Red Hat Bugzilla – Attachment 589837 Details for Bug 817580
CVE-2012-1820 quagga (bgpd): Assertion failure by processing BGP OPEN message with malformed ORF capability TLV (VU#962587)
[patch] fixing patch
790d1e263e8800bc49d0038d481591ecb4e37b88.patch (text/plain), 3.24 KB, created by Denis Ovsienko on 2012-06-06 11:10:40 UTC
Flags: patch, obsolete
>commit 790d1e263e8800bc49d0038d481591ecb4e37b88 >Author: Denis Ovsienko <infrastation@yandex.ru> >Date: Thu Apr 19 20:34:13 2012 +0400 > > bgpd: CVE-2012-1820, DoS in bgp_capability_orf() > > An ORF (code 3) capability TLV is defined to contain exactly one > AFI/SAFI block. Function bgp_capability_orf(), which parses ORF > capability TLV, uses do-while cycle to call its helper function > bgp_capability_orf_entry(), which actually processes the AFI/SAFI data > block. The call is made at least once and repeated as long as the input > buffer has enough data for the next call. > > The helper function, bgp_capability_orf_entry(), uses "Number of ORFs" > field of the provided AFI/SAFI block to verify, if it fits the input > buffer. However, the check is made based on the total length of the ORF > TLV regardless of the data already consumed by the previous helper > function call(s). This way, the check condition is only valid for the > first AFI/SAFI block inside an ORF capability TLV. > > For the subsequent calls of the helper function, if any are made, the > check condition may erroneously tell, that the current "Number of ORFs" > field fits the buffer boundary, where in fact it does not. This makes it > possible to trigger an assertion by feeding an OPEN message with a > specially-crafted malformed ORF capability TLV. > > This commit fixes the vulnerability by making the implementation follow > the spec. > >diff --git a/bgpd/bgp_open.c b/bgpd/bgp_open.c >index 7d2cb9b..1ae1567 100644 >--- a/bgpd/bgp_open.c >+++ b/bgpd/bgp_open.c >@@ -231,7 +231,7 @@ bgp_capability_orf_entry (struct peer *peer, struct capability_header *hdr) > } > > /* validate number field */ >- if (sizeof (struct capability_orf_entry) + (entry.num * 2) > hdr->length) >+ if (sizeof (struct capability_orf_entry) + (entry.num * 2) != hdr->length) > { > zlog_info ("%s ORF Capability entry length error," > " Cap length %u, num %u", 
>@@ -335,28 +335,6 @@ bgp_capability_orf_entry (struct peer *peer, struct capability_header *hdr) > } > > static int >-bgp_capability_orf (struct peer *peer, struct capability_header *hdr) >-{ >- struct stream *s = BGP_INPUT (peer); >- size_t end = stream_get_getp (s) + hdr->length; >- >- assert (stream_get_getp(s) + sizeof(struct capability_orf_entry) <= end); >- >- /* We must have at least one ORF entry, as the caller has already done >- * minimum length validation for the capability code - for ORF there must >- * at least one ORF entry (header and unknown number of pairs of bytes). >- */ >- do >- { >- if (bgp_capability_orf_entry (peer, hdr) == -1) >- return -1; >- } >- while (stream_get_getp(s) + sizeof(struct capability_orf_entry) < end); >- >- return 0; >-} >- >-static int > bgp_capability_restart (struct peer *peer, struct capability_header *caphdr) > { > struct stream *s = BGP_INPUT (peer); >@@ -573,7 +551,7 @@ bgp_capability_parse (struct peer *peer, size_t length, int *mp_capability, > break; > case CAPABILITY_CODE_ORF: > case CAPABILITY_CODE_ORF_OLD: >- if (bgp_capability_orf (peer, &caphdr)) >+ if (bgp_capability_orf_entry (peer, &caphdr)) > return -1; > break; > case CAPABILITY_CODE_RESTART:
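Review bot: the tightened comparison `sizeof (struct capability_orf_entry) + (entry.num * 2) != hdr->length` in the first hunk now rejects any ORF TLV whose length is not exactly one block header plus `num` pairs, so a TLV with trailing bytes after its single AFI/SAFI block becomes an error where the old `>` check silently accepted it; that is the spec-following behaviour the commit message describes, but the `/* validate number field */` comment above the check no longer says why equality rather than an upper bound is required. Suggest extending that comment (e.g. "an ORF TLV carries exactly one AFI/SAFI block, so the length must match") so a later reader does not relax it back to `>`.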
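Review bot: deleting bgp_capability_orf() in the second hunk also deletes its `assert (stream_get_getp(s) + sizeof(struct capability_orf_entry) <= end);` and the comment recording that the caller has already done minimum-length validation for the capability code; nothing in the visible hunks shows bgp_capability_orf_entry() checking that `hdr->length` covers `sizeof (struct capability_orf_entry)` before it reads `entry.num`. Please confirm the caller's per-code minimum length check still guarantees that, and move the removed comment's invariant ("for ORF there must at least one ORF entry") onto bgp_capability_orf_entry() so the assumption stays documented now that the wrapper is gone.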
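Review bot: the new call site `if (bgp_capability_orf_entry (peer, &caphdr))` in the third hunk treats any nonzero return as failure, whereas the removed wrapper tested `bgp_capability_orf_entry (peer, hdr) == -1`; the two are equivalent only if bgp_capability_orf_entry() returns exactly 0 or -1. Worth confirming that return contract, or writing the test as `== -1` to match the deleted code, so a future nonzero success value cannot be mistaken for an error.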
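The length rule the commit message describes, worked through as an added C example that is not part of the attached patch or of Quagga's code: it implements the post-fix rule (a capability value must be exactly one AFI/SAFI block, i.e. block header plus `num` pairs must fill it precisely) over constructed capability bytes, and evaluates the pre-fix per-entry arithmetic in isolation to show why a second block's "Number of ORFs" field could pass a check made against the TLV's total length. The 5-byte block header and 2-byte pair sizes follow RFC 5291's ORF capability layout and are assumed to correspond to `sizeof (struct capability_orf_entry)` and the `entry.num * 2` term in the patch; the AFI/SAFI/ORF-type values in the sample bytes are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed ORF capability layout (RFC 5291): one AFI/SAFI block made of
 * AFI(2) reserved(1) SAFI(1) "Number of ORFs"(1), followed by num pairs of
 * ORF type(1) and send/receive mode(1). */
#define ORF_BLOCK_HDR_LEN 5u
#define ORF_PAIR_LEN      2u

/* Constructed capability values (not captured from any real session). */
static const uint8_t ORF_ONE_BLOCK[] = {
    0x00, 0x01, 0x00, 0x01, 0x01,   /* AFI 1, reserved, SAFI 1, num = 1 */
    0x40, 0x03                      /* ORF type 64, send/receive mode 3 */
};
static const uint8_t ORF_TWO_BLOCKS[] = {
    0x00, 0x01, 0x00, 0x01, 0x01, 0x40, 0x03,  /* complete first block (7 bytes) */
    0x00, 0x01, 0x00, 0x01, 0x03               /* second block announces 3 pairs, carries none */
};
static const uint8_t ORF_BAD_NUM[] = {
    0x00, 0x01, 0x00, 0x01, 0x05,   /* num = 5 pairs announced */
    0x40, 0x03                      /* only one pair present */
};

/* Bytes one block needs for its announced number of ORFs. */
size_t orf_block_len(uint8_t num)
{
    return ORF_BLOCK_HDR_LEN + (size_t)num * ORF_PAIR_LEN;
}

/* Post-fix rule: the capability value is exactly one block.
 * Returns 1 when valid, 0 otherwise; never reads past cap_len. */
int orf_capability_valid(const uint8_t *cap, size_t cap_len)
{
    if (cap_len < ORF_BLOCK_HDR_LEN)
        return 0;
    return orf_block_len(cap[4]) == cap_len;
}

/* Pre-fix per-entry arithmetic as the commit message describes it: the
 * announced num was compared against the TLV's total length only, with no
 * account of bytes already consumed by earlier blocks. Returns 1 when that
 * comparison alone would have let the entry through. */
int prefix_entry_check_passes(uint8_t num, size_t tlv_total_len)
{
    return !(orf_block_len(num) > tlv_total_len);
}

/* Bytes actually left for a block that starts at offset off. */
size_t bytes_remaining(size_t cap_len, size_t off)
{
    return off <= cap_len ? cap_len - off : 0;
}

int main(void)
{
    printf("one block valid:  %d\n", orf_capability_valid(ORF_ONE_BLOCK, sizeof ORF_ONE_BLOCK));
    printf("two blocks valid: %d\n", orf_capability_valid(ORF_TWO_BLOCKS, sizeof ORF_TWO_BLOCKS));
    printf("bad num valid:    %d\n", orf_capability_valid(ORF_BAD_NUM, sizeof ORF_BAD_NUM));

    /* The second block of ORF_TWO_BLOCKS starts right after the first one. */
    size_t off = orf_block_len(ORF_TWO_BLOCKS[4]);
    uint8_t num2 = ORF_TWO_BLOCKS[off + 4];
    printf("pre-fix check on 2nd block passes: %d (needs %zu bytes, only %zu remain)\n",
           prefix_entry_check_passes(num2, sizeof ORF_TWO_BLOCKS),
           orf_block_len(num2), bytes_remaining(sizeof ORF_TWO_BLOCKS, off));
    return 0;
}
```

The two-block input is accepted by the pre-fix arithmetic because 11 bytes needed is not greater than the 12-byte TLV total, even though only 5 bytes remain after the first block; the post-fix rule rejects it outright because 7 bytes (one block with one pair) does not equal 12.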