mirror of
https://git.proxmox.com/git/mirror_frr
synced 2025-08-14 14:17:20 +00:00
fe9bb6459a
An ORF (code 3) capability TLV is defined to contain exactly one AFI/SAFI block. Function bgp_capability_orf(), which parses ORF capability TLV, uses do-while cycle to call its helper function bgp_capability_orf_entry(), which actually processes the AFI/SAFI data block. The call is made at least once and repeated as long as the input buffer has enough data for the next call. The helper function, bgp_capability_orf_entry(), uses "Number of ORFs" field of the provided AFI/SAFI block to verify, if it fits the input buffer. However, the check is made based on the total length of the ORF TLV regardless of the data already consumed by the previous helper function call(s). This way, the check condition is only valid for the first AFI/SAFI block inside an ORF capability TLV. For the subsequent calls of the helper function, if any are made, the check condition may erroneously tell, that the current "Number of ORFs" field fits the buffer boundary, where in fact it does not. This makes it possible to trigger an assertion by feeding an OPEN message with a specially-crafted malformed ORF capability TLV. This commit fixes the vulnerability by making the implementation follow the spec. |
||
|---|---|---|
| babeld | ||
| bgpd | ||
| doc | ||
| guile | ||
| init | ||
| isisd | ||
| lib | ||
| m4 | ||
| ospf6d | ||
| ospfclient | ||
| ospfd | ||
| pkgsrc | ||
| ports | ||
| redhat | ||
| ripd | ||
| ripngd | ||
| solaris | ||
| tests | ||
| tools | ||
| vtysh | ||
| watchquagga | ||
| zebra | ||
| .gitignore | ||
| AUTHORS | ||
| bootstrap.sh | ||
| ChangeLog | ||
| configure.ac | ||
| COPYING | ||
| COPYING.LIB | ||
| HACKING.pending | ||
| HACKING.tex | ||
| INSTALL.quagga.txt | ||
| Makefile.am | ||
| NEWS | ||
| README | ||
| README.NetBSD | ||
| REPORTING-BUGS | ||
| SERVICES | ||
| stamp-h.in | ||
| TODO | ||
| update-autotools | ||
Quagga is free software that manages various IPv4 and IPv6 routing protocols. Currently Quagga supports BGP4, BGP4+, OSPFv2, OSPFv3, RIPv1, RIPv2, and RIPng as well as very early support for IS-IS. See the file INSTALL.quagga.txt for building and installation instructions. See the file REPORTING-BUGS to report bugs. Quagga is free software. See the file COPYING for copying conditions.