Resolves: RHEL-14824 - crafted BGP UPDATE message leading to a crash
This commit is contained in:
Michal Ruprich
parent
1a8a32e553
commit
6f6ec0f6ce
60
0024-CVE-2023-46753.patch
Normal file
60
0024-CVE-2023-46753.patch
Normal file
@ -0,0 +1,60 @@
|
||||
From d8482bf011cb2b173e85b65b4bf3d5061250cdb9 Mon Sep 17 00:00:00 2001
|
||||
From: Donatas Abraitis <donatas@opensourcerouting.org>
|
||||
Date: Mon, 23 Oct 2023 23:34:10 +0300
|
||||
Subject: [PATCH] bgpd: Check mandatory attributes more carefully for UPDATE
|
||||
message
|
||||
|
||||
If we send a crafted BGP UPDATE message without mandatory attributes, we do
|
||||
not check if the length of the path attributes is zero or not. We only check
|
||||
if attr->flag is at least set or not. Imagine we send only unknown transit
|
||||
attribute, then attr->flag is always 0. Also, this is true only if graceful-restart
|
||||
capability is received.
|
||||
|
||||
Reported-by: Iggy Frankovic <iggyfran@amazon.com>
|
||||
Signed-off-by: Donatas Abraitis <donatas@opensourcerouting.org>
|
||||
---
|
||||
bgpd/bgp_attr.c | 10 ++++++----
|
||||
1 file changed, 6 insertions(+), 4 deletions(-)
|
||||
|
||||
diff --git a/bgpd/bgp_attr.c b/bgpd/bgp_attr.c
|
||||
index 26fd3de..bcc4424 100644
|
||||
--- a/bgpd/bgp_attr.c
|
||||
+++ b/bgpd/bgp_attr.c
|
||||
@@ -3400,7 +3400,8 @@ bgp_attr_unknown(struct bgp_attr_parser_args *args)
|
||||
}
|
||||
|
||||
/* Well-known attribute check. */
|
||||
-static int bgp_attr_check(struct peer *peer, struct attr *attr)
|
||||
+static int bgp_attr_check(struct peer *peer, struct attr *attr,
|
||||
+ bgp_size_t length)
|
||||
{
|
||||
uint8_t type = 0;
|
||||
|
||||
@@ -3409,7 +3410,8 @@ static int bgp_attr_check(struct peer *peer, struct attr *attr)
|
||||
* we will pass it to be processed as a normal UPDATE without mandatory
|
||||
* attributes, that could lead to harmful behavior.
|
||||
*/
|
||||
- if (CHECK_FLAG(peer->cap, PEER_CAP_RESTART_RCV) && !attr->flag)
|
||||
+ if (CHECK_FLAG(peer->cap, PEER_CAP_RESTART_RCV) && !attr->flag &&
|
||||
+ !length)
|
||||
return BGP_ATTR_PARSE_WITHDRAW;
|
||||
|
||||
if (!CHECK_FLAG(attr->flag, ATTR_FLAG_BIT(BGP_ATTR_ORIGIN)))
|
||||
@@ -3462,7 +3464,7 @@ enum bgp_attr_parse_ret bgp_attr_parse(struct peer *peer, struct attr *attr,
|
||||
bgp_attr_parse_ret_t ret;
|
||||
uint8_t flag = 0;
|
||||
uint8_t type = 0;
|
||||
- bgp_size_t length;
|
||||
+ bgp_size_t length = 0;
|
||||
uint8_t *startp, *endp;
|
||||
uint8_t *attr_endp;
|
||||
uint8_t seen[BGP_ATTR_BITMAP_SIZE];
|
||||
@@ -3216,7 +3218,7 @@ bgp_attr_parse_ret_t bgp_attr_parse(struct peer *peer, struct attr *attr,
|
||||
}
|
||||
|
||||
/* Check all mandatory well-known attributes are present */
|
||||
- if ((ret = bgp_attr_check(peer, attr)) < 0)
|
||||
+ if ((ret = bgp_attr_check(peer, attr, length)) < 0)
|
||||
goto done;
|
||||
|
||||
/*
|
||||
6
frr.spec
6
frr.spec
@ -7,7 +7,7 @@
|
||||
|
||||
Name: frr
|
||||
Version: 7.5.1
|
||||
Release: 18%{?checkout}%{?dist}
|
||||
Release: 19%{?checkout}%{?dist}
|
||||
Summary: Routing daemon
|
||||
License: GPLv2+
|
||||
URL: http://www.frrouting.org
|
||||
@ -63,6 +63,7 @@ Patch0020: 0020-CVE-2023-47234.patch
|
||||
Patch0021: 0021-CVE-2023-47235.patch
|
||||
Patch0022: 0022-route-map-event.patch
|
||||
Patch0023: 0023-CVE-2023-46752.patch
|
||||
Patch0024: 0024-CVE-2023-46753.patch
|
||||
|
||||
%description
|
||||
FRRouting is free software that manages TCP/IP based routing protocols. It takes
|
||||
@ -283,6 +284,9 @@ make check PYTHON=%{__python3}
|
||||
%endif
|
||||
|
||||
%changelog
|
||||
* Mon Feb 05 2024 Michal Ruprich <mruprich@redhat.com> - 7.5.1-19
|
||||
- Resolves: RHEL-14824 - crafted BGP UPDATE message leading to a crash
|
||||
|
||||
* Mon Feb 05 2024 Michal Ruprich <mruprich@redhat.com> - 7.5.1-18
|
||||
- Resolves: RHEL-14821 - mishandled malformed data leading to a crash
|
||||
|
||||
|
||||
Loading…
Reference in New Issue
Block a user