parent
2b381b1fd4
commit
e0744e8b66
@ -0,0 +1,27 @@
|
||||
From 4fcb9d0764b14463f797f2819905ab819dd770f5 Mon Sep 17 00:00:00 2001
|
||||
From: Donatas Abraitis <donatas@opensourcerouting.org>
|
||||
Date: Sun, 20 Aug 2023 22:15:27 +0300
|
||||
Subject: [PATCH] bgpd: Don't read the first byte of ORF header if we are ahead
|
||||
of stream
|
||||
|
||||
Reported-by: Iggy Frankovic iggyfran@amazon.com
|
||||
Signed-off-by: Donatas Abraitis <donatas@opensourcerouting.org>
|
||||
(cherry picked from commit 9b855a692e68e0d16467e190b466b4ecb6853702)
|
||||
|
||||
diff --git a/bgpd/bgp_packet.c b/bgpd/bgp_packet.c
|
||||
index a2959ef6e..60f1dcbcd 100644
|
||||
--- a/bgpd/bgp_packet.c
|
||||
+++ b/bgpd/bgp_packet.c
|
||||
@@ -2408,7 +2408,8 @@ static int bgp_route_refresh_receive(struct peer *peer, bgp_size_t size)
|
||||
* and 7 bytes of ORF Address-filter entry from
|
||||
* the stream
|
||||
*/
|
||||
- if (*p_pnt & ORF_COMMON_PART_REMOVE_ALL) {
|
||||
+ if (p_pnt < p_end &&
|
||||
+ *p_pnt & ORF_COMMON_PART_REMOVE_ALL) {
|
||||
if (bgp_debug_neighbor_events(peer))
|
||||
zlog_debug(
|
||||
"%pBP rcvd Remove-All pfxlist ORF request",
|
||||
--
|
||||
2.17.1
|
||||
|
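Review bot: The added `p_pnt < p_end` guard on the `if` only short-circuits the Remove-All test; once the pointer has reached the end the whole condition is simply false, so control drops into the code after this `if`, which according to the comment directly above reads the 7-byte ORF Address-filter entry from the stream. Unless that path carries its own bound check (it lies outside the hunk, as does the rest of bgp_route_refresh_receive, whose body starts before and ends after what is shown), the one-byte over-read is displaced rather than removed. A more robust shape tests exhaustion on its own before inspecting the flag, e.g. `if (p_pnt >= p_end) break; /* truncated ORF entry */` ahead of `if (*p_pnt & ORF_COMMON_PART_REMOVE_ALL) {`, assuming this sits in the per-entry loop the comment implies. Parenthesising the bitwise test as `(*p_pnt & ORF_COMMON_PART_REMOVE_ALL)` would also make the precedence between `&` and `&&` explicit to the next reader.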
@ -0,0 +1,51 @@
|
||||
From da62ad75f69f2e0e4ec51c7dd5e79bd810f636b6 Mon Sep 17 00:00:00 2001
|
||||
From: Donatas Abraitis <donatas@opensourcerouting.org>
|
||||
Date: Fri, 18 Aug 2023 11:28:03 +0300
|
||||
Subject: [PATCH] bgpd: Make sure we have enough data to read two bytes when
|
||||
validating AIGP
|
||||
|
||||
Found when fuzzing:
|
||||
|
||||
```
|
||||
==3470861==ERROR: AddressSanitizer: heap-buffer-overflow on address 0xffff77801ef7 at pc 0xaaaaba7b3dbc bp 0xffffcff0e760 sp 0xffffcff0df50
|
||||
READ of size 2 at 0xffff77801ef7 thread T0
|
||||
0 0xaaaaba7b3db8 in __asan_memcpy (/home/ubuntu/frr_8_5_2/frr_8_5_2_fuzz_clang/bgpd/bgpd+0x363db8) (BuildId: cc710a2356e31c7f4e4a17595b54de82145a6e21)
|
||||
1 0xaaaaba81a8ac in ptr_get_be16 /home/ubuntu/frr_8_5_2/frr_8_5_2_fuzz_clang/./lib/stream.h:399:2
|
||||
2 0xaaaaba819f2c in bgp_attr_aigp_valid /home/ubuntu/frr_8_5_2/frr_8_5_2_fuzz_clang/bgpd/bgp_attr.c:504:3
|
||||
3 0xaaaaba808c20 in bgp_attr_aigp /home/ubuntu/frr_8_5_2/frr_8_5_2_fuzz_clang/bgpd/bgp_attr.c:3275:7
|
||||
4 0xaaaaba7ff4e0 in bgp_attr_parse /home/ubuntu/frr_8_5_2/frr_8_5_2_fuzz_clang/bgpd/bgp_attr.c:3678:10
|
||||
```
|
||||
|
||||
Reported-by: Iggy Frankovic <iggyfran@amazon.com>
|
||||
Signed-off-by: Donatas Abraitis <donatas@opensourcerouting.org>
|
||||
(cherry picked from commit f96201e104892e18493f24cf67bb713678e8237b)
|
||||
|
||||
diff --git a/bgpd/bgp_attr.c b/bgpd/bgp_attr.c
|
||||
index 8e66a229c..2ef50ffe5 100644
|
||||
--- a/bgpd/bgp_attr.c
|
||||
+++ b/bgpd/bgp_attr.c
|
||||
@@ -513,6 +513,7 @@ static bool bgp_attr_aigp_valid(uint8_t *pnt, int length)
|
||||
uint8_t *data = pnt;
|
||||
uint8_t tlv_type;
|
||||
uint16_t tlv_length;
|
||||
+ uint8_t *end = data + length;
|
||||
|
||||
if (length < 3) {
|
||||
zlog_err("Bad AIGP attribute length (MUST be minimum 3): %u",
|
||||
@@ -521,7 +522,13 @@ static bool bgp_attr_aigp_valid(uint8_t *pnt, int length)
|
||||
}
|
||||
|
||||
while (length) {
|
||||
+ size_t data_len = end - data;
|
||||
+
|
||||
tlv_type = *data;
|
||||
+
|
||||
+ if (data_len - 1 < 2)
|
||||
+ return false;
|
||||
+
|
||||
ptr_get_be16(data + 1, &tlv_length);
|
||||
(void)data;
|
||||
|
||||
--
|
||||
2.17.1
|
||||
|
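Review bot: In the new check, `tlv_type = *data;` still dereferences `data` before `data_len` has been validated, and `data_len - 1` is evaluated on a `size_t`, so when `data == end` (data_len 0) the subtraction wraps to SIZE_MAX and `data_len - 1 < 2` is false — the empty case is exactly the one the guard fails to catch, and the same wrap happens if `data` ever overshoots `end`. Whether the loop can reach that state depends on how `length` and `data` are advanced further down in bgp_attr_aigp_valid, which is outside the hunk, but the guard is cheap to make airtight: move it above the dereference and state the requirement directly, `if (data_len < 3) return false;` (one byte of type plus two of length), followed by `tlv_type = *data;` and the `ptr_get_be16(data + 1, &tlv_length);` read. The leftover `(void)data;` after that read looks like a remnant of an earlier revision and could be dropped in the same change.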
@ -21,3 +21,5 @@ cross-compile-changes.patch
|
||||
0019-zebra-Abstract-dplane_ctx_route_init-to-init-route-w.patch
|
||||
0020-zebra-Fix-crash-when-dplane_fpm_nl-fails-to-process-.patch
|
||||
0021-zebra-remove-duplicated-nexthops-when-sending-fpm-msg.patch
|
||||
0022-bgpd-Don-t-read-the-first-byte-of-ORF-header-if-we-a.patch
|
||||
0023-bgpd-Make-sure-we-have-enough-data-to-read-two-bytes.patch
|
||||
|