Merge pull request #624 from ecsv/batadv-for-18.06
1 From ce07207c50a3d1f05d6dd49b5294282e59749787 Mon Sep 17 00:00:00 2001
2 From: Paul Jakma <paul@jakma.org>
3 Date: Sat, 6 Jan 2018 21:20:51 +0000
4 Subject: bgpd/security: fix infinite loop on certain invalid OPEN messages
5
6 Security issue: Quagga-2018-1975
7 See: https://www.quagga.net/security/Quagga-2018-1975.txt
8
9 * bgpd/bgp_packet.c: (bgp_capability_msg_parse) capability parser can infinite
10 loop due to checks that issue 'continue' without bumping the input
11 pointer.
12
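--- a/bgpd/bgp_packet.c
+++ b/bgpd/bgp_packet.c
@@ -2251,7 +2251,8 @@ bgp_capability_msg_parse (struct peer *p
 
 end = pnt + length;
 
- while (pnt < end)
+ /* XXX: Streamify this */
+ for (; pnt < end; pnt += hdr->length + 3)
 {
 /* We need at least action, capability code and capability length. */
 if (pnt + 3 > end)
@@ -2339,7 +2340,6 @@ bgp_capability_msg_parse (struct peer *p
 zlog_warn ("%s unrecognized capability code: %d - ignored",
 peer->host, hdr->code);
 }
- pnt += hdr->length + 3;
 }
 return 0;
 }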
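Review bot: The new loop header in the first hunk, `for (; pnt < end; pnt += hdr->length + 3)`, reads `hdr` in its increment, but `hdr` is not assigned anywhere in the visible lines, so the loop is only correct while every `continue` in the body comes after that assignment and after the capability length has been validated against `end`. Nothing in the code records this invariant, and `/* XXX: Streamify this */` does not mention it. I would replace that comment with `/* The increment reads hdr->length: hdr must be set, and its length checked against end, before any 'continue' in this body. */` so that a later edit adding an early `continue` does not reintroduce a stall or advance by an unchecked length. The body of bgp_capability_msg_parse between the two hunks is not shown, so the placement of the existing `continue` statements is taken from the commit message rather than checked here.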