diff options
Diffstat (limited to 'meta-networking/recipes-protocols/quagga/files/0001-bgpd-relax-ORF-capability-length-handling.patch')
| -rw-r--r-- | meta-networking/recipes-protocols/quagga/files/0001-bgpd-relax-ORF-capability-length-handling.patch | 42 |
1 files changed, 42 insertions, 0 deletions
diff --git a/meta-networking/recipes-protocols/quagga/files/0001-bgpd-relax-ORF-capability-length-handling.patch b/meta-networking/recipes-protocols/quagga/files/0001-bgpd-relax-ORF-capability-length-handling.patch new file mode 100644 index 0000000000..0ec02dc861 --- /dev/null +++ b/meta-networking/recipes-protocols/quagga/files/0001-bgpd-relax-ORF-capability-length-handling.patch @@ -0,0 +1,42 @@ +From 5e728e929942d39ce5a4ab3d01c33f7b688c4e3f Mon Sep 17 00:00:00 2001 +From: David Lamparter <equinox@opensourcerouting.org> +Date: Wed, 23 Jan 2013 05:50:24 +0100 +Subject: [PATCH] bgpd: relax ORF capability length handling + +Upstream-Status: Backport + +commit fe9bb64... "bgpd: CVE-2012-1820, DoS in bgp_capability_orf()" +made the length test in bgp_capability_orf_entry() stricter and is now +causing us to refuse (with CEASE) ORF capabilites carrying any excess +data. This does not conform to the robustness principle as laid out by +RFC1122 ("be liberal in what you accept"). + +Even worse, RFC5291 is quite unclear on how to use the ORF capability +with multiple AFI/SAFIs. It can be interpreted as either "use one +instance, stuff everything in" but also as "use multiple instances". +So, if not for applying robustness, we end up clearing sessions from +implementations going by the former interpretation. (or if anyone dares +add a byte of padding...) + +Cc: Denis Ovsienko <infrastation@yandex.ru> +Signed-off-by: David Lamparter <equinox@opensourcerouting.org> +--- + bgpd/bgp_open.c | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +diff --git a/bgpd/bgp_open.c b/bgpd/bgp_open.c +index af711cc..7bf3501 100644 +--- a/bgpd/bgp_open.c ++++ b/bgpd/bgp_open.c +@@ -230,7 +230,7 @@ bgp_capability_orf_entry (struct peer *peer, struct capability_header *hdr) + } + + /* validate number field */ +- if (sizeof (struct capability_orf_entry) + (entry.num * 2) != hdr->length) ++ if (sizeof (struct capability_orf_entry) + (entry.num * 2) > hdr->length) + { + zlog_info ("%s ORF Capability entry length error," + " Cap length %u, num %u", +-- +1.7.5.4 + |