$OpenBSD: patch-bgpd_bgp_open_c,v 1.3 2012/12/08 18:42:43 brad Exp $

DoS in bgp_capability_orf(). CVE-2012-1820

--- bgpd/bgp_open.c.orig	Sat Dec  8 03:33:55 2012
+++ bgpd/bgp_open.c	Sat Dec  8 03:35:17 2012
@@ -232,7 +232,7 @@ bgp_capability_orf_entry (struct peer *peer, struct ca
     }
   
   /* validate number field */
-  if (sizeof (struct capability_orf_entry) + (entry.num * 2) > hdr->length)
+  if (sizeof (struct capability_orf_entry) + (entry.num * 2) != hdr->length)
     {
       zlog_info ("%s ORF Capability entry length error,"
                  " Cap length %u, num %u",
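Review bot: The exact-length comparison on the `!=` line is not explained at the point where it applies: it now rejects a capability that carries more than one ORF entry or any trailing bytes, and the only record of that intent is the caller change further down this patch. A comment above the test, such as `/* one ORF entry per capability: the entry must fill the capability exactly */`, would make the rejection of extra data read as deliberate rather than as a leftover from the old `>` check. The arithmetic depends on the types of `entry.num` and `hdr->length`, which are declared outside the hunk; with byte-sized fields the multiplication cannot overflow, but that is worth confirming against the struct definitions. bgp_capability_orf_entry starts before and ends after this hunk.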
@@ -336,28 +336,6 @@ bgp_capability_orf_entry (struct peer *peer, struct ca
 }
 
 static int
-bgp_capability_orf (struct peer *peer, struct capability_header *hdr)
-{
-  struct stream *s = BGP_INPUT (peer);
-  size_t end = stream_get_getp (s) + hdr->length;
-  
-  assert (stream_get_getp(s) + sizeof(struct capability_orf_entry) <= end);
-  
-  /* We must have at least one ORF entry, as the caller has already done
-   * minimum length validation for the capability code - for ORF there must
-   * at least one ORF entry (header and unknown number of pairs of bytes).
-   */
-  do
-    {
-      if (bgp_capability_orf_entry (peer, hdr) == -1)
-        return -1;
-    } 
-  while (stream_get_getp(s) + sizeof(struct capability_orf_entry) < end);
-  
-  return 0;
-}
-
-static int
 bgp_capability_restart (struct peer *peer, struct capability_header *caphdr)
 {
   struct stream *s = BGP_INPUT (peer);
@@ -575,7 +553,7 @@ bgp_capability_parse (struct peer *peer, size_t length
             break;
           case CAPABILITY_CODE_ORF:
           case CAPABILITY_CODE_ORF_OLD:
-            if (bgp_capability_orf (peer, &caphdr))
+            if (bgp_capability_orf_entry (peer, &caphdr))
               return -1;
             break;
           case CAPABILITY_CODE_RESTART:
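Review bot: Calling bgp_capability_orf_entry directly drops the assertion the removed wrapper made that at least sizeof(struct capability_orf_entry) bytes remain before the entry is read, so the ORF case now relies entirely on the minimum-length check for this capability code performed earlier in bgp_capability_parse, which is outside this hunk. If that check is still in place the call is safe; if not, a short ORF capability would be read before the `!=` length test in the entry parser ever runs. A comment at the call site, `/* ORF: one entry per capability; minimum length for this code is checked above */`, would record the dependency so a later change to the length validation does not silently reopen the issue. bgp_capability_parse starts and ends outside the hunk.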
