openSUSE:11.4:Update
File quagga-0.99.17-CVE-2010-1674.patch of Package quagga.import5276
commit 5aadc3763588766490a25ef6b475f64ef88f8e0e Author: Paul Jakma <paul@quagga.net> Date: Sun Dec 5 17:17:26 2010 +0000 bgpd/security: CVE-2010-1674 Fix crash due to extended-community parser error * bgp_attr.c: (bgp_attr_ext_communities) Certain extended-community attrs can leave attr->flag indicating ext-community is present, even though no extended-community object has been attached to the attr structure. Thus a null-pointer dereference can occur later. (bgp_attr_community) No bug fixed here, but tidy up flow so it has same form as previous. Problem and fix thanks to anonymous reporter. Index: quagga-0.99.17/bgpd/bgp_attr.c =================================================================== --- quagga-0.99.17.orig/bgpd/bgp_attr.c +++ quagga-0.99.17/bgpd/bgp_attr.c @@ -1235,13 +1235,16 @@ bgp_attr_community (struct peer *peer, b attr->community = NULL; return 0; } - else - { - attr->community = - community_parse ((u_int32_t *)stream_pnt (peer->ibuf), length); - stream_forward_getp (peer->ibuf, length); - } + + attr->community = + community_parse ((u_int32_t *)stream_pnt (peer->ibuf), length); + + /* XXX: fix community_parse to use stream API and remove this */ + stream_forward_getp (peer->ibuf, length); + if (!attr->community) + return -1; + attr->flag |= ATTR_FLAG_BIT (BGP_ATTR_COMMUNITIES); return 0; 
@@ -1478,13 +1481,18 @@ bgp_attr_ext_communities (struct peer *p { if (attr->extra) attr->extra->ecommunity = NULL; + /* Empty extcomm doesn't seem to be invalid per se */ + return 0; } - else - { - (bgp_attr_extra_get (attr))->ecommunity = - ecommunity_parse ((u_int8_t *)stream_pnt (peer->ibuf), length); - stream_forward_getp (peer->ibuf, length); - } + + (bgp_attr_extra_get (attr))->ecommunity = + ecommunity_parse ((u_int8_t *)stream_pnt (peer->ibuf), length); + /* XXX: fix ecommunity_parse to use stream API */ + stream_forward_getp (peer->ibuf, length); + + if (!attr->extra->ecommunity) + return -1; + attr->flag |= ATTR_FLAG_BIT (BGP_ATTR_EXT_COMMUNITIES); return 0;
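Review bot: the added `if (!attr->community) return -1;` in the bgp_attr_community hunk (@@ -1235,13 +1235,16 @@) is a behaviour change, while the commit message describes this function as "No bug fixed here, but tidy up flow". Before the change, a NULL result from community_parse still fell through to `attr->flag |= ATTR_FLAG_BIT (BGP_ATTR_COMMUNITIES)` and `return 0`; now the attribute is rejected. Please say so in the commit message and add a short comment above the check stating what -1 means to the caller, since that is not visible from this function. The XXX comment is also worth expanding: community_parse is handed the raw `stream_pnt (peer->ibuf)` pointer with `length`, so it should name the bounds assumption that makes this safe until the parser uses the stream API.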
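Review bot: the new check `if (!attr->extra->ecommunity)` in the bgp_attr_ext_communities hunk (@@ -1478,13 +1481,18 @@) dereferences attr->extra directly and is only safe because `bgp_attr_extra_get (attr)` was called in the assignment just above it. Holding the ecommunity_parse result in a local variable, testing that, and then storing it would make the check independent of that ordering. The fix itself rests on an invariant that is not written down anywhere in the hunk: BGP_ATTR_EXT_COMMUNITIES may be set in attr->flag only when an ecommunity object is attached. A one-line comment above the `attr->flag |=` line stating this would help keep the empty-attribute `return 0` and the `return -1` paths correct in later edits. The comment "doesn't seem to be invalid per se" reads as undecided; either cite the basis for accepting a zero-length attribute or state that it is a deliberate leniency.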