2 files changed, 60 insertions, 0 deletions
diff --git a/meta-networking/recipes-protocols/frr/frr/CVE-2022-43681.patch b/meta-networking/recipes-protocols/frr/frr/CVE-2022-43681.patch
new file mode 100644
index 0000000000..77a011dbc9
--- /dev/null
+++ b/meta-networking/recipes-protocols/frr/frr/CVE-2022-43681.patch
@@ -0,0 +1,58 @@
+From f316975cedd8ef17d47b56be0d3d21711fe44a25 Mon Sep 17 00:00:00 2001
+From: Donald Sharp <sharpd@nvidia.com>
+Date: Wed, 2 Nov 2022 13:24:48 -0400
+Subject: [PATCH] bgpd: Ensure that bgp open message stream has enough data to
+ read
+If a operator receives an invalid packet that is of insufficient size
+then it is possible for BGP to assert during reading of the packet
+instead of gracefully resetting the connection with the peer.
+Signed-off-by: Donald Sharp <sharpd@nvidia.com>
+(cherry picked from commit 766eec1b7accffe2c04a5c9ebb14e9f487bb9f78)
+CVE: CVE-2022-43681
+Upstream-Status: Backport
+[https://github.com/FRRouting/frr/commit/766eec1b7accffe2c04a5c9ebb14e9f487bb9f78]
+Signed-off-by: Jonas Gorski <jonas.gorski@bisdn.de>
+---
+ bgpd/bgp_packet.c | 19 +++++++++++++++++++
+ 1 file changed, 19 insertions(+)
+diff --git a/bgpd/bgp_packet.c b/bgpd/bgp_packet.c
+index bcd47e32d453..5225db29fe09 100644
+--- a/bgpd/bgp_packet.c
+++ b/bgpd/bgp_packet.c
+@@ -1176,8 +1176,27 @@ static int bgp_open_receive(struct peer *peer, bgp_size_t size)
+            || CHECK_FLAG(peer->flags, PEER_FLAG_EXTENDED_OPT_PARAMS)) {
+                uint8_t opttype;
+ 
+               if (STREAM_READABLE(peer->curr) < 1) {
+                       flog_err(
+                               EC_BGP_PKT_OPEN,
+                               "%s: stream does not have enough bytes for extended optional parameters",
+                               peer->host);
+                       bgp_notify_send(peer, BGP_NOTIFY_OPEN_ERR,
+                                       BGP_NOTIFY_OPEN_MALFORMED_ATTR);
+                       return BGP_Stop;
+               }
+
+                opttype = stream_getc(peer->curr);
+                if (opttype == BGP_OPEN_NON_EXT_OPT_TYPE_EXTENDED_LENGTH) {
+                       if (STREAM_READABLE(peer->curr) < 2) {
+                               flog_err(
+                                       EC_BGP_PKT_OPEN,
+                                       "%s: stream does not have enough bytes to read the extended optional parameters optlen",
+                                       peer->host);
+                               bgp_notify_send(peer, BGP_NOTIFY_OPEN_ERR,
+                                               BGP_NOTIFY_OPEN_MALFORMED_ATTR);
+                               return BGP_Stop;
+                       }
+                        optlen = stream_getw(peer->curr);
+                        SET_FLAG(peer->sflags,
+                                 PEER_STATUS_EXT_OPT_PARAMS_LENGTH);
+-- 
+2.40.1
diff --git a/meta-networking/recipes-protocols/frr/frr_8.2.2.bb b/meta-networking/recipes-protocols/frr/frr_8.2.2.bb
index 2da870ae4e..92aca8ecdd 100644
--- a/meta-networking/recipes-protocols/frr/frr_8.2.2.bb
+++ b/meta-networking/recipes-protocols/frr/frr_8.2.2.bb
@@ -14,6 +14,8 @@ SRC_URI = "git://github.com/FRRouting/frr.git;protocol=https;branch=stable/8.2 \
           file://CVE-2022-37032.patch \
           file://CVE-2022-42917.patch \
           file://CVE-2022-36440.patch \
+           file://CVE-2022-40318.patch \
+           file://CVE-2022-43681.patch \
           file://frr.pam \
              "

diff --git a/meta-networking/recipes-protocols/frr/frr/CVE-2022-43681.patch b/meta-networking/recipes-protocols/frr/frr/CVE-2022-43681.patch new file mode 100644 index 0000000000..77a011dbc9 --- /dev/null +++ b/meta-networking/recipes-protocols/frr/frr/CVE-2022-43681.patch
@@ -0,0 +1,58 @@
		1	From f316975cedd8ef17d47b56be0d3d21711fe44a25 Mon Sep 17 00:00:00 2001
		2	From: Donald Sharp <sharpd@nvidia.com>
		3	Date: Wed, 2 Nov 2022 13:24:48 -0400
		4	Subject: [PATCH] bgpd: Ensure that bgp open message stream has enough data to
		5	read
		6
		7	If a operator receives an invalid packet that is of insufficient size
		8	then it is possible for BGP to assert during reading of the packet
		9	instead of gracefully resetting the connection with the peer.
		10
		11	Signed-off-by: Donald Sharp <sharpd@nvidia.com>
		12	(cherry picked from commit 766eec1b7accffe2c04a5c9ebb14e9f487bb9f78)
		13
		14	CVE: CVE-2022-43681
		15
		16	Upstream-Status: Backport
		17	[https://github.com/FRRouting/frr/commit/766eec1b7accffe2c04a5c9ebb14e9f487bb9f78]
		18
		19	Signed-off-by: Jonas Gorski <jonas.gorski@bisdn.de>
		20	---
		21	bgpd/bgp_packet.c \| 19 +++++++++++++++++++
		22	1 file changed, 19 insertions(+)
		23
		24	diff --git a/bgpd/bgp_packet.c b/bgpd/bgp_packet.c
		25	index bcd47e32d453..5225db29fe09 100644
		26	--- a/bgpd/bgp_packet.c
		27	+++ b/bgpd/bgp_packet.c
		28	@@ -1176,8 +1176,27 @@ static int bgp_open_receive(struct peer *peer, bgp_size_t size)
		29	\|\| CHECK_FLAG(peer->flags, PEER_FLAG_EXTENDED_OPT_PARAMS)) {
		30	uint8_t opttype;
		31
		32	+ if (STREAM_READABLE(peer->curr) < 1) {
		33	+ flog_err(
		34	+ EC_BGP_PKT_OPEN,
		35	+ "%s: stream does not have enough bytes for extended optional parameters",
		36	+ peer->host);
		37	+ bgp_notify_send(peer, BGP_NOTIFY_OPEN_ERR,
		38	+ BGP_NOTIFY_OPEN_MALFORMED_ATTR);
		39	+ return BGP_Stop;
		40	+ }
		41	+
		42	opttype = stream_getc(peer->curr);
		43	if (opttype == BGP_OPEN_NON_EXT_OPT_TYPE_EXTENDED_LENGTH) {
		44	+ if (STREAM_READABLE(peer->curr) < 2) {
		45	+ flog_err(
		46	+ EC_BGP_PKT_OPEN,
		47	+ "%s: stream does not have enough bytes to read the extended optional parameters optlen",
		48	+ peer->host);
		49	+ bgp_notify_send(peer, BGP_NOTIFY_OPEN_ERR,
		50	+ BGP_NOTIFY_OPEN_MALFORMED_ATTR);
		51	+ return BGP_Stop;
		52	+ }
		53	optlen = stream_getw(peer->curr);
		54	SET_FLAG(peer->sflags,
		55	PEER_STATUS_EXT_OPT_PARAMS_LENGTH);
		56	--
		57	2.40.1
		58


diff --git a/meta-networking/recipes-protocols/frr/frr_8.2.2.bb b/meta-networking/recipes-protocols/frr/frr_8.2.2.bb index 2da870ae4e..92aca8ecdd 100644 --- a/meta-networking/recipes-protocols/frr/frr_8.2.2.bb +++ b/meta-networking/recipes-protocols/frr/frr_8.2.2.bb
@@ -14,6 +14,8 @@ SRC_URI = "git://github.com/FRRouting/frr.git;protocol=https;branch=stable/8.2 \
14	file://CVE-2022-37032.patch \	14	file://CVE-2022-37032.patch \
15	file://CVE-2022-42917.patch \	15	file://CVE-2022-42917.patch \
16	file://CVE-2022-36440.patch \	16	file://CVE-2022-36440.patch \
		17	file://CVE-2022-40318.patch \
		18	file://CVE-2022-43681.patch \
17	file://frr.pam \	19	file://frr.pam \
18	"	20	"
19		21