| author | Jonas Gorski <jonas.gorski@bisdn.de> | 2023-05-10 12:32:03 +0200 |
|---|---|---|
| committer | Armin Kuster <akuster808@gmail.com> | 2023-05-24 10:47:53 -0400 |
| commit | 16718c0a0eb1593154451b6f1edc8ac66d5d21a9 (patch) | |
| tree | f2f8aedd9b537389323961888bebea4823bcefba | |
| parent | 49c8c1e74ecf81d8089d374b55f9a584f54cc4bc (diff) | |
frr: Security fix CVE-2022-40318
Add a security fix from the stable/8.2 branch:
CVE-2022-40318:
An issue was discovered in bgpd in FRRouting (FRR) through 8.4. By
crafting a BGP OPEN message with an option of type 0xff (Extended Length
from RFC 9072), attackers may cause a denial of service (assertion
failure and daemon restart, or out-of-bounds read). This is possible
because of inconsistent boundary checks that do not account for reading
3 bytes (instead of 2) in this 0xff case. NOTE: this behavior occurs in
bgp_open_option_parse in the bgp_open.c file, a different location (with
a different attack vector) relative to CVE-2022-40302.
Reference:
https://nvd.nist.gov/vuln/detail/CVE-2022-40318
https://cyberriskleaders.com/new-vulnerabilities-disclosed-in-frrouting-software/
Patch from:
https://github.com/FRRouting/frr/commit/72088b05d469a6b6a8b9a2b250885246ea0c2acb
Signed-off-by: Jonas Gorski <jonas.gorski@bisdn.de>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
| -rw-r--r-- | meta-networking/recipes-protocols/frr/frr/CVE-2022-40318.patch | 81 |
1 files changed, 81 insertions, 0 deletions
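--- /dev/null
+++ b/meta-networking/recipes-protocols/frr/frr/CVE-2022-40318.patch
@@ -0,0 +1,81 @@
+From 72088b05d469a6b6a8b9a2b250885246ea0c2acb Mon Sep 17 00:00:00 2001
+From: Donald Sharp <sharpd@nvidia.com>
+Date: Fri, 30 Sep 2022 08:57:43 -0400
+Subject: [PATCH] bgpd: Ensure FRR has enough data to read 2 bytes in
+bgp_open_option_parse
+
+In bgp_open_option_parse the code is checking that the
+stream has at least 2 bytes to read ( the opt_type and
+the opt_length). However if BGP_OPEN_EXT_OPT_PARAMS_CAPABLE(peer)
+is configured then FRR is reading 3 bytes. Which is not good
+since the packet could be badly formateed. Ensure that
+FRR has the appropriate data length to read the data.
+
+Signed-off-by: Donald Sharp <sharpd@nvidia.com>
+(cherry picked from commit 1117baca3c592877a4d8a13ed6a1d9bd83977487)
+
+CVE: CVE-2022-40318
+
+Upstream-Status: Backport
+[https://github.com/FRRouting/frr/commit/72088b05d469a6b6a8b9a2b250885246ea0c2acb]
+
+Signed-off-by: Jonas Gorski <jonas.gorski@bisdn.de>
+---
+bgpd/bgp_open.c | 35 ++++++++++++++++++++++++++++-------
+1 file changed, 28 insertions(+), 7 deletions(-)
+
+diff --git a/bgpd/bgp_open.c b/bgpd/bgp_open.c
+index fe4c24a8c979..de550d2ac607 100644
+--- a/bgpd/bgp_open.c
++++ b/bgpd/bgp_open.c
+@@ -1209,19 +1209,40 @@ int bgp_open_option_parse(struct peer *peer, uint16_t length,
+uint8_t opt_type;
+uint16_t opt_length;
+
+- /* Must have at least an OPEN option header */
+- if (STREAM_READABLE(s) < 2) {
++ /*
++ * Check that we can read the opt_type and fetch it
++ */
++ if (STREAM_READABLE(s) < 1) {
+zlog_info("%s Option length error", peer->host);
+bgp_notify_send(peer, BGP_NOTIFY_OPEN_ERR,
+BGP_NOTIFY_OPEN_MALFORMED_ATTR);
+return -1;
+}
+-
+- /* Fetch option type and length. */
+opt_type = stream_getc(s);
+- opt_length = BGP_OPEN_EXT_OPT_PARAMS_CAPABLE(peer)
+- ? stream_getw(s)
+- : stream_getc(s);
++
++ /*
++ * Check the length of the stream to ensure that
++ * FRR can properly read the opt_length. Then read it
++ */
++ if (BGP_OPEN_EXT_OPT_PARAMS_CAPABLE(peer)) {
++ if (STREAM_READABLE(s) < 2) {
++ zlog_info("%s Option length error", peer->host);
++ bgp_notify_send(peer, BGP_NOTIFY_OPEN_ERR,
++ BGP_NOTIFY_OPEN_MALFORMED_ATTR);
++ return -1;
++ }
++
++ opt_length = stream_getw(s);
++ } else {
++ if (STREAM_READABLE(s) < 1) {
++ zlog_info("%s Option length error", peer->host);
++ bgp_notify_send(peer, BGP_NOTIFY_OPEN_ERR,
++ BGP_NOTIFY_OPEN_MALFORMED_ATTR);
++ return -1;
++ }
++
++ opt_length = stream_getc(s);
++ }
+
+/* Option length check. */
+if (STREAM_READABLE(s) < opt_length) {
+--
+2.40.1
+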
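Review bot: The commit adds only the patch file (the diffstat lists one file changed, 81 insertions), so nothing visible here adds it to the frr recipe's SRC_URI. Unless that is done in a separate commit, the build never applies the patch and the packaged bgpd keeps the old single `STREAM_READABLE(s) < 2` check ahead of the up-to-3-byte header read. The recipe (`frr_<version>.bb`, whose name is not shown on this page) would need a line such as `file://CVE-2022-40318.patch \` in SRC_URI. Within the backported C change, all three early-return paths in bgp_open_option_parse log the same `"%s Option length error"` text, so an operator triaging malformed OPEN messages cannot tell from the log whether the type byte, the 1-byte length or the 2-byte extended length was short. That matches upstream and is reasonable to leave untouched in a backport. The function body starts and ends outside the inner hunk.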
