pool/frr
SHA256
3
0
Fork 1
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
7e97e9eb90
frr/0023-ospfd-protect-call-to-get_edge-in-ospf_te.c.patch
Erico Mendonca 0d23942aca - Update to version 10.0.1 from official sources. 
- Clean slate: removing all previous patches.
- The following patches were obsoleted:
  - 0001-disable-zmq-test.patch
  - harden_frr.service.patch
  - 0003-tools-Run-as-FRR_USER-install-chown-commands-to-avoi.patch
  - 0004-tools-remove-backslash-from-declare-check-regex.patch
  - 0005-root-ok-in-account-frr.pam.patch
  - 0006-bgpd-Check-7-bytes-for-Long-lived-Graceful-Restart-c.patch
  - 0007-bgpd-Ensure-stream-received-has-enough-data.patch
  - 0008-bgpd-Don-t-read-the-first-byte-of-ORF-header-if-we-a.patch
  - 0009-bgpd-Do-not-process-NLRIs-if-the-attribute-length-is.patch
  - 0010-bgpd-Use-treat-as-withdraw-for-tunnel-encapsulation-.patch
  - 0011-babeld-fix-11808-to-avoid-infinite-loops.patch
  - 0012-bgpd-Limit-flowspec-to-no-attribute-means-a-implicit.patch
  - 0013-bgpd-Check-mandatory-attributes-more-carefully-for-U.patch
  - 0014-bgpd-Handle-MP_REACH_NLRI-malformed-packets-with-ses.patch
  - 0015-bgpd-Treat-EOR-as-withdrawn-to-avoid-unwanted-handli.patch
  - 0016-bgpd-Ignore-handling-NLRIs-if-we-received-MP_UNREACH.patch
  - 0017-bgpd-Fix-use-beyond-end-of-stream-of-labeled-unicast.patch
  - 0018-bgpd-Flowspec-overflow-issue.patch
  - 0019-bgpd-fix-error-handling-when-receiving-BGP-Prefix-SID-attribute.patch
  - 0020-ospfd-Solved-crash-in-OSPF-TE-parsing.patch
  - 0021-ospfd-Solved-crash-in-RI-parsing-with-OSPF-TE.patch
  - 0022-ospfd-Correct-Opaque-LSA-Extended-parser.patch
  - 0023-ospfd-protect-call-to-get_edge-in-ospf_te.c.patch

OBS-URL: https://build.opensuse.org/package/show/network/frr?expand=0&rev=69
2024-08-08 12:14:43 +00:00

83 lines
3.1 KiB
Diff
Raw Blame History

From cef38442420aeac8e163f8aa55f1b985908f993c Mon Sep 17 00:00:00 2001
From: Olivier Dugeon <olivier.dugeon@orange.com>
Date: Tue, 16 Apr 2024 16:42:06 +0200
Upstream: yes
References: CVE-2024-34088,bsc#1223786,gh#FRRouting/frr#16088
Subject: [PATCH 3/3] ospfd: protect call to get_edge() in ospf_te.c
During fuzzing, Iggy Frankovic discovered that get_edge() function in ospf_te.c
could return null pointer, in particular when the link_id or advertised router
IP addresses are fuzzed. As the null pointer returned by get_edge() function is
not handlei by calling functions, this could cause ospfd crash.
This patch introduces new verification of returned pointer by get_edge()
function and stop the processing in case of null pointer. In addition, link ID
and advertiser router ID are validated before calling ls_find_edge_by_key() to
avoid the creation of a new edge with an invalid key.
CVE-2024-34088
Co-authored-by: Iggy Frankovic <iggyfran@amazon.com>
Signed-off-by: Olivier Dugeon <olivier.dugeon@orange.com>
(cherry picked from commit 8c177d69e32b91b45bda5fc5da6511fa03dc11ca)
---
ospfd/ospf_te.c | 19 ++++++++++++++++---
1 file changed, 16 insertions(+), 3 deletions(-)
diff --git a/ospfd/ospf_te.c b/ospfd/ospf_te.c
index 23a1b181ec..d1f114e30a 100644
--- a/ospfd/ospf_te.c
+++ b/ospfd/ospf_te.c
@@ -1686,6 +1686,11 @@ static struct ls_edge *get_edge(struct ls_ted *ted, struct ls_node_id adv,
struct ls_edge *edge;
struct ls_attributes *attr;
+ /* Check that Link ID and Node ID are valid */
+ if (IPV4_NET0(link_id.s_addr) || IPV4_NET0(adv.id.ip.addr.s_addr) ||
+ adv.origin != OSPFv2)
+ return NULL;
+
/* Search Edge that corresponds to the Link ID */
key = ((uint64_t)ntohl(link_id.s_addr)) & 0xffffffff;
edge = ls_find_edge_by_key(ted, key);
@@ -1758,6 +1763,10 @@ static void ospf_te_update_link(struct ls_ted *ted, struct ls_vertex *vertex,
/* Get Corresponding Edge from Link State Data Base */
edge = get_edge(ted, vertex->node->adv, link_data);
+ if (!edge) {
+ ote_debug(" |- Found no edge from Link Data. Abort!");
+ return;
+ }
attr = edge->attributes;
/* re-attached edge to vertex if needed */
@@ -2276,11 +2285,11 @@ static int ospf_te_parse_te(struct ls_ted *ted, struct ospf_lsa *lsa)
}
/* Get corresponding Edge from Link State Data Base */
- if (IPV4_NET0(attr.standard.local.s_addr) && !attr.standard.local_id) {
- ote_debug(" |- Found no TE Link local address/ID. Abort!");
+ edge = get_edge(ted, attr.adv, attr.standard.local);
+ if (!edge) {
+ ote_debug(" |- Found no edge from Link local add./ID. Abort!");
return -1;
}
- edge = get_edge(ted, attr.adv, attr.standard.local);
old = edge->attributes;
ote_debug(" |- Process Traffic Engineering LSA %pI4 for Edge %pI4",
@@ -2786,6 +2795,10 @@ static int ospf_te_parse_ext_link(struct ls_ted *ted, struct ospf_lsa *lsa)
lnid.id.ip.area_id = lsa->area->area_id;
ext = (struct ext_tlv_link *)TLV_HDR_TOP(lsa->data);
edge = get_edge(ted, lnid, ext->link_data);
+ if (!edge) {
+ ote_debug(" |- Found no edge from Extended Link Data. Abort!");
+ return -1;
+ }
atr = edge->attributes;
ote_debug(" |- Process Extended Link LSA %pI4 for edge %pI4",
--
2.35.3
Reference in New Issue View Git Blame Copy Permalink