frr/0017-bgpd-Fix-use-beyond-end-of-stream-of-labeled-unicast.patch

From 6979aa1574167121e260120504c77b47bb25230e Mon Sep 17 00:00:00 2001
From: Donald Sharp <sharpd@nvidia.com>
Date: Fri, 3 Mar 2023 21:58:33 -0500
Subject: [PATCH] bgpd: Fix use beyond end of stream of labeled unicast parsing
Upstream: yes
CVE-2023-38407,bsc#1216899,https://github.com/FRRouting/frr/pull/12956/commits/ab362eae68edec12c175d9bc488bcc3f8b73d36f

Fixes a couple crashes associated with attempting to read
beyond the end of the stream.

Reported-by: Iggy Frankovic <iggyfran@amazon.com>
Signed-off-by: Donald Sharp <sharpd@nvidia.com>
(cherry picked from commit 7404a914b0cafe046703c8381903a80d3def8f8b)
Signed-off-by: Marius Tomaschewski <mt@suse.com>

diff --git a/bgpd/bgp_label.c b/bgpd/bgp_label.c
index 38f34a8927..64d1ff70ca 100644
--- a/bgpd/bgp_label.c
+++ b/bgpd/bgp_label.c
@@ -312,6 +312,9 @@ static int bgp_nlri_get_labels(struct peer *peer, uint8_t *pnt, uint8_t plen,
 	uint8_t llen = 0;
 	uint8_t label_depth = 0;
 
+	if (plen < BGP_LABEL_BYTES)
+		return 0;
+
 	for (; data < lim; data += BGP_LABEL_BYTES) {
 		memcpy(label, data, BGP_LABEL_BYTES);
 		llen += BGP_LABEL_BYTES;
@@ -374,6 +377,9 @@ int bgp_nlri_parse_label(struct peer *peer, struct attr *attr,
 			memcpy(&addpath_id, pnt, BGP_ADDPATH_ID_LEN);
 			addpath_id = ntohl(addpath_id);
 			pnt += BGP_ADDPATH_ID_LEN;
+
+			if (pnt >= lim)
+				return BGP_NLRI_PARSE_ERROR_PACKET_OVERFLOW;
 		}
 
 		/* Fetch prefix length. */
@@ -392,6 +398,15 @@ int bgp_nlri_parse_label(struct peer *peer, struct attr *attr,
 
 		/* Fill in the labels */
 		llen = bgp_nlri_get_labels(peer, pnt, psize, &label);
+		if (llen == 0) {
+			flog_err(
+				EC_BGP_UPDATE_RCV,
+				"%s [Error] Update packet error (wrong label length 0)",
+				peer->host);
+			bgp_notify_send(peer, BGP_NOTIFY_UPDATE_ERR,
+					BGP_NOTIFY_UPDATE_INVAL_NETWORK);
+			return BGP_NLRI_PARSE_ERROR_LABEL_LENGTH;
+		}
 		p.prefixlen = prefixlen - BSIZE(llen);
 
 		/* There needs to be at least one label */
-- 
2.35.3
Accepting request 1130736 from home:mtomaschewski:frr - Apply upstream fix for a crash on malformed BGP UPDATE message with an EOR, because the presence of EOR does not lead to a treat-as-withdraw outcome (CVE-2023-47235,1216896,https://github.com/FRRouting/frr/pull/14716/commits/6814f2e0138a6ea5e1f83bdd9085d9a77999900b) [+ 0015-bgpd-Treat-EOR-as-withdrawn-to-avoid-unwanted-handli.patch] - Apply upstream fix for a crash on crafted BGP UPDATE message with a MP_UNREACH_NLRI attribute and additional NLRI data (CVE-2023-47234, bsc#1216897,ttps://github.com/FRRouting/frr/pull/14716/commits/c37119df45bbf4ef713bc10475af2ee06e12f3bf) [+ 0016-bgpd-Ignore-handling-NLRIs-if-we-received-MP_UNREACH.patch] - Apply upstream fix for attempts to read beyond the end of the stream during labeled unicast parsing (CVE-2023-38407,bsc#1216899,https://github.com/FRRouting/frr/pull/12956/commits/ab362eae68edec12c175d9bc488bcc3f8b73d36f) [+ 0017-bgpd-Fix-use-beyond-end-of-stream-of-labeled-unicast.patch] - Apply upstream fix for an nlri length of zero mishandling, aka "flowspec overflow" (CVE-2023-38406,bsc#1216900,https://github.com/FRRouting/frr/pull/12884/commits/0b999c886e241c52bd1f7ef0066700e4b618ebb3) [+ 0018-bgpd-Flowspec-overflow-issue.patch] OBS-URL: https://build.opensuse.org/request/show/1130736 OBS-URL: https://build.opensuse.org/package/show/network/frr?expand=0&rev=57 2023-12-05 11:45:46 +01:00			`From 6979aa1574167121e260120504c77b47bb25230e Mon Sep 17 00:00:00 2001`
			`From: Donald Sharp <sharpd@nvidia.com>`
			`Date: Fri, 3 Mar 2023 21:58:33 -0500`
			`Subject: [PATCH] bgpd: Fix use beyond end of stream of labeled unicast parsing`
			`Upstream: yes`
			`CVE-2023-38407,bsc#1216899,https://github.com/FRRouting/frr/pull/12956/commits/ab362eae68edec12c175d9bc488bcc3f8b73d36f`

			`Fixes a couple crashes associated with attempting to read`
			`beyond the end of the stream.`

			`Reported-by: Iggy Frankovic <iggyfran@amazon.com>`
			`Signed-off-by: Donald Sharp <sharpd@nvidia.com>`
			`(cherry picked from commit 7404a914b0cafe046703c8381903a80d3def8f8b)`
			`Signed-off-by: Marius Tomaschewski <mt@suse.com>`

			`diff --git a/bgpd/bgp_label.c b/bgpd/bgp_label.c`
			`index 38f34a8927..64d1ff70ca 100644`
			`--- a/bgpd/bgp_label.c`
			`+++ b/bgpd/bgp_label.c`
			`@@ -312,6 +312,9 @@ static int bgp_nlri_get_labels(struct peer peer, uint8_t pnt, uint8_t plen,`
			`uint8_t llen = 0;`
			`uint8_t label_depth = 0;`

			`+ if (plen < BGP_LABEL_BYTES)`
			`+ return 0;`
			`+`
			`for (; data < lim; data += BGP_LABEL_BYTES) {`
			`memcpy(label, data, BGP_LABEL_BYTES);`
			`llen += BGP_LABEL_BYTES;`
			`@@ -374,6 +377,9 @@ int bgp_nlri_parse_label(struct peer peer, struct attr attr,`
			`memcpy(&addpath_id, pnt, BGP_ADDPATH_ID_LEN);`
			`addpath_id = ntohl(addpath_id);`
			`pnt += BGP_ADDPATH_ID_LEN;`
			`+`
			`+ if (pnt >= lim)`
			`+ return BGP_NLRI_PARSE_ERROR_PACKET_OVERFLOW;`
			`}`

			`/* Fetch prefix length. */`
			`@@ -392,6 +398,15 @@ int bgp_nlri_parse_label(struct peer peer, struct attr attr,`

			`/* Fill in the labels */`
			`llen = bgp_nlri_get_labels(peer, pnt, psize, &label);`
			`+ if (llen == 0) {`
			`+ flog_err(`
			`+ EC_BGP_UPDATE_RCV,`
			`+ "%s [Error] Update packet error (wrong label length 0)",`
			`+ peer->host);`
			`+ bgp_notify_send(peer, BGP_NOTIFY_UPDATE_ERR,`
			`+ BGP_NOTIFY_UPDATE_INVAL_NETWORK);`
			`+ return BGP_NLRI_PARSE_ERROR_LABEL_LENGTH;`
			`+ }`
			`p.prefixlen = prefixlen - BSIZE(llen);`

			`/* There needs to be at least one label */`
			`--`
			`2.35.3`