Resolves: RHEL-6617 - Incorrect handling of a error in parsing of an invalid section of a BGP update can de-peer a router

2023-10-13 09:08:32 +02:00 · 2023-10-13 09:08:32 +02:00 · bbe99e6e9f
commit bbe99e6e9f
parent 5481c6a69a
2 changed files with 134 additions and 1 deletions
--- a/0016-CVE-2023-38802.patch
+++ b/0016-CVE-2023-38802.patch
@ -0,0 +1,129 @@
+From 46817adab03802355c3cce7b753c7a735bdcc5ae Mon Sep 17 00:00:00 2001
+From: Donatas Abraitis <donatas@opensourcerouting.org>
+Date: Thu, 13 Jul 2023 22:32:03 +0300
+Subject: [PATCH] bgpd: Use treat-as-withdraw for tunnel encapsulation
+ attribute
+
+Before this path we used session reset method, which is discouraged by rfc7606.
+
+Handle this as rfc requires.
+
+Signed-off-by: Donatas Abraitis <donatas@opensourcerouting.org>
+(cherry picked from commit bcb6b58d9530173df41d3a3cbc4c600ee0b4b186)
+---
+ bgpd/bgp_attr.c | 61 ++++++++++++++++++++-----------------------------
+ 1 file changed, 25 insertions(+), 36 deletions(-)
+
+diff --git a/bgpd/bgp_attr.c b/bgpd/bgp_attr.c
+index 058fae23cbd..1c0803cfd8e 100644
+--- a/bgpd/bgp_attr.c
+++ b/bgpd/bgp_attr.c
+@@ -1301,6 +1301,7 @@ bgp_attr_malformed(struct bgp_attr_parser_args *args, uint8_t subcode,
+ 	case BGP_ATTR_LARGE_COMMUNITIES:
+ 	case BGP_ATTR_ORIGINATOR_ID:
+ 	case BGP_ATTR_CLUSTER_LIST:
+	case BGP_ATTR_ENCAP:
+ 		return BGP_ATTR_PARSE_WITHDRAW;
+ 	case BGP_ATTR_MP_REACH_NLRI:
+ 	case BGP_ATTR_MP_UNREACH_NLRI:
+@@ -2434,26 +2435,21 @@ bgp_attr_ipv6_ext_communities(struct bgp_attr_parser_args *args)
+ }
+ 
+ /* Parse Tunnel Encap attribute in an UPDATE */
+-static int bgp_attr_encap(uint8_t type, struct peer *peer, /* IN */
+-			  bgp_size_t length, /* IN: attr's length field */
+-			  struct attr *attr, /* IN: caller already allocated */
+-			  uint8_t flag,      /* IN: attr's flags field */
+-			  uint8_t *startp)
+static int bgp_attr_encap(struct bgp_attr_parser_args *args)
+ {
+-	bgp_size_t total;
+ 	uint16_t tunneltype = 0;
+-
+-	total = length + (CHECK_FLAG(flag, BGP_ATTR_FLAG_EXTLEN) ? 4 : 3);
+	struct peer *const peer = args->peer;
+	struct attr *const attr = args->attr;
+	bgp_size_t length = args->length;
+	uint8_t type = args->type;
+	uint8_t flag = args->flags;
+ 
+ 	if (!CHECK_FLAG(flag, BGP_ATTR_FLAG_TRANS)
+ 	    || !CHECK_FLAG(flag, BGP_ATTR_FLAG_OPTIONAL)) {
+-		zlog_info(
+-			"Tunnel Encap attribute flag isn't optional and transitive %d",
+-			flag);
+-		bgp_notify_send_with_data(peer, BGP_NOTIFY_UPDATE_ERR,
+-					  BGP_NOTIFY_UPDATE_ATTR_FLAG_ERR,
+-					  startp, total);
+-		return -1;
+		zlog_err("Tunnel Encap attribute flag isn't optional and transitive %d",
+			 flag);
+		return bgp_attr_malformed(args, BGP_NOTIFY_UPDATE_OPT_ATTR_ERR,
+					  args->total);
+ 	}
+ 
+ 	if (BGP_ATTR_ENCAP == type) {
+@@ -2461,12 +2457,11 @@ static int bgp_attr_encap(uint8_t type, struct peer *peer, /* IN */
+ 		uint16_t tlv_length;
+ 
+ 		if (length < 4) {
+-			zlog_info(
+			zlog_err(
+ 				"Tunnel Encap attribute not long enough to contain outer T,L");
+-			bgp_notify_send_with_data(
+-				peer, BGP_NOTIFY_UPDATE_ERR,
+-				BGP_NOTIFY_UPDATE_OPT_ATTR_ERR, startp, total);
+-			return -1;
+			return bgp_attr_malformed(args,
+						  BGP_NOTIFY_UPDATE_OPT_ATTR_ERR,
+						  args->total);
+ 		}
+ 		tunneltype = stream_getw(BGP_INPUT(peer));
+ 		tlv_length = stream_getw(BGP_INPUT(peer));
+@@ -2496,13 +2491,11 @@ static int bgp_attr_encap(uint8_t type, struct peer *peer, /* IN */
+ 		}
+ 
+ 		if (sublength > length) {
+-			zlog_info(
+-				"Tunnel Encap attribute sub-tlv length %d exceeds remaining length %d",
+-				sublength, length);
+-			bgp_notify_send_with_data(
+-				peer, BGP_NOTIFY_UPDATE_ERR,
+-				BGP_NOTIFY_UPDATE_OPT_ATTR_ERR, startp, total);
+-			return -1;
+			zlog_err("Tunnel Encap attribute sub-tlv length %d exceeds remaining length %d",
+				 sublength, length);
+			return bgp_attr_malformed(args,
+						  BGP_NOTIFY_UPDATE_OPT_ATTR_ERR,
+						  args->total);
+ 		}
+ 
+ 		/* alloc and copy sub-tlv */
+@@ -2550,13 +2543,10 @@ static int bgp_attr_encap(uint8_t type, struct peer *peer, /* IN */
+ 
+ 	if (length) {
+ 		/* spurious leftover data */
+-		zlog_info(
+-			"Tunnel Encap attribute length is bad: %d leftover octets",
+-			length);
+-		bgp_notify_send_with_data(peer, BGP_NOTIFY_UPDATE_ERR,
+-					  BGP_NOTIFY_UPDATE_OPT_ATTR_ERR,
+-					  startp, total);
+-		return -1;
+		zlog_err("Tunnel Encap attribute length is bad: %d leftover octets",
+			 length);
+		return bgp_attr_malformed(args, BGP_NOTIFY_UPDATE_OPT_ATTR_ERR,
+					  args->total);
+ 	}
+ 
+ 	return 0;
+@@ -3396,8 +3386,7 @@ enum bgp_attr_parse_ret bgp_attr_parse(struct peer *peer, struct attr *attr,
+ 		case BGP_ATTR_VNC:
+ #endif
+ 		case BGP_ATTR_ENCAP:
+-			ret = bgp_attr_encap(type, peer, length, attr, flag,
+-					     startp);
+			ret = bgp_attr_encap(&attr_args);
+ 			break;
+ 		case BGP_ATTR_PREFIX_SID:
+ 			ret = bgp_attr_prefix_sid(&attr_args);
--- a/frr.spec
+++ b/frr.spec
@ -7,7 +7,7 @@

 Name: frr
 Version: 7.5.1
-Release: 13%{?checkout}%{?dist}
+Release: 14%{?checkout}%{?dist}
 Summary: Routing daemon
 License: GPLv2+
 URL: http://www.frrouting.org
@ -55,6 +55,7 @@ Patch0012: 0012-graceful-restart.patch
 Patch0013: 0013-CVE-2022-37032.patch
 Patch0014: 0014-bfd-profile-crash.patch
 Patch0015: 0015-max-ttl-reload.patch
+Patch0016: 0016-CVE-2023-38802.patch

 %description
 FRRouting is free software that manages TCP/IP based routing protocols. It takes
@ -275,6 +276,9 @@ make check PYTHON=%{__python3}
 %endif

 %changelog
+* Fri Oct 13 2023 Michal Ruprich <mruprich@redhat.com> - 7.5.1-14
+- Resolves: RHEL-6617 - Incorrect handling of a error in parsing of an invalid section of a BGP update can de-peer a router
+
 * Tue Oct 10 2023 Michal Ruprich <mruprich@redhat.com> - 7.5.1-13
 - Resolves: RHEL-2263 - eBGP multihop peer flapping due to delta miscalculation of new configuration