From e006e3f8bc0b1aa1f51dc13bb1510b9a7dfd8aac Mon Sep 17 00:00:00 2001
From: Adam Tkac
Date: Jun 07 2012 13:51:09 +0000
Subject: Fix CVE-2012-1820
Signed-off-by: Adam Tkac
Conflicts: quagga.spec
---
diff --git a/quagga-CVE-2012-1820.patch b/quagga-CVE-2012-1820.patch
new file mode 100644
index 0000000..aae2d7b
--- /dev/null
+++ b/quagga-CVE-2012-1820.patch
@@ -0,0 +1,74 @@
+@@ -, +, @@
+ bgpd: CVE-2012-1820, DoS in bgp_capability_orf()
+
+ An ORF (code 3) capability TLV is defined to contain exactly one
+ AFI/SAFI block. Function bgp_capability_orf(), which parses ORF
+ capability TLV, uses do-while cycle to call its helper function
+ bgp_capability_orf_entry(), which actually processes the AFI/SAFI data
+ block. The call is made at least once and repeated as long as the input
+ buffer has enough data for the next call.
+
+ The helper function, bgp_capability_orf_entry(), uses "Number of ORFs"
+ field of the provided AFI/SAFI block to verify, if it fits the input
+ buffer. However, the check is made based on the total length of the ORF
+ TLV regardless of the data already consumed by the previous helper
+ function call(s). This way, the check condition is only valid for the
+ first AFI/SAFI block inside an ORF capability TLV.
+
+ For the subsequent calls of the helper function, if any are made, the
+ check condition may erroneously tell, that the current "Number of ORFs"
+ field fits the buffer boundary, where in fact it does not. This makes it
+ possible to trigger an assertion by feeding an OPEN message with a
+ specially-crafted malformed ORF capability TLV.
+
+ This commit fixes the vulnerability by making the implementation follow
+ the spec.
+--- a/bgpd/bgp_open.c
++++ a/bgpd/bgp_open.c
+@@ -231,7 +231,7 @@ bgp_capability_orf_entry (struct peer *peer, struct capability_header *hdr)
+ }
+
+ /* validate number field */
+- if (sizeof (struct capability_orf_entry) + (entry.num * 2) > hdr->length)
++ if (sizeof (struct capability_orf_entry) + (entry.num * 2) != hdr->length)
+ {
+ zlog_info ("%s ORF Capability entry length error,"
+ " Cap length %u, num %u",
+@@ -335,28 +335,6 @@ bgp_capability_orf_entry (struct peer *peer, struct capability_header *hdr)
+ }
+
+ static int
+-bgp_capability_orf (struct peer *peer, struct capability_header *hdr)
+-{
+- struct stream *s = BGP_INPUT (peer);
+- size_t end = stream_get_getp (s) + hdr->length;
+-
+- assert (stream_get_getp(s) + sizeof(struct capability_orf_entry) <= end);
+-
+- /* We must have at least one ORF entry, as the caller has already done
+- * minimum length validation for the capability code - for ORF there must
+- * at least one ORF entry (header and unknown number of pairs of bytes).
+- */
+- do
+- {
+- if (bgp_capability_orf_entry (peer, hdr) == -1)
+- return -1;
+- }
+- while (stream_get_getp(s) + sizeof(struct capability_orf_entry) < end);
+-
+- return 0;
+-}
+-
+-static int
+ bgp_capability_restart (struct peer *peer, struct capability_header *caphdr)
+ {
+ struct stream *s = BGP_INPUT (peer);
+@@ -573,7 +551,7 @@ bgp_capability_parse (struct peer *peer, size_t length, int *mp_capability,
+ break;
+ case CAPABILITY_CODE_ORF:
+ case CAPABILITY_CODE_ORF_OLD:
+- if (bgp_capability_orf (peer, &caphdr))
++ if (bgp_capability_orf_entry (peer, &caphdr))
+ return -1;
+ break;
+ case CAPABILITY_CODE_RESTART:
diff --git a/quagga.spec b/quagga.spec
index 729ebe3..49bee75 100644
--- a/quagga.spec
+++ b/quagga.spec
@@ -32,7 +32,7 @@ Summary: Routing daemon
 Name: quagga
 Version: 0.99.20.1
-Release: 1%{?dist}
+Release: 2%{?dist}
 License: GPLv2+
 Group: System Environment/Daemons
 Source0: http://www.quagga.net/download/%{name}-%{version}.tar.gz
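Review bot: The `!=` in the new `validate number field` check turns "exactly one AFI/SAFI block per ORF capability TLV" into a hard requirement, so a peer that packs several blocks into one TLV — the case the removed do-while loop in bgp_capability_orf() existed to accept — now lands on the zlog_info error path and, assuming that path still returns -1 as the removed `== -1` test implies, has its OPEN rejected by the `return -1` in bgp_capability_parse. That is the behaviour the patch description argues for, but it is also an interoperability change for deployed peers that relied on the looser parsing, and nothing in the patch or the Fedora changelog entry records it; worth confirming the single-block reading against RFC 5291 §3 and leaving a comment above the check such as `/* RFC 5291: exactly one AFI/SAFI block per ORF capability TLV; anything else is malformed */`. bgp_capability_orf_entry() starts and ends outside this hunk, so the entry read that precedes the check and whatever follows the zlog_info (NOTIFICATION, return value) cannot be confirmed here.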
@@ -40,6 +40,7 @@ Source1: quagga-filter-perl-requires.sh
 Source2: quagga-tmpfs.conf

 # upstream patches
+Patch0: quagga-CVE-2012-1820.patch

 # Fedora patches
 Patch101: quagga-0.99.15-perl_pth.patch
@@ -106,6 +107,7 @@ developing OSPF-API and quagga applications.

 %prep
 %setup -q
+%patch0 -p1 -b .CVE-2012-1820
 %patch101 -p1 -b .perl_pth
 %patch102 -p1 -b .posix
 %patch103 -p1 -b .man
@@ -355,6 +357,9 @@ rm -rf $RPM_BUILD_ROOT
 %endif

 %changelog
+* Thu Jun 07 2012 Adam Tkac 0.99.20.1-2
+- fix CVE-2012-1820
+
 * Thu Mar 15 2012 Jiri Skala - 0.99.20.1-1
 - updated to latest upstream version 0.99.20.1