Attachment 589837 Details for Bug 817580 – fixing patch

[patch] fixing patch

790d1e263e8800bc49d0038d481591ecb4e37b88.patch (text/plain), 3.24 KB, created by Denis Ovsienko on 2012-06-06 11:10:40 UTC

(hide)

Description:

Filename:

MIME Type:

Creator: Denis Ovsienko

Created: 2012-06-06 11:10:40 UTC

Size: 3.24 KB

patch

obsolete

>commit 790d1e263e8800bc49d0038d481591ecb4e37b88
>Author: Denis Ovsienko <infrastation@yandex.ru>
>Date:   Thu Apr 19 20:34:13 2012 +0400
>
>    bgpd: CVE-2012-1820, DoS in bgp_capability_orf()
>    
>    An ORF (code 3) capability TLV is defined to contain exactly one
>    AFI/SAFI block. Function bgp_capability_orf(), which parses ORF
>    capability TLV, uses do-while cycle to call its helper function
>    bgp_capability_orf_entry(), which actually processes the AFI/SAFI data
>    block. The call is made at least once and repeated as long as the input
>    buffer has enough data for the next call.
>    
>    The helper function, bgp_capability_orf_entry(), uses "Number of ORFs"
>    field of the provided AFI/SAFI block to verify, if it fits the input
>    buffer. However, the check is made based on the total length of the ORF
>    TLV regardless of the data already consumed by the previous helper
>    function call(s). This way, the check condition is only valid for the
>    first AFI/SAFI block inside an ORF capability TLV.
>    
>    For the subsequent calls of the helper function, if any are made, the
>    check condition may erroneously tell, that the current "Number of ORFs"
>    field fits the buffer boundary, where in fact it does not. This makes it
>    possible to trigger an assertion by feeding an OPEN message with a
>    specially-crafted malformed ORF capability TLV.
>    
>    This commit fixes the vulnerability by making the implementation follow
>    the spec.
>
>diff --git a/bgpd/bgp_open.c b/bgpd/bgp_open.c
>index 7d2cb9b..1ae1567 100644
>--- a/bgpd/bgp_open.c
>+++ b/bgpd/bgp_open.c
>@@ -231,7 +231,7 @@ bgp_capability_orf_entry (struct peer *peer, struct capability_header *hdr)
>     }
>   
>   /* validate number field */
>-  if (sizeof (struct capability_orf_entry) + (entry.num * 2) > hdr->length)
>+  if (sizeof (struct capability_orf_entry) + (entry.num * 2) != hdr->length)
>     {
>       zlog_info ("%s ORF Capability entry length error,"
>                  " Cap length %u, num %u",
>@@ -335,28 +335,6 @@ bgp_capability_orf_entry (struct peer *peer, struct capability_header *hdr)
> }
> 
> static int
>-bgp_capability_orf (struct peer *peer, struct capability_header *hdr)
>-{
>-  struct stream *s = BGP_INPUT (peer);
>-  size_t end = stream_get_getp (s) + hdr->length;
>-  
>-  assert (stream_get_getp(s) + sizeof(struct capability_orf_entry) <= end);
>-  
>-  /* We must have at least one ORF entry, as the caller has already done
>-   * minimum length validation for the capability code - for ORF there must
>-   * at least one ORF entry (header and unknown number of pairs of bytes).
>-   */
>-  do
>-    {
>-      if (bgp_capability_orf_entry (peer, hdr) == -1)
>-        return -1;
>-    } 
>-  while (stream_get_getp(s) + sizeof(struct capability_orf_entry) < end);
>-  
>-  return 0;
>-}
>-
>-static int
> bgp_capability_restart (struct peer *peer, struct capability_header *caphdr)
> {
>   struct stream *s = BGP_INPUT (peer);
>@@ -573,7 +551,7 @@ bgp_capability_parse (struct peer *peer, size_t length, int *mp_capability,
>             break;
>           case CAPABILITY_CODE_ORF:
>           case CAPABILITY_CODE_ORF_OLD:
>-            if (bgp_capability_orf (peer, &caphdr))
>+            if (bgp_capability_orf_entry (peer, &caphdr))
>               return -1;
>             break;
>           case CAPABILITY_CODE_RESTART:

Actions: View | Diff

Attachments on bug 817580: 589837