The following patch is pulled directly from the GIT repository
for the quagga community. It fixes the following CVE:
CVE-2012-1820.
The patched CVE is included in Quagga 0.99.22. This patch
file can be removed if Quagga is upgraded to that version.
--- bgpd/bgp_open.c
+++ bgpd/bgp_open.c
@@ -244,7 +244,7 @@ bgp_capability_orf_entry (struct peer *p
}
/* validate number field */
- if (sizeof (struct capability_orf_entry) + (entry.num * 2) > hdr->length)
+ if (sizeof (struct capability_orf_entry) + (entry.num * 2) != hdr->length)
{
zlog_info ("%s ORF Capability entry length error,"
" Cap length %u, num %u",
@@ -348,28 +348,6 @@ bgp_capability_orf_entry (struct peer *p
}
static int
-bgp_capability_orf (struct peer *peer, struct capability_header *hdr)
-{
- struct stream *s = BGP_INPUT (peer);
- size_t end = stream_get_getp (s) + hdr->length;
-
- assert (stream_get_getp(s) + sizeof(struct capability_orf_entry) <= end);
-
- /* We must have at least one ORF entry, as the caller has already done
- * minimum length validation for the capability code - for ORF there must
- * at least one ORF entry (header and unknown number of pairs of bytes).
- */
- do
- {
- if (bgp_capability_orf_entry (peer, hdr) == -1)
- return -1;
- }
- while (stream_get_getp(s) + sizeof(struct capability_orf_entry) < end);
-
- return 0;
-}
-
-static int
bgp_capability_restart (struct peer *peer, struct capability_header *caphdr)
{
struct stream *s = BGP_INPUT (peer);
@@ -580,7 +558,7 @@ bgp_capability_parse (struct peer *peer,
break;
case CAPABILITY_CODE_ORF:
case CAPABILITY_CODE_ORF_OLD:
- if (bgp_capability_orf (peer, &caphdr))
+ if (bgp_capability_orf_entry (peer, &caphdr))
return -1;
break;
case CAPABILITY_CODE_RESTART: