File quagga-CVE-2016-4049-fix-buf-ovflow-bgp-dump-routes.patch of Package quagga.3363

Index: quagga-0.99.22.1/bgpd/bgp_dump.c
===================================================================
--- quagga-0.99.22.1.orig/bgpd/bgp_dump.c
+++ quagga-0.99.22.1/bgpd/bgp_dump.c
@@ -271,110 +271,130 @@ bgp_dump_routes_index_table(struct bgp *
 }
 
 
-/* Runs under child process. */
-static unsigned int
-bgp_dump_routes_func (int afi, int first_run, unsigned int seq)
+static struct bgp_info *
+bgp_dump_route_node_record (int afi, struct bgp_node *rn, struct bgp_info *info, unsigned int seq)
 {
   struct stream *obuf;
-  struct bgp_info *info;
-  struct bgp_node *rn;
-  struct bgp *bgp;
-  struct bgp_table *table;
-
-  bgp = bgp_get_default ();
-  if (!bgp)
-    return seq;
-
-  if (bgp_dump_routes.fp == NULL)
-    return seq;
-
-  /* Note that bgp_dump_routes_index_table will do ipv4 and ipv6 peers,
-     so this should only be done on the first call to bgp_dump_routes_func.
-     ( this function will be called once for ipv4 and once for ipv6 ) */
-  if(first_run)
-    bgp_dump_routes_index_table(bgp);
+  size_t sizep;
+  size_t endp;
 
   obuf = bgp_dump_obuf;
   stream_reset(obuf);
 
-  /* Walk down each BGP route. */
-  table = bgp->rib[afi][SAFI_UNICAST];
-
-  for (rn = bgp_table_top (table); rn; rn = bgp_route_next (rn))
+  /* MRT header */
+  if (afi == AFI_IP)
     {
-      if(!rn->info)
-        continue;
-
-      stream_reset(obuf);
-
-      /* MRT header */
-      if (afi == AFI_IP)
-        {
-          bgp_dump_header (obuf, MSG_TABLE_DUMP_V2, TABLE_DUMP_V2_RIB_IPV4_UNICAST);
-        }
+      bgp_dump_header (obuf, MSG_TABLE_DUMP_V2, TABLE_DUMP_V2_RIB_IPV4_UNICAST);
+    }
 #ifdef HAVE_IPV6
-      else if (afi == AFI_IP6)
-        {
-          bgp_dump_header (obuf, MSG_TABLE_DUMP_V2, TABLE_DUMP_V2_RIB_IPV6_UNICAST);
-        }
+  else if (afi == AFI_IP6)
+    {
+      bgp_dump_header (obuf, MSG_TABLE_DUMP_V2, TABLE_DUMP_V2_RIB_IPV6_UNICAST);
+    }
 #endif /* HAVE_IPV6 */
+  /* Sequence number */
+  stream_putl(obuf, seq);
 
-      /* Sequence number */
-      stream_putl(obuf, seq);
-
-      /* Prefix length */
-      stream_putc (obuf, rn->p.prefixlen);
+  /* Prefix length */
+  stream_putc (obuf, rn->p.prefixlen);
 
-      /* Prefix */
-      if (afi == AFI_IP)
-        {
-          /* We'll dump only the useful bits (those not 0), but have to align on 8 bits */
-          stream_write(obuf, (u_char *)&rn->p.u.prefix4, (rn->p.prefixlen+7)/8);
-        }
+  /* Prefix */
+  if (afi == AFI_IP)
+  {
+    /* We'll dump only the useful bits (those not 0), but have to align on 8 bits */
+    stream_write(obuf, (u_char *)&rn->p.u.prefix4, (rn->p.prefixlen+7)/8);
+  }
 #ifdef HAVE_IPV6
-      else if (afi == AFI_IP6)
-        {
-          /* We'll dump only the useful bits (those not 0), but have to align on 8 bits */
-          stream_write (obuf, (u_char *)&rn->p.u.prefix6, (rn->p.prefixlen+7)/8);
-        }
+  else if (afi == AFI_IP6)
+  {
+    /* We'll dump only the useful bits (those not 0), but have to align on 8 bits */
+    stream_write (obuf, (u_char *)&rn->p.u.prefix6, (rn->p.prefixlen+7)/8);
+  }
 #endif /* HAVE_IPV6 */
 
-      /* Save where we are now, so we can overwride the entry count later */
-      int sizep = stream_get_endp(obuf);
+  /* Save where we are now, so we can overwride the entry count later */
+  sizep = stream_get_endp(obuf);
 
-      /* Entry count */
-      uint16_t entry_count = 0;
+  /* Entry count */
+  uint16_t entry_count = 0;
 
-      /* Entry count, note that this is overwritten later */
-      stream_putw(obuf, 0);
+  /* Entry count, note that this is overwritten later */
+  stream_putw(obuf, 0);
 
-      for (info = rn->info; info; info = info->next)
-        {
-          entry_count++;
+  endp = stream_get_endp(obuf);
+  for (; info; info = info->next)
+  {
+    size_t cur_endp;
 
-          /* Peer index */
-          stream_putw(obuf, info->peer->table_dump_index);
+    /* Peer index */
+    stream_putw(obuf, info->peer->table_dump_index);
 
-          /* Originated */
+    /* Originated */
 #ifdef HAVE_CLOCK_MONOTONIC
           stream_putl (obuf, time(NULL) - (bgp_clock() - info->uptime));
 #else
-          stream_putl (obuf, info->uptime);
+    stream_putl (obuf, info->uptime);
 #endif /* HAVE_CLOCK_MONOTONIC */
 
-          /* Dump attribute. */
-          /* Skip prefix & AFI/SAFI for MP_NLRI */
-          bgp_dump_routes_attr (obuf, info->attr, &rn->p);
-        }
+    /* Dump attribute. */
+    /* Skip prefix & AFI/SAFI for MP_NLRI */
+    bgp_dump_routes_attr (obuf, info->attr, &rn->p);
 
-      /* Overwrite the entry count, now that we know the right number */
-      stream_putw_at (obuf, sizep, entry_count);
+    cur_endp = stream_get_endp(obuf);
+    if (cur_endp > BGP_MAX_PACKET_SIZE + BGP_DUMP_MSG_HEADER
+                   + BGP_DUMP_HEADER_SIZE)
+    {
+      stream_set_endp(obuf, endp);
+      break;
+    }
 
-      seq++;
+    entry_count++;
+    endp = cur_endp;
+  }
 
-      bgp_dump_set_size(obuf, MSG_TABLE_DUMP_V2);
-      fwrite (STREAM_DATA (obuf), stream_get_endp (obuf), 1, bgp_dump_routes.fp);
+  /* Overwrite the entry count, now that we know the right number */
+  stream_putw_at (obuf, sizep, entry_count);
 
+  bgp_dump_set_size(obuf, MSG_TABLE_DUMP_V2);
+  fwrite (STREAM_DATA (obuf), stream_get_endp (obuf), 1, bgp_dump_routes.fp);
+
+  return info;
+}
+
+
+/* Runs under child process. */
+static unsigned int
+bgp_dump_routes_func (int afi, int first_run, unsigned int seq)
+{
+  struct bgp_info *info;
+  struct bgp_node *rn;
+  struct bgp *bgp;
+  struct bgp_table *table;
+
+  bgp = bgp_get_default ();
+  if (!bgp)
+    return seq;
+
+  if (bgp_dump_routes.fp == NULL)
+    return seq;
+
+  /* Note that bgp_dump_routes_index_table will do ipv4 and ipv6 peers,
+     so this should only be done on the first call to bgp_dump_routes_func.
+     ( this function will be called once for ipv4 and once for ipv6 ) */
+  if(first_run)
+    bgp_dump_routes_index_table(bgp);
+
+  /* Walk down each BGP route. */
+  table = bgp->rib[afi][SAFI_UNICAST];
+
+  for (rn = bgp_table_top (table); rn; rn = bgp_route_next (rn))
+    {
+      info = rn->info;
+      while (info)
+      {
+        info = bgp_dump_route_node_record(afi, rn, info, seq);
+        seq++;
+      }
     }
 
   fflush (bgp_dump_routes.fp);
@@ -854,8 +874,8 @@ bgp_dump_init (void)
   memset (&bgp_dump_updates, 0, sizeof (struct bgp_dump));
   memset (&bgp_dump_routes, 0, sizeof (struct bgp_dump));
 
-  bgp_dump_obuf = stream_new (BGP_MAX_PACKET_SIZE + BGP_DUMP_MSG_HEADER
-                              + BGP_DUMP_HEADER_SIZE);
+  bgp_dump_obuf = stream_new ((BGP_MAX_PACKET_SIZE << 1)
+                              + BGP_DUMP_MSG_HEADER + BGP_DUMP_HEADER_SIZE);
 
   install_node (&bgp_dump_node, config_write_bgp_dump);
 
openSUSE Build Service is sponsored by