|
1 The following patch is pulled directly from the GIT repository |
|
2 for the quagga community. It fixes the following CVE: |
|
3 |
|
4 CVE-2012-1820. |
|
5 |
|
6 The fix for this CVE is included in Quagga 0.99.22. This patch |
|
7 file can be removed once Quagga is upgraded to that version. |
|
8 |
|
9 |
|
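--- a/bgpd/bgp_open.c
+++ b/bgpd/bgp_open.c
@@ -244,7 +244,7 @@ bgp_capability_orf_entry (struct peer *p
 }
 
 /* validate number field */
- if (sizeof (struct capability_orf_entry) + (entry.num * 2) > hdr->length)
+ if (sizeof (struct capability_orf_entry) + (entry.num * 2) != hdr->length)
 {
 zlog_info ("%s ORF Capability entry length error,"
 " Cap length %u, num %u",
@@ -348,28 +348,6 @@ bgp_capability_orf_entry (struct peer *p
 }
 
 static int
-bgp_capability_orf (struct peer *peer, struct capability_header *hdr)
-{
- struct stream *s = BGP_INPUT (peer);
- size_t end = stream_get_getp (s) + hdr->length;
-
- assert (stream_get_getp(s) + sizeof(struct capability_orf_entry) <= end);
-
- /* We must have at least one ORF entry, as the caller has already done
- * minimum length validation for the capability code - for ORF there must
- * at least one ORF entry (header and unknown number of pairs of bytes).
- */
- do
- {
- if (bgp_capability_orf_entry (peer, hdr) == -1)
- return -1;
- }
- while (stream_get_getp(s) + sizeof(struct capability_orf_entry) < end);
-
- return 0;
-}
-
-static int
 bgp_capability_restart (struct peer *peer, struct capability_header *caphdr)
 {
 struct stream *s = BGP_INPUT (peer);
@@ -580,7 +558,7 @@ bgp_capability_parse (struct peer *peer,
 break;
 case CAPABILITY_CODE_ORF:
 case CAPABILITY_CODE_ORF_OLD:
- if (bgp_capability_orf (peer, &caphdr))
+ if (bgp_capability_orf_entry (peer, &caphdr))
 return -1;
 break;
 case CAPABILITY_CODE_RESTART: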
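Review bot: The comment above the changed comparison in the first hunk still reads only `/* validate number field */`, yet the `!=` test now encodes a stricter rule. With the looping bgp_capability_orf wrapper removed, a capability whose `hdr->length` is anything other than one entry header plus `entry.num` two-byte pairs is rejected as a length error, including one that packs several entries. That is presumably the intended way to remove the peer-reachable `assert`, but the comment should say so, for example `/* capability must hold exactly one ORF entry: header plus num pairs of bytes; anything shorter or longer is rejected */`. It would also help to add a parser regression test that feeds ORF capabilities with too-short and too-long lengths and checks that the function returns -1 without aborting. bgp_capability_orf_entry starts and ends outside the hunk, so the type of `entry.num` and what follows the `zlog_info` call are not visible here.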