import CS frr-7.5.1-22.el8
This commit is contained in:
parent
3467a16b20
commit
8e558801ac
129
SOURCES/0016-CVE-2023-38802.patch
Normal file
129
SOURCES/0016-CVE-2023-38802.patch
Normal file
@ -0,0 +1,129 @@
|
||||
From 46817adab03802355c3cce7b753c7a735bdcc5ae Mon Sep 17 00:00:00 2001
|
||||
From: Donatas Abraitis <donatas@opensourcerouting.org>
|
||||
Date: Thu, 13 Jul 2023 22:32:03 +0300
|
||||
Subject: [PATCH] bgpd: Use treat-as-withdraw for tunnel encapsulation
|
||||
attribute
|
||||
|
||||
Before this path we used session reset method, which is discouraged by rfc7606.
|
||||
|
||||
Handle this as rfc requires.
|
||||
|
||||
Signed-off-by: Donatas Abraitis <donatas@opensourcerouting.org>
|
||||
(cherry picked from commit bcb6b58d9530173df41d3a3cbc4c600ee0b4b186)
|
||||
---
|
||||
bgpd/bgp_attr.c | 61 ++++++++++++++++++++-----------------------------
|
||||
1 file changed, 25 insertions(+), 36 deletions(-)
|
||||
|
||||
diff --git a/bgpd/bgp_attr.c b/bgpd/bgp_attr.c
|
||||
index 058fae23cbd..1c0803cfd8e 100644
|
||||
--- a/bgpd/bgp_attr.c
|
||||
+++ b/bgpd/bgp_attr.c
|
||||
@@ -1301,6 +1301,7 @@ bgp_attr_malformed(struct bgp_attr_parser_args *args, uint8_t subcode,
|
||||
case BGP_ATTR_LARGE_COMMUNITIES:
|
||||
case BGP_ATTR_ORIGINATOR_ID:
|
||||
case BGP_ATTR_CLUSTER_LIST:
|
||||
+ case BGP_ATTR_ENCAP:
|
||||
return BGP_ATTR_PARSE_WITHDRAW;
|
||||
case BGP_ATTR_MP_REACH_NLRI:
|
||||
case BGP_ATTR_MP_UNREACH_NLRI:
|
||||
@@ -2434,26 +2435,21 @@ bgp_attr_ipv6_ext_communities(struct bgp_attr_parser_args *args)
|
||||
}
|
||||
|
||||
/* Parse Tunnel Encap attribute in an UPDATE */
|
||||
-static int bgp_attr_encap(uint8_t type, struct peer *peer, /* IN */
|
||||
- bgp_size_t length, /* IN: attr's length field */
|
||||
- struct attr *attr, /* IN: caller already allocated */
|
||||
- uint8_t flag, /* IN: attr's flags field */
|
||||
- uint8_t *startp)
|
||||
+static int bgp_attr_encap(struct bgp_attr_parser_args *args)
|
||||
{
|
||||
- bgp_size_t total;
|
||||
uint16_t tunneltype = 0;
|
||||
-
|
||||
- total = length + (CHECK_FLAG(flag, BGP_ATTR_FLAG_EXTLEN) ? 4 : 3);
|
||||
+ struct peer *const peer = args->peer;
|
||||
+ struct attr *const attr = args->attr;
|
||||
+ bgp_size_t length = args->length;
|
||||
+ uint8_t type = args->type;
|
||||
+ uint8_t flag = args->flags;
|
||||
|
||||
if (!CHECK_FLAG(flag, BGP_ATTR_FLAG_TRANS)
|
||||
|| !CHECK_FLAG(flag, BGP_ATTR_FLAG_OPTIONAL)) {
|
||||
- zlog_info(
|
||||
- "Tunnel Encap attribute flag isn't optional and transitive %d",
|
||||
- flag);
|
||||
- bgp_notify_send_with_data(peer, BGP_NOTIFY_UPDATE_ERR,
|
||||
- BGP_NOTIFY_UPDATE_ATTR_FLAG_ERR,
|
||||
- startp, total);
|
||||
- return -1;
|
||||
+ zlog_err("Tunnel Encap attribute flag isn't optional and transitive %d",
|
||||
+ flag);
|
||||
+ return bgp_attr_malformed(args, BGP_NOTIFY_UPDATE_OPT_ATTR_ERR,
|
||||
+ args->total);
|
||||
}
|
||||
|
||||
if (BGP_ATTR_ENCAP == type) {
|
||||
@@ -2461,12 +2457,11 @@ static int bgp_attr_encap(uint8_t type, struct peer *peer, /* IN */
|
||||
uint16_t tlv_length;
|
||||
|
||||
if (length < 4) {
|
||||
- zlog_info(
|
||||
+ zlog_err(
|
||||
"Tunnel Encap attribute not long enough to contain outer T,L");
|
||||
- bgp_notify_send_with_data(
|
||||
- peer, BGP_NOTIFY_UPDATE_ERR,
|
||||
- BGP_NOTIFY_UPDATE_OPT_ATTR_ERR, startp, total);
|
||||
- return -1;
|
||||
+ return bgp_attr_malformed(args,
|
||||
+ BGP_NOTIFY_UPDATE_OPT_ATTR_ERR,
|
||||
+ args->total);
|
||||
}
|
||||
tunneltype = stream_getw(BGP_INPUT(peer));
|
||||
tlv_length = stream_getw(BGP_INPUT(peer));
|
||||
@@ -2496,13 +2491,11 @@ static int bgp_attr_encap(uint8_t type, struct peer *peer, /* IN */
|
||||
}
|
||||
|
||||
if (sublength > length) {
|
||||
- zlog_info(
|
||||
- "Tunnel Encap attribute sub-tlv length %d exceeds remaining length %d",
|
||||
- sublength, length);
|
||||
- bgp_notify_send_with_data(
|
||||
- peer, BGP_NOTIFY_UPDATE_ERR,
|
||||
- BGP_NOTIFY_UPDATE_OPT_ATTR_ERR, startp, total);
|
||||
- return -1;
|
||||
+ zlog_err("Tunnel Encap attribute sub-tlv length %d exceeds remaining length %d",
|
||||
+ sublength, length);
|
||||
+ return bgp_attr_malformed(args,
|
||||
+ BGP_NOTIFY_UPDATE_OPT_ATTR_ERR,
|
||||
+ args->total);
|
||||
}
|
||||
|
||||
/* alloc and copy sub-tlv */
|
||||
@@ -2550,13 +2543,10 @@ static int bgp_attr_encap(uint8_t type, struct peer *peer, /* IN */
|
||||
|
||||
if (length) {
|
||||
/* spurious leftover data */
|
||||
- zlog_info(
|
||||
- "Tunnel Encap attribute length is bad: %d leftover octets",
|
||||
- length);
|
||||
- bgp_notify_send_with_data(peer, BGP_NOTIFY_UPDATE_ERR,
|
||||
- BGP_NOTIFY_UPDATE_OPT_ATTR_ERR,
|
||||
- startp, total);
|
||||
- return -1;
|
||||
+ zlog_err("Tunnel Encap attribute length is bad: %d leftover octets",
|
||||
+ length);
|
||||
+ return bgp_attr_malformed(args, BGP_NOTIFY_UPDATE_OPT_ATTR_ERR,
|
||||
+ args->total);
|
||||
}
|
||||
|
||||
return 0;
|
||||
@@ -3396,8 +3386,7 @@ enum bgp_attr_parse_ret bgp_attr_parse(struct peer *peer, struct attr *attr,
|
||||
case BGP_ATTR_VNC:
|
||||
#endif
|
||||
case BGP_ATTR_ENCAP:
|
||||
- ret = bgp_attr_encap(type, peer, length, attr, flag,
|
||||
- startp);
|
||||
+ ret = bgp_attr_encap(&attr_args);
|
||||
break;
|
||||
case BGP_ATTR_PREFIX_SID:
|
||||
ret = bgp_attr_prefix_sid(&attr_args);
|
48
SOURCES/0017-fix-crash-in-plist-update.patch
Normal file
48
SOURCES/0017-fix-crash-in-plist-update.patch
Normal file
@ -0,0 +1,48 @@
|
||||
From 0f9e4c4a36cf2b0dd585a7ef97acccb8eebdf7bd Mon Sep 17 00:00:00 2001
|
||||
From: Chirag Shah <chirag@nvidia.com>
|
||||
Date: Mon, 25 Jan 2021 11:44:56 -0800
|
||||
Subject: [PATCH] lib: fix a crash in plist update
|
||||
|
||||
Problem:
|
||||
Prefix-list with mulitiple rules, an update to
|
||||
a rule/sequence with different prefix/prefixlen
|
||||
reset prefix-list next-base pointer to avoid
|
||||
having stale value.
|
||||
|
||||
In some case the old next-bast's reference leads
|
||||
to an assert in tri (trie_install_fn ) add.
|
||||
|
||||
bt:
|
||||
(object=0x55576a4c8a00, updptr=0x55576a4b97e0) at lib/plist.c:560
|
||||
(plist=0x55576a4a1770, pentry=0x55576a4c8a00) at lib/plist.c:585
|
||||
(ple=0x55576a4c8a00) at lib/plist.c:745
|
||||
(args=0x7fffe04beb50) at lib/filter_nb.c:1181
|
||||
|
||||
Solution:
|
||||
Reset prefix-list next-base pointer whenver a
|
||||
sequence/rule is updated.
|
||||
|
||||
Ticket:CM-33109
|
||||
Testing Done:
|
||||
|
||||
Signed-off-by: Chirag Shah <chirag@nvidia.com>
|
||||
Signed-off-by: Rafael Zalamena <rzalamena@opensourcerouting.org>
|
||||
(cherry picked from commit f7f101156eb0e225f375f12cf4f863ebbe3fed03)
|
||||
---
|
||||
lib/plist.c | 1 +
|
||||
1 file changed, 1 insertion(+)
|
||||
|
||||
diff --git a/lib/plist.c b/lib/plist.c
|
||||
index 981e86e2a..c746d1946 100644
|
||||
--- a/lib/plist.c
|
||||
+++ b/lib/plist.c
|
||||
@@ -684,6 +684,7 @@ void prefix_list_entry_update_start(struct prefix_list_entry *ple)
|
||||
if (pl->head || pl->tail || pl->desc)
|
||||
pl->master->recent = pl;
|
||||
|
||||
+ ple->next_best = NULL;
|
||||
ple->installed = false;
|
||||
}
|
||||
|
||||
--
|
||||
2.41.0
|
34
SOURCES/0018-CVE-2023-38406.patch
Normal file
34
SOURCES/0018-CVE-2023-38406.patch
Normal file
@ -0,0 +1,34 @@
|
||||
From 0b999c886e241c52bd1f7ef0066700e4b618ebb3 Mon Sep 17 00:00:00 2001
|
||||
From: Donald Sharp <sharpd@nvidia.com>
|
||||
Date: Thu, 23 Feb 2023 13:29:32 -0500
|
||||
Subject: [PATCH] bgpd: Flowspec overflow issue
|
||||
|
||||
According to the flowspec RFC 8955 a flowspec nlri is <length, <nlri data>>
|
||||
Specifying 0 as a length makes BGP get all warm on the inside. Which
|
||||
in this case is not a good thing at all. Prevent warmth, stay cold
|
||||
on the inside.
|
||||
|
||||
Reported-by: Iggy Frankovic <iggyfran@amazon.com>
|
||||
Signed-off-by: Donald Sharp <sharpd@nvidia.com>
|
||||
---
|
||||
bgpd/bgp_flowspec.c | 7 +++++++
|
||||
1 file changed, 7 insertions(+)
|
||||
|
||||
diff --git a/bgpd/bgp_flowspec.c b/bgpd/bgp_flowspec.c
|
||||
index 8d5ca5e77779..f9debe43cd45 100644
|
||||
--- a/bgpd/bgp_flowspec.c
|
||||
+++ b/bgpd/bgp_flowspec.c
|
||||
@@ -127,6 +127,13 @@ int bgp_nlri_parse_flowspec(struct peer *peer, struct attr *attr,
|
||||
psize);
|
||||
return BGP_NLRI_PARSE_ERROR_PACKET_OVERFLOW;
|
||||
}
|
||||
+
|
||||
+ if (psize == 0) {
|
||||
+ flog_err(EC_BGP_FLOWSPEC_PACKET,
|
||||
+ "Flowspec NLRI length 0 which makes no sense");
|
||||
+ return BGP_NLRI_PARSE_ERROR_PACKET_OVERFLOW;
|
||||
+ }
|
||||
+
|
||||
if (bgp_fs_nlri_validate(pnt, psize, afi) < 0) {
|
||||
flog_err(
|
||||
EC_BGP_FLOWSPEC_PACKET,
|
54
SOURCES/0019-CVE-2023-38407.patch
Normal file
54
SOURCES/0019-CVE-2023-38407.patch
Normal file
@ -0,0 +1,54 @@
|
||||
From 7404a914b0cafe046703c8381903a80d3def8f8b Mon Sep 17 00:00:00 2001
|
||||
From: Donald Sharp <sharpd@nvidia.com>
|
||||
Date: Fri, 3 Mar 2023 21:58:33 -0500
|
||||
Subject: [PATCH] bgpd: Fix use beyond end of stream of labeled unicast parsing
|
||||
|
||||
Fixes a couple crashes associated with attempting to read
|
||||
beyond the end of the stream.
|
||||
|
||||
Reported-by: Iggy Frankovic <iggyfran@amazon.com>
|
||||
Signed-off-by: Donald Sharp <sharpd@nvidia.com>
|
||||
---
|
||||
bgpd/bgp_label.c | 15 +++++++++++++++
|
||||
1 file changed, 15 insertions(+)
|
||||
|
||||
diff --git a/bgpd/bgp_label.c b/bgpd/bgp_label.c
|
||||
index 0cad119af101..c4a5277553ba 100644
|
||||
--- a/bgpd/bgp_label.c
|
||||
+++ b/bgpd/bgp_label.c
|
||||
@@ -297,6 +297,9 @@ static int bgp_nlri_get_labels(struct peer *peer, uint8_t *pnt, uint8_t plen,
|
||||
uint8_t llen = 0;
|
||||
uint8_t label_depth = 0;
|
||||
|
||||
+ if (plen < BGP_LABEL_BYTES)
|
||||
+ return 0;
|
||||
+
|
||||
for (; data < lim; data += BGP_LABEL_BYTES) {
|
||||
memcpy(label, data, BGP_LABEL_BYTES);
|
||||
llen += BGP_LABEL_BYTES;
|
||||
@@ -359,6 +362,9 @@ int bgp_nlri_parse_label(struct peer *peer, struct attr *attr,
|
||||
memcpy(&addpath_id, pnt, BGP_ADDPATH_ID_LEN);
|
||||
addpath_id = ntohl(addpath_id);
|
||||
pnt += BGP_ADDPATH_ID_LEN;
|
||||
+
|
||||
+ if (pnt >= lim)
|
||||
+ return BGP_NLRI_PARSE_ERROR_PACKET_OVERFLOW;
|
||||
}
|
||||
|
||||
/* Fetch prefix length. */
|
||||
@@ -377,6 +383,15 @@ int bgp_nlri_parse_label(struct peer *peer, struct attr *attr,
|
||||
|
||||
/* Fill in the labels */
|
||||
llen = bgp_nlri_get_labels(peer, pnt, psize, &label);
|
||||
+ if (llen == 0) {
|
||||
+ flog_err(
|
||||
+ EC_BGP_UPDATE_RCV,
|
||||
+ "%s [Error] Update packet error (wrong label length 0)",
|
||||
+ peer->host);
|
||||
+ bgp_notify_send(peer, BGP_NOTIFY_UPDATE_ERR,
|
||||
+ BGP_NOTIFY_UPDATE_INVAL_NETWORK);
|
||||
+ return BGP_NLRI_PARSE_ERROR_LABEL_LENGTH;
|
||||
+ }
|
||||
p.prefixlen = prefixlen - BSIZE(llen);
|
||||
|
||||
/* There needs to be at least one label */
|
89
SOURCES/0020-CVE-2023-47234.patch
Normal file
89
SOURCES/0020-CVE-2023-47234.patch
Normal file
@ -0,0 +1,89 @@
|
||||
From c37119df45bbf4ef713bc10475af2ee06e12f3bf Mon Sep 17 00:00:00 2001
|
||||
From: Donatas Abraitis <donatas@opensourcerouting.org>
|
||||
Date: Sun, 29 Oct 2023 22:44:45 +0200
|
||||
Subject: [PATCH] bgpd: Ignore handling NLRIs if we received MP_UNREACH_NLRI
|
||||
|
||||
If we receive MP_UNREACH_NLRI, we should stop handling remaining NLRIs if
|
||||
no mandatory path attributes received.
|
||||
|
||||
In other words, if MP_UNREACH_NLRI received, the remaining NLRIs should be handled
|
||||
as a new data, but without mandatory attributes, it's a malformed packet.
|
||||
|
||||
In normal case, this MUST not happen at all, but to avoid crashing bgpd, we MUST
|
||||
handle that.
|
||||
|
||||
Reported-by: Iggy Frankovic <iggyfran@amazon.com>
|
||||
Signed-off-by: Donatas Abraitis <donatas@opensourcerouting.org>
|
||||
---
|
||||
bgpd/bgp_attr.c | 19 ++++++++++---------
|
||||
bgpd/bgp_attr.h | 1 +
|
||||
bgpd/bgp_packet.c | 7 ++++++-
|
||||
3 files changed, 17 insertions(+), 10 deletions(-)
|
||||
|
||||
diff --git a/bgpd/bgp_attr.c b/bgpd/bgp_attr.c
|
||||
index 1473dc772502..75aa2ac7cce6 100644
|
||||
--- a/bgpd/bgp_attr.c
|
||||
+++ b/bgpd/bgp_attr.c
|
||||
@@ -3399,15 +3399,6 @@ static int bgp_attr_check(struct peer *peer, struct attr *attr,
|
||||
if (CHECK_FLAG(peer->cap, PEER_CAP_RESTART_RCV) && !attr->flag)
|
||||
return BGP_ATTR_PARSE_PROCEED;
|
||||
|
||||
- /* "An UPDATE message that contains the MP_UNREACH_NLRI is not required
|
||||
- to carry any other path attributes.", though if MP_REACH_NLRI or NLRI
|
||||
- are present, it should. Check for any other attribute being present
|
||||
- instead.
|
||||
- */
|
||||
- if ((!CHECK_FLAG(attr->flag, ATTR_FLAG_BIT(BGP_ATTR_MP_REACH_NLRI)) &&
|
||||
- CHECK_FLAG(attr->flag, ATTR_FLAG_BIT(BGP_ATTR_MP_UNREACH_NLRI))))
|
||||
- return BGP_ATTR_PARSE_PROCEED;
|
||||
-
|
||||
if (!CHECK_FLAG(attr->flag, ATTR_FLAG_BIT(BGP_ATTR_ORIGIN)))
|
||||
type = BGP_ATTR_ORIGIN;
|
||||
|
||||
@@ -3426,6 +3417,16 @@ static int bgp_attr_check(struct peer *peer, struct attr *attr,
|
||||
&& !CHECK_FLAG(attr->flag, ATTR_FLAG_BIT(BGP_ATTR_LOCAL_PREF)))
|
||||
type = BGP_ATTR_LOCAL_PREF;
|
||||
|
||||
+ /* An UPDATE message that contains the MP_UNREACH_NLRI is not required
|
||||
+ * to carry any other path attributes. Though if MP_REACH_NLRI or NLRI
|
||||
+ * are present, it should. Check for any other attribute being present
|
||||
+ * instead.
|
||||
+ */
|
||||
+ if (!CHECK_FLAG(attr->flag, ATTR_FLAG_BIT(BGP_ATTR_MP_REACH_NLRI)) &&
|
||||
+ CHECK_FLAG(attr->flag, ATTR_FLAG_BIT(BGP_ATTR_MP_UNREACH_NLRI)))
|
||||
+ return type ? BGP_ATTR_PARSE_MISSING_MANDATORY
|
||||
+ : BGP_ATTR_PARSE_PROCEED;
|
||||
+
|
||||
/* If any of the well-known mandatory attributes are not present
|
||||
* in an UPDATE message, then "treat-as-withdraw" MUST be used.
|
||||
*/
|
||||
diff --git a/bgpd/bgp_attr.h b/bgpd/bgp_attr.h
|
||||
index fc347e7a1b4b..d30155e6dba0 100644
|
||||
--- a/bgpd/bgp_attr.h
|
||||
+++ b/bgpd/bgp_attr.h
|
||||
@@ -364,6 +364,7 @@ enum bgp_attr_parse_ret {
|
||||
*/
|
||||
BGP_ATTR_PARSE_ERROR_NOTIFYPLS = -3,
|
||||
BGP_ATTR_PARSE_EOR = -4,
|
||||
+ BGP_ATTR_PARSE_MISSING_MANDATORY = -4,
|
||||
} bgp_attr_parse_ret_t;
|
||||
|
||||
struct bpacket_attr_vec_arr;
|
||||
diff --git a/bgpd/bgp_packet.c b/bgpd/bgp_packet.c
|
||||
index a7514a26aa64..5dc35157ebf6 100644
|
||||
--- a/bgpd/bgp_packet.c
|
||||
+++ b/bgpd/bgp_packet.c
|
||||
@@ -2359,7 +2359,12 @@ static int bgp_update_receive(struct peer_connection *connection,
|
||||
/* Network Layer Reachability Information. */
|
||||
update_len = end - stream_pnt(s);
|
||||
|
||||
- if (update_len) {
|
||||
+ /* If we received MP_UNREACH_NLRI attribute, but also NLRIs, then
|
||||
+ * NLRIs should be handled as a new data. Though, if we received
|
||||
+ * NLRIs without mandatory attributes, they should be ignored.
|
||||
+ */
|
||||
+ if (update_len && attribute_len &&
|
||||
+ attr_parse_ret != BGP_ATTR_PARSE_MISSING_MANDATORY) {
|
||||
/* Set NLRI portion to structure. */
|
||||
nlris[NLRI_UPDATE].afi = AFI_IP;
|
||||
nlris[NLRI_UPDATE].safi = SAFI_UNICAST;
|
105
SOURCES/0021-CVE-2023-47235.patch
Normal file
105
SOURCES/0021-CVE-2023-47235.patch
Normal file
@ -0,0 +1,105 @@
|
||||
From 6814f2e0138a6ea5e1f83bdd9085d9a77999900b Mon Sep 17 00:00:00 2001
|
||||
From: Donatas Abraitis <donatas@opensourcerouting.org>
|
||||
Date: Fri, 27 Oct 2023 11:56:45 +0300
|
||||
Subject: [PATCH] bgpd: Treat EOR as withdrawn to avoid unwanted handling of
|
||||
malformed attrs
|
||||
|
||||
Treat-as-withdraw, otherwise if we just ignore it, we will pass it to be
|
||||
processed as a normal UPDATE without mandatory attributes, that could lead
|
||||
to harmful behavior. In this case, a crash for route-maps with the configuration
|
||||
such as:
|
||||
|
||||
```
|
||||
router bgp 65001
|
||||
no bgp ebgp-requires-policy
|
||||
neighbor 127.0.0.1 remote-as external
|
||||
neighbor 127.0.0.1 passive
|
||||
neighbor 127.0.0.1 ebgp-multihop
|
||||
neighbor 127.0.0.1 disable-connected-check
|
||||
neighbor 127.0.0.1 update-source 127.0.0.2
|
||||
neighbor 127.0.0.1 timers 3 90
|
||||
neighbor 127.0.0.1 timers connect 1
|
||||
!
|
||||
address-family ipv4 unicast
|
||||
neighbor 127.0.0.1 addpath-tx-all-paths
|
||||
neighbor 127.0.0.1 default-originate
|
||||
neighbor 127.0.0.1 route-map RM_IN in
|
||||
exit-address-family
|
||||
exit
|
||||
!
|
||||
route-map RM_IN permit 10
|
||||
set as-path prepend 200
|
||||
exit
|
||||
```
|
||||
|
||||
Send a malformed optional transitive attribute:
|
||||
|
||||
```
|
||||
import socket
|
||||
import time
|
||||
|
||||
OPEN = (b"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff"
|
||||
b"\xff\xff\x00\x62\x01\x04\xfd\xea\x00\x5a\x0a\x00\x00\x01\x45\x02"
|
||||
b"\x06\x01\x04\x00\x01\x00\x01\x02\x02\x02\x00\x02\x02\x46\x00\x02"
|
||||
b"\x06\x41\x04\x00\x00\xfd\xea\x02\x02\x06\x00\x02\x06\x45\x04\x00"
|
||||
b"\x01\x01\x03\x02\x0e\x49\x0c\x0a\x64\x6f\x6e\x61\x74\x61\x73\x2d"
|
||||
b"\x70\x63\x00\x02\x04\x40\x02\x00\x78\x02\x09\x47\x07\x00\x01\x01"
|
||||
b"\x80\x00\x00\x00")
|
||||
|
||||
KEEPALIVE = (b"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff"
|
||||
b"\xff\xff\xff\xff\xff\xff\x00\x13\x04")
|
||||
|
||||
UPDATE = bytearray.fromhex("ffffffffffffffffffffffffffffffff002b0200000003c0ff00010100eb00ac100b0b001ad908ac100b0b")
|
||||
|
||||
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
|
||||
s.connect(('127.0.0.2', 179))
|
||||
s.send(OPEN)
|
||||
data = s.recv(1024)
|
||||
s.send(KEEPALIVE)
|
||||
data = s.recv(1024)
|
||||
s.send(UPDATE)
|
||||
data = s.recv(1024)
|
||||
time.sleep(100)
|
||||
s.close()
|
||||
```
|
||||
|
||||
Reported-by: Iggy Frankovic <iggyfran@amazon.com>
|
||||
Signed-off-by: Donatas Abraitis <donatas@opensourcerouting.org>
|
||||
---
|
||||
bgpd/bgp_attr.c | 15 ++++++++++++---
|
||||
1 file changed, 12 insertions(+), 3 deletions(-)
|
||||
|
||||
diff --git a/bgpd/bgp_attr.c b/bgpd/bgp_attr.c
|
||||
index cf2dbe65b805..1473dc772502 100644
|
||||
--- a/bgpd/bgp_attr.c
|
||||
+++ b/bgpd/bgp_attr.c
|
||||
@@ -3391,9 +3391,12 @@ static int bgp_attr_check(struct peer *peer, struct attr *attr,
|
||||
uint8_t type = 0;
|
||||
|
||||
/* BGP Graceful-Restart End-of-RIB for IPv4 unicast is signaled as an
|
||||
- * empty UPDATE. */
|
||||
+ * empty UPDATE. Treat-as-withdraw, otherwise if we just ignore it,
|
||||
+ * we will pass it to be processed as a normal UPDATE without mandatory
|
||||
+ * attributes, that could lead to harmful behavior.
|
||||
+ */
|
||||
if (CHECK_FLAG(peer->cap, PEER_CAP_RESTART_RCV) && !attr->flag)
|
||||
- return BGP_ATTR_PARSE_PROCEED;
|
||||
+ return BGP_ATTR_PARSE_WITHDRAW;
|
||||
|
||||
if (!CHECK_FLAG(attr->flag, ATTR_FLAG_BIT(BGP_ATTR_ORIGIN)))
|
||||
type = BGP_ATTR_ORIGIN;
|
||||
@@ -3273,7 +3276,13 @@ done:
|
||||
aspath_unintern(&as4_path);
|
||||
}
|
||||
|
||||
- if (ret != BGP_ATTR_PARSE_ERROR) {
|
||||
+ /* If we received an UPDATE with mandatory attributes, then
|
||||
+ * the unrecognized transitive optional attribute of that
|
||||
+ * path MUST be passed. Otherwise, it's an error, and from
|
||||
+ * security perspective it might be very harmful if we continue
|
||||
+ * here with the unrecognized attributes.
|
||||
+ */
|
||||
+ if (ret == BGP_ATTR_PARSE_PROCEED) {
|
||||
/* Finally intern unknown attribute. */
|
||||
if (attr->transit)
|
||||
attr->transit = transit_intern(attr->transit);
|
47
SOURCES/0022-route-map-event.patch
Normal file
47
SOURCES/0022-route-map-event.patch
Normal file
@ -0,0 +1,47 @@
|
||||
From 4fc5dafd1c8167a98e3a5f51efc1ea5092513364 Mon Sep 17 00:00:00 2001
|
||||
From: rgirada <rgirada@vmware.com>
|
||||
Date: Thu, 18 Feb 2021 20:15:40 -0800
|
||||
Subject: [PATCH] lib: Routemap is not getting applied upon changing the
|
||||
routemap action
|
||||
|
||||
Description:
|
||||
This looks broken after NB changes in routemap. When routemap
|
||||
action modified from permit to deny, it is expected to apply
|
||||
the new action on the filtered routes before the action in the
|
||||
routemap data structure has been changed. But currently this is
|
||||
not handled by the corresponding northbound API.
|
||||
|
||||
Signed-off-by: Rajesh Girada <rgirada@vmware.com>
|
||||
---
|
||||
lib/routemap_northbound.c | 11 ++++++++++-
|
||||
1 file changed, 10 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/lib/routemap_northbound.c b/lib/routemap_northbound.c
|
||||
index db06e9caac75..3473ca2aea8c 100644
|
||||
--- a/lib/routemap_northbound.c
|
||||
+++ b/lib/routemap_northbound.c
|
||||
@@ -271,6 +271,7 @@ lib_route_map_entry_description_destroy(struct nb_cb_destroy_args *args)
|
||||
static int lib_route_map_entry_action_modify(struct nb_cb_modify_args *args)
|
||||
{
|
||||
struct route_map_index *rmi;
|
||||
+ struct route_map *map;
|
||||
|
||||
switch (args->event) {
|
||||
case NB_EV_VALIDATE:
|
||||
@@ -281,7 +282,15 @@ static int lib_route_map_entry_action_modify(struct nb_cb_modify_args *args)
|
||||
case NB_EV_APPLY:
|
||||
rmi = nb_running_get_entry(args->dnode, NULL, true);
|
||||
rmi->type = yang_dnode_get_enum(args->dnode, NULL);
|
||||
- /* TODO: notify? */
|
||||
+ map = rmi->map;
|
||||
+
|
||||
+ /* Execute event hook. */
|
||||
+ if (route_map_master.event_hook) {
|
||||
+ (*route_map_master.event_hook)(map->name);
|
||||
+ route_map_notify_dependencies(map->name,
|
||||
+ RMAP_EVENT_CALL_ADDED);
|
||||
+ }
|
||||
+
|
||||
break;
|
||||
}
|
||||
|
76
SOURCES/0023-CVE-2023-46752.patch
Normal file
76
SOURCES/0023-CVE-2023-46752.patch
Normal file
@ -0,0 +1,76 @@
|
||||
From b08afc81c60607a4f736f418f2e3eb06087f1a35 Mon Sep 17 00:00:00 2001
|
||||
From: Donatas Abraitis <donatas@opensourcerouting.org>
|
||||
Date: Fri, 20 Oct 2023 17:49:18 +0300
|
||||
Subject: [PATCH] bgpd: Handle MP_REACH_NLRI malformed packets with session
|
||||
reset
|
||||
|
||||
Avoid crashing bgpd.
|
||||
|
||||
Reported-by: Iggy Frankovic <iggyfran@amazon.com>
|
||||
Signed-off-by: Donatas Abraitis <donatas@opensourcerouting.org>
|
||||
---
|
||||
bgpd/bgp_attr.c | 6 +-----
|
||||
bgpd/bgp_attr.h | 1 -
|
||||
bgpd/bgp_packet.c | 6 +-----
|
||||
3 files changed, 2 insertions(+), 11 deletions(-)
|
||||
|
||||
diff --git a/bgpd/bgp_attr.c b/bgpd/bgp_attr.c
|
||||
index 6925aff727e2..e7bb42a5d989 100644
|
||||
--- a/bgpd/bgp_attr.c
|
||||
+++ b/bgpd/bgp_attr.c
|
||||
@@ -2421,7 +2421,7 @@ int bgp_mp_reach_parse(struct bgp_attr_parser_args *args,
|
||||
|
||||
mp_update->afi = afi;
|
||||
mp_update->safi = safi;
|
||||
- return BGP_ATTR_PARSE_EOR;
|
||||
+ return bgp_attr_malformed(args, BGP_NOTIFY_UPDATE_MAL_ATTR, 0);
|
||||
}
|
||||
|
||||
mp_update->afi = afi;
|
||||
@@ -3759,10 +3759,6 @@ enum bgp_attr_parse_ret bgp_attr_parse(struct peer *peer, struct attr *attr,
|
||||
goto done;
|
||||
}
|
||||
|
||||
- if (ret == BGP_ATTR_PARSE_EOR) {
|
||||
- goto done;
|
||||
- }
|
||||
-
|
||||
if (ret == BGP_ATTR_PARSE_ERROR) {
|
||||
flog_warn(EC_BGP_ATTRIBUTE_PARSE_ERROR,
|
||||
"%s: Attribute %s, parse error", peer->host,
|
||||
diff --git a/bgpd/bgp_attr.h b/bgpd/bgp_attr.h
|
||||
index 961e5f122470..fc347e7a1b4b 100644
|
||||
--- a/bgpd/bgp_attr.h
|
||||
+++ b/bgpd/bgp_attr.h
|
||||
@@ -364,7 +364,6 @@ enum bgp_attr_parse_ret {
|
||||
/* only used internally, send notify + convert to BGP_ATTR_PARSE_ERROR
|
||||
*/
|
||||
BGP_ATTR_PARSE_ERROR_NOTIFYPLS = -3,
|
||||
- BGP_ATTR_PARSE_EOR = -4,
|
||||
BGP_ATTR_PARSE_MISSING_MANDATORY = -4,
|
||||
} bgp_attr_parse_ret_t;
|
||||
|
||||
diff --git a/bgpd/bgp_packet.c b/bgpd/bgp_packet.c
|
||||
index b585591e2f69..5ecf343b6657 100644
|
||||
--- a/bgpd/bgp_packet.c
|
||||
+++ b/bgpd/bgp_packet.c
|
||||
@@ -2397,8 +2397,7 @@ static int bgp_update_receive(struct peer_connection *connection,
|
||||
* Non-MP IPv4/Unicast EoR is a completely empty UPDATE
|
||||
* and MP EoR should have only an empty MP_UNREACH
|
||||
*/
|
||||
- if ((!update_len && !withdraw_len && nlris[NLRI_MP_UPDATE].length == 0)
|
||||
- || (attr_parse_ret == BGP_ATTR_PARSE_EOR)) {
|
||||
+ if (!update_len && !withdraw_len && nlris[NLRI_MP_UPDATE].length == 0) {
|
||||
afi_t afi = 0;
|
||||
safi_t safi;
|
||||
struct graceful_restart_info *gr_info;
|
||||
@@ -2419,9 +2418,6 @@ static int bgp_update_receive(struct peer_connection *connection,
|
||||
&& nlris[NLRI_MP_WITHDRAW].length == 0) {
|
||||
afi = nlris[NLRI_MP_WITHDRAW].afi;
|
||||
safi = nlris[NLRI_MP_WITHDRAW].safi;
|
||||
- } else if (attr_parse_ret == BGP_ATTR_PARSE_EOR) {
|
||||
- afi = nlris[NLRI_MP_UPDATE].afi;
|
||||
- safi = nlris[NLRI_MP_UPDATE].safi;
|
||||
}
|
||||
|
||||
if (afi && peer->afc[afi][safi]) {
|
60
SOURCES/0024-CVE-2023-46753.patch
Normal file
60
SOURCES/0024-CVE-2023-46753.patch
Normal file
@ -0,0 +1,60 @@
|
||||
From d8482bf011cb2b173e85b65b4bf3d5061250cdb9 Mon Sep 17 00:00:00 2001
|
||||
From: Donatas Abraitis <donatas@opensourcerouting.org>
|
||||
Date: Mon, 23 Oct 2023 23:34:10 +0300
|
||||
Subject: [PATCH] bgpd: Check mandatory attributes more carefully for UPDATE
|
||||
message
|
||||
|
||||
If we send a crafted BGP UPDATE message without mandatory attributes, we do
|
||||
not check if the length of the path attributes is zero or not. We only check
|
||||
if attr->flag is at least set or not. Imagine we send only unknown transit
|
||||
attribute, then attr->flag is always 0. Also, this is true only if graceful-restart
|
||||
capability is received.
|
||||
|
||||
Reported-by: Iggy Frankovic <iggyfran@amazon.com>
|
||||
Signed-off-by: Donatas Abraitis <donatas@opensourcerouting.org>
|
||||
---
|
||||
bgpd/bgp_attr.c | 10 ++++++----
|
||||
1 file changed, 6 insertions(+), 4 deletions(-)
|
||||
|
||||
diff --git a/bgpd/bgp_attr.c b/bgpd/bgp_attr.c
|
||||
index 26fd3de..bcc4424 100644
|
||||
--- a/bgpd/bgp_attr.c
|
||||
+++ b/bgpd/bgp_attr.c
|
||||
@@ -3400,7 +3400,8 @@ bgp_attr_unknown(struct bgp_attr_parser_args *args)
|
||||
}
|
||||
|
||||
/* Well-known attribute check. */
|
||||
-static int bgp_attr_check(struct peer *peer, struct attr *attr)
|
||||
+static int bgp_attr_check(struct peer *peer, struct attr *attr,
|
||||
+ bgp_size_t length)
|
||||
{
|
||||
uint8_t type = 0;
|
||||
|
||||
@@ -3409,7 +3410,8 @@ static int bgp_attr_check(struct peer *peer, struct attr *attr)
|
||||
* we will pass it to be processed as a normal UPDATE without mandatory
|
||||
* attributes, that could lead to harmful behavior.
|
||||
*/
|
||||
- if (CHECK_FLAG(peer->cap, PEER_CAP_RESTART_RCV) && !attr->flag)
|
||||
+ if (CHECK_FLAG(peer->cap, PEER_CAP_RESTART_RCV) && !attr->flag &&
|
||||
+ !length)
|
||||
return BGP_ATTR_PARSE_WITHDRAW;
|
||||
|
||||
if (!CHECK_FLAG(attr->flag, ATTR_FLAG_BIT(BGP_ATTR_ORIGIN)))
|
||||
@@ -3462,7 +3464,7 @@ enum bgp_attr_parse_ret bgp_attr_parse(struct peer *peer, struct attr *attr,
|
||||
bgp_attr_parse_ret_t ret;
|
||||
uint8_t flag = 0;
|
||||
uint8_t type = 0;
|
||||
- bgp_size_t length;
|
||||
+ bgp_size_t length = 0;
|
||||
uint8_t *startp, *endp;
|
||||
uint8_t *attr_endp;
|
||||
uint8_t seen[BGP_ATTR_BITMAP_SIZE];
|
||||
@@ -3216,7 +3218,7 @@ bgp_attr_parse_ret_t bgp_attr_parse(struct peer *peer, struct attr *attr,
|
||||
}
|
||||
|
||||
/* Check all mandatory well-known attributes are present */
|
||||
- if ((ret = bgp_attr_check(peer, attr)) < 0)
|
||||
+ if ((ret = bgp_attr_check(peer, attr, length)) < 0)
|
||||
goto done;
|
||||
|
||||
/*
|
150
SOURCES/0025-CVE-2023-31490.patch
Normal file
150
SOURCES/0025-CVE-2023-31490.patch
Normal file
@ -0,0 +1,150 @@
|
||||
From 06431bfa7570f169637ebb5898f0b0cc3b010802 Mon Sep 17 00:00:00 2001
|
||||
From: Donald Sharp <sharpd@nvidia.com>
|
||||
Date: Tue, 6 Dec 2022 10:23:11 -0500
|
||||
Subject: [PATCH] bgpd: Ensure stream received has enough data
|
||||
|
||||
BGP_PREFIX_SID_SRV6_L3_SERVICE attributes must not
|
||||
fully trust the length value specified in the nlri.
|
||||
Always ensure that the amount of data we need to read
|
||||
can be fullfilled.
|
||||
|
||||
Reported-by: Iggy Frankovic <iggyfran@amazon.com>
|
||||
Signed-off-by: Donald Sharp <sharpd@nvidia.com>
|
||||
---
|
||||
bgpd/bgp_attr.c | 79 ++++++++++++++++---------------------------------
|
||||
1 file changed, 25 insertions(+), 54 deletions(-)
|
||||
|
||||
diff --git a/bgpd/bgp_attr.c b/bgpd/bgp_attr.c
|
||||
index c35e45275c9b..5b06bc391375 100644
|
||||
--- a/bgpd/bgp_attr.c
|
||||
+++ b/bgpd/bgp_attr.c
|
||||
@@ -2927,9 +2927,21 @@ bgp_attr_psid_sub(uint8_t type, uint16_t length,
|
||||
uint16_t endpoint_behavior;
|
||||
char buf[BUFSIZ];
|
||||
|
||||
+ /*
|
||||
+ * Check that we actually have at least as much data as
|
||||
+ * specified by the length field
|
||||
+ */
|
||||
+ if (STREAM_READABLE(peer->curr) < length) {
|
||||
+ flog_err(
|
||||
+ EC_BGP_ATTR_LEN,
|
||||
+ "Prefix SID specifies length %hu, but only %zu bytes remain",
|
||||
+ length, STREAM_READABLE(peer->curr));
|
||||
+ return bgp_attr_malformed(args, BGP_NOTIFY_UPDATE_ATTR_LENG_ERR,
|
||||
+ args->total);
|
||||
+ }
|
||||
+
|
||||
if (type == BGP_PREFIX_SID_LABEL_INDEX) {
|
||||
- if (STREAM_READABLE(peer->curr) < length
|
||||
- || length != BGP_PREFIX_SID_LABEL_INDEX_LENGTH) {
|
||||
+ if (length != BGP_PREFIX_SID_LABEL_INDEX_LENGTH) {
|
||||
flog_err(EC_BGP_ATTR_LEN,
|
||||
"Prefix SID label index length is %hu instead of %u",
|
||||
length, BGP_PREFIX_SID_LABEL_INDEX_LENGTH);
|
||||
@@ -2951,12 +2963,8 @@ bgp_attr_psid_sub(uint8_t type, uint16_t length,
|
||||
/* Store label index; subsequently, we'll check on
|
||||
* address-family */
|
||||
attr->label_index = label_index;
|
||||
- }
|
||||
-
|
||||
- /* Placeholder code for the IPv6 SID type */
|
||||
- else if (type == BGP_PREFIX_SID_IPV6) {
|
||||
- if (STREAM_READABLE(peer->curr) < length
|
||||
- || length != BGP_PREFIX_SID_IPV6_LENGTH) {
|
||||
+ } else if (type == BGP_PREFIX_SID_IPV6) {
|
||||
+ if (length != BGP_PREFIX_SID_IPV6_LENGTH) {
|
||||
flog_err(EC_BGP_ATTR_LEN,
|
||||
"Prefix SID IPv6 length is %hu instead of %u",
|
||||
length, BGP_PREFIX_SID_IPV6_LENGTH);
|
||||
@@ -2970,10 +2978,7 @@ bgp_attr_psid_sub(uint8_t type, uint16_t length,
|
||||
stream_getw(peer->curr);
|
||||
|
||||
stream_get(&ipv6_sid, peer->curr, 16);
|
||||
- }
|
||||
-
|
||||
- /* Placeholder code for the Originator SRGB type */
|
||||
- else if (type == BGP_PREFIX_SID_ORIGINATOR_SRGB) {
|
||||
+ } else if (type == BGP_PREFIX_SID_ORIGINATOR_SRGB) {
|
||||
/*
|
||||
* ietf-idr-bgp-prefix-sid-05:
|
||||
* Length is the total length of the value portion of the
|
||||
@@ -2998,19 +3003,6 @@ bgp_attr_psid_sub(uint8_t type, uint16_t length,
|
||||
args->total);
|
||||
}
|
||||
|
||||
- /*
|
||||
- * Check that we actually have at least as much data as
|
||||
- * specified by the length field
|
||||
- */
|
||||
- if (STREAM_READABLE(peer->curr) < length) {
|
||||
- flog_err(EC_BGP_ATTR_LEN,
|
||||
- "Prefix SID Originator SRGB specifies length %hu, but only %zu bytes remain",
|
||||
- length, STREAM_READABLE(peer->curr));
|
||||
- return bgp_attr_malformed(
|
||||
- args, BGP_NOTIFY_UPDATE_ATTR_LENG_ERR,
|
||||
- args->total);
|
||||
- }
|
||||
-
|
||||
/*
|
||||
* Check that the portion of the TLV containing the sequence of
|
||||
* SRGBs corresponds to a multiple of the SRGB size; to get
|
||||
@@ -3034,12 +3026,8 @@ bgp_attr_psid_sub(uint8_t type, uint16_t length,
|
||||
stream_get(&srgb_base, peer->curr, 3);
|
||||
stream_get(&srgb_range, peer->curr, 3);
|
||||
}
|
||||
- }
|
||||
-
|
||||
- /* Placeholder code for the VPN-SID Service type */
|
||||
- else if (type == BGP_PREFIX_SID_VPN_SID) {
|
||||
- if (STREAM_READABLE(peer->curr) < length
|
||||
- || length != BGP_PREFIX_SID_VPN_SID_LENGTH) {
|
||||
+ } else if (type == BGP_PREFIX_SID_VPN_SID) {
|
||||
+ if (length != BGP_PREFIX_SID_VPN_SID_LENGTH) {
|
||||
flog_err(EC_BGP_ATTR_LEN,
|
||||
"Prefix SID VPN SID length is %hu instead of %u",
|
||||
length, BGP_PREFIX_SID_VPN_SID_LENGTH);
|
||||
@@ -2601,18 +2589,13 @@ static bgp_attr_parse_ret_t bgp_attr_psid_sub(uint8_t type, uint16_t length,
|
||||
sizeof(struct bgp_attr_srv6_vpn));
|
||||
attr->srv6_vpn->sid_flags = sid_flags;
|
||||
sid_copy(&attr->srv6_vpn->sid, &ipv6_sid);
|
||||
- }
|
||||
-
|
||||
- /* Placeholder code for the SRv6 L3 Service type */
|
||||
- else if (type == BGP_PREFIX_SID_SRV6_L3_SERVICE) {
|
||||
- if (STREAM_READABLE(peer->curr) < length
|
||||
- || length != BGP_PREFIX_SID_SRV6_L3_SERVICE_LENGTH) {
|
||||
- flog_err(EC_BGP_ATTR_LEN,
|
||||
- "Prefix SID SRv6 L3-Service length is %hu instead of %u",
|
||||
- length, BGP_PREFIX_SID_SRV6_L3_SERVICE_LENGTH);
|
||||
- return bgp_attr_malformed(args,
|
||||
- BGP_NOTIFY_UPDATE_ATTR_LENG_ERR,
|
||||
- args->total);
|
||||
+ } else if (type == BGP_PREFIX_SID_SRV6_L3_SERVICE) {
|
||||
+ if (STREAM_READABLE(peer->curr) < 1) {
|
||||
+ flog_err(EC_BGP_ATTR_LEN,
|
||||
+ "Prefix SID SRV6 L3 Service not enough data left, it must be at least 1 byte");
|
||||
+ return bgp_attr_malformed(
|
||||
+ args, BGP_NOTIFY_UPDATE_ATTR_LENG_ERR,
|
||||
+ args->total);
|
||||
}
|
||||
|
||||
/* Parse L3-SERVICE Sub-TLV */
|
||||
@@ -2647,17 +2630,6 @@ static bgp_attr_parse_ret_t bgp_attr_psid_sub(uint8_t type, uint16_t length,
|
||||
|
||||
/* Placeholder code for Unsupported TLV */
|
||||
else {
|
||||
-
|
||||
- if (STREAM_READABLE(peer->curr) < length) {
|
||||
- flog_err(
|
||||
- EC_BGP_ATTR_LEN,
|
||||
- "Prefix SID SRv6 length is %hu - too long, only %zu remaining in this UPDATE",
|
||||
- length, STREAM_READABLE(peer->curr));
|
||||
- return bgp_attr_malformed(
|
||||
- args, BGP_NOTIFY_UPDATE_ATTR_LENG_ERR,
|
||||
- args->total);
|
||||
- }
|
||||
-
|
||||
if (bgp_debug_update(peer, NULL, NULL, 1))
|
||||
zlog_debug(
|
||||
"%s attr Prefix-SID sub-type=%u is not supported, skipped",
|
34
SOURCES/0026-CVE-2023-41909.patch
Normal file
34
SOURCES/0026-CVE-2023-41909.patch
Normal file
@ -0,0 +1,34 @@
|
||||
From cfd04dcb3e689754a72507d086ba3b9709fc5ed8 Mon Sep 17 00:00:00 2001
|
||||
From: Donald Sharp <sharpd@nvidia.com>
|
||||
Date: Wed, 5 Apr 2023 14:57:05 -0400
|
||||
Subject: [PATCH] bgpd: Limit flowspec to no attribute means a implicit
|
||||
withdrawal
|
||||
|
||||
All other parsing functions done from bgp_nlri_parse() assume
|
||||
no attributes == an implicit withdrawal. Let's move
|
||||
bgp_nlri_parse_flowspec() into the same alignment.
|
||||
|
||||
Reported-by: Matteo Memelli <mmemelli@amazon.it>
|
||||
Signed-off-by: Donald Sharp <sharpd@nvidia.com>
|
||||
---
|
||||
bgpd/bgp_flowspec.c | 7 +++++++
|
||||
1 file changed, 7 insertions(+)
|
||||
|
||||
diff --git a/bgpd/bgp_flowspec.c b/bgpd/bgp_flowspec.c
|
||||
index f9debe43cd45..5e1be21402dc 100644
|
||||
--- a/bgpd/bgp_flowspec.c
|
||||
+++ b/bgpd/bgp_flowspec.c
|
||||
@@ -98,6 +98,13 @@ int bgp_nlri_parse_flowspec(struct peer *peer, struct attr *attr,
|
||||
afi = packet->afi;
|
||||
safi = packet->safi;
|
||||
|
||||
+ /*
|
||||
+ * All other AFI/SAFI's treat no attribute as a implicit
|
||||
+ * withdraw. Flowspec should as well.
|
||||
+ */
|
||||
+ if (!attr)
|
||||
+ withdraw = 1;
|
||||
+
|
||||
if (packet->length >= FLOWSPEC_NLRI_SIZELIMIT_EXTENDED) {
|
||||
flog_err(EC_BGP_FLOWSPEC_PACKET,
|
||||
"BGP flowspec nlri length maximum reached (%u)",
|
267
SOURCES/0027-dynamic-netlink-buffer.patch
Normal file
267
SOURCES/0027-dynamic-netlink-buffer.patch
Normal file
@ -0,0 +1,267 @@
|
||||
From 2cf7651f0b1b0123dc5568ebad00ac84a9b3c348 Mon Sep 17 00:00:00 2001
|
||||
From: Donald Sharp <sharpd@nvidia.com>
|
||||
Date: Wed, 2 Feb 2022 13:28:42 -0500
|
||||
Subject: [PATCH] zebra: Make netlink buffer reads resizeable when needed
|
||||
|
||||
Currently when the kernel sends netlink messages to FRR
|
||||
the buffers to receive this data is of fixed length.
|
||||
The kernel, with certain configurations, will send
|
||||
netlink messages that are larger than this fixed length.
|
||||
This leads to situations where, on startup, zebra gets
|
||||
really confused about the state of the kernel. Effectively
|
||||
the current algorithm is this:
|
||||
|
||||
read up to buffer in size
|
||||
while (data to parse)
|
||||
get netlink message header, look at size
|
||||
parse if you can
|
||||
|
||||
The problem is that there is a 32k buffer we read.
|
||||
We get the first message that is say 1k in size,
|
||||
subtract that 1k to 31k left to parse. We then
|
||||
get the next header and notice that the length
|
||||
of the message is 33k. Which is obviously larger
|
||||
than what we read in. FRR has no recover mechanism
|
||||
nor is there a way to know, a priori, what the maximum
|
||||
size the kernel will send us.
|
||||
|
||||
Modify FRR to look at the kernel message and see if the
|
||||
buffer is large enough, if not, make it large enough to
|
||||
read in the message.
|
||||
|
||||
This code has to be per netlink socket because of the usage
|
||||
of pthreads. So add to `struct nlsock` the buffer and current
|
||||
buffer length. Growing it as necessary.
|
||||
|
||||
Fixes: #10404
|
||||
Signed-off-by: Donald Sharp <sharpd@nvidia.com>
|
||||
---
|
||||
zebra/kernel_netlink.c | 68 +++++++++++++++++++++++++-----------------
|
||||
zebra/kernel_netlink.h | 2 +-
|
||||
zebra/zebra_dplane.c | 4 +++
|
||||
zebra/zebra_ns.h | 3 ++
|
||||
4 files changed, 49 insertions(+), 28 deletions(-)
|
||||
|
||||
diff --git a/zebra/kernel_netlink.h b/zebra/kernel_netlink.h
|
||||
index ae88f3372b1c..9421ea1c611a 100644
|
||||
--- a/zebra/kernel_netlink.h
|
||||
+++ b/zebra/kernel_netlink.h
|
||||
@@ -96,7 +96,7 @@ extern const char *nl_family_to_str(uint8_t family);
|
||||
extern const char *nl_rttype_to_str(uint8_t rttype);
|
||||
|
||||
extern int netlink_parse_info(int (*filter)(struct nlmsghdr *, ns_id_t, int),
|
||||
- const struct nlsock *nl,
|
||||
+ struct nlsock *nl,
|
||||
const struct zebra_dplane_info *dp_info,
|
||||
int count, int startup);
|
||||
extern int netlink_talk_filter(struct nlmsghdr *h, ns_id_t ns, int startup);
|
||||
diff --git a/zebra/zebra_ns.h b/zebra/zebra_ns.h
|
||||
index 0519e1d5b33d..7a0ffbc1ee6f 100644
|
||||
--- a/zebra/zebra_ns.h
|
||||
+++ b/zebra/zebra_ns.h
|
||||
@@ -39,6 +39,9 @@ struct nlsock {
|
||||
int seq;
|
||||
struct sockaddr_nl snl;
|
||||
char name[64];
|
||||
+
|
||||
+ uint8_t *buf;
|
||||
+ size_t buflen;
|
||||
};
|
||||
#endif
|
||||
|
||||
diff --git a/zebra/kernel_netlink.c b/zebra/kernel_netlink.c
|
||||
index b8eaeb1..14a40a9 100644
|
||||
--- a/zebra/kernel_netlink.c
|
||||
+++ b/zebra/kernel_netlink.c
|
||||
@@ -90,8 +90,6 @@
|
||||
*/
|
||||
#define NL_DEFAULT_BATCH_SEND_THRESHOLD (15 * NL_PKT_BUF_SIZE)
|
||||
|
||||
-#define NL_BATCH_RX_BUFSIZE NL_RCV_PKT_BUF_SIZE
|
||||
-
|
||||
static const struct message nlmsg_str[] = {{RTM_NEWROUTE, "RTM_NEWROUTE"},
|
||||
{RTM_DELROUTE, "RTM_DELROUTE"},
|
||||
{RTM_GETROUTE, "RTM_GETROUTE"},
|
||||
@@ -164,8 +162,6 @@ DEFINE_MTYPE_STATIC(ZEBRA, NL_BUF, "Zebra Netlink buffers")
|
||||
size_t nl_batch_tx_bufsize;
|
||||
char *nl_batch_tx_buf;
|
||||
|
||||
-char nl_batch_rx_buf[NL_BATCH_RX_BUFSIZE];
|
||||
-
|
||||
_Atomic uint32_t nl_batch_bufsize = NL_DEFAULT_BATCH_BUFSIZE;
|
||||
_Atomic uint32_t nl_batch_send_threshold = NL_DEFAULT_BATCH_SEND_THRESHOLD;
|
||||
|
||||
@@ -322,6 +318,9 @@ static int netlink_socket(struct nlsock *nl, unsigned long groups,
|
||||
|
||||
nl->snl = snl;
|
||||
nl->sock = sock;
|
||||
+ nl->buflen = NL_RCV_PKT_BUF_SIZE;
|
||||
+ nl->buf = XMALLOC(MTYPE_NL_BUF, nl->buflen);
|
||||
+
|
||||
return ret;
|
||||
}
|
||||
|
||||
@@ -729,19 +728,29 @@ static ssize_t netlink_send_msg(const struct nlsock *nl, void *buf,
|
||||
*
|
||||
* Returns -1 on error, 0 if read would block or the number of bytes received.
|
||||
*/
|
||||
-static int netlink_recv_msg(const struct nlsock *nl, struct msghdr msg,
|
||||
- void *buf, size_t buflen)
|
||||
+static int netlink_recv_msg(struct nlsock *nl, struct msghdr *msg)
|
||||
{
|
||||
struct iovec iov;
|
||||
int status;
|
||||
|
||||
- iov.iov_base = buf;
|
||||
- iov.iov_len = buflen;
|
||||
- msg.msg_iov = &iov;
|
||||
- msg.msg_iovlen = 1;
|
||||
+ iov.iov_base = nl->buf;
|
||||
+ iov.iov_len = nl->buflen;
|
||||
+ msg->msg_iov = &iov;
|
||||
+ msg->msg_iovlen = 1;
|
||||
|
||||
do {
|
||||
- status = recvmsg(nl->sock, &msg, 0);
|
||||
+ int bytes;
|
||||
+
|
||||
+ bytes = recv(nl->sock, NULL, 0, MSG_PEEK | MSG_TRUNC);
|
||||
+
|
||||
+ if (bytes >= 0 && (size_t)bytes > nl->buflen) {
|
||||
+ nl->buf = XREALLOC(MTYPE_NL_BUF, nl->buf, bytes);
|
||||
+ nl->buflen = bytes;
|
||||
+ iov.iov_base = nl->buf;
|
||||
+ iov.iov_len = nl->buflen;
|
||||
+ }
|
||||
+
|
||||
+ status = recvmsg(nl->sock, msg, 0);
|
||||
} while (status == -1 && errno == EINTR);
|
||||
|
||||
if (status == -1) {
|
||||
@@ -761,10 +770,10 @@ static int netlink_recv_msg(const struct nlsock *nl, struct msghdr msg,
|
||||
return -1;
|
||||
}
|
||||
|
||||
- if (msg.msg_namelen != sizeof(struct sockaddr_nl)) {
|
||||
+ if (msg->msg_namelen != sizeof(struct sockaddr_nl)) {
|
||||
flog_err(EC_ZEBRA_NETLINK_LENGTH_ERROR,
|
||||
"%s sender address length error: length %d", nl->name,
|
||||
- msg.msg_namelen);
|
||||
+ msg->msg_namelen);
|
||||
return -1;
|
||||
}
|
||||
|
||||
@@ -873,8 +882,7 @@ static int netlink_parse_error(const struct nlsock *nl, struct nlmsghdr *h,
|
||||
* the filter.
|
||||
*/
|
||||
int netlink_parse_info(int (*filter)(struct nlmsghdr *, ns_id_t, int),
|
||||
- const struct nlsock *nl,
|
||||
- const struct zebra_dplane_info *zns,
|
||||
+ struct nlsock *nl, const struct zebra_dplane_info *zns,
|
||||
int count, int startup)
|
||||
{
|
||||
int status;
|
||||
@@ -883,7 +891,6 @@ int netlink_parse_info(int (*filter)(struct nlmsghdr *, ns_id_t, int),
|
||||
int read_in = 0;
|
||||
|
||||
while (1) {
|
||||
- char buf[NL_RCV_PKT_BUF_SIZE];
|
||||
struct sockaddr_nl snl;
|
||||
struct msghdr msg = {.msg_name = (void *)&snl,
|
||||
.msg_namelen = sizeof(snl)};
|
||||
@@ -892,14 +899,14 @@ int netlink_parse_info(int (*filter)(struct nlmsghdr *, ns_id_t, int),
|
||||
if (count && read_in >= count)
|
||||
return 0;
|
||||
|
||||
- status = netlink_recv_msg(nl, msg, buf, sizeof(buf));
|
||||
+ status = netlink_recv_msg(nl, &msg);
|
||||
if (status == -1)
|
||||
return -1;
|
||||
else if (status == 0)
|
||||
break;
|
||||
|
||||
read_in++;
|
||||
- for (h = (struct nlmsghdr *)buf;
|
||||
+ for (h = (struct nlmsghdr *)nl->buf;
|
||||
(status >= 0 && NLMSG_OK(h, (unsigned int)status));
|
||||
h = NLMSG_NEXT(h, status)) {
|
||||
/* Finish of reading. */
|
||||
@@ -976,10 +983,10 @@ int netlink_parse_info(int (*filter)(struct nlmsghdr *, ns_id_t, int),
|
||||
*/
|
||||
static int
|
||||
netlink_talk_info(int (*filter)(struct nlmsghdr *, ns_id_t, int startup),
|
||||
- struct nlmsghdr *n, const struct zebra_dplane_info *dp_info,
|
||||
+ struct nlmsghdr *n, struct zebra_dplane_info *dp_info,
|
||||
int startup)
|
||||
{
|
||||
- const struct nlsock *nl;
|
||||
+ struct nlsock *nl;
|
||||
|
||||
nl = &(dp_info->nls);
|
||||
n->nlmsg_seq = nl->seq;
|
||||
@@ -1067,12 +1074,11 @@ static int nl_batch_read_resp(struct nl_batch *bth)
|
||||
* message at a time.
|
||||
*/
|
||||
while (true) {
|
||||
- status = netlink_recv_msg(nl, msg, nl_batch_rx_buf,
|
||||
- sizeof(nl_batch_rx_buf));
|
||||
+ status = netlink_recv_msg(nl, &msg);
|
||||
if (status == -1 || status == 0)
|
||||
return status;
|
||||
|
||||
- h = (struct nlmsghdr *)nl_batch_rx_buf;
|
||||
+ h = (struct nlmsghdr *)nl->buf;
|
||||
ignore_msg = false;
|
||||
seq = h->nlmsg_seq;
|
||||
/*
|
||||
@@ -1506,11 +1512,15 @@ void kernel_terminate(struct zebra_ns *zns, bool complete)
|
||||
if (zns->netlink.sock >= 0) {
|
||||
close(zns->netlink.sock);
|
||||
zns->netlink.sock = -1;
|
||||
+ XFREE(MTYPE_NL_BUF, zns->netlink.buf);
|
||||
+ zns->netlink.buflen = 0;
|
||||
}
|
||||
|
||||
if (zns->netlink_cmd.sock >= 0) {
|
||||
close(zns->netlink_cmd.sock);
|
||||
zns->netlink_cmd.sock = -1;
|
||||
+ XFREE(MTYPE_NL_BUF, zns->netlink_cmd.buf);
|
||||
+ zns->netlink_cmd.buflen = 0;
|
||||
}
|
||||
|
||||
/* During zebra shutdown, we need to leave the dataplane socket
|
||||
@@ -1520,6 +1530,8 @@ void kernel_terminate(struct zebra_ns *zns, bool complete)
|
||||
if (zns->netlink_dplane.sock >= 0) {
|
||||
close(zns->netlink_dplane.sock);
|
||||
zns->netlink_dplane.sock = -1;
|
||||
+ XFREE(MTYPE_NL_BUF, zns->netlink_dplane.buf);
|
||||
+ zns->netlink_dplane.buflen = 0;
|
||||
}
|
||||
}
|
||||
}
|
||||
diff --git a/zebra/kernel_netlink.c b/zebra/kernel_netlink.c
|
||||
index 14a40a9..2b566d4 100644
|
||||
--- a/zebra/kernel_netlink.c
|
||||
+++ b/zebra/kernel_netlink.c
|
||||
@@ -779,7 +779,7 @@ static int netlink_recv_msg(struct nlsock *nl, struct msghdr *msg)
|
||||
|
||||
if (IS_ZEBRA_DEBUG_KERNEL_MSGDUMP_RECV) {
|
||||
zlog_debug("%s: << netlink message dump [recv]", __func__);
|
||||
- zlog_hexdump(buf, status);
|
||||
+ zlog_hexdump(nl->buf, status);
|
||||
}
|
||||
|
||||
return status;
|
||||
diff --git a/zebra/kernel_netlink.c b/zebra/kernel_netlink.c
|
||||
index 2b566d4..0564a6b 100644
|
||||
--- a/zebra/kernel_netlink.c
|
||||
+++ b/zebra/kernel_netlink.c
|
||||
@@ -1060,7 +1060,7 @@ static int nl_batch_read_resp(struct nl_batch *bth)
|
||||
struct sockaddr_nl snl;
|
||||
struct msghdr msg = {};
|
||||
int status, seq;
|
||||
- const struct nlsock *nl;
|
||||
+ struct nlsock *nl;
|
||||
struct zebra_dplane_ctx *ctx;
|
||||
bool ignore_msg;
|
||||
|
@ -7,7 +7,7 @@
|
||||
|
||||
Name: frr
|
||||
Version: 7.5.1
|
||||
Release: 13%{?checkout}%{?dist}
|
||||
Release: 22%{?checkout}%{?dist}
|
||||
Summary: Routing daemon
|
||||
License: GPLv2+
|
||||
URL: http://www.frrouting.org
|
||||
@ -55,6 +55,18 @@ Patch0012: 0012-graceful-restart.patch
|
||||
Patch0013: 0013-CVE-2022-37032.patch
|
||||
Patch0014: 0014-bfd-profile-crash.patch
|
||||
Patch0015: 0015-max-ttl-reload.patch
|
||||
Patch0016: 0016-CVE-2023-38802.patch
|
||||
Patch0017: 0017-fix-crash-in-plist-update.patch
|
||||
Patch0018: 0018-CVE-2023-38406.patch
|
||||
Patch0019: 0019-CVE-2023-38407.patch
|
||||
Patch0020: 0020-CVE-2023-47234.patch
|
||||
Patch0021: 0021-CVE-2023-47235.patch
|
||||
Patch0022: 0022-route-map-event.patch
|
||||
Patch0023: 0023-CVE-2023-46752.patch
|
||||
Patch0024: 0024-CVE-2023-46753.patch
|
||||
Patch0025: 0025-CVE-2023-31490.patch
|
||||
Patch0026: 0026-CVE-2023-41909.patch
|
||||
Patch0027: 0027-dynamic-netlink-buffer.patch
|
||||
|
||||
%description
|
||||
FRRouting is free software that manages TCP/IP based routing protocols. It takes
|
||||
@ -275,6 +287,36 @@ make check PYTHON=%{__python3}
|
||||
%endif
|
||||
|
||||
%changelog
|
||||
* Wed Feb 07 2024 Michal Ruprich <mruprich@redhat.com> - 7.5.1-22
|
||||
- Resolves: RHEL-22303 - Zebra not fetching host routes
|
||||
|
||||
* Wed Feb 07 2024 Michal Ruprich <mruprich@redhat.com> - 7.5.1-21
|
||||
- Resolves: RHEL-2216 - NULL pointer dereference
|
||||
|
||||
* Wed Feb 07 2024 Michal Ruprich <mruprich@redhat.com> - 7.5.1-20
|
||||
- Resolves: RHEL-4797 - missing length check in bgp_attr_psid_sub() can lead do DoS
|
||||
|
||||
* Mon Feb 05 2024 Michal Ruprich <mruprich@redhat.com> - 7.5.1-19
|
||||
- Resolves: RHEL-14824 - crafted BGP UPDATE message leading to a crash
|
||||
|
||||
* Mon Feb 05 2024 Michal Ruprich <mruprich@redhat.com> - 7.5.1-18
|
||||
- Resolves: RHEL-14821 - mishandled malformed data leading to a crash
|
||||
|
||||
* Tue Dec 19 2023 Michal Ruprich <mruprich@redhat.com> - 7.5.1-17
|
||||
- Resolves: RHEL-6583 - Routes are not refreshed after changing the inbound route rules from deny to permit
|
||||
|
||||
* Tue Dec 19 2023 Michal Ruprich <mruprich@redhat.com> - 7.5.1-16
|
||||
- Resolves: RHEL-15916 - Flowspec overflow in bgpd/bgp_flowspec.c
|
||||
- Resolves: RHEL-15919 - Out of bounds read in bgpd/bgp_label.c
|
||||
- Resolves: RHEL-15869 - crash from specially crafted MP_UNREACH_NLRI-containing BGP UPDATE message
|
||||
- Resolves: RHEL-15868 - crash from malformed EOR-containing BGP UPDATE message
|
||||
|
||||
* Thu Oct 19 2023 Andreas Karis <akaris@redhat.com> - 7.5.1-15
|
||||
- Resolves: RHEL-12039 - crash in plist update
|
||||
|
||||
* Fri Oct 13 2023 Michal Ruprich <mruprich@redhat.com> - 7.5.1-14
|
||||
- Resolves: RHEL-6617 - Incorrect handling of a error in parsing of an invalid section of a BGP update can de-peer a router
|
||||
|
||||
* Tue Oct 10 2023 Michal Ruprich <mruprich@redhat.com> - 7.5.1-13
|
||||
- Resolves: RHEL-2263 - eBGP multihop peer flapping due to delta miscalculation of new configuration
|
||||
|
||||
|
Loading…
Reference in New Issue
Block a user