aboutsummaryrefslogtreecommitdiffstats
path: root/meta-networking/recipes-protocols/frr/frr/CVE-2023-46752.patch
diff options
context:
space:
mode:
Diffstat (limited to 'meta-networking/recipes-protocols/frr/frr/CVE-2023-46752.patch')
-rw-r--r--meta-networking/recipes-protocols/frr/frr/CVE-2023-46752.patch127
1 files changed, 127 insertions, 0 deletions
diff --git a/meta-networking/recipes-protocols/frr/frr/CVE-2023-46752.patch b/meta-networking/recipes-protocols/frr/frr/CVE-2023-46752.patch
new file mode 100644
index 0000000000..17ba41037c
--- /dev/null
+++ b/meta-networking/recipes-protocols/frr/frr/CVE-2023-46752.patch
@@ -0,0 +1,127 @@
+From 1c4882b83a1db705abd5d384dd0b7ef4c0e3b4ee Mon Sep 17 00:00:00 2001
+From: Donatas Abraitis <donatas@opensourcerouting.org>
+Date: Mon, 20 Nov 2023 14:11:13 +0000
+Subject: [PATCH 3/6] bgpd: Handle MP_REACH_NLRI malformed packets with session
+ reset
+
+Avoid crashing bgpd.
+
+```
+(gdb)
+bgp_mp_reach_parse (args=<optimized out>, mp_update=0x7fffffffe140) at bgpd/bgp_attr.c:2341
+2341 stream_get(&attr->mp_nexthop_global, s, IPV6_MAX_BYTELEN);
+(gdb)
+stream_get (dst=0x7fffffffe1ac, s=0x7ffff0006e80, size=16) at lib/stream.c:320
+320 {
+(gdb)
+321 STREAM_VERIFY_SANE(s);
+(gdb)
+323 if (STREAM_READABLE(s) < size) {
+(gdb)
+34 return __builtin___memcpy_chk (__dest, __src, __len, __bos0 (__dest));
+(gdb)
+
+Thread 1 "bgpd" received signal SIGSEGV, Segmentation fault.
+0x00005555556e37be in route_set_aspath_prepend (rule=0x555555aac0d0, prefix=0x7fffffffe050,
+ object=0x7fffffffdb00) at bgpd/bgp_routemap.c:2282
+2282 if (path->attr->aspath->refcnt)
+(gdb)
+```
+
+With the configuration:
+
+```
+ neighbor 127.0.0.1 remote-as external
+ neighbor 127.0.0.1 passive
+ neighbor 127.0.0.1 ebgp-multihop
+ neighbor 127.0.0.1 disable-connected-check
+ neighbor 127.0.0.1 update-source 127.0.0.2
+ neighbor 127.0.0.1 timers 3 90
+ neighbor 127.0.0.1 timers connect 1
+ address-family ipv4 unicast
+ redistribute connected
+ neighbor 127.0.0.1 default-originate
+ neighbor 127.0.0.1 route-map RM_IN in
+ exit-address-family
+!
+route-map RM_IN permit 10
+ set as-path prepend 200
+exit
+```
+
+Reported-by: Iggy Frankovic <iggyfran@amazon.com>
+Signed-off-by: Donatas Abraitis <donatas@opensourcerouting.org>
+
+CVE: CVE-2023-46752
+
+Upstream-Status: Backport [https://github.com/FRRouting/frr/commit/b08afc81c60607a4f736f418f2e3eb06087f1a35]
+
+Signed-off-by: Narpat Mali <narpat.mali@windriver.com>
+---
+ bgpd/bgp_attr.c | 6 +-----
+ bgpd/bgp_attr.h | 1 -
+ bgpd/bgp_packet.c | 6 +-----
+ 3 files changed, 2 insertions(+), 11 deletions(-)
+
+diff --git a/bgpd/bgp_attr.c b/bgpd/bgp_attr.c
+index b10a60351..e0542356c 100644
+--- a/bgpd/bgp_attr.c
++++ b/bgpd/bgp_attr.c
+@@ -2207,7 +2207,7 @@ int bgp_mp_reach_parse(struct bgp_attr_parser_args *args,
+
+ mp_update->afi = afi;
+ mp_update->safi = safi;
+- return BGP_ATTR_PARSE_EOR;
++ return bgp_attr_malformed(args, BGP_NOTIFY_UPDATE_MAL_ATTR, 0);
+ }
+
+ mp_update->afi = afi;
+@@ -3345,10 +3345,6 @@ bgp_attr_parse_ret_t bgp_attr_parse(struct peer *peer, struct attr *attr,
+ goto done;
+ }
+
+- if (ret == BGP_ATTR_PARSE_EOR) {
+- goto done;
+- }
+-
+ if (ret == BGP_ATTR_PARSE_ERROR) {
+ flog_warn(EC_BGP_ATTRIBUTE_PARSE_ERROR,
+ "%s: Attribute %s, parse error", peer->host,
+diff --git a/bgpd/bgp_attr.h b/bgpd/bgp_attr.h
+index 781bfdec3..69f962134 100644
+--- a/bgpd/bgp_attr.h
++++ b/bgpd/bgp_attr.h
+@@ -378,7 +378,6 @@ typedef enum {
+ /* only used internally, send notify + convert to BGP_ATTR_PARSE_ERROR
+ */
+ BGP_ATTR_PARSE_ERROR_NOTIFYPLS = -3,
+- BGP_ATTR_PARSE_EOR = -4,
+ } bgp_attr_parse_ret_t;
+
+ struct bpacket_attr_vec_arr;
+diff --git a/bgpd/bgp_packet.c b/bgpd/bgp_packet.c
+index 2fd28aae3..261695198 100644
+--- a/bgpd/bgp_packet.c
++++ b/bgpd/bgp_packet.c
+@@ -1843,8 +1843,7 @@ static int bgp_update_receive(struct peer *peer, bgp_size_t size)
+ * Non-MP IPv4/Unicast EoR is a completely empty UPDATE
+ * and MP EoR should have only an empty MP_UNREACH
+ */
+- if ((!update_len && !withdraw_len && nlris[NLRI_MP_UPDATE].length == 0)
+- || (attr_parse_ret == BGP_ATTR_PARSE_EOR)) {
++ if (!update_len && !withdraw_len && nlris[NLRI_MP_UPDATE].length == 0) {
+ afi_t afi = 0;
+ safi_t safi;
+ struct graceful_restart_info *gr_info;
+@@ -1865,9 +1864,6 @@ static int bgp_update_receive(struct peer *peer, bgp_size_t size)
+ && nlris[NLRI_MP_WITHDRAW].length == 0) {
+ afi = nlris[NLRI_MP_WITHDRAW].afi;
+ safi = nlris[NLRI_MP_WITHDRAW].safi;
+- } else if (attr_parse_ret == BGP_ATTR_PARSE_EOR) {
+- afi = nlris[NLRI_MP_UPDATE].afi;
+- safi = nlris[NLRI_MP_UPDATE].safi;
+ }
+
+ if (afi && peer->afc[afi][safi]) {
+--
+2.40.0
generated by cgit 1.2.3-korg (git 2.39.0) at 2024-05-01 11:10:58 +0000