Commit ce07207c for quagga.net

commit ce07207c50a3d1f05d6dd49b5294282e59749787
Author: Paul Jakma <paul@jakma.org>
Date:   Sat Jan 6 21:20:51 2018 +0000

    bgpd/security: fix infinite loop on certain invalid OPEN messages

    Security issue: Quagga-2018-1975
    See: https://www.quagga.net/security/Quagga-2018-1975.txt

    * bgpd/bgp_packet.c: (bgp_capability_msg_parse) capability parser can infinite
      loop due to checks that issue 'continue' without bumping the input
      pointer.

diff --git a/bgpd/bgp_packet.c b/bgpd/bgp_packet.c
index b3d601fc..f9338d8d 100644
--- a/bgpd/bgp_packet.c
+++ b/bgpd/bgp_packet.c
@@ -2328,7 +2328,8 @@ bgp_capability_msg_parse (struct peer *peer, u_char *pnt, bgp_size_t length)

   end = pnt + length;

-  while (pnt < end)
+  /* XXX: Streamify this */
+  for (; pnt < end; pnt += hdr->length + 3)
     {
       /* We need at least action, capability code and capability length. */
       if (pnt + 3 > end)
@@ -2416,7 +2417,6 @@ bgp_capability_msg_parse (struct peer *peer, u_char *pnt, bgp_size_t length)
           zlog_warn ("%s unrecognized capability code: %d - ignored",
                      peer->host, hdr->code);
         }
-      pnt += hdr->length + 3;
     }
   return 0;
 }