Resolves: RHEL-14825 - crafted BGP UPDATE message leading to a crash

.frr.metadata

@@ -0,0 +1,2 @@
+5f46099a744058de374dbbf5240d1c4292a143f2 frr-8.5.3.tar.gz
+f9cc2bf16aa26b5090d782b70111f511cb276de1 remove-babeld-ldpd.sh

0008-CVE-2023-46753.patch

@@ -0,0 +1,60 @@
+From d8482bf011cb2b173e85b65b4bf3d5061250cdb9 Mon Sep 17 00:00:00 2001
+From: Donatas Abraitis <donatas@opensourcerouting.org>
+Date: Mon, 23 Oct 2023 23:34:10 +0300
+Subject: [PATCH] bgpd: Check mandatory attributes more carefully for UPDATE
+ message
+
+If we send a crafted BGP UPDATE message without mandatory attributes, we do
+not check if the length of the path attributes is zero or not. We only check
+if attr->flag is at least set or not. Imagine we send only unknown transit
+attribute, then attr->flag is always 0. Also, this is true only if graceful-restart
+capability is received.
+
+Reported-by: Iggy Frankovic <iggyfran@amazon.com>
+Signed-off-by: Donatas Abraitis <donatas@opensourcerouting.org>
+---
+ bgpd/bgp_attr.c | 10 ++++++----
+ 1 file changed, 6 insertions(+), 4 deletions(-)
+
+diff --git a/bgpd/bgp_attr.c b/bgpd/bgp_attr.c
+index 26fd3de..bcc4424 100644
+--- a/bgpd/bgp_attr.c
++++ b/bgpd/bgp_attr.c
+@@ -3400,7 +3400,8 @@ bgp_attr_unknown(struct bgp_attr_parser_args *args)
+ }
+ 
+ /* Well-known attribute check. */
+-static int bgp_attr_check(struct peer *peer, struct attr *attr)
++static int bgp_attr_check(struct peer *peer, struct attr *attr,
++           bgp_size_t length)
+ {
+ 	uint8_t type = 0;
+ 
+@@ -3409,7 +3410,8 @@ static int bgp_attr_check(struct peer *peer, struct attr *attr)
+ 	 * we will pass it to be processed as a normal UPDATE without mandatory
+ 	 * attributes, that could lead to harmful behavior.
+ 	 */
+-	if (CHECK_FLAG(peer->cap, PEER_CAP_RESTART_RCV) && !attr->flag)
++	if (CHECK_FLAG(peer->cap, PEER_CAP_RESTART_RCV) && !attr->flag &&
++      !length)
+ 		return BGP_ATTR_PARSE_WITHDRAW;
+ 
+ 	if (!CHECK_FLAG(attr->flag, ATTR_FLAG_BIT(BGP_ATTR_ORIGIN)))
+@@ -3462,7 +3464,7 @@ enum bgp_attr_parse_ret bgp_attr_parse(struct peer *peer, struct attr *attr,
+ 	enum bgp_attr_parse_ret ret;
+ 	uint8_t flag = 0;
+ 	uint8_t type = 0;
+-	bgp_size_t length;
++	bgp_size_t length = 0;
+ 	uint8_t *startp, *endp;
+ 	uint8_t *attr_endp;
+ 	uint8_t seen[BGP_ATTR_BITMAP_SIZE];
+@@ -3785,7 +3787,7 @@ enum bgp_attr_parse_ret bgp_attr_parse(struct peer *peer, struct attr *attr,
+ 	}
+ 
+ 	/* Check all mandatory well-known attributes are present */
+-	ret = bgp_attr_check(peer, attr);
++	ret = bgp_attr_check(peer, attr, length);
+ 	if (ret < 0)
+ 		goto done;
+ 

frr.spec

@@ -7,7 +7,7 @@
 
 Name: frr
 Version: 8.5.3
-Release: 3%{?checkout}%{?dist}
+Release: 4%{?checkout}%{?dist}
 Summary: Routing daemon
 License: GPLv2+
 URL: http://www.frrouting.org
@@ -70,6 +70,7 @@ Patch0004: 0004-fips-mode.patch
 Patch0005: 0005-CVE-2023-47235.patch
 Patch0006: 0006-CVE-2023-47234.patch
 Patch0007: 0007-CVE-2023-46752.patch
+Patch0008: 0008-CVE-2023-46753.patch
 
 %description
 FRRouting is free software that manages TCP/IP based routing protocols. It takes
@@ -275,6 +276,9 @@ make check PYTHON=%{__python3}
 %endif
 
 %changelog
+* Mon Feb 05 2024 Michal Ruprich <mruprich@redhat.com> - 8.5.3-4
+- Resolves: RHEL-14825 - crafted BGP UPDATE message leading to a crash
+
 * Mon Feb 05 2024 Michal Ruprich <mruprich@redhat.com> - 8.5.3-3
 - Resolves: RHEL-14822 - mishandled malformed data leading to a crash