Hello community,

here is the log from the commit of package quagga for openSUSE:Factory checked 
in at 2016-05-05 12:12:24
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/quagga (Old)
 and      /work/SRC/openSUSE:Factory/.quagga.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "quagga"

Changes:
--------
--- /work/SRC/openSUSE:Factory/quagga/quagga.changes    2016-04-08 
09:39:50.000000000 +0200
+++ /work/SRC/openSUSE:Factory/.quagga.new/quagga.changes       2016-05-05 
12:12:26.000000000 +0200
@@ -1,0 +2,7 @@
+Wed May  4 13:32:20 UTC 2016 - [email protected]
+
+- Add quagga-CVE-2016-4049-fix-buf-ovflow-bgp-dump-routes.patch
+  Fix for a buffer overflow error in bgp_dump_routes_func.
+  (CVE-2016-4049, bsc#977012)
+
+-------------------------------------------------------------------

New:
----
  quagga-CVE-2016-4049-fix-buf-ovflow-bgp-dump-routes.patch

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ quagga.spec ++++++
--- /var/tmp/diff_new_pack.cXOoVT/_old  2016-05-05 12:12:27.000000000 +0200
+++ /var/tmp/diff_new_pack.cXOoVT/_new  2016-05-05 12:12:27.000000000 +0200
@@ -49,6 +49,7 @@
 Patch2:         %{name}-add-table_test-return-value.patch
 Patch3:         0001-systemd-change-the-WantedBy-target.patch
 Patch4:         %{name}-autoconf-detect-AM_SILENT_RULES.patch
+Patch5:         %{name}-CVE-2016-4049-fix-buf-ovflow-bgp-dump-routes.patch
 BuildRequires:  autoconf >= 2.6
 BuildRequires:  automake >= 1.6
 BuildRequires:  libtool
@@ -110,6 +111,7 @@
 %patch2 -p 1
 %patch3 -p 1
 %patch4 -p 1
+%patch5 -p 1
 
 %build
 if ! ls /proc/net/{dev,route,snmp} >/dev/null; then


++++++ quagga-CVE-2016-4049-fix-buf-ovflow-bgp-dump-routes.patch ++++++
Index: quagga-1.0.20160315/bgpd/bgp_dump.c
===================================================================
--- quagga-1.0.20160315.orig/bgpd/bgp_dump.c
+++ quagga-1.0.20160315/bgpd/bgp_dump.c
@@ -297,11 +297,96 @@ bgp_dump_routes_index_table(struct bgp *
 }
 
 
+static struct bgp_info *
+bgp_dump_route_node_record (int afi, struct bgp_node *rn, struct bgp_info 
*info, unsigned int seq)
+{
+  struct stream *obuf;
+  size_t sizep;
+  size_t endp;
+
+  obuf = bgp_dump_obuf;
+  stream_reset(obuf);
+
+  /* MRT header */
+  if (afi == AFI_IP)
+    bgp_dump_header (obuf, MSG_TABLE_DUMP_V2, TABLE_DUMP_V2_RIB_IPV4_UNICAST,
+                     BGP_DUMP_ROUTES);
+  else if (afi == AFI_IP6)
+    bgp_dump_header (obuf, MSG_TABLE_DUMP_V2, TABLE_DUMP_V2_RIB_IPV6_UNICAST,
+                     BGP_DUMP_ROUTES);
+
+  /* Sequence number */
+  stream_putl(obuf, seq);
+
+  /* Prefix length */
+  stream_putc (obuf, rn->p.prefixlen);
+
+  /* Prefix */
+  if (afi == AFI_IP)
+  {
+    /* We'll dump only the useful bits (those not 0), but have to align on 8 
bits */
+    stream_write(obuf, (u_char *)&rn->p.u.prefix4, (rn->p.prefixlen+7)/8);
+  }
+  else if (afi == AFI_IP6)
+  {
+    /* We'll dump only the useful bits (those not 0), but have to align on 8 
bits */
+    stream_write (obuf, (u_char *)&rn->p.u.prefix6, (rn->p.prefixlen+7)/8);
+  }
+
+  /* Save where we are now, so we can overwride the entry count later */
+  sizep = stream_get_endp(obuf);
+
+  /* Entry count */
+  uint16_t entry_count = 0;
+
+  /* Entry count, note that this is overwritten later */
+  stream_putw(obuf, 0);
+
+  endp = stream_get_endp(obuf);
+  for (; info; info = info->next)
+  {
+    size_t cur_endp;
+
+    /* Peer index */
+    stream_putw(obuf, info->peer->table_dump_index);
+
+    /* Originated */
+#ifdef HAVE_CLOCK_MONOTONIC
+          stream_putl (obuf, time(NULL) - (bgp_clock() - info->uptime));
+#else
+    stream_putl (obuf, info->uptime);
+#endif /* HAVE_CLOCK_MONOTONIC */
+
+    /* Dump attribute. */
+    /* Skip prefix & AFI/SAFI for MP_NLRI */
+    bgp_dump_routes_attr (obuf, info->attr, &rn->p);
+
+    cur_endp = stream_get_endp(obuf);
+    if (cur_endp > BGP_MAX_PACKET_SIZE + BGP_DUMP_MSG_HEADER
+                   + BGP_DUMP_HEADER_SIZE)
+    {
+      stream_set_endp(obuf, endp);
+      break;
+    }
+
+    entry_count++;
+    endp = cur_endp;
+  }
+
+  /* Overwrite the entry count, now that we know the right number */
+  stream_putw_at (obuf, sizep, entry_count);
+
+  bgp_dump_set_size(obuf, MSG_TABLE_DUMP_V2);
+  fwrite (STREAM_DATA (obuf), stream_get_endp (obuf), 1, bgp_dump_routes.fp);
+
+  return info;
+}
+
+
 /* Runs under child process. */
 static unsigned int
 bgp_dump_routes_func (int afi, int first_run, unsigned int seq)
 {
-  struct stream *obuf;
   struct bgp_info *info;
   struct bgp_node *rn;
   struct bgp *bgp;
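Review bot: The size check after bgp_dump_routes_attr() can return without making progress: when the first entry at a node (entry_count still 0) already pushes cur_endp past the limit, the loop rolls endp back, breaks, and returns the very `info` it was handed, so the caller's `while (info)` in bgp_dump_routes_func re-enters with identical arguments and emits empty records indefinitely. Whether one attribute set can exceed BGP_MAX_PACKET_SIZE is not decidable from this hunk, but the buffer in bgp_dump_init is deliberately sized for one oversized entry, so keeping that entry and advancing is safe and guarantees termination (assuming the stream_put* helpers refuse writes past the buffer, the worst case becomes a truncated record rather than a spin). The `fwrite` result is also still unchecked, so a short write to the dump file goes unnoticed; at minimum compare it against 1 and log, as the routes file is the only output of this child process. The helper itself has no header comment; it should state that it returns the first entry not yet written (NULL when the node is exhausted) and that a node may therefore span several records.
```c
    cur_endp = stream_get_endp(obuf);
    if (cur_endp > BGP_MAX_PACKET_SIZE + BGP_DUMP_MSG_HEADER
                   + BGP_DUMP_HEADER_SIZE)
    {
      if (entry_count == 0)
      {
        /* Even a single entry overshoots: keep it (bgp_dump_obuf holds one
         * oversized entry) so the caller always advances past it. */
        entry_count = 1;
        endp = cur_endp;
        info = info->next;
      }
      else
        stream_set_endp(obuf, endp);
      break;
    }
    /* … unchanged: entry_count++; endp = cur_endp; … */
```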
@@ -320,81 +405,17 @@ bgp_dump_routes_func (int afi, int first
   if(first_run)
     bgp_dump_routes_index_table(bgp);
 
-  obuf = bgp_dump_obuf;
-  stream_reset(obuf);
-
   /* Walk down each BGP route. */
   table = bgp->rib[afi][SAFI_UNICAST];
 
   for (rn = bgp_table_top (table); rn; rn = bgp_route_next (rn))
     {
-      if(!rn->info)
-        continue;
-
-      stream_reset(obuf);
-
-      /* MRT header */
-      if (afi == AFI_IP)
-       bgp_dump_header (obuf, MSG_TABLE_DUMP_V2, 
TABLE_DUMP_V2_RIB_IPV4_UNICAST,
-                        BGP_DUMP_ROUTES);
-      else if (afi == AFI_IP6)
-       bgp_dump_header (obuf, MSG_TABLE_DUMP_V2, 
TABLE_DUMP_V2_RIB_IPV6_UNICAST,
-                        BGP_DUMP_ROUTES);
-
-      /* Sequence number */
-      stream_putl(obuf, seq);
-
-      /* Prefix length */
-      stream_putc (obuf, rn->p.prefixlen);
-
-      /* Prefix */
-      if (afi == AFI_IP)
-        {
-          /* We'll dump only the useful bits (those not 0), but have to align 
on 8 bits */
-          stream_write(obuf, (u_char *)&rn->p.u.prefix4, 
(rn->p.prefixlen+7)/8);
-        }
-      else if (afi == AFI_IP6)
-        {
-          /* We'll dump only the useful bits (those not 0), but have to align 
on 8 bits */
-          stream_write (obuf, (u_char *)&rn->p.u.prefix6, 
(rn->p.prefixlen+7)/8);
-        }
-
-      /* Save where we are now, so we can overwride the entry count later */
-      int sizep = stream_get_endp(obuf);
-
-      /* Entry count */
-      uint16_t entry_count = 0;
-
-      /* Entry count, note that this is overwritten later */
-      stream_putw(obuf, 0);
-
-      for (info = rn->info; info; info = info->next)
-        {
-          entry_count++;
-
-          /* Peer index */
-          stream_putw(obuf, info->peer->table_dump_index);
-
-          /* Originated */
-#ifdef HAVE_CLOCK_MONOTONIC
-          stream_putl (obuf, time(NULL) - (bgp_clock() - info->uptime));
-#else
-          stream_putl (obuf, info->uptime);
-#endif /* HAVE_CLOCK_MONOTONIC */
-
-          /* Dump attribute. */
-          /* Skip prefix & AFI/SAFI for MP_NLRI */
-          bgp_dump_routes_attr (obuf, info->attr, &rn->p);
-        }
-
-      /* Overwrite the entry count, now that we know the right number */
-      stream_putw_at (obuf, sizep, entry_count);
-
-      seq++;
-
-      bgp_dump_set_size(obuf, MSG_TABLE_DUMP_V2);
-      fwrite (STREAM_DATA (obuf), stream_get_endp (obuf), 1, 
bgp_dump_routes.fp);
-
+      info = rn->info;
+      while (info)
+      {
+        info = bgp_dump_route_node_record(afi, rn, info, seq);
+        seq++;
+      }
     }
 
   fflush (bgp_dump_routes.fp);
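Review bot: The rewritten walk changes the dump's record layout without saying so: the removed code wrote exactly one TABLE_DUMP_V2 record per node, while the new `while (info)` loop emits as many records as bgp_dump_route_node_record() needs, each consuming its own `seq`. A comment on the loop would stop the next reader from assuming a one-to-one node/record mapping: `/* A node whose entries exceed one MRT message is split across several records; each record gets its own sequence number. */`. Termination of this loop also rests entirely on the helper returning a pointer strictly past the entries it consumed, which is not stated anywhere; a one-line note here, or in the helper's header, would make that contract explicit. bgp_dump_routes_func starts and ends outside the hunk.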
@@ -841,8 +862,8 @@ bgp_dump_init (void)
   memset (&bgp_dump_updates, 0, sizeof (struct bgp_dump));
   memset (&bgp_dump_routes, 0, sizeof (struct bgp_dump));
 
-  bgp_dump_obuf = stream_new (BGP_MAX_PACKET_SIZE + BGP_DUMP_MSG_HEADER
-                              + BGP_DUMP_HEADER_SIZE);
+  bgp_dump_obuf = stream_new ((BGP_MAX_PACKET_SIZE << 1)
+                              + BGP_DUMP_MSG_HEADER + BGP_DUMP_HEADER_SIZE);
 
   install_node (&bgp_dump_node, config_write_bgp_dump);
 

