frr: Security fix CVE-2023-3748

CVE-2023-3748:
A flaw was found in FRRouting when parsing certain babeld unicast hello
messages that are intended to be ignored. This issue may allow an
attacker to send specially crafted hello messages with the unicast flag
set, the interval field set to 0, or any TLV that contains a sub-TLV
with the Mandatory flag set to enter an infinite loop and cause a denial
of service.

Reference:
https://nvd.nist.gov/vuln/detail/CVE-2023-3748

Patch from:
https://github.com/FRRouting/frr/commit/ae1e0e1fed77716bc06f181ad68c4433fb5523d0

Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit ee1026ab77dcb31b0f5cb723b4d998aab4c00382)
Signed-off-by: Armin Kuster <akuster808@gmail.com>

2 files changed, 55 insertions, 0 deletions

diff --git a/meta-networking/recipes-protocols/frr/frr/CVE-2023-3748.patch b/meta-networking/recipes-protocols/frr/frr/CVE-2023-3748.patch
new file mode 100644
index 0000000000..4a8a7e1afd
--- /dev/null
+++ b/meta-networking/recipes-protocols/frr/frr/CVE-2023-3748.patch
@@ -0,0 +1,54 @@
+From e61593f2ded104c4c7f01eb93e2b404e93e0c560 Mon Sep 17 00:00:00 2001
+From: harryreps <harryreps@gmail.com>
+Date: Fri, 3 Mar 2023 23:17:14 +0000
+Subject: [PATCH] babeld: fix #11808 to avoid infinite loops
+
+Replacing continue in loops to goto done so that index of packet buffer
+increases.
+
+Signed-off-by: harryreps <harryreps@gmail.com>
+
+CVE: CVE-2023-3748
+
+Upstream-Status: Backport
+[https://github.com/FRRouting/frr/commit/ae1e0e1fed77716bc06f181ad68c4433fb5523d0]
+
+Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
+---
+ babeld/message.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/babeld/message.c b/babeld/message.c
+index 7d45d91bf..2bf233796 100644
+--- a/babeld/message.c
++++ b/babeld/message.c
+@@ -439,7 +439,7 @@ parse_packet(const unsigned char *from, struct interface *ifp,
+ 			debugf(BABEL_DEBUG_COMMON,
+ 			       "Received Hello from %s on %s that does not have all 0's in the unused section of flags, ignoring",
+ 			       format_address(from), ifp->name);
+-			continue;
++			goto done;
+ 		}
+ 
+ 		/*
+@@ -451,7 +451,7 @@ parse_packet(const unsigned char *from, struct interface *ifp,
+ 			debugf(BABEL_DEBUG_COMMON,
+ 			       "Received Unicast Hello from %s on %s that FRR is not prepared to understand yet",
+ 			       format_address(from), ifp->name);
+-			continue;
++			goto done;
+ 		}
+ 
+ 		DO_NTOHS(seqno, message + 4);
+@@ -469,7 +469,7 @@ parse_packet(const unsigned char *from, struct interface *ifp,
+ 			debugf(BABEL_DEBUG_COMMON,
+ 			       "Received hello from %s on %s should be ignored as that this version of FRR does not know how to properly handle interval == 0",
+ 			       format_address(from), ifp->name);
+-			continue;
++			goto done;
+ 		}
+ 
+ 		changed = update_neighbour(neigh, seqno, interval);
+-- 
+2.25.1
+
diff --git a/meta-networking/recipes-protocols/frr/frr_8.4.4.bb b/meta-networking/recipes-protocols/frr/frr_8.4.4.bb
index b87c3e78b0..f32b52f331 100644
--- a/meta-networking/recipes-protocols/frr/frr_8.4.4.bb
+++ b/meta-networking/recipes-protocols/frr/frr_8.4.4.bb
@@ -12,6 +12,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=b234ee4d69f5fce4486a80fdaf4a4263 \
 SRC_URI = "git://github.com/FRRouting/frr.git;protocol=https;branch=stable/8.4 \
            file://frr.pam \
            file://0001-m4-ax_python.m4-check-for-python-x.y-emded.pc-not-py.patch \
+           file://CVE-2023-3748.patch \
            "
 
 SRCREV = "45e36c0c00a517ad1606135b18c5753e210cfc0d"