diff options
author | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-04-28 09:53:32 +0000 |
---|---|---|
committer | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-04-28 09:53:32 +0000 |
commit | 25b1166673c7fde5edb4dfa218005bf1a83eb25c (patch) | |
tree | 0eb5dc2c4eedabf82b7b531bbe0e5fcb75084e3e /debian/patches | |
parent | Adding upstream version 8.4.4. (diff) | |
download | frr-debian.tar.xz frr-debian.zip |
Adding debian version 8.4.4-1.1~deb12u1.debian/8.4.4-1.1_deb12u1debian
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to 'debian/patches')
-rw-r--r-- | debian/patches/CVE-2023-38802.patch | 131 | ||||
-rw-r--r-- | debian/patches/CVE-2023-41358.patch | 100 | ||||
-rw-r--r-- | debian/patches/CVE-2023-41360.patch | 30 | ||||
-rw-r--r-- | debian/patches/CVE-2023-41361.patch | 43 | ||||
-rw-r--r-- | debian/patches/series | 3 |
5 files changed, 307 insertions, 0 deletions
diff --git a/debian/patches/CVE-2023-38802.patch b/debian/patches/CVE-2023-38802.patch new file mode 100644 index 0000000..99753c7 --- /dev/null +++ b/debian/patches/CVE-2023-38802.patch @@ -0,0 +1,131 @@ +From bcb6b58d9530173df41d3a3cbc4c600ee0b4b186 Mon Sep 17 00:00:00 2001 +From: Donatas Abraitis <donatas@opensourcerouting.org> +Date: Thu, 13 Jul 2023 22:32:03 +0300 +Subject: [PATCH] bgpd: Use treat-as-withdraw for tunnel encapsulation + attribute + +Before this path we used session reset method, which is discouraged by rfc7606. + +Handle this as rfc requires. + +Signed-off-by: Donatas Abraitis <donatas@opensourcerouting.org> +--- + bgpd/bgp_attr.c | 61 ++++++++++++++++++++----------------------------- + 1 file changed, 25 insertions(+), 36 deletions(-) + +diff --git a/bgpd/bgp_attr.c b/bgpd/bgp_attr.c +index dcf0f4d47..8c53191d6 100644 +--- a/bgpd/bgp_attr.c ++++ b/bgpd/bgp_attr.c +@@ -1405,6 +1405,7 @@ bgp_attr_malformed(struct bgp_attr_parser_args *args, uint8_t subcode, + case BGP_ATTR_LARGE_COMMUNITIES: + case BGP_ATTR_ORIGINATOR_ID: + case BGP_ATTR_CLUSTER_LIST: ++ case BGP_ATTR_ENCAP: + case BGP_ATTR_OTC: + return BGP_ATTR_PARSE_WITHDRAW; + case BGP_ATTR_MP_REACH_NLRI: +@@ -2635,26 +2636,21 @@ ipv6_ext_community_ignore: + } + + /* Parse Tunnel Encap attribute in an UPDATE */ +-static int bgp_attr_encap(uint8_t type, struct peer *peer, /* IN */ +- bgp_size_t length, /* IN: attr's length field */ +- struct attr *attr, /* IN: caller already allocated */ +- uint8_t flag, /* IN: attr's flags field */ +- uint8_t *startp) ++static int bgp_attr_encap(struct bgp_attr_parser_args *args) + { +- bgp_size_t total; + uint16_t tunneltype = 0; +- +- total = length + (CHECK_FLAG(flag, BGP_ATTR_FLAG_EXTLEN) ? 4 : 3); ++ struct peer *const peer = args->peer; ++ struct attr *const attr = args->attr; ++ bgp_size_t length = args->length; ++ uint8_t type = args->type; ++ uint8_t flag = args->flags; + + if (!CHECK_FLAG(flag, BGP_ATTR_FLAG_TRANS) + || !CHECK_FLAG(flag, BGP_ATTR_FLAG_OPTIONAL)) { +- zlog_info( +- "Tunnel Encap attribute flag isn't optional and transitive %d", +- flag); +- bgp_notify_send_with_data(peer, BGP_NOTIFY_UPDATE_ERR, +- BGP_NOTIFY_UPDATE_ATTR_FLAG_ERR, +- startp, total); +- return -1; ++ zlog_err("Tunnel Encap attribute flag isn't optional and transitive %d", ++ flag); ++ return bgp_attr_malformed(args, BGP_NOTIFY_UPDATE_OPT_ATTR_ERR, ++ args->total); + } + + if (BGP_ATTR_ENCAP == type) { +@@ -2662,12 +2658,11 @@ static int bgp_attr_encap(uint8_t type, struct peer *peer, /* IN */ + uint16_t tlv_length; + + if (length < 4) { +- zlog_info( ++ zlog_err( + "Tunnel Encap attribute not long enough to contain outer T,L"); +- bgp_notify_send_with_data( +- peer, BGP_NOTIFY_UPDATE_ERR, +- BGP_NOTIFY_UPDATE_OPT_ATTR_ERR, startp, total); +- return -1; ++ return bgp_attr_malformed(args, ++ BGP_NOTIFY_UPDATE_OPT_ATTR_ERR, ++ args->total); + } + tunneltype = stream_getw(BGP_INPUT(peer)); + tlv_length = stream_getw(BGP_INPUT(peer)); +@@ -2699,13 +2694,11 @@ static int bgp_attr_encap(uint8_t type, struct peer *peer, /* IN */ + } + + if (sublength > length) { +- zlog_info( +- "Tunnel Encap attribute sub-tlv length %d exceeds remaining length %d", +- sublength, length); +- bgp_notify_send_with_data( +- peer, BGP_NOTIFY_UPDATE_ERR, +- BGP_NOTIFY_UPDATE_OPT_ATTR_ERR, startp, total); +- return -1; ++ zlog_err("Tunnel Encap attribute sub-tlv length %d exceeds remaining length %d", ++ sublength, length); ++ return bgp_attr_malformed(args, ++ BGP_NOTIFY_UPDATE_OPT_ATTR_ERR, ++ args->total); + } + + /* alloc and copy sub-tlv */ +@@ -2753,13 +2746,10 @@ static int bgp_attr_encap(uint8_t type, struct peer *peer, /* IN */ + + if (length) { + /* spurious leftover data */ +- zlog_info( +- "Tunnel Encap attribute length is bad: %d leftover octets", +- length); +- bgp_notify_send_with_data(peer, BGP_NOTIFY_UPDATE_ERR, +- BGP_NOTIFY_UPDATE_OPT_ATTR_ERR, +- startp, total); +- return -1; ++ zlog_err("Tunnel Encap attribute length is bad: %d leftover octets", ++ length); ++ return bgp_attr_malformed(args, BGP_NOTIFY_UPDATE_OPT_ATTR_ERR, ++ args->total); + } + + return 0; +@@ -3732,8 +3722,7 @@ enum bgp_attr_parse_ret bgp_attr_parse(struct peer *peer, struct attr *attr, + case BGP_ATTR_VNC: + #endif + case BGP_ATTR_ENCAP: +- ret = bgp_attr_encap(type, peer, length, attr, flag, +- startp); ++ ret = bgp_attr_encap(&attr_args); + break; + case BGP_ATTR_PREFIX_SID: + ret = bgp_attr_prefix_sid(&attr_args); +-- +2.39.2 + diff --git a/debian/patches/CVE-2023-41358.patch b/debian/patches/CVE-2023-41358.patch new file mode 100644 index 0000000..ff2f2b7 --- /dev/null +++ b/debian/patches/CVE-2023-41358.patch @@ -0,0 +1,100 @@ +From f291f1ee9434f56d4b185db0652794a92e313b00 Mon Sep 17 00:00:00 2001 +From: Donatas Abraitis <donatas@opensourcerouting.org> +Date: Tue, 22 Aug 2023 22:52:04 +0300 +Subject: [PATCH] bgpd: Do not process NLRIs if the attribute length is zero + +``` +3 0x00007f423aa42476 in __GI_raise (sig=sig@entry=11) at ../sysdeps/posix/raise.c:26 +4 0x00007f423aef9740 in core_handler (signo=11, siginfo=0x7fffc414deb0, context=<optimized out>) at lib/sigevent.c:246 +5 <signal handler called> +6 0x0000564dea2fc71e in route_set_aspath_prepend (rule=0x564debd66d50, prefix=0x7fffc414ea30, object=0x7fffc414e400) + at bgpd/bgp_routemap.c:2258 +7 0x00007f423aeec7e0 in route_map_apply_ext (map=<optimized out>, prefix=prefix@entry=0x7fffc414ea30, + match_object=match_object@entry=0x7fffc414e400, set_object=set_object@entry=0x7fffc414e400, pref=pref@entry=0x0) at lib/routemap.c:2690 +8 0x0000564dea2d277e in bgp_input_modifier (peer=peer@entry=0x7f4238f59010, p=p@entry=0x7fffc414ea30, attr=attr@entry=0x7fffc414e770, + afi=afi@entry=AFI_IP, safi=safi@entry=SAFI_UNICAST, rmap_name=rmap_name@entry=0x0, label=0x0, num_labels=0, dest=0x564debdd5130) + at bgpd/bgp_route.c:1772 +9 0x0000564dea2df762 in bgp_update (peer=peer@entry=0x7f4238f59010, p=p@entry=0x7fffc414ea30, addpath_id=addpath_id@entry=0, + attr=0x7fffc414eb50, afi=afi@entry=AFI_IP, safi=<optimized out>, safi@entry=SAFI_UNICAST, type=9, sub_type=0, prd=0x0, label=0x0, + num_labels=0, soft_reconfig=0, evpn=0x0) at bgpd/bgp_route.c:4374 +10 0x0000564dea2e2047 in bgp_nlri_parse_ip (peer=0x7f4238f59010, attr=attr@entry=0x7fffc414eb50, packet=0x7fffc414eaf0) + at bgpd/bgp_route.c:6249 +11 0x0000564dea2c5a58 in bgp_nlri_parse (peer=peer@entry=0x7f4238f59010, attr=attr@entry=0x7fffc414eb50, + packet=packet@entry=0x7fffc414eaf0, mp_withdraw=mp_withdraw@entry=false) at bgpd/bgp_packet.c:339 +12 0x0000564dea2c5d66 in bgp_update_receive (peer=peer@entry=0x7f4238f59010, size=size@entry=109) at bgpd/bgp_packet.c:2024 +13 0x0000564dea2c901d in bgp_process_packet (thread=<optimized out>) at bgpd/bgp_packet.c:2933 +14 0x00007f423af0bf71 in event_call (thread=thread@entry=0x7fffc414ee40) at lib/event.c:1995 +15 0x00007f423aebb198 in frr_run (master=0x564deb73c670) at lib/libfrr.c:1213 +16 0x0000564dea261b83 in main (argc=<optimized out>, argv=<optimized out>) at bgpd/bgp_main.c:505 +``` + +With the configuration: + +``` +frr version 9.1-dev-MyOwnFRRVersion +frr defaults traditional +hostname ip-172-31-13-140 +log file /tmp/debug.log +log syslog +service integrated-vtysh-config +! +debug bgp keepalives +debug bgp neighbor-events +debug bgp updates in +debug bgp updates out +! +router bgp 100 + bgp router-id 9.9.9.9 + no bgp ebgp-requires-policy + bgp bestpath aigp + neighbor 172.31.2.47 remote-as 200 + ! + address-family ipv4 unicast + neighbor 172.31.2.47 default-originate + neighbor 172.31.2.47 route-map RM_IN in + exit-address-family +exit +! +route-map RM_IN permit 10 + set as-path prepend 200 +exit +! +``` + +The issue is that we try to process NLRIs even if the attribute length is 0. + +Later bgp_update() will handle route-maps and a crash occurs because all the +attributes are NULL, including aspath, where we dereference. + +According to the RFC 4271: + +A value of 0 indicates that neither the Network Layer + Reachability Information field nor the Path Attribute field is + present in this UPDATE message. + +But with a fuzzed UPDATE message this can be faked. I think it's reasonable +to skip processing NLRIs if both update_len and attribute_len are 0. + +Reported-by: Iggy Frankovic <iggyfran@amazon.com> +Signed-off-by: Donatas Abraitis <donatas@opensourcerouting.org> +(cherry picked from commit 28ccc24d38df1d51ed8a563507e5d6f6171fdd38) +--- + bgpd/bgp_packet.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/bgpd/bgp_packet.c b/bgpd/bgp_packet.c +index 60f1dcbcd..a02d54894 100644 +--- a/bgpd/bgp_packet.c ++++ b/bgpd/bgp_packet.c +@@ -1983,7 +1983,7 @@ static int bgp_update_receive(struct peer *peer, bgp_size_t size) + /* Network Layer Reachability Information. */ + update_len = end - stream_pnt(s); + +- if (update_len) { ++ if (update_len && attribute_len) { + /* Set NLRI portion to structure. */ + nlris[NLRI_UPDATE].afi = AFI_IP; + nlris[NLRI_UPDATE].safi = SAFI_UNICAST; +-- +2.39.2 + diff --git a/debian/patches/CVE-2023-41360.patch b/debian/patches/CVE-2023-41360.patch new file mode 100644 index 0000000..fd37714 --- /dev/null +++ b/debian/patches/CVE-2023-41360.patch @@ -0,0 +1,30 @@ +From 3515178de4a56d66ed948a774efcbe4a854e1ca7 Mon Sep 17 00:00:00 2001 +From: Donatas Abraitis <donatas@opensourcerouting.org> +Date: Sun, 20 Aug 2023 22:15:27 +0300 +Subject: [PATCH] bgpd: Don't read the first byte of ORF header if we are ahead + of stream + +Reported-by: Iggy Frankovic iggyfran@amazon.com +Signed-off-by: Donatas Abraitis <donatas@opensourcerouting.org> +(cherry picked from commit 9b855a692e68e0d16467e190b466b4ecb6853702) +--- + bgpd/bgp_packet.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/bgpd/bgp_packet.c b/bgpd/bgp_packet.c +index a2959ef6e..60f1dcbcd 100644 +--- a/bgpd/bgp_packet.c ++++ b/bgpd/bgp_packet.c +@@ -2408,7 +2408,8 @@ static int bgp_route_refresh_receive(struct peer *peer, bgp_size_t size) + * and 7 bytes of ORF Address-filter entry from + * the stream + */ +- if (*p_pnt & ORF_COMMON_PART_REMOVE_ALL) { ++ if (p_pnt < p_end && ++ *p_pnt & ORF_COMMON_PART_REMOVE_ALL) { + if (bgp_debug_neighbor_events(peer)) + zlog_debug( + "%pBP rcvd Remove-All pfxlist ORF request", +-- +2.39.2 + diff --git a/debian/patches/CVE-2023-41361.patch b/debian/patches/CVE-2023-41361.patch new file mode 100644 index 0000000..a227dc2 --- /dev/null +++ b/debian/patches/CVE-2023-41361.patch @@ -0,0 +1,43 @@ +From 73ad93a83f18564bb7bff4659872f7ec1a64b05e Mon Sep 17 00:00:00 2001 +From: Donatas Abraitis <donatas@opensourcerouting.org> +Date: Sun, 20 Aug 2023 21:37:25 +0300 +Subject: [PATCH] bgpd: Check the length of the rcv software version + +Make sure we don't exceed the maximum of BGP_MAX_SOFT_VERSION. + +The Capability Length SHOULD be no greater than 64. + +Reported-by: Iggy Frankovic <iggyfran@amazon.com> +Signed-off-by: Donatas Abraitis <donatas@opensourcerouting.org> +(cherry picked from commit b4d09af9194d20a7f9f16995a062f5d8e3d32840) +--- + bgpd/bgp_open.c | 12 +++++++++++- + 1 file changed, 11 insertions(+), 1 deletion(-) + +diff --git a/bgpd/bgp_open.c b/bgpd/bgp_open.c +index 0dd546397..e7e3c2191 100644 +--- a/bgpd/bgp_open.c ++++ b/bgpd/bgp_open.c +@@ -940,8 +940,18 @@ static int bgp_capability_software_version(struct peer *peer, + return -1; + } + +- if (len) { ++ if (len > BGP_MAX_SOFT_VERSION) { ++ flog_warn(EC_BGP_CAPABILITY_INVALID_LENGTH, ++ "%s: Received Software Version, but the length is too big, truncating, from peer %s", ++ __func__, peer->host); ++ stream_get(str, s, BGP_MAX_SOFT_VERSION); ++ stream_forward_getp(s, len - BGP_MAX_SOFT_VERSION); ++ len = BGP_MAX_SOFT_VERSION; ++ } else if (len) { + stream_get(str, s, len); ++ } ++ ++ if (len) { + str[len] = '\0'; + + XFREE(MTYPE_BGP_SOFT_VERSION, peer->soft_version); +-- +2.39.2 + diff --git a/debian/patches/series b/debian/patches/series new file mode 100644 index 0000000..5ec3c8f --- /dev/null +++ b/debian/patches/series @@ -0,0 +1,3 @@ +CVE-2023-38802.patch +CVE-2023-41358.patch +CVE-2023-41360.patch |