Resolves: RHEL-4797 - missing length check in bgp_attr_psid_sub() can lead do DoS
This commit is contained in:
Michal Ruprich
parent
6f6ec0f6ce
commit
2c64b7c6a1
150
0025-CVE-2023-31490.patch
Normal file
150
0025-CVE-2023-31490.patch
Normal file
@ -0,0 +1,150 @@
|
||||
From 06431bfa7570f169637ebb5898f0b0cc3b010802 Mon Sep 17 00:00:00 2001
|
||||
From: Donald Sharp <sharpd@nvidia.com>
|
||||
Date: Tue, 6 Dec 2022 10:23:11 -0500
|
||||
Subject: [PATCH] bgpd: Ensure stream received has enough data
|
||||
|
||||
BGP_PREFIX_SID_SRV6_L3_SERVICE attributes must not
|
||||
fully trust the length value specified in the nlri.
|
||||
Always ensure that the amount of data we need to read
|
||||
can be fullfilled.
|
||||
|
||||
Reported-by: Iggy Frankovic <iggyfran@amazon.com>
|
||||
Signed-off-by: Donald Sharp <sharpd@nvidia.com>
|
||||
---
|
||||
bgpd/bgp_attr.c | 79 ++++++++++++++++---------------------------------
|
||||
1 file changed, 25 insertions(+), 54 deletions(-)
|
||||
|
||||
diff --git a/bgpd/bgp_attr.c b/bgpd/bgp_attr.c
|
||||
index c35e45275c9b..5b06bc391375 100644
|
||||
--- a/bgpd/bgp_attr.c
|
||||
+++ b/bgpd/bgp_attr.c
|
||||
@@ -2927,9 +2927,21 @@ bgp_attr_psid_sub(uint8_t type, uint16_t length,
|
||||
uint16_t endpoint_behavior;
|
||||
char buf[BUFSIZ];
|
||||
|
||||
+ /*
|
||||
+ * Check that we actually have at least as much data as
|
||||
+ * specified by the length field
|
||||
+ */
|
||||
+ if (STREAM_READABLE(peer->curr) < length) {
|
||||
+ flog_err(
|
||||
+ EC_BGP_ATTR_LEN,
|
||||
+ "Prefix SID specifies length %hu, but only %zu bytes remain",
|
||||
+ length, STREAM_READABLE(peer->curr));
|
||||
+ return bgp_attr_malformed(args, BGP_NOTIFY_UPDATE_ATTR_LENG_ERR,
|
||||
+ args->total);
|
||||
+ }
|
||||
+
|
||||
if (type == BGP_PREFIX_SID_LABEL_INDEX) {
|
||||
- if (STREAM_READABLE(peer->curr) < length
|
||||
- || length != BGP_PREFIX_SID_LABEL_INDEX_LENGTH) {
|
||||
+ if (length != BGP_PREFIX_SID_LABEL_INDEX_LENGTH) {
|
||||
flog_err(EC_BGP_ATTR_LEN,
|
||||
"Prefix SID label index length is %hu instead of %u",
|
||||
length, BGP_PREFIX_SID_LABEL_INDEX_LENGTH);
|
||||
@@ -2951,12 +2963,8 @@ bgp_attr_psid_sub(uint8_t type, uint16_t length,
|
||||
/* Store label index; subsequently, we'll check on
|
||||
* address-family */
|
||||
attr->label_index = label_index;
|
||||
- }
|
||||
-
|
||||
- /* Placeholder code for the IPv6 SID type */
|
||||
- else if (type == BGP_PREFIX_SID_IPV6) {
|
||||
- if (STREAM_READABLE(peer->curr) < length
|
||||
- || length != BGP_PREFIX_SID_IPV6_LENGTH) {
|
||||
+ } else if (type == BGP_PREFIX_SID_IPV6) {
|
||||
+ if (length != BGP_PREFIX_SID_IPV6_LENGTH) {
|
||||
flog_err(EC_BGP_ATTR_LEN,
|
||||
"Prefix SID IPv6 length is %hu instead of %u",
|
||||
length, BGP_PREFIX_SID_IPV6_LENGTH);
|
||||
@@ -2970,10 +2978,7 @@ bgp_attr_psid_sub(uint8_t type, uint16_t length,
|
||||
stream_getw(peer->curr);
|
||||
|
||||
stream_get(&ipv6_sid, peer->curr, 16);
|
||||
- }
|
||||
-
|
||||
- /* Placeholder code for the Originator SRGB type */
|
||||
- else if (type == BGP_PREFIX_SID_ORIGINATOR_SRGB) {
|
||||
+ } else if (type == BGP_PREFIX_SID_ORIGINATOR_SRGB) {
|
||||
/*
|
||||
* ietf-idr-bgp-prefix-sid-05:
|
||||
* Length is the total length of the value portion of the
|
||||
@@ -2998,19 +3003,6 @@ bgp_attr_psid_sub(uint8_t type, uint16_t length,
|
||||
args->total);
|
||||
}
|
||||
|
||||
- /*
|
||||
- * Check that we actually have at least as much data as
|
||||
- * specified by the length field
|
||||
- */
|
||||
- if (STREAM_READABLE(peer->curr) < length) {
|
||||
- flog_err(EC_BGP_ATTR_LEN,
|
||||
- "Prefix SID Originator SRGB specifies length %hu, but only %zu bytes remain",
|
||||
- length, STREAM_READABLE(peer->curr));
|
||||
- return bgp_attr_malformed(
|
||||
- args, BGP_NOTIFY_UPDATE_ATTR_LENG_ERR,
|
||||
- args->total);
|
||||
- }
|
||||
-
|
||||
/*
|
||||
* Check that the portion of the TLV containing the sequence of
|
||||
* SRGBs corresponds to a multiple of the SRGB size; to get
|
||||
@@ -3034,12 +3026,8 @@ bgp_attr_psid_sub(uint8_t type, uint16_t length,
|
||||
stream_get(&srgb_base, peer->curr, 3);
|
||||
stream_get(&srgb_range, peer->curr, 3);
|
||||
}
|
||||
- }
|
||||
-
|
||||
- /* Placeholder code for the VPN-SID Service type */
|
||||
- else if (type == BGP_PREFIX_SID_VPN_SID) {
|
||||
- if (STREAM_READABLE(peer->curr) < length
|
||||
- || length != BGP_PREFIX_SID_VPN_SID_LENGTH) {
|
||||
+ } else if (type == BGP_PREFIX_SID_VPN_SID) {
|
||||
+ if (length != BGP_PREFIX_SID_VPN_SID_LENGTH) {
|
||||
flog_err(EC_BGP_ATTR_LEN,
|
||||
"Prefix SID VPN SID length is %hu instead of %u",
|
||||
length, BGP_PREFIX_SID_VPN_SID_LENGTH);
|
||||
@@ -2601,18 +2589,13 @@ static bgp_attr_parse_ret_t bgp_attr_psid_sub(uint8_t type, uint16_t length,
|
||||
sizeof(struct bgp_attr_srv6_vpn));
|
||||
attr->srv6_vpn->sid_flags = sid_flags;
|
||||
sid_copy(&attr->srv6_vpn->sid, &ipv6_sid);
|
||||
- }
|
||||
-
|
||||
- /* Placeholder code for the SRv6 L3 Service type */
|
||||
- else if (type == BGP_PREFIX_SID_SRV6_L3_SERVICE) {
|
||||
- if (STREAM_READABLE(peer->curr) < length
|
||||
- || length != BGP_PREFIX_SID_SRV6_L3_SERVICE_LENGTH) {
|
||||
- flog_err(EC_BGP_ATTR_LEN,
|
||||
- "Prefix SID SRv6 L3-Service length is %hu instead of %u",
|
||||
- length, BGP_PREFIX_SID_SRV6_L3_SERVICE_LENGTH);
|
||||
- return bgp_attr_malformed(args,
|
||||
- BGP_NOTIFY_UPDATE_ATTR_LENG_ERR,
|
||||
- args->total);
|
||||
+ } else if (type == BGP_PREFIX_SID_SRV6_L3_SERVICE) {
|
||||
+ if (STREAM_READABLE(peer->curr) < 1) {
|
||||
+ flog_err(EC_BGP_ATTR_LEN,
|
||||
+ "Prefix SID SRV6 L3 Service not enough data left, it must be at least 1 byte");
|
||||
+ return bgp_attr_malformed(
|
||||
+ args, BGP_NOTIFY_UPDATE_ATTR_LENG_ERR,
|
||||
+ args->total);
|
||||
}
|
||||
|
||||
/* Parse L3-SERVICE Sub-TLV */
|
||||
@@ -2647,17 +2630,6 @@ static bgp_attr_parse_ret_t bgp_attr_psid_sub(uint8_t type, uint16_t length,
|
||||
|
||||
/* Placeholder code for Unsupported TLV */
|
||||
else {
|
||||
-
|
||||
- if (STREAM_READABLE(peer->curr) < length) {
|
||||
- flog_err(
|
||||
- EC_BGP_ATTR_LEN,
|
||||
- "Prefix SID SRv6 length is %hu - too long, only %zu remaining in this UPDATE",
|
||||
- length, STREAM_READABLE(peer->curr));
|
||||
- return bgp_attr_malformed(
|
||||
- args, BGP_NOTIFY_UPDATE_ATTR_LENG_ERR,
|
||||
- args->total);
|
||||
- }
|
||||
-
|
||||
if (bgp_debug_update(peer, NULL, NULL, 1))
|
||||
zlog_debug(
|
||||
"%s attr Prefix-SID sub-type=%u is not supported, skipped",
|
||||
6
frr.spec
6
frr.spec
@ -7,7 +7,7 @@
|
||||
|
||||
Name: frr
|
||||
Version: 7.5.1
|
||||
Release: 19%{?checkout}%{?dist}
|
||||
Release: 20%{?checkout}%{?dist}
|
||||
Summary: Routing daemon
|
||||
License: GPLv2+
|
||||
URL: http://www.frrouting.org
|
||||
@ -64,6 +64,7 @@ Patch0021: 0021-CVE-2023-47235.patch
|
||||
Patch0022: 0022-route-map-event.patch
|
||||
Patch0023: 0023-CVE-2023-46752.patch
|
||||
Patch0024: 0024-CVE-2023-46753.patch
|
||||
Patch0025: 0025-CVE-2023-31490.patch
|
||||
|
||||
%description
|
||||
FRRouting is free software that manages TCP/IP based routing protocols. It takes
|
||||
@ -284,6 +285,9 @@ make check PYTHON=%{__python3}
|
||||
%endif
|
||||
|
||||
%changelog
|
||||
* Wed Feb 07 2024 Michal Ruprich <mruprich@redhat.com> - 7.5.1-20
|
||||
- Resolves: RHEL-4797 - missing length check in bgp_attr_psid_sub() can lead do DoS
|
||||
|
||||
* Mon Feb 05 2024 Michal Ruprich <mruprich@redhat.com> - 7.5.1-19
|
||||
- Resolves: RHEL-14824 - crafted BGP UPDATE message leading to a crash
|
||||
|
||||
|
||||
Loading…
Reference in New Issue
Block a user