File Quagga-2018-1975-bdpd.bsc1079801.patch of Package quagga.6668

Overview Repositories Revisions Requests Users Attributes Meta

File Quagga-2018-1975-bdpd.bsc1079801.patch of Package quagga.6668

From 7c7476d4a3afd721b5228f781805045d3e7b3a10 Mon Sep 17 00:00:00 2001
From: Paul Jakma <paul@jakma.org>
Date: Sat, 6 Jan 2018 21:20:51 +0000
Upstream: yes
References: Quagga-2018-1975,bsc#1079801
Subject: bgpd/security: fix infinite loop on certain invalid OPEN
 messages

Security issue: Quagga-2018-1975
See: https://www.quagga.net/security/Quagga-2018-1975.txt

* bgpd/bgp_packet.c: (bgp_capability_msg_parse) capability parser can infinite
  loop due to checks that issue 'continue' without bumping the input
  pointer.
---
 bgpd/bgp_packet.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/bgpd/bgp_packet.c b/bgpd/bgp_packet.c
index d115353f..bd3e8f35 100644
--- a/bgpd/bgp_packet.c
+++ b/bgpd/bgp_packet.c
@@ -2179,7 +2179,8 @@ bgp_capability_msg_parse (struct peer *peer, u_char *pnt, bgp_size_t length)
   bgp = peer->bgp;
   end = pnt + length;
 
-  while (pnt < end)
+  /* XXX: Streamify this */
+  for (; pnt < end; pnt += hdr->length + 3)
     {      
       /* We need at least action, capability code and capability length. */
       if (pnt + 3 > end)
@@ -2267,7 +2268,6 @@ bgp_capability_msg_parse (struct peer *peer, u_char *pnt, bgp_size_t length)
           zlog_warn ("%s unrecognized capability code: %d - ignored",
                      peer->host, hdr->code);
         }
-      pnt += hdr->length + 3;
     }
   return 0;
 }
-- 
2.13.6

Places

File Quagga-2018-1975-bdpd.bsc1079801.patch of Package quagga.6668

Places