[quagga-dev 10603] Re: [PATCH] ospfd: CVE-2013-2236, stack overrun in apiserver

Florian Weimer fweimer at redhat.com
Mon Jul 15 14:53:49 BST 2013

On 07/15/2013 03:23 PM, David Lamparter wrote:
> I don't see the "-a" command line option to ospfd anywhere in Fedora
> build stuff...  (apparently, the init scripts come from Quagga git's
> redhat/ directory?)

Adding "OSPFD_OPTS=-a" to /etc/sysconfig/quagga is a supported use case, 
I think.  At least the mechanism is there.

>> D-Bus (the wire format and perhaps even the entire stack) would be a
>> candidate as well.
> Not sure if D-Bus is suitable.  For one thing, Quagga needs to run on
> OpenWRT and the likes, with minimum possible footprint.  Also, the
> overhead incurred by D-Bus may be too large.

It's hard to tell whether D-Bus or Protobuf has larger overhead. 
Protobuf requires multiple cycles to encode an integer, while with 
D-Bus, it can be a single store.  Encoding size of Protobuf integers 
depends on the value, while D-Bus integers are fixed-width, so a 
comparison of storage requirements is difficult.

Florian Weimer / Red Hat Product Security Team
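
The encoding trade-off described in this message, as an added example that is not part of the original post or of Quagga's code: a bounds-checked Protobuf varint encoder next to a D-Bus UINT32 marshaller. The function names `pb_put_varint` and `dbus_put_uint32` and the sample values are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Protobuf base-128 varint: 7 payload bits per byte, high bit set on every
 * byte except the last. Returns bytes written, or 0 if the value does not
 * fit in `cap` (buffer contents are then unspecified). */
size_t pb_put_varint(uint8_t *buf, size_t cap, uint64_t v)
{
    size_t n = 0;
    do {
        if (n == cap)
            return 0;               /* refuse to write past the buffer */
        uint8_t b = v & 0x7f;
        v >>= 7;
        buf[n++] = v ? (uint8_t)(b | 0x80) : b;
    } while (v);
    return n;
}

/* D-Bus UINT32: always 4 bytes, aligned to a 4-byte offset, in the sender's
 * byte order. `off` is the current write offset; returns the new offset,
 * or 0 if padding plus value would exceed `cap`. */
size_t dbus_put_uint32(uint8_t *buf, size_t cap, size_t off, uint32_t v)
{
    size_t aligned = (off + 3) & ~(size_t)3;
    if (aligned > cap || cap - aligned < sizeof v)
        return 0;
    memset(buf + off, 0, aligned - off);   /* alignment padding is zero */
    memcpy(buf + aligned, &v, sizeof v);   /* typically a single store */
    return aligned + sizeof v;
}

int main(void)
{
    uint8_t buf[16];
    uint32_t samples[] = { 1, 300, 0xffffffffu };   /* constructed values */
    for (size_t i = 0; i < 3; i++)
        printf("%u: varint %zu bytes, D-Bus 4 bytes plus up to 3 of padding\n",
               (unsigned)samples[i],
               pb_put_varint(buf, sizeof buf, samples[i]));
    return 0;
}
```

Small values favour the varint (1 byte against 4), large 32-bit values favour the fixed-width form (5 bytes against 4), and D-Bus alignment padding can add up to 3 bytes depending on what precedes the integer.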
