Fix a BGP DoS issue in bgp_capability_orf(). CVE-2012-1820

ok sthen@
2012-12-08 18:42:43 +00:00 · 2012-12-08 18:42:43 +00:00 · 3343f77fdb
commit 3343f77fdb
parent bffe0c9da8
2 changed files with 55 additions and 1 deletions
--- a/net/quagga/Makefile
+++ b/net/quagga/Makefile
@ -1,8 +1,9 @@
-# $OpenBSD: Makefile,v 1.30 2012/09/19 16:35:06 sthen Exp $
+# $OpenBSD: Makefile,v 1.31 2012/12/08 18:42:43 brad Exp $

 COMMENT=	multi-threaded routing daemon

 DISTNAME=	quagga-0.99.21
+REVISION=	0
 SHARED_LIBS=	ospf		0.0 \
 		ospfapiclient	0.0 \
 		zebra		0.0
--- a/net/quagga/patches/patch-bgpd_bgp_open_c
+++ b/net/quagga/patches/patch-bgpd_bgp_open_c
@ -0,0 +1,53 @@
+$OpenBSD: patch-bgpd_bgp_open_c,v 1.3 2012/12/08 18:42:43 brad Exp $
+
+DoS in bgp_capability_orf(). CVE-2012-1820
+
+--- bgpd/bgp_open.c.orig	Sat Dec  8 03:33:55 2012
+++ bgpd/bgp_open.c	Sat Dec  8 03:35:17 2012
+@@ -232,7 +232,7 @@ bgp_capability_orf_entry (struct peer *peer, struct ca
+     }
+   
+   /* validate number field */
+-  if (sizeof (struct capability_orf_entry) + (entry.num * 2) > hdr->length)
+  if (sizeof (struct capability_orf_entry) + (entry.num * 2) != hdr->length)
+     {
+       zlog_info ("%s ORF Capability entry length error,"
+                  " Cap length %u, num %u",
+@@ -336,28 +336,6 @@ bgp_capability_orf_entry (struct peer *peer, struct ca
+ }
+ 
+ static int
+-bgp_capability_orf (struct peer *peer, struct capability_header *hdr)
+-{
+-  struct stream *s = BGP_INPUT (peer);
+-  size_t end = stream_get_getp (s) + hdr->length;
+-  
+-  assert (stream_get_getp(s) + sizeof(struct capability_orf_entry) <= end);
+-  
+-  /* We must have at least one ORF entry, as the caller has already done
+-   * minimum length validation for the capability code - for ORF there must
+-   * at least one ORF entry (header and unknown number of pairs of bytes).
+-   */
+-  do
+-    {
+-      if (bgp_capability_orf_entry (peer, hdr) == -1)
+-        return -1;
+-    } 
+-  while (stream_get_getp(s) + sizeof(struct capability_orf_entry) < end);
+-  
+-  return 0;
+-}
+-
+-static int
+ bgp_capability_restart (struct peer *peer, struct capability_header *caphdr)
+ {
+   struct stream *s = BGP_INPUT (peer);
+@@ -575,7 +553,7 @@ bgp_capability_parse (struct peer *peer, size_t length
+             break;
+           case CAPABILITY_CODE_ORF:
+           case CAPABILITY_CODE_ORF_OLD:
+-            if (bgp_capability_orf (peer, &caphdr))
+            if (bgp_capability_orf_entry (peer, &caphdr))
+               return -1;
+             break;
+           case CAPABILITY_CODE_RESTART: