rpms/quagga
3
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Fix for CVE-2016-4049

Browse Source 
Resolves: #1331373
This commit is contained in:
Michal Sekletar 2016-10-21 15:57:23 +02:00
parent 3bceae60b2
commit 2fe5ab5d3d
2 changed files with 231 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

229
0003-bgpd-Fix-buffer-overflow-error-in-bgp_dump_routes_fu.patch Normal file
View File

@ -0,0 +1,229 @@
From af17d2eb7f641c7014a84a71bc0c700b28f1e638 Mon Sep 17 00:00:00 2001
From: Evgeny Uskov <eu@qrator.net>
Date: Wed, 13 Jan 2016 13:58:00 +0300
Subject: [PATCH 3/3] bgpd: Fix buffer overflow error in bgp_dump_routes_func
Now if the number of entries for some prefix is too large, multiple
TABLE_DUMP_V2 records are created. In the previous version in such
situation bgpd crashed with SIGABRT.
Resolves: #1331373
Cherry-picked from: b4e011985232f28d98e4df88c7cb13ee8f95ef46
Conflicts:
bgpd/bgp_dump.c
---
bgpd/bgp_dump.c | 175 +++++++++++++++++++++++++++++++-------------------------
1 file changed, 96 insertions(+), 79 deletions(-)
diff --git a/bgpd/bgp_dump.c b/bgpd/bgp_dump.c
index a3c9526..a8db612 100644
--- a/bgpd/bgp_dump.c
+++ b/bgpd/bgp_dump.c
@@ -271,11 +271,98 @@ bgp_dump_routes_index_table(struct bgp *bgp)
}
+static struct bgp_info *
+bgp_dump_route_node_record (int afi, struct bgp_node *rn,
+ struct bgp_info *info, unsigned int seq)
+{
+ struct stream *obuf;
+ size_t sizep;
+ size_t endp;
+
+ obuf = bgp_dump_obuf;
+ stream_reset (obuf);
+
+ /* MRT header */
+ if (afi == AFI_IP)
+ bgp_dump_header (obuf, MSG_TABLE_DUMP_V2, TABLE_DUMP_V2_RIB_IPV4_UNICAST);
+ else if (afi == AFI_IP6)
+ bgp_dump_header (obuf, MSG_TABLE_DUMP_V2, TABLE_DUMP_V2_RIB_IPV6_UNICAST);
+
+ /* Sequence number */
+ stream_putl (obuf, seq);
+
+ /* Prefix length */
+ stream_putc (obuf, rn->p.prefixlen);
+
+ /* Prefix */
+ if (afi == AFI_IP)
+ {
+ /* We'll dump only the useful bits (those not 0), but have to
+ * align on 8 bits */
+ stream_write (obuf, (u_char *) &rn->p.u.prefix4,
+ (rn->p.prefixlen + 7) / 8);
+ }
+ else if (afi == AFI_IP6)
+ {
+ /* We'll dump only the useful bits (those not 0), but have to
+ * align on 8 bits */
+ stream_write (obuf, (u_char *) &rn->p.u.prefix6,
+ (rn->p.prefixlen + 7) / 8);
+ }
+
+ /* Save where we are now, so we can overwride the entry count later */
+ sizep = stream_get_endp (obuf);
+
+ /* Entry count */
+ uint16_t entry_count = 0;
+
+ /* Entry count, note that this is overwritten later */
+ stream_putw (obuf, 0);
+
+ endp = stream_get_endp (obuf);
+ for (; info; info = info->next)
+ {
+ size_t cur_endp;
+
+ /* Peer index */
+ stream_putw (obuf, info->peer->table_dump_index);
+
+ /* Originated */
+#ifdef HAVE_CLOCK_MONOTONIC
+ stream_putl (obuf, time (NULL) - (bgp_clock () - info->uptime));
+#else
+ stream_putl (obuf, info->uptime);
+#endif /* HAVE_CLOCK_MONOTONIC */
+
+ /* Dump attribute. */
+ /* Skip prefix & AFI/SAFI for MP_NLRI */
+ bgp_dump_routes_attr (obuf, info->attr, &rn->p);
+
+ cur_endp = stream_get_endp (obuf);
+ if (cur_endp > BGP_MAX_PACKET_SIZE + BGP_DUMP_MSG_HEADER
+ + BGP_DUMP_HEADER_SIZE)
+ {
+ stream_set_endp (obuf, endp);
+ break;
+ }
+
+ entry_count++;
+ endp = cur_endp;
+ }
+
+ /* Overwrite the entry count, now that we know the right number */
+ stream_putw_at (obuf, sizep, entry_count);
+
+ bgp_dump_set_size (obuf, MSG_TABLE_DUMP_V2);
+ fwrite (STREAM_DATA (obuf), stream_get_endp (obuf), 1, bgp_dump_routes.fp);
+
+ return info;
+}
+
/* Runs under child process. */
static unsigned int
bgp_dump_routes_func (int afi, int first_run, unsigned int seq)
{
- struct stream *obuf;
struct bgp_info *info;
struct bgp_node *rn;
struct bgp *bgp;
@@ -294,87 +381,17 @@ bgp_dump_routes_func (int afi, int first_run, unsigned int seq)
if(first_run)
bgp_dump_routes_index_table(bgp);
- obuf = bgp_dump_obuf;
- stream_reset(obuf);
-
/* Walk down each BGP route. */
table = bgp->rib[afi][SAFI_UNICAST];
for (rn = bgp_table_top (table); rn; rn = bgp_route_next (rn))
{
- if(!rn->info)
- continue;
-
- stream_reset(obuf);
-
- /* MRT header */
- if (afi == AFI_IP)
- {
- bgp_dump_header (obuf, MSG_TABLE_DUMP_V2, TABLE_DUMP_V2_RIB_IPV4_UNICAST);
- }
-#ifdef HAVE_IPV6
- else if (afi == AFI_IP6)
- {
- bgp_dump_header (obuf, MSG_TABLE_DUMP_V2, TABLE_DUMP_V2_RIB_IPV6_UNICAST);
- }
-#endif /* HAVE_IPV6 */
-
- /* Sequence number */
- stream_putl(obuf, seq);
-
- /* Prefix length */
- stream_putc (obuf, rn->p.prefixlen);
-
- /* Prefix */
- if (afi == AFI_IP)
- {
- /* We'll dump only the useful bits (those not 0), but have to align on 8 bits */
- stream_write(obuf, (u_char *)&rn->p.u.prefix4, (rn->p.prefixlen+7)/8);
- }
-#ifdef HAVE_IPV6
- else if (afi == AFI_IP6)
- {
- /* We'll dump only the useful bits (those not 0), but have to align on 8 bits */
- stream_write (obuf, (u_char *)&rn->p.u.prefix6, (rn->p.prefixlen+7)/8);
- }
-#endif /* HAVE_IPV6 */
-
- /* Save where we are now, so we can overwride the entry count later */
- int sizep = stream_get_endp(obuf);
-
- /* Entry count */
- uint16_t entry_count = 0;
-
- /* Entry count, note that this is overwritten later */
- stream_putw(obuf, 0);
-
- for (info = rn->info; info; info = info->next)
- {
- entry_count++;
-
- /* Peer index */
- stream_putw(obuf, info->peer->table_dump_index);
-
- /* Originated */
-#ifdef HAVE_CLOCK_MONOTONIC
- stream_putl (obuf, time(NULL) - (bgp_clock() - info->uptime));
-#else
- stream_putl (obuf, info->uptime);
-#endif /* HAVE_CLOCK_MONOTONIC */
-
- /* Dump attribute. */
- /* Skip prefix & AFI/SAFI for MP_NLRI */
- bgp_dump_routes_attr (obuf, info->attr, &rn->p);
- }
-
- /* Overwrite the entry count, now that we know the right number */
- stream_putw_at (obuf, sizep, entry_count);
-
- seq++;
-
- bgp_dump_set_size(obuf, MSG_TABLE_DUMP_V2);
- fwrite (STREAM_DATA (obuf), stream_get_endp (obuf), 1, bgp_dump_routes.fp);
-
+ info = rn->info;
+ while (info)
+ {
+ info = bgp_dump_route_node_record(afi, rn, info, seq);
+ seq++;
+ }
}
fflush (bgp_dump_routes.fp);
@@ -854,8 +871,8 @@ bgp_dump_init (void)
memset (&bgp_dump_updates, 0, sizeof (struct bgp_dump));
memset (&bgp_dump_routes, 0, sizeof (struct bgp_dump));
- bgp_dump_obuf = stream_new (BGP_MAX_PACKET_SIZE + BGP_DUMP_MSG_HEADER
- + BGP_DUMP_HEADER_SIZE);
+ bgp_dump_obuf = stream_new ((BGP_MAX_PACKET_SIZE << 1)
+ + BGP_DUMP_MSG_HEADER + BGP_DUMP_HEADER_SIZE);
install_node (&bgp_dump_node, config_write_bgp_dump);
--
2.7.4

2
quagga.spec
View File

@ -30,6 +30,7 @@ Obsoletes: quagga-sysvinit
Patch0: 0001-systemd-various-service-file-improvements.patch Patch0: 0001-systemd-various-service-file-improvements.patch
Patch1: 0002-bgpd-Fix-VU-270232-VPNv4-NLRI-parser-memcpys-to-stac.patch Patch1: 0002-bgpd-Fix-VU-270232-VPNv4-NLRI-parser-memcpys-to-stac.patch
Patch2: 0003-bgpd-Fix-buffer-overflow-error-in-bgp_dump_routes_fu.patch
%define __perl_requires %{SOURCE1} %define __perl_requires %{SOURCE1}
@ -229,6 +230,7 @@ fi
* Fri Oct 21 2016 Michal Sekletar <msekleta@redhat.com> - 0.99.24.1-4 * Fri Oct 21 2016 Michal Sekletar <msekleta@redhat.com> - 0.99.24.1-4
- make routing daemons pull network.target into the boot transaction (#1387654) - make routing daemons pull network.target into the boot transaction (#1387654)
- fix for CVE-2016-2342 (#1316572) - fix for CVE-2016-2342 (#1316572)
- fix for CVE-2016-4049 (#1331373)
* Thu Feb 04 2016 Fedora Release Engineering <releng@fedoraproject.org> - 0.99.24.1-3 * Thu Feb 04 2016 Fedora Release Engineering <releng@fedoraproject.org> - 0.99.24.1-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild - Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild