diff options
Diffstat (limited to 'meta-networking/recipes-protocols/quagga/files/0001-bgpd-CVE-2012-1820-DoS-in-bgp_capability_orf.patch')
-rw-r--r-- | meta-networking/recipes-protocols/quagga/files/0001-bgpd-CVE-2012-1820-DoS-in-bgp_capability_orf.patch | 87 |
1 files changed, 0 insertions, 87 deletions
diff --git a/meta-networking/recipes-protocols/quagga/files/0001-bgpd-CVE-2012-1820-DoS-in-bgp_capability_orf.patch b/meta-networking/recipes-protocols/quagga/files/0001-bgpd-CVE-2012-1820-DoS-in-bgp_capability_orf.patch deleted file mode 100644 index 5a2ee1b2ca..0000000000 --- a/meta-networking/recipes-protocols/quagga/files/0001-bgpd-CVE-2012-1820-DoS-in-bgp_capability_orf.patch +++ /dev/null @@ -1,87 +0,0 @@ -From fe9bb6459afe0d55e56619cdc5061d8407cd1f15 Mon Sep 17 00:00:00 2001 -From: Denis Ovsienko <infrastation@yandex.ru> -Date: Thu, 19 Apr 2012 20:34:13 +0400 -Subject: [PATCH] bgpd: CVE-2012-1820, DoS in bgp_capability_orf() - -Upstream-Status: Backport - -An ORF (code 3) capability TLV is defined to contain exactly one -AFI/SAFI block. Function bgp_capability_orf(), which parses ORF -capability TLV, uses do-while cycle to call its helper function -bgp_capability_orf_entry(), which actually processes the AFI/SAFI data -block. The call is made at least once and repeated as long as the input -buffer has enough data for the next call. - -The helper function, bgp_capability_orf_entry(), uses "Number of ORFs" -field of the provided AFI/SAFI block to verify, if it fits the input -buffer. However, the check is made based on the total length of the ORF -TLV regardless of the data already consumed by the previous helper -function call(s). This way, the check condition is only valid for the -first AFI/SAFI block inside an ORF capability TLV. - -For the subsequent calls of the helper function, if any are made, the -check condition may erroneously tell, that the current "Number of ORFs" -field fits the buffer boundary, where in fact it does not. This makes it -possible to trigger an assertion by feeding an OPEN message with a -specially-crafted malformed ORF capability TLV. - -This commit fixes the vulnerability by making the implementation follow -the spec. ---- - bgpd/bgp_open.c | 26 ++------------------------ - 1 files changed, 2 insertions(+), 24 deletions(-) - -diff --git a/bgpd/bgp_open.c b/bgpd/bgp_open.c -index d045dde..af711cc 100644 ---- a/bgpd/bgp_open.c -+++ b/bgpd/bgp_open.c -@@ -230,7 +230,7 @@ bgp_capability_orf_entry (struct peer *peer, struct capability_header *hdr) - } - - /* validate number field */ -- if (sizeof (struct capability_orf_entry) + (entry.num * 2) > hdr->length) -+ if (sizeof (struct capability_orf_entry) + (entry.num * 2) != hdr->length) - { - zlog_info ("%s ORF Capability entry length error," - " Cap length %u, num %u", -@@ -334,28 +334,6 @@ bgp_capability_orf_entry (struct peer *peer, struct capability_header *hdr) - } - - static int --bgp_capability_orf (struct peer *peer, struct capability_header *hdr) --{ -- struct stream *s = BGP_INPUT (peer); -- size_t end = stream_get_getp (s) + hdr->length; -- -- assert (stream_get_getp(s) + sizeof(struct capability_orf_entry) <= end); -- -- /* We must have at least one ORF entry, as the caller has already done -- * minimum length validation for the capability code - for ORF there must -- * at least one ORF entry (header and unknown number of pairs of bytes). -- */ -- do -- { -- if (bgp_capability_orf_entry (peer, hdr) == -1) -- return -1; -- } -- while (stream_get_getp(s) + sizeof(struct capability_orf_entry) < end); -- -- return 0; --} -- --static int - bgp_capability_restart (struct peer *peer, struct capability_header *caphdr) - { - struct stream *s = BGP_INPUT (peer); -@@ -573,7 +551,7 @@ bgp_capability_parse (struct peer *peer, size_t length, int *mp_capability, - break; - case CAPABILITY_CODE_ORF: - case CAPABILITY_CODE_ORF_OLD: -- if (bgp_capability_orf (peer, &caphdr)) -+ if (bgp_capability_orf_entry (peer, &caphdr)) - return -1; - break; - case CAPABILITY_CODE_RESTART: --- -1.7.5.4 - |