UPDATE: net/quagga-1.2.3


UPDATE: net/quagga-1.2.3

Gleydson Soares-3
Here's an update for quagga-1.2.3. this release includes security fixes.

https://www.quagga.net/security/Quagga-2018-0543.txt
https://www.quagga.net/security/Quagga-2018-1114.txt
https://www.quagga.net/security/Quagga-2018-1550.txt
https://www.quagga.net/security/Quagga-2018-1975.txt

full changelog at:
https://savannah.nongnu.org/forum/forum.php?forum_id=9095

OK?


Index: Makefile
===================================================================
RCS file: /cvs/ports/net/quagga/Makefile,v
retrieving revision 1.56
diff -u -p -r1.56 Makefile
--- Makefile 11 Jan 2018 19:27:07 -0000 1.56
+++ Makefile 16 Feb 2018 20:39:11 -0000
@@ -2,8 +2,7 @@
 
 COMMENT= multi-threaded routing daemon
 
-DISTNAME= quagga-1.2.2
-REVISION= 1
+DISTNAME= quagga-1.2.3
 CATEGORIES= net
 MASTER_SITES= http://download.savannah.gnu.org/releases/quagga/
 
Index: distinfo
===================================================================
RCS file: /cvs/ports/net/quagga/distinfo,v
retrieving revision 1.22
diff -u -p -r1.22 distinfo
--- distinfo 3 Nov 2017 14:28:43 -0000 1.22
+++ distinfo 16 Feb 2018 20:39:11 -0000
@@ -1,2 +1,2 @@
-SHA256 (quagga-1.2.2.tar.gz) = Ui4i8r7uZOPwws3j0BVfO4ED9Pb8ir75LLQLw6TMKTE=
-SIZE (quagga-1.2.2.tar.gz) = 2986142
+SHA256 (quagga-1.2.3.tar.gz) = 7iwJB6EGkCq73K9jtPKMZyQcTzOWmJ7VTae0l27srTE=
+SIZE (quagga-1.2.3.tar.gz) = 2925444
Index: patches/patch-configure_ac
===================================================================
RCS file: /cvs/ports/net/quagga/patches/patch-configure_ac,v
retrieving revision 1.6
diff -u -p -r1.6 patch-configure_ac
--- patches/patch-configure_ac 3 Nov 2017 14:28:43 -0000 1.6
+++ patches/patch-configure_ac 16 Feb 2018 20:39:11 -0000
@@ -6,7 +6,7 @@ ip_mreq.imr_interface.
 Index: configure.ac
 --- configure.ac.orig
 +++ configure.ac
-@@ -1053,7 +1053,7 @@ AC_CHECK_HEADERS([linux/mroute.h], [], [],
+@@ -1054,7 +1054,7 @@ AC_CHECK_HEADERS([linux/mroute.h], [], [],
  AC_MSG_CHECKING([for BSD struct ip_mreq hack])
  AC_TRY_COMPILE([#ifdef HAVE_SYS_PARAM_H
  #include <sys/param.h>

Re: UPDATE: net/quagga-1.2.3

Stuart Henderson
On 2018/02/16 17:48, Gleydson Soares wrote:
> Here's an update for quagga-1.2.3. this release includes security fixes.

yep, one of these is particularly nasty: use-after-free in a transitive
BGP attribute. this is one of those "one update message can kill all
quaggas on the internet" bugs.

> OK?

please remove termcap from WANTLIB, then ok with me.

reminder to readers: I am still looking for positive or negative
reports about OSPF and RIP following simplification of the diff
to multicast that went in with the previous update.


Re: UPDATE: net/quagga-1.2.3

Gleydson Soares-3
> yep, one of these is particularly nasty: use-after-free in a transitive
> BGP attribute. this is one of those "one update message can kill all
> quaggas on the internet" bugs.

i've backported the security patches to -stable

potentially severe:
"bgpd/security: Fix double free of unknown attribute"
https://www.quagga.net/security/Quagga-2018-1114.txt

also fixes:
https://www.quagga.net/security/Quagga-2018-1550.txt
https://www.quagga.net/security/Quagga-2018-1975.txt 

the following is not needed for -stable, only affects >1.1.x
https://www.quagga.net/security/Quagga-2018-0543.txt

OK?

Index: Makefile
===================================================================
RCS file: /cvs/ports/net/quagga/Makefile,v
retrieving revision 1.52
diff -u -p -r1.52 Makefile
--- Makefile 27 Jun 2016 19:55:48 -0000 1.52
+++ Makefile 16 Feb 2018 22:07:00 -0000
@@ -3,7 +3,7 @@
 COMMENT= multi-threaded routing daemon
 
 DISTNAME= quagga-1.0.20160315
-REVISION= 1
+REVISION= 2
 CATEGORIES= net
 MASTER_SITES= http://download.savannah.gnu.org/releases/quagga/
 EXTRACT_SUFX= .tar.xz
Index: patches/patch-bgpd_bgp_attr_c
===================================================================
RCS file: patches/patch-bgpd_bgp_attr_c
diff -N patches/patch-bgpd_bgp_attr_c
--- /dev/null 1 Jan 1970 00:00:00 -0000
+++ patches/patch-bgpd_bgp_attr_c 16 Feb 2018 22:07:00 -0000
@@ -0,0 +1,71 @@
+$OpenBSD$
+
+Security issue: Quagga-2018-1114
+See: https://www.quagga.net/security/Quagga-2018-1114.txt
+
+Index: bgpd/bgp_attr.c
+--- bgpd/bgp_attr.c.orig
++++ bgpd/bgp_attr.c
+@@ -186,15 +186,17 @@ cluster_intern (struct cluster_list *cluster)
+ }
+
+ void
+-cluster_unintern (struct cluster_list *cluster)
++cluster_unintern (struct cluster_list **cluster)
+ {
+-  if (cluster->refcnt)
+-    cluster->refcnt--;
++  struct cluster_list *c = *cluster;
++  if (c->refcnt)
++    c->refcnt--;
+
+-  if (cluster->refcnt == 0)
++  if (c->refcnt == 0)
+     {
+-      hash_release (cluster_hash, cluster);
+-      cluster_free (cluster);
++      hash_release (cluster_hash, c);
++      cluster_free (c);
++      *cluster = NULL;
+     }
+ }
+
+@@ -344,15 +346,18 @@ transit_intern (struct transit *transit)
+ }
+
+ void
+-transit_unintern (struct transit *transit)
++transit_unintern (struct transit **transit)
+ {
+-  if (transit->refcnt)
+-    transit->refcnt--;
++  struct transit *t = *transit;
++  
++  if (t->refcnt)
++    t->refcnt--;
+
+-  if (transit->refcnt == 0)
++  if (t->refcnt == 0)
+     {
+-      hash_release (transit_hash, transit);
+-      transit_free (transit);
++      hash_release (transit_hash, t);
++      transit_free (t);
++      *transit = NULL;
+     }
+ }
+
+@@ -788,11 +793,11 @@ bgp_attr_unintern_sub (struct attr *attr)
+       UNSET_FLAG(attr->flag, ATTR_FLAG_BIT (BGP_ATTR_EXT_COMMUNITIES));
+      
+       if (attr->extra->cluster)
+-        cluster_unintern (attr->extra->cluster);
++        cluster_unintern (&attr->extra->cluster);
+       UNSET_FLAG(attr->flag, ATTR_FLAG_BIT (BGP_ATTR_CLUSTER_LIST));
+      
+       if (attr->extra->transit)
+-        transit_unintern (attr->extra->transit);
++        transit_unintern (&attr->extra->transit);
+     }
+ }
+
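Review bot: `cluster_unintern` and `transit_unintern` now read `*cluster` / `*transit` and then `c->refcnt` / `t->refcnt` with no NULL check, so once the fix has cleared the caller's field, a second call through an unguarded path faults instead of double-freeing. The two call sites visible in `bgp_attr_unintern_sub` are guarded by `if (attr->extra->cluster)` and `if (attr->extra->transit)`, but any other caller in this older tree is outside the patch and should be checked. An early return at the top of each helper, `if (cluster == NULL || *cluster == NULL) return;` (and the same for `transit`, with the local initialised after it), would make them safe to call twice. A short comment on each function stating that the caller's pointer is cleared only when the last reference is dropped would document the new contract.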
Index: patches/patch-bgpd_bgp_attr_h
===================================================================
RCS file: patches/patch-bgpd_bgp_attr_h
diff -N patches/patch-bgpd_bgp_attr_h
--- /dev/null 1 Jan 1970 00:00:00 -0000
+++ patches/patch-bgpd_bgp_attr_h 16 Feb 2018 22:07:00 -0000
@@ -0,0 +1,21 @@
+$OpenBSD$
+
+Security issue: Quagga-2018-1114
+See: https://www.quagga.net/security/Quagga-2018-1114.txt
+
+Index: bgpd/bgp_attr.h
+--- bgpd/bgp_attr.h.orig
++++ bgpd/bgp_attr.h
+@@ -182,10 +182,10 @@ extern unsigned long int attr_unknown_count (void);
+
+ /* Cluster list prototypes. */
+ extern int cluster_loop_check (struct cluster_list *, struct in_addr);
+-extern void cluster_unintern (struct cluster_list *);
++extern void cluster_unintern (struct cluster_list **);
+
+ /* Transit attribute prototypes. */
+-void transit_unintern (struct transit *);
++void transit_unintern (struct transit **);
+
+ /* Below exported for unit-test purposes only */
+ struct bgp_attr_parser_args {
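Review bot: The prototypes change only the pointer level (`struct cluster_list *` to `struct cluster_list **`, `struct transit *` to `struct transit **`), which many C compilers report as an incompatible-pointer warning rather than an error, so a caller that was not converted would still build and then treat the object itself as a pointer slot. Only the two call sites in `bgp_attr_unintern_sub` are updated in this backport, so the 1.0.20160315 tree should be searched for other users and the build log checked for that warning. The declarations would also benefit from a one-line comment, e.g. `/* Drops one reference; frees the object and sets *transit to NULL when the count reaches zero. */`.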
Index: patches/patch-bgpd_bgp_debug_c
===================================================================
RCS file: patches/patch-bgpd_bgp_debug_c
diff -N patches/patch-bgpd_bgp_debug_c
--- /dev/null 1 Jan 1970 00:00:00 -0000
+++ patches/patch-bgpd_bgp_debug_c 16 Feb 2018 22:07:00 -0000
@@ -0,0 +1,91 @@
+$OpenBSD$
+
+Security issue: Quagga-2018-1550
+See: https://www.quagga.net/security/Quagga-2018-1550.txt
+
+Index: bgpd/bgp_debug.c
+--- bgpd/bgp_debug.c.orig
++++ bgpd/bgp_debug.c
+@@ -29,6 +29,7 @@ Software Foundation, Inc., 59 Temple Place - Suite 330
+ #include "log.h"
+ #include "sockunion.h"
+ #include "filter.h"
++#include "memory.h"
+
+ #include "bgpd/bgpd.h"
+ #include "bgpd/bgp_aspath.h"
+@@ -69,7 +70,8 @@ const struct message bgp_status_msg[] =
+   { Clearing,    "Clearing"    },
+   { Deleted,     "Deleted"     },
+ };
+-const int bgp_status_msg_max = BGP_STATUS_MAX;
++#define BGP_DEBUG_MSG_MAX(msg) const int msg ## _max = array_size (msg)
++BGP_DEBUG_MSG_MAX (bgp_status_msg);
+
+ /* BGP message type string. */
+ const char *bgp_type_str[] =
+@@ -80,7 +82,8 @@ const char *bgp_type_str[] =
+   "NOTIFICATION",
+   "KEEPALIVE",
+   "ROUTE-REFRESH",
+-  "CAPABILITY"
++  "CAPABILITY",
++  NULL,
+ };
+
+ /* message for BGP-4 Notify */
+@@ -94,15 +97,15 @@ static const struct message bgp_notify_msg[] =
+   { BGP_NOTIFY_CEASE, "Cease"},
+   { BGP_NOTIFY_CAPABILITY_ERR, "CAPABILITY Message Error"},
+ };
+-static const int bgp_notify_msg_max = BGP_NOTIFY_MAX;
++BGP_DEBUG_MSG_MAX (bgp_notify_msg);
+
+ static const struct message bgp_notify_head_msg[] =
+ {
+   { BGP_NOTIFY_HEADER_NOT_SYNC, "/Connection Not Synchronized"},
+   { BGP_NOTIFY_HEADER_BAD_MESLEN, "/Bad Message Length"},
+-  { BGP_NOTIFY_HEADER_BAD_MESTYPE, "/Bad Message Type"}
++  { BGP_NOTIFY_HEADER_BAD_MESTYPE, "/Bad Message Type"},
+ };
+-static const int bgp_notify_head_msg_max = BGP_NOTIFY_HEADER_MAX;
++BGP_DEBUG_MSG_MAX (bgp_notify_head_msg);
+
+ static const struct message bgp_notify_open_msg[] =
+ {
+@@ -115,7 +118,7 @@ static const struct message bgp_notify_open_msg[] =
+   { BGP_NOTIFY_OPEN_UNACEP_HOLDTIME, "/Unacceptable Hold Time"},
+   { BGP_NOTIFY_OPEN_UNSUP_CAPBL, "/Unsupported Capability"},
+ };
+-static const int bgp_notify_open_msg_max = BGP_NOTIFY_OPEN_MAX;
++BGP_DEBUG_MSG_MAX (bgp_notify_open_msg);
+
+ static const struct message bgp_notify_update_msg[] =
+ {
+@@ -132,7 +135,7 @@ static const struct message bgp_notify_update_msg[] =
+   { BGP_NOTIFY_UPDATE_INVAL_NETWORK, "/Invalid Network Field"},
+   { BGP_NOTIFY_UPDATE_MAL_AS_PATH, "/Malformed AS_PATH"},
+ };
+-static const int bgp_notify_update_msg_max = BGP_NOTIFY_UPDATE_MAX;
++BGP_DEBUG_MSG_MAX (bgp_notify_update_msg);
+
+ static const struct message bgp_notify_cease_msg[] =
+ {
+@@ -146,7 +149,7 @@ static const struct message bgp_notify_cease_msg[] =
+   { BGP_NOTIFY_CEASE_COLLISION_RESOLUTION, "/Connection collision resolution"},
+   { BGP_NOTIFY_CEASE_OUT_OF_RESOURCE, "/Out of Resource"},
+ };
+-static const int bgp_notify_cease_msg_max = BGP_NOTIFY_CEASE_MAX;
++BGP_DEBUG_MSG_MAX (bgp_notify_cease_msg);
+
+ static const struct message bgp_notify_capability_msg[] =
+ {
+@@ -155,7 +158,7 @@ static const struct message bgp_notify_capability_msg[
+   { BGP_NOTIFY_CAPABILITY_INVALID_LENGTH, "/Invalid Capability Length"},
+   { BGP_NOTIFY_CAPABILITY_MALFORMED_CODE, "/Malformed Capability Value"},
+ };
+-static const int bgp_notify_capability_msg_max = BGP_NOTIFY_CAPABILITY_MAX;
++BGP_DEBUG_MSG_MAX (bgp_notify_capability_msg);
+
+ /* Origin strings. */
+ const char *bgp_origin_str[] = {"i","e","?"};
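Review bot: `BGP_DEBUG_MSG_MAX` expands to `const int msg ## _max = array_size (msg)` with no storage class, so the six `bgp_notify_*_msg_max` counters that were `static const int` before this patch now have external linkage. Because the macro is a plain declaration, the file-local tables can keep their linkage by writing `static BGP_DEBUG_MSG_MAX (bgp_notify_msg);` at each call site, leaving only `bgp_status_msg_max` exported as before. The macro depends on `array_size`, presumably supplied by the newly included `memory.h`; that should be confirmed against the older tree this patch is applied to. A comment above the macro noting that each `_max` is now derived from the table length instead of the `BGP_*_MAX` constants would record the intent for later edits to the tables.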
Index: patches/patch-bgpd_bgp_packet_c
===================================================================
RCS file: patches/patch-bgpd_bgp_packet_c
diff -N patches/patch-bgpd_bgp_packet_c
--- /dev/null 1 Jan 1970 00:00:00 -0000
+++ patches/patch-bgpd_bgp_packet_c 16 Feb 2018 22:07:00 -0000
@@ -0,0 +1,26 @@
+$OpenBSD$
+
+Security issue: Quagga-2018-1975
+See: https://www.quagga.net/security/Quagga-2018-1975.txt
+
+Index: bgpd/bgp_packet.c
+--- bgpd/bgp_packet.c.orig
++++ bgpd/bgp_packet.c
+@@ -2218,7 +2218,8 @@ bgp_capability_msg_parse (struct peer *peer, u_char *p
+
+   end = pnt + length;
+
+-  while (pnt < end)
++  /* XXX: Streamify this */
++  for (; pnt < end; pnt += hdr->length + 3)
+     {      
+       /* We need at least action, capability code and capability length. */
+       if (pnt + 3 > end)
+@@ -2306,7 +2307,6 @@ bgp_capability_msg_parse (struct peer *peer, u_char *p
+           zlog_warn ("%s unrecognized capability code: %d - ignored",
+                      peer->host, hdr->code);
+         }
+-      pnt += hdr->length + 3;
+     }
+   return 0;
+ }

Re: UPDATE: net/quagga-1.2.3

Stuart Henderson
On 2018/02/16 19:11, Gleydson Soares wrote:
> > yep, one of these is particularly nasty: use-after-free in a transitive
> > BGP attribute. this is one of those "one update message can kill all
> > quaggas on the internet" bugs.
>
> i've backported the security patches to -stable

ah sorry for the dup work, I just committed Quagga-2018-1114 fix
to stable before I saw this ..

> potentially severe:
> "bgpd/security: Fix double free of unknown attribute"
> https://www.quagga.net/security/Quagga-2018-1114.txt
>
> also fixes:
> https://www.quagga.net/security/Quagga-2018-1550.txt
> https://www.quagga.net/security/Quagga-2018-1975.txt 

I skipped those, could pull them across but they're relatively minor.

> the following is not needed for -stable, only affects >1.1.x
> https://www.quagga.net/security/Quagga-2018-0543.txt
>
> OK?

> Index: Makefile
> ===================================================================
> RCS file: /cvs/ports/net/quagga/Makefile,v
> retrieving revision 1.52
> diff -u -p -r1.52 Makefile
> --- Makefile 27 Jun 2016 19:55:48 -0000 1.52
> +++ Makefile 16 Feb 2018 22:07:00 -0000
> @@ -3,7 +3,7 @@
>  COMMENT= multi-threaded routing daemon
>  
>  DISTNAME= quagga-1.0.20160315
> -REVISION= 1
> +REVISION= 2
>  CATEGORIES= net
>  MASTER_SITES= http://download.savannah.gnu.org/releases/quagga/
>  EXTRACT_SUFX= .tar.xz
> Index: patches/patch-bgpd_bgp_attr_c
> ===================================================================
> RCS file: patches/patch-bgpd_bgp_attr_c
> diff -N patches/patch-bgpd_bgp_attr_c
> --- /dev/null 1 Jan 1970 00:00:00 -0000
> +++ patches/patch-bgpd_bgp_attr_c 16 Feb 2018 22:07:00 -0000
> @@ -0,0 +1,71 @@
> +$OpenBSD$
> +
> +Security issue: Quagga-2018-1114
> +See: https://www.quagga.net/security/Quagga-2018-1114.txt
> +
> +Index: bgpd/bgp_attr.c
> +--- bgpd/bgp_attr.c.orig
> ++++ bgpd/bgp_attr.c
> +@@ -186,15 +186,17 @@ cluster_intern (struct cluster_list *cluster)
> + }
> +
> + void
> +-cluster_unintern (struct cluster_list *cluster)
> ++cluster_unintern (struct cluster_list **cluster)
> + {
> +-  if (cluster->refcnt)
> +-    cluster->refcnt--;
> ++  struct cluster_list *c = *cluster;
> ++  if (c->refcnt)
> ++    c->refcnt--;
> +
> +-  if (cluster->refcnt == 0)
> ++  if (c->refcnt == 0)
> +     {
> +-      hash_release (cluster_hash, cluster);
> +-      cluster_free (cluster);
> ++      hash_release (cluster_hash, c);
> ++      cluster_free (c);
> ++      *cluster = NULL;
> +     }
> + }
> +
> +@@ -344,15 +346,18 @@ transit_intern (struct transit *transit)
> + }
> +
> + void
> +-transit_unintern (struct transit *transit)
> ++transit_unintern (struct transit **transit)
> + {
> +-  if (transit->refcnt)
> +-    transit->refcnt--;
> ++  struct transit *t = *transit;
> ++  
> ++  if (t->refcnt)
> ++    t->refcnt--;
> +
> +-  if (transit->refcnt == 0)
> ++  if (t->refcnt == 0)
> +     {
> +-      hash_release (transit_hash, transit);
> +-      transit_free (transit);
> ++      hash_release (transit_hash, t);
> ++      transit_free (t);
> ++      *transit = NULL;
> +     }
> + }
> +
> +@@ -788,11 +793,11 @@ bgp_attr_unintern_sub (struct attr *attr)
> +       UNSET_FLAG(attr->flag, ATTR_FLAG_BIT (BGP_ATTR_EXT_COMMUNITIES));
> +      
> +       if (attr->extra->cluster)
> +-        cluster_unintern (attr->extra->cluster);
> ++        cluster_unintern (&attr->extra->cluster);
> +       UNSET_FLAG(attr->flag, ATTR_FLAG_BIT (BGP_ATTR_CLUSTER_LIST));
> +      
> +       if (attr->extra->transit)
> +-        transit_unintern (attr->extra->transit);
> ++        transit_unintern (&attr->extra->transit);
> +     }
> + }
> +
> Index: patches/patch-bgpd_bgp_attr_h
> ===================================================================
> RCS file: patches/patch-bgpd_bgp_attr_h
> diff -N patches/patch-bgpd_bgp_attr_h
> --- /dev/null 1 Jan 1970 00:00:00 -0000
> +++ patches/patch-bgpd_bgp_attr_h 16 Feb 2018 22:07:00 -0000
> @@ -0,0 +1,21 @@
> +$OpenBSD$
> +
> +Security issue: Quagga-2018-1114
> +See: https://www.quagga.net/security/Quagga-2018-1114.txt
> +
> +Index: bgpd/bgp_attr.h
> +--- bgpd/bgp_attr.h.orig
> ++++ bgpd/bgp_attr.h
> +@@ -182,10 +182,10 @@ extern unsigned long int attr_unknown_count (void);
> +
> + /* Cluster list prototypes. */
> + extern int cluster_loop_check (struct cluster_list *, struct in_addr);
> +-extern void cluster_unintern (struct cluster_list *);
> ++extern void cluster_unintern (struct cluster_list **);
> +
> + /* Transit attribute prototypes. */
> +-void transit_unintern (struct transit *);
> ++void transit_unintern (struct transit **);
> +
> + /* Below exported for unit-test purposes only */
> + struct bgp_attr_parser_args {
> Index: patches/patch-bgpd_bgp_debug_c
> ===================================================================
> RCS file: patches/patch-bgpd_bgp_debug_c
> diff -N patches/patch-bgpd_bgp_debug_c
> --- /dev/null 1 Jan 1970 00:00:00 -0000
> +++ patches/patch-bgpd_bgp_debug_c 16 Feb 2018 22:07:00 -0000
> @@ -0,0 +1,91 @@
> +$OpenBSD$
> +
> +Security issue: Quagga-2018-1550
> +See: https://www.quagga.net/security/Quagga-2018-1550.txt
> +
> +Index: bgpd/bgp_debug.c
> +--- bgpd/bgp_debug.c.orig
> ++++ bgpd/bgp_debug.c
> +@@ -29,6 +29,7 @@ Software Foundation, Inc., 59 Temple Place - Suite 330
> + #include "log.h"
> + #include "sockunion.h"
> + #include "filter.h"
> ++#include "memory.h"
> +
> + #include "bgpd/bgpd.h"
> + #include "bgpd/bgp_aspath.h"
> +@@ -69,7 +70,8 @@ const struct message bgp_status_msg[] =
> +   { Clearing,    "Clearing"    },
> +   { Deleted,     "Deleted"     },
> + };
> +-const int bgp_status_msg_max = BGP_STATUS_MAX;
> ++#define BGP_DEBUG_MSG_MAX(msg) const int msg ## _max = array_size (msg)
> ++BGP_DEBUG_MSG_MAX (bgp_status_msg);
> +
> + /* BGP message type string. */
> + const char *bgp_type_str[] =
> +@@ -80,7 +82,8 @@ const char *bgp_type_str[] =
> +   "NOTIFICATION",
> +   "KEEPALIVE",
> +   "ROUTE-REFRESH",
> +-  "CAPABILITY"
> ++  "CAPABILITY",
> ++  NULL,
> + };
> +
> + /* message for BGP-4 Notify */
> +@@ -94,15 +97,15 @@ static const struct message bgp_notify_msg[] =
> +   { BGP_NOTIFY_CEASE, "Cease"},
> +   { BGP_NOTIFY_CAPABILITY_ERR, "CAPABILITY Message Error"},
> + };
> +-static const int bgp_notify_msg_max = BGP_NOTIFY_MAX;
> ++BGP_DEBUG_MSG_MAX (bgp_notify_msg);
> +
> + static const struct message bgp_notify_head_msg[] =
> + {
> +   { BGP_NOTIFY_HEADER_NOT_SYNC, "/Connection Not Synchronized"},
> +   { BGP_NOTIFY_HEADER_BAD_MESLEN, "/Bad Message Length"},
> +-  { BGP_NOTIFY_HEADER_BAD_MESTYPE, "/Bad Message Type"}
> ++  { BGP_NOTIFY_HEADER_BAD_MESTYPE, "/Bad Message Type"},
> + };
> +-static const int bgp_notify_head_msg_max = BGP_NOTIFY_HEADER_MAX;
> ++BGP_DEBUG_MSG_MAX (bgp_notify_head_msg);
> +
> + static const struct message bgp_notify_open_msg[] =
> + {
> +@@ -115,7 +118,7 @@ static const struct message bgp_notify_open_msg[] =
> +   { BGP_NOTIFY_OPEN_UNACEP_HOLDTIME, "/Unacceptable Hold Time"},
> +   { BGP_NOTIFY_OPEN_UNSUP_CAPBL, "/Unsupported Capability"},
> + };
> +-static const int bgp_notify_open_msg_max = BGP_NOTIFY_OPEN_MAX;
> ++BGP_DEBUG_MSG_MAX (bgp_notify_open_msg);
> +
> + static const struct message bgp_notify_update_msg[] =
> + {
> +@@ -132,7 +135,7 @@ static const struct message bgp_notify_update_msg[] =
> +   { BGP_NOTIFY_UPDATE_INVAL_NETWORK, "/Invalid Network Field"},
> +   { BGP_NOTIFY_UPDATE_MAL_AS_PATH, "/Malformed AS_PATH"},
> + };
> +-static const int bgp_notify_update_msg_max = BGP_NOTIFY_UPDATE_MAX;
> ++BGP_DEBUG_MSG_MAX (bgp_notify_update_msg);
> +
> + static const struct message bgp_notify_cease_msg[] =
> + {
> +@@ -146,7 +149,7 @@ static const struct message bgp_notify_cease_msg[] =
> +   { BGP_NOTIFY_CEASE_COLLISION_RESOLUTION, "/Connection collision resolution"},
> +   { BGP_NOTIFY_CEASE_OUT_OF_RESOURCE, "/Out of Resource"},
> + };
> +-static const int bgp_notify_cease_msg_max = BGP_NOTIFY_CEASE_MAX;
> ++BGP_DEBUG_MSG_MAX (bgp_notify_cease_msg);
> +
> + static const struct message bgp_notify_capability_msg[] =
> + {
> +@@ -155,7 +158,7 @@ static const struct message bgp_notify_capability_msg[
> +   { BGP_NOTIFY_CAPABILITY_INVALID_LENGTH, "/Invalid Capability Length"},
> +   { BGP_NOTIFY_CAPABILITY_MALFORMED_CODE, "/Malformed Capability Value"},
> + };
> +-static const int bgp_notify_capability_msg_max = BGP_NOTIFY_CAPABILITY_MAX;
> ++BGP_DEBUG_MSG_MAX (bgp_notify_capability_msg);
> +
> + /* Origin strings. */
> + const char *bgp_origin_str[] = {"i","e","?"};
> Index: patches/patch-bgpd_bgp_packet_c
> ===================================================================
> RCS file: patches/patch-bgpd_bgp_packet_c
> diff -N patches/patch-bgpd_bgp_packet_c
> --- /dev/null 1 Jan 1970 00:00:00 -0000
> +++ patches/patch-bgpd_bgp_packet_c 16 Feb 2018 22:07:00 -0000
> @@ -0,0 +1,26 @@
> +$OpenBSD$
> +
> +Security issue: Quagga-2018-1975
> +See: https://www.quagga.net/security/Quagga-2018-1975.txt
> +
> +Index: bgpd/bgp_packet.c
> +--- bgpd/bgp_packet.c.orig
> ++++ bgpd/bgp_packet.c
> +@@ -2218,7 +2218,8 @@ bgp_capability_msg_parse (struct peer *peer, u_char *p
> +
> +   end = pnt + length;
> +
> +-  while (pnt < end)
> ++  /* XXX: Streamify this */
> ++  for (; pnt < end; pnt += hdr->length + 3)
> +     {      
> +       /* We need at least action, capability code and capability length. */
> +       if (pnt + 3 > end)
> +@@ -2306,7 +2307,6 @@ bgp_capability_msg_parse (struct peer *peer, u_char *p
> +           zlog_warn ("%s unrecognized capability code: %d - ignored",
> +                      peer->host, hdr->code);
> +         }
> +-      pnt += hdr->length + 3;
> +     }
> +   return 0;
> + }