diff options
author | Jonas Gorski <jonas.gorski@bisdn.de> | 2023-05-10 12:16:37 +0200 |
---|---|---|
committer | Armin Kuster <akuster808@gmail.com> | 2023-05-24 10:47:53 -0400 |
commit | 49c8c1e74ecf81d8089d374b55f9a584f54cc4bc (patch) | |
tree | 6e4f7c6e0f65f34eea16dfba70ec7eea592adf9c | |
parent | 5f120a926b0fcd55cfe7565bb7ddf23661cad498 (diff) | |
download | meta-openembedded-contrib-49c8c1e74ecf81d8089d374b55f9a584f54cc4bc.tar.gz |
frr: Security fix CVE-2022-36440 / CVE-2022-40302
Add a security fix from the stable/8.2 branch for two CVEs for the same
vulneratiblity:
CVE-2022-36440:
A reachable assertion was found in Frrouting frr-bgpd 8.3.0 in the
peek_for_as4_capability function. Attackers can maliciously construct
BGP open packets and send them to BGP peers running frr-bgpd, resulting
in DoS.
CVE-2022-40302:
An issue was discovered in bgpd in FRRouting (FRR) through 8.4. By
crafting a BGP OPEN message with an option of type 0xff (Extended Length
from RFC 9072), attackers may cause a denial of service (assertion
failure and daemon restart, or out-of-bounds read). This is possible
because of inconsistent boundary checks that do not account for reading
3 bytes (instead of 2) in this 0xff case.
Reference:
https://nvd.nist.gov/vuln/detail/CVE-2022-36440
https://nvd.nist.gov/vuln/detail/CVE-2022-40302
https://cyberriskleaders.com/new-vulnerabilities-disclosed-in-frrouting-software/
https://github.com/FRRouting/frr/issues/13202
Patch from:
https://github.com/FRRouting/frr/commit/02a0e45f66160f571196a105b217e1bb84d1a835
Signed-off-by: Jonas Gorski <jonas.gorski@bisdn.de>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
-rw-r--r-- | meta-networking/recipes-protocols/frr/frr/CVE-2022-36440.patch | 71 | ||||
-rw-r--r-- | meta-networking/recipes-protocols/frr/frr_8.2.2.bb | 1 |
2 files changed, 72 insertions, 0 deletions
diff --git a/meta-networking/recipes-protocols/frr/frr/CVE-2022-36440.patch b/meta-networking/recipes-protocols/frr/frr/CVE-2022-36440.patch new file mode 100644 index 0000000000..c06de49eb3 --- /dev/null +++ b/meta-networking/recipes-protocols/frr/frr/CVE-2022-36440.patch @@ -0,0 +1,71 @@ +From 02a0e45f66160f571196a105b217e1bb84d1a835 Mon Sep 17 00:00:00 2001 +From: Donald Sharp <sharpd@nvidia.com> +Date: Fri, 30 Sep 2022 08:51:45 -0400 +Subject: [PATCH] bgpd: Ensure FRR has enough data to read 2 bytes in + peek_for_as4_capability + +In peek_for_as4_capability the code is checking that the +stream has at least 2 bytes to read ( the opt_type and the +opt_length ). However if BGP_OPEN_EXT_OPT_PARAMS_CAPABLE(peer) +is configured then FRR is reading 3 bytes. Which is not good +since the packet could be badly formated. Ensure that +FRR has the appropriate data length to read the data. + +Signed-off-by: Donald Sharp <sharpd@nvidia.com> +(cherry picked from commit 3e46b43e3788f0f87bae56a86b54d412b4710286) + +CVE: CVE-2022-36440 +CVE: CVE-2022-40302 + +Upstream-Status: Backport +[https://github.com/FRRouting/frr/commit/02a0e45f66160f571196a105b217e1bb84d1a835] + +Signed-off-by: Jonas Gorski <jonas.gorski@bisdn.de> +--- + bgpd/bgp_open.c | 27 +++++++++++++++++++++------ + 1 file changed, 21 insertions(+), 6 deletions(-) + +diff --git a/bgpd/bgp_open.c b/bgpd/bgp_open.c +index c2562c75d3fc..fe4c24a8c979 100644 +--- a/bgpd/bgp_open.c ++++ b/bgpd/bgp_open.c +@@ -1116,15 +1116,30 @@ as_t peek_for_as4_capability(struct peer *peer, uint16_t length) + uint8_t opt_type; + uint16_t opt_length; + +- /* Check the length. */ +- if (stream_get_getp(s) + 2 > end) ++ /* Ensure we can read the option type */ ++ if (stream_get_getp(s) + 1 > end) + goto end; + +- /* Fetch option type and length. */ ++ /* Fetch the option type */ + opt_type = stream_getc(s); +- opt_length = BGP_OPEN_EXT_OPT_PARAMS_CAPABLE(peer) +- ? stream_getw(s) +- : stream_getc(s); ++ ++ /* ++ * Check the length and fetch the opt_length ++ * If the peer is BGP_OPEN_EXT_OPT_PARAMS_CAPABLE(peer) ++ * then we do a getw which is 2 bytes. So we need to ++ * ensure that we can read that as well ++ */ ++ if (BGP_OPEN_EXT_OPT_PARAMS_CAPABLE(peer)) { ++ if (stream_get_getp(s) + 2 > end) ++ goto end; ++ ++ opt_length = stream_getw(s); ++ } else { ++ if (stream_get_getp(s) + 1 > end) ++ goto end; ++ ++ opt_length = stream_getc(s); ++ } + + /* Option length check. */ + if (stream_get_getp(s) + opt_length > end) +-- +2.40.1 + diff --git a/meta-networking/recipes-protocols/frr/frr_8.2.2.bb b/meta-networking/recipes-protocols/frr/frr_8.2.2.bb index 80f4729e1f..2da870ae4e 100644 --- a/meta-networking/recipes-protocols/frr/frr_8.2.2.bb +++ b/meta-networking/recipes-protocols/frr/frr_8.2.2.bb @@ -13,6 +13,7 @@ SRC_URI = "git://github.com/FRRouting/frr.git;protocol=https;branch=stable/8.2 \ file://CVE-2022-37035.patch \ file://CVE-2022-37032.patch \ file://CVE-2022-42917.patch \ + file://CVE-2022-36440.patch \ file://frr.pam \ " |