summaryrefslogtreecommitdiffstats
path: root/meta-networking
diff options
context:
space:
mode:
authorZhang Peng <peng.zhang1.cn@windriver.com>2025-11-19 13:58:30 +0800
committerAnuj Mittal <anuj.mittal@oss.qualcomm.com>2025-11-21 11:06:13 +0530
commite656a5b1817e074819c32b750ae4f5c6795971c6 (patch)
treeb54bc681e747ee94ec570eb8597a5bf7b3e661e3 /meta-networking
parentb79cf94b4d53d75ddc4b4f468c1b1ad42a3fffe2 (diff)
downloadmeta-openembedded-e656a5b1817e074819c32b750ae4f5c6795971c6.tar.gz
frr: fix CVE-2024-55553
CVE-2024-55553: In FRRouting (FRR) before 10.3 from 6.0 onward, all routes are re-validated if the total size of an update received via RTR exceeds the internal socket's buffer size, default 4K on most OSes. An attacker can use this to trigger re-parsing of the RIB for FRR routers using RTR by causing more than this number of updates during an update interval (usually 30 minutes). Additionally, this effect regularly occurs organically. Furthermore, an attacker can use this to trigger route validation continuously. Given that routers with large full tables may need more than 30 minutes to fully re-validate the table, continuous issuance/withdrawal of large numbers of ROA may be used to impact the route handling performance of all FRR instances using RPKI globally. Additionally, the re-validation will cause heightened BMP traffic to ingestors. Fixed Versions: 10.0.3, 10.1.2, 10.2.1, >= 10.3. Reference: [https://nvd.nist.gov/vuln/detail/CVE-2024-55553] Upstream patches: [https://github.com/FRRouting/frr/commit/b0800bfdf04b4fcf48504737ebfe4ba7f05268d3] Signed-off-by: Zhang Peng <peng.zhang1.cn@windriver.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
Diffstat (limited to 'meta-networking')
-rw-r--r--meta-networking/recipes-protocols/frr/frr/CVE-2024-55553.patch253
-rw-r--r--meta-networking/recipes-protocols/frr/frr_9.1.3.bb1
2 files changed, 254 insertions, 0 deletions
diff --git a/meta-networking/recipes-protocols/frr/frr/CVE-2024-55553.patch b/meta-networking/recipes-protocols/frr/frr/CVE-2024-55553.patch
new file mode 100644
index 0000000000..ac8dbcc2ed
--- /dev/null
+++ b/meta-networking/recipes-protocols/frr/frr/CVE-2024-55553.patch
@@ -0,0 +1,253 @@
1From c66b72ef6d10f3f77d4bdddd849436a16270dfc4 Mon Sep 17 00:00:00 2001
2From: Donatas Abraitis <donatas@opensourcerouting.org>
3Date: Wed, 4 Dec 2024 23:38:34 +0200
4Subject: [PATCH] bgpd: Validate only affected RPKI prefixes instead of a full
5 RIB
6
7Before this fix, if rpki_sync_socket_rtr socket returns EAGAIN, then ALL routes
8in the RIB are revalidated which takes lots of CPU and some unnecessary traffic,
9e.g. if using BMP servers. With a full feed it would waste 50-80Mbps.
10
11Instead we should try to drain an existing pipe (another end), and revalidate
12only affected prefixes.
13
14Signed-off-by: Donatas Abraitis <donatas@opensourcerouting.org>
15
16CVE: CVE-2024-55553
17Upstream-Status: Backport [https://github.com/FRRouting/frr/commit/b0800bfdf04b4fcf48504737ebfe4ba7f05268d3]
18Signed-off-by: Zhang Peng <peng.zhang1.cn@windriver.com>
19---
20 bgpd/bgp_rpki.c | 148 ++++++++++++++++++------------------------------
21 bgpd/bgpd.c | 4 --
22 bgpd/bgpd.h | 1 -
23 3 files changed, 55 insertions(+), 98 deletions(-)
24
25diff --git a/bgpd/bgp_rpki.c b/bgpd/bgp_rpki.c
26index 375b041853..402ff24b50 100644
27--- a/bgpd/bgp_rpki.c
28+++ b/bgpd/bgp_rpki.c
29@@ -116,7 +116,6 @@ static enum route_map_cmd_result_t route_match(void *rule,
30 void *object);
31 static void *route_match_compile(const char *arg);
32 static void revalidate_bgp_node(struct bgp_dest *dest, afi_t afi, safi_t safi);
33-static void revalidate_all_routes(void);
34
35 static struct rtr_mgr_config *rtr_config;
36 static struct list *cache_list;
37@@ -403,36 +402,10 @@ static void rpki_revalidate_prefix(struct event *thread)
38 XFREE(MTYPE_BGP_RPKI_REVALIDATE, rrp);
39 }
40
41-static void bgpd_sync_callback(struct event *thread)
42+static void revalidate_single_prefix(struct vrf *vrf, struct prefix prefix, afi_t afi)
43 {
44 struct bgp *bgp;
45 struct listnode *node;
46- struct prefix prefix;
47- struct pfx_record rec;
48-
49- event_add_read(bm->master, bgpd_sync_callback, NULL,
50- rpki_sync_socket_bgpd, NULL);
51-
52- if (atomic_load_explicit(&rtr_update_overflow, memory_order_seq_cst)) {
53- while (read(rpki_sync_socket_bgpd, &rec,
54- sizeof(struct pfx_record)) != -1)
55- ;
56-
57- atomic_store_explicit(&rtr_update_overflow, 0,
58- memory_order_seq_cst);
59- revalidate_all_routes();
60- return;
61- }
62-
63- int retval =
64- read(rpki_sync_socket_bgpd, &rec, sizeof(struct pfx_record));
65- if (retval != sizeof(struct pfx_record)) {
66- RPKI_DEBUG("Could not read from rpki_sync_socket_bgpd");
67- return;
68- }
69- pfx_record_to_prefix(&rec, &prefix);
70-
71- afi_t afi = (rec.prefix.ver == LRTR_IPV4) ? AFI_IP : AFI_IP6;
72
73 for (ALL_LIST_ELEMENTS_RO(bm->bgp, node, bgp)) {
74 safi_t safi;
75@@ -455,87 +428,76 @@ static void bgpd_sync_callback(struct event *thread)
76 }
77 }
78
79-static void revalidate_bgp_node(struct bgp_dest *bgp_dest, afi_t afi,
80- safi_t safi)
81+static void bgpd_sync_callback(struct event *thread)
82 {
83- struct bgp_adj_in *ain;
84+ struct prefix prefix;
85+ struct pfx_record rec;
86+ struct rpki_vrf *rpki_vrf = EVENT_ARG(thread);
87+ struct vrf *vrf = NULL;
88+ afi_t afi;
89+ int retval;
90
91- for (ain = bgp_dest->adj_in; ain; ain = ain->next) {
92- struct bgp_path_info *path =
93- bgp_dest_get_bgp_path_info(bgp_dest);
94- mpls_label_t *label = NULL;
95- uint32_t num_labels = 0;
96-
97- if (path && path->extra) {
98- label = path->extra->label;
99- num_labels = path->extra->num_labels;
100+ event_add_read(bm->master, bgpd_sync_callback, rpki_vrf, rpki_vrf->rpki_sync_socket_bgpd,
101+ NULL);
102+
103+ if (rpki_vrf->vrfname) {
104+ vrf = vrf_lookup_by_name(rpki_vrf->vrfname);
105+ if (!vrf) {
106+ zlog_err("%s(): vrf for rpki %s not found", __func__, rpki_vrf->vrfname);
107+ return;
108 }
109- (void)bgp_update(ain->peer, bgp_dest_get_prefix(bgp_dest),
110- ain->addpath_rx_id, ain->attr, afi, safi,
111- ZEBRA_ROUTE_BGP, BGP_ROUTE_NORMAL, NULL, label,
112- num_labels, 1, NULL);
113 }
114-}
115
116-/*
117- * The act of a soft reconfig in revalidation is really expensive
118- * coupled with the fact that the download of a full rpki state
119- * from a rpki server can be expensive, let's break up the revalidation
120- * to a point in time in the future to allow other bgp events
121- * to take place too.
122- */
123-struct rpki_revalidate_peer {
124- afi_t afi;
125- safi_t safi;
126- struct peer *peer;
127-};
128+ if (atomic_load_explicit(&rpki_vrf->rtr_update_overflow, memory_order_seq_cst)) {
129+ ssize_t size = 0;
130
131-static void bgp_rpki_revalidate_peer(struct event *thread)
132-{
133- struct rpki_revalidate_peer *rvp = EVENT_ARG(thread);
134+ retval = read(rpki_vrf->rpki_sync_socket_bgpd, &rec, sizeof(struct pfx_record));
135+ while (retval != -1) {
136+ if (retval != sizeof(struct pfx_record))
137+ break;
138
139- /*
140- * Here's the expensive bit of gnomish deviousness
141- */
142- bgp_soft_reconfig_in(rvp->peer, rvp->afi, rvp->safi);
143+ size += retval;
144+ pfx_record_to_prefix(&rec, &prefix);
145+ afi = (rec.prefix.ver == LRTR_IPV4) ? AFI_IP : AFI_IP6;
146+ revalidate_single_prefix(vrf, prefix, afi);
147
148- XFREE(MTYPE_BGP_RPKI_REVALIDATE, rvp);
149-}
150+ retval = read(rpki_vrf->rpki_sync_socket_bgpd, &rec,
151+ sizeof(struct pfx_record));
152+ }
153
154-static void revalidate_all_routes(void)
155-{
156- struct bgp *bgp;
157- struct listnode *node;
158+ RPKI_DEBUG("Socket overflow detected (%zu), revalidating affected prefixes", size);
159
160- for (ALL_LIST_ELEMENTS_RO(bm->bgp, node, bgp)) {
161- struct peer *peer;
162- struct listnode *peer_listnode;
163+ atomic_store_explicit(&rpki_vrf->rtr_update_overflow, 0, memory_order_seq_cst);
164+ return;
165+ }
166
167- for (ALL_LIST_ELEMENTS_RO(bgp->peer, peer_listnode, peer)) {
168- afi_t afi;
169- safi_t safi;
170+ retval = read(rpki_vrf->rpki_sync_socket_bgpd, &rec, sizeof(struct pfx_record));
171+ if (retval != sizeof(struct pfx_record)) {
172+ RPKI_DEBUG("Could not read from rpki_sync_socket_bgpd");
173+ return;
174+ }
175+ pfx_record_to_prefix(&rec, &prefix);
176
177- FOREACH_AFI_SAFI (afi, safi) {
178- struct rpki_revalidate_peer *rvp;
179+ afi = (rec.prefix.ver == LRTR_IPV4) ? AFI_IP : AFI_IP6;
180
181- if (!bgp->rib[afi][safi])
182- continue;
183+ revalidate_single_prefix(vrf, prefix, afi);
184+}
185
186- if (!peer_established(peer->connection))
187- continue;
188+static void revalidate_bgp_node(struct bgp_dest *bgp_dest, afi_t afi, safi_t safi)
189+{
190+ struct bgp_adj_in *ain;
191+ mpls_label_t *label;
192+ uint8_t num_labels;
193+
194+ for (ain = bgp_dest->adj_in; ain; ain = ain->next) {
195+ struct bgp_path_info *path = bgp_dest_get_bgp_path_info(bgp_dest);
196
197- rvp = XCALLOC(MTYPE_BGP_RPKI_REVALIDATE,
198- sizeof(*rvp));
199- rvp->peer = peer;
200- rvp->afi = afi;
201- rvp->safi = safi;
202+ num_labels = BGP_PATH_INFO_NUM_LABELS(path);
203+ label = num_labels ? path->extra->labels->label : NULL;
204
205- event_add_event(
206- bm->master, bgp_rpki_revalidate_peer,
207- rvp, 0,
208- &peer->t_revalidate_all[afi][safi]);
209- }
210- }
211+ (void)bgp_update(ain->peer, bgp_dest_get_prefix(bgp_dest), ain->addpath_rx_id,
212+ ain->attr, afi, safi, ZEBRA_ROUTE_BGP, BGP_ROUTE_NORMAL, NULL,
213+ label, num_labels, 1, NULL);
214 }
215 }
216
217diff --git a/bgpd/bgpd.c b/bgpd/bgpd.c
218index 4de5964c39..9bf964c45f 100644
219--- a/bgpd/bgpd.c
220+++ b/bgpd/bgpd.c
221@@ -1248,8 +1248,6 @@ static void peer_free(struct peer *peer)
222 bgp_reads_off(peer->connection);
223 bgp_writes_off(peer->connection);
224 event_cancel_event_ready(bm->master, peer->connection);
225- FOREACH_AFI_SAFI (afi, safi)
226- EVENT_OFF(peer->t_revalidate_all[afi][safi]);
227 assert(!peer->connection->t_write);
228 assert(!peer->connection->t_read);
229 event_cancel_event_ready(bm->master, peer->connection);
230@@ -2640,8 +2638,6 @@ int peer_delete(struct peer *peer)
231 bgp_reads_off(peer->connection);
232 bgp_writes_off(peer->connection);
233 event_cancel_event_ready(bm->master, peer->connection);
234- FOREACH_AFI_SAFI (afi, safi)
235- EVENT_OFF(peer->t_revalidate_all[afi][safi]);
236 assert(!CHECK_FLAG(peer->connection->thread_flags,
237 PEER_THREAD_WRITES_ON));
238 assert(!CHECK_FLAG(peer->connection->thread_flags,
239diff --git a/bgpd/bgpd.h b/bgpd/bgpd.h
240index b139b2c1b4..c4faacc6dc 100644
241--- a/bgpd/bgpd.h
242+++ b/bgpd/bgpd.h
243@@ -1571,7 +1571,6 @@ struct peer {
244
245 /* Threads. */
246 struct event *t_llgr_stale[AFI_MAX][SAFI_MAX];
247- struct event *t_revalidate_all[AFI_MAX][SAFI_MAX];
248 struct event *t_refresh_stalepath;
249
250 /* Thread flags. */
251--
2522.50.0
253
diff --git a/meta-networking/recipes-protocols/frr/frr_9.1.3.bb b/meta-networking/recipes-protocols/frr/frr_9.1.3.bb
index f3b4816941..c5f626a35a 100644
--- a/meta-networking/recipes-protocols/frr/frr_9.1.3.bb
+++ b/meta-networking/recipes-protocols/frr/frr_9.1.3.bb
@@ -13,6 +13,7 @@ LIC_FILES_CHKSUM = "file://doc/licenses/GPL-2.0;md5=b234ee4d69f5fce4486a80fdaf4a
13SRC_URI = "git://github.com/FRRouting/frr.git;protocol=https;branch=stable/9.1 \ 13SRC_URI = "git://github.com/FRRouting/frr.git;protocol=https;branch=stable/9.1 \
14 file://frr.pam \ 14 file://frr.pam \
15 file://0001-zebra-Mimic-GNU-basename-API-for-non-glibc-library-e.patch \ 15 file://0001-zebra-Mimic-GNU-basename-API-for-non-glibc-library-e.patch \
16 file://CVE-2024-55553.patch \
16 " 17 "
17 18
18SRCREV = "ad1766d17be022587fe05ebe1a7bf10e1b7dce19" 19SRCREV = "ad1766d17be022587fe05ebe1a7bf10e1b7dce19"