The following patch is pulled directly from the GIT repository

for the quagga community. It fixes the following CVE:

CVE-2012-1820.

The patched CVE is included in Quagga 0.99.22. This patch

file can be removed if Quagga is upgraded to that version.

--- bgpd/bgp_open.c

+++ bgpd/bgp_open.c

@@ -244,7 +244,7 @@ bgp_capability_orf_entry (struct peer *p

     }

   /* validate number field */

-  if (sizeof (struct capability_orf_entry) + (entry.num * 2) > hdr->length)

+  if (sizeof (struct capability_orf_entry) + (entry.num * 2) != hdr->length)

     {

       zlog_info ("%s ORF Capability entry length error,"

                  " Cap length %u, num %u",

@@ -348,28 +348,6 @@ bgp_capability_orf_entry (struct peer *p

 }

 static int

-bgp_capability_orf (struct peer *peer, struct capability_header *hdr)

-{

-  struct stream *s = BGP_INPUT (peer);

-  size_t end = stream_get_getp (s) + hdr->length;

-  

-  assert (stream_get_getp(s) + sizeof(struct capability_orf_entry) <= end);

-  

-  /* We must have at least one ORF entry, as the caller has already done

-   * minimum length validation for the capability code - for ORF there must

-   * at least one ORF entry (header and unknown number of pairs of bytes).

-   */

-  do

-    {

-      if (bgp_capability_orf_entry (peer, hdr) == -1)

-        return -1;

-    } 

-  while (stream_get_getp(s) + sizeof(struct capability_orf_entry) < end);

-  

-  return 0;

-}

-

-static int

 bgp_capability_restart (struct peer *peer, struct capability_header *caphdr)

 {

   struct stream *s = BGP_INPUT (peer);

@@ -580,7 +558,7 @@ bgp_capability_parse (struct peer *peer,

             break;

           case CAPABILITY_CODE_ORF:

           case CAPABILITY_CODE_ORF_OLD:

-            if (bgp_capability_orf (peer, &caphdr))

+            if (bgp_capability_orf_entry (peer, &caphdr))

               return -1;

             break;

           case CAPABILITY_CODE_RESTART: