- Fix CVE-2023-38802
This commit is contained in:
parent
5874d72bc1
commit
7599d0ae96
128
SOURCES/0010-CVE-2023-38802.patch
Normal file
128
SOURCES/0010-CVE-2023-38802.patch
Normal file
@ -0,0 +1,128 @@
|
|||||||
|
From bcb6b58d9530173df41d3a3cbc4c600ee0b4b186 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Donatas Abraitis <donatas@opensourcerouting.org>
|
||||||
|
Date: Thu, 13 Jul 2023 22:32:03 +0300
|
||||||
|
Subject: [PATCH] bgpd: Use treat-as-withdraw for tunnel encapsulation
|
||||||
|
attribute
|
||||||
|
|
||||||
|
Before this path we used session reset method, which is discouraged by rfc7606.
|
||||||
|
|
||||||
|
Handle this as rfc requires.
|
||||||
|
|
||||||
|
Signed-off-by: Donatas Abraitis <donatas@opensourcerouting.org>
|
||||||
|
---
|
||||||
|
bgpd/bgp_attr.c | 61 ++++++++++++++++++++-----------------------------
|
||||||
|
1 file changed, 25 insertions(+), 36 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/bgpd/bgp_attr.c b/bgpd/bgp_attr.c
|
||||||
|
index dcf0f4d47cfb..8c53191d680f 100644
|
||||||
|
--- a/bgpd/bgp_attr.c
|
||||||
|
+++ b/bgpd/bgp_attr.c
|
||||||
|
@@ -1301,6 +1301,7 @@ bgp_attr_malformed(struct bgp_attr_parser_args *args, uint8_t subcode,
|
||||||
|
case BGP_ATTR_LARGE_COMMUNITIES:
|
||||||
|
case BGP_ATTR_ORIGINATOR_ID:
|
||||||
|
case BGP_ATTR_CLUSTER_LIST:
|
||||||
|
+ case BGP_ATTR_ENCAP:
|
||||||
|
return BGP_ATTR_PARSE_WITHDRAW;
|
||||||
|
case BGP_ATTR_MP_REACH_NLRI:
|
||||||
|
case BGP_ATTR_MP_UNREACH_NLRI:
|
||||||
|
@@ -2434,26 +2435,21 @@ bgp_attr_ipv6_ext_communities(struct bgp_attr_parser_args *args)
|
||||||
|
}
|
||||||
|
|
||||||
|
/* Parse Tunnel Encap attribute in an UPDATE */
|
||||||
|
-static int bgp_attr_encap(uint8_t type, struct peer *peer, /* IN */
|
||||||
|
- bgp_size_t length, /* IN: attr's length field */
|
||||||
|
- struct attr *attr, /* IN: caller already allocated */
|
||||||
|
- uint8_t flag, /* IN: attr's flags field */
|
||||||
|
- uint8_t *startp)
|
||||||
|
+static int bgp_attr_encap(struct bgp_attr_parser_args *args)
|
||||||
|
{
|
||||||
|
- bgp_size_t total;
|
||||||
|
uint16_t tunneltype = 0;
|
||||||
|
-
|
||||||
|
- total = length + (CHECK_FLAG(flag, BGP_ATTR_FLAG_EXTLEN) ? 4 : 3);
|
||||||
|
+ struct peer *const peer = args->peer;
|
||||||
|
+ struct attr *const attr = args->attr;
|
||||||
|
+ bgp_size_t length = args->length;
|
||||||
|
+ uint8_t type = args->type;
|
||||||
|
+ uint8_t flag = args->flags;
|
||||||
|
|
||||||
|
if (!CHECK_FLAG(flag, BGP_ATTR_FLAG_TRANS)
|
||||||
|
|| !CHECK_FLAG(flag, BGP_ATTR_FLAG_OPTIONAL)) {
|
||||||
|
- zlog_info(
|
||||||
|
- "Tunnel Encap attribute flag isn't optional and transitive %d",
|
||||||
|
- flag);
|
||||||
|
- bgp_notify_send_with_data(peer, BGP_NOTIFY_UPDATE_ERR,
|
||||||
|
- BGP_NOTIFY_UPDATE_ATTR_FLAG_ERR,
|
||||||
|
- startp, total);
|
||||||
|
- return -1;
|
||||||
|
+ zlog_err("Tunnel Encap attribute flag isn't optional and transitive %d",
|
||||||
|
+ flag);
|
||||||
|
+ return bgp_attr_malformed(args, BGP_NOTIFY_UPDATE_OPT_ATTR_ERR,
|
||||||
|
+ args->total);
|
||||||
|
}
|
||||||
|
|
||||||
|
if (BGP_ATTR_ENCAP == type) {
|
||||||
|
@@ -2461,12 +2457,11 @@ static int bgp_attr_encap(uint8_t type, struct peer *peer, /* IN */
|
||||||
|
uint16_t tlv_length;
|
||||||
|
|
||||||
|
if (length < 4) {
|
||||||
|
- zlog_info(
|
||||||
|
+ zlog_err(
|
||||||
|
"Tunnel Encap attribute not long enough to contain outer T,L");
|
||||||
|
- bgp_notify_send_with_data(
|
||||||
|
- peer, BGP_NOTIFY_UPDATE_ERR,
|
||||||
|
- BGP_NOTIFY_UPDATE_OPT_ATTR_ERR, startp, total);
|
||||||
|
- return -1;
|
||||||
|
+ return bgp_attr_malformed(args,
|
||||||
|
+ BGP_NOTIFY_UPDATE_OPT_ATTR_ERR,
|
||||||
|
+ args->total);
|
||||||
|
}
|
||||||
|
tunneltype = stream_getw(BGP_INPUT(peer));
|
||||||
|
tlv_length = stream_getw(BGP_INPUT(peer));
|
||||||
|
@@ -2496,13 +2491,11 @@ static int bgp_attr_encap(uint8_t type, struct peer *peer, /* IN */
|
||||||
|
}
|
||||||
|
|
||||||
|
if (sublength > length) {
|
||||||
|
- zlog_info(
|
||||||
|
- "Tunnel Encap attribute sub-tlv length %d exceeds remaining length %d",
|
||||||
|
- sublength, length);
|
||||||
|
- bgp_notify_send_with_data(
|
||||||
|
- peer, BGP_NOTIFY_UPDATE_ERR,
|
||||||
|
- BGP_NOTIFY_UPDATE_OPT_ATTR_ERR, startp, total);
|
||||||
|
- return -1;
|
||||||
|
+ zlog_err("Tunnel Encap attribute sub-tlv length %d exceeds remaining length %d",
|
||||||
|
+ sublength, length);
|
||||||
|
+ return bgp_attr_malformed(args,
|
||||||
|
+ BGP_NOTIFY_UPDATE_OPT_ATTR_ERR,
|
||||||
|
+ args->total);
|
||||||
|
}
|
||||||
|
|
||||||
|
/* alloc and copy sub-tlv */
|
||||||
|
@@ -2550,13 +2543,10 @@ static int bgp_attr_encap(uint8_t type, struct peer *peer, /* IN */
|
||||||
|
|
||||||
|
if (length) {
|
||||||
|
/* spurious leftover data */
|
||||||
|
- zlog_info(
|
||||||
|
- "Tunnel Encap attribute length is bad: %d leftover octets",
|
||||||
|
- length);
|
||||||
|
- bgp_notify_send_with_data(peer, BGP_NOTIFY_UPDATE_ERR,
|
||||||
|
- BGP_NOTIFY_UPDATE_OPT_ATTR_ERR,
|
||||||
|
- startp, total);
|
||||||
|
- return -1;
|
||||||
|
+ zlog_err("Tunnel Encap attribute length is bad: %d leftover octets",
|
||||||
|
+ length);
|
||||||
|
+ return bgp_attr_malformed(args, BGP_NOTIFY_UPDATE_OPT_ATTR_ERR,
|
||||||
|
+ args->total);
|
||||||
|
}
|
||||||
|
|
||||||
|
return 0;
|
||||||
|
@@ -3396,8 +3386,7 @@ enum bgp_attr_parse_ret bgp_attr_parse(struct peer *peer, struct attr *attr,
|
||||||
|
case BGP_ATTR_VNC:
|
||||||
|
#endif
|
||||||
|
case BGP_ATTR_ENCAP:
|
||||||
|
- ret = bgp_attr_encap(type, peer, length, attr, flag,
|
||||||
|
- startp);
|
||||||
|
+ ret = bgp_attr_encap(&attr_args);
|
||||||
|
break;
|
||||||
|
case BGP_ATTR_PREFIX_SID:
|
||||||
|
ret = bgp_attr_prefix_sid(&attr_args);
|
@ -7,7 +7,7 @@
|
|||||||
|
|
||||||
Name: frr
|
Name: frr
|
||||||
Version: 8.3.1
|
Version: 8.3.1
|
||||||
Release: 5%{?checkout}%{?dist}.1.alma
|
Release: 5%{?checkout}%{?dist}.2.alma
|
||||||
Summary: Routing daemon
|
Summary: Routing daemon
|
||||||
License: GPLv2+
|
License: GPLv2+
|
||||||
URL: http://www.frrouting.org
|
URL: http://www.frrouting.org
|
||||||
@ -71,9 +71,11 @@ Patch0005: 0005-ospf-api.patch
|
|||||||
Patch0006: 0006-graceful-restart.patch
|
Patch0006: 0006-graceful-restart.patch
|
||||||
Patch0007: 0007-cve-2022-37032.patch
|
Patch0007: 0007-cve-2022-37032.patch
|
||||||
Patch0008: 0008-frr-non-root-user.patch
|
Patch0008: 0008-frr-non-root-user.patch
|
||||||
# Patch was taken from upstream:
|
# Patches were taken from upstream and modified to apply cleanly:
|
||||||
# https://gitlab.com/redhat/centos-stream/rpms/frr/-/commit/4fbe36d12fc27a0f8eada5c14a4ab434ab0b9af8
|
# https://gitlab.com/redhat/centos-stream/rpms/frr/-/commit/4fbe36d12fc27a0f8eada5c14a4ab434ab0b9af8
|
||||||
Patch0009: 0009-bfd-not-working-in-vrf.patch
|
Patch0009: 0009-bfd-not-working-in-vrf.patch
|
||||||
|
# https://github.com/FRRouting/frr/pull/14290/commits/bcb6b58d9530173df41d3a3cbc4c600ee0b4b186
|
||||||
|
Patch0010: 0010-CVE-2023-38802.patch
|
||||||
|
|
||||||
%description
|
%description
|
||||||
FRRouting is free software that manages TCP/IP based routing protocols. It takes
|
FRRouting is free software that manages TCP/IP based routing protocols. It takes
|
||||||
@ -279,6 +281,9 @@ make check PYTHON=%{__python3}
|
|||||||
%endif
|
%endif
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Tue Sep 19 2023 Eduard Abdullin <eabdullin@almalinux.org> - 8.3.1-5.2.alma
|
||||||
|
- Fix CVE-2023-38802
|
||||||
|
|
||||||
* Wed Aug 02 2023 Eduard Abdullin <eabdullin@almalinux.org> - 8.3.1-5.1.alma
|
* Wed Aug 02 2023 Eduard Abdullin <eabdullin@almalinux.org> - 8.3.1-5.1.alma
|
||||||
- Apply 0009-bfd-not-working-in-vrf.patch
|
- Apply 0009-bfd-not-working-in-vrf.patch
|
||||||
|
|
||||||
|
Loading…
Reference in New Issue
Block a user