From: David Lamparter <equinox@opensourcerouting.org>
Date: Wed, 23 Jan 2013 04:50:24 +0000 (+0100)
Subject: bgpd: relax ORF capability length handling
X-Git-Tag: frr-2.0-rc1~1696
X-Git-Url: https://git.puffer.fish/?a=commitdiff_plain;h=5e728e929942d39ce5a4ab3d01c33f7b688c4e3f;p=mirror%2Ffrr.git

bgpd: relax ORF capability length handling

commit fe9bb64... "bgpd: CVE-2012-1820, DoS in bgp_capability_orf()"
made the length test in bgp_capability_orf_entry() stricter and is now
causing us to refuse (with CEASE) ORF capabilites carrying any excess
data.  This does not conform to the robustness principle as laid out by
RFC1122 ("be liberal in what you accept").

Even worse, RFC5291 is quite unclear on how to use the ORF capability
with multiple AFI/SAFIs.  It can be interpreted as either "use one
instance, stuff everything in" but also as "use multiple instances".
So, if not for applying robustness, we end up clearing sessions from
implementations going by the former interpretation.  (or if anyone dares
add a byte of padding...)

Cc: Denis Ovsienko <infrastation@yandex.ru>
Signed-off-by: David Lamparter <equinox@opensourcerouting.org>
---

diff --git a/bgpd/bgp_open.c b/bgpd/bgp_open.c
index af711cc8ce..7bf350165b 100644
--- a/bgpd/bgp_open.c
+++ b/bgpd/bgp_open.c
@@ -230,7 +230,7 @@ bgp_capability_orf_entry (struct peer *peer, struct capability_header *hdr)
     }
   
   /* validate number field */
-  if (sizeof (struct capability_orf_entry) + (entry.num * 2) != hdr->length)
+  if (sizeof (struct capability_orf_entry) + (entry.num * 2) > hdr->length)
     {
       zlog_info ("%s ORF Capability entry length error,"
                  " Cap length %u, num %u",