bgpd: CVE-2012-1820, DoS in bgp_capability_orf()

[mirror_frr.git] / bgpd / bgp_open.c

diff --git a/bgpd/bgp_open.c b/bgpd/bgp_open.c
index d045dde542f63835b874e518d8a810e681b0d085..af711cc8ceba87bea72958983bca69b7b138767f 100644 (file)
--- a/bgpd/bgp_open.c
+++ b/bgpd/bgp_open.c
@@ -230,7 +230,7 @@ bgp_capability_orf_entry (struct peer *peer, struct capability_header *hdr)
     }
   
   /* validate number field */
-  if (sizeof (struct capability_orf_entry) + (entry.num * 2) > hdr->length)
+  if (sizeof (struct capability_orf_entry) + (entry.num * 2) != hdr->length)
     {
       zlog_info ("%s ORF Capability entry length error,"
                  " Cap length %u, num %u",
@@ -333,28 +333,6 @@ bgp_capability_orf_entry (struct peer *peer, struct capability_header *hdr)
   return 0;
 }
 
-static int
-bgp_capability_orf (struct peer *peer, struct capability_header *hdr)
-{
-  struct stream *s = BGP_INPUT (peer);
-  size_t end = stream_get_getp (s) + hdr->length;
-  
-  assert (stream_get_getp(s) + sizeof(struct capability_orf_entry) <= end);
-  
-  /* We must have at least one ORF entry, as the caller has already done
-   * minimum length validation for the capability code - for ORF there must
-   * at least one ORF entry (header and unknown number of pairs of bytes).
-   */
-  do
-    {
-      if (bgp_capability_orf_entry (peer, hdr) == -1)
-        return -1;
-    } 
-  while (stream_get_getp(s) + sizeof(struct capability_orf_entry) < end);
-  
-  return 0;
-}
-
 static int
 bgp_capability_restart (struct peer *peer, struct capability_header *caphdr)
 {
@@ -573,7 +551,7 @@ bgp_capability_parse (struct peer *peer, size_t length, int *mp_capability,
             break;
           case CAPABILITY_CODE_ORF:
           case CAPABILITY_CODE_ORF_OLD:
-            if (bgp_capability_orf (peer, &caphdr))
+            if (bgp_capability_orf_entry (peer, &caphdr))
               return -1;
             break;
           case CAPABILITY_CODE_RESTART: