Accepting request 1111550 from home:mtomaschewski:frr

- Apply upstream fix for NULL pointer dereference due to processing of malformed requests with no attributes in bgp_nlri_parse_flowspec (CVE-2023-41909,bsc#1215065,cfd04dcb3e). [+ 0012-bgpd-Limit-flowspec-to-no-attribute-means-a-implicit.patch] OBS-URL: https://build.opensuse.org/request/show/1111550 OBS-URL: https://build.opensuse.org/package/show/network/frr?expand=0&rev=53
2023-09-15 12:32:32 +00:00 · 2023-09-15 12:32:32 +00:00 · cee0900b9b
commit cee0900b9b
parent fbadf37a51
3 changed files with 47 additions and 0 deletions
--- a/0012-bgpd-Limit-flowspec-to-no-attribute-means-a-implicit.patch
+++ b/0012-bgpd-Limit-flowspec-to-no-attribute-means-a-implicit.patch
@ -0,0 +1,37 @@
+From 168204de6371f594c4f1ebac30ca3e181a851e39 Mon Sep 17 00:00:00 2001
+From: Donald Sharp <sharpd@nvidia.com>
+Date: Wed, 5 Apr 2023 14:57:05 -0400
+Subject: [PATCH] bgpd: Limit flowspec to no attribute means a implicit
+ withdrawal
+Upsteam: yes
+References: CVE-2023-41909,bsc#1215065,https://github.com/FRRouting/frr/pull/13222/commits/cfd04dcb3e689754a72507d086ba3b9709fc5ed8
+
+All other parsing functions done from bgp_nlri_parse() assume
+no attributes == an implicit withdrawal.  Let's move
+bgp_nlri_parse_flowspec() into the same alignment.
+
+Reported-by: Matteo Memelli <mmemelli@amazon.it>
+Signed-off-by: Donald Sharp <sharpd@nvidia.com>
+Signed-off-by: Marius Tomaschewski <mt@suse.com>
+
+diff --git a/bgpd/bgp_flowspec.c b/bgpd/bgp_flowspec.c
+index 39c0cfe514..fe1f0d50f8 100644
+--- a/bgpd/bgp_flowspec.c
+++ b/bgpd/bgp_flowspec.c
+@@ -112,6 +112,13 @@ int bgp_nlri_parse_flowspec(struct peer *peer, struct attr *attr,
+ 	afi = packet->afi;
+ 	safi = packet->safi;
+ 
+	/*
+	 * All other AFI/SAFI's treat no attribute as a implicit
+	 * withdraw.  Flowspec should as well.
+	 */
+	if (!attr)
+		withdraw = 1;
+
+ 	if (packet->length >= FLOWSPEC_NLRI_SIZELIMIT_EXTENDED) {
+ 		flog_err(EC_BGP_FLOWSPEC_PACKET,
+ 			 "BGP flowspec nlri length maximum reached (%u)",
+-- 
+2.35.3
+
--- a/frr.changes
+++ b/frr.changes
@ -1,3 +1,11 @@
+-------------------------------------------------------------------
+Tue Sep 12 13:40:19 UTC 2023 - Marius Tomaschewski <mt@suse.com>
+
+- Apply upstream fix for NULL pointer dereference due to processing
+  of malformed requests with no attributes in bgp_nlri_parse_flowspec
+  (CVE-2023-41909,bsc#1215065,https://github.com/FRRouting/frr/pull/13222/commits/cfd04dcb3e689754a72507d086ba3b9709fc5ed8).
+  [+ 0012-bgpd-Limit-flowspec-to-no-attribute-means-a-implicit.patch]
+
 -------------------------------------------------------------------
 Wed Aug 30 17:15:35 UTC 2023 - Marius Tomaschewski <mt@suse.com>

--- a/frr.spec
+++ b/frr.spec
@ -50,6 +50,7 @@ Patch8:         0008-bgpd-Don-t-read-the-first-byte-of-ORF-header-if-we-a.patch
 Patch9:         0009-bgpd-Do-not-process-NLRIs-if-the-attribute-length-is.patch
 Patch10:        0010-bgpd-Use-treat-as-withdraw-for-tunnel-encapsulation-.patch
 Patch11:        0011-babeld-fix-11808-to-avoid-infinite-loops.patch
+Patch12:        0012-bgpd-Limit-flowspec-to-no-attribute-means-a-implicit.patch
 BuildRequires:  autoconf
 BuildRequires:  automake
 BuildRequires:  bison >= 2.7
@ -198,6 +199,7 @@ developing OSPF-API and frr applications.
 %patch9 -p1
 %patch10 -p1
 %patch11 -p1
+%patch12 -p1

 %build
 # GCC LTO objects must be "fat" to avoid assembly errors