diff options
| author | CoprDistGit <infra@openeuler.org> | 2024-08-02 07:02:58 +0000 |
|---|---|---|
| committer | CoprDistGit <infra@openeuler.org> | 2024-08-02 07:02:58 +0000 |
| commit | e41d98802ef89d98646f14894d82eb0a8923df6f (patch) | |
| tree | 11afd5e70f8db2476806681cb6ea78bb04e80cae /0008-CVE-2023-46753.patch | |
| parent | 3eb722bc1eeafe0a7034605ebb346cb746bf53ce (diff) | |
automatic import of frropeneuler24.03_LTSopeneuler23.09
Diffstat (limited to '0008-CVE-2023-46753.patch')
| -rw-r--r-- | 0008-CVE-2023-46753.patch | 60 |
1 files changed, 60 insertions, 0 deletions
diff --git a/0008-CVE-2023-46753.patch b/0008-CVE-2023-46753.patch new file mode 100644 index 0000000..f1f0611 --- /dev/null +++ b/0008-CVE-2023-46753.patch @@ -0,0 +1,60 @@ +From d8482bf011cb2b173e85b65b4bf3d5061250cdb9 Mon Sep 17 00:00:00 2001 +From: Donatas Abraitis <donatas@opensourcerouting.org> +Date: Mon, 23 Oct 2023 23:34:10 +0300 +Subject: [PATCH] bgpd: Check mandatory attributes more carefully for UPDATE + message + +If we send a crafted BGP UPDATE message without mandatory attributes, we do +not check if the length of the path attributes is zero or not. We only check +if attr->flag is at least set or not. Imagine we send only unknown transit +attribute, then attr->flag is always 0. Also, this is true only if graceful-restart +capability is received. + +Reported-by: Iggy Frankovic <iggyfran@amazon.com> +Signed-off-by: Donatas Abraitis <donatas@opensourcerouting.org> +--- + bgpd/bgp_attr.c | 10 ++++++---- + 1 file changed, 6 insertions(+), 4 deletions(-) + +diff --git a/bgpd/bgp_attr.c b/bgpd/bgp_attr.c +index 26fd3de..bcc4424 100644 +--- a/bgpd/bgp_attr.c ++++ b/bgpd/bgp_attr.c +@@ -3400,7 +3400,8 @@ bgp_attr_unknown(struct bgp_attr_parser_args *args) + } + + /* Well-known attribute check. */ +-static int bgp_attr_check(struct peer *peer, struct attr *attr) ++static int bgp_attr_check(struct peer *peer, struct attr *attr, ++ bgp_size_t length) + { + uint8_t type = 0; + +@@ -3409,7 +3410,8 @@ static int bgp_attr_check(struct peer *peer, struct attr *attr) + * we will pass it to be processed as a normal UPDATE without mandatory + * attributes, that could lead to harmful behavior. + */ +- if (CHECK_FLAG(peer->cap, PEER_CAP_RESTART_RCV) && !attr->flag) ++ if (CHECK_FLAG(peer->cap, PEER_CAP_RESTART_RCV) && !attr->flag && ++ !length) + return BGP_ATTR_PARSE_WITHDRAW; + + if (!CHECK_FLAG(attr->flag, ATTR_FLAG_BIT(BGP_ATTR_ORIGIN))) +@@ -3462,7 +3464,7 @@ enum bgp_attr_parse_ret bgp_attr_parse(struct peer *peer, struct attr *attr, + enum bgp_attr_parse_ret ret; + uint8_t flag = 0; + uint8_t type = 0; +- bgp_size_t length; ++ bgp_size_t length = 0; + uint8_t *startp, *endp; + uint8_t *attr_endp; + uint8_t seen[BGP_ATTR_BITMAP_SIZE]; +@@ -3785,7 +3787,7 @@ enum bgp_attr_parse_ret bgp_attr_parse(struct peer *peer, struct attr *attr, + } + + /* Check all mandatory well-known attributes are present */ +- ret = bgp_attr_check(peer, attr); ++ ret = bgp_attr_check(peer, attr, length); + if (ret < 0) + goto done; + |