0d23942aca
- Clean slate: removing all previous patches. - The following patches were obsoleted: - 0001-disable-zmq-test.patch - harden_frr.service.patch - 0003-tools-Run-as-FRR_USER-install-chown-commands-to-avoi.patch - 0004-tools-remove-backslash-from-declare-check-regex.patch - 0005-root-ok-in-account-frr.pam.patch - 0006-bgpd-Check-7-bytes-for-Long-lived-Graceful-Restart-c.patch - 0007-bgpd-Ensure-stream-received-has-enough-data.patch - 0008-bgpd-Don-t-read-the-first-byte-of-ORF-header-if-we-a.patch - 0009-bgpd-Do-not-process-NLRIs-if-the-attribute-length-is.patch - 0010-bgpd-Use-treat-as-withdraw-for-tunnel-encapsulation-.patch - 0011-babeld-fix-11808-to-avoid-infinite-loops.patch - 0012-bgpd-Limit-flowspec-to-no-attribute-means-a-implicit.patch - 0013-bgpd-Check-mandatory-attributes-more-carefully-for-U.patch - 0014-bgpd-Handle-MP_REACH_NLRI-malformed-packets-with-ses.patch - 0015-bgpd-Treat-EOR-as-withdrawn-to-avoid-unwanted-handli.patch - 0016-bgpd-Ignore-handling-NLRIs-if-we-received-MP_UNREACH.patch - 0017-bgpd-Fix-use-beyond-end-of-stream-of-labeled-unicast.patch - 0018-bgpd-Flowspec-overflow-issue.patch - 0019-bgpd-fix-error-handling-when-receiving-BGP-Prefix-SID-attribute.patch - 0020-ospfd-Solved-crash-in-OSPF-TE-parsing.patch - 0021-ospfd-Solved-crash-in-RI-parsing-with-OSPF-TE.patch - 0022-ospfd-Correct-Opaque-LSA-Extended-parser.patch - 0023-ospfd-protect-call-to-get_edge-in-ospf_te.c.patch OBS-URL: https://build.opensuse.org/package/show/network/frr?expand=0&rev=69
156 lines
5.3 KiB
Diff
156 lines
5.3 KiB
Diff
From 6d307ec2f5f5f9827f340a08941e6f78d09d1876 Mon Sep 17 00:00:00 2001
|
|
From: Donald Sharp <sharpd@nvidia.com>
|
|
Date: Tue, 6 Dec 2022 10:23:11 -0500
|
|
Upstream: yes
|
|
References: bsc#1211249,CVE-2023-31490,https://github.com/FRRouting/frr/pull/12454/commits/06431bfa7570f169637ebb5898f0b0cc3b010802
|
|
Subject: [PATCH] bgpd: Ensure stream received has enough data
|
|
|
|
BGP_PREFIX_SID_SRV6_L3_SERVICE attributes must not
|
|
fully trust the length value specified in the nlri.
|
|
Always ensure that the amount of data we need to read
|
|
can be fullfilled.
|
|
|
|
Reported-by: Iggy Frankovic <iggyfran@amazon.com>
|
|
Signed-off-by: Donald Sharp <sharpd@nvidia.com>
|
|
Signed-off-by: Marius Tomaschewski <mt@suse.com>
|
|
|
|
diff --git a/bgpd/bgp_attr.c b/bgpd/bgp_attr.c
|
|
index b7d0958bac..c6177a1b93 100644
|
|
--- a/bgpd/bgp_attr.c
|
|
+++ b/bgpd/bgp_attr.c
|
|
@@ -2748,9 +2748,21 @@ bgp_attr_psid_sub(uint8_t type, uint16_t length,
|
|
uint8_t sid_type, sid_flags;
|
|
char buf[BUFSIZ];
|
|
|
|
+ /*
|
|
+ * Check that we actually have at least as much data as
|
|
+ * specified by the length field
|
|
+ */
|
|
+ if (STREAM_READABLE(peer->curr) < length) {
|
|
+ flog_err(
|
|
+ EC_BGP_ATTR_LEN,
|
|
+ "Prefix SID specifies length %hu, but only %zu bytes remain",
|
|
+ length, STREAM_READABLE(peer->curr));
|
|
+ return bgp_attr_malformed(args, BGP_NOTIFY_UPDATE_ATTR_LENG_ERR,
|
|
+ args->total);
|
|
+ }
|
|
+
|
|
if (type == BGP_PREFIX_SID_LABEL_INDEX) {
|
|
- if (STREAM_READABLE(peer->curr) < length
|
|
- || length != BGP_PREFIX_SID_LABEL_INDEX_LENGTH) {
|
|
+ if (length != BGP_PREFIX_SID_LABEL_INDEX_LENGTH) {
|
|
flog_err(EC_BGP_ATTR_LEN,
|
|
"Prefix SID label index length is %hu instead of %u",
|
|
length, BGP_PREFIX_SID_LABEL_INDEX_LENGTH);
|
|
@@ -2772,12 +2784,8 @@ bgp_attr_psid_sub(uint8_t type, uint16_t length,
|
|
/* Store label index; subsequently, we'll check on
|
|
* address-family */
|
|
attr->label_index = label_index;
|
|
- }
|
|
-
|
|
- /* Placeholder code for the IPv6 SID type */
|
|
- else if (type == BGP_PREFIX_SID_IPV6) {
|
|
- if (STREAM_READABLE(peer->curr) < length
|
|
- || length != BGP_PREFIX_SID_IPV6_LENGTH) {
|
|
+ } else if (type == BGP_PREFIX_SID_IPV6) {
|
|
+ if (length != BGP_PREFIX_SID_IPV6_LENGTH) {
|
|
flog_err(EC_BGP_ATTR_LEN,
|
|
"Prefix SID IPv6 length is %hu instead of %u",
|
|
length, BGP_PREFIX_SID_IPV6_LENGTH);
|
|
@@ -2791,10 +2799,7 @@ bgp_attr_psid_sub(uint8_t type, uint16_t length,
|
|
stream_getw(peer->curr);
|
|
|
|
stream_get(&ipv6_sid, peer->curr, 16);
|
|
- }
|
|
-
|
|
- /* Placeholder code for the Originator SRGB type */
|
|
- else if (type == BGP_PREFIX_SID_ORIGINATOR_SRGB) {
|
|
+ } else if (type == BGP_PREFIX_SID_ORIGINATOR_SRGB) {
|
|
/*
|
|
* ietf-idr-bgp-prefix-sid-05:
|
|
* Length is the total length of the value portion of the
|
|
@@ -2819,19 +2824,6 @@ bgp_attr_psid_sub(uint8_t type, uint16_t length,
|
|
args->total);
|
|
}
|
|
|
|
- /*
|
|
- * Check that we actually have at least as much data as
|
|
- * specified by the length field
|
|
- */
|
|
- if (STREAM_READABLE(peer->curr) < length) {
|
|
- flog_err(EC_BGP_ATTR_LEN,
|
|
- "Prefix SID Originator SRGB specifies length %hu, but only %zu bytes remain",
|
|
- length, STREAM_READABLE(peer->curr));
|
|
- return bgp_attr_malformed(
|
|
- args, BGP_NOTIFY_UPDATE_ATTR_LENG_ERR,
|
|
- args->total);
|
|
- }
|
|
-
|
|
/*
|
|
* Check that the portion of the TLV containing the sequence of
|
|
* SRGBs corresponds to a multiple of the SRGB size; to get
|
|
@@ -2855,12 +2847,8 @@ bgp_attr_psid_sub(uint8_t type, uint16_t length,
|
|
stream_get(&srgb_base, peer->curr, 3);
|
|
stream_get(&srgb_range, peer->curr, 3);
|
|
}
|
|
- }
|
|
-
|
|
- /* Placeholder code for the VPN-SID Service type */
|
|
- else if (type == BGP_PREFIX_SID_VPN_SID) {
|
|
- if (STREAM_READABLE(peer->curr) < length
|
|
- || length != BGP_PREFIX_SID_VPN_SID_LENGTH) {
|
|
+ } else if (type == BGP_PREFIX_SID_VPN_SID) {
|
|
+ if (length != BGP_PREFIX_SID_VPN_SID_LENGTH) {
|
|
flog_err(EC_BGP_ATTR_LEN,
|
|
"Prefix SID VPN SID length is %hu instead of %u",
|
|
length, BGP_PREFIX_SID_VPN_SID_LENGTH);
|
|
@@ -2896,39 +2884,22 @@ bgp_attr_psid_sub(uint8_t type, uint16_t length,
|
|
attr->srv6_vpn->sid_flags = sid_flags;
|
|
sid_copy(&attr->srv6_vpn->sid, &ipv6_sid);
|
|
attr->srv6_vpn = srv6_vpn_intern(attr->srv6_vpn);
|
|
- }
|
|
-
|
|
- /* Placeholder code for the SRv6 L3 Service type */
|
|
- else if (type == BGP_PREFIX_SID_SRV6_L3_SERVICE) {
|
|
- if (STREAM_READABLE(peer->curr) < length) {
|
|
+ } else if (type == BGP_PREFIX_SID_SRV6_L3_SERVICE) {
|
|
+ if (STREAM_READABLE(peer->curr) < 1) {
|
|
flog_err(
|
|
EC_BGP_ATTR_LEN,
|
|
- "Prefix SID SRv6 L3-Service length is %hu, but only %zu bytes remain",
|
|
- length, STREAM_READABLE(peer->curr));
|
|
- return bgp_attr_malformed(args,
|
|
- BGP_NOTIFY_UPDATE_ATTR_LENG_ERR,
|
|
- args->total);
|
|
+ "Prefix SID SRV6 L3 Service not enough data left, it must be at least 1 byte");
|
|
+ return bgp_attr_malformed(
|
|
+ args, BGP_NOTIFY_UPDATE_ATTR_LENG_ERR,
|
|
+ args->total);
|
|
}
|
|
-
|
|
/* ignore reserved */
|
|
stream_getc(peer->curr);
|
|
|
|
return bgp_attr_srv6_service(args);
|
|
}
|
|
-
|
|
/* Placeholder code for Unsupported TLV */
|
|
else {
|
|
-
|
|
- if (STREAM_READABLE(peer->curr) < length) {
|
|
- flog_err(
|
|
- EC_BGP_ATTR_LEN,
|
|
- "Prefix SID SRv6 length is %hu - too long, only %zu remaining in this UPDATE",
|
|
- length, STREAM_READABLE(peer->curr));
|
|
- return bgp_attr_malformed(
|
|
- args, BGP_NOTIFY_UPDATE_ATTR_LENG_ERR,
|
|
- args->total);
|
|
- }
|
|
-
|
|
if (bgp_debug_update(peer, NULL, NULL, 1))
|
|
zlog_debug(
|
|
"%s attr Prefix-SID sub-type=%u is not supported, skipped",
|
|
--
|
|
2.35.3
|
|
|