diff options
| author | Peter Korsgaard <peter@korsgaard.com> | 2018-02-19 16:50:59 +0100 |
|---|---|---|
| committer | Peter Korsgaard <peter@korsgaard.com> | 2018-02-19 23:48:35 +0100 |
| commit | 157a198d304224c12fa0d91d977a6619d021f5c6 (patch) | |
| tree | 304d0f60c9f35127c468b78d2ae24467ab14949b /package/quagga/0008-bgpd-security-fix-infinite-loop-on-certain-invalid-O.patch | |
| parent | 737278c2ccb607c4a5a8b3bb0d817c25a2dc2602 (diff) | |
| download | buildroot-157a198d304224c12fa0d91d977a6619d021f5c6.tar.gz buildroot-157a198d304224c12fa0d91d977a6619d021f5c6.zip | |
quagga: add upstream security fixes
Fixes the following security issues:
CVE-2018-5378
It was discovered that the Quagga BGP daemon, bgpd, does not
properly bounds check data sent with a NOTIFY to a peer, if an
attribute length is invalid. A configured BGP peer can take
advantage of this bug to read memory from the bgpd process or cause
a denial of service (daemon crash).
https://www.quagga.net/security/Quagga-2018-0543.txt
CVE-2018-5379
It was discovered that the Quagga BGP daemon, bgpd, can double-free
memory when processing certain forms of UPDATE message, containing
cluster-list and/or unknown attributes, resulting in a denial of
service (bgpd daemon crash).
https://www.quagga.net/security/Quagga-2018-1114.txt
CVE-2018-5380
It was discovered that the Quagga BGP daemon, bgpd, does not
properly handle internal BGP code-to-string conversion tables.
https://www.quagga.net/security/Quagga-2018-1550.txt
CVE-2018-5381
It was discovered that the Quagga BGP daemon, bgpd, can enter an
infinite loop if sent an invalid OPEN message by a configured peer.
A configured peer can take advantage of this flaw to cause a denial
of service (bgpd daemon not responding to any other events; BGP
sessions will drop and not be reestablished; unresponsive CLI
interface).
https://www.quagga.net/security/Quagga-2018-1975.txt
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Diffstat (limited to 'package/quagga/0008-bgpd-security-fix-infinite-loop-on-certain-invalid-O.patch')
| -rw-r--r-- | package/quagga/0008-bgpd-security-fix-infinite-loop-on-certain-invalid-O.patch | 43 |
1 files changed, 43 insertions, 0 deletions
diff --git a/package/quagga/0008-bgpd-security-fix-infinite-loop-on-certain-invalid-O.patch b/package/quagga/0008-bgpd-security-fix-infinite-loop-on-certain-invalid-O.patch new file mode 100644 index 0000000000..0a06da9330 --- /dev/null +++ b/package/quagga/0008-bgpd-security-fix-infinite-loop-on-certain-invalid-O.patch @@ -0,0 +1,43 @@ +From ce07207c50a3d1f05d6dd49b5294282e59749787 Mon Sep 17 00:00:00 2001 +From: Paul Jakma <paul@jakma.org> +Date: Sat, 6 Jan 2018 21:20:51 +0000 +Subject: [PATCH] bgpd/security: fix infinite loop on certain invalid OPEN + messages + +Security issue: Quagga-2018-1975 +See: https://www.quagga.net/security/Quagga-2018-1975.txt + +* bgpd/bgp_packet.c: (bgp_capability_msg_parse) capability parser can infinite + loop due to checks that issue 'continue' without bumping the input + pointer. + +Signed-off-by: Peter Korsgaard <peter@korsgaard.com> +--- + bgpd/bgp_packet.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/bgpd/bgp_packet.c b/bgpd/bgp_packet.c +index b3d601fc..f9338d8d 100644 +--- a/bgpd/bgp_packet.c ++++ b/bgpd/bgp_packet.c +@@ -2328,7 +2328,8 @@ bgp_capability_msg_parse (struct peer *peer, u_char *pnt, bgp_size_t length) + + end = pnt + length; + +- while (pnt < end) ++ /* XXX: Streamify this */ ++ for (; pnt < end; pnt += hdr->length + 3) + { + /* We need at least action, capability code and capability length. */ + if (pnt + 3 > end) +@@ -2416,7 +2417,6 @@ bgp_capability_msg_parse (struct peer *peer, u_char *pnt, bgp_size_t length) + zlog_warn ("%s unrecognized capability code: %d - ignored", + peer->host, hdr->code); + } +- pnt += hdr->length + 3; + } + return 0; + } +-- +2.11.0 + |
