mirror of
https://github.com/openembedded/meta-openembedded.git
synced 2026-07-16 04:17:25 +00:00
frr: fix for CVE-2023-31489
An issue found in Frrouting bgpd v.8.4.2 allows a remote attacker to cause a denial of service via the bgp_capability_llgr() function. References: https://nvd.nist.gov/vuln/detail/CVE-2023-31489 https://github.com/FRRouting/frr/issues/13098 Signed-off-by: Narpat Mali <narpat.mali@windriver.com> [Refactored to get it to apply] Signed-off-by: Armin Kuster <akuster808@gmail.com>
This commit is contained in:
committed by
Armin Kuster
parent
af43d829a3
commit
0070827069
@@ -0,0 +1,52 @@
|
||||
From 4e1fc50394df0b69f32a9cf8ba8e1dcee2c67563 Mon Sep 17 00:00:00 2001
|
||||
From: Narpat Mali <narpat.mali@windriver.com>
|
||||
Date: Tue, 20 Jun 2023 14:01:46 +0000
|
||||
Subject: [PATCH] bgpd: Check 7 bytes for Long-lived Graceful-Restart
|
||||
capability
|
||||
|
||||
It's not 4 bytes, it was assuming the same as Graceful-Restart tuples.
|
||||
LLGR has more 3 bytes (Long-lived Stale Time).
|
||||
|
||||
Signed-off-by: Donatas Abraitis <donatas@opensourcerouting.org>
|
||||
|
||||
CVE: CVE-2023-31489
|
||||
|
||||
Upstream-Status: Backport [https://github.com/FRRouting/frr/commit/b1d33ec293e8e36fbb8766252f3b016d268e31ce]
|
||||
|
||||
Signed-off-by: Narpat Mali <narpat.mali@windriver.com>
|
||||
---
|
||||
bgpd/bgp_open.c | 14 +++++++++++++-
|
||||
1 file changed, 13 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/bgpd/bgp_open.c b/bgpd/bgp_open.c
|
||||
index 6bdefd0e9..ad56149f6 100644
|
||||
--- a/bgpd/bgp_open.c
|
||||
+++ b/bgpd/bgp_open.c
|
||||
@@ -578,12 +578,24 @@ static int bgp_capability_restart(struct peer *peer,
|
||||
static int bgp_capability_llgr(struct peer *peer,
|
||||
struct capability_header *caphdr)
|
||||
{
|
||||
+/*
|
||||
+ * +--------------------------------------------------+
|
||||
+ * | Address Family Identifier (16 bits) |
|
||||
+ * +--------------------------------------------------+
|
||||
+ * | Subsequent Address Family Identifier (8 bits) |
|
||||
+ * +--------------------------------------------------+
|
||||
+ * | Flags for Address Family (8 bits) |
|
||||
+ * +--------------------------------------------------+
|
||||
+ * | Long-lived Stale Time (24 bits) |
|
||||
+ * +--------------------------------------------------+
|
||||
+ */
|
||||
+#define BGP_CAP_LLGR_MIN_PACKET_LEN 7
|
||||
struct stream *s = BGP_INPUT(peer);
|
||||
size_t end = stream_get_getp(s) + caphdr->length;
|
||||
|
||||
SET_FLAG(peer->cap, PEER_CAP_LLGR_RCV);
|
||||
|
||||
- while (stream_get_getp(s) + 4 <= end) {
|
||||
+ while (stream_get_getp(s) + BGP_CAP_LLGR_MIN_PACKET_LEN <= end) {
|
||||
afi_t afi;
|
||||
safi_t safi;
|
||||
iana_afi_t pkt_afi = stream_getw(s);
|
||||
--
|
||||
2.40.0
|
||||
@@ -16,6 +16,7 @@ SRC_URI = "git://github.com/FRRouting/frr.git;protocol=https;branch=stable/8.2 \
|
||||
file://CVE-2022-36440.patch \
|
||||
file://CVE-2022-40318.patch \
|
||||
file://CVE-2022-43681.patch \
|
||||
file://CVE-2023-31489.patch \
|
||||
file://frr.pam \
|
||||
"
|
||||
|
||||
|
||||
Reference in New Issue
Block a user