Diffstat (limited to 'meta-networking/recipes-protocols/frr/frr/CVE-2023-38406.patch')
-rw-r--r-- | meta-networking/recipes-protocols/frr/frr/CVE-2023-38406.patch | 42 |
1 files changed, 42 insertions, 0 deletions
diff --git a/meta-networking/recipes-protocols/frr/frr/CVE-2023-38406.patch b/meta-networking/recipes-protocols/frr/frr/CVE-2023-38406.patch
new file mode 100644
index 0000000000..9d5f306fe4
--- /dev/null
+++ b/meta-networking/recipes-protocols/frr/frr/CVE-2023-38406.patch
@@ -0,0 +1,42 @@
+From f2a5c583fc8f7c515f3d6e6f929dcbcc61f7e4b7 Mon Sep 17 00:00:00 2001
+From: Donald Sharp <sharpd@nvidia.com>
+Date: Mon, 20 Nov 2023 11:43:27 +0000
+Subject: [PATCH 1/6] bgpd: Flowspec overflow issue
+
+According to the flowspec RFC 8955 a flowspec nlri is <length, <nlri data>>
+Specifying 0 as a length makes BGP get all warm on the inside. Which
+in this case is not a good thing at all. Prevent warmth, stay cold
+on the inside.
+
+Reported-by: Iggy Frankovic <iggyfran@amazon.com>
+Signed-off-by: Donald Sharp <sharpd@nvidia.com>
+
+CVE: CVE-2023-38406
+
+Upstream-Status: Backport [https://github.com/FRRouting/frr/commit/0b999c886e241c52bd1f7ef0066700e4b618ebb3]
+
+Signed-off-by: Narpat Mali <narpat.mali@windriver.com>
+---
+ bgpd/bgp_flowspec.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/bgpd/bgp_flowspec.c b/bgpd/bgp_flowspec.c
+index 3e2b1ac49..95fbd340a 100644
+--- a/bgpd/bgp_flowspec.c
++++ b/bgpd/bgp_flowspec.c
+@@ -148,6 +148,13 @@ int bgp_nlri_parse_flowspec(struct peer *peer, struct attr *attr,
+ psize);
+ return BGP_NLRI_PARSE_ERROR_PACKET_OVERFLOW;
+ }
++
++ if (psize == 0) {
++ flog_err(EC_BGP_FLOWSPEC_PACKET,
++ "Flowspec NLRI length 0 which makes no sense");
++ return BGP_NLRI_PARSE_ERROR_PACKET_OVERFLOW;
++ }
++
+ if (bgp_fs_nlri_validate(pnt, psize, afi) < 0) {
+ flog_err(
+ EC_BGP_FLOWSPEC_PACKET,
+--
+2.40.0 |
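Review bot: Nothing visible here wires the new patch file into the build, so the fix for CVE-2023-38406 only takes effect if the frr recipe's `SRC_URI` lists `file://CVE-2023-38406.patch`. The diffstat is limited to this one path, so that recipe change may sit elsewhere in the same commit and should be confirmed. A smaller point on the embedded C change: the new `psize == 0` branch in `bgp_nlri_parse_flowspec` logs "Flowspec NLRI length 0 which makes no sense" without naming the peer, which makes it harder to tell from logs which neighbor sent the malformed update. Since this is a backport it is reasonable to keep it identical to upstream and raise a peer-qualified message there, for example `"%s: Flowspec NLRI length 0 which makes no sense", peer->host`. The function body starts and ends outside the hunk, so how callers treat the reused `BGP_NLRI_PARSE_ERROR_PACKET_OVERFLOW` return for a zero length cannot be checked from this page.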