Resolves: RHEL-14825 - crafted BGP UPDATE message leading to a crash

Resolves: RHEL-15918 - crash from malformed EOR-containing BGP UPDATE message

0007-CVE-2023-46752.patch

@@ -0,0 +1,76 @@
+From b08afc81c60607a4f736f418f2e3eb06087f1a35 Mon Sep 17 00:00:00 2001
+From: Donatas Abraitis <donatas@opensourcerouting.org>
+Date: Fri, 20 Oct 2023 17:49:18 +0300
+Subject: [PATCH] bgpd: Handle MP_REACH_NLRI malformed packets with session
+ reset
+
+Avoid crashing bgpd.
+
+Reported-by: Iggy Frankovic <iggyfran@amazon.com>
+Signed-off-by: Donatas Abraitis <donatas@opensourcerouting.org>
+---
+ bgpd/bgp_attr.c   | 6 +-----
+ bgpd/bgp_attr.h   | 1 -
+ bgpd/bgp_packet.c | 6 +-----
+ 3 files changed, 2 insertions(+), 11 deletions(-)
+
+diff --git a/bgpd/bgp_attr.c b/bgpd/bgp_attr.c
+index 6925aff727e2..e7bb42a5d989 100644
+--- a/bgpd/bgp_attr.c
++++ b/bgpd/bgp_attr.c
+@@ -2421,7 +2421,7 @@ int bgp_mp_reach_parse(struct bgp_attr_parser_args *args,
+ 
+ 		mp_update->afi = afi;
+ 		mp_update->safi = safi;
+-		return BGP_ATTR_PARSE_EOR;
++		return bgp_attr_malformed(args, BGP_NOTIFY_UPDATE_MAL_ATTR, 0);
+ 	}
+ 
+ 	mp_update->afi = afi;
+@@ -3759,10 +3759,6 @@ enum bgp_attr_parse_ret bgp_attr_parse(struct peer *peer, struct attr *attr,
+ 			goto done;
+ 		}
+ 
+-		if (ret == BGP_ATTR_PARSE_EOR) {
+-			goto done;
+-		}
+-
+ 		if (ret == BGP_ATTR_PARSE_ERROR) {
+ 			flog_warn(EC_BGP_ATTRIBUTE_PARSE_ERROR,
+ 				  "%s: Attribute %s, parse error", peer->host,
+diff --git a/bgpd/bgp_attr.h b/bgpd/bgp_attr.h
+index 961e5f122470..fc347e7a1b4b 100644
+--- a/bgpd/bgp_attr.h
++++ b/bgpd/bgp_attr.h
+@@ -364,7 +364,6 @@ enum bgp_attr_parse_ret {
+ 	/* only used internally, send notify + convert to BGP_ATTR_PARSE_ERROR
+ 	 */
+ 	BGP_ATTR_PARSE_ERROR_NOTIFYPLS = -3,
+-	BGP_ATTR_PARSE_EOR = -4,
+ 	BGP_ATTR_PARSE_MISSING_MANDATORY = -5,
+ };
+ 
+diff --git a/bgpd/bgp_packet.c b/bgpd/bgp_packet.c
+index b585591e2f69..5ecf343b6657 100644
+--- a/bgpd/bgp_packet.c
++++ b/bgpd/bgp_packet.c
+@@ -2397,8 +2397,7 @@ static int bgp_update_receive(struct peer_connection *connection,
+ 	 * Non-MP IPv4/Unicast EoR is a completely empty UPDATE
+ 	 * and MP EoR should have only an empty MP_UNREACH
+ 	 */
+-	if ((!update_len && !withdraw_len && nlris[NLRI_MP_UPDATE].length == 0)
+-	    || (attr_parse_ret == BGP_ATTR_PARSE_EOR)) {
++	if (!update_len && !withdraw_len && nlris[NLRI_MP_UPDATE].length == 0) {
+ 		afi_t afi = 0;
+ 		safi_t safi;
+ 		struct graceful_restart_info *gr_info;
+@@ -2419,9 +2418,6 @@ static int bgp_update_receive(struct peer_connection *connection,
+ 			   && nlris[NLRI_MP_WITHDRAW].length == 0) {
+ 			afi = nlris[NLRI_MP_WITHDRAW].afi;
+ 			safi = nlris[NLRI_MP_WITHDRAW].safi;
+-		} else if (attr_parse_ret == BGP_ATTR_PARSE_EOR) {
+-			afi = nlris[NLRI_MP_UPDATE].afi;
+-			safi = nlris[NLRI_MP_UPDATE].safi;
+ 		}
+ 
+ 		if (afi && peer->afc[afi][safi]) {

0008-CVE-2023-46753.patch

@@ -0,0 +1,60 @@
+From d8482bf011cb2b173e85b65b4bf3d5061250cdb9 Mon Sep 17 00:00:00 2001
+From: Donatas Abraitis <donatas@opensourcerouting.org>
+Date: Mon, 23 Oct 2023 23:34:10 +0300
+Subject: [PATCH] bgpd: Check mandatory attributes more carefully for UPDATE
+ message
+
+If we send a crafted BGP UPDATE message without mandatory attributes, we do
+not check if the length of the path attributes is zero or not. We only check
+if attr->flag is at least set or not. Imagine we send only unknown transit
+attribute, then attr->flag is always 0. Also, this is true only if graceful-restart
+capability is received.
+
+Reported-by: Iggy Frankovic <iggyfran@amazon.com>
+Signed-off-by: Donatas Abraitis <donatas@opensourcerouting.org>
+---
+ bgpd/bgp_attr.c | 10 ++++++----
+ 1 file changed, 6 insertions(+), 4 deletions(-)
+
+diff --git a/bgpd/bgp_attr.c b/bgpd/bgp_attr.c
+index 26fd3de..bcc4424 100644
+--- a/bgpd/bgp_attr.c
++++ b/bgpd/bgp_attr.c
+@@ -3400,7 +3400,8 @@ bgp_attr_unknown(struct bgp_attr_parser_args *args)
+ }
+ 
+ /* Well-known attribute check. */
+-static int bgp_attr_check(struct peer *peer, struct attr *attr)
++static int bgp_attr_check(struct peer *peer, struct attr *attr,
++           bgp_size_t length)
+ {
+ 	uint8_t type = 0;
+ 
+@@ -3409,7 +3410,8 @@ static int bgp_attr_check(struct peer *peer, struct attr *attr)
+ 	 * we will pass it to be processed as a normal UPDATE without mandatory
+ 	 * attributes, that could lead to harmful behavior.
+ 	 */
+-	if (CHECK_FLAG(peer->cap, PEER_CAP_RESTART_RCV) && !attr->flag)
++	if (CHECK_FLAG(peer->cap, PEER_CAP_RESTART_RCV) && !attr->flag &&
++      !length)
+ 		return BGP_ATTR_PARSE_WITHDRAW;
+ 
+ 	if (!CHECK_FLAG(attr->flag, ATTR_FLAG_BIT(BGP_ATTR_ORIGIN)))
+@@ -3462,7 +3464,7 @@ enum bgp_attr_parse_ret bgp_attr_parse(struct peer *peer, struct attr *attr,
+ 	enum bgp_attr_parse_ret ret;
+ 	uint8_t flag = 0;
+ 	uint8_t type = 0;
+-	bgp_size_t length;
++	bgp_size_t length = 0;
+ 	uint8_t *startp, *endp;
+ 	uint8_t *attr_endp;
+ 	uint8_t seen[BGP_ATTR_BITMAP_SIZE];
+@@ -3785,7 +3787,7 @@ enum bgp_attr_parse_ret bgp_attr_parse(struct peer *peer, struct attr *attr,
+ 	}
+ 
+ 	/* Check all mandatory well-known attributes are present */
+-	ret = bgp_attr_check(peer, attr);
++	ret = bgp_attr_check(peer, attr, length);
+ 	if (ret < 0)
+ 		goto done;
+ 

frr.spec

@@ -7,7 +7,7 @@
 
 Name: frr
 Version: 8.5.3
-Release: 2%{?checkout}%{?dist}
+Release: 4%{?checkout}%{?dist}
 Summary: Routing daemon
 License: GPLv2+
 URL: http://www.frrouting.org
@@ -69,6 +69,8 @@ Patch0003: 0003-disable-eigrp-crypto.patch
 Patch0004: 0004-fips-mode.patch
 Patch0005: 0005-CVE-2023-47235.patch
 Patch0006: 0006-CVE-2023-47234.patch
+Patch0007: 0007-CVE-2023-46752.patch
+Patch0008: 0008-CVE-2023-46753.patch
 
 %description
 FRRouting is free software that manages TCP/IP based routing protocols. It takes
@@ -274,6 +276,12 @@ make check PYTHON=%{__python3}
 %endif
 
 %changelog
+* Mon Feb 05 2024 Michal Ruprich <mruprich@redhat.com> - 8.5.3-4
+- Resolves: RHEL-14825 - crafted BGP UPDATE message leading to a crash
+
+* Mon Feb 05 2024 Michal Ruprich <mruprich@redhat.com> - 8.5.3-3
+- Resolves: RHEL-14822 - mishandled malformed data leading to a crash
+
 * Mon Dec 18 2023 Michal Ruprich <mruprich@redhat.com> - 8.5.3-2
 - Resolves: RHEL-15915 - crash from specially crafted MP_UNREACH_NLRI-containing BGP UPDATE message
 - Resolves: RHEL-15918 - crash from malformed EOR-containing BGP UPDATE message