frr/0008-bgpd-Don-t-read-the-first-byte-of-ORF-header-if-we-a.patch

From a6c5ef48cb086b94a5b911af4ee9f675213fb14b Mon Sep 17 00:00:00 2001
From: Donatas Abraitis <donatas@opensourcerouting.org>
Date: Sun, 20 Aug 2023 22:15:27 +0300
Upstream: yes
References: CVE-2023-41360,bsc#1214739,https://github.com/FRRouting/frr/pull/14245
Subject: [PATCH] bgpd: Don't read the first byte of ORF header if we are ahead
 of stream

Reported-by: Iggy Frankovic iggyfran@amazon.com
Signed-off-by: Donatas Abraitis <donatas@opensourcerouting.org>
Signed-off-by: Marius Tomaschewski <mt@suse.com>

diff --git a/bgpd/bgp_packet.c b/bgpd/bgp_packet.c
index 72d6a92317..4947dbc21d 100644
--- a/bgpd/bgp_packet.c
+++ b/bgpd/bgp_packet.c
@@ -2375,7 +2375,8 @@ static int bgp_route_refresh_receive(struct peer *peer, bgp_size_t size)
 				 * and 7 bytes of ORF Address-filter entry from
 				 * the stream
 				 */
-				if (*p_pnt & ORF_COMMON_PART_REMOVE_ALL) {
+				if (p_pnt < p_end &&
+				    *p_pnt & ORF_COMMON_PART_REMOVE_ALL) {
 					if (bgp_debug_neighbor_events(peer))
 						zlog_debug(
 							"%pBP rcvd Remove-All pfxlist ORF request",
-- 
2.35.3
Accepting request 1108163 from home:mtomaschewski:frr - Removed protobuf-c BuildRequires (source package name) breaking build-system setup with libprotobuf-c-devel 1.3.2 updates. - Apply upstream fix for bgpd: Don't read initial byte of the ORF header in an ahead-of-stream situation (CVE-2023-41360, bsc#1214739,https://github.com/FRRouting/frr/pull/14245) [+ 0008-bgpd-Don-t-read-the-first-byte-of-ORF-header-if-we-a.patch] - Apply upstream fix for bgpd: Do not process NLRIs if the attribute length is zero (CVE-2023-41358,bsc#1214735, https://github.com/FRRouting/frr/pull/14260) [+ 0009-bgpd-Do-not-process-NLRIs-if-the-attribute-length-is.patch] - Apply upstream fix bgpd: Use treat-as-withdraw for tunnel encapsulation attribute instead of session reset (CVE-2023-38802,bsc#1213284, https://github.com/FRRouting/frr/pull/14290) [+ 0010-bgpd-Use-treat-as-withdraw-for-tunnel-encapsulation-.patch] - Apply upstream fix babeld: avoid infinite loops (CVE-2023-3748,bsc#1213434, gh#FRRouting/frr#11808,https://github.com/FRRouting/frr/pull/12952) [+ 0011-babeld-fix-11808-to-avoid-infinite-loops.patch] OBS-URL: https://build.opensuse.org/request/show/1108163 OBS-URL: https://build.opensuse.org/package/show/network/frr?expand=0&rev=51 2023-09-03 16:42:25 +02:00			`From a6c5ef48cb086b94a5b911af4ee9f675213fb14b Mon Sep 17 00:00:00 2001`
			`From: Donatas Abraitis <donatas@opensourcerouting.org>`
			`Date: Sun, 20 Aug 2023 22:15:27 +0300`
			`Upstream: yes`
			`References: CVE-2023-41360,bsc#1214739,https://github.com/FRRouting/frr/pull/14245`
			`Subject: [PATCH] bgpd: Don't read the first byte of ORF header if we are ahead`
			`of stream`

			`Reported-by: Iggy Frankovic iggyfran@amazon.com`
			`Signed-off-by: Donatas Abraitis <donatas@opensourcerouting.org>`
			`Signed-off-by: Marius Tomaschewski <mt@suse.com>`

			`diff --git a/bgpd/bgp_packet.c b/bgpd/bgp_packet.c`
			`index 72d6a92317..4947dbc21d 100644`
			`--- a/bgpd/bgp_packet.c`
			`+++ b/bgpd/bgp_packet.c`
			`@@ -2375,7 +2375,8 @@ static int bgp_route_refresh_receive(struct peer *peer, bgp_size_t size)`
			`* and 7 bytes of ORF Address-filter entry from`
			`* the stream`
			`*/`
			`- if (*p_pnt & ORF_COMMON_PART_REMOVE_ALL) {`
			`+ if (p_pnt < p_end &&`
			`+ *p_pnt & ORF_COMMON_PART_REMOVE_ALL) {`
			`if (bgp_debug_neighbor_events(peer))`
			`zlog_debug(`
			`"%pBP rcvd Remove-All pfxlist ORF request",`
			`--`
			`2.35.3`