frr: Fix CVE-2023-38802 and CVE-2023-41358

CVE-2023-38802: FRRouting FRR 7.5.1 through 9.0 and Pica8 PICOS 4.3.3.2 allow a remote attacker to cause a denial of service via a crafted BGP update with a corrupted attribute 23 (Tunnel Encapsulation). CVE-2023-41358: An issue was discovered in FRRouting FRR through 9.0. bgpd/bgp_packet.c processes NLRIs if the attribute length is zero. References: https://nvd.nist.gov/vuln/detail/CVE-2023-38802 https://nvd.nist.gov/vuln/detail/CVE-2023-41358 Signed-off-by: Narpat Mali <narpat.mali@windriver.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
author: Narpat Mali <narpat.mali@windriver.com> 2023-09-05 13:12:21 +0000
committer: Armin Kuster <akuster808@gmail.com> 2023-09-06 09:12:30 -0400
commit: 0901bb4c6a315a48a0fcb49a51e0ff6547e37087 (patch)
tree: 23e9bcfab4863c7739ba28f0b005ff9cb5686a9f
parent: bef3ed137ba5cea67b8ed862b1af599d1c8e3867 (diff)
download: meta-openembedded-0901bb4c6a315a48a0fcb49a51e0ff6547e37087.tar.gz
3 files changed, 243 insertions, 0 deletions
diff --git a/meta-networking/recipes-protocols/frr/frr/CVE-2023-38802.patch b/meta-networking/recipes-protocols/frr/frr/CVE-2023-38802.patch
new file mode 100644
index 0000000000..60801bf06e
--- /dev/null
+++ b/meta-networking/recipes-protocols/frr/frr/CVE-2023-38802.patch
@@ -0,0 +1,136 @@
+From ad32e04f3db364694edc678327326ae6b771db9e Mon Sep 17 00:00:00 2001
+From: Donatas Abraitis <donatas@opensourcerouting.org>
+Date: Tue, 5 Sep 2023 11:30:53 +0000
+Subject: [PATCH 1/2] bgpd: Use treat-as-withdraw for tunnel encapsulation
+ attribute
+Before this path we used session reset method, which is discouraged by rfc7606.
+Handle this as rfc requires.
+Signed-off-by: Donatas Abraitis <donatas@opensourcerouting.org>
+CVE: CVE-2023-38802
+Upstream-Status: Backport [https://github.com/FRRouting/frr/commit/bcb6b58d9530173df41d3a3cbc4c600ee0b4b186]
+Signed-off-by: Narpat Mali <narpat.mali@windriver.com>
+---
+ bgpd/bgp_attr.c | 61 ++++++++++++++++++++-----------------------------
+ 1 file changed, 25 insertions(+), 36 deletions(-)
+diff --git a/bgpd/bgp_attr.c b/bgpd/bgp_attr.c
+index 5d06991e2..b10a60351 100644
+--- a/bgpd/bgp_attr.c
+++ b/bgpd/bgp_attr.c
+@@ -1310,6 +1310,7 @@ bgp_attr_malformed(struct bgp_attr_parser_args *args, uint8_t subcode,
+        case BGP_ATTR_LARGE_COMMUNITIES:
+        case BGP_ATTR_ORIGINATOR_ID:
+        case BGP_ATTR_CLUSTER_LIST:
+       case BGP_ATTR_ENCAP:
+                return BGP_ATTR_PARSE_WITHDRAW;
+        case BGP_ATTR_MP_REACH_NLRI:
+        case BGP_ATTR_MP_UNREACH_NLRI:
+@@ -2411,26 +2412,21 @@ bgp_attr_ipv6_ext_communities(struct bgp_attr_parser_args *args)
+ }
+ /* Parse Tunnel Encap attribute in an UPDATE */
+-static int bgp_attr_encap(uint8_t type, struct peer *peer, /* IN */
+-                         bgp_size_t length, /* IN: attr's length field */
+-                         struct attr *attr, /* IN: caller already allocated */
+-                         uint8_t flag,      /* IN: attr's flags field */
+-                         uint8_t *startp)
+static int bgp_attr_encap(struct bgp_attr_parser_args *args)
+ {
+-       bgp_size_t total;
+        uint16_t tunneltype = 0;
+-
+-       total = length + (CHECK_FLAG(flag, BGP_ATTR_FLAG_EXTLEN) ? 4 : 3);
+       struct peer *const peer = args->peer;
+       struct attr *const attr = args->attr;
+       bgp_size_t length = args->length;
+       uint8_t type = args->type;
+       uint8_t flag = args->flags;
+        if (!CHECK_FLAG(flag, BGP_ATTR_FLAG_TRANS)
+            || !CHECK_FLAG(flag, BGP_ATTR_FLAG_OPTIONAL)) {
+-               zlog_info(
+-                       "Tunnel Encap attribute flag isn't optional and transitive %d",
+-                       flag);
+-               bgp_notify_send_with_data(peer, BGP_NOTIFY_UPDATE_ERR,
+-                                         BGP_NOTIFY_UPDATE_ATTR_FLAG_ERR,
+-                                         startp, total);
+-               return -1;
+               zlog_err("Tunnel Encap attribute flag isn't optional and transitive %d",
+                        flag);
+               return bgp_attr_malformed(args, BGP_NOTIFY_UPDATE_OPT_ATTR_ERR,
+                                         args->total);
+        }
+        if (BGP_ATTR_ENCAP == type) {
+@@ -2438,12 +2434,11 @@ static int bgp_attr_encap(uint8_t type, struct peer *peer, /* IN */
+                uint16_t tlv_length;
+                if (length < 4) {
+-                       zlog_info(
+                       zlog_err(
+                                "Tunnel Encap attribute not long enough to contain outer T,L");
+-                       bgp_notify_send_with_data(
+-                               peer, BGP_NOTIFY_UPDATE_ERR,
+-                               BGP_NOTIFY_UPDATE_OPT_ATTR_ERR, startp, total);
+-                       return -1;
+                       return bgp_attr_malformed(args,
+                                                 BGP_NOTIFY_UPDATE_OPT_ATTR_ERR,
+                                                 args->total);
+                }
+                tunneltype = stream_getw(BGP_INPUT(peer));
+                tlv_length = stream_getw(BGP_INPUT(peer));
+@@ -2473,13 +2468,11 @@ static int bgp_attr_encap(uint8_t type, struct peer *peer, /* IN */
+                }
+                if (sublength > length) {
+-                       zlog_info(
+-                               "Tunnel Encap attribute sub-tlv length %d exceeds remaining length %d",
+-                               sublength, length);
+-                       bgp_notify_send_with_data(
+-                               peer, BGP_NOTIFY_UPDATE_ERR,
+-                               BGP_NOTIFY_UPDATE_OPT_ATTR_ERR, startp, total);
+-                       return -1;
+                       zlog_err("Tunnel Encap attribute sub-tlv length %d exceeds remaining length %d",
+                                sublength, length);
+                       return bgp_attr_malformed(args,
+                                                 BGP_NOTIFY_UPDATE_OPT_ATTR_ERR,
+                                                 args->total);
+                }
+                /* alloc and copy sub-tlv */
+@@ -2527,13 +2520,10 @@ static int bgp_attr_encap(uint8_t type, struct peer *peer, /* IN */
+        if (length) {
+                /* spurious leftover data */
+-               zlog_info(
+-                       "Tunnel Encap attribute length is bad: %d leftover octets",
+-                       length);
+-               bgp_notify_send_with_data(peer, BGP_NOTIFY_UPDATE_ERR,
+-                                         BGP_NOTIFY_UPDATE_OPT_ATTR_ERR,
+-                                         startp, total);
+-               return -1;
+               zlog_err("Tunnel Encap attribute length is bad: %d leftover octets",
+                        length);
+               return bgp_attr_malformed(args, BGP_NOTIFY_UPDATE_OPT_ATTR_ERR,
+                                         args->total);
+        }
+        return 0;
+@@ -3332,8 +3322,7 @@ bgp_attr_parse_ret_t bgp_attr_parse(struct peer *peer, struct attr *attr,
+                case BGP_ATTR_VNC:
+ #endif
+                case BGP_ATTR_ENCAP:
+-                       ret = bgp_attr_encap(type, peer, length, attr, flag,
+-                                            startp);
+                       ret = bgp_attr_encap(&attr_args);
+                        break;
+                case BGP_ATTR_PREFIX_SID:
+                        ret = bgp_attr_prefix_sid(&attr_args);
+--
+2.40.0
diff --git a/meta-networking/recipes-protocols/frr/frr/CVE-2023-41358.patch b/meta-networking/recipes-protocols/frr/frr/CVE-2023-41358.patch
new file mode 100644
index 0000000000..e10d3e5267
--- /dev/null
+++ b/meta-networking/recipes-protocols/frr/frr/CVE-2023-41358.patch
@@ -0,0 +1,105 @@
+From ef9b66e742f9016b3bf283920b528cf20d2c969f Mon Sep 17 00:00:00 2001
+From: Donatas Abraitis <donatas@opensourcerouting.org>
+Date: Tue, 5 Sep 2023 11:36:13 +0000
+Subject: [PATCH 2/2] bgpd: Do not process NLRIs if the attribute length is
+ zero
+```
+3  0x00007f423aa42476 in __GI_raise (sig=sig@entry=11) at ../sysdeps/posix/raise.c:26
+4  0x00007f423aef9740 in core_handler (signo=11, siginfo=0x7fffc414deb0, context=<optimized out>) at lib/sigevent.c:246
+5  <signal handler called>
+6  0x0000564dea2fc71e in route_set_aspath_prepend (rule=0x564debd66d50, prefix=0x7fffc414ea30, object=0x7fffc414e400)
+    at bgpd/bgp_routemap.c:2258
+7  0x00007f423aeec7e0 in route_map_apply_ext (map=<optimized out>, prefix=prefix@entry=0x7fffc414ea30,
+    match_object=match_object@entry=0x7fffc414e400, set_object=set_object@entry=0x7fffc414e400, pref=pref@entry=0x0) at lib/routemap.c:2690
+8  0x0000564dea2d277e in bgp_input_modifier (peer=peer@entry=0x7f4238f59010, p=p@entry=0x7fffc414ea30, attr=attr@entry=0x7fffc414e770,
+    afi=afi@entry=AFI_IP, safi=safi@entry=SAFI_UNICAST, rmap_name=rmap_name@entry=0x0, label=0x0, num_labels=0, dest=0x564debdd5130)
+    at bgpd/bgp_route.c:1772
+9  0x0000564dea2df762 in bgp_update (peer=peer@entry=0x7f4238f59010, p=p@entry=0x7fffc414ea30, addpath_id=addpath_id@entry=0,
+    attr=0x7fffc414eb50, afi=afi@entry=AFI_IP, safi=<optimized out>, safi@entry=SAFI_UNICAST, type=9, sub_type=0, prd=0x0, label=0x0,
+    num_labels=0, soft_reconfig=0, evpn=0x0) at bgpd/bgp_route.c:4374
+10 0x0000564dea2e2047 in bgp_nlri_parse_ip (peer=0x7f4238f59010, attr=attr@entry=0x7fffc414eb50, packet=0x7fffc414eaf0)
+    at bgpd/bgp_route.c:6249
+11 0x0000564dea2c5a58 in bgp_nlri_parse (peer=peer@entry=0x7f4238f59010, attr=attr@entry=0x7fffc414eb50,
+    packet=packet@entry=0x7fffc414eaf0, mp_withdraw=mp_withdraw@entry=false) at bgpd/bgp_packet.c:339
+12 0x0000564dea2c5d66 in bgp_update_receive (peer=peer@entry=0x7f4238f59010, size=size@entry=109) at bgpd/bgp_packet.c:2024
+13 0x0000564dea2c901d in bgp_process_packet (thread=<optimized out>) at bgpd/bgp_packet.c:2933
+14 0x00007f423af0bf71 in event_call (thread=thread@entry=0x7fffc414ee40) at lib/event.c:1995
+15 0x00007f423aebb198 in frr_run (master=0x564deb73c670) at lib/libfrr.c:1213
+16 0x0000564dea261b83 in main (argc=<optimized out>, argv=<optimized out>) at bgpd/bgp_main.c:505
+```
+With the configuration:
+```
+frr version 9.1-dev-MyOwnFRRVersion
+frr defaults traditional
+hostname ip-172-31-13-140
+log file /tmp/debug.log
+log syslog
+service integrated-vtysh-config
+!
+debug bgp keepalives
+debug bgp neighbor-events
+debug bgp updates in
+debug bgp updates out
+!
+router bgp 100
+ bgp router-id 9.9.9.9
+ no bgp ebgp-requires-policy
+ bgp bestpath aigp
+ neighbor 172.31.2.47 remote-as 200
+ !
+ address-family ipv4 unicast
+  neighbor 172.31.2.47 default-originate
+  neighbor 172.31.2.47 route-map RM_IN in
+ exit-address-family
+exit
+!
+route-map RM_IN permit 10
+ set as-path prepend 200
+exit
+!
+```
+The issue is that we try to process NLRIs even if the attribute length is 0.
+Later bgp_update() will handle route-maps and a crash occurs because all the
+attributes are NULL, including aspath, where we dereference.
+According to the RFC 4271:
+A value of 0 indicates that neither the Network Layer
+         Reachability Information field nor the Path Attribute field is
+         present in this UPDATE message.
+But with a fuzzed UPDATE message this can be faked. I think it's reasonable
+to skip processing NLRIs if both update_len and attribute_len are 0.
+Reported-by: Iggy Frankovic <iggyfran@amazon.com>
+Signed-off-by: Donatas Abraitis <donatas@opensourcerouting.org>
+CVE: CVE-2023-41358
+Upstream-Status: Backport [https://github.com/FRRouting/frr/pull/14260/commits/28ccc24d38df1d51ed8a563507e5d6f6171fdd38]
+Signed-off-by: Narpat Mali <narpat.mali@windriver.com>
+---
+ bgpd/bgp_packet.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+diff --git a/bgpd/bgp_packet.c b/bgpd/bgp_packet.c
+index 0166dc6a2..2fd28aae3 100644
+--- a/bgpd/bgp_packet.c
+++ b/bgpd/bgp_packet.c
+@@ -1767,7 +1767,7 @@ static int bgp_update_receive(struct peer *peer, bgp_size_t size)
+        /* Network Layer Reachability Information. */
+        update_len = end - stream_pnt(s);
+-       if (update_len) {
+       if (update_len && attribute_len) {
+                /* Set NLRI portion to structure. */
+                nlris[NLRI_UPDATE].afi = AFI_IP;
+                nlris[NLRI_UPDATE].safi = SAFI_UNICAST;
+--
+2.40.0
diff --git a/meta-networking/recipes-protocols/frr/frr_8.2.2.bb b/meta-networking/recipes-protocols/frr/frr_8.2.2.bb
index 1897eb2abd..7af584835f 100644
--- a/meta-networking/recipes-protocols/frr/frr_8.2.2.bb
+++ b/meta-networking/recipes-protocols/frr/frr_8.2.2.bb
@@ -18,6 +18,8 @@ SRC_URI = "git://github.com/FRRouting/frr.git;protocol=https;branch=stable/8.2 \
           file://CVE-2022-43681.patch \
           file://CVE-2023-31489.patch \
           file://CVE-2023-31490.patch \
+           file://CVE-2023-38802.patch \
+           file://CVE-2023-41358.patch \
           file://frr.pam \
              "
author	Narpat Mali <narpat.mali@windriver.com>	2023-09-05 13:12:21 +0000
committer	Armin Kuster <akuster808@gmail.com>	2023-09-06 09:12:30 -0400
commit	0901bb4c6a315a48a0fcb49a51e0ff6547e37087 (patch)
tree	23e9bcfab4863c7739ba28f0b005ff9cb5686a9f
parent	bef3ed137ba5cea67b8ed862b1af599d1c8e3867 (diff)
download	meta-openembedded-0901bb4c6a315a48a0fcb49a51e0ff6547e37087.tar.gz

diff --git a/meta-networking/recipes-protocols/frr/frr/CVE-2023-38802.patch b/meta-networking/recipes-protocols/frr/frr/CVE-2023-38802.patch new file mode 100644 index 0000000000..60801bf06e --- /dev/null +++ b/meta-networking/recipes-protocols/frr/frr/CVE-2023-38802.patch
@@ -0,0 +1,136 @@
		1	From ad32e04f3db364694edc678327326ae6b771db9e Mon Sep 17 00:00:00 2001
		2	From: Donatas Abraitis <donatas@opensourcerouting.org>
		3	Date: Tue, 5 Sep 2023 11:30:53 +0000
		4	Subject: [PATCH 1/2] bgpd: Use treat-as-withdraw for tunnel encapsulation
		5	attribute
		6
		7	Before this path we used session reset method, which is discouraged by rfc7606.
		8
		9	Handle this as rfc requires.
		10
		11	Signed-off-by: Donatas Abraitis <donatas@opensourcerouting.org>
		12
		13	CVE: CVE-2023-38802
		14
		15	Upstream-Status: Backport [https://github.com/FRRouting/frr/commit/bcb6b58d9530173df41d3a3cbc4c600ee0b4b186]
		16
		17	Signed-off-by: Narpat Mali <narpat.mali@windriver.com>
		18	---
		19	bgpd/bgp_attr.c \| 61 ++++++++++++++++++++-----------------------------
		20	1 file changed, 25 insertions(+), 36 deletions(-)
		21
		22	diff --git a/bgpd/bgp_attr.c b/bgpd/bgp_attr.c
		23	index 5d06991e2..b10a60351 100644
		24	--- a/bgpd/bgp_attr.c
		25	+++ b/bgpd/bgp_attr.c
		26	@@ -1310,6 +1310,7 @@ bgp_attr_malformed(struct bgp_attr_parser_args *args, uint8_t subcode,
		27	case BGP_ATTR_LARGE_COMMUNITIES:
		28	case BGP_ATTR_ORIGINATOR_ID:
		29	case BGP_ATTR_CLUSTER_LIST:
		30	+ case BGP_ATTR_ENCAP:
		31	return BGP_ATTR_PARSE_WITHDRAW;
		32	case BGP_ATTR_MP_REACH_NLRI:
		33	case BGP_ATTR_MP_UNREACH_NLRI:
		34	@@ -2411,26 +2412,21 @@ bgp_attr_ipv6_ext_communities(struct bgp_attr_parser_args *args)
		35	}
		36
		37	/* Parse Tunnel Encap attribute in an UPDATE */
		38	-static int bgp_attr_encap(uint8_t type, struct peer peer, / IN */
		39	- bgp_size_t length, /* IN: attr's length field */
		40	- struct attr attr, / IN: caller already allocated */
		41	- uint8_t flag, /* IN: attr's flags field */
		42	- uint8_t *startp)
		43	+static int bgp_attr_encap(struct bgp_attr_parser_args *args)
		44	{
		45	- bgp_size_t total;
		46	uint16_t tunneltype = 0;
		47	-
		48	- total = length + (CHECK_FLAG(flag, BGP_ATTR_FLAG_EXTLEN) ? 4 : 3);
		49	+ struct peer *const peer = args->peer;
		50	+ struct attr *const attr = args->attr;
		51	+ bgp_size_t length = args->length;
		52	+ uint8_t type = args->type;
		53	+ uint8_t flag = args->flags;
		54
		55	if (!CHECK_FLAG(flag, BGP_ATTR_FLAG_TRANS)
		56	\|\| !CHECK_FLAG(flag, BGP_ATTR_FLAG_OPTIONAL)) {
		57	- zlog_info(
		58	- "Tunnel Encap attribute flag isn't optional and transitive %d",
		59	- flag);
		60	- bgp_notify_send_with_data(peer, BGP_NOTIFY_UPDATE_ERR,
		61	- BGP_NOTIFY_UPDATE_ATTR_FLAG_ERR,
		62	- startp, total);
		63	- return -1;
		64	+ zlog_err("Tunnel Encap attribute flag isn't optional and transitive %d",
		65	+ flag);
		66	+ return bgp_attr_malformed(args, BGP_NOTIFY_UPDATE_OPT_ATTR_ERR,
		67	+ args->total);
		68	}
		69
		70	if (BGP_ATTR_ENCAP == type) {
		71	@@ -2438,12 +2434,11 @@ static int bgp_attr_encap(uint8_t type, struct peer peer, / IN */
		72	uint16_t tlv_length;
		73
		74	if (length < 4) {
		75	- zlog_info(
		76	+ zlog_err(
		77	"Tunnel Encap attribute not long enough to contain outer T,L");
		78	- bgp_notify_send_with_data(
		79	- peer, BGP_NOTIFY_UPDATE_ERR,
		80	- BGP_NOTIFY_UPDATE_OPT_ATTR_ERR, startp, total);
		81	- return -1;
		82	+ return bgp_attr_malformed(args,
		83	+ BGP_NOTIFY_UPDATE_OPT_ATTR_ERR,
		84	+ args->total);
		85	}
		86	tunneltype = stream_getw(BGP_INPUT(peer));
		87	tlv_length = stream_getw(BGP_INPUT(peer));
		88	@@ -2473,13 +2468,11 @@ static int bgp_attr_encap(uint8_t type, struct peer peer, / IN */
		89	}
		90
		91	if (sublength > length) {
		92	- zlog_info(
		93	- "Tunnel Encap attribute sub-tlv length %d exceeds remaining length %d",
		94	- sublength, length);
		95	- bgp_notify_send_with_data(
		96	- peer, BGP_NOTIFY_UPDATE_ERR,
		97	- BGP_NOTIFY_UPDATE_OPT_ATTR_ERR, startp, total);
		98	- return -1;
		99	+ zlog_err("Tunnel Encap attribute sub-tlv length %d exceeds remaining length %d",
		100	+ sublength, length);
		101	+ return bgp_attr_malformed(args,
		102	+ BGP_NOTIFY_UPDATE_OPT_ATTR_ERR,
		103	+ args->total);
		104	}
		105
		106	/* alloc and copy sub-tlv */
		107	@@ -2527,13 +2520,10 @@ static int bgp_attr_encap(uint8_t type, struct peer peer, / IN */
		108
		109	if (length) {
		110	/* spurious leftover data */
		111	- zlog_info(
		112	- "Tunnel Encap attribute length is bad: %d leftover octets",
		113	- length);
		114	- bgp_notify_send_with_data(peer, BGP_NOTIFY_UPDATE_ERR,
		115	- BGP_NOTIFY_UPDATE_OPT_ATTR_ERR,
		116	- startp, total);
		117	- return -1;
		118	+ zlog_err("Tunnel Encap attribute length is bad: %d leftover octets",
		119	+ length);
		120	+ return bgp_attr_malformed(args, BGP_NOTIFY_UPDATE_OPT_ATTR_ERR,
		121	+ args->total);
		122	}
		123
		124	return 0;
		125	@@ -3332,8 +3322,7 @@ bgp_attr_parse_ret_t bgp_attr_parse(struct peer peer, struct attr attr,
		126	case BGP_ATTR_VNC:
		127	#endif
		128	case BGP_ATTR_ENCAP:
		129	- ret = bgp_attr_encap(type, peer, length, attr, flag,
		130	- startp);
		131	+ ret = bgp_attr_encap(&attr_args);
		132	break;
		133	case BGP_ATTR_PREFIX_SID:
		134	ret = bgp_attr_prefix_sid(&attr_args);
		135	--
		136	2.40.0


diff --git a/meta-networking/recipes-protocols/frr/frr/CVE-2023-41358.patch b/meta-networking/recipes-protocols/frr/frr/CVE-2023-41358.patch new file mode 100644 index 0000000000..e10d3e5267 --- /dev/null +++ b/meta-networking/recipes-protocols/frr/frr/CVE-2023-41358.patch
@@ -0,0 +1,105 @@
		1	From ef9b66e742f9016b3bf283920b528cf20d2c969f Mon Sep 17 00:00:00 2001
		2	From: Donatas Abraitis <donatas@opensourcerouting.org>
		3	Date: Tue, 5 Sep 2023 11:36:13 +0000
		4	Subject: [PATCH 2/2] bgpd: Do not process NLRIs if the attribute length is
		5	zero
		6
		7	```
		8	3 0x00007f423aa42476 in __GI_raise (sig=sig@entry=11) at ../sysdeps/posix/raise.c:26
		9	4 0x00007f423aef9740 in core_handler (signo=11, siginfo=0x7fffc414deb0, context=<optimized out>) at lib/sigevent.c:246
		10	5 <signal handler called>
		11	6 0x0000564dea2fc71e in route_set_aspath_prepend (rule=0x564debd66d50, prefix=0x7fffc414ea30, object=0x7fffc414e400)
		12	at bgpd/bgp_routemap.c:2258
		13	7 0x00007f423aeec7e0 in route_map_apply_ext (map=<optimized out>, prefix=prefix@entry=0x7fffc414ea30,
		14	match_object=match_object@entry=0x7fffc414e400, set_object=set_object@entry=0x7fffc414e400, pref=pref@entry=0x0) at lib/routemap.c:2690
		15	8 0x0000564dea2d277e in bgp_input_modifier (peer=peer@entry=0x7f4238f59010, p=p@entry=0x7fffc414ea30, attr=attr@entry=0x7fffc414e770,
		16	afi=afi@entry=AFI_IP, safi=safi@entry=SAFI_UNICAST, rmap_name=rmap_name@entry=0x0, label=0x0, num_labels=0, dest=0x564debdd5130)
		17	at bgpd/bgp_route.c:1772
		18	9 0x0000564dea2df762 in bgp_update (peer=peer@entry=0x7f4238f59010, p=p@entry=0x7fffc414ea30, addpath_id=addpath_id@entry=0,
		19	attr=0x7fffc414eb50, afi=afi@entry=AFI_IP, safi=<optimized out>, safi@entry=SAFI_UNICAST, type=9, sub_type=0, prd=0x0, label=0x0,
		20	num_labels=0, soft_reconfig=0, evpn=0x0) at bgpd/bgp_route.c:4374
		21	10 0x0000564dea2e2047 in bgp_nlri_parse_ip (peer=0x7f4238f59010, attr=attr@entry=0x7fffc414eb50, packet=0x7fffc414eaf0)
		22	at bgpd/bgp_route.c:6249
		23	11 0x0000564dea2c5a58 in bgp_nlri_parse (peer=peer@entry=0x7f4238f59010, attr=attr@entry=0x7fffc414eb50,
		24	packet=packet@entry=0x7fffc414eaf0, mp_withdraw=mp_withdraw@entry=false) at bgpd/bgp_packet.c:339
		25	12 0x0000564dea2c5d66 in bgp_update_receive (peer=peer@entry=0x7f4238f59010, size=size@entry=109) at bgpd/bgp_packet.c:2024
		26	13 0x0000564dea2c901d in bgp_process_packet (thread=<optimized out>) at bgpd/bgp_packet.c:2933
		27	14 0x00007f423af0bf71 in event_call (thread=thread@entry=0x7fffc414ee40) at lib/event.c:1995
		28	15 0x00007f423aebb198 in frr_run (master=0x564deb73c670) at lib/libfrr.c:1213
		29	16 0x0000564dea261b83 in main (argc=<optimized out>, argv=<optimized out>) at bgpd/bgp_main.c:505
		30	```
		31
		32	With the configuration:
		33
		34	```
		35	frr version 9.1-dev-MyOwnFRRVersion
		36	frr defaults traditional
		37	hostname ip-172-31-13-140
		38	log file /tmp/debug.log
		39	log syslog
		40	service integrated-vtysh-config
		41	!
		42	debug bgp keepalives
		43	debug bgp neighbor-events
		44	debug bgp updates in
		45	debug bgp updates out
		46	!
		47	router bgp 100
		48	bgp router-id 9.9.9.9
		49	no bgp ebgp-requires-policy
		50	bgp bestpath aigp
		51	neighbor 172.31.2.47 remote-as 200
		52	!
		53	address-family ipv4 unicast
		54	neighbor 172.31.2.47 default-originate
		55	neighbor 172.31.2.47 route-map RM_IN in
		56	exit-address-family
		57	exit
		58	!
		59	route-map RM_IN permit 10
		60	set as-path prepend 200
		61	exit
		62	!
		63	```
		64
		65	The issue is that we try to process NLRIs even if the attribute length is 0.
		66
		67	Later bgp_update() will handle route-maps and a crash occurs because all the
		68	attributes are NULL, including aspath, where we dereference.
		69
		70	According to the RFC 4271:
		71
		72	A value of 0 indicates that neither the Network Layer
		73	Reachability Information field nor the Path Attribute field is
		74	present in this UPDATE message.
		75
		76	But with a fuzzed UPDATE message this can be faked. I think it's reasonable
		77	to skip processing NLRIs if both update_len and attribute_len are 0.
		78
		79	Reported-by: Iggy Frankovic <iggyfran@amazon.com>
		80	Signed-off-by: Donatas Abraitis <donatas@opensourcerouting.org>
		81
		82	CVE: CVE-2023-41358
		83
		84	Upstream-Status: Backport [https://github.com/FRRouting/frr/pull/14260/commits/28ccc24d38df1d51ed8a563507e5d6f6171fdd38]
		85
		86	Signed-off-by: Narpat Mali <narpat.mali@windriver.com>
		87	---
		88	bgpd/bgp_packet.c \| 2 +-
		89	1 file changed, 1 insertion(+), 1 deletion(-)
		90
		91	diff --git a/bgpd/bgp_packet.c b/bgpd/bgp_packet.c
		92	index 0166dc6a2..2fd28aae3 100644
		93	--- a/bgpd/bgp_packet.c
		94	+++ b/bgpd/bgp_packet.c
		95	@@ -1767,7 +1767,7 @@ static int bgp_update_receive(struct peer *peer, bgp_size_t size)
		96	/* Network Layer Reachability Information. */
		97	update_len = end - stream_pnt(s);
		98
		99	- if (update_len) {
		100	+ if (update_len && attribute_len) {
		101	/* Set NLRI portion to structure. */
		102	nlris[NLRI_UPDATE].afi = AFI_IP;
		103	nlris[NLRI_UPDATE].safi = SAFI_UNICAST;
		104	--
		105	2.40.0


diff --git a/meta-networking/recipes-protocols/frr/frr_8.2.2.bb b/meta-networking/recipes-protocols/frr/frr_8.2.2.bb index 1897eb2abd..7af584835f 100644 --- a/meta-networking/recipes-protocols/frr/frr_8.2.2.bb +++ b/meta-networking/recipes-protocols/frr/frr_8.2.2.bb
@@ -18,6 +18,8 @@ SRC_URI = "git://github.com/FRRouting/frr.git;protocol=https;branch=stable/8.2 \
18	file://CVE-2022-43681.patch \	18	file://CVE-2022-43681.patch \
19	file://CVE-2023-31489.patch \	19	file://CVE-2023-31489.patch \
20	file://CVE-2023-31490.patch \	20	file://CVE-2023-31490.patch \
		21	file://CVE-2023-38802.patch \
		22	file://CVE-2023-41358.patch \
21	file://frr.pam \	23	file://frr.pam \
22	"	24	"
23		25