diff options
| author | Yue Tao <Yue.Tao@windriver.com> | 2014-06-15 22:24:44 -0400 |
|---|---|---|
| committer | Joe MacDonald <joe_macdonald@mentor.com> | 2014-06-15 23:21:56 -0400 |
| commit | 26b31ad72899a68d93029f5cce4afa63c3b78a6b (patch) | |
| tree | e0d1c162da0fd449b4887e7f3b8e1c77ff0f1cfd /meta-networking/recipes-protocols/quagga/files/0001-bgpd-relax-ORF-capability-length-handling.patch | |
| parent | d42a2e16056777615e6bcc126cdb92db3b4f9cdf (diff) | |
| download | meta-openembedded-26b31ad72899a68d93029f5cce4afa63c3b78a6b.tar.gz | |
quagga: Security Advisory - CVE-2012-1820
The bgp_capability_orf function in bgpd in Quagga 0.99.20.1 and earlier
allows remote attackers to cause a denial of service (assertion failure
and daemon exit) by leveraging a BGP peering relationship and sending a
malformed Outbound Route Filtering (ORF) capability TLV in an OPEN
message.
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-1820
Signed-off-by: Yue Tao <Yue.Tao@windriver.com>
Signed-off-by: Jackie Huang <jackie.huang@windriver.com>
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
Diffstat (limited to 'meta-networking/recipes-protocols/quagga/files/0001-bgpd-relax-ORF-capability-length-handling.patch')
| -rw-r--r-- | meta-networking/recipes-protocols/quagga/files/0001-bgpd-relax-ORF-capability-length-handling.patch | 42 |
1 files changed, 42 insertions, 0 deletions
diff --git a/meta-networking/recipes-protocols/quagga/files/0001-bgpd-relax-ORF-capability-length-handling.patch b/meta-networking/recipes-protocols/quagga/files/0001-bgpd-relax-ORF-capability-length-handling.patch new file mode 100644 index 0000000000..0ec02dc861 --- /dev/null +++ b/meta-networking/recipes-protocols/quagga/files/0001-bgpd-relax-ORF-capability-length-handling.patch | |||
| @@ -0,0 +1,42 @@ | |||
| 1 | From 5e728e929942d39ce5a4ab3d01c33f7b688c4e3f Mon Sep 17 00:00:00 2001 | ||
| 2 | From: David Lamparter <equinox@opensourcerouting.org> | ||
| 3 | Date: Wed, 23 Jan 2013 05:50:24 +0100 | ||
| 4 | Subject: [PATCH] bgpd: relax ORF capability length handling | ||
| 5 | |||
| 6 | Upstream-Status: Backport | ||
| 7 | |||
| 8 | commit fe9bb64... "bgpd: CVE-2012-1820, DoS in bgp_capability_orf()" | ||
| 9 | made the length test in bgp_capability_orf_entry() stricter and is now | ||
| 10 | causing us to refuse (with CEASE) ORF capabilites carrying any excess | ||
| 11 | data. This does not conform to the robustness principle as laid out by | ||
| 12 | RFC1122 ("be liberal in what you accept"). | ||
| 13 | |||
| 14 | Even worse, RFC5291 is quite unclear on how to use the ORF capability | ||
| 15 | with multiple AFI/SAFIs. It can be interpreted as either "use one | ||
| 16 | instance, stuff everything in" but also as "use multiple instances". | ||
| 17 | So, if not for applying robustness, we end up clearing sessions from | ||
| 18 | implementations going by the former interpretation. (or if anyone dares | ||
| 19 | add a byte of padding...) | ||
| 20 | |||
| 21 | Cc: Denis Ovsienko <infrastation@yandex.ru> | ||
| 22 | Signed-off-by: David Lamparter <equinox@opensourcerouting.org> | ||
| 23 | --- | ||
| 24 | bgpd/bgp_open.c | 2 +- | ||
| 25 | 1 files changed, 1 insertions(+), 1 deletions(-) | ||
| 26 | |||
| 27 | diff --git a/bgpd/bgp_open.c b/bgpd/bgp_open.c | ||
| 28 | index af711cc..7bf3501 100644 | ||
| 29 | --- a/bgpd/bgp_open.c | ||
| 30 | +++ b/bgpd/bgp_open.c | ||
| 31 | @@ -230,7 +230,7 @@ bgp_capability_orf_entry (struct peer *peer, struct capability_header *hdr) | ||
| 32 | } | ||
| 33 | |||
| 34 | /* validate number field */ | ||
| 35 | - if (sizeof (struct capability_orf_entry) + (entry.num * 2) != hdr->length) | ||
| 36 | + if (sizeof (struct capability_orf_entry) + (entry.num * 2) > hdr->length) | ||
| 37 | { | ||
| 38 | zlog_info ("%s ORF Capability entry length error," | ||
| 39 | " Cap length %u, num %u", | ||
| 40 | -- | ||
| 41 | 1.7.5.4 | ||
| 42 | |||