summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorDaniil Baturin <daniil@vyos.io>2023-09-10 15:15:08 +0100
committerGitHub <noreply@github.com>2023-09-10 15:15:08 +0100
commit46f5655f475fc1e220ede69e55c87eae66e24b41 (patch)
tree6798fcaca9b66dafd36bc02d97486c5e5cc4686d
parent6e463ebc5a760ce850942488156201345485352e (diff)
parent13a5fa10d8c8632d08cf48a445c7d5925d3d42c4 (diff)
downloadvyos-build-46f5655f475fc1e220ede69e55c87eae66e24b41.tar.gz
vyos-build-46f5655f475fc1e220ede69e55c87eae66e24b41.zip
Merge pull request #398 from c-po/equuleus
frr: T5557: use treat-as-withdraw for tunnel encapsulation attribute CVE-2023-38802
-rw-r--r--packages/frr/patches/0004-bgpd-Use-treat-as-withdraw-for-tunnel-encapsulation-.patch134
1 files changed, 134 insertions, 0 deletions
diff --git a/packages/frr/patches/0004-bgpd-Use-treat-as-withdraw-for-tunnel-encapsulation-.patch b/packages/frr/patches/0004-bgpd-Use-treat-as-withdraw-for-tunnel-encapsulation-.patch
new file mode 100644
index 00000000..a6d824c4
--- /dev/null
+++ b/packages/frr/patches/0004-bgpd-Use-treat-as-withdraw-for-tunnel-encapsulation-.patch
@@ -0,0 +1,134 @@
+From a3337f1bd534d1d2b47b149a14418c5d93d341e3 Mon Sep 17 00:00:00 2001
+From: Donatas Abraitis <donatas@opensourcerouting.org>
+Date: Thu, 13 Jul 2023 22:32:03 +0300
+Subject: [PATCH] bgpd: Use treat-as-withdraw for tunnel encapsulation
+ attribute
+
+Before this path we used session reset method, which is discouraged by rfc7606.
+
+Handle this as rfc requires.
+
+Signed-off-by: Donatas Abraitis <donatas@opensourcerouting.org>
+Signed-off-by: Christian Breunig <christian@breunig.cc>
+
+(cherry picked from commit bcb6b58d9530173df41d3a3cbc4c600ee0b4b186)
+---
+ bgpd/bgp_attr.c | 61 ++++++++++++++++++++-----------------------------
+ 1 file changed, 25 insertions(+), 36 deletions(-)
+
+diff --git a/bgpd/bgp_attr.c b/bgpd/bgp_attr.c
+index f5e54267d..4bc28fe23 100644
+--- a/bgpd/bgp_attr.c
++++ b/bgpd/bgp_attr.c
+@@ -1225,6 +1225,7 @@ bgp_attr_malformed(struct bgp_attr_parser_args *args, uint8_t subcode,
+ case BGP_ATTR_LARGE_COMMUNITIES:
+ case BGP_ATTR_ORIGINATOR_ID:
+ case BGP_ATTR_CLUSTER_LIST:
++ case BGP_ATTR_ENCAP:
+ return BGP_ATTR_PARSE_WITHDRAW;
+ case BGP_ATTR_MP_REACH_NLRI:
+ case BGP_ATTR_MP_UNREACH_NLRI:
+@@ -2320,26 +2321,21 @@ bgp_attr_ipv6_ext_communities(struct bgp_attr_parser_args *args)
+ }
+
+ /* Parse Tunnel Encap attribute in an UPDATE */
+-static int bgp_attr_encap(uint8_t type, struct peer *peer, /* IN */
+- bgp_size_t length, /* IN: attr's length field */
+- struct attr *attr, /* IN: caller already allocated */
+- uint8_t flag, /* IN: attr's flags field */
+- uint8_t *startp)
++static int bgp_attr_encap(struct bgp_attr_parser_args *args)
+ {
+- bgp_size_t total;
+ uint16_t tunneltype = 0;
+-
+- total = length + (CHECK_FLAG(flag, BGP_ATTR_FLAG_EXTLEN) ? 4 : 3);
++ struct peer *const peer = args->peer;
++ struct attr *const attr = args->attr;
++ bgp_size_t length = args->length;
++ uint8_t type = args->type;
++ uint8_t flag = args->flags;
+
+ if (!CHECK_FLAG(flag, BGP_ATTR_FLAG_TRANS)
+ || !CHECK_FLAG(flag, BGP_ATTR_FLAG_OPTIONAL)) {
+- zlog_info(
+- "Tunnel Encap attribute flag isn't optional and transitive %d",
+- flag);
+- bgp_notify_send_with_data(peer, BGP_NOTIFY_UPDATE_ERR,
+- BGP_NOTIFY_UPDATE_ATTR_FLAG_ERR,
+- startp, total);
+- return -1;
++ zlog_err("Tunnel Encap attribute flag isn't optional and transitive %d",
++ flag);
++ return bgp_attr_malformed(args, BGP_NOTIFY_UPDATE_OPT_ATTR_ERR,
++ args->total);
+ }
+
+ if (BGP_ATTR_ENCAP == type) {
+@@ -2347,12 +2343,11 @@ static int bgp_attr_encap(uint8_t type, struct peer *peer, /* IN */
+ uint16_t tlv_length;
+
+ if (length < 4) {
+- zlog_info(
++ zlog_err(
+ "Tunnel Encap attribute not long enough to contain outer T,L");
+- bgp_notify_send_with_data(
+- peer, BGP_NOTIFY_UPDATE_ERR,
+- BGP_NOTIFY_UPDATE_OPT_ATTR_ERR, startp, total);
+- return -1;
++ return bgp_attr_malformed(args,
++ BGP_NOTIFY_UPDATE_OPT_ATTR_ERR,
++ args->total);
+ }
+ tunneltype = stream_getw(BGP_INPUT(peer));
+ tlv_length = stream_getw(BGP_INPUT(peer));
+@@ -2382,13 +2377,11 @@ static int bgp_attr_encap(uint8_t type, struct peer *peer, /* IN */
+ }
+
+ if (sublength > length) {
+- zlog_info(
+- "Tunnel Encap attribute sub-tlv length %d exceeds remaining length %d",
+- sublength, length);
+- bgp_notify_send_with_data(
+- peer, BGP_NOTIFY_UPDATE_ERR,
+- BGP_NOTIFY_UPDATE_OPT_ATTR_ERR, startp, total);
+- return -1;
++ zlog_err("Tunnel Encap attribute sub-tlv length %d exceeds remaining length %d",
++ sublength, length);
++ return bgp_attr_malformed(args,
++ BGP_NOTIFY_UPDATE_OPT_ATTR_ERR,
++ args->total);
+ }
+
+ /* alloc and copy sub-tlv */
+@@ -2434,13 +2427,10 @@ static int bgp_attr_encap(uint8_t type, struct peer *peer, /* IN */
+
+ if (length) {
+ /* spurious leftover data */
+- zlog_info(
+- "Tunnel Encap attribute length is bad: %d leftover octets",
+- length);
+- bgp_notify_send_with_data(peer, BGP_NOTIFY_UPDATE_ERR,
+- BGP_NOTIFY_UPDATE_OPT_ATTR_ERR,
+- startp, total);
+- return -1;
++ zlog_err("Tunnel Encap attribute length is bad: %d leftover octets",
++ length);
++ return bgp_attr_malformed(args, BGP_NOTIFY_UPDATE_OPT_ATTR_ERR,
++ args->total);
+ }
+
+ return 0;
+@@ -3128,8 +3118,7 @@ bgp_attr_parse_ret_t bgp_attr_parse(struct peer *peer, struct attr *attr,
+ case BGP_ATTR_VNC:
+ #endif
+ case BGP_ATTR_ENCAP:
+- ret = bgp_attr_encap(type, peer, length, attr, flag,
+- startp);
++ ret = bgp_attr_encap(&attr_args);
+ break;
+ case BGP_ATTR_PREFIX_SID:
+ ret = bgp_attr_prefix_sid(&attr_args);
+--
+2.39.2
+