frr: fix for CVE-2023-31490

An issue found in Frrouting bgpd v.8.4.2 allows a remote attacker to cause a denial of service via the bgp_attr_psid_sub() function. References: https://nvd.nist.gov/vuln/detail/CVE-2023-31490 https://github.com/FRRouting/frr/issues/13099 Signed-off-by: Narpat Mali <narpat.mali@windriver.com> [Fixup so patch would apply] Signed-off-by: Armin Kuster <akuster808@gmail.com>
author: Narpat Mali <narpat.mali@windriver.com> 2023-07-13 05:52:49 +0000
committer: Armin Kuster <akuster808@gmail.com> 2023-07-16 15:31:05 -0400
commit: 8ab74bed48e882b880f2e9c2e195f4b1c95c0b0e (patch)
tree: a4abc3459493f150d9913ffd7b17eea22597868d
parent: b541346589eb61cdb57357477f12fdf4c8179c05 (diff)
download: meta-openembedded-8ab74bed48e882b880f2e9c2e195f4b1c95c0b0e.tar.gz
2 files changed, 161 insertions, 0 deletions
diff --git a/meta-networking/recipes-protocols/frr/frr/CVE-2023-31490.patch b/meta-networking/recipes-protocols/frr/frr/CVE-2023-31490.patch
new file mode 100644
index 0000000000..893c856c66
--- /dev/null
+++ b/meta-networking/recipes-protocols/frr/frr/CVE-2023-31490.patch
@@ -0,0 +1,160 @@
+From 72c13aac2eb7c8f3a10ad806d80ab635c28f4c04 Mon Sep 17 00:00:00 2001
+From: Donald Sharp <sharpd@nvidia.com>
+Date: Wed, 21 Jun 2023 15:24:50 +0000
+Subject: [PATCH] bgpd: Ensure stream received has enough data
+BGP_PREFIX_SID_SRV6_L3_SERVICE attributes must not
+fully trust the length value specified in the nlri.
+Always ensure that the amount of data we need to read
+can be fullfilled.
+Reported-by: Iggy Frankovic <iggyfran@amazon.com>
+Signed-off-by: Donald Sharp <sharpd@nvidia.com>
+CVE: CVE-2023-31490
+Upstream-Status: Backport [https://github.com/FRRouting/frr/pull/12454/commits/06431bfa7570f169637ebb5898f0b0cc3b010802]
+Signed-off-by: Narpat Mali <narpat.mali@windriver.com>
+---
+ bgpd/bgp_attr.c | 79 ++++++++++++++++---------------------------------
+ 1 file changed, 25 insertions(+), 54 deletions(-)
+diff --git a/bgpd/bgp_attr.c b/bgpd/bgp_attr.c
+index 2154baf4e..5d06991e2 100644
+--- a/bgpd/bgp_attr.c
+++ b/bgpd/bgp_attr.c
+@@ -2722,9 +2722,21 @@ static bgp_attr_parse_ret_t bgp_attr_psid_sub(uint8_t type, uint16_t length,
+        uint8_t sid_type, sid_flags;
+        char buf[BUFSIZ];
+       /*
+        * Check that we actually have at least as much data as
+        * specified by the length field
+        */
+       if (STREAM_READABLE(peer->curr) < length) {
+               flog_err(
+                       EC_BGP_ATTR_LEN,
+                       "Prefix SID specifies length %hu, but only %zu bytes remain",
+                       length, STREAM_READABLE(peer->curr));
+               return bgp_attr_malformed(args, BGP_NOTIFY_UPDATE_ATTR_LENG_ERR,
+                                         args->total);
+       }
+
+        if (type == BGP_PREFIX_SID_LABEL_INDEX) {
+-               if (STREAM_READABLE(peer->curr) < length
+-                   || length != BGP_PREFIX_SID_LABEL_INDEX_LENGTH) {
+               if (length != BGP_PREFIX_SID_LABEL_INDEX_LENGTH) {
+                        flog_err(EC_BGP_ATTR_LEN,
+                                 "Prefix SID label index length is %hu instead of %u",
+                                 length, BGP_PREFIX_SID_LABEL_INDEX_LENGTH);
+@@ -2746,12 +2758,8 @@ static bgp_attr_parse_ret_t bgp_attr_psid_sub(uint8_t type, uint16_t length,
+                /* Store label index; subsequently, we'll check on
+                 * address-family */
+                attr->label_index = label_index;
+-       }
+-
+-       /* Placeholder code for the IPv6 SID type */
+-       else if (type == BGP_PREFIX_SID_IPV6) {
+-               if (STREAM_READABLE(peer->curr) < length
+-                   || length != BGP_PREFIX_SID_IPV6_LENGTH) {
+       } else if (type == BGP_PREFIX_SID_IPV6) {
+               if (length != BGP_PREFIX_SID_IPV6_LENGTH) {
+                        flog_err(EC_BGP_ATTR_LEN,
+                                 "Prefix SID IPv6 length is %hu instead of %u",
+                                 length, BGP_PREFIX_SID_IPV6_LENGTH);
+@@ -2765,10 +2773,7 @@ static bgp_attr_parse_ret_t bgp_attr_psid_sub(uint8_t type, uint16_t length,
+                stream_getw(peer->curr);
+                stream_get(&ipv6_sid, peer->curr, 16);
+-       }
+-
+-       /* Placeholder code for the Originator SRGB type */
+-       else if (type == BGP_PREFIX_SID_ORIGINATOR_SRGB) {
+       } else if (type == BGP_PREFIX_SID_ORIGINATOR_SRGB) {
+                /*
+                 * ietf-idr-bgp-prefix-sid-05:
+                 *     Length is the total length of the value portion of the
+@@ -2793,19 +2798,6 @@ static bgp_attr_parse_ret_t bgp_attr_psid_sub(uint8_t type, uint16_t length,
+                                args->total);
+                }
+-               /*
+-                * Check that we actually have at least as much data as
+-                * specified by the length field
+-                */
+-               if (STREAM_READABLE(peer->curr) < length) {
+-                       flog_err(EC_BGP_ATTR_LEN,
+-                                "Prefix SID Originator SRGB specifies length %hu, but only %zu bytes remain",
+-                                length, STREAM_READABLE(peer->curr));
+-                       return bgp_attr_malformed(
+-                               args, BGP_NOTIFY_UPDATE_ATTR_LENG_ERR,
+-                               args->total);
+-               }
+-
+                /*
+                 * Check that the portion of the TLV containing the sequence of
+                 * SRGBs corresponds to a multiple of the SRGB size; to get
+@@ -2829,12 +2821,8 @@ static bgp_attr_parse_ret_t bgp_attr_psid_sub(uint8_t type, uint16_t length,
+                        stream_get(&srgb_base, peer->curr, 3);
+                        stream_get(&srgb_range, peer->curr, 3);
+                }
+-       }
+-
+-       /* Placeholder code for the VPN-SID Service type */
+-       else if (type == BGP_PREFIX_SID_VPN_SID) {
+-               if (STREAM_READABLE(peer->curr) < length
+-                   || length != BGP_PREFIX_SID_VPN_SID_LENGTH) {
+       } else if (type == BGP_PREFIX_SID_VPN_SID) {
+               if (length != BGP_PREFIX_SID_VPN_SID_LENGTH) {
+                        flog_err(EC_BGP_ATTR_LEN,
+                                 "Prefix SID VPN SID length is %hu instead of %u",
+                                 length, BGP_PREFIX_SID_VPN_SID_LENGTH);
+@@ -2870,39 +2858,22 @@ static bgp_attr_parse_ret_t bgp_attr_psid_sub(uint8_t type, uint16_t length,
+                attr->srv6_vpn->sid_flags = sid_flags;
+                sid_copy(&attr->srv6_vpn->sid, &ipv6_sid);
+                attr->srv6_vpn = srv6_vpn_intern(attr->srv6_vpn);
+-       }
+-
+-       /* Placeholder code for the SRv6 L3 Service type */
+-       else if (type == BGP_PREFIX_SID_SRV6_L3_SERVICE) {
+-               if (STREAM_READABLE(peer->curr) < length) {
+       } else if (type == BGP_PREFIX_SID_SRV6_L3_SERVICE) {
+               if (STREAM_READABLE(peer->curr) < 1) {
+                        flog_err(
+                                EC_BGP_ATTR_LEN,
+-                               "Prefix SID SRv6 L3-Service length is %hu, but only %zu bytes remain",
+-                               length, STREAM_READABLE(peer->curr));
+-                       return bgp_attr_malformed(args,
+-                                BGP_NOTIFY_UPDATE_ATTR_LENG_ERR,
+-                                args->total);
+                               "Prefix SID SRV6 L3 Service not enough data left, it must be at least 1 byte");
+                       return bgp_attr_malformed(
+                               args, BGP_NOTIFY_UPDATE_ATTR_LENG_ERR,
+                               args->total);
+                }
+-
+                /* ignore reserved */
+                stream_getc(peer->curr);
+                return bgp_attr_srv6_service(args);
+        }
+-
+        /* Placeholder code for Unsupported TLV */
+        else {
+-
+-               if (STREAM_READABLE(peer->curr) < length) {
+-                       flog_err(
+-                               EC_BGP_ATTR_LEN,
+-                               "Prefix SID SRv6 length is %hu - too long, only %zu remaining in this UPDATE",
+-                               length, STREAM_READABLE(peer->curr));
+-                       return bgp_attr_malformed(
+-                               args, BGP_NOTIFY_UPDATE_ATTR_LENG_ERR,
+-                               args->total);
+-               }
+-
+                if (bgp_debug_update(peer, NULL, NULL, 1))
+                        zlog_debug(
+                                "%s attr Prefix-SID sub-type=%u is not supported, skipped",
+--
+2.40.0
diff --git a/meta-networking/recipes-protocols/frr/frr_8.2.2.bb b/meta-networking/recipes-protocols/frr/frr_8.2.2.bb
index c98607a0dc..1897eb2abd 100644
--- a/meta-networking/recipes-protocols/frr/frr_8.2.2.bb
+++ b/meta-networking/recipes-protocols/frr/frr_8.2.2.bb
@@ -17,6 +17,7 @@ SRC_URI = "git://github.com/FRRouting/frr.git;protocol=https;branch=stable/8.2 \
           file://CVE-2022-40318.patch \
           file://CVE-2022-43681.patch \
           file://CVE-2023-31489.patch \
+           file://CVE-2023-31490.patch \
           file://frr.pam \
              "
author	Narpat Mali <narpat.mali@windriver.com>	2023-07-13 05:52:49 +0000
committer	Armin Kuster <akuster808@gmail.com>	2023-07-16 15:31:05 -0400
commit	8ab74bed48e882b880f2e9c2e195f4b1c95c0b0e (patch)
tree	a4abc3459493f150d9913ffd7b17eea22597868d
parent	b541346589eb61cdb57357477f12fdf4c8179c05 (diff)
download	meta-openembedded-8ab74bed48e882b880f2e9c2e195f4b1c95c0b0e.tar.gz

diff --git a/meta-networking/recipes-protocols/frr/frr/CVE-2023-31490.patch b/meta-networking/recipes-protocols/frr/frr/CVE-2023-31490.patch new file mode 100644 index 0000000000..893c856c66 --- /dev/null +++ b/meta-networking/recipes-protocols/frr/frr/CVE-2023-31490.patch
@@ -0,0 +1,160 @@
		1	From 72c13aac2eb7c8f3a10ad806d80ab635c28f4c04 Mon Sep 17 00:00:00 2001
		2	From: Donald Sharp <sharpd@nvidia.com>
		3	Date: Wed, 21 Jun 2023 15:24:50 +0000
		4	Subject: [PATCH] bgpd: Ensure stream received has enough data
		5
		6	BGP_PREFIX_SID_SRV6_L3_SERVICE attributes must not
		7	fully trust the length value specified in the nlri.
		8	Always ensure that the amount of data we need to read
		9	can be fullfilled.
		10
		11	Reported-by: Iggy Frankovic <iggyfran@amazon.com>
		12	Signed-off-by: Donald Sharp <sharpd@nvidia.com>
		13
		14	CVE: CVE-2023-31490
		15
		16	Upstream-Status: Backport [https://github.com/FRRouting/frr/pull/12454/commits/06431bfa7570f169637ebb5898f0b0cc3b010802]
		17
		18	Signed-off-by: Narpat Mali <narpat.mali@windriver.com>
		19	---
		20	bgpd/bgp_attr.c \| 79 ++++++++++++++++---------------------------------
		21	1 file changed, 25 insertions(+), 54 deletions(-)
		22
		23	diff --git a/bgpd/bgp_attr.c b/bgpd/bgp_attr.c
		24	index 2154baf4e..5d06991e2 100644
		25	--- a/bgpd/bgp_attr.c
		26	+++ b/bgpd/bgp_attr.c
		27	@@ -2722,9 +2722,21 @@ static bgp_attr_parse_ret_t bgp_attr_psid_sub(uint8_t type, uint16_t length,
		28	uint8_t sid_type, sid_flags;
		29	char buf[BUFSIZ];
		30
		31	+ /*
		32	+ * Check that we actually have at least as much data as
		33	+ * specified by the length field
		34	+ */
		35	+ if (STREAM_READABLE(peer->curr) < length) {
		36	+ flog_err(
		37	+ EC_BGP_ATTR_LEN,
		38	+ "Prefix SID specifies length %hu, but only %zu bytes remain",
		39	+ length, STREAM_READABLE(peer->curr));
		40	+ return bgp_attr_malformed(args, BGP_NOTIFY_UPDATE_ATTR_LENG_ERR,
		41	+ args->total);
		42	+ }
		43	+
		44	if (type == BGP_PREFIX_SID_LABEL_INDEX) {
		45	- if (STREAM_READABLE(peer->curr) < length
		46	- \|\| length != BGP_PREFIX_SID_LABEL_INDEX_LENGTH) {
		47	+ if (length != BGP_PREFIX_SID_LABEL_INDEX_LENGTH) {
		48	flog_err(EC_BGP_ATTR_LEN,
		49	"Prefix SID label index length is %hu instead of %u",
		50	length, BGP_PREFIX_SID_LABEL_INDEX_LENGTH);
		51	@@ -2746,12 +2758,8 @@ static bgp_attr_parse_ret_t bgp_attr_psid_sub(uint8_t type, uint16_t length,
		52	/* Store label index; subsequently, we'll check on
		53	* address-family */
		54	attr->label_index = label_index;
		55	- }
		56	-
		57	- /* Placeholder code for the IPv6 SID type */
		58	- else if (type == BGP_PREFIX_SID_IPV6) {
		59	- if (STREAM_READABLE(peer->curr) < length
		60	- \|\| length != BGP_PREFIX_SID_IPV6_LENGTH) {
		61	+ } else if (type == BGP_PREFIX_SID_IPV6) {
		62	+ if (length != BGP_PREFIX_SID_IPV6_LENGTH) {
		63	flog_err(EC_BGP_ATTR_LEN,
		64	"Prefix SID IPv6 length is %hu instead of %u",
		65	length, BGP_PREFIX_SID_IPV6_LENGTH);
		66	@@ -2765,10 +2773,7 @@ static bgp_attr_parse_ret_t bgp_attr_psid_sub(uint8_t type, uint16_t length,
		67	stream_getw(peer->curr);
		68
		69	stream_get(&ipv6_sid, peer->curr, 16);
		70	- }
		71	-
		72	- /* Placeholder code for the Originator SRGB type */
		73	- else if (type == BGP_PREFIX_SID_ORIGINATOR_SRGB) {
		74	+ } else if (type == BGP_PREFIX_SID_ORIGINATOR_SRGB) {
		75	/*
		76	* ietf-idr-bgp-prefix-sid-05:
		77	* Length is the total length of the value portion of the
		78	@@ -2793,19 +2798,6 @@ static bgp_attr_parse_ret_t bgp_attr_psid_sub(uint8_t type, uint16_t length,
		79	args->total);
		80	}
		81
		82	- /*
		83	- * Check that we actually have at least as much data as
		84	- * specified by the length field
		85	- */
		86	- if (STREAM_READABLE(peer->curr) < length) {
		87	- flog_err(EC_BGP_ATTR_LEN,
		88	- "Prefix SID Originator SRGB specifies length %hu, but only %zu bytes remain",
		89	- length, STREAM_READABLE(peer->curr));
		90	- return bgp_attr_malformed(
		91	- args, BGP_NOTIFY_UPDATE_ATTR_LENG_ERR,
		92	- args->total);
		93	- }
		94	-
		95	/*
		96	* Check that the portion of the TLV containing the sequence of
		97	* SRGBs corresponds to a multiple of the SRGB size; to get
		98	@@ -2829,12 +2821,8 @@ static bgp_attr_parse_ret_t bgp_attr_psid_sub(uint8_t type, uint16_t length,
		99	stream_get(&srgb_base, peer->curr, 3);
		100	stream_get(&srgb_range, peer->curr, 3);
		101	}
		102	- }
		103	-
		104	- /* Placeholder code for the VPN-SID Service type */
		105	- else if (type == BGP_PREFIX_SID_VPN_SID) {
		106	- if (STREAM_READABLE(peer->curr) < length
		107	- \|\| length != BGP_PREFIX_SID_VPN_SID_LENGTH) {
		108	+ } else if (type == BGP_PREFIX_SID_VPN_SID) {
		109	+ if (length != BGP_PREFIX_SID_VPN_SID_LENGTH) {
		110	flog_err(EC_BGP_ATTR_LEN,
		111	"Prefix SID VPN SID length is %hu instead of %u",
		112	length, BGP_PREFIX_SID_VPN_SID_LENGTH);
		113	@@ -2870,39 +2858,22 @@ static bgp_attr_parse_ret_t bgp_attr_psid_sub(uint8_t type, uint16_t length,
		114	attr->srv6_vpn->sid_flags = sid_flags;
		115	sid_copy(&attr->srv6_vpn->sid, &ipv6_sid);
		116	attr->srv6_vpn = srv6_vpn_intern(attr->srv6_vpn);
		117	- }
		118	-
		119	- /* Placeholder code for the SRv6 L3 Service type */
		120	- else if (type == BGP_PREFIX_SID_SRV6_L3_SERVICE) {
		121	- if (STREAM_READABLE(peer->curr) < length) {
		122	+ } else if (type == BGP_PREFIX_SID_SRV6_L3_SERVICE) {
		123	+ if (STREAM_READABLE(peer->curr) < 1) {
		124	flog_err(
		125	EC_BGP_ATTR_LEN,
		126	- "Prefix SID SRv6 L3-Service length is %hu, but only %zu bytes remain",
		127	- length, STREAM_READABLE(peer->curr));
		128	- return bgp_attr_malformed(args,
		129	- BGP_NOTIFY_UPDATE_ATTR_LENG_ERR,
		130	- args->total);
		131	+ "Prefix SID SRV6 L3 Service not enough data left, it must be at least 1 byte");
		132	+ return bgp_attr_malformed(
		133	+ args, BGP_NOTIFY_UPDATE_ATTR_LENG_ERR,
		134	+ args->total);
		135	}
		136	-
		137	/* ignore reserved */
		138	stream_getc(peer->curr);
		139
		140	return bgp_attr_srv6_service(args);
		141	}
		142	-
		143	/* Placeholder code for Unsupported TLV */
		144	else {
		145	-
		146	- if (STREAM_READABLE(peer->curr) < length) {
		147	- flog_err(
		148	- EC_BGP_ATTR_LEN,
		149	- "Prefix SID SRv6 length is %hu - too long, only %zu remaining in this UPDATE",
		150	- length, STREAM_READABLE(peer->curr));
		151	- return bgp_attr_malformed(
		152	- args, BGP_NOTIFY_UPDATE_ATTR_LENG_ERR,
		153	- args->total);
		154	- }
		155	-
		156	if (bgp_debug_update(peer, NULL, NULL, 1))
		157	zlog_debug(
		158	"%s attr Prefix-SID sub-type=%u is not supported, skipped",
		159	--
		160	2.40.0


diff --git a/meta-networking/recipes-protocols/frr/frr_8.2.2.bb b/meta-networking/recipes-protocols/frr/frr_8.2.2.bb index c98607a0dc..1897eb2abd 100644 --- a/meta-networking/recipes-protocols/frr/frr_8.2.2.bb +++ b/meta-networking/recipes-protocols/frr/frr_8.2.2.bb
@@ -17,6 +17,7 @@ SRC_URI = "git://github.com/FRRouting/frr.git;protocol=https;branch=stable/8.2 \
17	file://CVE-2022-40318.patch \	17	file://CVE-2022-40318.patch \
18	file://CVE-2022-43681.patch \	18	file://CVE-2022-43681.patch \
19	file://CVE-2023-31489.patch \	19	file://CVE-2023-31489.patch \
		20	file://CVE-2023-31490.patch \
20	file://frr.pam \	21	file://frr.pam \
21	"	22	"
22		23