aboutsummaryrefslogtreecommitdiffstats
path: root/meta-networking/recipes-protocols/frr/frr/CVE-2022-43681.patch
diff options
context:
space:
mode:
Diffstat (limited to 'meta-networking/recipes-protocols/frr/frr/CVE-2022-43681.patch')
-rw-r--r--meta-networking/recipes-protocols/frr/frr/CVE-2022-43681.patch58
1 files changed, 58 insertions, 0 deletions
diff --git a/meta-networking/recipes-protocols/frr/frr/CVE-2022-43681.patch b/meta-networking/recipes-protocols/frr/frr/CVE-2022-43681.patch
new file mode 100644
index 0000000000..77a011dbc9
--- /dev/null
+++ b/meta-networking/recipes-protocols/frr/frr/CVE-2022-43681.patch
@@ -0,0 +1,58 @@
+From f316975cedd8ef17d47b56be0d3d21711fe44a25 Mon Sep 17 00:00:00 2001
+From: Donald Sharp <sharpd@nvidia.com>
+Date: Wed, 2 Nov 2022 13:24:48 -0400
+Subject: [PATCH] bgpd: Ensure that bgp open message stream has enough data to
+ read
+
+If a operator receives an invalid packet that is of insufficient size
+then it is possible for BGP to assert during reading of the packet
+instead of gracefully resetting the connection with the peer.
+
+Signed-off-by: Donald Sharp <sharpd@nvidia.com>
+(cherry picked from commit 766eec1b7accffe2c04a5c9ebb14e9f487bb9f78)
+
+CVE: CVE-2022-43681
+
+Upstream-Status: Backport
+[https://github.com/FRRouting/frr/commit/766eec1b7accffe2c04a5c9ebb14e9f487bb9f78]
+
+Signed-off-by: Jonas Gorski <jonas.gorski@bisdn.de>
+---
+ bgpd/bgp_packet.c | 19 +++++++++++++++++++
+ 1 file changed, 19 insertions(+)
+
+diff --git a/bgpd/bgp_packet.c b/bgpd/bgp_packet.c
+index bcd47e32d453..5225db29fe09 100644
+--- a/bgpd/bgp_packet.c
++++ b/bgpd/bgp_packet.c
+@@ -1176,8 +1176,27 @@ static int bgp_open_receive(struct peer *peer, bgp_size_t size)
+ || CHECK_FLAG(peer->flags, PEER_FLAG_EXTENDED_OPT_PARAMS)) {
+ uint8_t opttype;
+
++ if (STREAM_READABLE(peer->curr) < 1) {
++ flog_err(
++ EC_BGP_PKT_OPEN,
++ "%s: stream does not have enough bytes for extended optional parameters",
++ peer->host);
++ bgp_notify_send(peer, BGP_NOTIFY_OPEN_ERR,
++ BGP_NOTIFY_OPEN_MALFORMED_ATTR);
++ return BGP_Stop;
++ }
++
+ opttype = stream_getc(peer->curr);
+ if (opttype == BGP_OPEN_NON_EXT_OPT_TYPE_EXTENDED_LENGTH) {
++ if (STREAM_READABLE(peer->curr) < 2) {
++ flog_err(
++ EC_BGP_PKT_OPEN,
++ "%s: stream does not have enough bytes to read the extended optional parameters optlen",
++ peer->host);
++ bgp_notify_send(peer, BGP_NOTIFY_OPEN_ERR,
++ BGP_NOTIFY_OPEN_MALFORMED_ATTR);
++ return BGP_Stop;
++ }
+ optlen = stream_getw(peer->curr);
+ SET_FLAG(peer->sflags,
+ PEER_STATUS_EXT_OPT_PARAMS_LENGTH);
+--
+2.40.1
+
generated by cgit 1.2.3-korg (git 2.39.0) at 2024-05-01 00:29:50 +0000