diff options
Diffstat (limited to 'meta-networking/recipes-protocols/frr/frr/CVE-2022-43681.patch')
-rw-r--r-- | meta-networking/recipes-protocols/frr/frr/CVE-2022-43681.patch | 58 |
1 files changed, 58 insertions, 0 deletions
diff --git a/meta-networking/recipes-protocols/frr/frr/CVE-2022-43681.patch b/meta-networking/recipes-protocols/frr/frr/CVE-2022-43681.patch new file mode 100644 index 0000000000..77a011dbc9 --- /dev/null +++ b/meta-networking/recipes-protocols/frr/frr/CVE-2022-43681.patch @@ -0,0 +1,58 @@ +From f316975cedd8ef17d47b56be0d3d21711fe44a25 Mon Sep 17 00:00:00 2001 +From: Donald Sharp <sharpd@nvidia.com> +Date: Wed, 2 Nov 2022 13:24:48 -0400 +Subject: [PATCH] bgpd: Ensure that bgp open message stream has enough data to + read + +If a operator receives an invalid packet that is of insufficient size +then it is possible for BGP to assert during reading of the packet +instead of gracefully resetting the connection with the peer. + +Signed-off-by: Donald Sharp <sharpd@nvidia.com> +(cherry picked from commit 766eec1b7accffe2c04a5c9ebb14e9f487bb9f78) + +CVE: CVE-2022-43681 + +Upstream-Status: Backport +[https://github.com/FRRouting/frr/commit/766eec1b7accffe2c04a5c9ebb14e9f487bb9f78] + +Signed-off-by: Jonas Gorski <jonas.gorski@bisdn.de> +--- + bgpd/bgp_packet.c | 19 +++++++++++++++++++ + 1 file changed, 19 insertions(+) + +diff --git a/bgpd/bgp_packet.c b/bgpd/bgp_packet.c +index bcd47e32d453..5225db29fe09 100644 +--- a/bgpd/bgp_packet.c ++++ b/bgpd/bgp_packet.c +@@ -1176,8 +1176,27 @@ static int bgp_open_receive(struct peer *peer, bgp_size_t size) + || CHECK_FLAG(peer->flags, PEER_FLAG_EXTENDED_OPT_PARAMS)) { + uint8_t opttype; + ++ if (STREAM_READABLE(peer->curr) < 1) { ++ flog_err( ++ EC_BGP_PKT_OPEN, ++ "%s: stream does not have enough bytes for extended optional parameters", ++ peer->host); ++ bgp_notify_send(peer, BGP_NOTIFY_OPEN_ERR, ++ BGP_NOTIFY_OPEN_MALFORMED_ATTR); ++ return BGP_Stop; ++ } ++ + opttype = stream_getc(peer->curr); + if (opttype == BGP_OPEN_NON_EXT_OPT_TYPE_EXTENDED_LENGTH) { ++ if (STREAM_READABLE(peer->curr) < 2) { ++ flog_err( ++ EC_BGP_PKT_OPEN, ++ "%s: stream does not have enough bytes to read the extended optional parameters optlen", ++ peer->host); ++ bgp_notify_send(peer, BGP_NOTIFY_OPEN_ERR, ++ BGP_NOTIFY_OPEN_MALFORMED_ATTR); ++ return BGP_Stop; ++ } + optlen = stream_getw(peer->curr); + SET_FLAG(peer->sflags, + PEER_STATUS_EXT_OPT_PARAMS_LENGTH); +-- +2.40.1 + |