1 files changed, 42 insertions, 0 deletions
diff --git a/meta-networking/recipes-protocols/quagga/files/0001-bgpd-relax-ORF-capability-length-handling.patch b/meta-networking/recipes-protocols/quagga/files/0001-bgpd-relax-ORF-capability-length-handling.patch
new file mode 100644
index 0000000000..0ec02dc861
--- /dev/null
+++ b/meta-networking/recipes-protocols/quagga/files/0001-bgpd-relax-ORF-capability-length-handling.patch
@@ -0,0 +1,42 @@
+From 5e728e929942d39ce5a4ab3d01c33f7b688c4e3f Mon Sep 17 00:00:00 2001
+From: David Lamparter <equinox@opensourcerouting.org>
+Date: Wed, 23 Jan 2013 05:50:24 +0100
+Subject: [PATCH] bgpd: relax ORF capability length handling
+Upstream-Status: Backport
+commit fe9bb64... "bgpd: CVE-2012-1820, DoS in bgp_capability_orf()"
+made the length test in bgp_capability_orf_entry() stricter and is now
+causing us to refuse (with CEASE) ORF capabilites carrying any excess
+data.  This does not conform to the robustness principle as laid out by
+RFC1122 ("be liberal in what you accept").
+Even worse, RFC5291 is quite unclear on how to use the ORF capability
+with multiple AFI/SAFIs.  It can be interpreted as either "use one
+instance, stuff everything in" but also as "use multiple instances".
+So, if not for applying robustness, we end up clearing sessions from
+implementations going by the former interpretation.  (or if anyone dares
+add a byte of padding...)
+Cc: Denis Ovsienko <infrastation@yandex.ru>
+Signed-off-by: David Lamparter <equinox@opensourcerouting.org>
+---
+ bgpd/bgp_open.c |    2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+diff --git a/bgpd/bgp_open.c b/bgpd/bgp_open.c
+index af711cc..7bf3501 100644
+--- a/bgpd/bgp_open.c
+++ b/bgpd/bgp_open.c
+@@ -230,7 +230,7 @@ bgp_capability_orf_entry (struct peer *peer, struct capability_header *hdr)
+     }
+   
+   /* validate number field */
+-  if (sizeof (struct capability_orf_entry) + (entry.num * 2) != hdr->length)
+  if (sizeof (struct capability_orf_entry) + (entry.num * 2) > hdr->length)
+     {
+       zlog_info ("%s ORF Capability entry length error,"
+                  " Cap length %u, num %u",
+-- 
+1.7.5.4

diff --git a/meta-networking/recipes-protocols/quagga/files/0001-bgpd-relax-ORF-capability-length-handling.patch b/meta-networking/recipes-protocols/quagga/files/0001-bgpd-relax-ORF-capability-length-handling.patch new file mode 100644 index 0000000000..0ec02dc861 --- /dev/null +++ b/meta-networking/recipes-protocols/quagga/files/0001-bgpd-relax-ORF-capability-length-handling.patch
@@ -0,0 +1,42 @@
	1	From 5e728e929942d39ce5a4ab3d01c33f7b688c4e3f Mon Sep 17 00:00:00 2001
	2	From: David Lamparter <equinox@opensourcerouting.org>
	3	Date: Wed, 23 Jan 2013 05:50:24 +0100
	4	Subject: [PATCH] bgpd: relax ORF capability length handling
	5
	6	Upstream-Status: Backport
	7
	8	commit fe9bb64... "bgpd: CVE-2012-1820, DoS in bgp_capability_orf()"
	9	made the length test in bgp_capability_orf_entry() stricter and is now
	10	causing us to refuse (with CEASE) ORF capabilites carrying any excess
	11	data. This does not conform to the robustness principle as laid out by
	12	RFC1122 ("be liberal in what you accept").
	13
	14	Even worse, RFC5291 is quite unclear on how to use the ORF capability
	15	with multiple AFI/SAFIs. It can be interpreted as either "use one
	16	instance, stuff everything in" but also as "use multiple instances".
	17	So, if not for applying robustness, we end up clearing sessions from
	18	implementations going by the former interpretation. (or if anyone dares
	19	add a byte of padding...)
	20
	21	Cc: Denis Ovsienko <infrastation@yandex.ru>
	22	Signed-off-by: David Lamparter <equinox@opensourcerouting.org>
	23	---
	24	bgpd/bgp_open.c \| 2 +-
	25	1 files changed, 1 insertions(+), 1 deletions(-)
	26
	27	diff --git a/bgpd/bgp_open.c b/bgpd/bgp_open.c
	28	index af711cc..7bf3501 100644
	29	--- a/bgpd/bgp_open.c
	30	+++ b/bgpd/bgp_open.c
	31	@@ -230,7 +230,7 @@ bgp_capability_orf_entry (struct peer peer, struct capability_header hdr)
	32	}
	33
	34	/* validate number field */
	35	- if (sizeof (struct capability_orf_entry) + (entry.num * 2) != hdr->length)
	36	+ if (sizeof (struct capability_orf_entry) + (entry.num * 2) > hdr->length)
	37	{
	38	zlog_info ("%s ORF Capability entry length error,"
	39	" Cap length %u, num %u",
	40	--
	41	1.7.5.4
	42