components/quagga/patches/09-cve-2012-1820.patch
author Mike Sullivan <Mike.Sullivan@Oracle.COM>
Wed, 29 Aug 2012 11:05:56 -0700
changeset 957 255465c5756f
parent 897 f239fb8865f3
permissions -rw-r--r--
Close of build 04.
The following patch is pulled directly from the GIT repository
for the quagga community. It fixes the following CVE:

CVE-2012-1820.

The fix for this CVE is included in Quagga 0.99.22. This patch
file can be removed if Quagga is upgraded to that version.


--- bgpd/bgp_open.c
+++ bgpd/bgp_open.c
@@ -244,7 +244,7 @@ bgp_capability_orf_entry (struct peer *p
     }
   
   /* validate number field */
-  if (sizeof (struct capability_orf_entry) + (entry.num * 2) > hdr->length)
+  if (sizeof (struct capability_orf_entry) + (entry.num * 2) != hdr->length)
     {
       zlog_info ("%s ORF Capability entry length error,"
                  " Cap length %u, num %u",
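Review bot: The `/* validate number field */` comment above the changed condition no longer says what the check enforces: with `!=` the entry must account for exactly `hdr->length` bytes rather than merely fit inside it, and nothing at this point explains why exact equality is required. Suggest `/* validate number field: the entry must fill the capability exactly, since bgp_capability_parse now hands the whole ORF capability to this single entry */`. The zlog_info call that follows continues past the hunk and still reports both `hdr->length` and `num`, which is enough to diagnose a rejected capability. bgp_capability_orf_entry's body starts and ends outside the hunk.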
@@ -348,28 +348,6 @@ bgp_capability_orf_entry (struct peer *p
 }
 
 static int
-bgp_capability_orf (struct peer *peer, struct capability_header *hdr)
-{
-  struct stream *s = BGP_INPUT (peer);
-  size_t end = stream_get_getp (s) + hdr->length;
-  
-  assert (stream_get_getp(s) + sizeof(struct capability_orf_entry) <= end);
-  
-  /* We must have at least one ORF entry, as the caller has already done
-   * minimum length validation for the capability code - for ORF there must
-   * at least one ORF entry (header and unknown number of pairs of bytes).
-   */
-  do
-    {
-      if (bgp_capability_orf_entry (peer, hdr) == -1)
-        return -1;
-    } 
-  while (stream_get_getp(s) + sizeof(struct capability_orf_entry) < end);
-  
-  return 0;
-}
-
-static int
 bgp_capability_restart (struct peer *peer, struct capability_header *caphdr)
 {
   struct stream *s = BGP_INPUT (peer);
@@ -580,7 +558,7 @@ bgp_capability_parse (struct peer *peer,
             break;
           case CAPABILITY_CODE_ORF:
           case CAPABILITY_CODE_ORF_OLD:
-            if (bgp_capability_orf (peer, &caphdr))
+            if (bgp_capability_orf_entry (peer, &caphdr))
               return -1;
             break;
           case CAPABILITY_CODE_RESTART:
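Review bot: With the loop removed, the call `bgp_capability_orf_entry (peer, &caphdr)` depends on the per-code minimum-length validation elsewhere in bgp_capability_parse to guarantee that at least `sizeof (struct capability_orf_entry)` bytes remain before the entry header is read; the `assert` in the deleted bgp_capability_orf was the only visible statement of that precondition, so it is worth confirming that the caller's check still covers CAPABILITY_CODE_ORF and CAPABILITY_CODE_ORF_OLD and recording it at the call site. Suggest `/* single ORF entry; it must span the whole capability (exact length checked in bgp_capability_orf_entry) */` above the `if`. The surrounding switch and bgp_capability_parse start and end outside the hunk.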