rpm/frr
SHA256
1
0
Fork 0
forked from pool/frr
Code Pull Requests Activity

Accepting request 1035289 from home:mtomaschewski:branches:network

Browse Source 
- Migration to /usr/etc: Conditionally moved /etc/logrotate.d/frr
  file to vendor specific directory /usr/etc/logrotate.d and added
  saving of user changed configuration files in /etc and restoring
  them while an RPM update.
- Declare root as sufficient also in the pam account verification;
  without vtysh use causes to log a pam frr:account warnings
  (https://github.com/FRRouting/frr/pull/12308)
  [+ 0005-root-ok-in-account-frr.pam.patch]
- Applied fix removing a not needed backslash causing to log a warning
  (https://github.com/FRRouting/frr/pull/12307)
  [+ 0004-tools-remove-backslash-from-declare-check-regex.patch]
- Applied upstream fixes for frrinit.sh to avoid a privilege escalation
  from frr to root in frr config creation (bsc#1204124,CVE-2022-42917,
  https://github.com/FRRouting/frr/pull/12157).
  [+ 0003-tools-Run-as-FRR_USER-install-chown-commands-to-avoi.patch]
- Removed obsolete patches provided in the 8.4 source archive:
  [- 0003-babeld-fix-10487-by-adding-a-check-on-packet-length.patch,
   - 0004-babeld-fix-10502-10503-by-repairing-the-checks-on-le.patch,
   - 0005-isisd-fix-router-capability-TLV-parsing-issues.patch,
   - 0006-isisd-fix-10505-using-base64-encoding.patch,
   - 0007-bgpd-Make-sure-hdr-length-is-at-a-minimum-of-what-is.patch,
   - 0008-isisd-Ensure-rcap-is-freed-in-error-case.patch]
- Update to version 8.4, see https://frrouting.org/release/8.4/
  * New BGP command (neighbor PEER soo) to configure SoO to prevent
    routing loops and suboptimal routing on dual-homed sites.
  * Command debug bgp allow-martian replaced to bgp allow-martian-nexthop
    because previously we allowed using martian next-hops when debug is
    turned on.
  * Implement BGP Prefix Origin Validation State Extended Community rfc8097
  *  Implement Route Leak Prevention and Detection Using Roles in UPDATE

OBS-URL: https://build.opensuse.org/request/show/1035289
OBS-URL: https://build.opensuse.org/package/show/network/frr?expand=0&rev=43
This commit is contained in:
Martin Hauke 2022-11-15 14:31:19 +00:00 committed by Git OBS Bridge
parent 9b537df10f
commit 729276ccdc
13 changed files with 246 additions and 902 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

52
0003-babeld-fix-10487-by-adding-a-check-on-packet-length.patch
View File

@ -1,52 +0,0 @@
From 50044ec7fe129e0a74d3a679dd29fe17ce30e6bf Mon Sep 17 00:00:00 2001
From: whichbug <whichbug@github.com>
Date: Thu, 3 Feb 2022 12:01:31 -0500
Upstream: yes
References: bsc#1196503,CVE-2022-26127
Subject: [PATCH] babeld: fix #10487 by adding a check on packet length
The body length of a packet should satisfy the condition:
packetlen >= bodylen + 4. Otherwise, heap overflows may happen.
Signed-off-by: whichbug <whichbug@github.com>
diff --git a/babeld/message.c b/babeld/message.c
index 5c2e29d8b..3a29b6a60 100644
--- a/babeld/message.c
+++ b/babeld/message.c
@@ -288,13 +288,18 @@ channels_len(unsigned char *channels)
static int
babel_packet_examin(const unsigned char *packet, int packetlen)
{
- unsigned i = 0, bodylen;
+ int i = 0, bodylen;
const unsigned char *message;
unsigned char type, len;
if(packetlen < 4 || packet[0] != 42 || packet[1] != 2)
return 1;
DO_NTOHS(bodylen, packet + 2);
+ if(bodylen + 4 > packetlen) {
+ debugf(BABEL_DEBUG_COMMON, "Received truncated packet (%d + 4 > %d).",
+ bodylen, packetlen);
+ return 1;
+ }
while (i < bodylen){
message = packet + 4 + i;
type = message[0];
@@ -366,12 +371,6 @@ parse_packet(const unsigned char *from, struct interface *ifp,
DO_NTOHS(bodylen, packet + 2);
- if(bodylen + 4 > packetlen) {
- flog_err(EC_BABEL_PACKET, "Received truncated packet (%d + 4 > %d).",
- bodylen, packetlen);
- bodylen = packetlen - 4;
- }
-
i = 0;
while(i < bodylen) {
message = packet + 4 + i;
--
2.34.1

93
0003-tools-Run-as-FRR_USER-install-chown-commands-to-avoi.patch Normal file
View File

@ -0,0 +1,93 @@
From 401053f3ccc7be3a6a976f6f7f1674bdeb3c983e Mon Sep 17 00:00:00 2001
From: Donatas Abraitis <donatas@opensourcerouting.org>
Date: Thu, 20 Oct 2022 09:10:22 +0300
References: bsc#1204124,CVE-2022-42917,https://github.com/FRRouting/frr/pull/12157
Upstream: submitted
Subject: [PATCH] tools: Run as FRR_USER `install/chown` commands to avoid race
conditions
This is due to CVE-2022-42917: https://bugzilla.suse.com/show_bug.cgi?id=1204124
install/chown is in most cases (as I tested) is enough, but still, can be racy.
Tested on Linux/OpenBSD/NetBSD/FreeBSD, seems a unified way to do this.
For Linux `runuser` can be used, but *BSD do not have this command.
Proof of concept:
```
% sudo su - frr
[sudo] password for donatas:
su: warning: cannot change directory to /nonexistent: No such file or directory
frr@donatas-laptop:/home/donatas$ cd /etc/frr/
frr@donatas-laptop:/etc/frr$ rm -f zebra.conf; inotifywait -e CREATE .; rm -f zebra.conf; ln -s /etc/shadow zebra.conf
Setting up watches.
Watches established.
./ CREATE zebra.conf
frr@donatas-laptop:/etc/frr$ ls -la zebra.conf
lrwxrwxrwx 1 frr frr 11 spal. 20 09:25 zebra.conf -> /etc/shadow
frr@donatas-laptop:/etc/frr$ cat zebra.conf
cat: zebra.conf: Permission denied
frr@donatas-laptop:/etc/frr$
```
On the other terminal do:
```
/usr/lib/frr/frrinit.sh restart
```
Signed-off-by: Donatas Abraitis <donatas@opensourcerouting.org>
diff --git a/tools/frr.in b/tools/frr.in
index e9f1122834..5f3f425a1e 100755
--- a/tools/frr.in
+++ b/tools/frr.in
@@ -96,10 +96,10 @@ check_daemon()
# check for config file
if [ -n "$2" ]; then
if [ ! -r "$C_PATH/$1-$2.conf" ]; then
- install -g "$FRR_GROUP" -o "$FRR_USER" -m "$FRR_CONFIG_MODE" /dev/null "$C_PATH/$1-$2.conf"
+ su - "${FRR_USER}" -c "install -g \"$FRR_GROUP\" -o \"$FRR_USER\" -m \"$FRR_CONFIG_MODE\" /dev/null \"$C_PATH/$1-$2.conf\""
fi
elif [ ! -r "$C_PATH/$1.conf" ]; then
- install -g "$FRR_GROUP" -o "$FRR_USER" -m "$FRR_CONFIG_MODE" /dev/null "$C_PATH/$1.conf"
+ su - "${FRR_USER}" -c "install -g \"$FRR_GROUP\" -o \"$FRR_USER\" -m \"$FRR_CONFIG_MODE\" /dev/null \"$C_PATH/$1.conf\""
fi
fi
return 0
@@ -524,7 +524,7 @@ convert_daemon_prios
if [ ! -d $V_PATH ]; then
echo "Creating $V_PATH"
- install -g "$FRR_GROUP" -o "$FRR_USER" -m "$FRR_CONFIG_MODE" -d "$V_PATH"
+ su - "${FRR_USER}" -c "install -g \"$FRR_GROUP\" -o \"$FRR_USER\" -m \"$FRR_CONFIG_MODE\" -d \"$V_PATH\""
chmod gu+x "${V_PATH}"
fi
diff --git a/tools/frrcommon.sh.in b/tools/frrcommon.sh.in
index 61f1abb378..4d5d688d57 100755
--- a/tools/frrcommon.sh.in
+++ b/tools/frrcommon.sh.in
@@ -143,7 +143,7 @@ daemon_prep() {
cfg="$C_PATH/$daemon${inst:+-$inst}.conf"
if [ ! -r "$cfg" ]; then
- install -g "$FRR_GROUP" -o "$FRR_USER" -m "$FRR_CONFIG_MODE" /dev/null "$cfg"
+ su - "${FRR_USER}" -c "install -g \"$FRR_GROUP\" -o \"$FRR_USER\" -m \"$FRR_CONFIG_MODE\" /dev/null \"$cfg\""
fi
return 0
}
@@ -161,7 +161,7 @@ daemon_start() {
[ "$MAX_FDS" != "" ] && ulimit -n "$MAX_FDS" > /dev/null 2> /dev/null
daemon_prep "$daemon" "$inst" || return 1
if test ! -d "$V_PATH"; then
- install -g "$FRR_GROUP" -o "$FRR_USER" -m "$FRR_CONFIG_MODE" -d "$V_PATH"
+ su - "${FRR_USER}" -c "install -g \"$FRR_GROUP\" -o \"$FRR_USER\" -m \"$FRR_CONFIG_MODE\" -d \"$V_PATH\""
chmod gu+x "${V_PATH}"
fi
--
2.35.3

95
0004-babeld-fix-10502-10503-by-repairing-the-checks-on-le.patch
View File

@ -1,95 +0,0 @@
From c3793352a8d76d2eee1edc38a9a16c1c8a6573f4 Mon Sep 17 00:00:00 2001
From: qingkaishi <qingkaishi@gmail.com>
Date: Fri, 4 Feb 2022 16:41:11 -0500
Upstream: yes
References: bsc#1196504,bsc#1196507,CVE-2022-26128,CVE-2022-26129
Subject: [PATCH] babeld: fix #10502 #10503 by repairing the checks on length
This patch repairs the checking conditions on length in four functions:
babel_packet_examin, parse_hello_subtlv, parse_ihu_subtlv, and parse_update_subtlv
Signed-off-by: qingkaishi <qingkaishi@gmail.com>
diff --git a/babeld/message.c b/babeld/message.c
index 5c2e29d8b..053538700 100644
--- a/babeld/message.c
+++ b/babeld/message.c
@@ -140,12 +140,12 @@ parse_update_subtlv(const unsigned char *a, int alen,
continue;
}
- if(i + 1 > alen) {
+ if(i + 1 >= alen) {
flog_err(EC_BABEL_PACKET, "Received truncated attributes.");
return;
}
len = a[i + 1];
- if(i + len > alen) {
+ if(i + len + 2 > alen) {
flog_err(EC_BABEL_PACKET, "Received truncated attributes.");
return;
}
@@ -182,19 +182,19 @@ parse_hello_subtlv(const unsigned char *a, int alen,
int type, len, i = 0, ret = 0;
while(i < alen) {
- type = a[0];
+ type = a[i];
if(type == SUBTLV_PAD1) {
i++;
continue;
}
- if(i + 1 > alen) {
+ if(i + 1 >= alen) {
flog_err(EC_BABEL_PACKET,
"Received truncated sub-TLV on Hello message.");
return -1;
}
len = a[i + 1];
- if(i + len > alen) {
+ if(i + len + 2 > alen) {
flog_err(EC_BABEL_PACKET,
"Received truncated sub-TLV on Hello message.");
return -1;
@@ -228,19 +228,19 @@ parse_ihu_subtlv(const unsigned char *a, int alen,
int type, len, i = 0, ret = 0;
while(i < alen) {
- type = a[0];
+ type = a[i];
if(type == SUBTLV_PAD1) {
i++;
continue;
}
- if(i + 1 > alen) {
+ if(i + 1 >= alen) {
flog_err(EC_BABEL_PACKET,
"Received truncated sub-TLV on IHU message.");
return -1;
}
len = a[i + 1];
- if(i + len > alen) {
+ if(i + len + 2 > alen) {
flog_err(EC_BABEL_PACKET,
"Received truncated sub-TLV on IHU message.");
return -1;
@@ -302,12 +302,12 @@ babel_packet_examin(const unsigned char *packet, int packetlen)
i++;
continue;
}
- if(i + 1 > bodylen) {
+ if(i + 2 > bodylen) {
debugf(BABEL_DEBUG_COMMON,"Received truncated message.");
return 1;
}
len = message[1];
- if(i + len > bodylen) {
+ if(i + len + 2 > bodylen) {
debugf(BABEL_DEBUG_COMMON,"Received truncated message.");
return 1;
}
--
2.34.1

29
0004-tools-remove-backslash-from-declare-check-regex.patch Normal file
View File

@ -0,0 +1,29 @@
From 3474b220e036497e6bbe23428645217c275f9f87 Mon Sep 17 00:00:00 2001
From: Marius Tomaschewski <mt@suse.com>
Date: Fri, 11 Nov 2022 12:26:04 +0100
References: https://github.com/FRRouting/frr/pull/12307
Upstream: submitted
Subject: [PATCH] tools: remove backslash from declare check regex
The backslash in `grep -q '^declare \-a'` is not needed and
causes `grep: warning: stray \ before -` warning in grep-3.8.
---
tools/frrcommon.sh.in | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/tools/frrcommon.sh.in b/tools/frrcommon.sh.in
index 61f1abb378..3c16c27c6d 100755
--- a/tools/frrcommon.sh.in
+++ b/tools/frrcommon.sh.in
@@ -335,7 +335,7 @@ if [ -z "$FRR_PATHSPACE" ]; then
load_old_config "/etc/sysconfig/frr"
fi
-if { declare -p watchfrr_options 2>/dev/null || true; } | grep -q '^declare \-a'; then
+if { declare -p watchfrr_options 2>/dev/null || true; } | grep -q '^declare -a'; then
log_warning_msg "watchfrr_options contains a bash array value." \
"The configured value is intentionally ignored since it is likely wrong." \
"Please remove or fix the setting."
--
2.35.3

208
0005-isisd-fix-router-capability-TLV-parsing-issues.patch
View File

File diff suppressed because one or more lines are too long

33
0005-root-ok-in-account-frr.pam.patch Normal file
View File

@ -0,0 +1,33 @@
From cb467471b31cd653e758bc3f82fffe7c44654796 Mon Sep 17 00:00:00 2001
From: Marius Tomaschewski <mt@suse.com>
Date: Fri, 11 Nov 2022 14:50:12 +0100
References: https://github.com/FRRouting/frr/pull/12308
Upstream: submitted
Subject: [PATCH] pam: declare root as sufficient frr pam account
https://github.com/FRRouting/frr/pull/11465 enabled account verification,
but the pam config declares rootok as sufficient in authentication only
and not in account verification, what causes warning in the log:
vtysh[3747]: pam_warn(frr:account): function=[pam_sm_acct_mgmt]
flags=0 service=[frr] terminal=[<unknown>] user=[root]
ruser=[<unknown>] rhost=[<unknown>]
---
redhat/frr.pam | 1 +
1 file changed, 1 insertion(+)
diff --git a/redhat/frr.pam b/redhat/frr.pam
index 5cef5d9d74..17a62f1999 100644
--- a/redhat/frr.pam
+++ b/redhat/frr.pam
@@ -5,6 +5,7 @@
# Only allow root (and possibly wheel) to use this because enable access
# is unrestricted.
auth sufficient pam_rootok.so
+account sufficient pam_rootok.so
# Uncomment the following line to implicitly trust users in the "wheel" group.
#auth sufficient pam_wheel.so trust use_uid
--
2.35.3

456
0006-isisd-fix-10505-using-base64-encoding.patch
View File

@ -1,456 +0,0 @@
From ac3133450de12ba86c051265fc0f1b12bc57b40c Mon Sep 17 00:00:00 2001
From: whichbug <whichbug@github.com>
Date: Thu, 10 Feb 2022 22:49:41 -0500
Upstream: yes
References: bsc#1196506,CVE-2022-26126
Subject: [PATCH] isisd: fix #10505 using base64 encoding
Using base64 instead of the raw string to encode
the binary data.
Signed-off-by: whichbug <whichbug@github.com>
diff --git a/isisd/isis_nb_notifications.c b/isisd/isis_nb_notifications.c
index f219632ac..fd7b1b315 100644
--- a/isisd/isis_nb_notifications.c
+++ b/isisd/isis_nb_notifications.c
@@ -245,7 +245,7 @@ void isis_notif_max_area_addr_mismatch(const struct isis_circuit *circuit,
data = yang_data_new_uint8(xpath_arg, max_area_addrs);
listnode_add(arguments, data);
snprintf(xpath_arg, sizeof(xpath_arg), "%s/raw-pdu", xpath);
- data = yang_data_new(xpath_arg, raw_pdu);
+ data = yang_data_new_binary(xpath_arg, raw_pdu, raw_pdu_len);
listnode_add(arguments, data);
hook_call(isis_hook_max_area_addr_mismatch, circuit, max_area_addrs,
@@ -270,7 +270,7 @@ void isis_notif_authentication_type_failure(const struct isis_circuit *circuit,
notif_prep_instance_hdr(xpath, area, "default", arguments);
notif_prepr_iface_hdr(xpath, circuit, arguments);
snprintf(xpath_arg, sizeof(xpath_arg), "%s/raw-pdu", xpath);
- data = yang_data_new(xpath_arg, raw_pdu);
+ data = yang_data_new_binary(xpath_arg, raw_pdu, raw_pdu_len);
listnode_add(arguments, data);
hook_call(isis_hook_authentication_type_failure, circuit, raw_pdu,
@@ -294,7 +294,7 @@ void isis_notif_authentication_failure(const struct isis_circuit *circuit,
notif_prep_instance_hdr(xpath, area, "default", arguments);
notif_prepr_iface_hdr(xpath, circuit, arguments);
snprintf(xpath_arg, sizeof(xpath_arg), "%s/raw-pdu", xpath);
- data = yang_data_new(xpath_arg, raw_pdu);
+ data = yang_data_new_binary(xpath_arg, raw_pdu, raw_pdu_len);
listnode_add(arguments, data);
hook_call(isis_hook_authentication_failure, circuit, raw_pdu,
@@ -361,7 +361,7 @@ void isis_notif_reject_adjacency(const struct isis_circuit *circuit,
data = yang_data_new_string(xpath_arg, reason);
listnode_add(arguments, data);
snprintf(xpath_arg, sizeof(xpath_arg), "%s/raw-pdu", xpath);
- data = yang_data_new(xpath_arg, raw_pdu);
+ data = yang_data_new_binary(xpath_arg, raw_pdu, raw_pdu_len);
listnode_add(arguments, data);
hook_call(isis_hook_reject_adjacency, circuit, raw_pdu, raw_pdu_len);
@@ -384,7 +384,7 @@ void isis_notif_area_mismatch(const struct isis_circuit *circuit,
notif_prep_instance_hdr(xpath, area, "default", arguments);
notif_prepr_iface_hdr(xpath, circuit, arguments);
snprintf(xpath_arg, sizeof(xpath_arg), "%s/raw-pdu", xpath);
- data = yang_data_new(xpath_arg, raw_pdu);
+ data = yang_data_new_binary(xpath_arg, raw_pdu, raw_pdu_len);
listnode_add(arguments, data);
hook_call(isis_hook_area_mismatch, circuit, raw_pdu, raw_pdu_len);
@@ -467,7 +467,7 @@ void isis_notif_id_len_mismatch(const struct isis_circuit *circuit,
data = yang_data_new_uint8(xpath_arg, rcv_id_len);
listnode_add(arguments, data);
snprintf(xpath_arg, sizeof(xpath_arg), "%s/raw-pdu", xpath);
- data = yang_data_new(xpath_arg, raw_pdu);
+ data = yang_data_new_binary(xpath_arg, raw_pdu, raw_pdu_len);
listnode_add(arguments, data);
hook_call(isis_hook_id_len_mismatch, circuit, rcv_id_len, raw_pdu,
@@ -495,7 +495,7 @@ void isis_notif_version_skew(const struct isis_circuit *circuit,
data = yang_data_new_uint8(xpath_arg, version);
listnode_add(arguments, data);
snprintf(xpath_arg, sizeof(xpath_arg), "%s/raw-pdu", xpath);
- data = yang_data_new(xpath_arg, raw_pdu);
+ data = yang_data_new_binary(xpath_arg, raw_pdu, raw_pdu_len);
listnode_add(arguments, data);
hook_call(isis_hook_version_skew, circuit, version, raw_pdu,
@@ -525,7 +525,7 @@ void isis_notif_lsp_error(const struct isis_circuit *circuit,
data = yang_data_new_string(xpath_arg, rawlspid_print(lsp_id));
listnode_add(arguments, data);
snprintf(xpath_arg, sizeof(xpath_arg), "%s/raw-pdu", xpath);
- data = yang_data_new(xpath_arg, raw_pdu);
+ data = yang_data_new_binary(xpath_arg, raw_pdu, raw_pdu_len);
listnode_add(arguments, data);
/* ignore offset and tlv_type which cannot be set properly */
diff --git a/lib/base64.c b/lib/base64.c
new file mode 100644
index 000000000..e3f238969
--- /dev/null
+++ b/lib/base64.c
@@ -0,0 +1,193 @@
+/*
+ * This is part of the libb64 project, and has been placed in the public domain.
+ * For details, see http://sourceforge.net/projects/libb64
+ */
+
+#include "base64.h"
+
+static const int CHARS_PER_LINE = 72;
+static const char *ENCODING =
+ "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
+
+void base64_init_encodestate(struct base64_encodestate *state_in)
+{
+ state_in->step = step_A;
+ state_in->result = 0;
+ state_in->stepcount = 0;
+}
+
+char base64_encode_value(char value_in)
+{
+ if (value_in > 63)
+ return '=';
+ return ENCODING[(int)value_in];
+}
+
+int base64_encode_block(const char *plaintext_in, int length_in, char *code_out,
+ struct base64_encodestate *state_in)
+{
+ const char *plainchar = plaintext_in;
+ const char *const plaintextend = plaintext_in + length_in;
+ char *codechar = code_out;
+ char result;
+ char fragment;
+
+ result = state_in->result;
+
+ switch (state_in->step) {
+ while (1) {
+ case step_A:
+ if (plainchar == plaintextend) {
+ state_in->result = result;
+ state_in->step = step_A;
+ return codechar - code_out;
+ }
+ fragment = *plainchar++;
+ result = (fragment & 0x0fc) >> 2;
+ *codechar++ = base64_encode_value(result);
+ result = (fragment & 0x003) << 4;
+ /* fall through */
+ case step_B:
+ if (plainchar == plaintextend) {
+ state_in->result = result;
+ state_in->step = step_B;
+ return codechar - code_out;
+ }
+ fragment = *plainchar++;
+ result |= (fragment & 0x0f0) >> 4;
+ *codechar++ = base64_encode_value(result);
+ result = (fragment & 0x00f) << 2;
+ /* fall through */
+ case step_C:
+ if (plainchar == plaintextend) {
+ state_in->result = result;
+ state_in->step = step_C;
+ return codechar - code_out;
+ }
+ fragment = *plainchar++;
+ result |= (fragment & 0x0c0) >> 6;
+ *codechar++ = base64_encode_value(result);
+ result = (fragment & 0x03f) >> 0;
+ *codechar++ = base64_encode_value(result);
+
+ ++(state_in->stepcount);
+ if (state_in->stepcount == CHARS_PER_LINE/4) {
+ *codechar++ = '\n';
+ state_in->stepcount = 0;
+ }
+ }
+ }
+ /* control should not reach here */
+ return codechar - code_out;
+}
+
+int base64_encode_blockend(char *code_out, struct base64_encodestate *state_in)
+{
+ char *codechar = code_out;
+
+ switch (state_in->step) {
+ case step_B:
+ *codechar++ = base64_encode_value(state_in->result);
+ *codechar++ = '=';
+ *codechar++ = '=';
+ break;
+ case step_C:
+ *codechar++ = base64_encode_value(state_in->result);
+ *codechar++ = '=';
+ break;
+ case step_A:
+ break;
+ }
+ *codechar++ = '\n';
+
+ return codechar - code_out;
+}
+
+
+signed char base64_decode_value(signed char value_in)
+{
+ static const signed char decoding[] = {
+ 62, -1, -1, -1, 63, 52, 53, 54,
+ 55, 56, 57, 58, 59, 60, 61, -1,
+ -1, -1, -2, -1, -1, -1, 0, 1,
+ 2, 3, 4, 5, 6, 7, 8, 9,
+ 10, 11, 12, 13, 14, 15, 16, 17,
+ 18, 19, 20, 21, 22, 23, 24, 25,
+ -1, -1, -1, -1, -1, -1, 26, 27,
+ 28, 29, 30, 31, 32, 33, 34, 35,
+ 36, 37, 38, 39, 40, 41, 42, 43,
+ 44, 45, 46, 47, 48, 49, 50, 51
+ };
+ value_in -= 43;
+ if (value_in < 0 || value_in >= 80)
+ return -1;
+ return decoding[(int)value_in];
+}
+
+void base64_init_decodestate(struct base64_decodestate *state_in)
+{
+ state_in->step = step_a;
+ state_in->plainchar = 0;
+}
+
+int base64_decode_block(const char *code_in, int length_in, char *plaintext_out,
+ struct base64_decodestate *state_in)
+{
+ const char *codec = code_in;
+ char *plainc = plaintext_out;
+ signed char fragmt;
+
+ *plainc = state_in->plainchar;
+
+ switch (state_in->step) {
+ while (1) {
+ case step_a:
+ do {
+ if (codec == code_in+length_in) {
+ state_in->step = step_a;
+ state_in->plainchar = *plainc;
+ return plainc - plaintext_out;
+ }
+ fragmt = base64_decode_value(*codec++);
+ } while (fragmt < 0);
+ *plainc = (fragmt & 0x03f) << 2;
+ /* fall through */
+ case step_b:
+ do {
+ if (codec == code_in+length_in) {
+ state_in->step = step_b;
+ state_in->plainchar = *plainc;
+ return plainc - plaintext_out;
+ }
+ fragmt = base64_decode_value(*codec++);
+ } while (fragmt < 0);
+ *plainc++ |= (fragmt & 0x030) >> 4;
+ *plainc = (fragmt & 0x00f) << 4;
+ /* fall through */
+ case step_c:
+ do {
+ if (codec == code_in+length_in) {
+ state_in->step = step_c;
+ state_in->plainchar = *plainc;
+ return plainc - plaintext_out;
+ }
+ fragmt = base64_decode_value(*codec++);
+ } while (fragmt < 0);
+ *plainc++ |= (fragmt & 0x03c) >> 2;
+ *plainc = (fragmt & 0x003) << 6;
+ /* fall through */
+ case step_d:
+ do {
+ if (codec == code_in+length_in) {
+ state_in->step = step_d;
+ state_in->plainchar = *plainc;
+ return plainc - plaintext_out;
+ }
+ fragmt = base64_decode_value(*codec++);
+ } while (fragmt < 0);
+ *plainc++ |= (fragmt & 0x03f);
+ }
+ }
+ /* control should not reach here */
+ return plainc - plaintext_out;
+}
diff --git a/lib/base64.h b/lib/base64.h
new file mode 100644
index 000000000..3dc1559aa
--- /dev/null
+++ b/lib/base64.h
@@ -0,0 +1,45 @@
+/*
+ * This is part of the libb64 project, and has been placed in the public domain.
+ * For details, see http://sourceforge.net/projects/libb64
+ */
+
+#ifndef _BASE64_H_
+#define _BASE64_H_
+
+enum base64_encodestep {
+ step_A, step_B, step_C
+};
+
+struct base64_encodestate {
+ enum base64_encodestep step;
+ char result;
+ int stepcount;
+};
+
+void base64_init_encodestate(struct base64_encodestate *state_in);
+
+char base64_encode_value(char value_in);
+
+int base64_encode_block(const char *plaintext_in, int length_in, char *code_out,
+ struct base64_encodestate *state_in);
+
+int base64_encode_blockend(char *code_out, struct base64_encodestate *state_in);
+
+
+enum base64_decodestep {
+ step_a, step_b, step_c, step_d
+};
+
+struct base64_decodestate {
+ enum base64_decodestep step;
+ char plainchar;
+};
+
+void base64_init_decodestate(struct base64_decodestate *state_in);
+
+signed char base64_decode_value(signed char value_in);
+
+int base64_decode_block(const char *code_in, int length_in, char *plaintext_out,
+ struct base64_decodestate *state_in);
+
+#endif /* _BASE64_H_ */
diff --git a/lib/subdir.am b/lib/subdir.am
index 648ab7f14..f8f82f276 100644
--- a/lib/subdir.am
+++ b/lib/subdir.am
@@ -8,6 +8,7 @@ lib_libfrr_la_LIBADD = $(LIBCAP) $(UNWIND_LIBS) $(LIBYANG_LIBS) $(LUA_LIB) $(UST
lib_libfrr_la_SOURCES = \
lib/agg_table.c \
lib/atomlist.c \
+ lib/base64.c \
lib/bfd.c \
lib/buffer.c \
lib/checksum.c \
@@ -177,6 +178,7 @@ clippy_scan += \
pkginclude_HEADERS += \
lib/agg_table.h \
lib/atomlist.h \
+ lib/base64.h \
lib/bfd.h \
lib/bitfield.h \
lib/buffer.h \
diff --git a/lib/yang_wrappers.c b/lib/yang_wrappers.c
index 85aa003db..bee76c6e0 100644
--- a/lib/yang_wrappers.c
+++ b/lib/yang_wrappers.c
@@ -19,6 +19,7 @@
#include <zebra.h>
+#include "base64.h"
#include "log.h"
#include "lib_errors.h"
#include "northbound.h"
@@ -676,6 +677,64 @@ void yang_get_default_string_buf(char *buf, size_t size, const char *xpath_fmt,
xpath);
}
+/*
+ * Primitive type: binary.
+ */
+struct yang_data *yang_data_new_binary(const char *xpath, const char *value,
+ size_t len)
+{
+ char *value_str;
+ struct base64_encodestate s;
+ int cnt;
+ char *c;
+ struct yang_data *data;
+
+ value_str = (char *)malloc(len * 2);
+ base64_init_encodestate(&s);
+ cnt = base64_encode_block(value, len, value_str, &s);
+ c = value_str + cnt;
+ cnt = base64_encode_blockend(c, &s);
+ c += cnt;
+ *c = 0;
+ data = yang_data_new(xpath, value_str);
+ free(value_str);
+ return data;
+}
+
+size_t yang_dnode_get_binary_buf(char *buf, size_t size,
+ const struct lyd_node *dnode,
+ const char *xpath_fmt, ...)
+{
+ const char *canon;
+ size_t cannon_len;
+ size_t decode_len;
+ size_t ret_len;
+ size_t cnt;
+ char *value_str;
+ struct base64_decodestate s;
+
+ canon = YANG_DNODE_XPATH_GET_CANON(dnode, xpath_fmt);
+ cannon_len = strlen(canon);
+ decode_len = cannon_len;
+ value_str = (char *)malloc(decode_len);
+ base64_init_decodestate(&s);
+ cnt = base64_decode_block(canon, cannon_len, value_str, &s);
+
+ ret_len = size > cnt ? cnt : size;
+ memcpy(buf, value_str, ret_len);
+ if (size < cnt) {
+ char xpath[XPATH_MAXLEN];
+
+ yang_dnode_get_path(dnode, xpath, sizeof(xpath));
+ flog_warn(EC_LIB_YANG_DATA_TRUNCATED,
+ "%s: value was truncated [xpath %s]", __func__,
+ xpath);
+ }
+ free(value_str);
+ return ret_len;
+}
+
+
/*
* Primitive type: empty.
*/
diff --git a/lib/yang_wrappers.h b/lib/yang_wrappers.h
index d781dfb1e..56b314876 100644
--- a/lib/yang_wrappers.h
+++ b/lib/yang_wrappers.h
@@ -118,6 +118,13 @@ extern const char *yang_get_default_string(const char *xpath_fmt, ...);
extern void yang_get_default_string_buf(char *buf, size_t size,
const char *xpath_fmt, ...);
+/* binary */
+extern struct yang_data *yang_data_new_binary(const char *xpath,
+ const char *value, size_t len);
+extern size_t yang_dnode_get_binary_buf(char *buf, size_t size,
+ const struct lyd_node *dnode,
+ const char *xpath_fmt, ...);
+
/* empty */
extern struct yang_data *yang_data_new_empty(const char *xpath);
extern bool yang_dnode_get_empty(const struct lyd_node *dnode,
--
2.34.1

34
0007-bgpd-Make-sure-hdr-length-is-at-a-minimum-of-what-is.patch
View File

@ -1,34 +0,0 @@
From ff6db1027f8f36df657ff2e5ea167773752537ed Mon Sep 17 00:00:00 2001
From: Donald Sharp <sharpd@nvidia.com>
Date: Thu, 21 Jul 2022 08:11:58 -0400
Subject: [PATCH] bgpd: Make sure hdr length is at a minimum of what is
expected
References: bsc#1202023,CVE-2022-37032
Upstream: yes
Ensure that if the capability length specified is enough data.
Signed-off-by: Donald Sharp <sharpd@nvidia.com>
diff --git a/bgpd/bgp_packet.c b/bgpd/bgp_packet.c
index dbf6c0b2e9..45752a8ab6 100644
--- a/bgpd/bgp_packet.c
+++ b/bgpd/bgp_packet.c
@@ -2620,6 +2620,14 @@ static int bgp_capability_msg_parse(struct peer *peer, uint8_t *pnt,
"%s CAPABILITY has action: %d, code: %u, length %u",
peer->host, action, hdr->code, hdr->length);
+ if (hdr->length < sizeof(struct capability_mp_data)) {
+ zlog_info(
+ "%pBP Capability structure is not properly filled out, expected at least %zu bytes but header length specified is %d",
+ peer, sizeof(struct capability_mp_data),
+ hdr->length);
+ return BGP_Stop;
+ }
+
/* Capability length check. */
if ((pnt + hdr->length + 3) > end) {
zlog_info("%s Capability length error", peer->host);
--
2.35.3

41
0008-isisd-Ensure-rcap-is-freed-in-error-case.patch
View File

@ -1,41 +0,0 @@
From 49efc80d342d8e8373c8af040580bd7940808730 Mon Sep 17 00:00:00 2001
From: Donald Sharp <sharpd@nvidia.com>
Date: Wed, 20 Jul 2022 16:49:09 -0400
Subject: [PATCH] isisd: Ensure rcap is freed in error case
References: bsc#1202022
Upstream: yes
unpack_tlv_router_cap allocates memory that in the error
case is not being freed.
Signed-off-by: Donald Sharp <sharpd@nvidia.com>
diff --git a/isisd/isis_tlvs.c b/isisd/isis_tlvs.c
index 11be3c3a71..b3c3fd4b0b 100644
--- a/isisd/isis_tlvs.c
+++ b/isisd/isis_tlvs.c
@@ -3580,9 +3580,9 @@ static int pack_tlv_router_cap(const struct isis_router_cap *router_cap,
}
static int unpack_tlv_router_cap(enum isis_tlv_context context,
- uint8_t tlv_type, uint8_t tlv_len,
- struct stream *s, struct sbuf *log,
- void *dest, int indent)
+ uint8_t tlv_type, uint8_t tlv_len,
+ struct stream *s, struct sbuf *log, void *dest,
+ int indent)
{
struct isis_tlvs *tlvs = dest;
struct isis_router_cap *rcap;
@@ -3627,7 +3627,7 @@ static int unpack_tlv_router_cap(enum isis_tlv_context context,
log, indent,
"WARNING: Router Capability subTLV length too large compared to expected size\n");
stream_forward_getp(s, STREAM_READABLE(s));
-
+ XFREE(MTYPE_ISIS_TLV, rcap);
return 0;
}
--
2.35.3

3
frr-8.1.tar.gz
View File

@ -1,3 +0,0 @@
version https://git-lfs.github.com/spec/v1
oid sha256:9d82c11b304ab89a30627fcbb4150f51e639f473f8563976e14101e796240599
size 8514995

3
frr-8.4.tar.gz Normal file
View File

@ -0,0 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:4fe5dccf6d41218c3012c2b09c85c4cd65a96299ab400e487191515232f0ee8a
size 9883194

59
frr.changes
View File

@ -1,3 +1,62 @@
-------------------------------------------------------------------
Fri Nov 11 13:04:52 UTC 2022 - Marius Tomaschewski <mt@suse.com>
- Migration to /usr/etc: Conditionally moved /etc/logrotate.d/frr
file to vendor specific directory /usr/etc/logrotate.d and added
saving of user changed configuration files in /etc and restoring
them while an RPM update.
- Declare root as sufficient also in the pam account verification;
without vtysh use causes to log a pam frr:account warnings
(https://github.com/FRRouting/frr/pull/12308)
[+ 0005-root-ok-in-account-frr.pam.patch]
- Applied fix removing a not needed backslash causing to log a warning
(https://github.com/FRRouting/frr/pull/12307)
[+ 0004-tools-remove-backslash-from-declare-check-regex.patch]
- Applied upstream fixes for frrinit.sh to avoid a privilege escalation
from frr to root in frr config creation (bsc#1204124,CVE-2022-42917,
https://github.com/FRRouting/frr/pull/12157).
[+ 0003-tools-Run-as-FRR_USER-install-chown-commands-to-avoi.patch]
- Removed obsolete patches provided in the 8.4 source archive:
[- 0003-babeld-fix-10487-by-adding-a-check-on-packet-length.patch,
- 0004-babeld-fix-10502-10503-by-repairing-the-checks-on-le.patch,
- 0005-isisd-fix-router-capability-TLV-parsing-issues.patch,
- 0006-isisd-fix-10505-using-base64-encoding.patch,
- 0007-bgpd-Make-sure-hdr-length-is-at-a-minimum-of-what-is.patch,
- 0008-isisd-Ensure-rcap-is-freed-in-error-case.patch]
- Update to version 8.4, see https://frrouting.org/release/8.4/
* New BGP command (neighbor PEER soo) to configure SoO to prevent
routing loops and suboptimal routing on dual-homed sites.
* Command debug bgp allow-martian replaced to bgp allow-martian-nexthop
because previously we allowed using martian next-hops when debug is
turned on.
* Implement BGP Prefix Origin Validation State Extended Community rfc8097
* Implement Route Leak Prevention and Detection Using Roles in UPDATE
and OPEN Messages rfc9234
* BMP L3VPN support
* PIMv6 support
* MLD support
* New command to enable using reserved IPv4 ranges as normal addresses
for BGP next-hops, interface addresses, etc.
* As usual, lots of bugs and memory leaks were fixed \m/
such as a fix for a possible use-after-free due to a race
condition related to bgp_notify_send_with_data() and
bgp_process_packet() in bgp_packet.c. This could lead to
Remote Code Execution or Information Disclosure by sending
crafted BGP packets (CVE-2022-37035,bsc#1202085).
- Update to version 8.3, see https://frrouting.org/release/8.3/
* Notification Message support for BGP Graceful Restart
* BGP Cease Notification Subcode For BFD
* Send Hold Timer for BGP
* RFC5424 syslog support
* PIM passive command
- Update to version 8.2.2, see https://frrouting.org/release/8.2.2/
* BGP Long-lived graceful restart capability
* BGP Extended Optional Parameters Length for BGP OPEN Message
* BGP Extended BGP Administrative Shutdown Communication
* IS-IS Link State Traffic Engineering support
* OSPFv3 Support for NSSA Type-7 address ranges
* PBR VLAN actions support
-------------------------------------------------------------------
Mon Sep 5 11:48:25 UTC 2022 - Marius Tomaschewski <mt@suse.com>

42
frr.spec
View File

@ -30,23 +30,20 @@
%define frr_daemondir %{_prefix}/lib/frr
Name: frr
Version: 8.1
Version: 8.4
Release: 0
Summary: FRRouting Routing daemon
License: GPL-2.0-or-later AND LGPL-2.1-or-later
Group: Productivity/Networking/System
URL: https://www.frrouting.org
#Git-Clone: https://github.com/FRRouting/frr.git
Source: https://github.com/FRRouting/frr/archive/%{name}-%{version}.tar.gz
Source: https://github.com/FRRouting/frr/archive/refs/tags/%{name}-%{version}.tar.gz
Source1: %{name}-tmpfiles.d
Patch1: 0001-disable-zmq-test.patch
Patch2: harden_frr.service.patch
Patch3: 0003-babeld-fix-10487-by-adding-a-check-on-packet-length.patch
Patch4: 0004-babeld-fix-10502-10503-by-repairing-the-checks-on-le.patch
Patch5: 0005-isisd-fix-router-capability-TLV-parsing-issues.patch
Patch6: 0006-isisd-fix-10505-using-base64-encoding.patch
Patch7: 0007-bgpd-Make-sure-hdr-length-is-at-a-minimum-of-what-is.patch
Patch8: 0008-isisd-Ensure-rcap-is-freed-in-error-case.patch
Patch3: 0003-tools-Run-as-FRR_USER-install-chown-commands-to-avoi.patch
Patch4: 0004-tools-remove-backslash-from-declare-check-regex.patch
Patch5: 0005-root-ok-in-account-frr.pam.patch
BuildRequires: autoconf
BuildRequires: automake
BuildRequires: bison >= 2.7
@ -189,12 +186,7 @@ developing OSPF-API and frr applications.
%patch2 -p1
%patch3 -p1
%patch4 -p1
gzip -d tests/isisd/test_fuzz_isis_tlv_tests.h.gz
%patch5 -p1
gzip -9 tests/isisd/test_fuzz_isis_tlv_tests.h
%patch6 -p1
%patch7 -p1
%patch8 -p1
%build
# GCC LTO objects must be "fat" to avoid assembly errors
@ -284,7 +276,11 @@ install -D -m 0644 tools%{_sysconfdir}/frr/daemons %{buildroot}%{_sysconfdir}/fr
sed -i -e 's/^\(bgpd_options=\)\(.*\)\(".*\)/\1\2 -M rpki\3/' %{buildroot}%{_sysconfdir}/frr/daemons
install -D -m 0644 redhat/frr.pam %{buildroot}%{_sysconfdir}/pam.d/frr
%if 0%{?suse_version} > 1500
install -D -m 0644 redhat/frr.logrotate %{buildroot}%{_distconfdir}/logrotate.d/frr
%else
install -D -m 0644 redhat/frr.logrotate %{buildroot}%{_sysconfdir}/logrotate.d/frr
%endif
install -d -m 0750 %{buildroot}%{rundir}
install -d -m 0750 %{buildroot}%{_localstatedir}/log/frr
@ -317,6 +313,20 @@ getent group %{frrvty_group} >/dev/null || groupadd -r %{frrvty_group}
getent passwd %{frr_user} >/dev/null || useradd -r -g %{frr_group} -G %{frrvty_group} -d %{frr_home} -s /sbin/nologin -c "FRRouting suite" %{frr_user}
%service_add_pre %{name}.service
%if 0%{?suse_version} > 1500
# Prepare for migration to /usr/etc; save any old .rpmsave
for i in logrotate.d/frr ; do
test -f %{_sysconfdir}/${i}.rpmsave && mv -v %{_sysconfdir}/${i}.rpmsave %{_sysconfdir}/${i}.rpmsave.old ||:
done
%endif
%posttrans
%if 0%{?suse_version} > 1500
# Migration to /usr/etc, restore just created .rpmsave
for i in logrotate.d/frr ; do
test -f %{_sysconfdir}/${i}.rpmsave && mv -v %{_sysconfdir}/${i}.rpmsave %{_sysconfdir}/${i} ||:
done
%endif
%post
%service_add_post %{name}.service
@ -366,7 +376,11 @@ getent passwd %{frr_user} >/dev/null || useradd -r -g %{frr_group} -G %{frrvty_g
%config(noreplace) %attr(640,%{frr_user},%{frrvty_group}) %{_sysconfdir}/%{name}/vtysh.conf
%config(noreplace) %%attr(640,%{frr_user},%{frr_group}) %{_sysconfdir}/%{name}/daemons
%config(noreplace) %{_sysconfdir}/pam.d/frr
%if 0%{?suse_version} > 1500
%{_distconfdir}/logrotate.d/frr
%else
%config(noreplace) %{_sysconfdir}/logrotate.d/frr
%endif
%{_infodir}/frr.info%{?ext_info}
%{_mandir}/man?/*
%{_docdir}/%{name}/html
@ -389,11 +403,13 @@ getent passwd %{frr_user} >/dev/null || useradd -r -g %{frr_group} -G %{frrvty_g
%{frr_daemondir}/frr
%{frr_daemondir}/frr-reload
%{frr_daemondir}/frr-reload.py
%{frr_daemondir}/frr_babeltrace.py
%{frr_daemondir}/frrcommon.sh
%{frr_daemondir}/frrinit.sh
%{frr_daemondir}/isisd
%{frr_daemondir}/ldpd
%{frr_daemondir}/nhrpd
%{frr_daemondir}/ospfclient.py
%{frr_daemondir}/ospf6d
%{frr_daemondir}/ospfd
%{frr_daemondir}/pathd