



Revision 232974 - (show annotations) (download)
Mon Apr 23 15:19:42 2012 UTC (11 years, 11 months ago) by luigiwalser
File size: 3125 byte(s)
fix CVE-2012-0249, CVE-2012-0250, CVE-2012-0255 (from upstream)
1 From 5861739f8c38bc36ea9955e5cb2be2bf2f482d70 Mon Sep 17 00:00:00 2001
2 From: Paul Jakma <paul@quagga.net>
3 Date: Mon, 09 Jan 2012 20:59:26 +0000
4 Subject: bgpd: Open option parse errors don't NOTIFY, resulting in abort & DoS
5
6 * bgp_packet.c: (bgp_open_receive) Errors from bgp_open_option_parse are
7 detected, and the code will stop processing the OPEN and return. However
8 it does so without calling bgp_notify_send to send a NOTIFY - which means
9 the peer FSM doesn't get stopped, and bgp_read will be called again later.
10 Because it returns, it doesn't go through the code near the end of the
11 function that removes the current message from the peer input stream.
12 Thus the next call to bgp_read will try to parse a half-parsed stream as
13 if it were a new BGP message, leading to an assert later in the code when
14 it tries to read stuff that isn't there. Add the required call to
15 bgp_notify_send before returning.
16 * bgp_open.c: (bgp_capability_as4) Be a bit stricter, check the length field
17 corresponds to the only value it can be, which is the amount we're going to
18 read off the stream. And make sure the capability flag gets set, so
19 callers can know this capability was read, regardless.
20 (peek_for_as4_capability) Let bgp_capability_as4 do the length check.
21 ---
22 diff --git a/bgpd/bgp_open.c b/bgpd/bgp_open.c
23 index 82deb3d..b5b50bb 100644
24 --- a/bgpd/bgp_open.c
25 +++ b/bgpd/bgp_open.c
26 @@ -421,13 +421,20 @@ bgp_capability_restart (struct peer *peer, struct capability_header *caphdr)
27 static as_t
28 bgp_capability_as4 (struct peer *peer, struct capability_header *hdr)
29 {
30 + SET_FLAG (peer->cap, PEER_CAP_AS4_RCV);
31 +
32 + if (hdr->length != CAPABILITY_CODE_AS4_LEN)
33 + {
34 + zlog_err ("%s AS4 capability has incorrect data length %d",
35 + peer->host, hdr->length);
36 + return 0;
37 + }
38 +
39 as_t as4 = stream_getl (BGP_INPUT(peer));
40
41 if (BGP_DEBUG (as4, AS4))
42 zlog_debug ("%s [AS4] about to set cap PEER_CAP_AS4_RCV, got as4 %u",
43 peer->host, as4);
44 - SET_FLAG (peer->cap, PEER_CAP_AS4_RCV);
45 -
46 return as4;
47 }
48
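Review bot: The new early return in bgp_capability_as4 makes 0 the error sentinel and reads nothing from the stream in that case, but nothing at the function says so, and the second hunk (peek_for_as4_capability) now depends on that contract by dropping its own `goto end` length check. A header comment would pin the contract down: `/* Returns the peer's 4-octet AS, or 0 when hdr->length is not CAPABILITY_CODE_AS4_LEN (no bytes are consumed then). PEER_CAP_AS4_RCV is set either way so callers can tell the capability was present. */`. Note that the flag is deliberately set before the length check, so a malformed AS4 capability still marks the peer as AS4-capable; if any caller treats the flag alone as "a valid AS4 was read" that should be confirmed outside this hunk.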
49 @@ -689,9 +696,6 @@ peek_for_as4_capability (struct peer *peer, u_char length)
50
51 if (hdr.code == CAPABILITY_CODE_AS4)
52 {
53 - if (hdr.length != CAPABILITY_CODE_AS4_LEN)
54 - goto end;
55 -
56 if (BGP_DEBUG (as4, AS4))
57 zlog_info ("[AS4] found AS4 capability, about to parse");
58 as4 = bgp_capability_as4 (peer, &hdr);
59 diff --git a/bgpd/bgp_packet.c b/bgpd/bgp_packet.c
60 index f5a74d1..5d8087a 100644
61 --- a/bgpd/bgp_packet.c
62 +++ b/bgpd/bgp_packet.c
63 @@ -1459,9 +1459,13 @@ bgp_open_receive (struct peer *peer, bgp_size_t size)
64 /* Open option part parse. */
65 if (optlen != 0)
66 {
67 - ret = bgp_open_option_parse (peer, optlen, &capability);
68 - if (ret < 0)
69 - return ret;
70 + if ((ret = bgp_open_option_parse (peer, optlen, &capability)) < 0)
71 + {
72 + bgp_notify_send (peer,
73 + BGP_NOTIFY_OPEN_ERR,
74 + BGP_NOTIFY_OPEN_UNACEP_HOLDTIME);
75 + return ret;
76 + }
77 }
78 else
79 {
80 --
81 cgit v0.9.0.2
