From ed97b4ca4b70df90d4ce5847a148df326baa6945 Mon Sep 17 00:00:00 2001 From: Michal Ruprich Date: Mon, 5 Feb 2024 10:21:30 +0100 Subject: [PATCH] Resolves: RHEL-14825 - crafted BGP UPDATE message leading to a crash --- 0008-CVE-2023-46753.patch | 60 +++++++++++++++++++++++++++++++++++++++ frr.spec | 6 +++- 2 files changed, 65 insertions(+), 1 deletion(-) create mode 100644 0008-CVE-2023-46753.patch diff --git a/0008-CVE-2023-46753.patch b/0008-CVE-2023-46753.patch new file mode 100644 index 0000000..f1f0611 --- /dev/null +++ b/0008-CVE-2023-46753.patch @@ -0,0 +1,60 @@ +From d8482bf011cb2b173e85b65b4bf3d5061250cdb9 Mon Sep 17 00:00:00 2001 +From: Donatas Abraitis +Date: Mon, 23 Oct 2023 23:34:10 +0300 +Subject: [PATCH] bgpd: Check mandatory attributes more carefully for UPDATE + message + +If we send a crafted BGP UPDATE message without mandatory attributes, we do +not check if the length of the path attributes is zero or not. We only check +if attr->flag is at least set or not. Imagine we send only unknown transit +attribute, then attr->flag is always 0. Also, this is true only if graceful-restart +capability is received. + +Reported-by: Iggy Frankovic +Signed-off-by: Donatas Abraitis +--- + bgpd/bgp_attr.c | 10 ++++++---- + 1 file changed, 6 insertions(+), 4 deletions(-) + +diff --git a/bgpd/bgp_attr.c b/bgpd/bgp_attr.c +index 26fd3de..bcc4424 100644 +--- a/bgpd/bgp_attr.c ++++ b/bgpd/bgp_attr.c +@@ -3400,7 +3400,8 @@ bgp_attr_unknown(struct bgp_attr_parser_args *args) + } + + /* Well-known attribute check. */ +-static int bgp_attr_check(struct peer *peer, struct attr *attr) ++static int bgp_attr_check(struct peer *peer, struct attr *attr, ++ bgp_size_t length) + { + uint8_t type = 0; + +@@ -3409,7 +3410,8 @@ static int bgp_attr_check(struct peer *peer, struct attr *attr) + * we will pass it to be processed as a normal UPDATE without mandatory + * attributes, that could lead to harmful behavior. + */ +- if (CHECK_FLAG(peer->cap, PEER_CAP_RESTART_RCV) && !attr->flag) ++ if (CHECK_FLAG(peer->cap, PEER_CAP_RESTART_RCV) && !attr->flag && ++ !length) + return BGP_ATTR_PARSE_WITHDRAW; + + if (!CHECK_FLAG(attr->flag, ATTR_FLAG_BIT(BGP_ATTR_ORIGIN))) +@@ -3462,7 +3464,7 @@ enum bgp_attr_parse_ret bgp_attr_parse(struct peer *peer, struct attr *attr, + enum bgp_attr_parse_ret ret; + uint8_t flag = 0; + uint8_t type = 0; +- bgp_size_t length; ++ bgp_size_t length = 0; + uint8_t *startp, *endp; + uint8_t *attr_endp; + uint8_t seen[BGP_ATTR_BITMAP_SIZE]; +@@ -3785,7 +3787,7 @@ enum bgp_attr_parse_ret bgp_attr_parse(struct peer *peer, struct attr *attr, + } + + /* Check all mandatory well-known attributes are present */ +- ret = bgp_attr_check(peer, attr); ++ ret = bgp_attr_check(peer, attr, length); + if (ret < 0) + goto done; + diff --git a/frr.spec b/frr.spec index b40d116..e9b8a38 100644 --- a/frr.spec +++ b/frr.spec @@ -7,7 +7,7 @@ Name: frr Version: 8.5.3 -Release: 3%{?checkout}%{?dist} +Release: 4%{?checkout}%{?dist} Summary: Routing daemon License: GPLv2+ URL: http://www.frrouting.org @@ -70,6 +70,7 @@ Patch0004: 0004-fips-mode.patch Patch0005: 0005-CVE-2023-47235.patch Patch0006: 0006-CVE-2023-47234.patch Patch0007: 0007-CVE-2023-46752.patch +Patch0008: 0008-CVE-2023-46753.patch %description FRRouting is free software that manages TCP/IP based routing protocols. It takes @@ -275,6 +276,9 @@ make check PYTHON=%{__python3} %endif %changelog +* Mon Feb 05 2024 Michal Ruprich - 8.5.3-4 +- Resolves: RHEL-14825 - crafted BGP UPDATE message leading to a crash + * Mon Feb 05 2024 Michal Ruprich - 8.5.3-3 - Resolves: RHEL-14822 - mishandled malformed data leading to a crash