author  Mike Sullivan <Mike.Sullivan@Oracle.COM> 
Wed, 29 Aug 2012 11:05:56 0700  
changeset 957  255465c5756f 
parent 897  f239fb8865f3 
permissions  rwrr 
7153585 Problem with network/quagga
The following patch is pulled directly from the Git repository 
of the Quagga community. It fixes the following CVE: 
CVE-2012-1820. 
The fix for this CVE is included in Quagga 0.99.22. This patch 
file can be removed once Quagga is upgraded to that version. 
 bgpd/bgp_open.c 
+++ bgpd/bgp_open.c 
@@ 244,7 +244,7 @@ bgp_capability_orf_entry (struct peer *p 
} 
/* validate number field */ 
 if (sizeof (struct capability_orf_entry) + (entry.num * 2) > hdr>length) 
+ if (sizeof (struct capability_orf_entry) + (entry.num * 2) != hdr>length) 
{ 
zlog_info ("%s ORF Capability entry length error," 
" Cap length %u, num %u", 
@@ 348,28 +348,6 @@ bgp_capability_orf_entry (struct peer *p 
} 
static int 
bgp_capability_orf (struct peer *peer, struct capability_header *hdr) 
{ 
 struct stream *s = BGP_INPUT (peer); 
 size_t end = stream_get_getp (s) + hdr>length; 
 assert (stream_get_getp(s) + sizeof(struct capability_orf_entry) <= end); 
 /* We must have at least one ORF entry, as the caller has already done 
 * minimum length validation for the capability code  for ORF there must 
 * at least one ORF entry (header and unknown number of pairs of bytes). 
 */ 
 do 
 { 
 if (bgp_capability_orf_entry (peer, hdr) == 1) 
 return 1; 
 } 
 while (stream_get_getp(s) + sizeof(struct capability_orf_entry) < end); 
 return 0; 
} 
static int 
bgp_capability_restart (struct peer *peer, struct capability_header *caphdr) 
{ 
struct stream *s = BGP_INPUT (peer); 
@@ 580,7 +558,7 @@ bgp_capability_parse (struct peer *peer, 
break; 
case CAPABILITY_CODE_ORF: 
case CAPABILITY_CODE_ORF_OLD: 
 if (bgp_capability_orf (peer, &caphdr)) 
+ if (bgp_capability_orf_entry (peer, &caphdr)) 
return 1; 
break; 
case CAPABILITY_CODE_RESTART: 
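Review bot: The first hunk's new test `if (sizeof (struct capability_orf_entry) + (entry.num * 2) != hdr->length)` compares a wire length against an in-memory `sizeof`, so it is only exact if `struct capability_orf_entry` carries no alignment padding, which is not visible here; if the struct is padded, the strict `!=` rejects every well-formed ORF capability, where the old `>` merely let them through. A check beside the comparison that ties `sizeof (struct capability_orf_entry)` to the wire size of the entry header (AFI, reserved, SAFI, num), with a comment saying why the equality must be exact, would make that assumption explicit instead of implicit. The third hunk's `if (bgp_capability_orf_entry (peer, &caphdr))` is the other half of the same fix: the entry now has to fill the capability exactly, so a caller-side loop over the remaining bytes can no longer advance; a one-line comment at that call site noting that an ORF capability is parsed as a single entry would keep the removed loop from being reintroduced. The enclosing `switch` in `bgp_capability_parse` begins and ends outside the hunk.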