[quagga-dev 10603] Re: [PATCH] ospfd: CVE-2013-2236, stack overrun in apiserver
fweimer at redhat.com
Mon Jul 15 14:53:49 BST 2013
On 07/15/2013 03:23 PM, David Lamparter wrote:

> I don't see the "-a" command line option to ospfd anywhere in Fedora
> build stuff... (apparently, the init scripts come from Quagga git's
> redhat/ directory?)

Adding "OSPFD_OPTS=-a" to /etc/sysconfig/quagga is a supported use case,
I think. At least the mechanism is there.

>> D-Bus (the wire format and perhaps even the entire stack) would be a
>> candidate as well.

> Not sure if D-Bus is suitable. For one thing, Quagga needs to run on
> OpenWRT and the likes, with minimum possible footprint. Also, the
> overhead incurred by D-Bus may be too large.

It's hard to tell whether D-Bus or Protobuf has larger overhead.
Protobuf requires multiple cycles to encode an integer, while with
D-Bus, it can be a single store. Encoding size of Protobuf integers
depends on the value, while D-Bus integers are fixed-width, so a
comparison of storage requirements is difficult.

Florian Weimer / Red Hat Product Security Team
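
The integer-encoding comparison in the message above, as an added example that is not part of the original post and is not Quagga, Protobuf or D-Bus code: a bounds-checked Protobuf-style varint encoder beside a D-Bus-style fixed-width, 4-byte-aligned UINT32 store. The function names are hypothetical, the sample values are constructed, and little-endian byte order is assumed for the fixed-width case.

```c
/* Added illustration; function names are hypothetical, not a real library API. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Protobuf-style base-128 varint: 7 payload bits per byte, high bit set on
 * every byte except the last. Returns bytes written, or 0 if buf is too small. */
size_t varint_encode(uint32_t v, uint8_t *buf, size_t cap)
{
    size_t n = 0;
    do {
        if (n == cap)
            return 0;               /* refuse to write past the buffer */
        uint8_t b = v & 0x7f;
        v >>= 7;
        buf[n++] = b | (v ? 0x80 : 0);
    } while (v);
    return n;
}

/* D-Bus-style UINT32: always 4 bytes, padded to a 4-byte boundary.
 * Little-endian assumed. Returns the new offset, or 0 if it does not fit. */
size_t fixed32_encode(uint32_t v, uint8_t *buf, size_t off, size_t cap)
{
    size_t start = (off + 3) & ~(size_t)3;
    if (start > cap || cap - start < 4)
        return 0;
    while (off < start)
        buf[off++] = 0;             /* alignment padding */
    for (int i = 0; i < 4; i++)
        buf[off++] = (uint8_t)(v >> (8 * i));
    return off;
}

int main(void)
{
    /* Constructed sample values spanning the varint size classes. */
    const uint32_t samples[] = { 1, 127, 128, 16384, 0xffffffffu };
    uint8_t buf[8];
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        size_t vn = varint_encode(samples[i], buf, sizeof buf);
        size_t fn = fixed32_encode(samples[i], buf, 0, sizeof buf);
        printf("%10u: varint %zu bytes, fixed %zu bytes\n",
               (unsigned)samples[i], vn, fn);
    }
    return 0;
}
```

Both encoders take the buffer capacity and fail rather than write past it. The fixed-width size also depends on the starting offset because of the alignment padding.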