diff --git a/0001-disable-zmq-test.patch b/0001-disable-zmq-test.patch
deleted file mode 100644
index 8d59a16..0000000
--- a/0001-disable-zmq-test.patch
+++ /dev/null
@@ -1,25 +0,0 @@
-From a19581f960db4c5f4f3b759e2d7ecf3e9ac73381 Mon Sep 17 00:00:00 2001
-From: Ruben Torrero Marijnissen
-Date: Mon, 21 Dec 2020 18:36:43 +0000
-Subject: [PATCH] tests: disable zeromq tests due to build service timeouts
-References: bsc#1180217
----
- tests/lib/test_zmq.py | 3 +--
- 1 file changed, 1 insertion(+), 2 deletions(-)
-
-diff --git a/tests/lib/test_zmq.py b/tests/lib/test_zmq.py
-index 1f8ee5416..b298fe7b5 100644
---- a/tests/lib/test_zmq.py
-+++ b/tests/lib/test_zmq.py
-@@ -5,8 +5,7 @@ import os
- program = "./test_zmq"
-
- @pytest.mark.skipif(
-- 'S["ZEROMQ_TRUE"]=""\n' not in open("../config.status").readlines(),
-- reason="ZEROMQ not enabled",
-+ reason="Test disabled due to intermittent build service timeouts"
- )
- def test_refout(self):
- return super(TestZMQ, self).test_refout()
---
-2.29.2
diff --git a/0003-tools-Run-as-FRR_USER-install-chown-commands-to-avoi.patch b/0003-tools-Run-as-FRR_USER-install-chown-commands-to-avoi.patch
deleted file mode 100644
index 7279f97..0000000
--- a/0003-tools-Run-as-FRR_USER-install-chown-commands-to-avoi.patch
+++ /dev/null
@@ -1,93 +0,0 @@ -From 401053f3ccc7be3a6a976f6f7f1674bdeb3c983e Mon Sep 17 00:00:00 2001 -From: Donatas Abraitis -Date: Thu, 20 Oct 2022 09:10:22 +0300 -References: bsc#1204124,CVE-2022-42917,https://github.com/FRRouting/frr/pull/12157 -Upstream: submitted -Subject: [PATCH] tools: Run as FRR_USER `install/chown` commands to avoid race - conditions - -This is due to CVE-2022-42917: https://bugzilla.suse.com/show_bug.cgi?id=1204124 - -install/chown is in most cases (as I tested) is enough, but still, can be racy. - -Tested on Linux/OpenBSD/NetBSD/FreeBSD, seems a unified way to do this. - -For Linux `runuser` can be used, but *BSD do not have this command. - -Proof of concept: - -``` -% sudo su - frr -[sudo] password for donatas: -su: warning: cannot change directory to /nonexistent: No such file or directory -frr@donatas-laptop:/home/donatas$ cd /etc/frr/ -frr@donatas-laptop:/etc/frr$ rm -f zebra.conf; inotifywait -e CREATE .; rm -f zebra.conf; ln -s /etc/shadow zebra.conf -Setting up watches. -Watches established. -./ CREATE zebra.conf -frr@donatas-laptop:/etc/frr$ ls -la zebra.conf -lrwxrwxrwx 1 frr frr 11 spal. 20 09:25 zebra.conf -> /etc/shadow -frr@donatas-laptop:/etc/frr$ cat zebra.conf -cat: zebra.conf: Permission denied -frr@donatas-laptop:/etc/frr$ -``` - -On the other terminal do: - -``` -/usr/lib/frr/frrinit.sh restart -``` - -Signed-off-by: Donatas Abraitis - -diff --git a/tools/frr.in b/tools/frr.in -index e9f1122834..5f3f425a1e 100755 ---- a/tools/frr.in -+++ b/tools/frr.in -@@ -96,10 +96,10 @@ check_daemon() - # check for config file - if [ -n "$2" ]; then - if [ ! -r "$C_PATH/$1-$2.conf" ]; then -- install -g "$FRR_GROUP" -o "$FRR_USER" -m "$FRR_CONFIG_MODE" /dev/null "$C_PATH/$1-$2.conf" -+ su - "${FRR_USER}" -c "install -g \"$FRR_GROUP\" -o \"$FRR_USER\" -m \"$FRR_CONFIG_MODE\" /dev/null \"$C_PATH/$1-$2.conf\"" - fi - elif [ ! 
-r "$C_PATH/$1.conf" ]; then -- install -g "$FRR_GROUP" -o "$FRR_USER" -m "$FRR_CONFIG_MODE" /dev/null "$C_PATH/$1.conf" -+ su - "${FRR_USER}" -c "install -g \"$FRR_GROUP\" -o \"$FRR_USER\" -m \"$FRR_CONFIG_MODE\" /dev/null \"$C_PATH/$1.conf\"" - fi - fi - return 0 -@@ -524,7 +524,7 @@ convert_daemon_prios - - if [ ! -d $V_PATH ]; then - echo "Creating $V_PATH" -- install -g "$FRR_GROUP" -o "$FRR_USER" -m "$FRR_CONFIG_MODE" -d "$V_PATH" -+ su - "${FRR_USER}" -c "install -g \"$FRR_GROUP\" -o \"$FRR_USER\" -m \"$FRR_CONFIG_MODE\" -d \"$V_PATH\"" - chmod gu+x "${V_PATH}" - fi - -diff --git a/tools/frrcommon.sh.in b/tools/frrcommon.sh.in -index 61f1abb378..4d5d688d57 100755 ---- a/tools/frrcommon.sh.in -+++ b/tools/frrcommon.sh.in -@@ -143,7 +143,7 @@ daemon_prep() { - - cfg="$C_PATH/$daemon${inst:+-$inst}.conf" - if [ ! -r "$cfg" ]; then -- install -g "$FRR_GROUP" -o "$FRR_USER" -m "$FRR_CONFIG_MODE" /dev/null "$cfg" -+ su - "${FRR_USER}" -c "install -g \"$FRR_GROUP\" -o \"$FRR_USER\" -m \"$FRR_CONFIG_MODE\" /dev/null \"$cfg\"" - fi - return 0 - } -@@ -161,7 +161,7 @@ daemon_start() { - [ "$MAX_FDS" != "" ] && ulimit -n "$MAX_FDS" > /dev/null 2> /dev/null - daemon_prep "$daemon" "$inst" || return 1 - if test ! -d "$V_PATH"; then -- install -g "$FRR_GROUP" -o "$FRR_USER" -m "$FRR_CONFIG_MODE" -d "$V_PATH" -+ su - "${FRR_USER}" -c "install -g \"$FRR_GROUP\" -o \"$FRR_USER\" -m \"$FRR_CONFIG_MODE\" -d \"$V_PATH\"" - chmod gu+x "${V_PATH}" - fi - --- -2.35.3 - diff --git a/0004-tools-remove-backslash-from-declare-check-regex.patch b/0004-tools-remove-backslash-from-declare-check-regex.patch deleted file mode 100644 index 3ec363d..0000000 --- a/0004-tools-remove-backslash-from-declare-check-regex.patch +++ /dev/null 
@@ -1,29 +0,0 @@
-From 3474b220e036497e6bbe23428645217c275f9f87 Mon Sep 17 00:00:00 2001
-From: Marius Tomaschewski
-Date: Fri, 11 Nov 2022 12:26:04 +0100
-References: https://github.com/FRRouting/frr/pull/12307
-Upstream: submitted
-Subject: [PATCH] tools: remove backslash from declare check regex
-
-The backslash in `grep -q '^declare \-a'` is not needed and
-causes `grep: warning: stray \ before -` warning in grep-3.8.
----
- tools/frrcommon.sh.in | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/tools/frrcommon.sh.in b/tools/frrcommon.sh.in
-index 61f1abb378..3c16c27c6d 100755
---- a/tools/frrcommon.sh.in
-+++ b/tools/frrcommon.sh.in
-@@ -335,7 +335,7 @@ if [ -z "$FRR_PATHSPACE" ]; then
- load_old_config "/etc/sysconfig/frr"
- fi
-
--if { declare -p watchfrr_options 2>/dev/null || true; } | grep -q '^declare \-a'; then
-+if { declare -p watchfrr_options 2>/dev/null || true; } | grep -q '^declare -a'; then
- log_warning_msg "watchfrr_options contains a bash array value." \
- "The configured value is intentionally ignored since it is likely wrong." \
- "Please remove or fix the setting."
---
-2.35.3
-
diff --git a/0005-root-ok-in-account-frr.pam.patch b/0005-root-ok-in-account-frr.pam.patch
deleted file mode 100644
index a051878..0000000
--- a/0005-root-ok-in-account-frr.pam.patch
+++ /dev/null
@@ -1,33 +0,0 @@
-From cb467471b31cd653e758bc3f82fffe7c44654796 Mon Sep 17 00:00:00 2001
-From: Marius Tomaschewski
-Date: Fri, 11 Nov 2022 14:50:12 +0100
-References: https://github.com/FRRouting/frr/pull/12308
-Upstream: submitted
-Subject: [PATCH] pam: declare root as sufficient frr pam account
-
-https://github.com/FRRouting/frr/pull/11465 enabled account verification,
-but the pam config declares rootok as sufficient in authentication only
-and not in account verification, what causes warning in the log:
-
-vtysh[3747]: pam_warn(frr:account): function=[pam_sm_acct_mgmt]
- flags=0 service=[frr] terminal=[] user=[root]
- ruser=[] rhost=[]
----
- redhat/frr.pam | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/redhat/frr.pam b/redhat/frr.pam
-index 5cef5d9d74..17a62f1999 100644
---- a/redhat/frr.pam
-+++ b/redhat/frr.pam
-@@ -5,6 +5,7 @@
- # Only allow root (and possibly wheel) to use this because enable access
- # is unrestricted.
- auth sufficient pam_rootok.so
-+account sufficient pam_rootok.so
-
- # Uncomment the following line to implicitly trust users in the "wheel" group.
- #auth sufficient pam_wheel.so trust use_uid
---
-2.35.3
-
diff --git a/0006-bgpd-Check-7-bytes-for-Long-lived-Graceful-Restart-c.patch b/0006-bgpd-Check-7-bytes-for-Long-lived-Graceful-Restart-c.patch
deleted file mode 100644
index 92e4394..0000000
--- a/0006-bgpd-Check-7-bytes-for-Long-lived-Graceful-Restart-c.patch
+++ /dev/null
@@ -1,48 +0,0 @@
-From d95229c9ba4c8ff99dfc644dd2d1e9e172fe3faf Mon Sep 17 00:00:00 2001
-From: Donatas Abraitis
-Date: Fri, 24 Mar 2023 09:55:23 +0200
-Upstream: yes
-References: bsc#1211248,CVE-2023-31489,https://github.com/FRRouting/frr/pull/13100/commits/b1d33ec293e8e36fbb8766252f3b016d268e31ce
-Subject: [PATCH] bgpd: Check 7 bytes for Long-lived Graceful-Restart
- capability
-
-It's not 4 bytes, it was assuming the same as Graceful-Restart tuples.
-
-LLGR has more 3 bytes (Long-lived Stale Time).
-
-Signed-off-by: Donatas Abraitis
-Signed-off-by: Marius Tomaschewski
-
-diff --git a/bgpd/bgp_open.c b/bgpd/bgp_open.c
-index d1667fac26..907e75e76b 100644
---- a/bgpd/bgp_open.c
-+++ b/bgpd/bgp_open.c
-@@ -599,12 +599,24 @@ static int bgp_capability_restart(struct peer *peer,
- static int bgp_capability_llgr(struct peer *peer,
- struct capability_header *caphdr)
- {
-+/*
-+ * +--------------------------------------------------+
-+ * | Address Family Identifier (16 bits) |
-+ * +--------------------------------------------------+
-+ * | Subsequent Address Family Identifier (8 bits) |
-+ * +--------------------------------------------------+
-+ * | Flags for Address Family (8 bits) |
-+ * +--------------------------------------------------+
-+ * | Long-lived Stale Time (24 bits) |
-+ * +--------------------------------------------------+
-+ */
-+#define BGP_CAP_LLGR_MIN_PACKET_LEN 7
- struct stream *s = BGP_INPUT(peer);
- size_t end = stream_get_getp(s) + caphdr->length;
-
- SET_FLAG(peer->cap, PEER_CAP_LLGR_RCV);
-
-- while (stream_get_getp(s) + 4 <= end) {
-+ while (stream_get_getp(s) + BGP_CAP_LLGR_MIN_PACKET_LEN <= end) {
- afi_t afi;
- safi_t safi;
- iana_afi_t pkt_afi = stream_getw(s);
---
-2.35.3
-
diff --git a/0007-bgpd-Ensure-stream-received-has-enough-data.patch b/0007-bgpd-Ensure-stream-received-has-enough-data.patch
deleted file mode 100644
index aba1134..0000000
--- a/0007-bgpd-Ensure-stream-received-has-enough-data.patch
+++ /dev/null
@@ -1,155 +0,0 @@ -From 6d307ec2f5f5f9827f340a08941e6f78d09d1876 Mon Sep 17 00:00:00 2001 -From: Donald Sharp -Date: Tue, 6 Dec 2022 10:23:11 -0500 -Upstream: yes -References: bsc#1211249,CVE-2023-31490,https://github.com/FRRouting/frr/pull/12454/commits/06431bfa7570f169637ebb5898f0b0cc3b010802 -Subject: [PATCH] bgpd: Ensure stream received has enough data - -BGP_PREFIX_SID_SRV6_L3_SERVICE attributes must not -fully trust the length value specified in the nlri. -Always ensure that the amount of data we need to read -can be fullfilled. - -Reported-by: Iggy Frankovic -Signed-off-by: Donald Sharp -Signed-off-by: Marius Tomaschewski - -diff --git a/bgpd/bgp_attr.c b/bgpd/bgp_attr.c -index b7d0958bac..c6177a1b93 100644 ---- a/bgpd/bgp_attr.c -+++ b/bgpd/bgp_attr.c -@@ -2748,9 +2748,21 @@ bgp_attr_psid_sub(uint8_t type, uint16_t length, - uint8_t sid_type, sid_flags; - char buf[BUFSIZ]; - -+ /* -+ * Check that we actually have at least as much data as -+ * specified by the length field -+ */ -+ if (STREAM_READABLE(peer->curr) < length) { -+ flog_err( -+ EC_BGP_ATTR_LEN, -+ "Prefix SID specifies length %hu, but only %zu bytes remain", -+ length, STREAM_READABLE(peer->curr)); -+ return bgp_attr_malformed(args, BGP_NOTIFY_UPDATE_ATTR_LENG_ERR, -+ args->total); -+ } -+ - if (type == BGP_PREFIX_SID_LABEL_INDEX) { -- if (STREAM_READABLE(peer->curr) < length -- || length != BGP_PREFIX_SID_LABEL_INDEX_LENGTH) { -+ if (length != BGP_PREFIX_SID_LABEL_INDEX_LENGTH) { - flog_err(EC_BGP_ATTR_LEN, - "Prefix SID label index length is %hu instead of %u", - length, BGP_PREFIX_SID_LABEL_INDEX_LENGTH); -@@ -2772,12 +2784,8 @@ bgp_attr_psid_sub(uint8_t type, uint16_t length, - /* Store label index; subsequently, we'll check on - * address-family */ - attr->label_index = label_index; -- } -- -- /* Placeholder code for the IPv6 SID type */ -- else if (type == BGP_PREFIX_SID_IPV6) { -- if (STREAM_READABLE(peer->curr) < length -- || length != BGP_PREFIX_SID_IPV6_LENGTH) { -+ } else if (type == 
BGP_PREFIX_SID_IPV6) { -+ if (length != BGP_PREFIX_SID_IPV6_LENGTH) { - flog_err(EC_BGP_ATTR_LEN, - "Prefix SID IPv6 length is %hu instead of %u", - length, BGP_PREFIX_SID_IPV6_LENGTH); -@@ -2791,10 +2799,7 @@ bgp_attr_psid_sub(uint8_t type, uint16_t length, - stream_getw(peer->curr); - - stream_get(&ipv6_sid, peer->curr, 16); -- } -- -- /* Placeholder code for the Originator SRGB type */ -- else if (type == BGP_PREFIX_SID_ORIGINATOR_SRGB) { -+ } else if (type == BGP_PREFIX_SID_ORIGINATOR_SRGB) { - /* - * ietf-idr-bgp-prefix-sid-05: - * Length is the total length of the value portion of the -@@ -2819,19 +2824,6 @@ bgp_attr_psid_sub(uint8_t type, uint16_t length, - args->total); - } - -- /* -- * Check that we actually have at least as much data as -- * specified by the length field -- */ -- if (STREAM_READABLE(peer->curr) < length) { -- flog_err(EC_BGP_ATTR_LEN, -- "Prefix SID Originator SRGB specifies length %hu, but only %zu bytes remain", -- length, STREAM_READABLE(peer->curr)); -- return bgp_attr_malformed( -- args, BGP_NOTIFY_UPDATE_ATTR_LENG_ERR, -- args->total); -- } -- - /* - * Check that the portion of the TLV containing the sequence of - * SRGBs corresponds to a multiple of the SRGB size; to get -@@ -2855,12 +2847,8 @@ bgp_attr_psid_sub(uint8_t type, uint16_t length, - stream_get(&srgb_base, peer->curr, 3); - stream_get(&srgb_range, peer->curr, 3); - } -- } -- -- /* Placeholder code for the VPN-SID Service type */ -- else if (type == BGP_PREFIX_SID_VPN_SID) { -- if (STREAM_READABLE(peer->curr) < length -- || length != BGP_PREFIX_SID_VPN_SID_LENGTH) { -+ } else if (type == BGP_PREFIX_SID_VPN_SID) { -+ if (length != BGP_PREFIX_SID_VPN_SID_LENGTH) { - flog_err(EC_BGP_ATTR_LEN, - "Prefix SID VPN SID length is %hu instead of %u", - length, BGP_PREFIX_SID_VPN_SID_LENGTH); -@@ -2896,39 +2884,22 @@ bgp_attr_psid_sub(uint8_t type, uint16_t length, - attr->srv6_vpn->sid_flags = sid_flags; - sid_copy(&attr->srv6_vpn->sid, &ipv6_sid); - attr->srv6_vpn = 
srv6_vpn_intern(attr->srv6_vpn); -- } -- -- /* Placeholder code for the SRv6 L3 Service type */ -- else if (type == BGP_PREFIX_SID_SRV6_L3_SERVICE) { -- if (STREAM_READABLE(peer->curr) < length) { -+ } else if (type == BGP_PREFIX_SID_SRV6_L3_SERVICE) { -+ if (STREAM_READABLE(peer->curr) < 1) { - flog_err( - EC_BGP_ATTR_LEN, -- "Prefix SID SRv6 L3-Service length is %hu, but only %zu bytes remain", -- length, STREAM_READABLE(peer->curr)); -- return bgp_attr_malformed(args, -- BGP_NOTIFY_UPDATE_ATTR_LENG_ERR, -- args->total); -+ "Prefix SID SRV6 L3 Service not enough data left, it must be at least 1 byte"); -+ return bgp_attr_malformed( -+ args, BGP_NOTIFY_UPDATE_ATTR_LENG_ERR, -+ args->total); - } -- - /* ignore reserved */ - stream_getc(peer->curr); - - return bgp_attr_srv6_service(args); - } -- - /* Placeholder code for Unsupported TLV */ - else { -- -- if (STREAM_READABLE(peer->curr) < length) { -- flog_err( -- EC_BGP_ATTR_LEN, -- "Prefix SID SRv6 length is %hu - too long, only %zu remaining in this UPDATE", -- length, STREAM_READABLE(peer->curr)); -- return bgp_attr_malformed( -- args, BGP_NOTIFY_UPDATE_ATTR_LENG_ERR, -- args->total); -- } -- - if (bgp_debug_update(peer, NULL, NULL, 1)) - zlog_debug( - "%s attr Prefix-SID sub-type=%u is not supported, skipped", --- -2.35.3 - diff --git a/0008-bgpd-Don-t-read-the-first-byte-of-ORF-header-if-we-a.patch b/0008-bgpd-Don-t-read-the-first-byte-of-ORF-header-if-we-a.patch deleted file mode 100644 index 2ba1cfc..0000000 --- a/0008-bgpd-Don-t-read-the-first-byte-of-ORF-header-if-we-a.patch +++ /dev/null 
@@ -1,29 +0,0 @@
-From a6c5ef48cb086b94a5b911af4ee9f675213fb14b Mon Sep 17 00:00:00 2001
-From: Donatas Abraitis
-Date: Sun, 20 Aug 2023 22:15:27 +0300
-Upstream: yes
-References: CVE-2023-41360,bsc#1214739,https://github.com/FRRouting/frr/pull/14245
-Subject: [PATCH] bgpd: Don't read the first byte of ORF header if we are ahead
- of stream
-
-Reported-by: Iggy Frankovic iggyfran@amazon.com
-Signed-off-by: Donatas Abraitis
-Signed-off-by: Marius Tomaschewski
-
-diff --git a/bgpd/bgp_packet.c b/bgpd/bgp_packet.c
-index 72d6a92317..4947dbc21d 100644
---- a/bgpd/bgp_packet.c
-+++ b/bgpd/bgp_packet.c
-@@ -2375,7 +2375,8 @@ static int bgp_route_refresh_receive(struct peer *peer, bgp_size_t size)
- * and 7 bytes of ORF Address-filter entry from
- * the stream
- */
-- if (*p_pnt & ORF_COMMON_PART_REMOVE_ALL) {
-+ if (p_pnt < p_end &&
-+ *p_pnt & ORF_COMMON_PART_REMOVE_ALL) {
- if (bgp_debug_neighbor_events(peer))
- zlog_debug(
- "%pBP rcvd Remove-All pfxlist ORF request",
---
-2.35.3
-
diff --git a/0009-bgpd-Do-not-process-NLRIs-if-the-attribute-length-is.patch b/0009-bgpd-Do-not-process-NLRIs-if-the-attribute-length-is.patch
deleted file mode 100644
index bd53710..0000000
--- a/0009-bgpd-Do-not-process-NLRIs-if-the-attribute-length-is.patch
+++ /dev/null
@@ -1,100 +0,0 @@ -From e51ca641b4a96e575be069aeea922e31f7b8dfa4 Mon Sep 17 00:00:00 2001 -From: Donatas Abraitis -Date: Tue, 22 Aug 2023 22:52:04 +0300 -Upstream: yes -References: CVE-2023-41358,bsc#1214735,https://github.com/FRRouting/frr/pull/14260 -Subject: [PATCH] bgpd: Do not process NLRIs if the attribute length is - zero - -``` -3 0x00007f423aa42476 in __GI_raise (sig=sig@entry=11) at ../sysdeps/posix/raise.c:26 -4 0x00007f423aef9740 in core_handler (signo=11, siginfo=0x7fffc414deb0, context=) at lib/sigevent.c:246 -5 -6 0x0000564dea2fc71e in route_set_aspath_prepend (rule=0x564debd66d50, prefix=0x7fffc414ea30, object=0x7fffc414e400) - at bgpd/bgp_routemap.c:2258 -7 0x00007f423aeec7e0 in route_map_apply_ext (map=, prefix=prefix@entry=0x7fffc414ea30, - match_object=match_object@entry=0x7fffc414e400, set_object=set_object@entry=0x7fffc414e400, pref=pref@entry=0x0) at lib/routemap.c:2690 -8 0x0000564dea2d277e in bgp_input_modifier (peer=peer@entry=0x7f4238f59010, p=p@entry=0x7fffc414ea30, attr=attr@entry=0x7fffc414e770, - afi=afi@entry=AFI_IP, safi=safi@entry=SAFI_UNICAST, rmap_name=rmap_name@entry=0x0, label=0x0, num_labels=0, dest=0x564debdd5130) - at bgpd/bgp_route.c:1772 -9 0x0000564dea2df762 in bgp_update (peer=peer@entry=0x7f4238f59010, p=p@entry=0x7fffc414ea30, addpath_id=addpath_id@entry=0, - attr=0x7fffc414eb50, afi=afi@entry=AFI_IP, safi=, safi@entry=SAFI_UNICAST, type=9, sub_type=0, prd=0x0, label=0x0, - num_labels=0, soft_reconfig=0, evpn=0x0) at bgpd/bgp_route.c:4374 -10 0x0000564dea2e2047 in bgp_nlri_parse_ip (peer=0x7f4238f59010, attr=attr@entry=0x7fffc414eb50, packet=0x7fffc414eaf0) - at bgpd/bgp_route.c:6249 -11 0x0000564dea2c5a58 in bgp_nlri_parse (peer=peer@entry=0x7f4238f59010, attr=attr@entry=0x7fffc414eb50, - packet=packet@entry=0x7fffc414eaf0, mp_withdraw=mp_withdraw@entry=false) at bgpd/bgp_packet.c:339 -12 0x0000564dea2c5d66 in bgp_update_receive (peer=peer@entry=0x7f4238f59010, size=size@entry=109) at bgpd/bgp_packet.c:2024 -13 
0x0000564dea2c901d in bgp_process_packet (thread=) at bgpd/bgp_packet.c:2933 -14 0x00007f423af0bf71 in event_call (thread=thread@entry=0x7fffc414ee40) at lib/event.c:1995 -15 0x00007f423aebb198 in frr_run (master=0x564deb73c670) at lib/libfrr.c:1213 -16 0x0000564dea261b83 in main (argc=, argv=) at bgpd/bgp_main.c:505 -``` - -With the configuration: - -``` -frr version 9.1-dev-MyOwnFRRVersion -frr defaults traditional -hostname ip-172-31-13-140 -log file /tmp/debug.log -log syslog -service integrated-vtysh-config -! -debug bgp keepalives -debug bgp neighbor-events -debug bgp updates in -debug bgp updates out -! -router bgp 100 - bgp router-id 9.9.9.9 - no bgp ebgp-requires-policy - bgp bestpath aigp - neighbor 172.31.2.47 remote-as 200 - ! - address-family ipv4 unicast - neighbor 172.31.2.47 default-originate - neighbor 172.31.2.47 route-map RM_IN in - exit-address-family -exit -! -route-map RM_IN permit 10 - set as-path prepend 200 -exit -! -``` - -The issue is that we try to process NLRIs even if the attribute length is 0. - -Later bgp_update() will handle route-maps and a crash occurs because all the -attributes are NULL, including aspath, where we dereference. - -According to the RFC 4271: - -A value of 0 indicates that neither the Network Layer - Reachability Information field nor the Path Attribute field is - present in this UPDATE message. - -But with a fuzzed UPDATE message this can be faked. I think it's reasonable -to skip processing NLRIs if both update_len and attribute_len are 0. - -Reported-by: Iggy Frankovic -Signed-off-by: Donatas Abraitis -Signed-off-by: Marius Tomaschewski - -diff --git a/bgpd/bgp_packet.c b/bgpd/bgp_packet.c -index 4947dbc21d..1ef421028f 100644 ---- a/bgpd/bgp_packet.c -+++ b/bgpd/bgp_packet.c -@@ -1951,7 +1951,7 @@ static int bgp_update_receive(struct peer *peer, bgp_size_t size) - /* Network Layer Reachability Information. 
*/ - update_len = end - stream_pnt(s); - -- if (update_len) { -+ if (update_len && attribute_len) { - /* Set NLRI portion to structure. */ - nlris[NLRI_UPDATE].afi = AFI_IP; - nlris[NLRI_UPDATE].safi = SAFI_UNICAST; --- -2.35.3 - diff --git a/0010-bgpd-Use-treat-as-withdraw-for-tunnel-encapsulation-.patch b/0010-bgpd-Use-treat-as-withdraw-for-tunnel-encapsulation-.patch deleted file mode 100644 index d59a1d0..0000000 --- a/0010-bgpd-Use-treat-as-withdraw-for-tunnel-encapsulation-.patch +++ /dev/null 
@@ -1,131 +0,0 @@ -From 129adde0aef424778d6c4791b5be10e302db9320 Mon Sep 17 00:00:00 2001 -From: Donatas Abraitis -Date: Thu, 13 Jul 2023 22:32:03 +0300 -Upstream: yes -References: CVE-2023-38802,bsc#1213284,https://github.com/FRRouting/frr/pull/14290 -Subject: [PATCH] bgpd: Use treat-as-withdraw for tunnel encapsulation - attribute - -Before this path we used session reset method, which is discouraged by rfc7606. - -Handle this as rfc requires. - -Signed-off-by: Donatas Abraitis -Signed-off-by: Marius Tomaschewski - -diff --git a/bgpd/bgp_attr.c b/bgpd/bgp_attr.c -index c6177a1b93..188393b752 100644 ---- a/bgpd/bgp_attr.c -+++ b/bgpd/bgp_attr.c -@@ -1301,6 +1301,7 @@ bgp_attr_malformed(struct bgp_attr_parser_args *args, uint8_t subcode, - case BGP_ATTR_LARGE_COMMUNITIES: - case BGP_ATTR_ORIGINATOR_ID: - case BGP_ATTR_CLUSTER_LIST: -+ case BGP_ATTR_ENCAP: - case BGP_ATTR_OTC: - return BGP_ATTR_PARSE_WITHDRAW; - case BGP_ATTR_MP_REACH_NLRI: -@@ -2426,26 +2427,21 @@ bgp_attr_ipv6_ext_communities(struct bgp_attr_parser_args *args) - } - - /* Parse Tunnel Encap attribute in an UPDATE */ --static int bgp_attr_encap(uint8_t type, struct peer *peer, /* IN */ -- bgp_size_t length, /* IN: attr's length field */ -- struct attr *attr, /* IN: caller already allocated */ -- uint8_t flag, /* IN: attr's flags field */ -- uint8_t *startp) -+static int bgp_attr_encap(struct bgp_attr_parser_args *args) - { -- bgp_size_t total; - uint16_t tunneltype = 0; -- -- total = length + (CHECK_FLAG(flag, BGP_ATTR_FLAG_EXTLEN) ? 
4 : 3); -+ struct peer *const peer = args->peer; -+ struct attr *const attr = args->attr; -+ bgp_size_t length = args->length; -+ uint8_t type = args->type; -+ uint8_t flag = args->flags; - - if (!CHECK_FLAG(flag, BGP_ATTR_FLAG_TRANS) - || !CHECK_FLAG(flag, BGP_ATTR_FLAG_OPTIONAL)) { -- zlog_info( -- "Tunnel Encap attribute flag isn't optional and transitive %d", -- flag); -- bgp_notify_send_with_data(peer, BGP_NOTIFY_UPDATE_ERR, -- BGP_NOTIFY_UPDATE_ATTR_FLAG_ERR, -- startp, total); -- return -1; -+ zlog_err("Tunnel Encap attribute flag isn't optional and transitive %d", -+ flag); -+ return bgp_attr_malformed(args, BGP_NOTIFY_UPDATE_OPT_ATTR_ERR, -+ args->total); - } - - if (BGP_ATTR_ENCAP == type) { -@@ -2453,12 +2449,11 @@ static int bgp_attr_encap(uint8_t type, struct peer *peer, /* IN */ - uint16_t tlv_length; - - if (length < 4) { -- zlog_info( -+ zlog_err( - "Tunnel Encap attribute not long enough to contain outer T,L"); -- bgp_notify_send_with_data( -- peer, BGP_NOTIFY_UPDATE_ERR, -- BGP_NOTIFY_UPDATE_OPT_ATTR_ERR, startp, total); -- return -1; -+ return bgp_attr_malformed(args, -+ BGP_NOTIFY_UPDATE_OPT_ATTR_ERR, -+ args->total); - } - tunneltype = stream_getw(BGP_INPUT(peer)); - tlv_length = stream_getw(BGP_INPUT(peer)); -@@ -2488,13 +2483,11 @@ static int bgp_attr_encap(uint8_t type, struct peer *peer, /* IN */ - } - - if (sublength > length) { -- zlog_info( -- "Tunnel Encap attribute sub-tlv length %d exceeds remaining length %d", -- sublength, length); -- bgp_notify_send_with_data( -- peer, BGP_NOTIFY_UPDATE_ERR, -- BGP_NOTIFY_UPDATE_OPT_ATTR_ERR, startp, total); -- return -1; -+ zlog_err("Tunnel Encap attribute sub-tlv length %d exceeds remaining length %d", -+ sublength, length); -+ return bgp_attr_malformed(args, -+ BGP_NOTIFY_UPDATE_OPT_ATTR_ERR, -+ args->total); - } - - /* alloc and copy sub-tlv */ -@@ -2542,13 +2535,10 @@ static int bgp_attr_encap(uint8_t type, struct peer *peer, /* IN */ - - if (length) { - /* spurious leftover data */ -- 
zlog_info( -- "Tunnel Encap attribute length is bad: %d leftover octets", -- length); -- bgp_notify_send_with_data(peer, BGP_NOTIFY_UPDATE_ERR, -- BGP_NOTIFY_UPDATE_OPT_ATTR_ERR, -- startp, total); -- return -1; -+ zlog_err("Tunnel Encap attribute length is bad: %d leftover octets", -+ length); -+ return bgp_attr_malformed(args, BGP_NOTIFY_UPDATE_OPT_ATTR_ERR, -+ args->total); - } - - return 0; -@@ -3387,8 +3377,7 @@ enum bgp_attr_parse_ret bgp_attr_parse(struct peer *peer, struct attr *attr, - case BGP_ATTR_VNC: - #endif - case BGP_ATTR_ENCAP: -- ret = bgp_attr_encap(type, peer, length, attr, flag, -- startp); -+ ret = bgp_attr_encap(&attr_args); - break; - case BGP_ATTR_PREFIX_SID: - ret = bgp_attr_prefix_sid(&attr_args); --- -2.35.3 - diff --git a/0011-babeld-fix-11808-to-avoid-infinite-loops.patch b/0011-babeld-fix-11808-to-avoid-infinite-loops.patch deleted file mode 100644 index 06c2d6e..0000000 --- a/0011-babeld-fix-11808-to-avoid-infinite-loops.patch +++ /dev/null 
@@ -1,48 +0,0 @@
-From 8a8f20d89585aa490e3cae5ad705ce23107fc1fe Mon Sep 17 00:00:00 2001
-From: harryreps
-Date: Fri, 3 Mar 2023 23:17:14 +0000
-Upsteam: yes
-References: CVE-2023-3748,bsc#1213434,gh#FRRouting/frr#11808,https://github.com/FRRouting/frr/pull/12952
-Subject: [PATCH] babeld: fix #11808 to avoid infinite loops
-
-Replacing continue in loops to goto done so that index of packet buffer
-increases.
-
-Signed-off-by: harryreps
-(cherry picked from commit ae1e0e1fed77716bc06f181ad68c4433fb5523d0)
-Signed-off-by: Marius Tomaschewski
-
-diff --git a/babeld/message.c b/babeld/message.c
-index 7d45d91bf7..2bf2337965 100644
---- a/babeld/message.c
-+++ b/babeld/message.c
-@@ -439,7 +439,7 @@ parse_packet(const unsigned char *from, struct interface *ifp,
- debugf(BABEL_DEBUG_COMMON,
- "Received Hello from %s on %s that does not have all 0's in the unused section of flags, ignoring",
- format_address(from), ifp->name);
-- continue;
-+ goto done;
- }
-
- /*
-@@ -451,7 +451,7 @@ parse_packet(const unsigned char *from, struct interface *ifp,
- debugf(BABEL_DEBUG_COMMON,
- "Received Unicast Hello from %s on %s that FRR is not prepared to understand yet",
- format_address(from), ifp->name);
-- continue;
-+ goto done;
- }
-
- DO_NTOHS(seqno, message + 4);
-@@ -469,7 +469,7 @@ parse_packet(const unsigned char *from, struct interface *ifp,
- debugf(BABEL_DEBUG_COMMON,
- "Received hello from %s on %s should be ignored as that this version of FRR does not know how to properly handle interval == 0",
- format_address(from), ifp->name);
-- continue;
-+ goto done;
- }
-
- changed = update_neighbour(neigh, seqno, interval);
---
-2.35.3
-
diff --git a/0012-bgpd-Limit-flowspec-to-no-attribute-means-a-implicit.patch b/0012-bgpd-Limit-flowspec-to-no-attribute-means-a-implicit.patch
deleted file mode 100644
index ced2b9c..0000000
--- a/0012-bgpd-Limit-flowspec-to-no-attribute-means-a-implicit.patch
+++ /dev/null
@@ -1,37 +0,0 @@
-From 168204de6371f594c4f1ebac30ca3e181a851e39 Mon Sep 17 00:00:00 2001
-From: Donald Sharp
-Date: Wed, 5 Apr 2023 14:57:05 -0400
-Subject: [PATCH] bgpd: Limit flowspec to no attribute means a implicit
- withdrawal
-Upsteam: yes
-References: CVE-2023-41909,bsc#1215065,https://github.com/FRRouting/frr/pull/13222/commits/cfd04dcb3e689754a72507d086ba3b9709fc5ed8
-
-All other parsing functions done from bgp_nlri_parse() assume
-no attributes == an implicit withdrawal. Let's move
-bgp_nlri_parse_flowspec() into the same alignment.
-
-Reported-by: Matteo Memelli
-Signed-off-by: Donald Sharp
-Signed-off-by: Marius Tomaschewski
-
-diff --git a/bgpd/bgp_flowspec.c b/bgpd/bgp_flowspec.c
-index 39c0cfe514..fe1f0d50f8 100644
---- a/bgpd/bgp_flowspec.c
-+++ b/bgpd/bgp_flowspec.c
-@@ -112,6 +112,13 @@ int bgp_nlri_parse_flowspec(struct peer *peer, struct attr *attr,
- afi = packet->afi;
- safi = packet->safi;
-
-+ /*
-+ * All other AFI/SAFI's treat no attribute as a implicit
-+ * withdraw. Flowspec should as well.
-+ */
-+ if (!attr)
-+ withdraw = 1;
-+
- if (packet->length >= FLOWSPEC_NLRI_SIZELIMIT_EXTENDED) {
- flog_err(EC_BGP_FLOWSPEC_PACKET,
- "BGP flowspec nlri length maximum reached (%u)",
---
-2.35.3
-
diff --git a/0013-bgpd-Check-mandatory-attributes-more-carefully-for-U.patch b/0013-bgpd-Check-mandatory-attributes-more-carefully-for-U.patch
deleted file mode 100644
index dc1a41c..0000000
--- a/0013-bgpd-Check-mandatory-attributes-more-carefully-for-U.patch
+++ /dev/null
@@ -1,115 +0,0 @@ -From 1fdbfffbe343ad63c32ff37998300b0b4f67d8fb Mon Sep 17 00:00:00 2001 -From: Donatas Abraitis -Date: Mon, 23 Oct 2023 23:34:10 +0300 -Subject: [PATCH] bgpd: Check mandatory attributes more carefully for UPDATE - message -Upstream: yes -References: CVE-2023-46753,bsc#1216626,https://github.com/FRRouting/frr/pull/14655/commits/21418d64af11553c402f932b0311c812d98ac3e4 - -If we send a crafted BGP UPDATE message without mandatory attributes, we do -not check if the length of the path attributes is zero or not. We only check -if attr->flag is at least set or not. Imagine we send only unknown transit -attribute, then attr->flag is always 0. Also, this is true only if graceful-restart -capability is received. - -A crash: - -``` -bgpd[7834]: [TJ23Y-GY0RH] 127.0.0.1 Unknown attribute is received (type 31, length 16) -bgpd[7834]: [PCFFM-WMARW] 127.0.0.1(donatas-pc) rcvd UPDATE wlen 0 attrlen 20 alen 17 -BGP[7834]: Received signal 11 at 1698089639 (si_addr 0x0, PC 0x55eefd375b4a); aborting... 
-BGP[7834]: /usr/local/lib/libfrr.so.0(zlog_backtrace_sigsafe+0x6d) [0x7f3205ca939d] -BGP[7834]: /usr/local/lib/libfrr.so.0(zlog_signal+0xf3) [0x7f3205ca9593] -BGP[7834]: /usr/local/lib/libfrr.so.0(+0xf5181) [0x7f3205cdd181] -BGP[7834]: /lib/x86_64-linux-gnu/libpthread.so.0(+0x12980) [0x7f3204ff3980] -BGP[7834]: /usr/lib/frr/bgpd(+0x18ab4a) [0x55eefd375b4a] -BGP[7834]: /usr/local/lib/libfrr.so.0(route_map_apply_ext+0x310) [0x7f3205cd1290] -BGP[7834]: /usr/lib/frr/bgpd(+0x163610) [0x55eefd34e610] -BGP[7834]: /usr/lib/frr/bgpd(bgp_update+0x9a5) [0x55eefd35c1d5] -BGP[7834]: /usr/lib/frr/bgpd(bgp_nlri_parse_ip+0xb7) [0x55eefd35e867] -BGP[7834]: /usr/lib/frr/bgpd(+0x1555e6) [0x55eefd3405e6] -BGP[7834]: /usr/lib/frr/bgpd(bgp_process_packet+0x747) [0x55eefd345597] -BGP[7834]: /usr/local/lib/libfrr.so.0(event_call+0x83) [0x7f3205cef4a3] -BGP[7834]: /usr/local/lib/libfrr.so.0(frr_run+0xc0) [0x7f3205ca10a0] -BGP[7834]: /usr/lib/frr/bgpd(main+0x409) [0x55eefd2dc979] -``` - -Sending: - -``` -import socket -import time - -OPEN = (b"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -b"\xff\xff\x00\x62\x01\x04\xfd\xea\x00\x5a\x0a\x00\x00\x01\x45\x02" -b"\x06\x01\x04\x00\x01\x00\x01\x02\x02\x02\x00\x02\x02\x46\x00\x02" -b"\x06\x41\x04\x00\x00\xfd\xea\x02\x02\x06\x00\x02\x06\x45\x04\x00" -b"\x01\x01\x03\x02\x0e\x49\x0c\x0a\x64\x6f\x6e\x61\x74\x61\x73\x2d" -b"\x70\x63\x00\x02\x04\x40\x02\x00\x78\x02\x09\x47\x07\x00\x01\x01" -b"\x80\x00\x00\x00") - -KEEPALIVE = (b"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -b"\xff\xff\xff\xff\xff\xff\x00\x13\x04") - -UPDATE = bytearray.fromhex("ffffffffffffffffffffffffffffffff003c0200000014ff1f001000040146464646460004464646464646664646f50d05800100010200ffff000000") - -s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) -s.connect(('127.0.0.2', 179)) -s.send(OPEN) -data = s.recv(1024) -s.send(KEEPALIVE) -data = s.recv(1024) -s.send(UPDATE) -data = s.recv(1024) -time.sleep(1000) -s.close() -``` - -Reported-by: Iggy Frankovic -Signed-off-by: 
Donatas Abraitis -(cherry picked from commit d8482bf011cb2b173e85b65b4bf3d5061250cdb9) -Signed-off-by: Marius Tomaschewski - -diff --git a/bgpd/bgp_attr.c b/bgpd/bgp_attr.c -index 188393b752..5c028c854c 100644 ---- a/bgpd/bgp_attr.c -+++ b/bgpd/bgp_attr.c -@@ -3098,13 +3098,15 @@ bgp_attr_unknown(struct bgp_attr_parser_args *args) - } - - /* Well-known attribute check. */ --static int bgp_attr_check(struct peer *peer, struct attr *attr) -+static int bgp_attr_check(struct peer *peer, struct attr *attr, -+ bgp_size_t length) - { - uint8_t type = 0; - - /* BGP Graceful-Restart End-of-RIB for IPv4 unicast is signaled as an - * empty UPDATE. */ -- if (CHECK_FLAG(peer->cap, PEER_CAP_RESTART_RCV) && !attr->flag) -+ if (CHECK_FLAG(peer->cap, PEER_CAP_RESTART_RCV) && !attr->flag && -+ !length) - return BGP_ATTR_PARSE_PROCEED; - - /* "An UPDATE message that contains the MP_UNREACH_NLRI is not required -@@ -3156,7 +3158,7 @@ enum bgp_attr_parse_ret bgp_attr_parse(struct peer *peer, struct attr *attr, - enum bgp_attr_parse_ret ret; - uint8_t flag = 0; - uint8_t type = 0; -- bgp_size_t length; -+ bgp_size_t length = 0; - uint8_t *startp, *endp; - uint8_t *attr_endp; - uint8_t seen[BGP_ATTR_BITMAP_SIZE]; -@@ -3478,7 +3480,7 @@ enum bgp_attr_parse_ret bgp_attr_parse(struct peer *peer, struct attr *attr, - } - - /* Check all mandatory well-known attributes are present */ -- ret = bgp_attr_check(peer, attr); -+ ret = bgp_attr_check(peer, attr, length); - if (ret < 0) - goto done; - --- -2.35.3 - diff --git a/0014-bgpd-Handle-MP_REACH_NLRI-malformed-packets-with-ses.patch b/0014-bgpd-Handle-MP_REACH_NLRI-malformed-packets-with-ses.patch deleted file mode 100644 index 83edea3..0000000 --- a/0014-bgpd-Handle-MP_REACH_NLRI-malformed-packets-with-ses.patch +++ /dev/null 
@@ -1,121 +0,0 @@
-From f2bc4e6847b222ed8fbd460fbba9aa69d1bf8d0e Mon Sep 17 00:00:00 2001
-From: Donatas Abraitis
-Date: Fri, 20 Oct 2023 17:49:18 +0300
-Subject: [PATCH] bgpd: Handle MP_REACH_NLRI malformed packets with session
- reset
-Upstream: yes
-References: CVE-2023-46752,bsc#1216627,https://github.com/FRRouting/frr/pull/14645/commits/b08afc81c60607a4f736f418f2e3eb06087f1a35
-
-Avoid crashing bgpd.
-
-```
-(gdb)
-bgp_mp_reach_parse (args=, mp_update=0x7fffffffe140) at bgpd/bgp_attr.c:2341
-2341 stream_get(&attr->mp_nexthop_global, s, IPV6_MAX_BYTELEN);
-(gdb)
-stream_get (dst=0x7fffffffe1ac, s=0x7ffff0006e80, size=16) at lib/stream.c:320
-320 {
-(gdb)
-321 STREAM_VERIFY_SANE(s);
-(gdb)
-323 if (STREAM_READABLE(s) < size) {
-(gdb)
-34 return __builtin___memcpy_chk (__dest, __src, __len, __bos0 (__dest));
-(gdb)
-
-Thread 1 "bgpd" received signal SIGSEGV, Segmentation fault.
-0x00005555556e37be in route_set_aspath_prepend (rule=0x555555aac0d0, prefix=0x7fffffffe050,
- object=0x7fffffffdb00) at bgpd/bgp_routemap.c:2282
-2282 if (path->attr->aspath->refcnt)
-(gdb)
-```
-
-With the configuration:
-
-```
- neighbor 127.0.0.1 remote-as external
- neighbor 127.0.0.1 passive
- neighbor 127.0.0.1 ebgp-multihop
- neighbor 127.0.0.1 disable-connected-check
- neighbor 127.0.0.1 update-source 127.0.0.2
- neighbor 127.0.0.1 timers 3 90
- neighbor 127.0.0.1 timers connect 1
- address-family ipv4 unicast
- redistribute connected
- neighbor 127.0.0.1 default-originate
- neighbor 127.0.0.1 route-map RM_IN in
- exit-address-family
-!
-route-map RM_IN permit 10
- set as-path prepend 200
-exit
-```
-
-Reported-by: Iggy Frankovic
-Signed-off-by: Donatas Abraitis
-(cherry picked from commit b08afc81c60607a4f736f418f2e3eb06087f1a35)
-Signed-off-by: Marius Tomaschewski
-
-diff --git a/bgpd/bgp_attr.c b/bgpd/bgp_attr.c
-index 5c028c854c..42a2342f6f 100644
---- a/bgpd/bgp_attr.c
-+++ b/bgpd/bgp_attr.c
-@@ -2224,7 +2224,7 @@ int bgp_mp_reach_parse(struct bgp_attr_parser_args *args,
-
- mp_update->afi = afi;
- mp_update->safi = safi;
-- return BGP_ATTR_PARSE_EOR;
-+ return bgp_attr_malformed(args, BGP_NOTIFY_UPDATE_MAL_ATTR, 0);
- }
-
- mp_update->afi = afi;
-@@ -3405,10 +3405,6 @@ enum bgp_attr_parse_ret bgp_attr_parse(struct peer *peer, struct attr *attr,
- goto done;
- }
-
-- if (ret == BGP_ATTR_PARSE_EOR) {
-- goto done;
-- }
--
- if (ret == BGP_ATTR_PARSE_ERROR) {
- flog_warn(EC_BGP_ATTRIBUTE_PARSE_ERROR,
- "%s: Attribute %s, parse error", peer->host,
-diff --git a/bgpd/bgp_attr.h b/bgpd/bgp_attr.h
-index 4963ea64d0..23767153b2 100644
---- a/bgpd/bgp_attr.h
-+++ b/bgpd/bgp_attr.h
-@@ -382,7 +382,6 @@ enum bgp_attr_parse_ret {
- /* only used internally, send notify + convert to BGP_ATTR_PARSE_ERROR
- */
- BGP_ATTR_PARSE_ERROR_NOTIFYPLS = -3,
-- BGP_ATTR_PARSE_EOR = -4,
- };
-
- struct bpacket_attr_vec_arr;
-diff --git a/bgpd/bgp_packet.c b/bgpd/bgp_packet.c
-index 1ef421028f..20c642190b 100644
---- a/bgpd/bgp_packet.c
-+++ b/bgpd/bgp_packet.c
-@@ -2027,8 +2027,7 @@ static int bgp_update_receive(struct peer *peer, bgp_size_t size)
- * Non-MP IPv4/Unicast EoR is a completely empty UPDATE
- * and MP EoR should have only an empty MP_UNREACH
- */
-- if ((!update_len && !withdraw_len && nlris[NLRI_MP_UPDATE].length == 0)
-- || (attr_parse_ret == BGP_ATTR_PARSE_EOR)) {
-+ if (!update_len && !withdraw_len && nlris[NLRI_MP_UPDATE].length == 0) {
- afi_t afi = 0;
- safi_t safi;
- struct graceful_restart_info *gr_info;
-@@ -2049,9 +2048,6 @@ static int bgp_update_receive(struct peer *peer, bgp_size_t size)
- && nlris[NLRI_MP_WITHDRAW].length == 0) {
- afi = nlris[NLRI_MP_WITHDRAW].afi;
- safi = nlris[NLRI_MP_WITHDRAW].safi;
-- } else if (attr_parse_ret == BGP_ATTR_PARSE_EOR) {
-- afi = nlris[NLRI_MP_UPDATE].afi;
-- safi = nlris[NLRI_MP_UPDATE].safi;
- }
-
- if (afi && peer->afc[afi][safi]) {
---
-2.35.3
-
diff --git a/0015-bgpd-Treat-EOR-as-withdrawn-to-avoid-unwanted-handli.patch b/0015-bgpd-Treat-EOR-as-withdrawn-to-avoid-unwanted-handli.patch
deleted file mode 100644
index 98ea81d..0000000
--- a/0015-bgpd-Treat-EOR-as-withdrawn-to-avoid-unwanted-handli.patch
+++ /dev/null
@@ -1,109 +0,0 @@
-From fcd12ca92baf2be4b191ddc3d3021c276c635930 Mon Sep 17 00:00:00 2001
-From: Donatas Abraitis
-Date: Fri, 27 Oct 2023 11:56:45 +0300
-Subject: [PATCH] bgpd: Treat EOR as withdrawn to avoid unwanted handling of
- malformed attrs
-Upstream: yes
-CVE-2023-47235,bsc#1216896,https://github.com/FRRouting/frr/pull/14716/commits/6814f2e0138a6ea5e1f83bdd9085d9a77999900b
-
-Treat-as-withdraw, otherwise if we just ignore it, we will pass it to be
-processed as a normal UPDATE without mandatory attributes, that could lead
-to harmful behavior. In this case, a crash for route-maps with the configuration
-such as:
-
-```
-router bgp 65001
- no bgp ebgp-requires-policy
- neighbor 127.0.0.1 remote-as external
- neighbor 127.0.0.1 passive
- neighbor 127.0.0.1 ebgp-multihop
- neighbor 127.0.0.1 disable-connected-check
- neighbor 127.0.0.1 update-source 127.0.0.2
- neighbor 127.0.0.1 timers 3 90
- neighbor 127.0.0.1 timers connect 1
- !
- address-family ipv4 unicast
- neighbor 127.0.0.1 addpath-tx-all-paths
- neighbor 127.0.0.1 default-originate
- neighbor 127.0.0.1 route-map RM_IN in
- exit-address-family
-exit
-!
-route-map RM_IN permit 10
- set as-path prepend 200
-exit
-```
-
-Send a malformed optional transitive attribute:
-
-```
-import socket
-import time
-
-OPEN = (b"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff"
-b"\xff\xff\x00\x62\x01\x04\xfd\xea\x00\x5a\x0a\x00\x00\x01\x45\x02"
-b"\x06\x01\x04\x00\x01\x00\x01\x02\x02\x02\x00\x02\x02\x46\x00\x02"
-b"\x06\x41\x04\x00\x00\xfd\xea\x02\x02\x06\x00\x02\x06\x45\x04\x00"
-b"\x01\x01\x03\x02\x0e\x49\x0c\x0a\x64\x6f\x6e\x61\x74\x61\x73\x2d"
-b"\x70\x63\x00\x02\x04\x40\x02\x00\x78\x02\x09\x47\x07\x00\x01\x01"
-b"\x80\x00\x00\x00")
-
-KEEPALIVE = (b"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff"
-b"\xff\xff\xff\xff\xff\xff\x00\x13\x04")
-
-UPDATE = bytearray.fromhex("ffffffffffffffffffffffffffffffff002b0200000003c0ff00010100eb00ac100b0b001ad908ac100b0b")
-
-s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
-s.connect(('127.0.0.2', 179))
-s.send(OPEN)
-data = s.recv(1024)
-s.send(KEEPALIVE)
-data = s.recv(1024)
-s.send(UPDATE)
-data = s.recv(1024)
-time.sleep(100)
-s.close()
-```
-
-Reported-by: Iggy Frankovic
-Signed-off-by: Donatas Abraitis
-Signed-off-by: Marius Tomaschewski
-
-diff --git a/bgpd/bgp_attr.c b/bgpd/bgp_attr.c
-index 42a2342f6f..fc92dbb326 100644
---- a/bgpd/bgp_attr.c
-+++ b/bgpd/bgp_attr.c
-@@ -3104,10 +3104,13 @@ static int bgp_attr_check(struct peer *peer, struct attr *attr,
- uint8_t type = 0;
-
- /* BGP Graceful-Restart End-of-RIB for IPv4 unicast is signaled as an
-- * empty UPDATE. */
-+ * empty UPDATE. Treat-as-withdraw, otherwise if we just ignore it,
-+ * we will pass it to be processed as a normal UPDATE without mandatory
-+ * attributes, that could lead to harmful behavior.
-+ */
- if (CHECK_FLAG(peer->cap, PEER_CAP_RESTART_RCV) && !attr->flag &&
- !length)
-- return BGP_ATTR_PARSE_PROCEED;
-+ return BGP_ATTR_PARSE_WITHDRAW;
-
- /* "An UPDATE message that contains the MP_UNREACH_NLRI is not required
- to carry any other path attributes.", though if MP_REACH_NLRI or NLRI
-@@ -3532,7 +3535,13 @@ done:
- aspath_unintern(&as4_path);
-
- transit = bgp_attr_get_transit(attr);
-- if (ret != BGP_ATTR_PARSE_ERROR) {
-+ /* If we received an UPDATE with mandatory attributes, then
-+ * the unrecognized transitive optional attribute of that
-+ * path MUST be passed. Otherwise, it's an error, and from
-+ * security perspective it might be very harmful if we continue
-+ * here with the unrecognized attributes.
-+ */
-+ if (ret == BGP_ATTR_PARSE_PROCEED) {
- /* Finally intern unknown attribute. */
- if (transit)
- bgp_attr_set_transit(attr, transit_intern(transit));
---
-2.35.3
-
diff --git a/0016-bgpd-Ignore-handling-NLRIs-if-we-received-MP_UNREACH.patch b/0016-bgpd-Ignore-handling-NLRIs-if-we-received-MP_UNREACH.patch
deleted file mode 100644
index b46d113..0000000
--- a/0016-bgpd-Ignore-handling-NLRIs-if-we-received-MP_UNREACH.patch
+++ /dev/null
@@ -1,90 +0,0 @@
-From 4e39893cfb2d4dbc13fa6d6a25bbf623ed14a4fb Mon Sep 17 00:00:00 2001
-From: Donatas Abraitis
-Date: Sun, 29 Oct 2023 22:44:45 +0200
-Subject: [PATCH] bgpd: Ignore handling NLRIs if we received MP_UNREACH_NLRI
-Upstream: yes
-CVE-2023-47234,bsc#1216897,https://github.com/FRRouting/frr/pull/14716/commits/c37119df45bbf4ef713bc10475af2ee06e12f3bf
-
-If we receive MP_UNREACH_NLRI, we should stop handling remaining NLRIs if
-no mandatory path attributes received.
-
-In other words, if MP_UNREACH_NLRI received, the remaining NLRIs should be handled
-as a new data, but without mandatory attributes, it's a malformed packet.
-
-In normal case, this MUST not happen at all, but to avoid crashing bgpd, we MUST
-handle that.
-
-Reported-by: Iggy Frankovic
-Signed-off-by: Donatas Abraitis
-Signed-off-by: Marius Tomaschewski
-
-diff --git a/bgpd/bgp_attr.c b/bgpd/bgp_attr.c
-index fc92dbb326..ae0f052c42 100644
---- a/bgpd/bgp_attr.c
-+++ b/bgpd/bgp_attr.c
-@@ -3112,15 +3112,6 @@ static int bgp_attr_check(struct peer *peer, struct attr *attr,
- !length)
- return BGP_ATTR_PARSE_WITHDRAW;
-
-- /* "An UPDATE message that contains the MP_UNREACH_NLRI is not required
-- to carry any other path attributes.", though if MP_REACH_NLRI or NLRI
-- are present, it should. Check for any other attribute being present
-- instead.
-- */
-- if ((!CHECK_FLAG(attr->flag, ATTR_FLAG_BIT(BGP_ATTR_MP_REACH_NLRI)) &&
-- CHECK_FLAG(attr->flag, ATTR_FLAG_BIT(BGP_ATTR_MP_UNREACH_NLRI))))
-- return BGP_ATTR_PARSE_PROCEED;
--
- if (!CHECK_FLAG(attr->flag, ATTR_FLAG_BIT(BGP_ATTR_ORIGIN)))
- type = BGP_ATTR_ORIGIN;
-
-@@ -3139,6 +3130,16 @@ static int bgp_attr_check(struct peer *peer, struct attr *attr,
- && !CHECK_FLAG(attr->flag, ATTR_FLAG_BIT(BGP_ATTR_LOCAL_PREF)))
- type = BGP_ATTR_LOCAL_PREF;
-
-+ /* An UPDATE message that contains the MP_UNREACH_NLRI is not required
-+ * to carry any other path attributes. Though if MP_REACH_NLRI or NLRI
-+ * are present, it should. Check for any other attribute being present
-+ * instead.
-+ */
-+ if (!CHECK_FLAG(attr->flag, ATTR_FLAG_BIT(BGP_ATTR_MP_REACH_NLRI)) &&
-+ CHECK_FLAG(attr->flag, ATTR_FLAG_BIT(BGP_ATTR_MP_UNREACH_NLRI)))
-+ return type ? BGP_ATTR_PARSE_MISSING_MANDATORY
-+ : BGP_ATTR_PARSE_PROCEED;
-+
- /* If any of the well-known mandatory attributes are not present
- * in an UPDATE message, then "treat-as-withdraw" MUST be used.
- */
-diff --git a/bgpd/bgp_attr.h b/bgpd/bgp_attr.h
-index 23767153b2..27708c0689 100644
---- a/bgpd/bgp_attr.h
-+++ b/bgpd/bgp_attr.h
-@@ -382,6 +382,7 @@ enum bgp_attr_parse_ret {
- /* only used internally, send notify + convert to BGP_ATTR_PARSE_ERROR
- */
- BGP_ATTR_PARSE_ERROR_NOTIFYPLS = -3,
-+ BGP_ATTR_PARSE_MISSING_MANDATORY = -4,
- };
-
- struct bpacket_attr_vec_arr;
-diff --git a/bgpd/bgp_packet.c b/bgpd/bgp_packet.c
-index 20c642190b..b175a26ab9 100644
---- a/bgpd/bgp_packet.c
-+++ b/bgpd/bgp_packet.c
-@@ -1951,7 +1951,12 @@ static int bgp_update_receive(struct peer *peer, bgp_size_t size)
- /* Network Layer Reachability Information. */
- update_len = end - stream_pnt(s);
-
-- if (update_len && attribute_len) {
-+ /* If we received MP_UNREACH_NLRI attribute, but also NLRIs, then
-+ * NLRIs should be handled as a new data. Though, if we received
-+ * NLRIs without mandatory attributes, they should be ignored.
-+ */
-+ if (update_len && attribute_len &&
-+ attr_parse_ret != BGP_ATTR_PARSE_MISSING_MANDATORY) {
- /* Set NLRI portion to structure. */
- nlris[NLRI_UPDATE].afi = AFI_IP;
- nlris[NLRI_UPDATE].safi = SAFI_UNICAST;
---
-2.35.3
-
diff --git a/0017-bgpd-Fix-use-beyond-end-of-stream-of-labeled-unicast.patch b/0017-bgpd-Fix-use-beyond-end-of-stream-of-labeled-unicast.patch
deleted file mode 100644
index a0e9c5a..0000000
--- a/0017-bgpd-Fix-use-beyond-end-of-stream-of-labeled-unicast.patch
+++ /dev/null
@@ -1,58 +0,0 @@
-From 6979aa1574167121e260120504c77b47bb25230e Mon Sep 17 00:00:00 2001
-From: Donald Sharp
-Date: Fri, 3 Mar 2023 21:58:33 -0500
-Subject: [PATCH] bgpd: Fix use beyond end of stream of labeled unicast parsing
-Upstream: yes
-CVE-2023-38407,bsc#1216899,https://github.com/FRRouting/frr/pull/12956/commits/ab362eae68edec12c175d9bc488bcc3f8b73d36f
-
-Fixes a couple crashes associated with attempting to read
-beyond the end of the stream.
-
-Reported-by: Iggy Frankovic
-Signed-off-by: Donald Sharp
-(cherry picked from commit 7404a914b0cafe046703c8381903a80d3def8f8b)
-Signed-off-by: Marius Tomaschewski
-
-diff --git a/bgpd/bgp_label.c b/bgpd/bgp_label.c
-index 38f34a8927..64d1ff70ca 100644
---- a/bgpd/bgp_label.c
-+++ b/bgpd/bgp_label.c
-@@ -312,6 +312,9 @@ static int bgp_nlri_get_labels(struct peer *peer, uint8_t *pnt, uint8_t plen,
- uint8_t llen = 0;
- uint8_t label_depth = 0;
-
-+ if (plen < BGP_LABEL_BYTES)
-+ return 0;
-+
- for (; data < lim; data += BGP_LABEL_BYTES) {
- memcpy(label, data, BGP_LABEL_BYTES);
- llen += BGP_LABEL_BYTES;
-@@ -374,6 +377,9 @@ int bgp_nlri_parse_label(struct peer *peer, struct attr *attr,
- memcpy(&addpath_id, pnt, BGP_ADDPATH_ID_LEN);
- addpath_id = ntohl(addpath_id);
- pnt += BGP_ADDPATH_ID_LEN;
-+
-+ if (pnt >= lim)
-+ return BGP_NLRI_PARSE_ERROR_PACKET_OVERFLOW;
- }
-
- /* Fetch prefix length. */
-@@ -392,6 +398,15 @@ int bgp_nlri_parse_label(struct peer *peer, struct attr *attr,
-
- /* Fill in the labels */
- llen = bgp_nlri_get_labels(peer, pnt, psize, &label);
-+ if (llen == 0) {
-+ flog_err(
-+ EC_BGP_UPDATE_RCV,
-+ "%s [Error] Update packet error (wrong label length 0)",
-+ peer->host);
-+ bgp_notify_send(peer, BGP_NOTIFY_UPDATE_ERR,
-+ BGP_NOTIFY_UPDATE_INVAL_NETWORK);
-+ return BGP_NLRI_PARSE_ERROR_LABEL_LENGTH;
-+ }
- p.prefixlen = prefixlen - BSIZE(llen);
-
- /* There needs to be at least one label */
---
-2.35.3
-
diff --git a/0018-bgpd-Flowspec-overflow-issue.patch b/0018-bgpd-Flowspec-overflow-issue.patch
deleted file mode 100644
index 7081c2e..0000000
--- a/0018-bgpd-Flowspec-overflow-issue.patch
+++ /dev/null
@@ -1,37 +0,0 @@
-From d4ead6bc0b2f0d4682661837d202502127060476 Mon Sep 17 00:00:00 2001
-From: Donald Sharp
-Date: Thu, 23 Feb 2023 13:29:32 -0500
-Subject: [PATCH] bgpd: Flowspec overflow issue
-Upstream: yes
-CVE-2023-38406,bsc#1216900,https://github.com/FRRouting/frr/pull/12884/commits/0b999c886e241c52bd1f7ef0066700e4b618ebb3
-
-According to the flowspec RFC 8955 a flowspec nlri is >
-Specifying 0 as a length makes BGP get all warm on the inside. Which
-in this case is not a good thing at all. Prevent warmth, stay cold
-on the inside.
-
-Reported-by: Iggy Frankovic
-Signed-off-by: Donald Sharp
-Signed-off-by: Marius Tomaschewski
-
-diff --git a/bgpd/bgp_flowspec.c b/bgpd/bgp_flowspec.c
-index fe1f0d50f8..98ec1ed073 100644
---- a/bgpd/bgp_flowspec.c
-+++ b/bgpd/bgp_flowspec.c
-@@ -148,6 +148,13 @@ int bgp_nlri_parse_flowspec(struct peer *peer, struct attr *attr,
- psize);
- return BGP_NLRI_PARSE_ERROR_PACKET_OVERFLOW;
- }
-+
-+ if (psize == 0) {
-+ flog_err(EC_BGP_FLOWSPEC_PACKET,
-+ "Flowspec NLRI length 0 which makes no sense");
-+ return BGP_NLRI_PARSE_ERROR_PACKET_OVERFLOW;
-+ }
-+
- if (bgp_fs_nlri_validate(pnt, psize, afi) < 0) {
- flog_err(
- EC_BGP_FLOWSPEC_PACKET,
---
-2.35.3
-
diff --git a/0019-bgpd-fix-error-handling-when-receiving-BGP-Prefix-SID-attribute.patch b/0019-bgpd-fix-error-handling-when-receiving-BGP-Prefix-SID-attribute.patch
deleted file mode 100644
index 624015b..0000000
--- a/0019-bgpd-fix-error-handling-when-receiving-BGP-Prefix-SID-attribute.patch
+++ /dev/null
@@ -1,121 +0,0 @@
-From 51679e4504546584d98673b76ed8e12a8bc74fe0 Mon Sep 17 00:00:00 2001
-From: Donatas Abraitis
-Date: Wed, 27 Mar 2024 18:42:56 +0200
-Subject: [PATCH 1/2] bgpd: Fix error handling when receiving BGP Prefix SID
- attribute
-References: bsc#1222518 CVE-2024-31948 gh#FRRouting/frr#15628
-
-
-Without this patch, we always set the BGP Prefix SID attribute flag without
-checking if it's malformed or not. RFC8669 says that this attribute MUST be discarded.
-
-Also, this fixes the bgpd crash when a malformed Prefix SID attribute is received,
-with malformed transitive flags and/or TLVs.
-
-Reported-by: Iggy Frankovic
-Signed-off-by: Donatas Abraitis
-(cherry picked from commit ba6a8f1a31e1a88df2de69ea46068e8bd9b97138)
----
- bgpd/bgp_attr.c | 5 +++--
- 1 file changed, 3 insertions(+), 2 deletions(-)
-
-diff --git a/bgpd/bgp_attr.c b/bgpd/bgp_attr.c
-index 7144c4bfa73d..2e2845b8fa7e 100644
---- a/bgpd/bgp_attr.c
-+++ b/bgpd/bgp_attr.c
-@@ -1400,6 +1400,7 @@ bgp_attr_malformed(struct bgp_attr_parser_args *args, uint8_t subcode,
- case BGP_ATTR_AS4_AGGREGATOR:
- case BGP_ATTR_AGGREGATOR:
- case BGP_ATTR_ATOMIC_AGGREGATE:
-+ case BGP_ATTR_PREFIX_SID:
- return BGP_ATTR_PARSE_PROCEED;
-
- /* Core attributes, particularly ones which may influence route
-@@ -3146,8 +3147,6 @@ enum bgp_attr_parse_ret bgp_attr_prefix_sid(struct bgp_attr_parser_args *args)
- struct attr *const attr = args->attr;
- enum bgp_attr_parse_ret ret;
-
-- attr->flag |= ATTR_FLAG_BIT(BGP_ATTR_PREFIX_SID);
--
- uint8_t type;
- uint16_t length;
- size_t headersz = sizeof(type) + sizeof(length);
-@@ -3197,6 +3196,8 @@ enum bgp_attr_parse_ret bgp_attr_prefix_sid(struct bgp_attr_parser_args *args)
- }
- }
-
-+ SET_FLAG(attr->flag, ATTR_FLAG_BIT(BGP_ATTR_PREFIX_SID));
-+
- return BGP_ATTR_PARSE_PROCEED;
- }
-
-
-From 9240abccb564043c85180916b77cad5b194a49c9 Mon Sep 17 00:00:00 2001
-From: Donatas Abraitis
-Date: Wed, 27 Mar 2024 19:08:38 +0200
-Subject: [PATCH 2/2] bgpd: Prevent from one more CVE triggering this place
-References: bsc#1222518 CVE-2024-31948 gh#FRRouting/frr#15628
-Upstream: submitted
-
-If we receive an attribute that is handled by bgp_attr_malformed(), use
-treat-as-withdraw behavior for unknown (or missing to add - if new) attributes.
-
-Signed-off-by: Donatas Abraitis
-(cherry picked from commit babb23b74855e23c987a63f8256d24e28c044d07)
----
- bgpd/bgp_attr.c | 33 ++++++++++++++++++++++-----------
- 1 file changed, 22 insertions(+), 11 deletions(-)
-
-diff --git a/bgpd/bgp_attr.c b/bgpd/bgp_attr.c
-index 2e2845b8fa7e..7570598a3d7f 100644
---- a/bgpd/bgp_attr.c
-+++ b/bgpd/bgp_attr.c
-@@ -1391,6 +1391,15 @@ bgp_attr_malformed(struct bgp_attr_parser_args *args, uint8_t subcode,
- (args->startp - STREAM_DATA(BGP_INPUT(peer)))
- + args->total);
-
-+ /* Partial optional attributes that are malformed should not cause
-+ * the whole session to be reset. Instead treat it as a withdrawal
-+ * of the routes, if possible.
-+ */
-+ if (CHECK_FLAG(flags, BGP_ATTR_FLAG_TRANS) &&
-+ CHECK_FLAG(flags, BGP_ATTR_FLAG_OPTIONAL) &&
-+ CHECK_FLAG(flags, BGP_ATTR_FLAG_PARTIAL))
-+ return BGP_ATTR_PARSE_WITHDRAW;
-+
- switch (args->type) {
- /* where an attribute is relatively inconsequential, e.g. it does not
- * affect route selection, and can be safely ignored, then any such
-@@ -1425,19 +1434,21 @@ bgp_attr_malformed(struct bgp_attr_parser_args *args, uint8_t subcode,
- bgp_notify_send_with_data(peer, BGP_NOTIFY_UPDATE_ERR, subcode,
- notify_datap, length);
- return BGP_ATTR_PARSE_ERROR;
-+ default:
-+ /* Unknown attributes, that are handled by this function
-+ * should be treated as withdraw, to prevent one more CVE
-+ * from being introduced.
-+ * RFC 7606 says:
-+ * The "treat-as-withdraw" approach is generally preferred
-+ * and the "session reset" approach is discouraged.
-+ */
-+ flog_err(EC_BGP_ATTR_FLAG,
-+ "%s(%u) attribute received, while it is not known how to handle it, treating as withdraw",
-+ lookup_msg(attr_str, args->type, NULL), args->type);
-+ break;
- }
-
-- /* Partial optional attributes that are malformed should not cause
-- * the whole session to be reset. Instead treat it as a withdrawal
-- * of the routes, if possible.
-- */
-- if (CHECK_FLAG(flags, BGP_ATTR_FLAG_TRANS)
-- && CHECK_FLAG(flags, BGP_ATTR_FLAG_OPTIONAL)
-- && CHECK_FLAG(flags, BGP_ATTR_FLAG_PARTIAL))
-- return BGP_ATTR_PARSE_WITHDRAW;
--
-- /* default to reset */
-- return BGP_ATTR_PARSE_ERROR_NOTIFYPLS;
-+ return BGP_ATTR_PARSE_WITHDRAW;
- }
-
- /* Find out what is wrong with the path attribute flag bits and log the error.
diff --git a/0020-ospfd-Solved-crash-in-OSPF-TE-parsing.patch b/0020-ospfd-Solved-crash-in-OSPF-TE-parsing.patch
deleted file mode 100644
index 2c1979e..0000000
--- a/0020-ospfd-Solved-crash-in-OSPF-TE-parsing.patch
+++ /dev/null
@@ -1,37 +0,0 @@
-From 285c19a3c665087720e1fea7d8d944c961c52288 Mon Sep 17 00:00:00 2001
-From: Olivier Dugeon
-Date: Mon, 26 Feb 2024 10:40:34 +0100
-Subject: [PATCH] ospfd: Solved crash in OSPF TE parsing
-Upstream: yes
-References: bsc#1220548, CVE-2024-27913, gh#FRRouting/frr#15431
-
-Iggy Frankovic discovered an ospfd crash when perfomring fuzzing of OSPF LSA
-packets. The crash occurs in ospf_te_parse_te() function when attemping to
-create corresponding egde from TE Link parameters. If there is no local
-address, an edge is created but without any attributes. During parsing, the
-function try to access to this attribute fields which has not been created
-causing an ospfd crash.
-
-The patch simply check if the te parser has found a valid local address. If not
-found, we stop the parser which avoid the crash.
-
-Signed-off-by: Olivier Dugeon
-
-diff --git a/ospfd/ospf_te.c b/ospfd/ospf_te.c
-index 75f4e0c9f0..45eb205759 100644
---- a/ospfd/ospf_te.c
-+++ b/ospfd/ospf_te.c
-@@ -2276,6 +2276,10 @@ static int ospf_te_parse_te(struct ls_ted *ted, struct ospf_lsa *lsa)
- }
-
- /* Get corresponding Edge from Link State Data Base */
-+ if (IPV4_NET0(attr.standard.local.s_addr) && !attr.standard.local_id) {
-+ ote_debug(" |- Found no TE Link local address/ID. Abort!");
-+ return -1;
-+ }
- edge = get_edge(ted, attr.adv, attr.standard.local);
- old = edge->attributes;
-
---
-2.35.3
-
diff --git a/0021-ospfd-Solved-crash-in-RI-parsing-with-OSPF-TE.patch b/0021-ospfd-Solved-crash-in-RI-parsing-with-OSPF-TE.patch
deleted file mode 100644
index 09ff0a3..0000000
--- a/0021-ospfd-Solved-crash-in-RI-parsing-with-OSPF-TE.patch
+++ /dev/null
@@ -1,67 +0,0 @@
-From 298704f1e73221172432e2a4afd79086ffcd4cca Mon Sep 17 00:00:00 2001
-From: Olivier Dugeon
-Date: Wed, 3 Apr 2024 16:28:23 +0200
-Upstream: yes
-References: CVE-2024-31950,bsc#1222526,gh#FRRouting/frr#16088
-Subject: [PATCH 1/3] ospfd: Solved crash in RI parsing with OSPF TE
-
-Iggy Frankovic discovered another ospfd crash when performing fuzzing of OSPF
-LSA packets. The crash occurs in ospf_te_parse_ri() function when attemping to
-read Segment Routing subTLVs. The original code doesn't check if the size of
-the SR subTLVs have the correct length. In presence of erronous LSA, this will
-cause a buffer overflow and ospfd crash.
-
-This patch introduces new verification of the subTLVs size for Router
-Information TLV.
-
-Co-authored-by: Iggy Frankovic
-Signed-off-by: Olivier Dugeon
-(cherry picked from commit f69d1313b19047d3d83fc2b36a518355b861dfc4)
----
- ospfd/ospf_te.c | 9 +++++++++
- 1 file changed, 9 insertions(+)
-
-diff --git a/ospfd/ospf_te.c b/ospfd/ospf_te.c
-index 45eb205759..885b915585 100644
---- a/ospfd/ospf_te.c
-+++ b/ospfd/ospf_te.c
-@@ -2483,6 +2483,9 @@ static int ospf_te_parse_ri(struct ls_ted *ted, struct ospf_lsa *lsa)
-
- switch (ntohs(tlvh->type)) {
- case RI_SR_TLV_SR_ALGORITHM:
-+ if (TLV_BODY_SIZE(tlvh) < 1 ||
-+ TLV_BODY_SIZE(tlvh) > ALGORITHM_COUNT)
-+ break;
- algo = (struct ri_sr_tlv_sr_algorithm *)tlvh;
-
- for (int i = 0; i < ntohs(algo->header.length); i++) {
-@@ -2507,6 +2510,8 @@ static int ospf_te_parse_ri(struct ls_ted *ted, struct ospf_lsa *lsa)
- break;
-
- case RI_SR_TLV_SRGB_LABEL_RANGE:
-+ if (TLV_BODY_SIZE(tlvh) != RI_SR_TLV_LABEL_RANGE_SIZE)
-+ break;
- range = (struct ri_sr_tlv_sid_label_range *)tlvh;
- size = GET_RANGE_SIZE(ntohl(range->size));
- lower = GET_LABEL(ntohl(range->lower.value));
-@@ -2524,6 +2529,8 @@ static int ospf_te_parse_ri(struct ls_ted *ted, struct ospf_lsa *lsa)
- break;
-
- case RI_SR_TLV_SRLB_LABEL_RANGE:
-+ if (TLV_BODY_SIZE(tlvh) != RI_SR_TLV_LABEL_RANGE_SIZE)
-+ break;
- range = (struct ri_sr_tlv_sid_label_range *)tlvh;
- size = GET_RANGE_SIZE(ntohl(range->size));
- lower = GET_LABEL(ntohl(range->lower.value));
-@@ -2541,6 +2548,8 @@ static int ospf_te_parse_ri(struct ls_ted *ted, struct ospf_lsa *lsa)
- break;
-
- case RI_SR_TLV_NODE_MSD:
-+ if (TLV_BODY_SIZE(tlvh) < RI_SR_TLV_NODE_MSD_SIZE)
-+ break;
- msd = (struct ri_sr_tlv_node_msd *)tlvh;
- if ((CHECK_FLAG(node->flags, LS_NODE_MSD))
- && (node->msd == msd->value))
---
-2.35.3
-
diff --git a/0022-ospfd-Correct-Opaque-LSA-Extended-parser.patch b/0022-ospfd-Correct-Opaque-LSA-Extended-parser.patch
deleted file mode 100644
index 2e2a40a..0000000
--- a/0022-ospfd-Correct-Opaque-LSA-Extended-parser.patch
+++ /dev/null
@@ -1,109 +0,0 @@
-From 4e70b09f24b72fbb27ff5eda63393bfd2a72ef37 Mon Sep 17 00:00:00 2001
-From: Olivier Dugeon
-Date: Fri, 5 Apr 2024 12:57:11 +0200
-Upstream: yes
-References: CVE-2024-31951,bsc#1222528,gh#FRRouting/frr#16088
-Subject: [PATCH 2/3] ospfd: Correct Opaque LSA Extended parser
-
-Iggy Frankovic discovered another ospfd crash when performing fuzzing of OSPF
-LSA packets. The crash occurs in ospf_te_parse_ext_link() function when
-attemping to read Segment Routing Adjacency SID subTLVs. The original code
-doesn't check if the size of the Extended Link TLVs and subTLVs have the correct
-length. In presence of erronous LSA, this will cause a buffer overflow and ospfd
-crashes.
-
-This patch introduces new verification of the subTLVs size for Extended Link
-TLVs and subTLVs. Similar check has been also introduced for the Extended
-Prefix TLV.
-
-Co-authored-by: Iggy Frankovic
-Signed-off-by: Olivier Dugeon
-(cherry picked from commit 5557a289acdaeec8cc63ffc97b5c2abf6dee7b3a)
----
- ospfd/ospf_te.c | 35 +++++++++++++++++++++++++++++++++--
- 1 file changed, 33 insertions(+), 2 deletions(-)
-
-diff --git a/ospfd/ospf_te.c b/ospfd/ospf_te.c
-index 885b915585..23a1b181ec 100644
---- a/ospfd/ospf_te.c
-+++ b/ospfd/ospf_te.c
-@@ -2647,6 +2647,7 @@ static int ospf_te_parse_ext_pref(struct ls_ted *ted, struct ospf_lsa *lsa)
- struct ext_tlv_prefix *ext;
- struct ext_subtlv_prefix_sid *pref_sid;
- uint32_t label;
-+ uint16_t len, size;
-
- /* Get corresponding Subnet from Link State Data Base */
- ext = (struct ext_tlv_prefix *)TLV_HDR_TOP(lsa->data);
-@@ -2668,6 +2669,18 @@ static int ospf_te_parse_ext_pref(struct ls_ted *ted, struct ospf_lsa *lsa)
- ote_debug(" |- Process Extended Prefix LSA %pI4 for subnet %pFX",
- &lsa->data->id, &pref);
-
-+ /*
-+ * Check Extended Prefix TLV size against LSA size
-+ * as only one TLV is allowed per LSA
-+ */
-+ len = TLV_BODY_SIZE(&ext->header);
-+ size = lsa->size - (OSPF_LSA_HEADER_SIZE + TLV_HDR_SIZE);
-+ if (len != size || len <= 0) {
-+ ote_debug(" |- Wrong TLV size: %u instead of %u",
-+ (uint32_t)len, (uint32_t)size);
-+ return -1;
-+ }
-+
- /* Initialize TLV browsing */
- ls_pref = subnet->ls_pref;
- pref_sid = (struct ext_subtlv_prefix_sid *)((char *)(ext) + TLV_HDR_SIZE
-@@ -2778,8 +2791,20 @@ static int ospf_te_parse_ext_link(struct ls_ted *ted, struct ospf_lsa *lsa)
- ote_debug(" |- Process Extended Link LSA %pI4 for edge %pI4",
- &lsa->data->id, &edge->attributes->standard.local);
-
-- /* Initialize TLV browsing */
-- len = TLV_BODY_SIZE(&ext->header) - EXT_TLV_LINK_SIZE;
-+ /*
-+ * Check Extended Link TLV size against LSA size
-+ * as only one TLV is allowed per LSA
-+ */
-+ len = TLV_BODY_SIZE(&ext->header);
-+ i = lsa->size - (OSPF_LSA_HEADER_SIZE + TLV_HDR_SIZE);
-+ if (len != i || len <= 0) {
-+ ote_debug(" |- Wrong TLV size: %u instead of %u",
-+ (uint32_t)len, (uint32_t)i);
-+ return -1;
-+ }
-+
-+ /* Initialize subTLVs browsing */
-+ len -= EXT_TLV_LINK_SIZE;
- tlvh = (struct tlv_header *)((char *)(ext) + TLV_HDR_SIZE
- + EXT_TLV_LINK_SIZE);
- for (; sum < len; tlvh = TLV_HDR_NEXT(tlvh)) {
-@@ -2789,6 +2814,8 @@ static int ospf_te_parse_ext_link(struct ls_ted *ted, struct ospf_lsa *lsa)
-
- switch (ntohs(tlvh->type)) {
- case EXT_SUBTLV_ADJ_SID:
-+ if (TLV_BODY_SIZE(tlvh) != EXT_SUBTLV_ADJ_SID_SIZE)
-+ break;
- adj = (struct ext_subtlv_adj_sid *)tlvh;
- label = CHECK_FLAG(adj->flags,
- EXT_SUBTLV_LINK_ADJ_SID_VFLG)
-@@ -2815,6 +2842,8 @@ static int ospf_te_parse_ext_link(struct ls_ted *ted, struct ospf_lsa *lsa)
-
- break;
- case EXT_SUBTLV_LAN_ADJ_SID:
-+ if (TLV_BODY_SIZE(tlvh) != EXT_SUBTLV_LAN_ADJ_SID_SIZE)
-+ break;
- ladj = (struct ext_subtlv_lan_adj_sid *)tlvh;
- label = CHECK_FLAG(ladj->flags,
- EXT_SUBTLV_LINK_ADJ_SID_VFLG)
-@@ -2844,6 +2873,8 @@ static int ospf_te_parse_ext_link(struct ls_ted *ted, struct ospf_lsa *lsa)
-
- break;
- case EXT_SUBTLV_RMT_ITF_ADDR:
-+ if (TLV_BODY_SIZE(tlvh) != EXT_SUBTLV_RMT_ITF_ADDR_SIZE)
-+ break;
- rmt = (struct ext_subtlv_rmt_itf_addr *)tlvh;
- if (CHECK_FLAG(atr->flags, LS_ATTR_NEIGH_ADDR)
- && IPV4_ADDR_SAME(&atr->standard.remote,
---
-2.35.3
-
diff --git a/0023-ospfd-protect-call-to-get_edge-in-ospf_te.c.patch b/0023-ospfd-protect-call-to-get_edge-in-ospf_te.c.patch
deleted file mode 100644
index e6073bf..0000000
--- a/0023-ospfd-protect-call-to-get_edge-in-ospf_te.c.patch
+++ /dev/null
@@ -1,82 +0,0 @@
-From cef38442420aeac8e163f8aa55f1b985908f993c Mon Sep 17 00:00:00 2001
-From: Olivier Dugeon
-Date: Tue, 16 Apr 2024 16:42:06 +0200
-Upstream: yes
-References: CVE-2024-34088,bsc#1223786,gh#FRRouting/frr#16088
-Subject: [PATCH 3/3] ospfd: protect call to get_edge() in ospf_te.c
-
-During fuzzing, Iggy Frankovic discovered that get_edge() function in ospf_te.c
-could return null pointer, in particular when the link_id or advertised router
-IP addresses are fuzzed. As the null pointer returned by get_edge() function is
-not handlei by calling functions, this could cause ospfd crash.
-
-This patch introduces new verification of returned pointer by get_edge()
-function and stop the processing in case of null pointer. In addition, link ID
-and advertiser router ID are validated before calling ls_find_edge_by_key() to
-avoid the creation of a new edge with an invalid key.
-
-CVE-2024-34088
-
-Co-authored-by: Iggy Frankovic
-Signed-off-by: Olivier Dugeon
-(cherry picked from commit 8c177d69e32b91b45bda5fc5da6511fa03dc11ca)
----
- ospfd/ospf_te.c | 19 ++++++++++++++++---
- 1 file changed, 16 insertions(+), 3 deletions(-)
-
-diff --git a/ospfd/ospf_te.c b/ospfd/ospf_te.c
-index 23a1b181ec..d1f114e30a 100644
---- a/ospfd/ospf_te.c
-+++ b/ospfd/ospf_te.c
-@@ -1686,6 +1686,11 @@ static struct ls_edge *get_edge(struct ls_ted *ted, struct ls_node_id adv,
- struct ls_edge *edge;
- struct ls_attributes *attr;
-
-+ /* Check that Link ID and Node ID are valid */
-+ if (IPV4_NET0(link_id.s_addr) || IPV4_NET0(adv.id.ip.addr.s_addr) ||
-+ adv.origin != OSPFv2)
-+ return NULL;
-+
- /* Search Edge that corresponds to the Link ID */
- key = ((uint64_t)ntohl(link_id.s_addr)) & 0xffffffff;
- edge = ls_find_edge_by_key(ted, key);
-@@ -1758,6 +1763,10 @@ static void ospf_te_update_link(struct ls_ted *ted, struct ls_vertex *vertex,
-
- /* Get Corresponding Edge from Link State Data Base */
- edge = get_edge(ted, vertex->node->adv, link_data);
-+ if (!edge) {
-+ ote_debug(" |- Found no edge from Link Data. Abort!");
-+ return;
-+ }
- attr = edge->attributes;
-
- /* re-attached edge to vertex if needed */
-@@ -2276,11 +2285,11 @@ static int ospf_te_parse_te(struct ls_ted *ted, struct ospf_lsa *lsa)
- }
-
- /* Get corresponding Edge from Link State Data Base */
-- if (IPV4_NET0(attr.standard.local.s_addr) && !attr.standard.local_id) {
-- ote_debug(" |- Found no TE Link local address/ID. Abort!");
-+ edge = get_edge(ted, attr.adv, attr.standard.local);
-+ if (!edge) {
-+ ote_debug(" |- Found no edge from Link local add./ID. Abort!");
- return -1;
- }
-- edge = get_edge(ted, attr.adv, attr.standard.local);
- old = edge->attributes;
-
- ote_debug(" |- Process Traffic Engineering LSA %pI4 for Edge %pI4",
-@@ -2786,6 +2795,10 @@ static int ospf_te_parse_ext_link(struct ls_ted *ted, struct ospf_lsa *lsa)
- lnid.id.ip.area_id = lsa->area->area_id;
- ext = (struct ext_tlv_link *)TLV_HDR_TOP(lsa->data);
- edge = get_edge(ted, lnid, ext->link_data);
-+ if (!edge) {
-+ ote_debug(" |- Found no edge from Extended Link Data. Abort!");
-+ return -1;
-+ }
- atr = edge->attributes;
-
- ote_debug(" |- Process Extended Link LSA %pI4 for edge %pI4",
---
-2.35.3
-
diff --git a/frr-10.0.1.tar.gz b/frr-10.0.1.tar.gz
new file mode 100644
index 0000000..1eee213
--- /dev/null
+++ b/frr-10.0.1.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:56ea357c56ea55e19101fcf9824252c45ab3b6b419a7a29ead8028c96863e0e2
+size 10963132
diff --git a/frr-8.4.tar.gz b/frr-8.4.tar.gz
deleted file mode 100644
index cdfba41..0000000
--- a/frr-8.4.tar.gz
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:4fe5dccf6d41218c3012c2b09c85c4cd65a96299ab400e487191515232f0ee8a
-size 9883194
diff --git a/frr.changes b/frr.changes
index d421f56..e942c5d 100644
--- a/frr.changes
+++ b/frr.changes
@@ -1,4 +1,38 @@ ------------------------------------------------------------------- +Fri Aug 9 14:14:10 UTC 2024 - Erico Mendonca + +- Fixing Source URL/archive name. + +------------------------------------------------------------------- +Sun Jul 28 20:21:43 UTC 2024 - Erico Mendonca - 10.0.1 + +- Update to version 10.0.1 from official sources. +- Clean slate: removing all previous patches. +- The following patches were obsoleted: + - 0001-disable-zmq-test.patch + - harden_frr.service.patch + - 0003-tools-Run-as-FRR_USER-install-chown-commands-to-avoi.patch + - 0004-tools-remove-backslash-from-declare-check-regex.patch + - 0005-root-ok-in-account-frr.pam.patch + - 0006-bgpd-Check-7-bytes-for-Long-lived-Graceful-Restart-c.patch + - 0007-bgpd-Ensure-stream-received-has-enough-data.patch + - 0008-bgpd-Don-t-read-the-first-byte-of-ORF-header-if-we-a.patch + - 0009-bgpd-Do-not-process-NLRIs-if-the-attribute-length-is.patch + - 0010-bgpd-Use-treat-as-withdraw-for-tunnel-encapsulation-.patch + - 0011-babeld-fix-11808-to-avoid-infinite-loops.patch + - 0012-bgpd-Limit-flowspec-to-no-attribute-means-a-implicit.patch + - 0013-bgpd-Check-mandatory-attributes-more-carefully-for-U.patch + - 0014-bgpd-Handle-MP_REACH_NLRI-malformed-packets-with-ses.patch + - 0015-bgpd-Treat-EOR-as-withdrawn-to-avoid-unwanted-handli.patch + - 0016-bgpd-Ignore-handling-NLRIs-if-we-received-MP_UNREACH.patch + - 0017-bgpd-Fix-use-beyond-end-of-stream-of-labeled-unicast.patch + - 0018-bgpd-Flowspec-overflow-issue.patch + - 0019-bgpd-fix-error-handling-when-receiving-BGP-Prefix-SID-attribute.patch + - 0020-ospfd-Solved-crash-in-OSPF-TE-parsing.patch + - 0021-ospfd-Solved-crash-in-RI-parsing-with-OSPF-TE.patch + - 0022-ospfd-Correct-Opaque-LSA-Extended-parser.patch + - 0023-ospfd-protect-call-to-get_edge-in-ospf_te.c.patch +------------------------------------------------------------------- Tue Jun 4 21:27:48 UTC 2024 - Marius Tomaschewski - Apply upstream fix solving ospfd denial of service via 
get_edge() diff --git a/frr.spec b/frr.spec index be0610b..8e7c92b 100644 --- a/frr.spec +++ b/frr.spec 
@@ -30,38 +30,15 @@
 %define frr_daemondir %{_prefix}/lib/frr
 Name: frr
-Version: 8.4
+Version: 10.0.1
 Release: 0
-Summary: FRRouting Routing daemon
+Summary: The FRRouting Protocol Suite
 License: GPL-2.0-or-later AND LGPL-2.1-or-later
 Group: Productivity/Networking/System
 URL: https://www.frrouting.org
 #Git-Clone: https://github.com/FRRouting/frr.git
 Source: https://github.com/FRRouting/frr/archive/refs/tags/%{name}-%{version}.tar.gz
 Source1: %{name}-tmpfiles.d
-Patch1: 0001-disable-zmq-test.patch
-Patch2: harden_frr.service.patch
-Patch3: 0003-tools-Run-as-FRR_USER-install-chown-commands-to-avoi.patch
-Patch4: 0004-tools-remove-backslash-from-declare-check-regex.patch
-Patch5: 0005-root-ok-in-account-frr.pam.patch
-Patch6: 0006-bgpd-Check-7-bytes-for-Long-lived-Graceful-Restart-c.patch
-Patch7: 0007-bgpd-Ensure-stream-received-has-enough-data.patch
-Patch8: 0008-bgpd-Don-t-read-the-first-byte-of-ORF-header-if-we-a.patch
-Patch9: 0009-bgpd-Do-not-process-NLRIs-if-the-attribute-length-is.patch
-Patch10: 0010-bgpd-Use-treat-as-withdraw-for-tunnel-encapsulation-.patch
-Patch11: 0011-babeld-fix-11808-to-avoid-infinite-loops.patch
-Patch12: 0012-bgpd-Limit-flowspec-to-no-attribute-means-a-implicit.patch
-Patch13: 0013-bgpd-Check-mandatory-attributes-more-carefully-for-U.patch
-Patch14: 0014-bgpd-Handle-MP_REACH_NLRI-malformed-packets-with-ses.patch
-Patch15: 0015-bgpd-Treat-EOR-as-withdrawn-to-avoid-unwanted-handli.patch
-Patch16: 0016-bgpd-Ignore-handling-NLRIs-if-we-received-MP_UNREACH.patch
-Patch17: 0017-bgpd-Fix-use-beyond-end-of-stream-of-labeled-unicast.patch
-Patch18: 0018-bgpd-Flowspec-overflow-issue.patch
-Patch19: 0019-bgpd-fix-error-handling-when-receiving-BGP-Prefix-SID-attribute.patch
-Patch20: 0020-ospfd-Solved-crash-in-OSPF-TE-parsing.patch
-Patch21: 0021-ospfd-Solved-crash-in-RI-parsing-with-OSPF-TE.patch
-Patch22: 0022-ospfd-Correct-Opaque-LSA-Extended-parser.patch
-Patch23: 0023-ospfd-protect-call-to-get_edge-in-ospf_te.c.patch
 BuildRequires: autoconf
 BuildRequires: automake
 BuildRequires: bison >= 2.7
@@ -89,6 +66,10 @@ BuildRequires: pkgconfig(libcares)
 BuildRequires: pkgconfig(libelf)
 BuildRequires: pkgconfig(libpcre)
 BuildRequires: pkgconfig(libprotobuf-c)
+%if 0%{?sle_version} == 150500
+BuildRequires: libprotoc25_1_0
+BuildRequires: libyang1
+%endif
 BuildRequires: pkgconfig(libsystemd)
 BuildRequires: pkgconfig(libyang) >= 2.0.0
 BuildRequires: pkgconfig(libzmq) >= 4.0.0
@@ -97,7 +78,7 @@ BuildRequires: pkgconfig(sqlite3)
 Requires(post): %{install_info_prereq}
 Requires(pre): %{install_info_prereq}
 Requires(pre): shadow
-Requires(preun):%{install_info_prereq}
+Requires(preun): %{install_info_prereq}
 Recommends: logrotate
 Conflicts: quagga
 Provides: zebra = %{version}
@@ -107,11 +88,24 @@ Provides: group(%{frrvty_group})
 Provides: user(%{frr_user})
 %description
-FRR is free software which manages TCP/IP based routing protocols.
-It supports BGP4, BGP4+, OSPFv2, OSPFv3, IS-IS, RIPv1, RIPv2, RIPng,
-PIM and LDP as well as the IPv6 versions of these.
-
-FRR is a fork of Quagga..
+FRR is free software that implements and manages various IPv4 and IPv6 routing protocols.
+FRR currently supports the following protocols:
+- BGP
+- OSPFv2
+- OSPFv3
+- RIPv1
+- RIPv2
+- RIPng
+- IS-IS
+- PIM-SM/MSDP
+- LDP
+- BFD
+- Babel
+- PBR
+- OpenFabric
+- VRRP
+- EIGRP (alpha)
+- NHRP (alpha)
 %package -n libfrrfpm_pb0
 Summary: FRRouting fpm protobuf library
@@ -174,12 +168,12 @@ Group: System/Libraries
 This library contains various utility functions to FRRouting, such as data types, buffers and socket handling.
-%package -n libmlag_pb0
+%package -n libmgmt_be_nb0
 Summary: FRRouting utility library
 Group: System/Libraries
-%description -n libmlag_pb0
-This library contains part of the mlag implementation of FRRouting.
+%description -n libmgmt_be_nb0
+This library contains part of the mgmt_be implementation of FRRouting.
 %package devel
 Summary: Header and object files for frr development
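Review bot: Dropping `Patch2: harden_frr.service.patch` in the `@@ -30,38 +30,15 @@` hunk removes the packaging-side systemd sandboxing (`ProtectSystem=full`, `ProtectHome=true`, `ProtectKernelModules=true` and the rest of that block), and nothing else in this commit puts it back. The changelog lists all 23 patches as obsoleted, but that patch marks its lines as "added automatically" by the openSUSE hardening effort, so it is presumably a distribution patch rather than something 10.0.1 already contains. Unless the 10.0.1 unit files were checked to carry these directives, keep the line `Patch2: harden_frr.service.patch` and rebase the patch onto the new `tools/frr.service.in` and `tools/frr@.service.in`. `Patch3` (CVE-2022-42917, whose header says "Upstream: submitted") and `Patch5` deserve the same check before being called obsolete.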
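Review bot: The `%if 0%{?sle_version} == 150500` block in the `@@ -89,6 +66,10 @@` hunk names two library packages directly with no comment saying why, and `libyang1` sits next to the unchanged `pkgconfig(libyang) >= 2.0.0` requirement, which, going by its name, it would not satisfy. A one-line comment above the block would record the reason for the next maintainer, for example `# SLE 15 SP5: <reason these packages must be named explicitly>`. If `libyang1` is not actually needed for the build, it is better left out so the build does not pull in a second libyang version.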
@@ -194,7 +188,7 @@ Requires: libfrrgrpc_pb0 = %{version}
 Requires: libfrrospfapiclient0 = %{version}
 Requires: libfrrsnmp0 = %{version}
 Requires: libfrrzmq0 = %{version}
-Requires: libmlag_pb0 = %{version}
+Requires: libmgmt_be_nb0 = %{version}
 %description devel
 The frr-devel package contains the header and object files necessary for
@@ -385,11 +379,11 @@ done
 %post -n libfrrcares0 -p /sbin/ldconfig
 %postun -n libfrrcares0 -p /sbin/ldconfig
-%post -n libmlag_pb0 -p /sbin/ldconfig
-%postun -n libmlag_pb0 -p /sbin/ldconfig
+%post -n libmgmt_be_nb0 -p /sbin/ldconfig
+%postun -n libmgmt_be_nb0 -p /sbin/ldconfig
 %files
-%license COPYING COPYING-LGPLv2.1
+%license COPYING
 %doc README.md
 %doc doc/mpls
 %dir %attr(750,%{frr_user},%{frr_user}) %{_sysconfdir}/%{name}
@@ -433,6 +427,7 @@ done
 %{frr_daemondir}/frrinit.sh
 %{frr_daemondir}/isisd
 %{frr_daemondir}/ldpd
+%{frr_daemondir}/mgmtd
 %{frr_daemondir}/nhrpd
 %{frr_daemondir}/ospfclient.py
 %{frr_daemondir}/ospf6d
@@ -489,8 +484,8 @@ done
 %files -n libfrrcares0
 %{_libdir}/libfrrcares.so.0*
-%files -n libmlag_pb0
-%{_libdir}/libmlag_pb.so.0*
+%files -n libmgmt_be_nb0
+%{_libdir}/libmgmt_be_nb.so.0*
 %files devel
 %dir %{_includedir}/%{name}
diff --git a/harden_frr.service.patch b/harden_frr.service.patch
deleted file mode 100644
index daef202..0000000
--- a/harden_frr.service.patch
+++ /dev/null
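Review bot: `%license COPYING` in the `@@ -385,11 +379,11 @@` hunk of frr.spec stops shipping the LGPL text, while the `License:` tag left unchanged in the first hunk still reads `GPL-2.0-or-later AND LGPL-2.1-or-later`. One of the two should change: if 10.0.1 still contains LGPL code and upstream only moved the licence file, add its new path to `%license`; if not, reduce the tag to `License: GPL-2.0-or-later`. The changelog entry mentions neither.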
@@ -1,42 +0,0 @@
-Index: frr-frr-8.1/tools/frr.service.in
-===================================================================
---- frr-frr-8.1.orig/tools/frr.service.in
-+++ frr-frr-8.1/tools/frr.service.in
-@@ -7,6 +7,16 @@ Before=network.target
- OnFailure=heartbeat-failed@%n
-
- [Service]
-+# added automatically, for details please see
-+# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
-+ProtectSystem=full
-+ReadWritePaths=/etc/frr
-+ProtectHome=true
-+ProtectKernelModules=true
-+ProtectKernelLogs=true
-+ProtectControlGroups=true
-+RestrictRealtime=true
-+# end of automatic additions
- Nice=-5
- Type=forking
- NotifyAccess=all
-Index: frr-frr-8.1/tools/frr@.service.in
-===================================================================
---- frr-frr-8.1.orig/tools/frr@.service.in
-+++ frr-frr-8.1/tools/frr@.service.in
-@@ -7,6 +7,16 @@ Before=network.target
- OnFailure=heartbeat-failed@%n
-
- [Service]
-+# added automatically, for details please see
-+# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
-+ProtectSystem=full
-+ReadWritePaths=/etc/frr
-+ProtectHome=true
-+ProtectKernelModules=true
-+ProtectKernelLogs=true
-+ProtectControlGroups=true
-+RestrictRealtime=true
-+# end of automatic additions
- Nice=-5
- Type=forking
- NotifyAccess=all