From 40642c0136fecf1b37f08dc456c175c7a75ebe98 Mon Sep 17 00:00:00 2001
From: Timo Teräs <timo.teras@iki.fi>
Date: Sun, 19 Jul 2020 18:11:36 +0300
Subject: main/quagga: cherry pick ipsec SA counter overflow fix

Hopefully fixes #11755
---
 ...001-nhrpd-change-ipsec-SA-count-to-32-bit.patch | 28 ++++++++++++++++++++++
 main/quagga/APKBUILD                               |  4 +++-
 2 files changed, 31 insertions(+), 1 deletion(-)
 create mode 100644 main/quagga/0001-nhrpd-change-ipsec-SA-count-to-32-bit.patch

diff --git a/main/quagga/0001-nhrpd-change-ipsec-SA-count-to-32-bit.patch b/main/quagga/0001-nhrpd-change-ipsec-SA-count-to-32-bit.patch
new file mode 100644
index 00000000000..79ecaebfb3d
--- /dev/null
+++ b/main/quagga/0001-nhrpd-change-ipsec-SA-count-to-32-bit.patch
@@ -0,0 +1,28 @@
+From fc6fefacad2a82f1d0470ba73015e117076b6116 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Timo=20Ter=C3=A4s?= <timo.teras@iki.fi>
+Date: Sun, 19 Jul 2020 18:07:31 +0300
+Subject: [PATCH] nhrpd: change ipsec SA count to 32-bit
+
+Under certain misconfigurations, the SA count can be unusually high
+and wrap 8-bit counter. That leads to premature free, and crash.
+Make the count 32-bit to avoid crash in these rare conditions.
+---
+ nhrpd/nhrpd.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/nhrpd/nhrpd.h b/nhrpd/nhrpd.h
+index 9222ad4e..7c73717f 100644
+--- a/nhrpd/nhrpd.h
++++ b/nhrpd/nhrpd.h
+@@ -123,7 +123,7 @@ enum nhrp_notify_type {
+ 
+ struct nhrp_vc {
+ 	struct notifier_list notifier_list;
+-	uint8_t ipsec;
++	uint32_t ipsec;
+ 	uint8_t updating;
+ 	uint8_t abort_migration;
+ 
+-- 
+2.27.0
+
diff --git a/main/quagga/APKBUILD b/main/quagga/APKBUILD
index 381b8fb3074..c0cf8b84eef 100644
--- a/main/quagga/APKBUILD
+++ b/main/quagga/APKBUILD
@@ -1,7 +1,7 @@
 # Maintainer: Natanael Copa <ncopa@alpinelinux.org>
 pkgname=quagga
 pkgver=1.2.4
-pkgrel=3
+pkgrel=4
 pkgdesc="A free routing daemon replacing Zebra supporting RIP, OSPF, BGP and NHRP"
 url="http://quagga.net/"
 arch="all"
@@ -16,6 +16,7 @@ subpackages="$pkgname-dev $pkgname-doc $pkgname-dbg"
 pkgusers="quagga"
 pkggroups="quagga"
 source="https://download.savannah.gnu.org/releases/quagga/quagga-$pkgver.tar.gz
+	0001-nhrpd-change-ipsec-SA-count-to-32-bit.patch
 	1001-bgpd-allow-using-ebgp-multihop-for-ibgp-connections.patch
 	dont-hook-core-signals.patch
 
@@ -67,6 +68,7 @@ package() {
 	install -o quagga -g quagga -d -m755 "$pkgdir"/etc/quagga
 }
 sha512sums="3e72440bcccfd3c1a449a62b7ff8623441256399a2bee0a39fa0a19694a5a78ac909c5c2128a24735bc034ea8b0811827293b480a2584a3a4c8ae36be9cf1fcd  quagga-1.2.4.tar.gz
+264103030fa8d57e7e7bd8a271b258dd8bae86242e15431060e20827b62de46be6f59617c216161aa7bc141c9e18a5aecbdb342545288340024c40f46c717aa4  0001-nhrpd-change-ipsec-SA-count-to-32-bit.patch
 dfa33341119fe51caa7bc33b44256f57361f2e3f8192862cca215b312ceb68e6a8c264dbf2a43d6244e6152bfad110cb0fdbefb065d95dd50389cf613d9720b3  1001-bgpd-allow-using-ebgp-multihop-for-ibgp-connections.patch
 5ef5c5e6d70d991b33b13a062e25b6fbde395dceee36aea29384b0640a48d2957ed5f50d416a1f2f770bf69bae2340133e35b1114be7e1fa722eb6d3d021f37a  dont-hook-core-signals.patch
 13b5b57e10df013bd2d931abc49bf76b8c4dee59dbceab22c9f151ccb988b2c5f7167f2909027d5e0f990b59da8de115667b02484aee9a67d347625700f6cacd  bgpd.initd
-- 
cgit v1.2.3