… CVE-2022-40302 Add patches from PRs https://github.com/FRRouting/frr/pull/12043 https://github.com/FRRouting/frr/pull/12247 #### Why I did it To fix CVEs https://github.com/advisories/GHSA-x7mf-v6gh-vm4g https://github.com/advisories/GHSA-9rqq-99cf-35g5 https://github.com/advisories/GHSA-j7hm-p94x-q9pw ##### Work item tracking - Microsoft ADO **(number only)**: 23268946 #### How I did it Added patches from the FRR fix PRs Co-authored-by: DavidZagury <32644413+DavidZagury@users.noreply.github.com>
This commit is contained in:
parent
d935f430b8
commit
7b13065e7d
@ -0,0 +1,130 @@
|
||||
From 3e46b43e3788f0f87bae56a86b54d412b4710286 Mon Sep 17 00:00:00 2001
|
||||
From: Donald Sharp <sharpd@nvidia.com>
|
||||
Date: Fri, 30 Sep 2022 08:51:45 -0400
|
||||
Subject: [PATCH 1/2] bgpd: Ensure FRR has enough data to read 2 bytes in
|
||||
peek_for_as4_capability
|
||||
|
||||
In peek_for_as4_capability the code is checking that the
|
||||
stream has at least 2 bytes to read ( the opt_type and the
|
||||
opt_length ). However if BGP_OPEN_EXT_OPT_PARAMS_CAPABLE(peer)
|
||||
is configured then FRR is reading 3 bytes. Which is not good
|
||||
since the packet could be badly formated. Ensure that
|
||||
FRR has the appropriate data length to read the data.
|
||||
|
||||
Signed-off-by: Donald Sharp <sharpd@nvidia.com>
|
||||
---
|
||||
bgpd/bgp_open.c | 27 +++++++++++++++++++++------
|
||||
1 file changed, 21 insertions(+), 6 deletions(-)
|
||||
|
||||
diff --git a/bgpd/bgp_open.c b/bgpd/bgp_open.c
|
||||
index 7248f034a5a..a760a7ca013 100644
|
||||
--- a/bgpd/bgp_open.c
|
||||
+++ b/bgpd/bgp_open.c
|
||||
@@ -1185,15 +1185,30 @@ as_t peek_for_as4_capability(struct peer *peer, uint16_t length)
|
||||
uint8_t opt_type;
|
||||
uint16_t opt_length;
|
||||
|
||||
- /* Check the length. */
|
||||
- if (stream_get_getp(s) + 2 > end)
|
||||
+ /* Ensure we can read the option type */
|
||||
+ if (stream_get_getp(s) + 1 > end)
|
||||
goto end;
|
||||
|
||||
- /* Fetch option type and length. */
|
||||
+ /* Fetch the option type */
|
||||
opt_type = stream_getc(s);
|
||||
- opt_length = BGP_OPEN_EXT_OPT_PARAMS_CAPABLE(peer)
|
||||
- ? stream_getw(s)
|
||||
- : stream_getc(s);
|
||||
+
|
||||
+ /*
|
||||
+ * Check the length and fetch the opt_length
|
||||
+ * If the peer is BGP_OPEN_EXT_OPT_PARAMS_CAPABLE(peer)
|
||||
+ * then we do a getw which is 2 bytes. So we need to
|
||||
+ * ensure that we can read that as well
|
||||
+ */
|
||||
+ if (BGP_OPEN_EXT_OPT_PARAMS_CAPABLE(peer)) {
|
||||
+ if (stream_get_getp(s) + 2 > end)
|
||||
+ goto end;
|
||||
+
|
||||
+ opt_length = stream_getw(s);
|
||||
+ } else {
|
||||
+ if (stream_get_getp(s) + 1 > end)
|
||||
+ goto end;
|
||||
+
|
||||
+ opt_length = stream_getc(s);
|
||||
+ }
|
||||
|
||||
/* Option length check. */
|
||||
if (stream_get_getp(s) + opt_length > end)
|
||||
|
||||
From 1117baca3c592877a4d8a13ed6a1d9bd83977487 Mon Sep 17 00:00:00 2001
|
||||
From: Donald Sharp <sharpd@nvidia.com>
|
||||
Date: Fri, 30 Sep 2022 08:57:43 -0400
|
||||
Subject: [PATCH 2/2] bgpd: Ensure FRR has enough data to read 2 bytes in
|
||||
bgp_open_option_parse
|
||||
|
||||
In bgp_open_option_parse the code is checking that the
|
||||
stream has at least 2 bytes to read ( the opt_type and
|
||||
the opt_length). However if BGP_OPEN_EXT_OPT_PARAMS_CAPABLE(peer)
|
||||
is configured then FRR is reading 3 bytes. Which is not good
|
||||
since the packet could be badly formateed. Ensure that
|
||||
FRR has the appropriate data length to read the data.
|
||||
|
||||
Signed-off-by: Donald Sharp <sharpd@nvidia.com>
|
||||
---
|
||||
bgpd/bgp_open.c | 35 ++++++++++++++++++++++++++++-------
|
||||
1 file changed, 28 insertions(+), 7 deletions(-)
|
||||
|
||||
diff --git a/bgpd/bgp_open.c b/bgpd/bgp_open.c
|
||||
index a760a7ca013..d1667fac261 100644
|
||||
--- a/bgpd/bgp_open.c
|
||||
+++ b/bgpd/bgp_open.c
|
||||
@@ -1278,19 +1278,40 @@ int bgp_open_option_parse(struct peer *peer, uint16_t length,
|
||||
uint8_t opt_type;
|
||||
uint16_t opt_length;
|
||||
|
||||
- /* Must have at least an OPEN option header */
|
||||
- if (STREAM_READABLE(s) < 2) {
|
||||
+ /*
|
||||
+ * Check that we can read the opt_type and fetch it
|
||||
+ */
|
||||
+ if (STREAM_READABLE(s) < 1) {
|
||||
zlog_info("%s Option length error", peer->host);
|
||||
bgp_notify_send(peer, BGP_NOTIFY_OPEN_ERR,
|
||||
BGP_NOTIFY_OPEN_MALFORMED_ATTR);
|
||||
return -1;
|
||||
}
|
||||
-
|
||||
- /* Fetch option type and length. */
|
||||
opt_type = stream_getc(s);
|
||||
- opt_length = BGP_OPEN_EXT_OPT_PARAMS_CAPABLE(peer)
|
||||
- ? stream_getw(s)
|
||||
- : stream_getc(s);
|
||||
+
|
||||
+ /*
|
||||
+ * Check the length of the stream to ensure that
|
||||
+ * FRR can properly read the opt_length. Then read it
|
||||
+ */
|
||||
+ if (BGP_OPEN_EXT_OPT_PARAMS_CAPABLE(peer)) {
|
||||
+ if (STREAM_READABLE(s) < 2) {
|
||||
+ zlog_info("%s Option length error", peer->host);
|
||||
+ bgp_notify_send(peer, BGP_NOTIFY_OPEN_ERR,
|
||||
+ BGP_NOTIFY_OPEN_MALFORMED_ATTR);
|
||||
+ return -1;
|
||||
+ }
|
||||
+
|
||||
+ opt_length = stream_getw(s);
|
||||
+ } else {
|
||||
+ if (STREAM_READABLE(s) < 1) {
|
||||
+ zlog_info("%s Option length error", peer->host);
|
||||
+ bgp_notify_send(peer, BGP_NOTIFY_OPEN_ERR,
|
||||
+ BGP_NOTIFY_OPEN_MALFORMED_ATTR);
|
||||
+ return -1;
|
||||
+ }
|
||||
+
|
||||
+ opt_length = stream_getc(s);
|
||||
+ }
|
||||
|
||||
/* Option length check. */
|
||||
if (STREAM_READABLE(s) < opt_length) {
|
@ -0,0 +1,47 @@
|
||||
From 766eec1b7accffe2c04a5c9ebb14e9f487bb9f78 Mon Sep 17 00:00:00 2001
|
||||
From: Donald Sharp <sharpd@nvidia.com>
|
||||
Date: Wed, 2 Nov 2022 13:24:48 -0400
|
||||
Subject: [PATCH] bgpd: Ensure that bgp open message stream has enough data to
|
||||
read
|
||||
|
||||
If a operator receives an invalid packet that is of insufficient size
|
||||
then it is possible for BGP to assert during reading of the packet
|
||||
instead of gracefully resetting the connection with the peer.
|
||||
|
||||
Signed-off-by: Donald Sharp <sharpd@nvidia.com>
|
||||
---
|
||||
bgpd/bgp_packet.c | 19 +++++++++++++++++++
|
||||
1 file changed, 19 insertions(+)
|
||||
|
||||
diff --git a/bgpd/bgp_packet.c b/bgpd/bgp_packet.c
|
||||
index 769f9613da8..72d6a923175 100644
|
||||
--- a/bgpd/bgp_packet.c
|
||||
+++ b/bgpd/bgp_packet.c
|
||||
@@ -1386,8 +1386,27 @@ static int bgp_open_receive(struct peer *peer, bgp_size_t size)
|
||||
|| CHECK_FLAG(peer->flags, PEER_FLAG_EXTENDED_OPT_PARAMS)) {
|
||||
uint8_t opttype;
|
||||
|
||||
+ if (STREAM_READABLE(peer->curr) < 1) {
|
||||
+ flog_err(
|
||||
+ EC_BGP_PKT_OPEN,
|
||||
+ "%s: stream does not have enough bytes for extended optional parameters",
|
||||
+ peer->host);
|
||||
+ bgp_notify_send(peer, BGP_NOTIFY_OPEN_ERR,
|
||||
+ BGP_NOTIFY_OPEN_MALFORMED_ATTR);
|
||||
+ return BGP_Stop;
|
||||
+ }
|
||||
+
|
||||
opttype = stream_getc(peer->curr);
|
||||
if (opttype == BGP_OPEN_NON_EXT_OPT_TYPE_EXTENDED_LENGTH) {
|
||||
+ if (STREAM_READABLE(peer->curr) < 2) {
|
||||
+ flog_err(
|
||||
+ EC_BGP_PKT_OPEN,
|
||||
+ "%s: stream does not have enough bytes to read the extended optional parameters optlen",
|
||||
+ peer->host);
|
||||
+ bgp_notify_send(peer, BGP_NOTIFY_OPEN_ERR,
|
||||
+ BGP_NOTIFY_OPEN_MALFORMED_ATTR);
|
||||
+ return BGP_Stop;
|
||||
+ }
|
||||
optlen = stream_getw(peer->curr);
|
||||
SET_FLAG(peer->sflags,
|
||||
PEER_STATUS_EXT_OPT_PARAMS_LENGTH);
|
@ -11,3 +11,5 @@ Disable-ipv6-src-address-test-in-pceplib.patch
|
||||
0010-zebra-Note-when-the-netlink-DUMP-command-is-interrup.patch
|
||||
0011-bgpd-enhanced-capability-is-always-turned-on-for-int.patch
|
||||
0012-Ensure-ospf_apiclient_lsa_originate-cannot-accidently-write-into-stack.patch
|
||||
0027-bgpd-Ensure-FRR-has-enough-data-to-read-in-peek_for_as4_capability-and-bgp_open_option_parse.patch
|
||||
0028-bgpd-Ensure-that-bgp-open-message-stream-has-enough-data-to-read.patch
|
||||
|
Loading…
Reference in New Issue
Block a user