diff -r 11762b8a16cb -r e630b9a06d32 components/quagga/patches/09-cve-2012-1820.patch
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/components/quagga/patches/09-cve-2012-1820.patch Fri Jun 29 18:38:09 2012 -0700
@@ -0,0 +1,58 @@
+The following patch is pulled directly from the GIT repository
+for the quagga community. It fixes the following CVE:
+
+CVE-2012-1820.
+
+The patched CVE is included in Quagga 0.99.22. This patch
+file can be removed if Quagga is upgraded to that version.
+
+
+--- bgpd/bgp_open.c
++++ bgpd/bgp_open.c
+@@ -244,7 +244,7 @@ bgp_capability_orf_entry (struct peer *p
+ }
+
+ /* validate number field */
+- if (sizeof (struct capability_orf_entry) + (entry.num * 2) > hdr->length)
++ if (sizeof (struct capability_orf_entry) + (entry.num * 2) != hdr->length)
+ {
+ zlog_info ("%s ORF Capability entry length error,"
+ " Cap length %u, num %u",
+@@ -348,28 +348,6 @@ bgp_capability_orf_entry (struct peer *p
+ }
+
+ static int
+-bgp_capability_orf (struct peer *peer, struct capability_header *hdr)
+-{
+- struct stream *s = BGP_INPUT (peer);
+- size_t end = stream_get_getp (s) + hdr->length;
+-
+- assert (stream_get_getp(s) + sizeof(struct capability_orf_entry) <= end);
+-
+- /* We must have at least one ORF entry, as the caller has already done
+- * minimum length validation for the capability code - for ORF there must
+- * at least one ORF entry (header and unknown number of pairs of bytes).
+- */
+- do
+- {
+- if (bgp_capability_orf_entry (peer, hdr) == -1)
+- return -1;
+- }
+- while (stream_get_getp(s) + sizeof(struct capability_orf_entry) < end);
+-
+- return 0;
+-}
+-
+-static int
+ bgp_capability_restart (struct peer *peer, struct capability_header *caphdr)
+ {
+ struct stream *s = BGP_INPUT (peer);
+@@ -580,7 +558,7 @@ bgp_capability_parse (struct peer *peer,
+ break;
+ case CAPABILITY_CODE_ORF:
+ case CAPABILITY_CODE_ORF_OLD:
+- if (bgp_capability_orf (peer, &caphdr))
++ if (bgp_capability_orf_entry (peer, &caphdr))
+ return -1;
+ break;
+ case CAPABILITY_CODE_RESTART:
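Review bot: The length check in bgp_capability_orf_entry now requires `sizeof (struct capability_orf_entry) + (entry.num * 2)` to equal `hdr->length` exactly, and the removed bgp_capability_orf loop was the only visible code that walked several entries, so a capability carrying more than one ORF entry presumably now takes the length-error path instead of being parsed. Failing closed is a reasonable choice for a parser of untrusted OPEN data, but the new contract is not written down; I would add a comment above the check such as `/* exactly one ORF entry per capability: header plus num pairs must fill hdr->length */`. The patch header also says the fix was pulled from the upstream Git repository without naming the commit, so a line like `Upstream commit: <upstream-commit-id>` would let the next maintainer verify the backport before dropping it at 0.99.22. The bodies of bgp_capability_orf_entry and bgp_capability_parse continue outside the hunks shown, so the error path after the zlog_info call could not be checked here.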