)]}'
{
  "commit": "fe9bb6459afe0d55e56619cdc5061d8407cd1f15",
  "tree": "0de65deb7260c93592625348219f8933efbc1d04",
  "parents": [
    "d1d3ac9bad0caf7a9c465bb382b924009f0d9168"
  ],
  "author": {
    "name": "Denis Ovsienko",
    "email": "infrastation@yandex.ru",
    "time": "Thu Apr 19 20:34:13 2012 +0400"
  },
  "committer": {
    "name": "David Lamparter",
    "email": "equinox@opensourcerouting.org",
    "time": "Thu Nov 01 23:07:15 2012 -0700"
  },
  "message": "bgpd: CVE-2012-1820, DoS in bgp_capability_orf()\n\nAn ORF (code 3) capability TLV is defined to contain exactly one\nAFI/SAFI block. Function bgp_capability_orf(), which parses ORF\ncapability TLV, uses a do-while cycle to call its helper function\nbgp_capability_orf_entry(), which actually processes the AFI/SAFI data\nblock. The call is made at least once and repeated as long as the input\nbuffer has enough data for the next call.\n\nThe helper function, bgp_capability_orf_entry(), uses the \"Number of ORFs\"\nfield of the provided AFI/SAFI block to verify if it fits the input\nbuffer. However, the check is made based on the total length of the ORF\nTLV regardless of the data already consumed by the previous helper\nfunction call(s). This way, the check condition is only valid for the\nfirst AFI/SAFI block inside an ORF capability TLV.\n\nFor the subsequent calls of the helper function, if any are made, the\ncheck condition may erroneously tell that the current \"Number of ORFs\"\nfield fits the buffer boundary, where in fact it does not. This makes it\npossible to trigger an assertion by feeding an OPEN message with a\nspecially-crafted malformed ORF capability TLV.\n\nThis commit fixes the vulnerability by making the implementation follow\nthe spec.\n",
  "tree_diff": [
    {
      "type": "modify",
      "old_id": "d045dde542f63835b874e518d8a810e681b0d085",
      "old_mode": 33188,
      "old_path": "bgpd/bgp_open.c",
      "new_id": "af711cc8ceba87bea72958983bca69b7b138767f",
      "new_mode": 33188,
      "new_path": "bgpd/bgp_open.c"
    }
  ]
}
