git.proxmox.com Git - mirror

author	Denis Ovsienko <infrastation@yandex.ru>
	Thu, 19 Apr 2012 16:34:13 +0000 (20:34 +0400)
committer	David Lamparter <equinox@opensourcerouting.org>
	Fri, 2 Nov 2012 06:07:15 +0000 (23:07 -0700)
commit	fe9bb6459afe0d55e56619cdc5061d8407cd1f15
tree	0de65deb7260c93592625348219f8933efbc1d04	tree
parent	d1d3ac9bad0caf7a9c465bb382b924009f0d9168	commit \| diff

bgpd: CVE-2012-1820, DoS in bgp_capability_orf()

An ORF (code 3) capability TLV is defined to contain exactly one
AFI/SAFI block. Function bgp_capability_orf(), which parses ORF
capability TLV, uses do-while cycle to call its helper function
bgp_capability_orf_entry(), which actually processes the AFI/SAFI data
block. The call is made at least once and repeated as long as the input
buffer has enough data for the next call.

The helper function, bgp_capability_orf_entry(), uses "Number of ORFs"
field of the provided AFI/SAFI block to verify, if it fits the input
buffer. However, the check is made based on the total length of the ORF
TLV regardless of the data already consumed by the previous helper
function call(s). This way, the check condition is only valid for the
first AFI/SAFI block inside an ORF capability TLV.

For the subsequent calls of the helper function, if any are made, the
check condition may erroneously tell, that the current "Number of ORFs"
field fits the buffer boundary, where in fact it does not. This makes it
possible to trigger an assertion by feeding an OPEN message with a
specially-crafted malformed ORF capability TLV.

This commit fixes the vulnerability by making the implementation follow
the spec.