@@ -210,7 +210,8 @@ val_compare(const struct f_val *v1, const struct f_val *v2) + case T_NET: + return net_compare(v1->val.net, v2->val.net); + case T_STRING: +- return strcmp(v1->val.s, v2->val.s); ++ int i = strcmp(v1->val.s, v2->val.s); ++ return (i > 0) - (i < 0); + case T_PATH: + return as_path_compare(v1->val.ad, v2->val.ad); + case T_ROUTE: diff -Nru bird2-2.17.1/debian/patches/backport-08-b143f6e bird2-2.17.1/debian/patches/backport-08-b143f6e --- bird2-2.17.1/debian/patches/backport-08-b143f6e 1970-01-01 01:00:00.000000000 +0100 +++ bird2-2.17.1/debian/patches/backport-08-b143f6e 2026-04-06 18:20:29.000000000 +0200 @@ -0,0 +1,19 @@ +From b143f6ea8e9cdd3c461d109e94b542106d12e1b0 Mon Sep 17 00:00:00 2001 +From: Ondrej Zajicek <[email protected]> +Date: Tue, 10 Feb 2026 04:12:22 +0100 +Subject: Filter: Fix definition after label + + +diff --git a/filter/data.c b/filter/data.c +index a685aa1a4..eb0612c63 100644 +--- a/filter/data.c ++++ b/filter/data.c +@@ -209,7 +209,7 @@ val_compare(const struct f_val *v1, const struct f_val *v2) + return ipa_compare(v1->val.ip, v2->val.ip); + case T_NET: + return net_compare(v1->val.net, v2->val.net); +- case T_STRING: ++ case T_STRING:; + int i = strcmp(v1->val.s, v2->val.s); + return (i > 0) - (i < 0); + case T_PATH: diff -Nru bird2-2.17.1/debian/patches/backport-09-f7eb6f1 bird2-2.17.1/debian/patches/backport-09-f7eb6f1 --- bird2-2.17.1/debian/patches/backport-09-f7eb6f1 1970-01-01 01:00:00.000000000 +0100 +++ bird2-2.17.1/debian/patches/backport-09-f7eb6f1 2026-04-06 18:21:10.000000000 +0200 @@ -0,0 +1,24 @@ +From f7eb6f1611eb0a17ddb804c38acaab7e031c8126 Mon Sep 17 00:00:00 2001 +From: Ondrej Zajicek <[email protected]> +Date: Thu, 29 May 2025 17:34:35 +0200 +Subject: Nest: Fix route update after preference change + +The route preference was ignored in route comparison, therefore if +a protocol changed it and then reloaded routes, they were ignored +and routes with the old prefernce were kept. + +The bug was introduced 5 years ago, when preference was moved from +struct rte to struct rta. + +diff --git a/nest/rt-attr.c b/nest/rt-attr.c +index 7c49af174..e10e1ecbf 100644 +--- a/nest/rt-attr.c ++++ b/nest/rt-attr.c +@@ -1182,6 +1182,7 @@ rta_same(rta *x, rta *y) + return (x->source == y->source && + x->scope == y->scope && + x->dest == y->dest && ++ x->pref == y->pref && + x->igp_metric == y->igp_metric && + ipa_equal(x->from, y->from) && + x->hostentry == y->hostentry && diff -Nru bird2-2.17.1/debian/patches/backport-10-87a77ae bird2-2.17.1/debian/patches/backport-10-87a77ae --- bird2-2.17.1/debian/patches/backport-10-87a77ae 1970-01-01 01:00:00.000000000 +0100 +++ bird2-2.17.1/debian/patches/backport-10-87a77ae 2026-04-06 18:21:57.000000000 +0200 @@ -0,0 +1,35 @@ +From 87a77ae542d8b29bb26432eb65ced254536c2895 Mon Sep 17 00:00:00 2001 +From: Ondrej Zajicek <[email protected]> +Date: Tue, 3 Jun 2025 16:56:41 +0200 +Subject: BGP: Do route refresh after preference change + +Reconfiguration of preference is handled by nest code by asking for +reload, but in case of BGP with import table, that just reloaded routes +with the old preference. In BGP, we can handle that by triggering full +route refresh. + +Although, it would be probably better to set preference in nest, when +a route is propagated from the import table. + +diff --git a/proto/bgp/bgp.c b/proto/bgp/bgp.c +index c8f90fadb..203715258 100644 +--- a/proto/bgp/bgp.c ++++ b/proto/bgp/bgp.c +@@ -2830,12 +2830,16 @@ bgp_channel_reconfigure(struct channel *C, struct channel_config *CC, int *impor + if ((new->gw_mode != old->gw_mode) || + (new->next_hop_prefer != old->next_hop_prefer) || + (new->aigp != old->aigp) || +- (new->cost != old->cost)) ++ (new->cost != old->cost) || ++ (new->c.preference != old->c.preference)) + { + /* import_changed itself does not force ROUTE_REFRESH when import_table is active */ + if (c->c.in_table && (c->c.channel_state == CS_UP)) + bgp_schedule_packet(p->conn, c, PKT_ROUTE_REFRESH); + ++ /* Note that preference is already handled in channel_reconfigure(), ++ but we need it handle again here for the ROUTE_REFRESH trigger */ ++ + *import_changed = 1; + } + diff -Nru bird2-2.17.1/debian/patches/backport-11-3c83997 bird2-2.17.1/debian/patches/backport-11-3c83997 --- bird2-2.17.1/debian/patches/backport-11-3c83997 1970-01-01 01:00:00.000000000 +0100 +++ bird2-2.17.1/debian/patches/backport-11-3c83997 2026-04-06 18:22:19.000000000 +0200 @@ -0,0 +1,35 @@ +From 3c839977ebb9f2eb3b683e002fffa17be9a3e6e5 Mon Sep 17 00:00:00 2001 +From: Maria Matejka <[email protected]> +Date: Wed, 4 Jun 2025 14:53:36 +0200 +Subject: BGP: Restart if route refresh is impossible on attribute change + +In previous commit, we force route refresh when some protocol attributes +change. Yet, when the neighbor doesn't support route refresh, we have to +restart the session, not send an unsupported request. + +Note: if the neighbor is restarting right now with graceful restart +enabled, we keep the stale routes until the neighbor converges again. + +Related to #268 + +diff --git a/proto/bgp/bgp.c b/proto/bgp/bgp.c +index 203715258..d38666fab 100644 +--- a/proto/bgp/bgp.c ++++ b/proto/bgp/bgp.c +@@ -2833,7 +2833,15 @@ bgp_channel_reconfigure(struct channel *C, struct channel_config *CC, int *impor + (new->cost != old->cost) || + (new->c.preference != old->c.preference)) + { +- /* import_changed itself does not force ROUTE_REFRESH when import_table is active */ ++ /* Route refresh needed, these attributes are set by BGP itself ++ * and even if import table exists, we can't use it */ ++ ++ /* Route refresh impossible, restart is needed */ ++ if ((c->c.channel_state == CS_UP) && !p->route_refresh) ++ return 0; ++ ++ /* Force ROUTE_REFRESH with import table; otherwise ++ * it will be forced by import_changed set to 1 later */ + if (c->c.in_table && (c->c.channel_state == CS_UP)) + bgp_schedule_packet(p->conn, c, PKT_ROUTE_REFRESH); + diff -Nru bird2-2.17.1/debian/patches/backport-12-de64c80 bird2-2.17.1/debian/patches/backport-12-de64c80 --- bird2-2.17.1/debian/patches/backport-12-de64c80 1970-01-01 01:00:00.000000000 +0100 +++ bird2-2.17.1/debian/patches/backport-12-de64c80 2026-04-06 18:22:44.000000000 +0200 @@ -0,0 +1,32 @@ +From de64c80119c14d733e465a0f428f3eff7aee6e74 Mon Sep 17 00:00:00 2001 +From: Maria Matejka <[email protected]> +Date: Wed, 25 Jun 2025 13:00:11 +0200 +Subject: BGP: restart on outgoing next hop setting change + +When next hop self / keep / address changed, BGP only reloaded +the exports but it didn't apply the changes. To fix this problem +before actually implementing a proper change detection algorithm, +we restart the protocol if this setting changes. + +Fixes #280. + +diff --git a/proto/bgp/bgp.c b/proto/bgp/bgp.c +index d38666fab..d8a4a69eb 100644 +--- a/proto/bgp/bgp.c ++++ b/proto/bgp/bgp.c +@@ -2851,10 +2851,13 @@ bgp_channel_reconfigure(struct channel *C, struct channel_config *CC, int *impor + *import_changed = 1; + } + ++ /* Outgoing next hop setting is too complex to update, forcing restart. */ + if (!ipa_equal(new->next_hop_addr, old->next_hop_addr) || + (new->next_hop_self != old->next_hop_self) || +- (new->next_hop_keep != old->next_hop_keep) || +- (new->llnh_format != old->llnh_format) || ++ (new->next_hop_keep != old->next_hop_keep)) ++ return 0; ++ ++ if ((new->llnh_format != old->llnh_format) || + (new->aigp != old->aigp) || + (new->aigp_originate != old->aigp_originate)) + *export_changed = 1; diff -Nru bird2-2.17.1/debian/patches/backport-13-b4e228d bird2-2.17.1/debian/patches/backport-13-b4e228d --- bird2-2.17.1/debian/patches/backport-13-b4e228d 1970-01-01 01:00:00.000000000 +0100 +++ bird2-2.17.1/debian/patches/backport-13-b4e228d 2026-04-06 18:23:06.000000000 +0200 @@ -0,0 +1,52 @@ +From b4e228d141b327fb19b862180f0fd03dc058a782 Mon Sep 17 00:00:00 2001 +From: Maria Matejka <[email protected]> +Date: Tue, 29 Jul 2025 14:15:08 +0200 +Subject: BGP: Do not restart when next hop keep/self is changed + +The change in dade7147eb6b62b2d58d478a370baef513d96975 forces BGP to restart +even if next hop self and next hop keep changes, which can be updated just by +reloading export, while explicit next hop address can not. + +Related to #280. + +diff --git a/doc/bird.sgml b/doc/bird.sgml +index 3e024f4c1..6595dc327 100644 +--- a/doc/bird.sgml ++++ b/doc/bird.sgml +@@ -3925,7 +3925,6 @@ direction (re-export of routes to the BGP neighbor): + + <itemize> + <item><cf/export/ +- <item><cf/next hop address/ + <item><cf/next hop self/ + <item><cf/next hop keep/ + <item><cf/link local next hop format/ +@@ -3962,6 +3961,7 @@ direction (re-export of routes to the BGP neighbor): + <item><cf/graceful restart/ + <item><cf/long lived graceful restart/ + <item><cf/long lived stale time/ ++ <item><cf/next hop address/ + <item><cf/extended next hop/ + <item><cf/add paths/ + <item><cf/import table/ +diff --git a/proto/bgp/bgp.c b/proto/bgp/bgp.c +index d8a4a69eb..818edeeba 100644 +--- a/proto/bgp/bgp.c ++++ b/proto/bgp/bgp.c +@@ -2852,12 +2852,12 @@ bgp_channel_reconfigure(struct channel *C, struct channel_config *CC, int *impor + } + + /* Outgoing next hop setting is too complex to update, forcing restart. */ +- if (!ipa_equal(new->next_hop_addr, old->next_hop_addr) || +- (new->next_hop_self != old->next_hop_self) || +- (new->next_hop_keep != old->next_hop_keep)) ++ if (!ipa_equal(new->next_hop_addr, old->next_hop_addr)) + return 0; + +- if ((new->llnh_format != old->llnh_format) || ++ if ((new->next_hop_self != old->next_hop_self) || ++ (new->next_hop_keep != old->next_hop_keep) || ++ (new->llnh_format != old->llnh_format) || + (new->aigp != old->aigp) || + (new->aigp_originate != old->aigp_originate)) + *export_changed = 1; diff -Nru bird2-2.17.1/debian/patches/backport-14-4be9672 bird2-2.17.1/debian/patches/backport-14-4be9672 --- bird2-2.17.1/debian/patches/backport-14-4be9672 1970-01-01 01:00:00.000000000 +0100 +++ bird2-2.17.1/debian/patches/backport-14-4be9672 2026-04-06 18:25:36.000000000 +0200 @@ -0,0 +1,63 @@ +From 4be967290ee7ca2f6b0439c08e16999e7bbd5f66 Mon Sep 17 00:00:00 2001 +From: Maria Matejka <[email protected]> +Date: Sat, 14 Mar 2026 18:42:03 +0100 +Subject: Filter: Document and extend ASPA verification tests + +These extensions minimalistically replicate the downstream bug reported +by Evann DREUMONT. (See next commit.) + +Issue: #355 + +diff --git a/filter/test.conf b/filter/test.conf +index 3df9b6975..18a531ada 100644 +--- a/filter/test.conf ++++ b/filter/test.conf +@@ -2395,10 +2395,19 @@ bt_test_suite(t_roa_check, "Testing ROA"); + + aspa table at; + ++# ASPA structure: ++# ++# ++# 65544 65545 ++# | \ / \ / | ++# 65540 65542 65543 65541 ++# | | ++# 65550 65551 ++ + protocol static + { + aspa { table at; }; +- route aspa 65540 providers 65544; ++ route aspa 65540 providers 65544, 65549; + route aspa 65541 providers 65545; + route aspa 65542 providers 65544, 65545; + route aspa 65543 providers 65544, 65545; +@@ -2440,6 +2449,27 @@ function t_aspa_check() + p3.prepend(65544); + bt_assert(aspa_check(at, p3, false) = ASPA_INVALID); + bt_assert(aspa_check(at, p3, true) = ASPA_INVALID); ++ ++ bgppath p4 = +empty+; ++ p4.prepend(65540); ++ p4.prepend(65544); ++ ++ bt_assert(aspa_check(at, p4, false) = ASPA_VALID); ++ bt_assert(aspa_check(at, p4, true) = ASPA_VALID); ++ ++ p4.prepend(65545); ++ ++ bt_assert(aspa_check(at, p4, false) = ASPA_VALID); ++ bt_assert(aspa_check(at, p4, true) = ASPA_INVALID); ++ ++ p4.prepend(65555); ++ ++ bt_assert(aspa_check(at, p4, false) = ASPA_UNKNOWN); ++ bt_assert(aspa_check(at, p4, true) = ASPA_INVALID); ++ ++ bgppath p5 = +empty+.prepend(65550).prepend(65540).prepend(65549); ++ bt_assert(aspa_check(at, p5, false) = ASPA_VALID); ++ bt_assert(aspa_check(at, p5, true) = ASPA_VALID); + } + + bt_test_suite(t_aspa_check, "Testing ASPA (our tests)"); diff -Nru bird2-2.17.1/debian/patches/backport-15-650e2fa bird2-2.17.1/debian/patches/backport-15-650e2fa --- bird2-2.17.1/debian/patches/backport-15-650e2fa 1970-01-01 01:00:00.000000000 +0100 +++ bird2-2.17.1/debian/patches/backport-15-650e2fa 2026-04-06 18:25:36.000000000 +0200 @@ -0,0 +1,100 @@ +From 650e2fab9968e23bf90baf6a5818d603525bbda1 Mon Sep 17 00:00:00 2001 +From: Evann DREUMONT <[email protected]> +Date: Sat, 7 Feb 2026 23:59:12 +0100 +Subject: ASPA: Finish official test case coverage + +This commit implements missing test cases based on the official ASPA +path verification examples to expand coverage. + +Also, one of the custom test was incorrect, because while there is no valid +ASPA this could be seen, from a downstream perspective, as peering. + +This commit was originally a complete fix of the ASPA verification. +Reduced significantly by committer. + +diff --git a/filter/test.conf b/filter/test.conf +index 18a531ada..c21d74614 100644 +--- a/filter/test.conf ++++ b/filter/test.conf +@@ -2447,7 +2447,7 @@ function t_aspa_check() + bgppath p3 = +empty+; + p3.prepend(65541); + p3.prepend(65544); +- bt_assert(aspa_check(at, p3, false) = ASPA_INVALID); ++ bt_assert(aspa_check(at, p3, false) = ASPA_VALID); + bt_assert(aspa_check(at, p3, true) = ASPA_INVALID); + + bgppath p4 = +empty+; +@@ -2484,6 +2484,13 @@ protocol static + route aspa 65543 providers 65546; + route aspa 65544 providers 65546, 65547; + route aspa 65547 transit; ++ route aspa 65548 transit; ++ route aspa 65550 transit; ++ route aspa 65551 providers 65550; ++ route aspa 65552 transit; ++ route aspa 65553 transit; ++ route aspa 65554 providers 65553; ++ route aspa 65555 providers 65554; + } + + function t_aspa_check_official() +@@ -2493,6 +2500,7 @@ function t_aspa_check_official() + bool UP = true; bool DOWN = false; + bgppath p; + ++ # Examples of Upstream Path Verification + # F-G is a lateral peer, we do not prepend + p = +empty+.prepend(A).prepend(C).prepend(F); + bt_assert(aspa_check(at_official, p, UP) = ASPA_VALID); +@@ -2528,6 +2536,50 @@ function t_aspa_check_official() + # E-D is a lateral peer, we do not prepend + p = +empty+.prepend(B).prepend(E); + bt_assert(aspa_check(at_official, p, UP) = ASPA_VALID); ++ ++ # Examples of Downstream Path Verification ++ p = +empty+.prepend(A).prepend(C).prepend(F).prepend(G).prepend(E); ++ bt_assert(aspa_check(at_official, p, DOWN) = ASPA_UNKNOWN); ++ ++ p = +empty+.prepend(A).prepend(D).prepend(G).prepend(E); ++ bt_assert(aspa_check(at_official, p, DOWN) = ASPA_VALID); ++ ++ p = +empty+.prepend(A).prepend(C).prepend(D).prepend(E); ++ bt_assert(aspa_check(at_official, p, DOWN) = ASPA_UNKNOWN); ++ ++ p = +empty+.prepend(A).prepend(C).prepend(D).prepend(G).prepend(E); ++ bt_assert(aspa_check(at_official, p, DOWN) = ASPA_INVALID); ++ ++ p = +empty+.prepend(G).prepend(D).prepend(F).prepend(C); ++ bt_assert(aspa_check(at_official, p, DOWN) = ASPA_UNKNOWN); ++ ++ p = +empty+.prepend(B).prepend(E).prepend(G).prepend(D); ++ bt_assert(aspa_check(at_official, p, DOWN) = ASPA_VALID); ++ ++ p = +empty+.prepend(B).prepend(E).prepend(G).prepend(D).prepend(C); ++ bt_assert(aspa_check(at_official, p, DOWN) = ASPA_INVALID); ++ ++ p = +empty+.prepend(A).prepend(C).prepend(F); ++ bt_assert(aspa_check(at_official, p, DOWN) = ASPA_VALID); ++ ++ # Topology Contains Complex BGP Relationships ++ int H = 65548; int J = 65549; int K = 65550; int L = 65551; ++ int P = 65552; int Q = 65553; int R = 65554; int S = 65555; ++ ++ p = +empty+.prepend(H).prepend(J); ++ bt_assert(aspa_check(at_official, p, UP) = ASPA_INVALID); ++ ++ p = +empty+.prepend(H).prepend(J).prepend(K); ++ bt_assert(aspa_check(at_official, p, DOWN) = ASPA_INVALID); ++ ++ p = +empty+.prepend(P).prepend(Q); ++ bt_assert(aspa_check(at_official, p, UP) = ASPA_INVALID); ++ ++ p = +empty+.prepend(P).prepend(Q); ++ bt_assert(aspa_check(at_official, p, DOWN) = ASPA_VALID); ++ ++ p = +empty+.prepend(P).prepend(Q).prepend(R); ++ bt_assert(aspa_check(at_official, p, DOWN) = ASPA_VALID); + } + + bt_test_suite(t_aspa_check_official, "Testing ASPA (official tests)"); diff -Nru bird2-2.17.1/debian/patches/backport-16-3beb709 bird2-2.17.1/debian/patches/backport-16-3beb709 --- bird2-2.17.1/debian/patches/backport-16-3beb709 1970-01-01 01:00:00.000000000 +0100 +++ bird2-2.17.1/debian/patches/backport-16-3beb709 2026-04-06 18:23:41.000000000 +0200 @@ -0,0 +1,97 @@ +From 3beb709b225b3bc1aceae1763adaf95096efa88a Mon Sep 17 00:00:00 2001 +From: Maria Matejka <[email protected]> +Date: Sat, 14 Mar 2026 21:57:46 +0100 +Subject: ASPA: Fix downstream check for two-point apex + +The ASPA algorithm is quite complex if one wants to execute it fast. +Most notably, the performance-critical part is looking up the ASPA +records, and we are trying to reduce that to minimum. + +Yet, in that effort, we missed the fact that in the downstream +algorithm, the down-ramp and up-ramp may touch, i.e. their top ends +have a lateral peering. + +The original idea was to find the point where the down-ramp is +impossible to be extended, and from there on, the algorithm is basically +just the upstream algorithm. But it isn't, most notably with the lateral +peering scenario it is much more complex than this. + +This issue was discovered by several people, and got a fix submitted by +Evann DREUMONT. That fix was correct but replaced the algorithm too +deeply. We don't want to do such large changes (including semantics) +inside the stable versions, and we have some more plans with all of this +considering performance, as soon as more ASPA records emerge. + +This patch therefore simply removes the force_upstream shortcut from +where the down ramp is terminated, fixes the downstream code so that +it works without that shortcut, and explicitly allows the two-apex +downstream scenario. + +Original-By: Evann DREUMONT <[email protected]> + +diff --git a/nest/rt-table.c b/nest/rt-table.c +index ed364d351..1d50e5d05 100644 +--- a/nest/rt-table.c ++++ b/nest/rt-table.c +@@ -432,44 +432,40 @@ end_of_aspa:; + else if (!found) + { + /* Extend max-downstream (min-downstream is stopped by unknown) */ +- max_down = ap+1; ++ if (max_down == ap) ++ max_down = ap+1; + + /* Move min-upstream (can't include unknown) */ + min_up = ap; + } + +- /* ASPA exists and downstream may be extended */ +- else if (down) +- { +- /* Extending max-downstream always */ +- max_down = ap+1; +- +- /* Extending min-downstream unless unknown seen */ +- if (min_down == ap) +- min_down = ap+1; +- +- /* Downstream only */ +- if (!up) +- min_up = max_up = ap; +- } +- +- /* No extension for downstream, force upstream only from now */ ++ /* ASPA exists */ + else + { +- force_upstream = 1; ++ /* Downstream may be extended by this AS */ ++ if (down) ++ { ++ /* Extending max-downstream unless invalid seen */ ++ if (max_down == ap) ++ max_down = ap+1; ++ ++ /* Extending min-downstream unless unknown seen */ ++ if (min_down == ap) ++ min_down = ap+1; ++ } + +- /* Not even upstream, move the ending here */ ++ /* Move upstream end unless extensible */ + if (!up) + min_up = max_up = ap; + } + } + + /* Is the path surely valid? */ +- if (min_up <= min_down) ++ if (min_up <= min_down + !force_upstream) + return ASPA_VALID; + + /* Is the path maybe valid? */ +- if (max_up <= max_down) ++ if (max_up <= max_down + !force_upstream) + return ASPA_UNKNOWN; + + /* Now there is surely a valley there. */ diff -Nru bird2-2.17.1/debian/patches/backport-17-954b305 bird2-2.17.1/debian/patches/backport-17-954b305 --- bird2-2.17.1/debian/patches/backport-17-954b305 1970-01-01 01:00:00.000000000 +0100 +++ bird2-2.17.1/debian/patches/backport-17-954b305 2026-04-06 18:24:08.000000000 +0200 @@ -0,0 +1,31 @@ +From 954b30568a5e18d5b99b13d9157ae0e902b4bf7b Mon Sep 17 00:00:00 2001 +From: Maria Matejka <[email protected]> +Date: Thu, 19 Mar 2026 12:01:15 +0100 +Subject: Log: Set a reasonable lower bound for the log file size limit + +The log rotation needs a minimal file size. The 16 kB limit imposed +by this commit effectively allows about 150 lines to fit into one file, +and by that all the accompanying log messages (e.g. with debug latency) +fit into there and don't cause another rotation. + +Issue: #370 + +diff --git a/sysdep/unix/config.Y b/sysdep/unix/config.Y +index f4e70d198..be85848de 100644 +--- a/sysdep/unix/config.Y ++++ b/sysdep/unix/config.Y +@@ -48,7 +48,13 @@ syslog_name: + + log_limit: + /* empty */ +- | expr text { this_log->limit = $1; this_log->backup = $2; } ++ | expr text { ++ if ($1 < 16384) ++ cf_error("Log file size limit too low, must be at least 16384."); ++ ++ this_log->limit = $1; ++ this_log->backup = $2; ++ } + ; + + log_file: -- ciao, Marco
signature.asc
Description: PGP signature
