quagga: Security Advisory - CVE-2012-1820

The bgp_capability_orf function in bgpd in Quagga 0.99.20.1 and earlier allows remote attackers to cause a denial of service (assertion failure and daemon exit) by leveraging a BGP peering relationship and sending a malformed Outbound Route Filtering (ORF) capability TLV in an OPEN message. http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-1820 Signed-off-by: Yue Tao <Yue.Tao@windriver.com> Signed-off-by: Jackie Huang <jackie.huang@windriver.com> Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
author: Yue Tao <Yue.Tao@windriver.com> 2014-06-15 22:24:44 -0400
committer: Joe MacDonald <joe_macdonald@mentor.com> 2014-06-15 23:21:56 -0400
commit: 26b31ad72899a68d93029f5cce4afa63c3b78a6b (patch)
tree: e0d1c162da0fd449b4887e7f3b8e1c77ff0f1cfd
parent: d42a2e16056777615e6bcc126cdb92db3b4f9cdf (diff)
download: meta-openembedded-26b31ad72899a68d93029f5cce4afa63c3b78a6b.tar.gz
3 files changed, 131 insertions, 0 deletions
diff --git a/meta-networking/recipes-protocols/quagga/files/0001-bgpd-CVE-2012-1820-DoS-in-bgp_capability_orf.patch b/meta-networking/recipes-protocols/quagga/files/0001-bgpd-CVE-2012-1820-DoS-in-bgp_capability_orf.patch
new file mode 100644
index 0000000000..5a2ee1b2ca
--- /dev/null
+++ b/meta-networking/recipes-protocols/quagga/files/0001-bgpd-CVE-2012-1820-DoS-in-bgp_capability_orf.patch
@@ -0,0 +1,87 @@
+From fe9bb6459afe0d55e56619cdc5061d8407cd1f15 Mon Sep 17 00:00:00 2001
+From: Denis Ovsienko <infrastation@yandex.ru>
+Date: Thu, 19 Apr 2012 20:34:13 +0400
+Subject: [PATCH] bgpd: CVE-2012-1820, DoS in bgp_capability_orf()
+Upstream-Status: Backport
+An ORF (code 3) capability TLV is defined to contain exactly one
+AFI/SAFI block. Function bgp_capability_orf(), which parses ORF
+capability TLV, uses do-while cycle to call its helper function
+bgp_capability_orf_entry(), which actually processes the AFI/SAFI data
+block. The call is made at least once and repeated as long as the input
+buffer has enough data for the next call.
+The helper function, bgp_capability_orf_entry(), uses "Number of ORFs"
+field of the provided AFI/SAFI block to verify, if it fits the input
+buffer. However, the check is made based on the total length of the ORF
+TLV regardless of the data already consumed by the previous helper
+function call(s). This way, the check condition is only valid for the
+first AFI/SAFI block inside an ORF capability TLV.
+For the subsequent calls of the helper function, if any are made, the
+check condition may erroneously tell, that the current "Number of ORFs"
+field fits the buffer boundary, where in fact it does not. This makes it
+possible to trigger an assertion by feeding an OPEN message with a
+specially-crafted malformed ORF capability TLV.
+This commit fixes the vulnerability by making the implementation follow
+the spec.
+---
+ bgpd/bgp_open.c |   26 ++------------------------
+ 1 files changed, 2 insertions(+), 24 deletions(-)
+diff --git a/bgpd/bgp_open.c b/bgpd/bgp_open.c
+index d045dde..af711cc 100644
+--- a/bgpd/bgp_open.c
+++ b/bgpd/bgp_open.c
+@@ -230,7 +230,7 @@ bgp_capability_orf_entry (struct peer *peer, struct capability_header *hdr)
+     }
+   
+   /* validate number field */
+-  if (sizeof (struct capability_orf_entry) + (entry.num * 2) > hdr->length)
+  if (sizeof (struct capability_orf_entry) + (entry.num * 2) != hdr->length)
+     {
+       zlog_info ("%s ORF Capability entry length error,"
+                  " Cap length %u, num %u",
+@@ -334,28 +334,6 @@ bgp_capability_orf_entry (struct peer *peer, struct capability_header *hdr)
+ }
+ 
+ static int
+-bgp_capability_orf (struct peer *peer, struct capability_header *hdr)
+-{
+-  struct stream *s = BGP_INPUT (peer);
+-  size_t end = stream_get_getp (s) + hdr->length;
+-  
+-  assert (stream_get_getp(s) + sizeof(struct capability_orf_entry) <= end);
+-  
+-  /* We must have at least one ORF entry, as the caller has already done
+-   * minimum length validation for the capability code - for ORF there must
+-   * at least one ORF entry (header and unknown number of pairs of bytes).
+-   */
+-  do
+-    {
+-      if (bgp_capability_orf_entry (peer, hdr) == -1)
+-        return -1;
+-    } 
+-  while (stream_get_getp(s) + sizeof(struct capability_orf_entry) < end);
+-  
+-  return 0;
+-}
+-
+-static int
+ bgp_capability_restart (struct peer *peer, struct capability_header *caphdr)
+ {
+   struct stream *s = BGP_INPUT (peer);
+@@ -573,7 +551,7 @@ bgp_capability_parse (struct peer *peer, size_t length, int *mp_capability,
+             break;
+           case CAPABILITY_CODE_ORF:
+           case CAPABILITY_CODE_ORF_OLD:
+-            if (bgp_capability_orf (peer, &caphdr))
+            if (bgp_capability_orf_entry (peer, &caphdr))
+               return -1;
+             break;
+           case CAPABILITY_CODE_RESTART:
+-- 
+1.7.5.4
diff --git a/meta-networking/recipes-protocols/quagga/files/0001-bgpd-relax-ORF-capability-length-handling.patch b/meta-networking/recipes-protocols/quagga/files/0001-bgpd-relax-ORF-capability-length-handling.patch
new file mode 100644
index 0000000000..0ec02dc861
--- /dev/null
+++ b/meta-networking/recipes-protocols/quagga/files/0001-bgpd-relax-ORF-capability-length-handling.patch
@@ -0,0 +1,42 @@
+From 5e728e929942d39ce5a4ab3d01c33f7b688c4e3f Mon Sep 17 00:00:00 2001
+From: David Lamparter <equinox@opensourcerouting.org>
+Date: Wed, 23 Jan 2013 05:50:24 +0100
+Subject: [PATCH] bgpd: relax ORF capability length handling
+Upstream-Status: Backport
+commit fe9bb64... "bgpd: CVE-2012-1820, DoS in bgp_capability_orf()"
+made the length test in bgp_capability_orf_entry() stricter and is now
+causing us to refuse (with CEASE) ORF capabilites carrying any excess
+data.  This does not conform to the robustness principle as laid out by
+RFC1122 ("be liberal in what you accept").
+Even worse, RFC5291 is quite unclear on how to use the ORF capability
+with multiple AFI/SAFIs.  It can be interpreted as either "use one
+instance, stuff everything in" but also as "use multiple instances".
+So, if not for applying robustness, we end up clearing sessions from
+implementations going by the former interpretation.  (or if anyone dares
+add a byte of padding...)
+Cc: Denis Ovsienko <infrastation@yandex.ru>
+Signed-off-by: David Lamparter <equinox@opensourcerouting.org>
+---
+ bgpd/bgp_open.c |    2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+diff --git a/bgpd/bgp_open.c b/bgpd/bgp_open.c
+index af711cc..7bf3501 100644
+--- a/bgpd/bgp_open.c
+++ b/bgpd/bgp_open.c
+@@ -230,7 +230,7 @@ bgp_capability_orf_entry (struct peer *peer, struct capability_header *hdr)
+     }
+   
+   /* validate number field */
+-  if (sizeof (struct capability_orf_entry) + (entry.num * 2) != hdr->length)
+  if (sizeof (struct capability_orf_entry) + (entry.num * 2) > hdr->length)
+     {
+       zlog_info ("%s ORF Capability entry length error,"
+                  " Cap length %u, num %u",
+-- 
+1.7.5.4
diff --git a/meta-networking/recipes-protocols/quagga/quagga.inc b/meta-networking/recipes-protocols/quagga/quagga.inc
index 5eeb18bebf..5ab43b300e 100644
--- a/meta-networking/recipes-protocols/quagga/quagga.inc
+++ b/meta-networking/recipes-protocols/quagga/quagga.inc
@@ -36,6 +36,8 @@ SRC_URI = "${SAVANNAH_GNU_MIRROR}/quagga${QUAGGASUBDIR}/quagga-${PV}.tar.gz;name
           file://quagga.pam \
           file://ripd-fix-two-bugs-after-received-SIGHUP.patch \
           file://quagga-Avoid-duplicate-connected-address.patch \
+           file://0001-bgpd-CVE-2012-1820-DoS-in-bgp_capability_orf.patch \
+           file://0001-bgpd-relax-ORF-capability-length-handling.patch \
 "
 PACKAGECONFIG ??= "${@base_contains('DISTRO_FEATURES', 'pam', 'pam', '', d)}"
author	Yue Tao <Yue.Tao@windriver.com>	2014-06-15 22:24:44 -0400
committer	Joe MacDonald <joe_macdonald@mentor.com>	2014-06-15 23:21:56 -0400
commit	26b31ad72899a68d93029f5cce4afa63c3b78a6b (patch)
tree	e0d1c162da0fd449b4887e7f3b8e1c77ff0f1cfd
parent	d42a2e16056777615e6bcc126cdb92db3b4f9cdf (diff)
download	meta-openembedded-26b31ad72899a68d93029f5cce4afa63c3b78a6b.tar.gz

diff --git a/meta-networking/recipes-protocols/quagga/files/0001-bgpd-CVE-2012-1820-DoS-in-bgp_capability_orf.patch b/meta-networking/recipes-protocols/quagga/files/0001-bgpd-CVE-2012-1820-DoS-in-bgp_capability_orf.patch new file mode 100644 index 0000000000..5a2ee1b2ca --- /dev/null +++ b/meta-networking/recipes-protocols/quagga/files/0001-bgpd-CVE-2012-1820-DoS-in-bgp_capability_orf.patch
@@ -0,0 +1,87 @@
		1	From fe9bb6459afe0d55e56619cdc5061d8407cd1f15 Mon Sep 17 00:00:00 2001
		2	From: Denis Ovsienko <infrastation@yandex.ru>
		3	Date: Thu, 19 Apr 2012 20:34:13 +0400
		4	Subject: [PATCH] bgpd: CVE-2012-1820, DoS in bgp_capability_orf()
		5
		6	Upstream-Status: Backport
		7
		8	An ORF (code 3) capability TLV is defined to contain exactly one
		9	AFI/SAFI block. Function bgp_capability_orf(), which parses ORF
		10	capability TLV, uses do-while cycle to call its helper function
		11	bgp_capability_orf_entry(), which actually processes the AFI/SAFI data
		12	block. The call is made at least once and repeated as long as the input
		13	buffer has enough data for the next call.
		14
		15	The helper function, bgp_capability_orf_entry(), uses "Number of ORFs"
		16	field of the provided AFI/SAFI block to verify, if it fits the input
		17	buffer. However, the check is made based on the total length of the ORF
		18	TLV regardless of the data already consumed by the previous helper
		19	function call(s). This way, the check condition is only valid for the
		20	first AFI/SAFI block inside an ORF capability TLV.
		21
		22	For the subsequent calls of the helper function, if any are made, the
		23	check condition may erroneously tell, that the current "Number of ORFs"
		24	field fits the buffer boundary, where in fact it does not. This makes it
		25	possible to trigger an assertion by feeding an OPEN message with a
		26	specially-crafted malformed ORF capability TLV.
		27
		28	This commit fixes the vulnerability by making the implementation follow
		29	the spec.
		30	---
		31	bgpd/bgp_open.c \| 26 ++------------------------
		32	1 files changed, 2 insertions(+), 24 deletions(-)
		33
		34	diff --git a/bgpd/bgp_open.c b/bgpd/bgp_open.c
		35	index d045dde..af711cc 100644
		36	--- a/bgpd/bgp_open.c
		37	+++ b/bgpd/bgp_open.c
		38	@@ -230,7 +230,7 @@ bgp_capability_orf_entry (struct peer peer, struct capability_header hdr)
		39	}
		40
		41	/* validate number field */
		42	- if (sizeof (struct capability_orf_entry) + (entry.num * 2) > hdr->length)
		43	+ if (sizeof (struct capability_orf_entry) + (entry.num * 2) != hdr->length)
		44	{
		45	zlog_info ("%s ORF Capability entry length error,"
		46	" Cap length %u, num %u",
		47	@@ -334,28 +334,6 @@ bgp_capability_orf_entry (struct peer peer, struct capability_header hdr)
		48	}
		49
		50	static int
		51	-bgp_capability_orf (struct peer peer, struct capability_header hdr)
		52	-{
		53	- struct stream *s = BGP_INPUT (peer);
		54	- size_t end = stream_get_getp (s) + hdr->length;
		55	-
		56	- assert (stream_get_getp(s) + sizeof(struct capability_orf_entry) <= end);
		57	-
		58	- /* We must have at least one ORF entry, as the caller has already done
		59	- * minimum length validation for the capability code - for ORF there must
		60	- * at least one ORF entry (header and unknown number of pairs of bytes).
		61	- */
		62	- do
		63	- {
		64	- if (bgp_capability_orf_entry (peer, hdr) == -1)
		65	- return -1;
		66	- }
		67	- while (stream_get_getp(s) + sizeof(struct capability_orf_entry) < end);
		68	-
		69	- return 0;
		70	-}
		71	-
		72	-static int
		73	bgp_capability_restart (struct peer peer, struct capability_header caphdr)
		74	{
		75	struct stream *s = BGP_INPUT (peer);
		76	@@ -573,7 +551,7 @@ bgp_capability_parse (struct peer peer, size_t length, int mp_capability,
		77	break;
		78	case CAPABILITY_CODE_ORF:
		79	case CAPABILITY_CODE_ORF_OLD:
		80	- if (bgp_capability_orf (peer, &caphdr))
		81	+ if (bgp_capability_orf_entry (peer, &caphdr))
		82	return -1;
		83	break;
		84	case CAPABILITY_CODE_RESTART:
		85	--
		86	1.7.5.4
		87


diff --git a/meta-networking/recipes-protocols/quagga/files/0001-bgpd-relax-ORF-capability-length-handling.patch b/meta-networking/recipes-protocols/quagga/files/0001-bgpd-relax-ORF-capability-length-handling.patch new file mode 100644 index 0000000000..0ec02dc861 --- /dev/null +++ b/meta-networking/recipes-protocols/quagga/files/0001-bgpd-relax-ORF-capability-length-handling.patch
@@ -0,0 +1,42 @@
		1	From 5e728e929942d39ce5a4ab3d01c33f7b688c4e3f Mon Sep 17 00:00:00 2001
		2	From: David Lamparter <equinox@opensourcerouting.org>
		3	Date: Wed, 23 Jan 2013 05:50:24 +0100
		4	Subject: [PATCH] bgpd: relax ORF capability length handling
		5
		6	Upstream-Status: Backport
		7
		8	commit fe9bb64... "bgpd: CVE-2012-1820, DoS in bgp_capability_orf()"
		9	made the length test in bgp_capability_orf_entry() stricter and is now
		10	causing us to refuse (with CEASE) ORF capabilites carrying any excess
		11	data. This does not conform to the robustness principle as laid out by
		12	RFC1122 ("be liberal in what you accept").
		13
		14	Even worse, RFC5291 is quite unclear on how to use the ORF capability
		15	with multiple AFI/SAFIs. It can be interpreted as either "use one
		16	instance, stuff everything in" but also as "use multiple instances".
		17	So, if not for applying robustness, we end up clearing sessions from
		18	implementations going by the former interpretation. (or if anyone dares
		19	add a byte of padding...)
		20
		21	Cc: Denis Ovsienko <infrastation@yandex.ru>
		22	Signed-off-by: David Lamparter <equinox@opensourcerouting.org>
		23	---
		24	bgpd/bgp_open.c \| 2 +-
		25	1 files changed, 1 insertions(+), 1 deletions(-)
		26
		27	diff --git a/bgpd/bgp_open.c b/bgpd/bgp_open.c
		28	index af711cc..7bf3501 100644
		29	--- a/bgpd/bgp_open.c
		30	+++ b/bgpd/bgp_open.c
		31	@@ -230,7 +230,7 @@ bgp_capability_orf_entry (struct peer peer, struct capability_header hdr)
		32	}
		33
		34	/* validate number field */
		35	- if (sizeof (struct capability_orf_entry) + (entry.num * 2) != hdr->length)
		36	+ if (sizeof (struct capability_orf_entry) + (entry.num * 2) > hdr->length)
		37	{
		38	zlog_info ("%s ORF Capability entry length error,"
		39	" Cap length %u, num %u",
		40	--
		41	1.7.5.4
		42


diff --git a/meta-networking/recipes-protocols/quagga/quagga.inc b/meta-networking/recipes-protocols/quagga/quagga.inc index 5eeb18bebf..5ab43b300e 100644 --- a/meta-networking/recipes-protocols/quagga/quagga.inc +++ b/meta-networking/recipes-protocols/quagga/quagga.inc
@@ -36,6 +36,8 @@ SRC_URI = "${SAVANNAH_GNU_MIRROR}/quagga${QUAGGASUBDIR}/quagga-${PV}.tar.gz;name
36	file://quagga.pam \	36	file://quagga.pam \
37	file://ripd-fix-two-bugs-after-received-SIGHUP.patch \	37	file://ripd-fix-two-bugs-after-received-SIGHUP.patch \
38	file://quagga-Avoid-duplicate-connected-address.patch \	38	file://quagga-Avoid-duplicate-connected-address.patch \
		39	file://0001-bgpd-CVE-2012-1820-DoS-in-bgp_capability_orf.patch \
		40	file://0001-bgpd-relax-ORF-capability-length-handling.patch \
39	"	41	"
40		42
41	PACKAGECONFIG ??= "${@base_contains('DISTRO_FEATURES', 'pam', 'pam', '', d)}"	43	PACKAGECONFIG ??= "${@base_contains('DISTRO_FEATURES', 'pam', 'pam', '', d)}"