summaryrefslogtreecommitdiffstats
path: root/bgpd
diff options
context:
space:
mode:
authorDavid Lamparter <equinox@opensourcerouting.org>2013-01-23 05:50:24 +0100
committerDavid Lamparter <equinox@opensourcerouting.org>2013-02-01 17:55:04 +0100
commit5e728e929942d39ce5a4ab3d01c33f7b688c4e3f (patch)
tree6f2b2413fc182b75b589fdb340c813d7da944771 /bgpd
parentbgpd: don't try to reconcile AS4_PATH with NULL (diff)
downloadfrr-5e728e929942d39ce5a4ab3d01c33f7b688c4e3f.tar.xz
frr-5e728e929942d39ce5a4ab3d01c33f7b688c4e3f.zip
bgpd: relax ORF capability length handling
commit fe9bb64... "bgpd: CVE-2012-1820, DoS in bgp_capability_orf()" made the length test in bgp_capability_orf_entry() stricter and is now causing us to refuse (with CEASE) ORF capabilites carrying any excess data. This does not conform to the robustness principle as laid out by RFC1122 ("be liberal in what you accept"). Even worse, RFC5291 is quite unclear on how to use the ORF capability with multiple AFI/SAFIs. It can be interpreted as either "use one instance, stuff everything in" but also as "use multiple instances". So, if not for applying robustness, we end up clearing sessions from implementations going by the former interpretation. (or if anyone dares add a byte of padding...) Cc: Denis Ovsienko <infrastation@yandex.ru> Signed-off-by: David Lamparter <equinox@opensourcerouting.org>
Diffstat (limited to 'bgpd')
-rw-r--r--bgpd/bgp_open.c2
1 files changed, 1 insertions, 1 deletions
diff --git a/bgpd/bgp_open.c b/bgpd/bgp_open.c
index af711cc8c..7bf350165 100644
--- a/bgpd/bgp_open.c
+++ b/bgpd/bgp_open.c
@@ -230,7 +230,7 @@ bgp_capability_orf_entry (struct peer *peer, struct capability_header *hdr)
}
/* validate number field */
- if (sizeof (struct capability_orf_entry) + (entry.num * 2) != hdr->length)
+ if (sizeof (struct capability_orf_entry) + (entry.num * 2) > hdr->length)
{
zlog_info ("%s ORF Capability entry length error,"
" Cap length %u, num %u",