import CS frr-8.5.3-4.el9
This commit is contained in:
parent
6b509fffb3
commit
7d0d7b067a
@ -1 +1 @@
|
||||
467835eb73a6018948fd667663ce68282cf6d16b SOURCES/frr-8.3.1.tar.gz
|
||||
5f46099a744058de374dbbf5240d1c4292a143f2 SOURCES/frr-8.5.3.tar.gz
|
||||
|
2
.gitignore
vendored
2
.gitignore
vendored
@ -1 +1 @@
|
||||
SOURCES/frr-8.3.1.tar.gz
|
||||
SOURCES/frr-8.5.3.tar.gz
|
||||
|
@ -28,13 +28,13 @@ index 5be3264..33abc1d 100644
|
||||
nhrpd/Makefile \
|
||||
ospf6d/Makefile \
|
||||
diff --git a/tools/etc/frr/daemons b/tools/etc/frr/daemons
|
||||
index f6d512b..6d4831d 100644
|
||||
index 8aa0887..c92dcca 100644
|
||||
--- a/tools/etc/frr/daemons
|
||||
+++ b/tools/etc/frr/daemons
|
||||
@@ -21,10 +21,8 @@ ripd=no
|
||||
ripngd=no
|
||||
@@ -22,10 +22,8 @@ ripngd=no
|
||||
isisd=no
|
||||
pimd=no
|
||||
pim6d=no
|
||||
-ldpd=no
|
||||
nhrpd=no
|
||||
eigrpd=no
|
||||
@ -42,10 +42,10 @@ index f6d512b..6d4831d 100644
|
||||
sharpd=no
|
||||
pbrd=no
|
||||
bfdd=no
|
||||
@@ -45,10 +43,8 @@ ripd_options=" -A 127.0.0.1"
|
||||
ripngd_options=" -A ::1"
|
||||
@@ -48,10 +46,8 @@ ripngd_options=" -A ::1"
|
||||
isisd_options=" -A 127.0.0.1"
|
||||
pimd_options=" -A 127.0.0.1"
|
||||
pim6d_options=" -A ::1"
|
||||
-ldpd_options=" -A 127.0.0.1"
|
||||
nhrpd_options=" -A 127.0.0.1"
|
||||
eigrpd_options=" -A 127.0.0.1"
|
||||
|
@ -111,5 +111,5 @@ index 53ae5b4..930307f 100644
|
||||
#include <openssl/hmac.h>
|
||||
+#include <openssl/fips.h>
|
||||
#endif
|
||||
|
||||
|
||||
#include "openbsd-tree.h"
|
||||
|
110
SOURCES/0005-CVE-2023-47235.patch
Normal file
110
SOURCES/0005-CVE-2023-47235.patch
Normal file
@ -0,0 +1,110 @@
|
||||
From 71422bfe269e34b69d78f9fb02f30426f2fdef48 Mon Sep 17 00:00:00 2001
|
||||
From: rpm-build <rpm-build>
|
||||
Date: Wed, 13 Dec 2023 16:59:46 +0100
|
||||
Subject: [PATCH] bgpd: Treat EOR as withdrawn to avoid unwanted handling of
|
||||
malformed attrs
|
||||
|
||||
Treat-as-withdraw, otherwise if we just ignore it, we will pass it to be
|
||||
processed as a normal UPDATE without mandatory attributes, that could lead
|
||||
to harmful behavior. In this case, a crash for route-maps with the configuration
|
||||
such as:
|
||||
|
||||
```
|
||||
router bgp 65001
|
||||
no bgp ebgp-requires-policy
|
||||
neighbor 127.0.0.1 remote-as external
|
||||
neighbor 127.0.0.1 passive
|
||||
neighbor 127.0.0.1 ebgp-multihop
|
||||
neighbor 127.0.0.1 disable-connected-check
|
||||
neighbor 127.0.0.1 update-source 127.0.0.2
|
||||
neighbor 127.0.0.1 timers 3 90
|
||||
neighbor 127.0.0.1 timers connect 1
|
||||
!
|
||||
address-family ipv4 unicast
|
||||
neighbor 127.0.0.1 addpath-tx-all-paths
|
||||
neighbor 127.0.0.1 default-originate
|
||||
neighbor 127.0.0.1 route-map RM_IN in
|
||||
exit-address-family
|
||||
exit
|
||||
!
|
||||
route-map RM_IN permit 10
|
||||
set as-path prepend 200
|
||||
exit
|
||||
```
|
||||
|
||||
Send a malformed optional transitive attribute:
|
||||
|
||||
```
|
||||
import socket
|
||||
import time
|
||||
|
||||
OPEN = (b"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff"
|
||||
b"\xff\xff\x00\x62\x01\x04\xfd\xea\x00\x5a\x0a\x00\x00\x01\x45\x02"
|
||||
b"\x06\x01\x04\x00\x01\x00\x01\x02\x02\x02\x00\x02\x02\x46\x00\x02"
|
||||
b"\x06\x41\x04\x00\x00\xfd\xea\x02\x02\x06\x00\x02\x06\x45\x04\x00"
|
||||
b"\x01\x01\x03\x02\x0e\x49\x0c\x0a\x64\x6f\x6e\x61\x74\x61\x73\x2d"
|
||||
b"\x70\x63\x00\x02\x04\x40\x02\x00\x78\x02\x09\x47\x07\x00\x01\x01"
|
||||
b"\x80\x00\x00\x00")
|
||||
|
||||
KEEPALIVE = (b"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff"
|
||||
b"\xff\xff\xff\xff\xff\xff\x00\x13\x04")
|
||||
|
||||
UPDATE = bytearray.fromhex("ffffffffffffffffffffffffffffffff002b0200000003c0ff00010100eb00ac100b0b001ad908ac100b0b")
|
||||
|
||||
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
|
||||
s.connect(('127.0.0.2', 179))
|
||||
s.send(OPEN)
|
||||
data = s.recv(1024)
|
||||
s.send(KEEPALIVE)
|
||||
data = s.recv(1024)
|
||||
s.send(UPDATE)
|
||||
data = s.recv(1024)
|
||||
time.sleep(100)
|
||||
s.close()
|
||||
```
|
||||
|
||||
Reported-by: Iggy Frankovic <iggyfran@amazon.com>
|
||||
Signed-off-by: Donatas Abraitis <donatas@opensourcerouting.org>
|
||||
|
||||
(cherry picked from commit 6814f2e0138a6ea5e1f83bdd9085d9a77999900b)
|
||||
---
|
||||
bgpd/bgp_attr.c | 15 ++++++++++++---
|
||||
1 file changed, 12 insertions(+), 3 deletions(-)
|
||||
|
||||
diff --git a/bgpd/bgp_attr.c b/bgpd/bgp_attr.c
|
||||
index a121911..12a6953 100644
|
||||
--- a/bgpd/bgp_attr.c
|
||||
+++ b/bgpd/bgp_attr.c
|
||||
@@ -3079,9 +3079,12 @@ static int bgp_attr_check(struct peer *peer, struct attr *attr)
|
||||
uint8_t type = 0;
|
||||
|
||||
/* BGP Graceful-Restart End-of-RIB for IPv4 unicast is signaled as an
|
||||
- * empty UPDATE. */
|
||||
+ * empty UPDATE. Treat-as-withdraw, otherwise if we just ignore it,
|
||||
+ * we will pass it to be processed as a normal UPDATE without mandatory
|
||||
+ * attributes, that could lead to harmful behavior.
|
||||
+ */
|
||||
if (CHECK_FLAG(peer->cap, PEER_CAP_RESTART_RCV) && !attr->flag)
|
||||
- return BGP_ATTR_PARSE_PROCEED;
|
||||
+ return BGP_ATTR_PARSE_WITHDRAW;
|
||||
|
||||
/* "An UPDATE message that contains the MP_UNREACH_NLRI is not required
|
||||
to carry any other path attributes.", though if MP_REACH_NLRI or NLRI
|
||||
@@ -3507,7 +3510,13 @@ done:
|
||||
aspath_unintern(&as4_path);
|
||||
|
||||
transit = bgp_attr_get_transit(attr);
|
||||
- if (ret != BGP_ATTR_PARSE_ERROR) {
|
||||
+ /* If we received an UPDATE with mandatory attributes, then
|
||||
+ * the unrecognized transitive optional attribute of that
|
||||
+ * path MUST be passed. Otherwise, it's an error, and from
|
||||
+ * security perspective it might be very harmful if we continue
|
||||
+ * here with the unrecognized attributes.
|
||||
+ */
|
||||
+ if (ret == BGP_ATTR_PARSE_PROCEED) {
|
||||
/* Finally intern unknown attribute. */
|
||||
if (transit)
|
||||
bgp_attr_set_transit(attr, transit_intern(transit));
|
||||
--
|
||||
2.43.0
|
||||
|
@ -1,25 +0,0 @@
|
||||
diff --git a/ospfd/ospf_spf.c b/ospfd/ospf_spf.c
|
||||
index 74a5674..aec9037 100644
|
||||
--- a/ospfd/ospf_spf.c
|
||||
+++ b/ospfd/ospf_spf.c
|
||||
@@ -48,7 +48,10 @@
|
||||
#include "ospfd/ospf_sr.h"
|
||||
#include "ospfd/ospf_ti_lfa.h"
|
||||
#include "ospfd/ospf_errors.h"
|
||||
+
|
||||
+#ifdef SUPPORT_OSPF_API
|
||||
#include "ospfd/ospf_apiserver.h"
|
||||
+#endif
|
||||
|
||||
/* Variables to ensure a SPF scheduled log message is printed only once */
|
||||
|
||||
@@ -1897,7 +1900,9 @@ static void ospf_spf_calculate_schedule_worker(struct thread *thread)
|
||||
/* Update all routers routing table */
|
||||
ospf->oall_rtrs = ospf->all_rtrs;
|
||||
ospf->all_rtrs = all_rtrs;
|
||||
+#ifdef SUPPORT_OSPF_API
|
||||
ospf_apiserver_notify_reachable(ospf->oall_rtrs, ospf->all_rtrs);
|
||||
+#endif
|
||||
|
||||
/* Free old ABR/ASBR routing table */
|
||||
if (ospf->old_rtrs)
|
95
SOURCES/0006-CVE-2023-47234.patch
Normal file
95
SOURCES/0006-CVE-2023-47234.patch
Normal file
@ -0,0 +1,95 @@
|
||||
From 7fe95b24333cceb6cd04595694cd502fcd3666f6 Mon Sep 17 00:00:00 2001
|
||||
From: rpm-build <rpm-build>
|
||||
Date: Wed, 13 Dec 2023 18:25:48 +0100
|
||||
Subject: [PATCH] bgpd: Ignore handling NLRIs if we received MP_UNREACH_NLRI
|
||||
|
||||
If we receive MP_UNREACH_NLRI, we should stop handling remaining NLRIs if
|
||||
no mandatory path attributes received.
|
||||
|
||||
In other words, if MP_UNREACH_NLRI received, the remaining NLRIs should be handled
|
||||
as a new data, but without mandatory attributes, it's a malformed packet.
|
||||
|
||||
In normal case, this MUST not happen at all, but to avoid crashing bgpd, we MUST
|
||||
handle that.
|
||||
|
||||
Reported-by: Iggy Frankovic <iggyfran@amazon.com>
|
||||
Signed-off-by: Donatas Abraitis <donatas@opensourcerouting.org>
|
||||
Signed-off-by: Christian Breunig <christian@breunig.cc>
|
||||
|
||||
(cherry picked from commit c37119df45bbf4ef713bc10475af2ee06e12f3bf)
|
||||
---
|
||||
bgpd/bgp_attr.c | 19 ++++++++++---------
|
||||
bgpd/bgp_attr.h | 1 +
|
||||
bgpd/bgp_packet.c | 7 ++++++-
|
||||
3 files changed, 17 insertions(+), 10 deletions(-)
|
||||
|
||||
diff --git a/bgpd/bgp_attr.c b/bgpd/bgp_attr.c
|
||||
index 12a6953..8b02f2c 100644
|
||||
--- a/bgpd/bgp_attr.c
|
||||
+++ b/bgpd/bgp_attr.c
|
||||
@@ -3086,15 +3086,6 @@ static int bgp_attr_check(struct peer *peer, struct attr *attr)
|
||||
if (CHECK_FLAG(peer->cap, PEER_CAP_RESTART_RCV) && !attr->flag)
|
||||
return BGP_ATTR_PARSE_WITHDRAW;
|
||||
|
||||
- /* "An UPDATE message that contains the MP_UNREACH_NLRI is not required
|
||||
- to carry any other path attributes.", though if MP_REACH_NLRI or NLRI
|
||||
- are present, it should. Check for any other attribute being present
|
||||
- instead.
|
||||
- */
|
||||
- if ((!CHECK_FLAG(attr->flag, ATTR_FLAG_BIT(BGP_ATTR_MP_REACH_NLRI)) &&
|
||||
- CHECK_FLAG(attr->flag, ATTR_FLAG_BIT(BGP_ATTR_MP_UNREACH_NLRI))))
|
||||
- return BGP_ATTR_PARSE_PROCEED;
|
||||
-
|
||||
if (!CHECK_FLAG(attr->flag, ATTR_FLAG_BIT(BGP_ATTR_ORIGIN)))
|
||||
type = BGP_ATTR_ORIGIN;
|
||||
|
||||
@@ -3113,6 +3104,16 @@ static int bgp_attr_check(struct peer *peer, struct attr *attr)
|
||||
&& !CHECK_FLAG(attr->flag, ATTR_FLAG_BIT(BGP_ATTR_LOCAL_PREF)))
|
||||
type = BGP_ATTR_LOCAL_PREF;
|
||||
|
||||
+ /* An UPDATE message that contains the MP_UNREACH_NLRI is not required
|
||||
+ * to carry any other path attributes. Though if MP_REACH_NLRI or NLRI
|
||||
+ * are present, it should. Check for any other attribute being present
|
||||
+ * instead.
|
||||
+ */
|
||||
+ if (!CHECK_FLAG(attr->flag, ATTR_FLAG_BIT(BGP_ATTR_MP_REACH_NLRI)) &&
|
||||
+ CHECK_FLAG(attr->flag, ATTR_FLAG_BIT(BGP_ATTR_MP_UNREACH_NLRI)))
|
||||
+ return type ? BGP_ATTR_PARSE_MISSING_MANDATORY
|
||||
+ : BGP_ATTR_PARSE_PROCEED;
|
||||
+
|
||||
/* If any of the well-known mandatory attributes are not present
|
||||
* in an UPDATE message, then "treat-as-withdraw" MUST be used.
|
||||
*/
|
||||
diff --git a/bgpd/bgp_attr.h b/bgpd/bgp_attr.h
|
||||
index 06f350b..b9dfec9 100644
|
||||
--- a/bgpd/bgp_attr.h
|
||||
+++ b/bgpd/bgp_attr.h
|
||||
@@ -379,6 +379,7 @@ enum bgp_attr_parse_ret {
|
||||
*/
|
||||
BGP_ATTR_PARSE_ERROR_NOTIFYPLS = -3,
|
||||
BGP_ATTR_PARSE_EOR = -4,
|
||||
+ BGP_ATTR_PARSE_MISSING_MANDATORY = -5,
|
||||
};
|
||||
|
||||
struct bpacket_attr_vec_arr;
|
||||
diff --git a/bgpd/bgp_packet.c b/bgpd/bgp_packet.c
|
||||
index a5f065a..cdf0734 100644
|
||||
--- a/bgpd/bgp_packet.c
|
||||
+++ b/bgpd/bgp_packet.c
|
||||
@@ -1873,7 +1873,12 @@ static int bgp_update_receive(struct peer *peer, bgp_size_t size)
|
||||
/* Network Layer Reachability Information. */
|
||||
update_len = end - stream_pnt(s);
|
||||
|
||||
- if (update_len && attribute_len) {
|
||||
+ /* If we received MP_UNREACH_NLRI attribute, but also NLRIs, then
|
||||
+ * NLRIs should be handled as a new data. Though, if we received
|
||||
+ * NLRIs without mandatory attributes, they should be ignored.
|
||||
+ */
|
||||
+ if (update_len && attribute_len &&
|
||||
+ attr_parse_ret != BGP_ATTR_PARSE_MISSING_MANDATORY) {
|
||||
/* Set NLRI portion to structure. */
|
||||
nlris[NLRI_UPDATE].afi = AFI_IP;
|
||||
nlris[NLRI_UPDATE].safi = SAFI_UNICAST;
|
||||
--
|
||||
2.43.0
|
||||
|
@ -1,78 +0,0 @@
|
||||
From 12f9f8472d0f8cfc026352906b8e5342df2846cc Mon Sep 17 00:00:00 2001
|
||||
From: Donatas Abraitis <donatas@opensourcerouting.org>
|
||||
Date: Tue, 27 Sep 2022 17:30:16 +0300
|
||||
Subject: [PATCH] bgpd: Do not send Deconfig/Shutdown message when restarting
|
||||
|
||||
We might disable sending unconfig/shutdown notifications when
|
||||
Graceful-Restart is enabled and negotiated.
|
||||
|
||||
Signed-off-by: Donatas Abraitis <donatas@opensourcerouting.org>
|
||||
---
|
||||
bgpd/bgpd.c | 35 ++++++++++++++++++++++++++---------
|
||||
1 file changed, 26 insertions(+), 9 deletions(-)
|
||||
|
||||
diff --git a/bgpd/bgpd.c b/bgpd/bgpd.c
|
||||
index 749e46ebe9d..ae1308db423 100644
|
||||
--- a/bgpd/bgpd.c
|
||||
+++ b/bgpd/bgpd.c
|
||||
@@ -2755,11 +2755,34 @@ int peer_group_remote_as(struct bgp *bgp, const char *group_name, as_t *as,
|
||||
|
||||
void peer_notify_unconfig(struct peer *peer)
|
||||
{
|
||||
+ if (BGP_PEER_GRACEFUL_RESTART_CAPABLE(peer)) {
|
||||
+ if (bgp_debug_neighbor_events(peer))
|
||||
+ zlog_debug(
|
||||
+ "%pBP configured Graceful-Restart, skipping unconfig notification",
|
||||
+ peer);
|
||||
+ return;
|
||||
+ }
|
||||
+
|
||||
if (BGP_IS_VALID_STATE_FOR_NOTIF(peer->status))
|
||||
bgp_notify_send(peer, BGP_NOTIFY_CEASE,
|
||||
BGP_NOTIFY_CEASE_PEER_UNCONFIG);
|
||||
}
|
||||
|
||||
+static void peer_notify_shutdown(struct peer *peer)
|
||||
+{
|
||||
+ if (BGP_PEER_GRACEFUL_RESTART_CAPABLE(peer)) {
|
||||
+ if (bgp_debug_neighbor_events(peer))
|
||||
+ zlog_debug(
|
||||
+ "%pBP configured Graceful-Restart, skipping shutdown notification",
|
||||
+ peer);
|
||||
+ return;
|
||||
+ }
|
||||
+
|
||||
+ if (BGP_IS_VALID_STATE_FOR_NOTIF(peer->status))
|
||||
+ bgp_notify_send(peer, BGP_NOTIFY_CEASE,
|
||||
+ BGP_NOTIFY_CEASE_ADMIN_SHUTDOWN);
|
||||
+}
|
||||
+
|
||||
void peer_group_notify_unconfig(struct peer_group *group)
|
||||
{
|
||||
struct peer *peer, *other;
|
||||
@@ -3676,11 +3699,8 @@ int bgp_delete(struct bgp *bgp)
|
||||
}
|
||||
|
||||
/* Inform peers we're going down. */
|
||||
- for (ALL_LIST_ELEMENTS(bgp->peer, node, next, peer)) {
|
||||
- if (BGP_IS_VALID_STATE_FOR_NOTIF(peer->status))
|
||||
- bgp_notify_send(peer, BGP_NOTIFY_CEASE,
|
||||
- BGP_NOTIFY_CEASE_ADMIN_SHUTDOWN);
|
||||
- }
|
||||
+ for (ALL_LIST_ELEMENTS(bgp->peer, node, next, peer))
|
||||
+ peer_notify_shutdown(peer);
|
||||
|
||||
/* Delete static routes (networks). */
|
||||
bgp_static_delete(bgp);
|
||||
@@ -8252,10 +8272,7 @@ void bgp_terminate(void)
|
||||
|
||||
for (ALL_LIST_ELEMENTS(bm->bgp, mnode, mnnode, bgp))
|
||||
for (ALL_LIST_ELEMENTS(bgp->peer, node, nnode, peer))
|
||||
- if (peer_established(peer) || peer->status == OpenSent
|
||||
- || peer->status == OpenConfirm)
|
||||
- bgp_notify_send(peer, BGP_NOTIFY_CEASE,
|
||||
- BGP_NOTIFY_CEASE_PEER_UNCONFIG);
|
||||
+ peer_notify_unconfig(peer);
|
||||
|
||||
BGP_TIMER_OFF(bm->t_rmap_update);
|
||||
|
76
SOURCES/0007-CVE-2023-46752.patch
Normal file
76
SOURCES/0007-CVE-2023-46752.patch
Normal file
@ -0,0 +1,76 @@
|
||||
From b08afc81c60607a4f736f418f2e3eb06087f1a35 Mon Sep 17 00:00:00 2001
|
||||
From: Donatas Abraitis <donatas@opensourcerouting.org>
|
||||
Date: Fri, 20 Oct 2023 17:49:18 +0300
|
||||
Subject: [PATCH] bgpd: Handle MP_REACH_NLRI malformed packets with session
|
||||
reset
|
||||
|
||||
Avoid crashing bgpd.
|
||||
|
||||
Reported-by: Iggy Frankovic <iggyfran@amazon.com>
|
||||
Signed-off-by: Donatas Abraitis <donatas@opensourcerouting.org>
|
||||
---
|
||||
bgpd/bgp_attr.c | 6 +-----
|
||||
bgpd/bgp_attr.h | 1 -
|
||||
bgpd/bgp_packet.c | 6 +-----
|
||||
3 files changed, 2 insertions(+), 11 deletions(-)
|
||||
|
||||
diff --git a/bgpd/bgp_attr.c b/bgpd/bgp_attr.c
|
||||
index 6925aff727e2..e7bb42a5d989 100644
|
||||
--- a/bgpd/bgp_attr.c
|
||||
+++ b/bgpd/bgp_attr.c
|
||||
@@ -2421,7 +2421,7 @@ int bgp_mp_reach_parse(struct bgp_attr_parser_args *args,
|
||||
|
||||
mp_update->afi = afi;
|
||||
mp_update->safi = safi;
|
||||
- return BGP_ATTR_PARSE_EOR;
|
||||
+ return bgp_attr_malformed(args, BGP_NOTIFY_UPDATE_MAL_ATTR, 0);
|
||||
}
|
||||
|
||||
mp_update->afi = afi;
|
||||
@@ -3759,10 +3759,6 @@ enum bgp_attr_parse_ret bgp_attr_parse(struct peer *peer, struct attr *attr,
|
||||
goto done;
|
||||
}
|
||||
|
||||
- if (ret == BGP_ATTR_PARSE_EOR) {
|
||||
- goto done;
|
||||
- }
|
||||
-
|
||||
if (ret == BGP_ATTR_PARSE_ERROR) {
|
||||
flog_warn(EC_BGP_ATTRIBUTE_PARSE_ERROR,
|
||||
"%s: Attribute %s, parse error", peer->host,
|
||||
diff --git a/bgpd/bgp_attr.h b/bgpd/bgp_attr.h
|
||||
index 961e5f122470..fc347e7a1b4b 100644
|
||||
--- a/bgpd/bgp_attr.h
|
||||
+++ b/bgpd/bgp_attr.h
|
||||
@@ -364,7 +364,6 @@ enum bgp_attr_parse_ret {
|
||||
/* only used internally, send notify + convert to BGP_ATTR_PARSE_ERROR
|
||||
*/
|
||||
BGP_ATTR_PARSE_ERROR_NOTIFYPLS = -3,
|
||||
- BGP_ATTR_PARSE_EOR = -4,
|
||||
BGP_ATTR_PARSE_MISSING_MANDATORY = -5,
|
||||
};
|
||||
|
||||
diff --git a/bgpd/bgp_packet.c b/bgpd/bgp_packet.c
|
||||
index b585591e2f69..5ecf343b6657 100644
|
||||
--- a/bgpd/bgp_packet.c
|
||||
+++ b/bgpd/bgp_packet.c
|
||||
@@ -2397,8 +2397,7 @@ static int bgp_update_receive(struct peer_connection *connection,
|
||||
* Non-MP IPv4/Unicast EoR is a completely empty UPDATE
|
||||
* and MP EoR should have only an empty MP_UNREACH
|
||||
*/
|
||||
- if ((!update_len && !withdraw_len && nlris[NLRI_MP_UPDATE].length == 0)
|
||||
- || (attr_parse_ret == BGP_ATTR_PARSE_EOR)) {
|
||||
+ if (!update_len && !withdraw_len && nlris[NLRI_MP_UPDATE].length == 0) {
|
||||
afi_t afi = 0;
|
||||
safi_t safi;
|
||||
struct graceful_restart_info *gr_info;
|
||||
@@ -2419,9 +2418,6 @@ static int bgp_update_receive(struct peer_connection *connection,
|
||||
&& nlris[NLRI_MP_WITHDRAW].length == 0) {
|
||||
afi = nlris[NLRI_MP_WITHDRAW].afi;
|
||||
safi = nlris[NLRI_MP_WITHDRAW].safi;
|
||||
- } else if (attr_parse_ret == BGP_ATTR_PARSE_EOR) {
|
||||
- afi = nlris[NLRI_MP_UPDATE].afi;
|
||||
- safi = nlris[NLRI_MP_UPDATE].safi;
|
||||
}
|
||||
|
||||
if (afi && peer->afc[afi][safi]) {
|
@ -1,32 +0,0 @@
|
||||
From ff6db1027f8f36df657ff2e5ea167773752537ed Mon Sep 17 00:00:00 2001
|
||||
From: Donald Sharp <sharpd@nvidia.com>
|
||||
Date: Thu, 21 Jul 2022 08:11:58 -0400
|
||||
Subject: [PATCH] bgpd: Make sure hdr length is at a minimum of what is
|
||||
expected
|
||||
|
||||
Ensure that if the capability length specified is enough data.
|
||||
|
||||
Signed-off-by: Donald Sharp <sharpd@nvidia.com>
|
||||
---
|
||||
bgpd/bgp_packet.c | 8 ++++++++
|
||||
1 file changed, 8 insertions(+)
|
||||
|
||||
diff --git a/bgpd/bgp_packet.c b/bgpd/bgp_packet.c
|
||||
index dbf6c0b2e99..45752a8ab6d 100644
|
||||
--- a/bgpd/bgp_packet.c
|
||||
+++ b/bgpd/bgp_packet.c
|
||||
@@ -2620,6 +2620,14 @@ static int bgp_capability_msg_parse(struct peer *peer, uint8_t *pnt,
|
||||
"%s CAPABILITY has action: %d, code: %u, length %u",
|
||||
peer->host, action, hdr->code, hdr->length);
|
||||
|
||||
+ if (hdr->length < sizeof(struct capability_mp_data)) {
|
||||
+ zlog_info(
|
||||
+ "%pBP Capability structure is not properly filled out, expected at least %zu bytes but header length specified is %d",
|
||||
+ peer, sizeof(struct capability_mp_data),
|
||||
+ hdr->length);
|
||||
+ return BGP_Stop;
|
||||
+ }
|
||||
+
|
||||
/* Capability length check. */
|
||||
if ((pnt + hdr->length + 3) > end) {
|
||||
zlog_info("%s Capability length error", peer->host);
|
60
SOURCES/0008-CVE-2023-46753.patch
Normal file
60
SOURCES/0008-CVE-2023-46753.patch
Normal file
@ -0,0 +1,60 @@
|
||||
From d8482bf011cb2b173e85b65b4bf3d5061250cdb9 Mon Sep 17 00:00:00 2001
|
||||
From: Donatas Abraitis <donatas@opensourcerouting.org>
|
||||
Date: Mon, 23 Oct 2023 23:34:10 +0300
|
||||
Subject: [PATCH] bgpd: Check mandatory attributes more carefully for UPDATE
|
||||
message
|
||||
|
||||
If we send a crafted BGP UPDATE message without mandatory attributes, we do
|
||||
not check if the length of the path attributes is zero or not. We only check
|
||||
if attr->flag is at least set or not. Imagine we send only unknown transit
|
||||
attribute, then attr->flag is always 0. Also, this is true only if graceful-restart
|
||||
capability is received.
|
||||
|
||||
Reported-by: Iggy Frankovic <iggyfran@amazon.com>
|
||||
Signed-off-by: Donatas Abraitis <donatas@opensourcerouting.org>
|
||||
---
|
||||
bgpd/bgp_attr.c | 10 ++++++----
|
||||
1 file changed, 6 insertions(+), 4 deletions(-)
|
||||
|
||||
diff --git a/bgpd/bgp_attr.c b/bgpd/bgp_attr.c
|
||||
index 26fd3de..bcc4424 100644
|
||||
--- a/bgpd/bgp_attr.c
|
||||
+++ b/bgpd/bgp_attr.c
|
||||
@@ -3400,7 +3400,8 @@ bgp_attr_unknown(struct bgp_attr_parser_args *args)
|
||||
}
|
||||
|
||||
/* Well-known attribute check. */
|
||||
-static int bgp_attr_check(struct peer *peer, struct attr *attr)
|
||||
+static int bgp_attr_check(struct peer *peer, struct attr *attr,
|
||||
+ bgp_size_t length)
|
||||
{
|
||||
uint8_t type = 0;
|
||||
|
||||
@@ -3409,7 +3410,8 @@ static int bgp_attr_check(struct peer *peer, struct attr *attr)
|
||||
* we will pass it to be processed as a normal UPDATE without mandatory
|
||||
* attributes, that could lead to harmful behavior.
|
||||
*/
|
||||
- if (CHECK_FLAG(peer->cap, PEER_CAP_RESTART_RCV) && !attr->flag)
|
||||
+ if (CHECK_FLAG(peer->cap, PEER_CAP_RESTART_RCV) && !attr->flag &&
|
||||
+ !length)
|
||||
return BGP_ATTR_PARSE_WITHDRAW;
|
||||
|
||||
if (!CHECK_FLAG(attr->flag, ATTR_FLAG_BIT(BGP_ATTR_ORIGIN)))
|
||||
@@ -3462,7 +3464,7 @@ enum bgp_attr_parse_ret bgp_attr_parse(struct peer *peer, struct attr *attr,
|
||||
enum bgp_attr_parse_ret ret;
|
||||
uint8_t flag = 0;
|
||||
uint8_t type = 0;
|
||||
- bgp_size_t length;
|
||||
+ bgp_size_t length = 0;
|
||||
uint8_t *startp, *endp;
|
||||
uint8_t *attr_endp;
|
||||
uint8_t seen[BGP_ATTR_BITMAP_SIZE];
|
||||
@@ -3785,7 +3787,7 @@ enum bgp_attr_parse_ret bgp_attr_parse(struct peer *peer, struct attr *attr,
|
||||
}
|
||||
|
||||
/* Check all mandatory well-known attributes are present */
|
||||
- ret = bgp_attr_check(peer, attr);
|
||||
+ ret = bgp_attr_check(peer, attr, length);
|
||||
if (ret < 0)
|
||||
goto done;
|
||||
|
@ -1,67 +0,0 @@
|
||||
From 1d42fb941af17a29346b2af03338f8e18470f009 Mon Sep 17 00:00:00 2001
|
||||
From: Michal Ruprich <michalruprich@gmail.com>
|
||||
Date: Tue, 22 Nov 2022 12:38:05 +0100
|
||||
Subject: [PATCH] tools: Enable start of FRR for non-root user
|
||||
|
||||
There might be use cases when this would make sense, for example
|
||||
running FRR in a container as a designated user.
|
||||
|
||||
Signed-off-by: Michal Ruprich <mruprich@redhat.com>
|
||||
---
|
||||
tools/etc/frr/daemons | 5 +++++
|
||||
tools/frrcommon.sh.in | 4 ++++
|
||||
2 files changed, 9 insertions(+)
|
||||
|
||||
diff --git a/tools/etc/frr/daemons b/tools/etc/frr/daemons
|
||||
index 8aa08871e35..2427bfff777 100644
|
||||
--- a/tools/etc/frr/daemons
|
||||
+++ b/tools/etc/frr/daemons
|
||||
@@ -91,6 +91,12 @@ pathd_options=" -A 127.0.0.1"
|
||||
# say BGP.
|
||||
#MAX_FDS=1024
|
||||
|
||||
+# Uncomment this option if you want to run FRR as a non-root user. Note that
|
||||
+# you should know what you are doing since most of the daemons need root
|
||||
+# to work. This could be useful if you want to run FRR in a container
|
||||
+# for instance.
|
||||
+# FRR_NO_ROOT="yes"
|
||||
+
|
||||
# The list of daemons to watch is automatically generated by the init script.
|
||||
#watchfrr_options=""
|
||||
|
||||
diff --git a/tools/frrcommon.sh.in b/tools/frrcommon.sh.in
|
||||
index 3c16c27c6df..4f095a176e4 100755
|
||||
--- a/tools/frrcommon.sh.in
|
||||
+++ b/tools/frrcommon.sh.in
|
||||
@@ -43,6 +43,10 @@ RELOAD_SCRIPT="$D_PATH/frr-reload.py"
|
||||
#
|
||||
|
||||
is_user_root () {
|
||||
+ if [[ ! -z $FRR_NO_ROOT && "${FRR_NO_ROOT}" == "yes" ]]; then
|
||||
+ return 0
|
||||
+ fi
|
||||
+
|
||||
[ "${EUID:-$(id -u)}" -eq 0 ] || {
|
||||
log_failure_msg "Only users having EUID=0 can start/stop daemons"
|
||||
return 1
|
||||
diff --git a/doc/user/setup.rst b/doc/user/setup.rst
|
||||
index 25934df..51ffd32 100644
|
||||
--- a/doc/user/setup.rst
|
||||
+++ b/doc/user/setup.rst
|
||||
@@ -114,6 +114,16 @@ most operating systems is 1024. If the operator plans to run bgp with
|
||||
several thousands of peers than this is where we would modify FRR to
|
||||
allow this to happen.
|
||||
|
||||
+::
|
||||
+
|
||||
+ FRR_NO_ROOT="yes"
|
||||
+
|
||||
+This option allows you to run FRR as a non-root user. Use this option
|
||||
+only when you know what you are doing since most of the daemons
|
||||
+in FRR will not be able to run under a regular user. This option
|
||||
+is useful for example when you run FRR in a container with a designated
|
||||
+user instead of root.
|
||||
+
|
||||
::
|
||||
|
||||
zebra_options=" -s 90000000 --daemon -A 127.0.0.1"
|
@ -1,59 +0,0 @@
|
||||
From 3e46b43e3788f0f87bae56a86b54d412b4710286 Mon Sep 17 00:00:00 2001
|
||||
From: Donald Sharp <sharpd@nvidia.com>
|
||||
Date: Fri, 30 Sep 2022 08:51:45 -0400
|
||||
Subject: [PATCH] bgpd: Ensure FRR has enough data to read 2 bytes in
|
||||
peek_for_as4_capability
|
||||
|
||||
In peek_for_as4_capability the code is checking that the
|
||||
stream has at least 2 bytes to read ( the opt_type and the
|
||||
opt_length ). However if BGP_OPEN_EXT_OPT_PARAMS_CAPABLE(peer)
|
||||
is configured then FRR is reading 3 bytes. Which is not good
|
||||
since the packet could be badly formated. Ensure that
|
||||
FRR has the appropriate data length to read the data.
|
||||
|
||||
Signed-off-by: Donald Sharp <sharpd@nvidia.com>
|
||||
---
|
||||
bgpd/bgp_open.c | 27 +++++++++++++++++++++------
|
||||
1 file changed, 21 insertions(+), 6 deletions(-)
|
||||
|
||||
diff --git a/bgpd/bgp_open.c b/bgpd/bgp_open.c
|
||||
index 7248f034a5a..a760a7ca013 100644
|
||||
--- a/bgpd/bgp_open.c
|
||||
+++ b/bgpd/bgp_open.c
|
||||
@@ -1185,15 +1185,30 @@ as_t peek_for_as4_capability(struct peer *peer, uint16_t length)
|
||||
uint8_t opt_type;
|
||||
uint16_t opt_length;
|
||||
|
||||
- /* Check the length. */
|
||||
- if (stream_get_getp(s) + 2 > end)
|
||||
+ /* Ensure we can read the option type */
|
||||
+ if (stream_get_getp(s) + 1 > end)
|
||||
goto end;
|
||||
|
||||
- /* Fetch option type and length. */
|
||||
+ /* Fetch the option type */
|
||||
opt_type = stream_getc(s);
|
||||
- opt_length = BGP_OPEN_EXT_OPT_PARAMS_CAPABLE(peer)
|
||||
- ? stream_getw(s)
|
||||
- : stream_getc(s);
|
||||
+
|
||||
+ /*
|
||||
+ * Check the length and fetch the opt_length
|
||||
+ * If the peer is BGP_OPEN_EXT_OPT_PARAMS_CAPABLE(peer)
|
||||
+ * then we do a getw which is 2 bytes. So we need to
|
||||
+ * ensure that we can read that as well
|
||||
+ */
|
||||
+ if (BGP_OPEN_EXT_OPT_PARAMS_CAPABLE(peer)) {
|
||||
+ if (stream_get_getp(s) + 2 > end)
|
||||
+ goto end;
|
||||
+
|
||||
+ opt_length = stream_getw(s);
|
||||
+ } else {
|
||||
+ if (stream_get_getp(s) + 1 > end)
|
||||
+ goto end;
|
||||
+
|
||||
+ opt_length = stream_getc(s);
|
||||
+ }
|
||||
|
||||
/* Option length check. */
|
||||
if (stream_get_getp(s) + opt_length > end)
|
@ -1,47 +0,0 @@
|
||||
From 766eec1b7accffe2c04a5c9ebb14e9f487bb9f78 Mon Sep 17 00:00:00 2001
|
||||
From: Donald Sharp <sharpd@nvidia.com>
|
||||
Date: Wed, 2 Nov 2022 13:24:48 -0400
|
||||
Subject: [PATCH] bgpd: Ensure that bgp open message stream has enough data to
|
||||
read
|
||||
|
||||
If a operator receives an invalid packet that is of insufficient size
|
||||
then it is possible for BGP to assert during reading of the packet
|
||||
instead of gracefully resetting the connection with the peer.
|
||||
|
||||
Signed-off-by: Donald Sharp <sharpd@nvidia.com>
|
||||
---
|
||||
bgpd/bgp_packet.c | 19 +++++++++++++++++++
|
||||
1 file changed, 19 insertions(+)
|
||||
|
||||
diff --git a/bgpd/bgp_packet.c b/bgpd/bgp_packet.c
|
||||
index 769f9613da8..72d6a923175 100644
|
||||
--- a/bgpd/bgp_packet.c
|
||||
+++ b/bgpd/bgp_packet.c
|
||||
@@ -1386,8 +1386,27 @@ static int bgp_open_receive(struct peer *peer, bgp_size_t size)
|
||||
|| CHECK_FLAG(peer->flags, PEER_FLAG_EXTENDED_OPT_PARAMS)) {
|
||||
uint8_t opttype;
|
||||
|
||||
+ if (STREAM_READABLE(peer->curr) < 1) {
|
||||
+ flog_err(
|
||||
+ EC_BGP_PKT_OPEN,
|
||||
+ "%s: stream does not have enough bytes for extended optional parameters",
|
||||
+ peer->host);
|
||||
+ bgp_notify_send(peer, BGP_NOTIFY_OPEN_ERR,
|
||||
+ BGP_NOTIFY_OPEN_MALFORMED_ATTR);
|
||||
+ return BGP_Stop;
|
||||
+ }
|
||||
+
|
||||
opttype = stream_getc(peer->curr);
|
||||
if (opttype == BGP_OPEN_NON_EXT_OPT_TYPE_EXTENDED_LENGTH) {
|
||||
+ if (STREAM_READABLE(peer->curr) < 2) {
|
||||
+ flog_err(
|
||||
+ EC_BGP_PKT_OPEN,
|
||||
+ "%s: stream does not have enough bytes to read the extended optional parameters optlen",
|
||||
+ peer->host);
|
||||
+ bgp_notify_send(peer, BGP_NOTIFY_OPEN_ERR,
|
||||
+ BGP_NOTIFY_OPEN_MALFORMED_ATTR);
|
||||
+ return BGP_Stop;
|
||||
+ }
|
||||
optlen = stream_getw(peer->curr);
|
||||
SET_FLAG(peer->sflags,
|
||||
PEER_STATUS_EXT_OPT_PARAMS_LENGTH);
|
@ -1,70 +0,0 @@
|
||||
From 1117baca3c592877a4d8a13ed6a1d9bd83977487 Mon Sep 17 00:00:00 2001
|
||||
From: Donald Sharp <sharpd@nvidia.com>
|
||||
Date: Fri, 30 Sep 2022 08:57:43 -0400
|
||||
Subject: [PATCH] bgpd: Ensure FRR has enough data to read 2 bytes in
|
||||
bgp_open_option_parse
|
||||
|
||||
In bgp_open_option_parse the code is checking that the
|
||||
stream has at least 2 bytes to read ( the opt_type and
|
||||
the opt_length). However if BGP_OPEN_EXT_OPT_PARAMS_CAPABLE(peer)
|
||||
is configured then FRR is reading 3 bytes. Which is not good
|
||||
since the packet could be badly formateed. Ensure that
|
||||
FRR has the appropriate data length to read the data.
|
||||
|
||||
Signed-off-by: Donald Sharp <sharpd@nvidia.com>
|
||||
---
|
||||
bgpd/bgp_open.c | 35 ++++++++++++++++++++++++++++-------
|
||||
1 file changed, 28 insertions(+), 7 deletions(-)
|
||||
|
||||
diff --git a/bgpd/bgp_open.c b/bgpd/bgp_open.c
|
||||
index a760a7ca013..d1667fac261 100644
|
||||
--- a/bgpd/bgp_open.c
|
||||
+++ b/bgpd/bgp_open.c
|
||||
@@ -1278,19 +1278,40 @@ int bgp_open_option_parse(struct peer *peer, uint16_t length,
|
||||
uint8_t opt_type;
|
||||
uint16_t opt_length;
|
||||
|
||||
- /* Must have at least an OPEN option header */
|
||||
- if (STREAM_READABLE(s) < 2) {
|
||||
+ /*
|
||||
+ * Check that we can read the opt_type and fetch it
|
||||
+ */
|
||||
+ if (STREAM_READABLE(s) < 1) {
|
||||
zlog_info("%s Option length error", peer->host);
|
||||
bgp_notify_send(peer, BGP_NOTIFY_OPEN_ERR,
|
||||
BGP_NOTIFY_OPEN_MALFORMED_ATTR);
|
||||
return -1;
|
||||
}
|
||||
-
|
||||
- /* Fetch option type and length. */
|
||||
opt_type = stream_getc(s);
|
||||
- opt_length = BGP_OPEN_EXT_OPT_PARAMS_CAPABLE(peer)
|
||||
- ? stream_getw(s)
|
||||
- : stream_getc(s);
|
||||
+
|
||||
+ /*
|
||||
+ * Check the length of the stream to ensure that
|
||||
+ * FRR can properly read the opt_length. Then read it
|
||||
+ */
|
||||
+ if (BGP_OPEN_EXT_OPT_PARAMS_CAPABLE(peer)) {
|
||||
+ if (STREAM_READABLE(s) < 2) {
|
||||
+ zlog_info("%s Option length error", peer->host);
|
||||
+ bgp_notify_send(peer, BGP_NOTIFY_OPEN_ERR,
|
||||
+ BGP_NOTIFY_OPEN_MALFORMED_ATTR);
|
||||
+ return -1;
|
||||
+ }
|
||||
+
|
||||
+ opt_length = stream_getw(s);
|
||||
+ } else {
|
||||
+ if (STREAM_READABLE(s) < 1) {
|
||||
+ zlog_info("%s Option length error", peer->host);
|
||||
+ bgp_notify_send(peer, BGP_NOTIFY_OPEN_ERR,
|
||||
+ BGP_NOTIFY_OPEN_MALFORMED_ATTR);
|
||||
+ return -1;
|
||||
+ }
|
||||
+
|
||||
+ opt_length = stream_getc(s);
|
||||
+ }
|
||||
|
||||
/* Option length check. */
|
||||
if (STREAM_READABLE(s) < opt_length) {
|
@ -1,255 +0,0 @@
|
||||
From edc3f63167fd95e4e70287743c9b252415c9336e Mon Sep 17 00:00:00 2001
|
||||
From: Philippe Guibert <philippe.guibert@6wind.com>
|
||||
Date: Thu, 7 Jul 2022 14:33:48 +0200
|
||||
Subject: [PATCH] bfdd: allow l3vrf bfd sessions without udp leaking
|
||||
|
||||
Until now, when in vrf-lite mode, the BFD implementation
|
||||
creates a single UDP socket and relies on the following
|
||||
sysctl value to 1:
|
||||
|
||||
echo 1 > /proc/sys/net/ipv4/udp_l3mdev_accept
|
||||
|
||||
With this setting, the incoming BFD packets from a given
|
||||
vrf, would leak to the default vrf, and would match the
|
||||
UDP socket.
|
||||
|
||||
The drawback of this solution is that udp packets received
|
||||
on a given vrf may leak to an other vrf. This may be a
|
||||
security concern.
|
||||
|
||||
The commit addresses this issue by avoiding this leak
|
||||
mechanism. An UDP socket is created for each vrf, and each
|
||||
socket uses new setsockopt option: SO_REUSEADDR + SO_REUSEPORT.
|
||||
|
||||
With this option, the incoming UDP packets are distributed on
|
||||
the available sockets. The impact of those options with l3mdev
|
||||
devices is unknown. It has been observed that this option is not
|
||||
needed, until the default vrf sockets are created.
|
||||
|
||||
To ensure the BFD packets are correctly routed to the appropriate
|
||||
socket, a BPF filter has been put in place and attached to the
|
||||
sockets : SO_ATTACH_REUSEPORT_CBPF. This option adds a criterium
|
||||
to force the packet to choose a given socket. If initial criteria
|
||||
from the default distribution algorithm were not good, at least
|
||||
two sockets would be available, and the CBPF would force the
|
||||
selection to the same socket. This would come to the situation
|
||||
where an incoming packet would be processed on a different vrf.
|
||||
|
||||
The bpf code is the following one:
|
||||
|
||||
struct sock_filter code[] = {
|
||||
{ BPF_RET | BPF_K, 0, 0, 0 },
|
||||
};
|
||||
|
||||
struct sock_fprog p = {
|
||||
.len = sizeof(code)/sizeof(struct sock_filter),
|
||||
.filter = code,
|
||||
};
|
||||
|
||||
if (setsockopt(sd, SOL_SOCKET, SO_ATTACH_REUSEPORT_CBPF, &p, sizeof(p))) {
|
||||
zlog_warn("unable to set SO_ATTACH_REUSEPORT_CBPF on socket: %s",
|
||||
strerror(errno));
|
||||
return -1;
|
||||
}
|
||||
|
||||
Some tests have been done with by creating vrf contexts, and by using
|
||||
the below vtysh configuration:
|
||||
|
||||
ip route 2.2.2.2/32 10.126.0.2
|
||||
vrf vrf2
|
||||
ip route 2.2.2.2/32 10.126.0.2
|
||||
!
|
||||
interface ntfp2
|
||||
ip address 10.126.0.1/24
|
||||
!
|
||||
interface ntfp3 vrf vrf4
|
||||
ip address 10.126.0.1/24
|
||||
!
|
||||
interface ntfp2 vrf vrf1
|
||||
ip address 10.126.0.1/24
|
||||
!
|
||||
interface ntfp2.100 vrf vrf2
|
||||
ip address 10.126.0.1/24
|
||||
!
|
||||
interface ntfp2.200 vrf vrf3
|
||||
ip address 10.126.0.1/24
|
||||
!
|
||||
line vty
|
||||
!
|
||||
bfd
|
||||
peer 10.126.0.2 vrf vrf2
|
||||
!
|
||||
peer 10.126.0.2 vrf vrf3
|
||||
!
|
||||
peer 10.126.0.2
|
||||
!
|
||||
peer 10.126.0.2 vrf vrf4
|
||||
!
|
||||
peer 2.2.2.2 multihop local-address 1.1.1.1
|
||||
!
|
||||
peer 2.2.2.2 multihop local-address 1.1.1.1 vrf vrf2
|
||||
transmit-interval 1500
|
||||
receive-interval 1500
|
||||
!
|
||||
|
||||
The results showed no issue related to packets received by
|
||||
the wrong vrf. Even changing the udp_l3mdev_accept flag to
|
||||
1 did not change the test results.
|
||||
|
||||
Signed-off-by: Philippe Guibert <philippe.guibert@6wind.com>
|
||||
---
|
||||
bfdd/bfd.c | 66 +++++++++++++++++++++++------------------------
|
||||
bfdd/bfd_packet.c | 45 ++++++++++++++++++++++++++++++++
|
||||
2 files changed, 77 insertions(+), 34 deletions(-)
|
||||
|
||||
diff --git a/bfdd/bfd.c b/bfdd/bfd.c
|
||||
index 483beb1b17c..a1619263588 100644
|
||||
--- a/bfdd/bfd.c
|
||||
+++ b/bfdd/bfd.c
|
||||
@@ -1950,40 +1950,38 @@ static int bfd_vrf_enable(struct vrf *vrf)
|
||||
if (bglobal.debug_zebra)
|
||||
zlog_debug("VRF enable add %s id %u", vrf->name, vrf->vrf_id);
|
||||
|
||||
- if (vrf->vrf_id == VRF_DEFAULT ||
|
||||
- vrf_get_backend() == VRF_BACKEND_NETNS) {
|
||||
- if (!bvrf->bg_shop)
|
||||
- bvrf->bg_shop = bp_udp_shop(vrf);
|
||||
- if (!bvrf->bg_mhop)
|
||||
- bvrf->bg_mhop = bp_udp_mhop(vrf);
|
||||
- if (!bvrf->bg_shop6)
|
||||
- bvrf->bg_shop6 = bp_udp6_shop(vrf);
|
||||
- if (!bvrf->bg_mhop6)
|
||||
- bvrf->bg_mhop6 = bp_udp6_mhop(vrf);
|
||||
- if (!bvrf->bg_echo)
|
||||
- bvrf->bg_echo = bp_echo_socket(vrf);
|
||||
- if (!bvrf->bg_echov6)
|
||||
- bvrf->bg_echov6 = bp_echov6_socket(vrf);
|
||||
-
|
||||
- if (!bvrf->bg_ev[0] && bvrf->bg_shop != -1)
|
||||
- thread_add_read(master, bfd_recv_cb, bvrf,
|
||||
- bvrf->bg_shop, &bvrf->bg_ev[0]);
|
||||
- if (!bvrf->bg_ev[1] && bvrf->bg_mhop != -1)
|
||||
- thread_add_read(master, bfd_recv_cb, bvrf,
|
||||
- bvrf->bg_mhop, &bvrf->bg_ev[1]);
|
||||
- if (!bvrf->bg_ev[2] && bvrf->bg_shop6 != -1)
|
||||
- thread_add_read(master, bfd_recv_cb, bvrf,
|
||||
- bvrf->bg_shop6, &bvrf->bg_ev[2]);
|
||||
- if (!bvrf->bg_ev[3] && bvrf->bg_mhop6 != -1)
|
||||
- thread_add_read(master, bfd_recv_cb, bvrf,
|
||||
- bvrf->bg_mhop6, &bvrf->bg_ev[3]);
|
||||
- if (!bvrf->bg_ev[4] && bvrf->bg_echo != -1)
|
||||
- thread_add_read(master, bfd_recv_cb, bvrf,
|
||||
- bvrf->bg_echo, &bvrf->bg_ev[4]);
|
||||
- if (!bvrf->bg_ev[5] && bvrf->bg_echov6 != -1)
|
||||
- thread_add_read(master, bfd_recv_cb, bvrf,
|
||||
- bvrf->bg_echov6, &bvrf->bg_ev[5]);
|
||||
- }
|
||||
+ if (!bvrf->bg_shop)
|
||||
+ bvrf->bg_shop = bp_udp_shop(vrf);
|
||||
+ if (!bvrf->bg_mhop)
|
||||
+ bvrf->bg_mhop = bp_udp_mhop(vrf);
|
||||
+ if (!bvrf->bg_shop6)
|
||||
+ bvrf->bg_shop6 = bp_udp6_shop(vrf);
|
||||
+ if (!bvrf->bg_mhop6)
|
||||
+ bvrf->bg_mhop6 = bp_udp6_mhop(vrf);
|
||||
+ if (!bvrf->bg_echo)
|
||||
+ bvrf->bg_echo = bp_echo_socket(vrf);
|
||||
+ if (!bvrf->bg_echov6)
|
||||
+ bvrf->bg_echov6 = bp_echov6_socket(vrf);
|
||||
+
|
||||
+ if (!bvrf->bg_ev[0] && bvrf->bg_shop != -1)
|
||||
+ thread_add_read(master, bfd_recv_cb, bvrf, bvrf->bg_shop,
|
||||
+ &bvrf->bg_ev[0]);
|
||||
+ if (!bvrf->bg_ev[1] && bvrf->bg_mhop != -1)
|
||||
+ thread_add_read(master, bfd_recv_cb, bvrf, bvrf->bg_mhop,
|
||||
+ &bvrf->bg_ev[1]);
|
||||
+ if (!bvrf->bg_ev[2] && bvrf->bg_shop6 != -1)
|
||||
+ thread_add_read(master, bfd_recv_cb, bvrf, bvrf->bg_shop6,
|
||||
+ &bvrf->bg_ev[2]);
|
||||
+ if (!bvrf->bg_ev[3] && bvrf->bg_mhop6 != -1)
|
||||
+ thread_add_read(master, bfd_recv_cb, bvrf, bvrf->bg_mhop6,
|
||||
+ &bvrf->bg_ev[3]);
|
||||
+ if (!bvrf->bg_ev[4] && bvrf->bg_echo != -1)
|
||||
+ thread_add_read(master, bfd_recv_cb, bvrf, bvrf->bg_echo,
|
||||
+ &bvrf->bg_ev[4]);
|
||||
+ if (!bvrf->bg_ev[5] && bvrf->bg_echov6 != -1)
|
||||
+ thread_add_read(master, bfd_recv_cb, bvrf, bvrf->bg_echov6,
|
||||
+ &bvrf->bg_ev[5]);
|
||||
+
|
||||
if (vrf->vrf_id != VRF_DEFAULT) {
|
||||
bfdd_zclient_register(vrf->vrf_id);
|
||||
bfdd_sessions_enable_vrf(vrf);
|
||||
diff --git a/bfdd/bfd_packet.c b/bfdd/bfd_packet.c
|
||||
index d34d6427628..054a9bfbf21 100644
|
||||
--- a/bfdd/bfd_packet.c
|
||||
+++ b/bfdd/bfd_packet.c
|
||||
@@ -876,6 +876,14 @@ void bfd_recv_cb(struct thread *t)
|
||||
"no session found");
|
||||
return;
|
||||
}
|
||||
+ /*
|
||||
+ * We may have a situation where received packet is on wrong vrf
|
||||
+ */
|
||||
+ if (bfd && bfd->vrf && bfd->vrf != bvrf->vrf) {
|
||||
+ cp_debug(is_mhop, &peer, &local, ifindex, vrfid,
|
||||
+ "wrong vrfid.");
|
||||
+ return;
|
||||
+ }
|
||||
|
||||
/* Ensure that existing good sessions are not overridden. */
|
||||
if (!cp->discrs.remote_discr && bfd->ses_state != PTM_BFD_DOWN &&
|
||||
@@ -1208,10 +1216,41 @@ int bp_set_tos(int sd, uint8_t value)
|
||||
return 0;
|
||||
}
|
||||
|
||||
+static bool bp_set_reuse_addr(int sd)
|
||||
+{
|
||||
+ int one = 1;
|
||||
+
|
||||
+ if (setsockopt(sd, SOL_SOCKET, SO_REUSEADDR, &one, sizeof(one)) == -1) {
|
||||
+ zlog_warn("set-reuse-addr: setsockopt(SO_REUSEADDR, %d): %s",
|
||||
+ one, strerror(errno));
|
||||
+ return false;
|
||||
+ }
|
||||
+ return true;
|
||||
+}
|
||||
+
|
||||
+static bool bp_set_reuse_port(int sd)
|
||||
+{
|
||||
+ int one = 1;
|
||||
+
|
||||
+ if (setsockopt(sd, SOL_SOCKET, SO_REUSEPORT, &one, sizeof(one)) == -1) {
|
||||
+ zlog_warn("set-reuse-port: setsockopt(SO_REUSEPORT, %d): %s",
|
||||
+ one, strerror(errno));
|
||||
+ return false;
|
||||
+ }
|
||||
+ return true;
|
||||
+}
|
||||
+
|
||||
+
|
||||
static void bp_set_ipopts(int sd)
|
||||
{
|
||||
int rcvttl = BFD_RCV_TTL_VAL;
|
||||
|
||||
+ if (!bp_set_reuse_addr(sd))
|
||||
+ zlog_fatal("set-reuse-addr: failed");
|
||||
+
|
||||
+ if (!bp_set_reuse_port(sd))
|
||||
+ zlog_fatal("set-reuse-port: failed");
|
||||
+
|
||||
if (bp_set_ttl(sd, BFD_TTL_VAL) != 0)
|
||||
zlog_fatal("set-ipopts: TTL configuration failed");
|
||||
|
||||
@@ -1453,6 +1492,12 @@ static void bp_set_ipv6opts(int sd)
|
||||
int ipv6_pktinfo = BFD_IPV6_PKT_INFO_VAL;
|
||||
int ipv6_only = BFD_IPV6_ONLY_VAL;
|
||||
|
||||
+ if (!bp_set_reuse_addr(sd))
|
||||
+ zlog_fatal("set-reuse-addr: failed");
|
||||
+
|
||||
+ if (!bp_set_reuse_port(sd))
|
||||
+ zlog_fatal("set-reuse-port: failed");
|
||||
+
|
||||
if (bp_set_ttlv6(sd, BFD_TTL_VAL) == -1)
|
||||
zlog_fatal(
|
||||
"set-ipv6opts: setsockopt(IPV6_UNICAST_HOPS, %d): %s",
|
@ -6,8 +6,8 @@
|
||||
%bcond_without selinux
|
||||
|
||||
Name: frr
|
||||
Version: 8.3.1
|
||||
Release: 10%{?checkout}%{?dist}
|
||||
Version: 8.5.3
|
||||
Release: 4%{?checkout}%{?dist}
|
||||
Summary: Routing daemon
|
||||
License: GPLv2+
|
||||
URL: http://www.frrouting.org
|
||||
@ -67,14 +67,10 @@ Patch0000: 0000-remove-babeld-and-ldpd.patch
|
||||
Patch0002: 0002-enable-openssl.patch
|
||||
Patch0003: 0003-disable-eigrp-crypto.patch
|
||||
Patch0004: 0004-fips-mode.patch
|
||||
Patch0005: 0005-ospf-api.patch
|
||||
Patch0006: 0006-graceful-restart.patch
|
||||
Patch0007: 0007-cve-2022-37032.patch
|
||||
Patch0008: 0008-frr-non-root-user.patch
|
||||
Patch0009: 0009-CVE-2022-36440-40302.patch
|
||||
Patch0010: 0010-CVE-2022-43681.patch
|
||||
Patch0011: 0011-CVE-2022-40318.patch
|
||||
Patch0012: 0012-bfd-not-working-in-vrf.patch
|
||||
Patch0005: 0005-CVE-2023-47235.patch
|
||||
Patch0006: 0006-CVE-2023-47234.patch
|
||||
Patch0007: 0007-CVE-2023-46752.patch
|
||||
Patch0008: 0008-CVE-2023-46753.patch
|
||||
|
||||
%description
|
||||
FRRouting is free software that manages TCP/IP based routing protocols. It takes
|
||||
@ -280,6 +276,25 @@ make check PYTHON=%{__python3}
|
||||
%endif
|
||||
|
||||
%changelog
|
||||
* Mon Feb 05 2024 Michal Ruprich <mruprich@redhat.com> - 8.5.3-4
|
||||
- Resolves: RHEL-14825 - crafted BGP UPDATE message leading to a crash
|
||||
|
||||
* Mon Feb 05 2024 Michal Ruprich <mruprich@redhat.com> - 8.5.3-3
|
||||
- Resolves: RHEL-14822 - mishandled malformed data leading to a crash
|
||||
|
||||
* Mon Dec 18 2023 Michal Ruprich <mruprich@redhat.com> - 8.5.3-2
|
||||
- Resolves: RHEL-15915 - crash from specially crafted MP_UNREACH_NLRI-containing BGP UPDATE message
|
||||
- Resolves: RHEL-15918 - crash from malformed EOR-containing BGP UPDATE message
|
||||
|
||||
* Thu Nov 23 2023 Michal Ruprich <mruprich@redhat.com> - 8.5.3-1
|
||||
- Resolves: RHEL-15291 - Rebase FRR to version 8.5.3 in RHEL9
|
||||
|
||||
* Fri Oct 13 2023 Michal Ruprich <mruprich@redhat.com> - 8.3.1-12
|
||||
- Resolves: RHEL-3541 - Incorrect handling of a error in parsing of an invalid section of a BGP update can de-peer a router
|
||||
|
||||
* Thu Sep 21 2023 Carlos Goncalves <cgoncalves@redhat.com> - 8.3.1-11
|
||||
- Resolves: RHEL-2263 - bgpd: Do not explicitly print MAXTTL value for ebgp-multihop vty output
|
||||
|
||||
* Thu Aug 10 2023 Michal Ruprich <mruprich@redhat.com> - 8.3.1-10
|
||||
- Related: #2216912 - adding sys_admin to capabilities
|
||||
|
||||
|
Loading…
Reference in New Issue
Block a user