Accepting request 1108163 from home:mtomaschewski:frr

- Removed protobuf-c BuildRequires (source package name) breaking
  build-system setup with libprotobuf-c-devel 1.3.2 updates.
- Apply upstream fix for bgpd: Don't read initial byte of the ORF
  header in an ahead-of-stream situation (CVE-2023-41360,
  bsc#1214739,https://github.com/FRRouting/frr/pull/14245)
  [+ 0008-bgpd-Don-t-read-the-first-byte-of-ORF-header-if-we-a.patch]
- Apply upstream fix for bgpd: Do not process NLRIs if the attribute
  length is zero (CVE-2023-41358,bsc#1214735,
  https://github.com/FRRouting/frr/pull/14260)
  [+ 0009-bgpd-Do-not-process-NLRIs-if-the-attribute-length-is.patch]
- Apply upstream fix bgpd: Use treat-as-withdraw for tunnel encapsulation
  attribute instead of session reset (CVE-2023-38802,bsc#1213284,
  https://github.com/FRRouting/frr/pull/14290)
  [+ 0010-bgpd-Use-treat-as-withdraw-for-tunnel-encapsulation-.patch]
- Apply upstream fix babeld: avoid infinite loops (CVE-2023-3748,bsc#1213434,
  gh#FRRouting/frr#11808,https://github.com/FRRouting/frr/pull/12952)
  [+ 0011-babeld-fix-11808-to-avoid-infinite-loops.patch]

OBS-URL: https://build.opensuse.org/request/show/1108163
OBS-URL: https://build.opensuse.org/package/show/network/frr?expand=0&rev=51

0008-bgpd-Don-t-read-the-first-byte-of-ORF-header-if-we-a.patch

@@ -0,0 +1,29 @@
+From a6c5ef48cb086b94a5b911af4ee9f675213fb14b Mon Sep 17 00:00:00 2001
+From: Donatas Abraitis <donatas@opensourcerouting.org>
+Date: Sun, 20 Aug 2023 22:15:27 +0300
+Upstream: yes
+References: CVE-2023-41360,bsc#1214739,https://github.com/FRRouting/frr/pull/14245
+Subject: [PATCH] bgpd: Don't read the first byte of ORF header if we are ahead
+ of stream
+
+Reported-by: Iggy Frankovic iggyfran@amazon.com
+Signed-off-by: Donatas Abraitis <donatas@opensourcerouting.org>
+Signed-off-by: Marius Tomaschewski <mt@suse.com>
+
+diff --git a/bgpd/bgp_packet.c b/bgpd/bgp_packet.c
+index 72d6a92317..4947dbc21d 100644
+--- a/bgpd/bgp_packet.c
++++ b/bgpd/bgp_packet.c
+@@ -2375,7 +2375,8 @@ static int bgp_route_refresh_receive(struct peer *peer, bgp_size_t size)
+ 				 * and 7 bytes of ORF Address-filter entry from
+ 				 * the stream
+ 				 */
+-				if (*p_pnt & ORF_COMMON_PART_REMOVE_ALL) {
++				if (p_pnt < p_end &&
++				    *p_pnt & ORF_COMMON_PART_REMOVE_ALL) {
+ 					if (bgp_debug_neighbor_events(peer))
+ 						zlog_debug(
+ 							"%pBP rcvd Remove-All pfxlist ORF request",
+-- 
+2.35.3
+

0009-bgpd-Do-not-process-NLRIs-if-the-attribute-length-is.patch

@@ -0,0 +1,100 @@
+From e51ca641b4a96e575be069aeea922e31f7b8dfa4 Mon Sep 17 00:00:00 2001
+From: Donatas Abraitis <donatas@opensourcerouting.org>
+Date: Tue, 22 Aug 2023 22:52:04 +0300
+Upstream: yes
+References: CVE-2023-41358,bsc#1214735,https://github.com/FRRouting/frr/pull/14260
+Subject: [PATCH] bgpd: Do not process NLRIs if the attribute length is
+ zero
+
+```
+3  0x00007f423aa42476 in __GI_raise (sig=sig@entry=11) at ../sysdeps/posix/raise.c:26
+4  0x00007f423aef9740 in core_handler (signo=11, siginfo=0x7fffc414deb0, context=<optimized out>) at lib/sigevent.c:246
+5  <signal handler called>
+6  0x0000564dea2fc71e in route_set_aspath_prepend (rule=0x564debd66d50, prefix=0x7fffc414ea30, object=0x7fffc414e400)
+    at bgpd/bgp_routemap.c:2258
+7  0x00007f423aeec7e0 in route_map_apply_ext (map=<optimized out>, prefix=prefix@entry=0x7fffc414ea30,
+    match_object=match_object@entry=0x7fffc414e400, set_object=set_object@entry=0x7fffc414e400, pref=pref@entry=0x0) at lib/routemap.c:2690
+8  0x0000564dea2d277e in bgp_input_modifier (peer=peer@entry=0x7f4238f59010, p=p@entry=0x7fffc414ea30, attr=attr@entry=0x7fffc414e770,
+    afi=afi@entry=AFI_IP, safi=safi@entry=SAFI_UNICAST, rmap_name=rmap_name@entry=0x0, label=0x0, num_labels=0, dest=0x564debdd5130)
+    at bgpd/bgp_route.c:1772
+9  0x0000564dea2df762 in bgp_update (peer=peer@entry=0x7f4238f59010, p=p@entry=0x7fffc414ea30, addpath_id=addpath_id@entry=0,
+    attr=0x7fffc414eb50, afi=afi@entry=AFI_IP, safi=<optimized out>, safi@entry=SAFI_UNICAST, type=9, sub_type=0, prd=0x0, label=0x0,
+    num_labels=0, soft_reconfig=0, evpn=0x0) at bgpd/bgp_route.c:4374
+10 0x0000564dea2e2047 in bgp_nlri_parse_ip (peer=0x7f4238f59010, attr=attr@entry=0x7fffc414eb50, packet=0x7fffc414eaf0)
+    at bgpd/bgp_route.c:6249
+11 0x0000564dea2c5a58 in bgp_nlri_parse (peer=peer@entry=0x7f4238f59010, attr=attr@entry=0x7fffc414eb50,
+    packet=packet@entry=0x7fffc414eaf0, mp_withdraw=mp_withdraw@entry=false) at bgpd/bgp_packet.c:339
+12 0x0000564dea2c5d66 in bgp_update_receive (peer=peer@entry=0x7f4238f59010, size=size@entry=109) at bgpd/bgp_packet.c:2024
+13 0x0000564dea2c901d in bgp_process_packet (thread=<optimized out>) at bgpd/bgp_packet.c:2933
+14 0x00007f423af0bf71 in event_call (thread=thread@entry=0x7fffc414ee40) at lib/event.c:1995
+15 0x00007f423aebb198 in frr_run (master=0x564deb73c670) at lib/libfrr.c:1213
+16 0x0000564dea261b83 in main (argc=<optimized out>, argv=<optimized out>) at bgpd/bgp_main.c:505
+```
+
+With the configuration:
+
+```
+frr version 9.1-dev-MyOwnFRRVersion
+frr defaults traditional
+hostname ip-172-31-13-140
+log file /tmp/debug.log
+log syslog
+service integrated-vtysh-config
+!
+debug bgp keepalives
+debug bgp neighbor-events
+debug bgp updates in
+debug bgp updates out
+!
+router bgp 100
+ bgp router-id 9.9.9.9
+ no bgp ebgp-requires-policy
+ bgp bestpath aigp
+ neighbor 172.31.2.47 remote-as 200
+ !
+ address-family ipv4 unicast
+  neighbor 172.31.2.47 default-originate
+  neighbor 172.31.2.47 route-map RM_IN in
+ exit-address-family
+exit
+!
+route-map RM_IN permit 10
+ set as-path prepend 200
+exit
+!
+```
+
+The issue is that we try to process NLRIs even if the attribute length is 0.
+
+Later bgp_update() will handle route-maps and a crash occurs because all the
+attributes are NULL, including aspath, where we dereference.
+
+According to the RFC 4271:
+
+A value of 0 indicates that neither the Network Layer
+         Reachability Information field nor the Path Attribute field is
+         present in this UPDATE message.
+
+But with a fuzzed UPDATE message this can be faked. I think it's reasonable
+to skip processing NLRIs if both update_len and attribute_len are 0.
+
+Reported-by: Iggy Frankovic <iggyfran@amazon.com>
+Signed-off-by: Donatas Abraitis <donatas@opensourcerouting.org>
+Signed-off-by: Marius Tomaschewski <mt@suse.com>
+
+diff --git a/bgpd/bgp_packet.c b/bgpd/bgp_packet.c
+index 4947dbc21d..1ef421028f 100644
+--- a/bgpd/bgp_packet.c
++++ b/bgpd/bgp_packet.c
+@@ -1951,7 +1951,7 @@ static int bgp_update_receive(struct peer *peer, bgp_size_t size)
+ 	/* Network Layer Reachability Information. */
+ 	update_len = end - stream_pnt(s);
+ 
+-	if (update_len) {
++	if (update_len && attribute_len) {
+ 		/* Set NLRI portion to structure. */
+ 		nlris[NLRI_UPDATE].afi = AFI_IP;
+ 		nlris[NLRI_UPDATE].safi = SAFI_UNICAST;
+-- 
+2.35.3
+

0010-bgpd-Use-treat-as-withdraw-for-tunnel-encapsulation-.patch

@@ -0,0 +1,131 @@
+From 129adde0aef424778d6c4791b5be10e302db9320 Mon Sep 17 00:00:00 2001
+From: Donatas Abraitis <donatas@opensourcerouting.org>
+Date: Thu, 13 Jul 2023 22:32:03 +0300
+Upstream: yes
+References: CVE-2023-38802,bsc#1213284,https://github.com/FRRouting/frr/pull/14290
+Subject: [PATCH] bgpd: Use treat-as-withdraw for tunnel encapsulation
+ attribute
+
+Before this path we used session reset method, which is discouraged by rfc7606.
+
+Handle this as rfc requires.
+
+Signed-off-by: Donatas Abraitis <donatas@opensourcerouting.org>
+Signed-off-by: Marius Tomaschewski <mt@suse.com>
+
+diff --git a/bgpd/bgp_attr.c b/bgpd/bgp_attr.c
+index c6177a1b93..188393b752 100644
+--- a/bgpd/bgp_attr.c
++++ b/bgpd/bgp_attr.c
+@@ -1301,6 +1301,7 @@ bgp_attr_malformed(struct bgp_attr_parser_args *args, uint8_t subcode,
+ 	case BGP_ATTR_LARGE_COMMUNITIES:
+ 	case BGP_ATTR_ORIGINATOR_ID:
+ 	case BGP_ATTR_CLUSTER_LIST:
++	case BGP_ATTR_ENCAP:
+ 	case BGP_ATTR_OTC:
+ 		return BGP_ATTR_PARSE_WITHDRAW;
+ 	case BGP_ATTR_MP_REACH_NLRI:
+@@ -2426,26 +2427,21 @@ bgp_attr_ipv6_ext_communities(struct bgp_attr_parser_args *args)
+ }
+ 
+ /* Parse Tunnel Encap attribute in an UPDATE */
+-static int bgp_attr_encap(uint8_t type, struct peer *peer, /* IN */
+-			  bgp_size_t length, /* IN: attr's length field */
+-			  struct attr *attr, /* IN: caller already allocated */
+-			  uint8_t flag,      /* IN: attr's flags field */
+-			  uint8_t *startp)
++static int bgp_attr_encap(struct bgp_attr_parser_args *args)
+ {
+-	bgp_size_t total;
+ 	uint16_t tunneltype = 0;
+-
+-	total = length + (CHECK_FLAG(flag, BGP_ATTR_FLAG_EXTLEN) ? 4 : 3);
++	struct peer *const peer = args->peer;
++	struct attr *const attr = args->attr;
++	bgp_size_t length = args->length;
++	uint8_t type = args->type;
++	uint8_t flag = args->flags;
+ 
+ 	if (!CHECK_FLAG(flag, BGP_ATTR_FLAG_TRANS)
+ 	    || !CHECK_FLAG(flag, BGP_ATTR_FLAG_OPTIONAL)) {
+-		zlog_info(
+-			"Tunnel Encap attribute flag isn't optional and transitive %d",
+-			flag);
+-		bgp_notify_send_with_data(peer, BGP_NOTIFY_UPDATE_ERR,
+-					  BGP_NOTIFY_UPDATE_ATTR_FLAG_ERR,
+-					  startp, total);
+-		return -1;
++		zlog_err("Tunnel Encap attribute flag isn't optional and transitive %d",
++			 flag);
++		return bgp_attr_malformed(args, BGP_NOTIFY_UPDATE_OPT_ATTR_ERR,
++					  args->total);
+ 	}
+ 
+ 	if (BGP_ATTR_ENCAP == type) {
+@@ -2453,12 +2449,11 @@ static int bgp_attr_encap(uint8_t type, struct peer *peer, /* IN */
+ 		uint16_t tlv_length;
+ 
+ 		if (length < 4) {
+-			zlog_info(
++			zlog_err(
+ 				"Tunnel Encap attribute not long enough to contain outer T,L");
+-			bgp_notify_send_with_data(
+-				peer, BGP_NOTIFY_UPDATE_ERR,
+-				BGP_NOTIFY_UPDATE_OPT_ATTR_ERR, startp, total);
+-			return -1;
++			return bgp_attr_malformed(args,
++						  BGP_NOTIFY_UPDATE_OPT_ATTR_ERR,
++						  args->total);
+ 		}
+ 		tunneltype = stream_getw(BGP_INPUT(peer));
+ 		tlv_length = stream_getw(BGP_INPUT(peer));
+@@ -2488,13 +2483,11 @@ static int bgp_attr_encap(uint8_t type, struct peer *peer, /* IN */
+ 		}
+ 
+ 		if (sublength > length) {
+-			zlog_info(
+-				"Tunnel Encap attribute sub-tlv length %d exceeds remaining length %d",
+-				sublength, length);
+-			bgp_notify_send_with_data(
+-				peer, BGP_NOTIFY_UPDATE_ERR,
+-				BGP_NOTIFY_UPDATE_OPT_ATTR_ERR, startp, total);
+-			return -1;
++			zlog_err("Tunnel Encap attribute sub-tlv length %d exceeds remaining length %d",
++				 sublength, length);
++			return bgp_attr_malformed(args,
++						  BGP_NOTIFY_UPDATE_OPT_ATTR_ERR,
++						  args->total);
+ 		}
+ 
+ 		/* alloc and copy sub-tlv */
+@@ -2542,13 +2535,10 @@ static int bgp_attr_encap(uint8_t type, struct peer *peer, /* IN */
+ 
+ 	if (length) {
+ 		/* spurious leftover data */
+-		zlog_info(
+-			"Tunnel Encap attribute length is bad: %d leftover octets",
+-			length);
+-		bgp_notify_send_with_data(peer, BGP_NOTIFY_UPDATE_ERR,
+-					  BGP_NOTIFY_UPDATE_OPT_ATTR_ERR,
+-					  startp, total);
+-		return -1;
++		zlog_err("Tunnel Encap attribute length is bad: %d leftover octets",
++			 length);
++		return bgp_attr_malformed(args, BGP_NOTIFY_UPDATE_OPT_ATTR_ERR,
++					  args->total);
+ 	}
+ 
+ 	return 0;
+@@ -3387,8 +3377,7 @@ enum bgp_attr_parse_ret bgp_attr_parse(struct peer *peer, struct attr *attr,
+ 		case BGP_ATTR_VNC:
+ #endif
+ 		case BGP_ATTR_ENCAP:
+-			ret = bgp_attr_encap(type, peer, length, attr, flag,
+-					     startp);
++			ret = bgp_attr_encap(&attr_args);
+ 			break;
+ 		case BGP_ATTR_PREFIX_SID:
+ 			ret = bgp_attr_prefix_sid(&attr_args);
+-- 
+2.35.3
+

0011-babeld-fix-11808-to-avoid-infinite-loops.patch

@@ -0,0 +1,48 @@
+From 8a8f20d89585aa490e3cae5ad705ce23107fc1fe Mon Sep 17 00:00:00 2001
+From: harryreps <harryreps@gmail.com>
+Date: Fri, 3 Mar 2023 23:17:14 +0000
+Upsteam: yes
+References: CVE-2023-3748,bsc#1213434,gh#FRRouting/frr#11808,https://github.com/FRRouting/frr/pull/12952
+Subject: [PATCH] babeld: fix #11808 to avoid infinite loops
+
+Replacing continue in loops to goto done so that index of packet buffer
+increases.
+
+Signed-off-by: harryreps <harryreps@gmail.com>
+(cherry picked from commit ae1e0e1fed77716bc06f181ad68c4433fb5523d0)
+Signed-off-by: Marius Tomaschewski <mt@suse.com>
+
+diff --git a/babeld/message.c b/babeld/message.c
+index 7d45d91bf7..2bf2337965 100644
+--- a/babeld/message.c
++++ b/babeld/message.c
+@@ -439,7 +439,7 @@ parse_packet(const unsigned char *from, struct interface *ifp,
+ 			debugf(BABEL_DEBUG_COMMON,
+ 			       "Received Hello from %s on %s that does not have all 0's in the unused section of flags, ignoring",
+ 			       format_address(from), ifp->name);
+-			continue;
++			goto done;
+ 		}
+ 
+ 		/*
+@@ -451,7 +451,7 @@ parse_packet(const unsigned char *from, struct interface *ifp,
+ 			debugf(BABEL_DEBUG_COMMON,
+ 			       "Received Unicast Hello from %s on %s that FRR is not prepared to understand yet",
+ 			       format_address(from), ifp->name);
+-			continue;
++			goto done;
+ 		}
+ 
+ 		DO_NTOHS(seqno, message + 4);
+@@ -469,7 +469,7 @@ parse_packet(const unsigned char *from, struct interface *ifp,
+ 			debugf(BABEL_DEBUG_COMMON,
+ 			       "Received hello from %s on %s should be ignored as that this version of FRR does not know how to properly handle interval == 0",
+ 			       format_address(from), ifp->name);
+-			continue;
++			goto done;
+ 		}
+ 
+ 		changed = update_neighbour(neigh, seqno, interval);
+-- 
+2.35.3
+

frr.changes

@@ -1,3 +1,24 @@
+-------------------------------------------------------------------
+Wed Aug 30 17:15:35 UTC 2023 - Marius Tomaschewski <mt@suse.com>
+
+- Removed protobuf-c BuildRequires (source package name) breaking
+  build-system setup with libprotobuf-c-devel 1.3.2 updates.
+- Apply upstream fix for bgpd: Don't read initial byte of the ORF
+  header in an ahead-of-stream situation (CVE-2023-41360,
+  bsc#1214739,https://github.com/FRRouting/frr/pull/14245)
+  [+ 0008-bgpd-Don-t-read-the-first-byte-of-ORF-header-if-we-a.patch]
+- Apply upstream fix for bgpd: Do not process NLRIs if the attribute
+  length is zero (CVE-2023-41358,bsc#1214735,
+  https://github.com/FRRouting/frr/pull/14260)
+  [+ 0009-bgpd-Do-not-process-NLRIs-if-the-attribute-length-is.patch]
+- Apply upstream fix bgpd: Use treat-as-withdraw for tunnel encapsulation
+  attribute instead of session reset (CVE-2023-38802,bsc#1213284,
+  https://github.com/FRRouting/frr/pull/14290)
+  [+ 0010-bgpd-Use-treat-as-withdraw-for-tunnel-encapsulation-.patch]
+- Apply upstream fix babeld: avoid infinite loops (CVE-2023-3748,bsc#1213434,
+  gh#FRRouting/frr#11808,https://github.com/FRRouting/frr/pull/12952)
+  [+ 0011-babeld-fix-11808-to-avoid-infinite-loops.patch]
+
 -------------------------------------------------------------------
 Mon May 15 08:01:39 UTC 2023 - Marius Tomaschewski <mt@suse.com>
 

frr.spec

@@ -46,6 +46,10 @@ Patch4:         0004-tools-remove-backslash-from-declare-check-regex.patch
 Patch5:         0005-root-ok-in-account-frr.pam.patch
 Patch6:         0006-bgpd-Check-7-bytes-for-Long-lived-Graceful-Restart-c.patch
 Patch7:         0007-bgpd-Ensure-stream-received-has-enough-data.patch
+Patch8:         0008-bgpd-Don-t-read-the-first-byte-of-ORF-header-if-we-a.patch
+Patch9:         0009-bgpd-Do-not-process-NLRIs-if-the-attribute-length-is.patch
+Patch10:        0010-bgpd-Use-treat-as-withdraw-for-tunnel-encapsulation-.patch
+Patch11:        0011-babeld-fix-11808-to-avoid-infinite-loops.patch
 BuildRequires:  autoconf
 BuildRequires:  automake
 BuildRequires:  bison >= 2.7
@@ -61,7 +65,6 @@ BuildRequires:  mininet
 BuildRequires:  net-snmp-devel
 BuildRequires:  pam-devel
 BuildRequires:  pkgconfig
-BuildRequires:  protobuf-c
 BuildRequires:  python-rpm-macros
 BuildRequires:  readline-devel
 BuildRequires:  systemd-rpm-macros
@@ -191,6 +194,10 @@ developing OSPF-API and frr applications.
 %patch5 -p1
 %patch6 -p1
 %patch7 -p1
+%patch8 -p1
+%patch9 -p1
+%patch10 -p1
+%patch11 -p1
 
 %build
 # GCC LTO objects must be "fat" to avoid assembly errors