0d23942aca
- Clean slate: removing all previous patches. - The following patches were obsoleted: - 0001-disable-zmq-test.patch - harden_frr.service.patch - 0003-tools-Run-as-FRR_USER-install-chown-commands-to-avoi.patch - 0004-tools-remove-backslash-from-declare-check-regex.patch - 0005-root-ok-in-account-frr.pam.patch - 0006-bgpd-Check-7-bytes-for-Long-lived-Graceful-Restart-c.patch - 0007-bgpd-Ensure-stream-received-has-enough-data.patch - 0008-bgpd-Don-t-read-the-first-byte-of-ORF-header-if-we-a.patch - 0009-bgpd-Do-not-process-NLRIs-if-the-attribute-length-is.patch - 0010-bgpd-Use-treat-as-withdraw-for-tunnel-encapsulation-.patch - 0011-babeld-fix-11808-to-avoid-infinite-loops.patch - 0012-bgpd-Limit-flowspec-to-no-attribute-means-a-implicit.patch - 0013-bgpd-Check-mandatory-attributes-more-carefully-for-U.patch - 0014-bgpd-Handle-MP_REACH_NLRI-malformed-packets-with-ses.patch - 0015-bgpd-Treat-EOR-as-withdrawn-to-avoid-unwanted-handli.patch - 0016-bgpd-Ignore-handling-NLRIs-if-we-received-MP_UNREACH.patch - 0017-bgpd-Fix-use-beyond-end-of-stream-of-labeled-unicast.patch - 0018-bgpd-Flowspec-overflow-issue.patch - 0019-bgpd-fix-error-handling-when-receiving-BGP-Prefix-SID-attribute.patch - 0020-ospfd-Solved-crash-in-OSPF-TE-parsing.patch - 0021-ospfd-Solved-crash-in-RI-parsing-with-OSPF-TE.patch - 0022-ospfd-Correct-Opaque-LSA-Extended-parser.patch - 0023-ospfd-protect-call-to-get_edge-in-ospf_te.c.patch OBS-URL: https://build.opensuse.org/package/show/network/frr?expand=0&rev=69
91 lines
3.5 KiB
Diff
91 lines
3.5 KiB
Diff
From 4e39893cfb2d4dbc13fa6d6a25bbf623ed14a4fb Mon Sep 17 00:00:00 2001
|
|
From: Donatas Abraitis <donatas@opensourcerouting.org>
|
|
Date: Sun, 29 Oct 2023 22:44:45 +0200
|
|
Subject: [PATCH] bgpd: Ignore handling NLRIs if we received MP_UNREACH_NLRI
|
|
Upstream: yes
|
|
CVE-2023-47234,bsc#1216897,https://github.com/FRRouting/frr/pull/14716/commits/c37119df45bbf4ef713bc10475af2ee06e12f3bf
|
|
|
|
If we receive MP_UNREACH_NLRI, we should stop handling remaining NLRIs if
|
|
no mandatory path attributes received.
|
|
|
|
In other words, if MP_UNREACH_NLRI received, the remaining NLRIs should be handled
|
|
as a new data, but without mandatory attributes, it's a malformed packet.
|
|
|
|
In normal case, this MUST not happen at all, but to avoid crashing bgpd, we MUST
|
|
handle that.
|
|
|
|
Reported-by: Iggy Frankovic <iggyfran@amazon.com>
|
|
Signed-off-by: Donatas Abraitis <donatas@opensourcerouting.org>
|
|
Signed-off-by: Marius Tomaschewski <mt@suse.com>
|
|
|
|
diff --git a/bgpd/bgp_attr.c b/bgpd/bgp_attr.c
|
|
index fc92dbb326..ae0f052c42 100644
|
|
--- a/bgpd/bgp_attr.c
|
|
+++ b/bgpd/bgp_attr.c
|
|
@@ -3112,15 +3112,6 @@ static int bgp_attr_check(struct peer *peer, struct attr *attr,
|
|
!length)
|
|
return BGP_ATTR_PARSE_WITHDRAW;
|
|
|
|
- /* "An UPDATE message that contains the MP_UNREACH_NLRI is not required
|
|
- to carry any other path attributes.", though if MP_REACH_NLRI or NLRI
|
|
- are present, it should. Check for any other attribute being present
|
|
- instead.
|
|
- */
|
|
- if ((!CHECK_FLAG(attr->flag, ATTR_FLAG_BIT(BGP_ATTR_MP_REACH_NLRI)) &&
|
|
- CHECK_FLAG(attr->flag, ATTR_FLAG_BIT(BGP_ATTR_MP_UNREACH_NLRI))))
|
|
- return BGP_ATTR_PARSE_PROCEED;
|
|
-
|
|
if (!CHECK_FLAG(attr->flag, ATTR_FLAG_BIT(BGP_ATTR_ORIGIN)))
|
|
type = BGP_ATTR_ORIGIN;
|
|
|
|
@@ -3139,6 +3130,16 @@ static int bgp_attr_check(struct peer *peer, struct attr *attr,
|
|
&& !CHECK_FLAG(attr->flag, ATTR_FLAG_BIT(BGP_ATTR_LOCAL_PREF)))
|
|
type = BGP_ATTR_LOCAL_PREF;
|
|
|
|
+ /* An UPDATE message that contains the MP_UNREACH_NLRI is not required
|
|
+ * to carry any other path attributes. Though if MP_REACH_NLRI or NLRI
|
|
+ * are present, it should. Check for any other attribute being present
|
|
+ * instead.
|
|
+ */
|
|
+ if (!CHECK_FLAG(attr->flag, ATTR_FLAG_BIT(BGP_ATTR_MP_REACH_NLRI)) &&
|
|
+ CHECK_FLAG(attr->flag, ATTR_FLAG_BIT(BGP_ATTR_MP_UNREACH_NLRI)))
|
|
+ return type ? BGP_ATTR_PARSE_MISSING_MANDATORY
|
|
+ : BGP_ATTR_PARSE_PROCEED;
|
|
+
|
|
/* If any of the well-known mandatory attributes are not present
|
|
* in an UPDATE message, then "treat-as-withdraw" MUST be used.
|
|
*/
|
|
diff --git a/bgpd/bgp_attr.h b/bgpd/bgp_attr.h
|
|
index 23767153b2..27708c0689 100644
|
|
--- a/bgpd/bgp_attr.h
|
|
+++ b/bgpd/bgp_attr.h
|
|
@@ -382,6 +382,7 @@ enum bgp_attr_parse_ret {
|
|
/* only used internally, send notify + convert to BGP_ATTR_PARSE_ERROR
|
|
*/
|
|
BGP_ATTR_PARSE_ERROR_NOTIFYPLS = -3,
|
|
+ BGP_ATTR_PARSE_MISSING_MANDATORY = -4,
|
|
};
|
|
|
|
struct bpacket_attr_vec_arr;
|
|
diff --git a/bgpd/bgp_packet.c b/bgpd/bgp_packet.c
|
|
index 20c642190b..b175a26ab9 100644
|
|
--- a/bgpd/bgp_packet.c
|
|
+++ b/bgpd/bgp_packet.c
|
|
@@ -1951,7 +1951,12 @@ static int bgp_update_receive(struct peer *peer, bgp_size_t size)
|
|
/* Network Layer Reachability Information. */
|
|
update_len = end - stream_pnt(s);
|
|
|
|
- if (update_len && attribute_len) {
|
|
+ /* If we received MP_UNREACH_NLRI attribute, but also NLRIs, then
|
|
+ * NLRIs should be handled as a new data. Though, if we received
|
|
+ * NLRIs without mandatory attributes, they should be ignored.
|
|
+ */
|
|
+ if (update_len && attribute_len &&
|
|
+ attr_parse_ret != BGP_ATTR_PARSE_MISSING_MANDATORY) {
|
|
/* Set NLRI portion to structure. */
|
|
nlris[NLRI_UPDATE].afi = AFI_IP;
|
|
nlris[NLRI_UPDATE].safi = SAFI_UNICAST;
|
|
--
|
|
2.35.3
|
|
|