Accepting request 1001516 from network

OBS-URL: https://build.opensuse.org/request/show/1001516 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/frr?expand=0&rev=20
2022-09-07 09:05:55 +00:00 · 2022-09-07 09:05:55 +00:00 · 857f9bd362
commit 857f9bd362
parent 3ecf89a58c 9b537df10f
4 changed files with 90 additions and 0 deletions
--- a/0007-bgpd-Make-sure-hdr-length-is-at-a-minimum-of-what-is.patch
+++ b/0007-bgpd-Make-sure-hdr-length-is-at-a-minimum-of-what-is.patch
@ -0,0 +1,34 @@
+From ff6db1027f8f36df657ff2e5ea167773752537ed Mon Sep 17 00:00:00 2001
+From: Donald Sharp <sharpd@nvidia.com>
+Date: Thu, 21 Jul 2022 08:11:58 -0400
+Subject: [PATCH] bgpd: Make sure hdr length is at a minimum of what is
+ expected
+References: bsc#1202023,CVE-2022-37032
+Upstream: yes
+
+Ensure that if the capability length specified is enough data.
+
+Signed-off-by: Donald Sharp <sharpd@nvidia.com>
+
+diff --git a/bgpd/bgp_packet.c b/bgpd/bgp_packet.c
+index dbf6c0b2e9..45752a8ab6 100644
+--- a/bgpd/bgp_packet.c
+++ b/bgpd/bgp_packet.c
+@@ -2620,6 +2620,14 @@ static int bgp_capability_msg_parse(struct peer *peer, uint8_t *pnt,
+ 				"%s CAPABILITY has action: %d, code: %u, length %u",
+ 				peer->host, action, hdr->code, hdr->length);
+ 
+		if (hdr->length < sizeof(struct capability_mp_data)) {
+			zlog_info(
+				"%pBP Capability structure is not properly filled out, expected at least %zu bytes but header length specified is %d",
+				peer, sizeof(struct capability_mp_data),
+				hdr->length);
+			return BGP_Stop;
+		}
+
+ 		/* Capability length check. */
+ 		if ((pnt + hdr->length + 3) > end) {
+ 			zlog_info("%s Capability length error", peer->host);
+-- 
+2.35.3
+
--- a/0008-isisd-Ensure-rcap-is-freed-in-error-case.patch
+++ b/0008-isisd-Ensure-rcap-is-freed-in-error-case.patch
@ -0,0 +1,41 @@
+From 49efc80d342d8e8373c8af040580bd7940808730 Mon Sep 17 00:00:00 2001
+From: Donald Sharp <sharpd@nvidia.com>
+Date: Wed, 20 Jul 2022 16:49:09 -0400
+Subject: [PATCH] isisd: Ensure rcap is freed in error case
+References: bsc#1202022
+Upstream: yes
+
+unpack_tlv_router_cap allocates memory that in the error
+case is not being freed.
+
+Signed-off-by: Donald Sharp <sharpd@nvidia.com>
+
+diff --git a/isisd/isis_tlvs.c b/isisd/isis_tlvs.c
+index 11be3c3a71..b3c3fd4b0b 100644
+--- a/isisd/isis_tlvs.c
+++ b/isisd/isis_tlvs.c
+@@ -3580,9 +3580,9 @@ static int pack_tlv_router_cap(const struct isis_router_cap *router_cap,
+ }
+ 
+ static int unpack_tlv_router_cap(enum isis_tlv_context context,
+-				       uint8_t tlv_type, uint8_t tlv_len,
+-				       struct stream *s, struct sbuf *log,
+-				       void *dest, int indent)
+				 uint8_t tlv_type, uint8_t tlv_len,
+				 struct stream *s, struct sbuf *log, void *dest,
+				 int indent)
+ {
+ 	struct isis_tlvs *tlvs = dest;
+ 	struct isis_router_cap *rcap;
+@@ -3627,7 +3627,7 @@ static int unpack_tlv_router_cap(enum isis_tlv_context context,
+ 				log, indent,
+ 				"WARNING: Router Capability subTLV length too large compared to expected size\n");
+ 			stream_forward_getp(s, STREAM_READABLE(s));
+-
+			XFREE(MTYPE_ISIS_TLV, rcap);
+ 			return 0;
+ 		}
+ 
+-- 
+2.35.3
+
--- a/frr.changes
+++ b/frr.changes
@ -1,3 +1,14 @@
+-------------------------------------------------------------------
+Mon Sep  5 11:48:25 UTC 2022 - Marius Tomaschewski <mt@suse.com>
+
+- Apply upstream fix for out-of-bounds read in the BGP daemon
+  that may lead to information disclosure or denial of service
+  (bsc#1202023,CVE-2022-37032)
+  [+ 0007-bgpd-Make-sure-hdr-length-is-at-a-minimum-of-what-is.patch]
+- Apply upstream fix for a memory leak in the IS-IS daemon that
+  may lead to server memory exhaustion (bsc#1202022,CVE-2019-25074)
+  [+ 0008-isisd-Ensure-rcap-is-freed-in-error-case.patch]
+
 -------------------------------------------------------------------
 Thu Mar 17 11:45:00 UTC 2022 - Dominique Leuenberger <dimstar@opensuse.org>

--- a/frr.spec
+++ b/frr.spec
@ -45,6 +45,8 @@ Patch3:         0003-babeld-fix-10487-by-adding-a-check-on-packet-length.patch
 Patch4:         0004-babeld-fix-10502-10503-by-repairing-the-checks-on-le.patch
 Patch5:         0005-isisd-fix-router-capability-TLV-parsing-issues.patch
 Patch6:         0006-isisd-fix-10505-using-base64-encoding.patch
+Patch7:         0007-bgpd-Make-sure-hdr-length-is-at-a-minimum-of-what-is.patch
+Patch8:         0008-isisd-Ensure-rcap-is-freed-in-error-case.patch
 BuildRequires:  autoconf
 BuildRequires:  automake
 BuildRequires:  bison >= 2.7
@ -191,6 +193,8 @@ gzip -d tests/isisd/test_fuzz_isis_tlv_tests.h.gz
 %patch5 -p1
 gzip -9 tests/isisd/test_fuzz_isis_tlv_tests.h
 %patch6 -p1
+%patch7 -p1
+%patch8 -p1

 %build
 # GCC LTO objects must be "fat" to avoid assembly errors