From 9eafa3241bfeeb785f8a88c0284838b04ee15788 Mon Sep 17 00:00:00 2001
From: Michal Ruprich
Date: Mon, 5 Feb 2024 09:34:26 +0100
Subject: [PATCH] Resolves: RHEL-14822 - mishandled malformed data leading to a crash
---
0007-CVE-2023-46752.patch | 76 +++++++++++++++++++++++++++++++++++++++
frr.spec | 6 +++-
2 files changed, 81 insertions(+), 1 deletion(-)
create mode 100644 0007-CVE-2023-46752.patch
diff --git a/0007-CVE-2023-46752.patch b/0007-CVE-2023-46752.patch
new file mode 100644
index 0000000..054853e
--- /dev/null
+++ b/0007-CVE-2023-46752.patch
@@ -0,0 +1,76 @@
+From b08afc81c60607a4f736f418f2e3eb06087f1a35 Mon Sep 17 00:00:00 2001
+From: Donatas Abraitis
+Date: Fri, 20 Oct 2023 17:49:18 +0300
+Subject: [PATCH] bgpd: Handle MP_REACH_NLRI malformed packets with session
+ reset
+
+Avoid crashing bgpd.
+
+Reported-by: Iggy Frankovic
+Signed-off-by: Donatas Abraitis
+---
+ bgpd/bgp_attr.c | 6 +-----
+ bgpd/bgp_attr.h | 1 -
+ bgpd/bgp_packet.c | 6 +-----
+ 3 files changed, 2 insertions(+), 11 deletions(-)
+
+diff --git a/bgpd/bgp_attr.c b/bgpd/bgp_attr.c
+index 6925aff727e2..e7bb42a5d989 100644
+--- a/bgpd/bgp_attr.c
++++ b/bgpd/bgp_attr.c
+@@ -2421,7 +2421,7 @@ int bgp_mp_reach_parse(struct bgp_attr_parser_args *args,
+
+ mp_update->afi = afi;
+ mp_update->safi = safi;
+- return BGP_ATTR_PARSE_EOR;
++ return bgp_attr_malformed(args, BGP_NOTIFY_UPDATE_MAL_ATTR, 0);
+ }
+
+ mp_update->afi = afi;
+@@ -3759,10 +3759,6 @@ enum bgp_attr_parse_ret bgp_attr_parse(struct peer *peer, struct attr *attr,
+ goto done;
+ }
+
+- if (ret == BGP_ATTR_PARSE_EOR) {
+- goto done;
+- }
+-
+ if (ret == BGP_ATTR_PARSE_ERROR) {
+ flog_warn(EC_BGP_ATTRIBUTE_PARSE_ERROR,
+ "%s: Attribute %s, parse error", peer->host,
+diff --git a/bgpd/bgp_attr.h b/bgpd/bgp_attr.h
+index 961e5f122470..fc347e7a1b4b 100644
+--- a/bgpd/bgp_attr.h
++++ b/bgpd/bgp_attr.h
+@@ -364,7 +364,6 @@ enum bgp_attr_parse_ret {
+ /* only used internally, send notify + convert to BGP_ATTR_PARSE_ERROR
+ */
+ BGP_ATTR_PARSE_ERROR_NOTIFYPLS = -3,
+- BGP_ATTR_PARSE_EOR = -4,
+ BGP_ATTR_PARSE_MISSING_MANDATORY = -5,
+ };
+
+diff --git a/bgpd/bgp_packet.c b/bgpd/bgp_packet.c
+index b585591e2f69..5ecf343b6657 100644
+--- a/bgpd/bgp_packet.c
++++ b/bgpd/bgp_packet.c
+@@ -2397,8 +2397,7 @@ static int bgp_update_receive(struct peer_connection *connection,
+ * Non-MP IPv4/Unicast EoR is a completely empty UPDATE
+ * and MP EoR should have only an empty MP_UNREACH
+ */
+- if ((!update_len && !withdraw_len && nlris[NLRI_MP_UPDATE].length == 0)
+- || (attr_parse_ret == BGP_ATTR_PARSE_EOR)) {
++ if (!update_len && !withdraw_len && nlris[NLRI_MP_UPDATE].length == 0) {
+ afi_t afi = 0;
+ safi_t safi;
+ struct graceful_restart_info *gr_info;
+@@ -2419,9 +2418,6 @@ static int bgp_update_receive(struct peer_connection *connection,
+ && nlris[NLRI_MP_WITHDRAW].length == 0) {
+ afi = nlris[NLRI_MP_WITHDRAW].afi;
+ safi = nlris[NLRI_MP_WITHDRAW].safi;
+- } else if (attr_parse_ret == BGP_ATTR_PARSE_EOR) {
+- afi = nlris[NLRI_MP_UPDATE].afi;
+- safi = nlris[NLRI_MP_UPDATE].safi;
+ }
+
+ if (afi && peer->afc[afi][safi]) {
diff --git a/frr.spec b/frr.spec
index 1ddb3d0..b40d116 100644
--- a/frr.spec
+++ b/frr.spec
@@ -7,7 +7,7 @@ Name: frr Version: 8.5.3 -Release: 2%{?checkout}%{?dist} +Release: 3%{?checkout}%{?dist} Summary: Routing daemon License: GPLv2+ URL: http://www.frrouting.org
@@ -69,6 +69,7 @@ Patch0003: 0003-disable-eigrp-crypto.patch Patch0004: 0004-fips-mode.patch Patch0005: 0005-CVE-2023-47235.patch Patch0006: 0006-CVE-2023-47234.patch +Patch0007: 0007-CVE-2023-46752.patch %description FRRouting is free software that manages TCP/IP based routing protocols. It takes
@@ -274,6 +275,9 @@ make check PYTHON=%{__python3} %endif %changelog +* Mon Feb 05 2024 Michal Ruprich - 8.5.3-3 +- Resolves: RHEL-14822 - mishandled malformed data leading to a crash + * Mon Dec 18 2023 Michal Ruprich - 8.5.3-2 - Resolves: RHEL-15915 - crash from specially crafted MP_UNREACH_NLRI-containing BGP UPDATE message - Resolves: RHEL-15918 - crash from malformed EOR-containing BGP UPDATE message
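Review bot: In the bgp_mp_reach_parse hunk of the added 0007 patch, the stores `mp_update->afi = afi;` and `mp_update->safi = safi;` stay directly above the new `return bgp_attr_malformed(args, BGP_NOTIFY_UPDATE_MAL_ATTR, 0);`, yet the only consumer of those fields on this path that the patch shows, the `else if (attr_parse_ret == BGP_ATTR_PARSE_EOR)` branch in bgp_update_receive, is removed in the same change. If nothing outside these hunks reads the MP update record after a malformed-attribute return, the two stores can be dropped so the error path leaves no partially filled NLRI state behind; if something does, a comment naming that reader is warranted. The new return would also benefit from a one-line reason, for example `/* MP EoR is an empty MP_UNREACH only; an MP_REACH that ends up here is malformed */`, because the condition guarding this block starts outside the hunk. Since the result is now a NOTIFICATION and session reset instead of an EoR, any log message earlier in that branch (not visible here) should be checked so it still describes what happens, which matters for operators correlating session flaps with malformed UPDATEs.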