author | Narpat Mali <narpat.mali@windriver.com> | 2023-06-20 16:56:41 +0000 |
---|---|---|
committer | Armin Kuster <akuster808@gmail.com> | 2023-06-23 07:49:20 -0400 |
commit | 0070827069082851d0209e9153c31f8cac02a462 (patch) | |
tree | ac7f12980bde7ad548f5ff1b6b69c6a4290f3495 /meta-networking/recipes-protocols | |
parent | af43d829a3182955d267972df1b78bff725e620a (diff) | |
download | meta-openembedded-contrib-0070827069082851d0209e9153c31f8cac02a462.tar.gz |
frr: fix for CVE-2023-31489

An issue found in Frrouting bgpd v.8.4.2 allows a remote attacker to
cause a denial of service via the bgp_capability_llgr() function.

References:
https://nvd.nist.gov/vuln/detail/CVE-2023-31489
https://github.com/FRRouting/frr/issues/13098

Signed-off-by: Narpat Mali <narpat.mali@windriver.com>
[Refactored to get it to apply]
Signed-off-by: Armin Kuster <akuster808@gmail.com>

Diffstat (limited to 'meta-networking/recipes-protocols')
-rw-r--r-- | meta-networking/recipes-protocols/frr/frr/CVE-2023-31489.patch | 52 | ||||
-rw-r--r-- | meta-networking/recipes-protocols/frr/frr_8.2.2.bb | 1 |
2 files changed, 53 insertions, 0 deletions
diff --git a/meta-networking/recipes-protocols/frr/frr/CVE-2023-31489.patch b/meta-networking/recipes-protocols/frr/frr/CVE-2023-31489.patch new file mode 100644 index 0000000000..6fd6792087 --- /dev/null +++ b/meta-networking/recipes-protocols/frr/frr/CVE-2023-31489.patch 
@@ -0,0 +1,52 @@ +From 4e1fc50394df0b69f32a9cf8ba8e1dcee2c67563 Mon Sep 17 00:00:00 2001 +From: Narpat Mali <narpat.mali@windriver.com> +Date: Tue, 20 Jun 2023 14:01:46 +0000 +Subject: [PATCH] bgpd: Check 7 bytes for Long-lived Graceful-Restart + capability + +It's not 4 bytes, it was assuming the same as Graceful-Restart tuples. +LLGR has more 3 bytes (Long-lived Stale Time). + +Signed-off-by: Donatas Abraitis <donatas@opensourcerouting.org> + +CVE: CVE-2023-31489 + +Upstream-Status: Backport [https://github.com/FRRouting/frr/commit/b1d33ec293e8e36fbb8766252f3b016d268e31ce] + +Signed-off-by: Narpat Mali <narpat.mali@windriver.com> +--- + bgpd/bgp_open.c | 14 +++++++++++++- + 1 file changed, 13 insertions(+), 1 deletion(-) + +diff --git a/bgpd/bgp_open.c b/bgpd/bgp_open.c +index 6bdefd0e9..ad56149f6 100644 +--- a/bgpd/bgp_open.c ++++ b/bgpd/bgp_open.c +@@ -578,12 +578,24 @@ static int bgp_capability_restart(struct peer *peer, + static int bgp_capability_llgr(struct peer *peer, + struct capability_header *caphdr) + { ++/* ++ * +--------------------------------------------------+ ++ * | Address Family Identifier (16 bits) | ++ * +--------------------------------------------------+ ++ * | Subsequent Address Family Identifier (8 bits) | ++ * +--------------------------------------------------+ ++ * | Flags for Address Family (8 bits) | ++ * +--------------------------------------------------+ ++ * | Long-lived Stale Time (24 bits) | ++ * +--------------------------------------------------+ ++ */ ++#define BGP_CAP_LLGR_MIN_PACKET_LEN 7 + struct stream *s = BGP_INPUT(peer); + size_t end = stream_get_getp(s) + caphdr->length; + + SET_FLAG(peer->cap, PEER_CAP_LLGR_RCV); + +- while (stream_get_getp(s) + 4 <= end) { ++ while (stream_get_getp(s) + BGP_CAP_LLGR_MIN_PACKET_LEN <= end) { + afi_t afi; + safi_t safi; + iana_afi_t pkt_afi = stream_getw(s); +-- +2.40.0 
diff --git a/meta-networking/recipes-protocols/frr/frr_8.2.2.bb b/meta-networking/recipes-protocols/frr/frr_8.2.2.bb index 92aca8ecdd..c98607a0dc 100644 --- a/meta-networking/recipes-protocols/frr/frr_8.2.2.bb +++ b/meta-networking/recipes-protocols/frr/frr_8.2.2.bb @@ -16,6 +16,7 @@ SRC_URI = "git://github.com/FRRouting/frr.git;protocol=https;branch=stable/8.2 \ file://CVE-2022-36440.patch \ file://CVE-2022-40318.patch \ file://CVE-2022-43681.patch \ + file://CVE-2023-31489.patch \ file://frr.pam \ " |
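
Review bot: the `From:` line in the header of CVE-2023-31489.patch names the backporter, while the first Signed-off-by is Donatas Abraitis and Upstream-Status marks the change as a backport of upstream commit b1d33ec293e8e36fbb8766252f3b016d268e31ce; keeping the upstream author in `From:` would preserve attribution. The commit message also says "[Refactored to get it to apply]", but the patch header does not say what differs from the upstream commit. A short line under Upstream-Status describing the adjustment would help whoever rebases this recipe next.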
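
Review bot: in bgp_capability_llgr(), the new loop bound `stream_get_getp(s) + BGP_CAP_LLGR_MIN_PACKET_LEN <= end` exits as soon as fewer than 7 bytes remain, so a capability whose `caphdr->length` is not a multiple of 7 leaves trailing bytes before `end` unread, and nothing in the visible lines logs or skips them. It is worth confirming that the rest of the function, or its caller, moves the stream to `end` in that case. The value 7 itself matches the layout comment (16 + 8 + 8 + 24 bits). As a style point, the `#define` sits inside the function body between the layout comment and the local declarations, the comment is not indented to the function body, and the name says "PACKET" for what is a per-tuple length; since this is a backport, those are better raised upstream than changed here.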