Diffstat (limited to 'net/quagga/files/patch-CVE-2010-1674')
-rw-r--r-- | net/quagga/files/patch-CVE-2010-1674 | 67 |
1 files changed, 67 insertions, 0 deletions
diff --git a/net/quagga/files/patch-CVE-2010-1674 b/net/quagga/files/patch-CVE-2010-1674
new file mode 100644
index 000000000000..6ff20eff5485
--- /dev/null
+++ b/net/quagga/files/patch-CVE-2010-1674
@@ -0,0 +1,67 @@
+commit ca0f29480d22837f99b9ac42cf64a8d656bfcac5
+Author: Paul Jakma <paul@quagga.net>
+Date: Sun Dec 5 17:17:26 2010 +0000
+
+ bgpd/security: CVE-2010-1674 Fix crash due to extended-community parser error
+
+ * bgp_attr.c: (bgp_attr_ext_communities) Certain extended-community attrs
+ can leave attr->flag indicating ext-community is present, even though no
+ extended-community object has been attached to the attr structure. Thus a
+ null-pointer dereference can occur later.
+ (bgp_attr_community) No bug fixed here, but tidy up flow so it has same
+ form as previous.
+
+ Problem and fix thanks to anonymous reporter.
+
+diff --git a/bgpd/bgp_attr.c b/bgpd/bgp_attr.c
+index ae0dc88..c6fd3a5 100644
+--- bgpd/bgp_attr.c
++++ bgpd/bgp_attr.c
+@@ -1235,13 +1235,16 @@ bgp_attr_community (struct peer *peer, bgp_size_t length,
+ attr->community = NULL;
+ return 0;
+ }
+- else
+- {
+- attr->community =
+- community_parse ((u_int32_t *)stream_pnt (peer->ibuf), length);
+- stream_forward_getp (peer->ibuf, length);
+- }
++
++ attr->community =
++ community_parse ((u_int32_t *)stream_pnt (peer->ibuf), length);
++
++ /* XXX: fix community_parse to use stream API and remove this */
++ stream_forward_getp (peer->ibuf, length);
+
++ if (!attr->community)
++ return -1;
++
+ attr->flag |= ATTR_FLAG_BIT (BGP_ATTR_COMMUNITIES);
+
+ return 0;
+@@ -1478,13 +1481,18 @@ bgp_attr_ext_communities (struct peer *peer, bgp_size_t length,
+ {
+ if (attr->extra)
+ attr->extra->ecommunity = NULL;
++ /* Empty extcomm doesn't seem to be invalid per se */
++ return 0;
+ }
+- else
+- {
+- (bgp_attr_extra_get (attr))->ecommunity =
+- ecommunity_parse ((u_int8_t *)stream_pnt (peer->ibuf), length);
+- stream_forward_getp (peer->ibuf, length);
+- }
++
++ (bgp_attr_extra_get (attr))->ecommunity =
++ ecommunity_parse ((u_int8_t *)stream_pnt (peer->ibuf), length);
++ /* XXX: fix ecommunity_parse to use stream API */
++ stream_forward_getp (peer->ibuf, length);
++
++ if (!attr->extra->ecommunity)
++ return -1;
++
+ attr->flag |= ATTR_FLAG_BIT (BGP_ATTR_EXT_COMMUNITIES);
+
+ return 0; |
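Review bot: Both new `return -1` paths — after `community_parse` in the first inner hunk and after `ecommunity_parse` in the second — reject the attribute without recording why, so an operator whose session is torn down on a malformed UPDATE has nothing in the log to correlate unless the caller in bgp_attr_parse logs on its own, which this patch does not show. A one-line warning before each return would make the rejection visible, e.g. `zlog_warn ("%s: malformed EXT_COMMUNITIES attribute, length %d", peer->host, length);` with the attribute name adjusted in the community hunk, and the second `return -1` deserves a comment tying it to the fix, along the lines of `/* parser returned NULL: leave the EXT_COMMUNITIES flag bit clear so later code cannot dereference a NULL ecommunity */`. The NULL check `if (!attr->extra->ecommunity)` also relies on `bgp_attr_extra_get (attr)` having allocated `attr->extra` on the line just above, presumably its contract, which is worth stating in a comment since the `length == 0` branch deliberately does not allocate. Both enclosing functions start above their hunks, and because this file mirrors upstream commit ca0f29480d22837f99b9ac42cf64a8d656bfcac5 these additions belong in a follow-up rather than edits to the vendored patch.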