157a198d30
Fixes the following security issues:
CVE-2018-5378
It was discovered that the Quagga BGP daemon, bgpd, does not
properly bounds check data sent with a NOTIFY to a peer, if an
attribute length is invalid. A configured BGP peer can take
advantage of this bug to read memory from the bgpd process or cause
a denial of service (daemon crash).
https://www.quagga.net/security/Quagga-2018-0543.txt
CVE-2018-5379
It was discovered that the Quagga BGP daemon, bgpd, can double-free
memory when processing certain forms of UPDATE message, containing
cluster-list and/or unknown attributes, resulting in a denial of
service (bgpd daemon crash).
https://www.quagga.net/security/Quagga-2018-1114.txt
CVE-2018-5380
It was discovered that the Quagga BGP daemon, bgpd, does not
properly handle internal BGP code-to-string conversion tables.
https://www.quagga.net/security/Quagga-2018-1550.txt
CVE-2018-5381
It was discovered that the Quagga BGP daemon, bgpd, can enter an
infinite loop if sent an invalid OPEN message by a configured peer.
A configured peer can take advantage of this flaw to cause a denial
of service (bgpd daemon not responding to any other events; BGP
sessions will drop and not be reestablished; unresponsive CLI
interface).
https://www.quagga.net/security/Quagga-2018-1975.txt
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
44 lines
1.3 KiB
Diff
44 lines
1.3 KiB
Diff
From ce07207c50a3d1f05d6dd49b5294282e59749787 Mon Sep 17 00:00:00 2001
|
|
From: Paul Jakma <paul@jakma.org>
|
|
Date: Sat, 6 Jan 2018 21:20:51 +0000
|
|
Subject: [PATCH] bgpd/security: fix infinite loop on certain invalid OPEN
|
|
messages
|
|
|
|
Security issue: Quagga-2018-1975
|
|
See: https://www.quagga.net/security/Quagga-2018-1975.txt
|
|
|
|
* bgpd/bgp_packet.c: (bgp_capability_msg_parse) capability parser can infinite
|
|
loop due to checks that issue 'continue' without bumping the input
|
|
pointer.
|
|
|
|
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
|
|
---
|
|
bgpd/bgp_packet.c | 4 ++--
|
|
1 file changed, 2 insertions(+), 2 deletions(-)
|
|
|
|
diff --git a/bgpd/bgp_packet.c b/bgpd/bgp_packet.c
|
|
index b3d601fc..f9338d8d 100644
|
|
--- a/bgpd/bgp_packet.c
|
|
+++ b/bgpd/bgp_packet.c
|
|
@@ -2328,7 +2328,8 @@ bgp_capability_msg_parse (struct peer *peer, u_char *pnt, bgp_size_t length)
|
|
|
|
end = pnt + length;
|
|
|
|
- while (pnt < end)
|
|
+ /* XXX: Streamify this */
|
|
+ for (; pnt < end; pnt += hdr->length + 3)
|
|
{
|
|
/* We need at least action, capability code and capability length. */
|
|
if (pnt + 3 > end)
|
|
@@ -2416,7 +2417,6 @@ bgp_capability_msg_parse (struct peer *peer, u_char *pnt, bgp_size_t length)
|
|
zlog_warn ("%s unrecognized capability code: %d - ignored",
|
|
peer->host, hdr->code);
|
|
}
|
|
- pnt += hdr->length + 3;
|
|
}
|
|
return 0;
|
|
}
|
|
--
|
|
2.11.0
|
|
|