authorYi Zhao <yi.zhao@windriver.com>2023-08-28 18:49:18 +0800
committerKhem Raj <raj.khem@gmail.com>2023-08-28 08:55:26 -0700
commitee1026ab77dcb31b0f5cb723b4d998aab4c00382 (patch)
treee9378cb0c9da0bc4c7ab9780d4c940ef5554e4a5
parentf74d5dfd69a29bb364648d424d7575d46f033478 (diff)
downloadmeta-openembedded-ee1026ab77dcb31b0f5cb723b4d998aab4c00382.tar.gz
frr: Security fix CVE-2023-3748
CVE-2023-3748: A flaw was found in FRRouting when parsing certain babeld unicast hello messages that are intended to be ignored. This issue may allow an attacker to send specially crafted hello messages with the unicast flag set, the interval field set to 0, or any TLV that contains a sub-TLV with the Mandatory flag set, which makes the parser enter an infinite loop and causes a denial of service. Reference: https://nvd.nist.gov/vuln/detail/CVE-2023-3748 Patch from: https://github.com/FRRouting/frr/commit/ae1e0e1fed77716bc06f181ad68c4433fb5523d0 Signed-off-by: Yi Zhao <yi.zhao@windriver.com> Signed-off-by: Khem Raj <raj.khem@gmail.com>
-rw-r--r--meta-networking/recipes-protocols/frr/frr/CVE-2023-3748.patch54
-rw-r--r--meta-networking/recipes-protocols/frr/frr_8.4.4.bb1
2 files changed, 55 insertions, 0 deletions
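--- /dev/null
+++ b/meta-networking/recipes-protocols/frr/frr/CVE-2023-3748.patch
@@ -0,0 +1,54 @@
+From e61593f2ded104c4c7f01eb93e2b404e93e0c560 Mon Sep 17 00:00:00 2001
+From: harryreps <harryreps@gmail.com>
+Date: Fri, 3 Mar 2023 23:17:14 +0000
+Subject: [PATCH] babeld: fix #11808 to avoid infinite loops
+
+Replacing continue in loops to goto done so that index of packet buffer
+increases.
+
+Signed-off-by: harryreps <harryreps@gmail.com>
+
+CVE: CVE-2023-3748
+
+Upstream-Status: Backport
+[https://github.com/FRRouting/frr/commit/ae1e0e1fed77716bc06f181ad68c4433fb5523d0]
+
+Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
+---
+ babeld/message.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/babeld/message.c b/babeld/message.c
+index 7d45d91bf..2bf233796 100644
+--- a/babeld/message.c
++++ b/babeld/message.c
+@@ -439,7 +439,7 @@ parse_packet(const unsigned char *from, struct interface *ifp,
+ debugf(BABEL_DEBUG_COMMON,
+ "Received Hello from %s on %s that does not have all 0's in the unused section of flags, ignoring",
+ format_address(from), ifp->name);
+- continue;
++ goto done;
+ }
+
+ /*
+@@ -451,7 +451,7 @@ parse_packet(const unsigned char *from, struct interface *ifp,
+ debugf(BABEL_DEBUG_COMMON,
+ "Received Unicast Hello from %s on %s that FRR is not prepared to understand yet",
+ format_address(from), ifp->name);
+- continue;
++ goto done;
+ }
+
+ DO_NTOHS(seqno, message + 4);
+@@ -469,7 +469,7 @@ parse_packet(const unsigned char *from, struct interface *ifp,
+ debugf(BABEL_DEBUG_COMMON,
+ "Received hello from %s on %s should be ignored as that this version of FRR does not know how to properly handle interval == 0",
+ format_address(from), ifp->name);
+- continue;
++ goto done;
+ }
+
+ changed = update_neighbour(neigh, seqno, interval);
+--
+2.25.1
+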
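Review bot: The three `continue` to `goto done` replacements in the embedded babeld/message.c patch all sit in the Hello handling of parse_packet (non-zero unused flag bits, unicast Hello, interval == 0), while the commit description also names a TLV carrying a sub-TLV with the Mandatory flag as a trigger, and no visible hunk touches that path. Before treating this backport as the complete fix for CVE-2023-3748 on the 8.4.4 recipe, it is worth checking that every remaining `continue` inside the TLV loop of parse_packet either advances the packet index or is replaced the same way. The loop body and the `done` label lie outside these hunks, so this cannot be confirmed from the page. A comment at the label, for example `/* every skip path must land here so the index moves past the current TLV */`, would help keep a later edit from reintroducing a bare `continue`.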
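--- a/meta-networking/recipes-protocols/frr/frr_8.4.4.bb
+++ b/meta-networking/recipes-protocols/frr/frr_8.4.4.bb
@@ -12,6 +12,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=b234ee4d69f5fce4486a80fdaf4a4263 \
 SRC_URI = "git://github.com/FRRouting/frr.git;protocol=https;branch=stable/8.4 \
  file://frr.pam \
  file://0001-m4-ax_python.m4-check-for-python-x.y-emded.pc-not-py.patch \
+ file://CVE-2023-3748.patch \
  "
 
 SRCREV = "45e36c0c00a517ad1606135b18c5753e210cfc0d"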