mirrors/meta-openembedded
1
0
Fork 0
mirror of https://github.com/openembedded/meta-openembedded.git synced 2026-06-13 17:39:57 +00:00
Code Issues Projects Releases Wiki Activity

frr: Security fix CVE-2022-37032

Browse Source 
CVE-2022-37032:
An out-of-bounds read in the BGP daemon of FRRouting FRR before 8.4 may
lead to a segmentation fault and denial of service. This occurs in
bgp_capability_msg_parse in bgpd/bgp_packet.c.

Reference:
https://nvd.nist.gov/vuln/detail/CVE-2022-37032

Patch from:
https://github.com/FRRouting/frr/commit/3c4821679f2362bcd38fcc7803f28a5210441ddb

Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
This commit is contained in:
Yi Zhao
2022-10-13 11:04:36 +08:00
committed by Armin Kuster
parent a7b999dba0
commit 744a4b6eda
2 changed files with 43 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
meta-networking/recipes-protocols/frr/frr/CVE-2022-37032.patch
+42
View File
@@ -0,0 +1,42 @@
From 3c4821679f2362bcd38fcc7803f28a5210441ddb Mon Sep 17 00:00:00 2001
From: Donald Sharp <sharpd@nvidia.com>
Date: Thu, 21 Jul 2022 08:11:58 -0400
Subject: [PATCH] bgpd: Make sure hdr length is at a minimum of what is
expected
Ensure that if the capability length specified is enough data.
Signed-off-by: Donald Sharp <sharpd@nvidia.com>
CVE: CVE-2022-37032
Upstream-Status: Backport
[https://github.com/FRRouting/frr/commit/3c4821679f2362bcd38fcc7803f28a5210441ddb]
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
---
bgpd/bgp_packet.c | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/bgpd/bgp_packet.c b/bgpd/bgp_packet.c
index 7c92a8d9e..bcd47e32d 100644
--- a/bgpd/bgp_packet.c
+++ b/bgpd/bgp_packet.c
@@ -2440,6 +2440,14 @@ static int bgp_capability_msg_parse(struct peer *peer, uint8_t *pnt,
"%s CAPABILITY has action: %d, code: %u, length %u",
peer->host, action, hdr->code, hdr->length);
+ if (hdr->length < sizeof(struct capability_mp_data)) {
+ zlog_info(
+ "%s Capability structure is not properly filled out, expected at least %zu bytes but header length specified is %d",
+ peer->host, sizeof(struct capability_mp_data),
+ hdr->length);
+ return BGP_Stop;
+ }
+
/* Capability length check. */
if ((pnt + hdr->length + 3) > end) {
zlog_info("%s Capability length error", peer->host);
--
2.25.1
meta-networking/recipes-protocols/frr/frr_8.2.2.bb
+1
View File
@@ -11,6 +11,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=b234ee4d69f5fce4486a80fdaf4a4263 \
SRC_URI = "git://github.com/FRRouting/frr.git;protocol=https;branch=stable/8.2 \
file://CVE-2022-37035.patch \
file://CVE-2022-37032.patch \
file://frr.pam \
"