rpm/frr
SHA256
1
0
Fork 0
forked from pool/frr
Code Pull Requests Activity
factory
frr/0018-bgpd-Flowspec-overflow-issue.patch
Marcus Meissner 53d2f4bd0b Accepting request 1130736 from home:mtomaschewski:frr 
- Apply upstream fix for a crash on malformed BGP UPDATE message
  with an EOR, because the presence of EOR does not lead to a
  treat-as-withdraw outcome (CVE-2023-47235,1216896,6814f2e013)
  [+ 0015-bgpd-Treat-EOR-as-withdrawn-to-avoid-unwanted-handli.patch]
- Apply upstream fix for a crash on crafted BGP UPDATE message with
  a MP_UNREACH_NLRI attribute and additional NLRI data (CVE-2023-47234,
  bsc#1216897,ttps://github.com/FRRouting/frr/pull/14716/commits/c37119df45bbf4ef713bc10475af2ee06e12f3bf)
  [+ 0016-bgpd-Ignore-handling-NLRIs-if-we-received-MP_UNREACH.patch]
- Apply upstream fix for attempts to read beyond the end of the
  stream during labeled unicast parsing (CVE-2023-38407,bsc#1216899,ab362eae68)
  [+ 0017-bgpd-Fix-use-beyond-end-of-stream-of-labeled-unicast.patch]
- Apply upstream fix for an nlri length of zero mishandling, aka
  "flowspec overflow" (CVE-2023-38406,bsc#1216900,0b999c886e)
  [+ 0018-bgpd-Flowspec-overflow-issue.patch]

OBS-URL: https://build.opensuse.org/request/show/1130736
OBS-URL: https://build.opensuse.org/package/show/network/frr?expand=0&rev=57
2023-12-05 10:45:46 +00:00

38 lines
1.3 KiB
Diff
Raw Permalink Blame History

From d4ead6bc0b2f0d4682661837d202502127060476 Mon Sep 17 00:00:00 2001
From: Donald Sharp <sharpd@nvidia.com>
Date: Thu, 23 Feb 2023 13:29:32 -0500
Subject: [PATCH] bgpd: Flowspec overflow issue
Upstream: yes
CVE-2023-38406,bsc#1216900,https://github.com/FRRouting/frr/pull/12884/commits/0b999c886e241c52bd1f7ef0066700e4b618ebb3
According to the flowspec RFC 8955 a flowspec nlri is <length, <nlri data>>
Specifying 0 as a length makes BGP get all warm on the inside. Which
in this case is not a good thing at all. Prevent warmth, stay cold
on the inside.
Reported-by: Iggy Frankovic <iggyfran@amazon.com>
Signed-off-by: Donald Sharp <sharpd@nvidia.com>
Signed-off-by: Marius Tomaschewski <mt@suse.com>
diff --git a/bgpd/bgp_flowspec.c b/bgpd/bgp_flowspec.c
index fe1f0d50f8..98ec1ed073 100644
--- a/bgpd/bgp_flowspec.c
+++ b/bgpd/bgp_flowspec.c
@@ -148,6 +148,13 @@ int bgp_nlri_parse_flowspec(struct peer *peer, struct attr *attr,
psize);
return BGP_NLRI_PARSE_ERROR_PACKET_OVERFLOW;
}
+
+ if (psize == 0) {
+ flog_err(EC_BGP_FLOWSPEC_PACKET,
+ "Flowspec NLRI length 0 which makes no sense");
+ return BGP_NLRI_PARSE_ERROR_PACKET_OVERFLOW;
+ }
+
if (bgp_fs_nlri_validate(pnt, psize, afi) < 0) {
flog_err(
EC_BGP_FLOWSPEC_PACKET,
--
2.35.3
View Git Blame Copy Permalink