frr: fix for CVE-2023-31489

An issue found in Frrouting bgpd v.8.4.2 allows a remote attacker to
cause a denial of service via the bgp_capability_llgr() function.

References:
https://nvd.nist.gov/vuln/detail/CVE-2023-31489
https://github.com/FRRouting/frr/issues/13098

Signed-off-by: Narpat Mali <narpat.mali@windriver.com>
[Refactored to get it to apply]
Signed-off-by: Armin Kuster <akuster808@gmail.com>
This commit is contained in:
Narpat Mali
2023-06-20 16:56:41 +00:00
committed by Armin Kuster
parent af43d829a3
commit 0070827069
2 changed files with 53 additions and 0 deletions
@@ -0,0 +1,52 @@
From 4e1fc50394df0b69f32a9cf8ba8e1dcee2c67563 Mon Sep 17 00:00:00 2001
From: Narpat Mali <narpat.mali@windriver.com>
Date: Tue, 20 Jun 2023 14:01:46 +0000
Subject: [PATCH] bgpd: Check 7 bytes for Long-lived Graceful-Restart
capability
It's not 4 bytes, it was assuming the same as Graceful-Restart tuples.
LLGR has more 3 bytes (Long-lived Stale Time).
Signed-off-by: Donatas Abraitis <donatas@opensourcerouting.org>
CVE: CVE-2023-31489
Upstream-Status: Backport [https://github.com/FRRouting/frr/commit/b1d33ec293e8e36fbb8766252f3b016d268e31ce]
Signed-off-by: Narpat Mali <narpat.mali@windriver.com>
---
bgpd/bgp_open.c | 14 +++++++++++++-
1 file changed, 13 insertions(+), 1 deletion(-)
diff --git a/bgpd/bgp_open.c b/bgpd/bgp_open.c
index 6bdefd0e9..ad56149f6 100644
--- a/bgpd/bgp_open.c
+++ b/bgpd/bgp_open.c
@@ -578,12 +578,24 @@ static int bgp_capability_restart(struct peer *peer,
static int bgp_capability_llgr(struct peer *peer,
struct capability_header *caphdr)
{
+/*
+ * +--------------------------------------------------+
+ * | Address Family Identifier (16 bits) |
+ * +--------------------------------------------------+
+ * | Subsequent Address Family Identifier (8 bits) |
+ * +--------------------------------------------------+
+ * | Flags for Address Family (8 bits) |
+ * +--------------------------------------------------+
+ * | Long-lived Stale Time (24 bits) |
+ * +--------------------------------------------------+
+ */
+#define BGP_CAP_LLGR_MIN_PACKET_LEN 7
struct stream *s = BGP_INPUT(peer);
size_t end = stream_get_getp(s) + caphdr->length;
SET_FLAG(peer->cap, PEER_CAP_LLGR_RCV);
- while (stream_get_getp(s) + 4 <= end) {
+ while (stream_get_getp(s) + BGP_CAP_LLGR_MIN_PACKET_LEN <= end) {
afi_t afi;
safi_t safi;
iana_afi_t pkt_afi = stream_getw(s);
--
2.40.0
@@ -16,6 +16,7 @@ SRC_URI = "git://github.com/FRRouting/frr.git;protocol=https;branch=stable/8.2 \
file://CVE-2022-36440.patch \
file://CVE-2022-40318.patch \
file://CVE-2022-43681.patch \
file://CVE-2023-31489.patch \
file://frr.pam \
"