components/quagga/patches/09-cve-2012-1820.patch
changeset 897 f239fb8865f3
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/components/quagga/patches/09-cve-2012-1820.patch	Thu Jun 28 13:03:20 2012 -0700
@@ -0,0 +1,58 @@
+The following patch is pulled directly from the GIT repository
+for the quagga community. It fixes the following CVE:
+
+CVE-2012-1820.
+
+The patched CVE is included in Quagga 0.99.22. This patch
+file can be removed if Quagga is upgraded to that version.
+
+
+--- bgpd/bgp_open.c
++++ bgpd/bgp_open.c
+@@ -244,7 +244,7 @@ bgp_capability_orf_entry (struct peer *p
+     }
+   
+   /* validate number field */
+-  if (sizeof (struct capability_orf_entry) + (entry.num * 2) > hdr->length)
++  if (sizeof (struct capability_orf_entry) + (entry.num * 2) != hdr->length)
+     {
+       zlog_info ("%s ORF Capability entry length error,"
+                  " Cap length %u, num %u",
+@@ -348,28 +348,6 @@ bgp_capability_orf_entry (struct peer *p
+ }
+ 
+ static int
+-bgp_capability_orf (struct peer *peer, struct capability_header *hdr)
+-{
+-  struct stream *s = BGP_INPUT (peer);
+-  size_t end = stream_get_getp (s) + hdr->length;
+-  
+-  assert (stream_get_getp(s) + sizeof(struct capability_orf_entry) <= end);
+-  
+-  /* We must have at least one ORF entry, as the caller has already done
+-   * minimum length validation for the capability code - for ORF there must
+-   * at least one ORF entry (header and unknown number of pairs of bytes).
+-   */
+-  do
+-    {
+-      if (bgp_capability_orf_entry (peer, hdr) == -1)
+-        return -1;
+-    } 
+-  while (stream_get_getp(s) + sizeof(struct capability_orf_entry) < end);
+-  
+-  return 0;
+-}
+-
+-static int
+ bgp_capability_restart (struct peer *peer, struct capability_header *caphdr)
+ {
+   struct stream *s = BGP_INPUT (peer);
+@@ -580,7 +558,7 @@ bgp_capability_parse (struct peer *peer,
+             break;
+           case CAPABILITY_CODE_ORF:
+           case CAPABILITY_CODE_ORF_OLD:
+-            if (bgp_capability_orf (peer, &caphdr))
++            if (bgp_capability_orf_entry (peer, &caphdr))
+               return -1;
+             break;
+           case CAPABILITY_CODE_RESTART:
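Review bot: The patch header says the fix was pulled directly from the Quagga git repository but records no upstream commit id, so a later audit cannot confirm that this file matches what upstream shipped; I would add a line such as `Upstream commit: <UPSTREAM_COMMIT_ID>` under the CVE line. On the code itself, the length test in bgp_capability_orf_entry is now an exact match (`!= hdr->length`) and bgp_capability_parse calls it once instead of looping, so an ORF capability that carries more than one entry appears to be rejected with the length error rather than parsed. That looks like the intended trade-off of the fix, but it is worth stating in the header so that an operator who sees "ORF Capability entry length error" in the logs after the update knows where it comes from. Only fragments of bgp_capability_orf_entry and bgp_capability_parse are visible in the embedded hunks, so the second point should be confirmed against the full functions.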