From 35f367fe536d4b13c3880edc6f6359382f218d5214381cf3a3e17a514e6580ab Mon Sep 17 00:00:00 2001 From: Martin Hauke Date: Tue, 6 Sep 2022 12:14:05 +0000 Subject: [PATCH] Accepting request 1001418 from home:mtomaschewski:frr - Apply upstream fix for out-of-bounds read in the BGP daemon that may lead to information disclosure or denial of service (bsc#1202023,CVE-2022-37032) [+ 0007-bgpd-Make-sure-hdr-length-is-at-a-minimum-of-what-is.patch] - Apply upstream fix for a memory leak in the IS-IS daemon that may lead to server memory exhaustion (bsc#1202023,CVE-2019-25074) [+ 0008-isisd-Ensure-rcap-is-freed-in-error-case.patch] OBS-URL: https://build.opensuse.org/request/show/1001418 OBS-URL: https://build.opensuse.org/package/show/network/frr?expand=0&rev=40 --- ...dr-length-is-at-a-minimum-of-what-is.patch | 34 +++++++++++++++ ...d-Ensure-rcap-is-freed-in-error-case.patch | 41 +++++++++++++++++++ frr.changes | 11 +++++ frr.spec | 4 ++ 4 files changed, 90 insertions(+) create mode 100644 0007-bgpd-Make-sure-hdr-length-is-at-a-minimum-of-what-is.patch create mode 100644 0008-isisd-Ensure-rcap-is-freed-in-error-case.patch diff --git a/0007-bgpd-Make-sure-hdr-length-is-at-a-minimum-of-what-is.patch b/0007-bgpd-Make-sure-hdr-length-is-at-a-minimum-of-what-is.patch new file mode 100644 index 0000000..fc7fdb9 --- /dev/null +++ b/0007-bgpd-Make-sure-hdr-length-is-at-a-minimum-of-what-is.patch @@ -0,0 +1,34 @@ +From ff6db1027f8f36df657ff2e5ea167773752537ed Mon Sep 17 00:00:00 2001 +From: Donald Sharp +Date: Thu, 21 Jul 2022 08:11:58 -0400 +Subject: [PATCH] bgpd: Make sure hdr length is at a minimum of what is + expected +References: bsc#1202023,CVE-2022-37032 +Upstream: yes + +Ensure that if the capability length specified is enough data. + +Signed-off-by: Donald Sharp + +diff --git a/bgpd/bgp_packet.c b/bgpd/bgp_packet.c +index dbf6c0b2e9..45752a8ab6 100644 +--- a/bgpd/bgp_packet.c ++++ b/bgpd/bgp_packet.c +@@ -2620,6 +2620,14 @@ static int bgp_capability_msg_parse(struct peer *peer, uint8_t *pnt, + "%s CAPABILITY has action: %d, code: %u, length %u", + peer->host, action, hdr->code, hdr->length); + ++ if (hdr->length < sizeof(struct capability_mp_data)) { ++ zlog_info( ++ "%pBP Capability structure is not properly filled out, expected at least %zu bytes but header length specified is %d", ++ peer, sizeof(struct capability_mp_data), ++ hdr->length); ++ return BGP_Stop; ++ } ++ + /* Capability length check. */ + if ((pnt + hdr->length + 3) > end) { + zlog_info("%s Capability length error", peer->host); +-- +2.35.3 + diff --git a/0008-isisd-Ensure-rcap-is-freed-in-error-case.patch b/0008-isisd-Ensure-rcap-is-freed-in-error-case.patch new file mode 100644 index 0000000..486313c --- /dev/null +++ b/0008-isisd-Ensure-rcap-is-freed-in-error-case.patch @@ -0,0 +1,41 @@ +From 49efc80d342d8e8373c8af040580bd7940808730 Mon Sep 17 00:00:00 2001 +From: Donald Sharp +Date: Wed, 20 Jul 2022 16:49:09 -0400 +Subject: [PATCH] isisd: Ensure rcap is freed in error case +References: bsc#1202022 +Upstream: yes + +unpack_tlv_router_cap allocates memory that in the error +case is not being freed. + +Signed-off-by: Donald Sharp + +diff --git a/isisd/isis_tlvs.c b/isisd/isis_tlvs.c +index 11be3c3a71..b3c3fd4b0b 100644 +--- a/isisd/isis_tlvs.c ++++ b/isisd/isis_tlvs.c +@@ -3580,9 +3580,9 @@ static int pack_tlv_router_cap(const struct isis_router_cap *router_cap, + } + + static int unpack_tlv_router_cap(enum isis_tlv_context context, +- uint8_t tlv_type, uint8_t tlv_len, +- struct stream *s, struct sbuf *log, +- void *dest, int indent) ++ uint8_t tlv_type, uint8_t tlv_len, ++ struct stream *s, struct sbuf *log, void *dest, ++ int indent) + { + struct isis_tlvs *tlvs = dest; + struct isis_router_cap *rcap; +@@ -3627,7 +3627,7 @@ static int unpack_tlv_router_cap(enum isis_tlv_context context, + log, indent, + "WARNING: Router Capability subTLV length too large compared to expected size\n"); + stream_forward_getp(s, STREAM_READABLE(s)); +- ++ XFREE(MTYPE_ISIS_TLV, rcap); + return 0; + } + +-- +2.35.3 + diff --git a/frr.changes b/frr.changes index 3f23f57..bfa305c 100644 --- a/frr.changes +++ b/frr.changes @@ -1,3 +1,14 @@ +------------------------------------------------------------------- +Mon Sep 5 11:48:25 UTC 2022 - Marius Tomaschewski + +- Apply upstream fix for out-of-bounds read in the BGP daemon + that may lead to information disclosure or denial of service + (bsc#1202023,CVE-2022-37032) + [+ 0007-bgpd-Make-sure-hdr-length-is-at-a-minimum-of-what-is.patch] +- Apply upstream fix for a memory leak in the IS-IS daemon that + may lead to server memory exhaustion (bsc#1202023,CVE-2019-25074) + [+ 0008-isisd-Ensure-rcap-is-freed-in-error-case.patch] + ------------------------------------------------------------------- Thu Mar 17 11:45:00 UTC 2022 - Dominique Leuenberger diff --git a/frr.spec b/frr.spec index eaa29f4..fb07578 100644 --- a/frr.spec +++ b/frr.spec @@ -45,6 +45,8 @@ Patch3: 0003-babeld-fix-10487-by-adding-a-check-on-packet-length.patch Patch4: 0004-babeld-fix-10502-10503-by-repairing-the-checks-on-le.patch Patch5: 0005-isisd-fix-router-capability-TLV-parsing-issues.patch Patch6: 0006-isisd-fix-10505-using-base64-encoding.patch +Patch7: 0007-bgpd-Make-sure-hdr-length-is-at-a-minimum-of-what-is.patch +Patch8: 0008-isisd-Ensure-rcap-is-freed-in-error-case.patch BuildRequires: autoconf BuildRequires: automake BuildRequires: bison >= 2.7 @@ -191,6 +193,8 @@ gzip -d tests/isisd/test_fuzz_isis_tlv_tests.h.gz %patch5 -p1 gzip -9 tests/isisd/test_fuzz_isis_tlv_tests.h %patch6 -p1 +%patch7 -p1 +%patch8 -p1 %build # GCC LTO objects must be "fat" to avoid assembly errors