From 12f2cdf8ce29988278af97b85ba452dd6f081fa2 Mon Sep 17 00:00:00 2001
From: Michal Ruprich
Date: Mon, 17 Oct 2022 09:37:25 +0200
Subject: [PATCH] Resolves: #2128738 - out-of-bounds read in the BGP daemon may lead to information disclosure or denial of service
---
0007-cve-2022-37032.patch | 32 ++++++++++++++++++++++++++++++++
frr.spec | 6 +++++-
2 files changed, 37 insertions(+), 1 deletion(-)
create mode 100644 0007-cve-2022-37032.patch
diff --git a/0007-cve-2022-37032.patch b/0007-cve-2022-37032.patch
new file mode 100644
index 0000000..4899c72
--- /dev/null
+++ b/0007-cve-2022-37032.patch
@@ -0,0 +1,32 @@
+From ff6db1027f8f36df657ff2e5ea167773752537ed Mon Sep 17 00:00:00 2001
+From: Donald Sharp
+Date: Thu, 21 Jul 2022 08:11:58 -0400
+Subject: [PATCH] bgpd: Make sure hdr length is at a minimum of what is
+ expected
+
+Ensure that if the capability length specified is enough data.
+
+Signed-off-by: Donald Sharp
+---
+ bgpd/bgp_packet.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/bgpd/bgp_packet.c b/bgpd/bgp_packet.c
+index dbf6c0b2e99..45752a8ab6d 100644
+--- a/bgpd/bgp_packet.c
++++ b/bgpd/bgp_packet.c
+@@ -2620,6 +2620,14 @@ static int bgp_capability_msg_parse(struct peer *peer, uint8_t *pnt,
+ "%s CAPABILITY has action: %d, code: %u, length %u",
+ peer->host, action, hdr->code, hdr->length);
+
++ if (hdr->length < sizeof(struct capability_mp_data)) {
++ zlog_info(
++ "%pBP Capability structure is not properly filled out, expected at least %zu bytes but header length specified is %d",
++ peer, sizeof(struct capability_mp_data),
++ hdr->length);
++ return BGP_Stop;
++ }
++
+ /* Capability length check. */
+ if ((pnt + hdr->length + 3) > end) {
+ zlog_info("%s Capability length error", peer->host);
diff --git a/frr.spec b/frr.spec
index 5431e0f..8fff4bf 100644
--- a/frr.spec
+++ b/frr.spec
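Review bot: The added `hdr->length < sizeof(struct capability_mp_data)` guard in bgp_capability_msg_parse runs before any visible test of `hdr->code` and has no comment naming the read it protects. From the hunk alone it therefore rejects every capability shorter than that struct, and a later maintainer cannot tell whether that is intended. The code that consumes the payload is outside the hunk (the function starts and ends beyond it), so this should be confirmed there and recorded above the check, e.g. `/* The payload is interpreted as struct capability_mp_data below; refuse anything shorter. */`. The new log line also prints `hdr->length` with `%d` while the debug line just above uses `%u` for the same field; `%u` would keep the two consistent.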
@@ -7,7 +7,7 @@ Name: frr Version: 8.3.1 -Release: 1%{?checkout}%{?dist} +Release: 2%{?checkout}%{?dist} Summary: Routing daemon License: GPLv2+ URL: http://www.frrouting.org @@ -69,6 +69,7 @@ Patch0003: 0003-disable-eigrp-crypto.patch Patch0004: 0004-fips-mode.patch Patch0005: 0005-ospf-api.patch Patch0006: 0006-graceful-restart.patch +Patch0007: 0007-cve-2022-37032.patch %description FRRouting is free software that manages TCP/IP based routing protocols. It takes @@ -274,6 +275,9 @@ make check PYTHON=%{__python3} %endif %changelog +* Mon Oct 17 2022 Michal Ruprich - 8.3.1-2 +- Resolves: #2128738 - out-of-bounds read in the BGP daemon may lead to information disclosure or denial of service + * Thu Oct 13 2022 Michal Ruprich - 8.3.1-1 - Resolves: #2129731 - Rebase FRR to the latest version - Resolves: #2129743 - Add targeted SELinux policy for FRR