1 files changed, 43 insertions, 0 deletions

diff --git a/debian/patches/CVE-2023-41361.patch b/debian/patches/CVE-2023-41361.patch
new file mode 100644
index 0000000..a227dc2
--- /dev/null
+++ b/debian/patches/CVE-2023-41361.patch
@@ -0,0 +1,43 @@
+From 73ad93a83f18564bb7bff4659872f7ec1a64b05e Mon Sep 17 00:00:00 2001
+From: Donatas Abraitis <donatas@opensourcerouting.org>
+Date: Sun, 20 Aug 2023 21:37:25 +0300
+Subject: [PATCH] bgpd: Check the length of the rcv software version
+
+Make sure we don't exceed the maximum of BGP_MAX_SOFT_VERSION.
+
+The Capability Length SHOULD be no greater than 64.
+
+Reported-by: Iggy Frankovic <iggyfran@amazon.com>
+Signed-off-by: Donatas Abraitis <donatas@opensourcerouting.org>
+(cherry picked from commit b4d09af9194d20a7f9f16995a062f5d8e3d32840)
+---
+ bgpd/bgp_open.c | 12 +++++++++++-
+ 1 file changed, 11 insertions(+), 1 deletion(-)
+
+diff --git a/bgpd/bgp_open.c b/bgpd/bgp_open.c
+index 0dd546397..e7e3c2191 100644
+--- a/bgpd/bgp_open.c
++++ b/bgpd/bgp_open.c
+@@ -940,8 +940,18 @@ static int bgp_capability_software_version(struct peer *peer,
+ 		return -1;
+ 	}
+ 
+-	if (len) {
++	if (len > BGP_MAX_SOFT_VERSION) {
++		flog_warn(EC_BGP_CAPABILITY_INVALID_LENGTH,
++			  "%s: Received Software Version, but the length is too big, truncating, from peer %s",
++			  __func__, peer->host);
++		stream_get(str, s, BGP_MAX_SOFT_VERSION);
++		stream_forward_getp(s, len - BGP_MAX_SOFT_VERSION);
++		len = BGP_MAX_SOFT_VERSION;
++	} else if (len) {
+ 		stream_get(str, s, len);
++	}
++
++	if (len) {
+ 		str[len] = '\0';
+ 
+ 		XFREE(MTYPE_BGP_SOFT_VERSION, peer->soft_version);
+-- 
+2.39.2
+