quagga/0001-bgpd-security-fix-infinite-loop-on-certain-invalid-O.patch

From ce07207c50a3d1f05d6dd49b5294282e59749787 Mon Sep 17 00:00:00 2001
From: Paul Jakma <paul@jakma.org>
Date: Sat, 6 Jan 2018 21:20:51 +0000
Subject: [PATCH] bgpd/security: fix infinite loop on certain invalid OPEN
 messages

Security issue: Quagga-2018-1975
See: https://www.quagga.net/security/Quagga-2018-1975.txt

* bgpd/bgp_packet.c: (bgp_capability_msg_parse) capability parser can infinite
  loop due to checks that issue 'continue' without bumping the input
  pointer.
---
 bgpd/bgp_packet.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/bgpd/bgp_packet.c b/bgpd/bgp_packet.c
index b3d601fc..f9338d8d 100644
--- a/bgpd/bgp_packet.c
+++ b/bgpd/bgp_packet.c
@@ -2328,7 +2328,8 @@ bgp_capability_msg_parse (struct peer *peer, u_char *pnt, bgp_size_t length)
 
   end = pnt + length;
 
-  while (pnt < end)
+  /* XXX: Streamify this */
+  for (; pnt < end; pnt += hdr->length + 3)
     {      
       /* We need at least action, capability code and capability length. */
       if (pnt + 3 > end)
@@ -2416,7 +2417,6 @@ bgp_capability_msg_parse (struct peer *peer, u_char *pnt, bgp_size_t length)
           zlog_warn ("%s unrecognized capability code: %d - ignored",
                      peer->host, hdr->code);
         }
-      pnt += hdr->length + 3;
     }
   return 0;
 }
-- 
2.14.3
Fix CVE-2018-5379, CVE-2018-5380, CVE-2018-5381, CVE-2018-5378 Fixed CVE-2018-5379 - Double free vulnerability in bgpd when processing certain forms of UPDATE message allowing to crash or potentially execute arbitrary code Resolves: rhbz#1546008 Fixed CVE-2018-5380 - bgpd can overrun internal BGP code-to-string conversion tables potentially allowing crash Resolves: rhbz#1546006 Fixed CVE-2018-5381 - Infinite loop issue triggered by invalid OPEN message allows denial-of-service Resolves: rhbz#1546004 Fixed CVE-2018-5378 - bgpd does not properly bounds check the data sent with a NOTIFY allowing leak of sensitive data or crash Resolves: rhbz#1546009 2018-02-22 10:58:58 +00:00			`From ce07207c50a3d1f05d6dd49b5294282e59749787 Mon Sep 17 00:00:00 2001`
			`From: Paul Jakma <paul@jakma.org>`
			`Date: Sat, 6 Jan 2018 21:20:51 +0000`
			`Subject: [PATCH] bgpd/security: fix infinite loop on certain invalid OPEN`
			`messages`

			`Security issue: Quagga-2018-1975`
			`See: https://www.quagga.net/security/Quagga-2018-1975.txt`

			`* bgpd/bgp_packet.c: (bgp_capability_msg_parse) capability parser can infinite`
			`loop due to checks that issue 'continue' without bumping the input`
			`pointer.`
			`---`
			`bgpd/bgp_packet.c \| 4 ++--`
			`1 file changed, 2 insertions(+), 2 deletions(-)`

			`diff --git a/bgpd/bgp_packet.c b/bgpd/bgp_packet.c`
			`index b3d601fc..f9338d8d 100644`
			`--- a/bgpd/bgp_packet.c`
			`+++ b/bgpd/bgp_packet.c`
			`@@ -2328,7 +2328,8 @@ bgp_capability_msg_parse (struct peer peer, u_char pnt, bgp_size_t length)`

			`end = pnt + length;`

			`- while (pnt < end)`
			`+ /* XXX: Streamify this */`
			`+ for (; pnt < end; pnt += hdr->length + 3)`
			`{`
			`/* We need at least action, capability code and capability length. */`
			`if (pnt + 3 > end)`
			`@@ -2416,7 +2417,6 @@ bgp_capability_msg_parse (struct peer peer, u_char pnt, bgp_size_t length)`
			`zlog_warn ("%s unrecognized capability code: %d - ignored",`
			`peer->host, hdr->code);`
			`}`
			`- pnt += hdr->length + 3;`
			`}`
			`return 0;`
			`}`
			`--`
			`2.14.3`