Diffstat (limited to 'meta-networking/recipes-protocols/quagga/files/0001-bgpd-CVE-2012-1820-DoS-in-bgp_capability_orf.patch')
-rw-r--r--meta-networking/recipes-protocols/quagga/files/0001-bgpd-CVE-2012-1820-DoS-in-bgp_capability_orf.patch87
1 files changed, 0 insertions, 87 deletions
diff --git a/meta-networking/recipes-protocols/quagga/files/0001-bgpd-CVE-2012-1820-DoS-in-bgp_capability_orf.patch b/meta-networking/recipes-protocols/quagga/files/0001-bgpd-CVE-2012-1820-DoS-in-bgp_capability_orf.patch
deleted file mode 100644
index 5a2ee1b2ca..0000000000
--- a/meta-networking/recipes-protocols/quagga/files/0001-bgpd-CVE-2012-1820-DoS-in-bgp_capability_orf.patch
+++ /dev/null
@@ -1,87 +0,0 @@
-From fe9bb6459afe0d55e56619cdc5061d8407cd1f15 Mon Sep 17 00:00:00 2001
-From: Denis Ovsienko <infrastation@yandex.ru>
-Date: Thu, 19 Apr 2012 20:34:13 +0400
-Subject: [PATCH] bgpd: CVE-2012-1820, DoS in bgp_capability_orf()
-
-Upstream-Status: Backport
-
-An ORF (code 3) capability TLV is defined to contain exactly one
-AFI/SAFI block. Function bgp_capability_orf(), which parses ORF
-capability TLV, uses do-while cycle to call its helper function
-bgp_capability_orf_entry(), which actually processes the AFI/SAFI data
-block. The call is made at least once and repeated as long as the input
-buffer has enough data for the next call.
-
-The helper function, bgp_capability_orf_entry(), uses "Number of ORFs"
-field of the provided AFI/SAFI block to verify, if it fits the input
-buffer. However, the check is made based on the total length of the ORF
-TLV regardless of the data already consumed by the previous helper
-function call(s). This way, the check condition is only valid for the
-first AFI/SAFI block inside an ORF capability TLV.
-
-For the subsequent calls of the helper function, if any are made, the
-check condition may erroneously tell, that the current "Number of ORFs"
-field fits the buffer boundary, where in fact it does not. This makes it
-possible to trigger an assertion by feeding an OPEN message with a
-specially-crafted malformed ORF capability TLV.
-
-This commit fixes the vulnerability by making the implementation follow
-the spec.
----
- bgpd/bgp_open.c | 26 ++------------------------
- 1 files changed, 2 insertions(+), 24 deletions(-)
-
-diff --git a/bgpd/bgp_open.c b/bgpd/bgp_open.c
-index d045dde..af711cc 100644
---- a/bgpd/bgp_open.c
-+++ b/bgpd/bgp_open.c
-@@ -230,7 +230,7 @@ bgp_capability_orf_entry (struct peer *peer, struct capability_header *hdr)
- }
-
- /* validate number field */
-- if (sizeof (struct capability_orf_entry) + (entry.num * 2) > hdr->length)
-+ if (sizeof (struct capability_orf_entry) + (entry.num * 2) != hdr->length)
- {
- zlog_info ("%s ORF Capability entry length error,"
- " Cap length %u, num %u",
-@@ -334,28 +334,6 @@ bgp_capability_orf_entry (struct peer *peer, struct capability_header *hdr)
- }
-
- static int
--bgp_capability_orf (struct peer *peer, struct capability_header *hdr)
--{
-- struct stream *s = BGP_INPUT (peer);
-- size_t end = stream_get_getp (s) + hdr->length;
--
-- assert (stream_get_getp(s) + sizeof(struct capability_orf_entry) <= end);
--
-- /* We must have at least one ORF entry, as the caller has already done
-- * minimum length validation for the capability code - for ORF there must
-- * at least one ORF entry (header and unknown number of pairs of bytes).
-- */
-- do
-- {
-- if (bgp_capability_orf_entry (peer, hdr) == -1)
-- return -1;
-- }
-- while (stream_get_getp(s) + sizeof(struct capability_orf_entry) < end);
--
-- return 0;
--}
--
--static int
- bgp_capability_restart (struct peer *peer, struct capability_header *caphdr)
- {
- struct stream *s = BGP_INPUT (peer);
-@@ -573,7 +551,7 @@ bgp_capability_parse (struct peer *peer, size_t length, int *mp_capability,
- break;
- case CAPABILITY_CODE_ORF:
- case CAPABILITY_CODE_ORF_OLD:
-- if (bgp_capability_orf (peer, &caphdr))
-+ if (bgp_capability_orf_entry (peer, &caphdr))
- return -1;
- break;
- case CAPABILITY_CODE_RESTART:
---
-1.7.5.4
-