[quagga/f15] Fix CVE-2012-1820

Adam Tkac atkac at fedoraproject.org
Thu Jun 7 13:51:44 UTC 2012


commit e006e3f8bc0b1aa1f51dc13bb1510b9a7dfd8aac
Author: Adam Tkac <atkac at redhat.com>
Date:   Thu Jun 7 12:04:24 2012 +0200

    Fix CVE-2012-1820
    
    Signed-off-by: Adam Tkac <atkac at redhat.com>
    
    Conflicts:
    	quagga.spec

 quagga-CVE-2012-1820.patch |   74 ++++++++++++++++++++++++++++++++++++++++++++
 quagga.spec                |    7 +++-
 2 files changed, 80 insertions(+), 1 deletions(-)
---
diff --git a/quagga-CVE-2012-1820.patch b/quagga-CVE-2012-1820.patch
new file mode 100644
index 0000000..aae2d7b
--- /dev/null
+++ b/quagga-CVE-2012-1820.patch
@@ -0,0 +1,74 @@
+@@ -, +, @@ 
+    bgpd: CVE-2012-1820, DoS in bgp_capability_orf()
+    
+    An ORF (code 3) capability TLV is defined to contain exactly one
+    AFI/SAFI block. Function bgp_capability_orf(), which parses ORF
+    capability TLV, uses do-while cycle to call its helper function
+    bgp_capability_orf_entry(), which actually processes the AFI/SAFI data
+    block. The call is made at least once and repeated as long as the input
+    buffer has enough data for the next call.
+    
+    The helper function, bgp_capability_orf_entry(), uses "Number of ORFs"
+    field of the provided AFI/SAFI block to verify, if it fits the input
+    buffer. However, the check is made based on the total length of the ORF
+    TLV regardless of the data already consumed by the previous helper
+    function call(s). This way, the check condition is only valid for the
+    first AFI/SAFI block inside an ORF capability TLV.
+    
+    For the subsequent calls of the helper function, if any are made, the
+    check condition may erroneously tell, that the current "Number of ORFs"
+    field fits the buffer boundary, where in fact it does not. This makes it
+    possible to trigger an assertion by feeding an OPEN message with a
+    specially-crafted malformed ORF capability TLV.
+    
+    This commit fixes the vulnerability by making the implementation follow
+    the spec.
+--- a/bgpd/bgp_open.c	
++++ a/bgpd/bgp_open.c	
+@@ -231,7 +231,7 @@ bgp_capability_orf_entry (struct peer *peer, struct capability_header *hdr)
+     }
+   
+   /* validate number field */
+-  if (sizeof (struct capability_orf_entry) + (entry.num * 2) > hdr->length)
++  if (sizeof (struct capability_orf_entry) + (entry.num * 2) != hdr->length)
+     {
+       zlog_info ("%s ORF Capability entry length error,"
+                  " Cap length %u, num %u",
+@@ -335,28 +335,6 @@ bgp_capability_orf_entry (struct peer *peer, struct capability_header *hdr)
+ }
+ 
+ static int
+-bgp_capability_orf (struct peer *peer, struct capability_header *hdr)
+-{
+-  struct stream *s = BGP_INPUT (peer);
+-  size_t end = stream_get_getp (s) + hdr->length;
+-  
+-  assert (stream_get_getp(s) + sizeof(struct capability_orf_entry) <= end);
+-  
+-  /* We must have at least one ORF entry, as the caller has already done
+-   * minimum length validation for the capability code - for ORF there must
+-   * at least one ORF entry (header and unknown number of pairs of bytes).
+-   */
+-  do
+-    {
+-      if (bgp_capability_orf_entry (peer, hdr) == -1)
+-        return -1;
+-    } 
+-  while (stream_get_getp(s) + sizeof(struct capability_orf_entry) < end);
+-  
+-  return 0;
+-}
+-
+-static int
+ bgp_capability_restart (struct peer *peer, struct capability_header *caphdr)
+ {
+   struct stream *s = BGP_INPUT (peer);
+@@ -573,7 +551,7 @@ bgp_capability_parse (struct peer *peer, size_t length, int *mp_capability,
+             break;
+           case CAPABILITY_CODE_ORF:
+           case CAPABILITY_CODE_ORF_OLD:
+-            if (bgp_capability_orf (peer, &caphdr))
++            if (bgp_capability_orf_entry (peer, &caphdr))
+               return -1;
+             break;
+           case CAPABILITY_CODE_RESTART:
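Review bot: With `bgp_capability_orf` removed (second nested hunk), the precondition it asserted — at least `sizeof (struct capability_orf_entry)` bytes remaining before `bgp_capability_orf_entry` reads the AFI/SAFI block — is no longer checked anywhere visible in this patch, and `bgp_capability_parse` (third nested hunk) now calls the entry parser directly for both `CAPABILITY_CODE_ORF` and `CAPABILITY_CODE_ORF_OLD`. The deleted comment says the caller already does minimum-length validation per capability code; that table lives outside the hunk, so it is worth confirming it covers both ORF codes, since the surviving `!= hdr->length` comparison appears to run only after the entry header fields have been read. Tying the declared ORF count to the TLV's full length with `!=` is the right shape for the fix, because the previous `>` test was measured against `hdr->length` without subtracting what earlier entries had consumed. Minor: the nested patch header reads `+++ a/bgpd/bgp_open.c` where `b/` is conventional; `%patch0 -p1` strips the prefix either way, but tools that compare the two paths may warn. Both `bgp_capability_orf_entry` and `bgp_capability_parse` start and end outside the hunk.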
diff --git a/quagga.spec b/quagga.spec
index 729ebe3..49bee75 100644
--- a/quagga.spec
+++ b/quagga.spec
@@ -32,7 +32,7 @@
 Summary:    Routing daemon
 Name:       quagga
 Version:    0.99.20.1
-Release:    1%{?dist}
+Release:    2%{?dist}
 License:    GPLv2+
 Group:      System Environment/Daemons
 Source0:    http://www.quagga.net/download/%{name}-%{version}.tar.gz
@@ -40,6 +40,7 @@ Source1:    quagga-filter-perl-requires.sh
 Source2:    quagga-tmpfs.conf
 
 # upstream patches
+Patch0: quagga-CVE-2012-1820.patch
 
 # Fedora patches
 Patch101:     quagga-0.99.15-perl_pth.patch
@@ -106,6 +107,7 @@ developing OSPF-API and quagga applications.
 %prep
 %setup  -q
 
+%patch0 -p1 -b .CVE-2012-1820
 %patch101 -p1 -b .perl_pth
 %patch102 -p1 -b .posix
 %patch103 -p1 -b .man
@@ -355,6 +357,9 @@ rm -rf $RPM_BUILD_ROOT
 %endif
 
 %changelog
+* Thu Jun 07 2012 Adam Tkac <atkac redhat com> 0.99.20.1-2
+- fix CVE-2012-1820
+
 * Thu Mar 15 2012 Jiri Skala <jskala at redhat.com> - 0.99.20.1-1
 - updated to latest upstream version 0.99.20.1
 

