import frr-8.3.1-11.el9_3

i9c changed/i9c/frr-8.3.1-11.el9_3
MSVSphere Packaging Team 1 year ago
parent 0b71c3d730
commit 0648fbd27f

@ -0,0 +1,59 @@
From 3e46b43e3788f0f87bae56a86b54d412b4710286 Mon Sep 17 00:00:00 2001
From: Donald Sharp <sharpd@nvidia.com>
Date: Fri, 30 Sep 2022 08:51:45 -0400
Subject: [PATCH] bgpd: Ensure FRR has enough data to read 2 bytes in
peek_for_as4_capability
In peek_for_as4_capability the code is checking that the
stream has at least 2 bytes to read ( the opt_type and the
opt_length ). However if BGP_OPEN_EXT_OPT_PARAMS_CAPABLE(peer)
is configured then FRR is reading 3 bytes. Which is not good
since the packet could be badly formated. Ensure that
FRR has the appropriate data length to read the data.
Signed-off-by: Donald Sharp <sharpd@nvidia.com>
---
bgpd/bgp_open.c | 27 +++++++++++++++++++++------
1 file changed, 21 insertions(+), 6 deletions(-)
diff --git a/bgpd/bgp_open.c b/bgpd/bgp_open.c
index 7248f034a5a..a760a7ca013 100644
--- a/bgpd/bgp_open.c
+++ b/bgpd/bgp_open.c
@@ -1185,15 +1185,30 @@ as_t peek_for_as4_capability(struct peer *peer, uint16_t length)
uint8_t opt_type;
uint16_t opt_length;
- /* Check the length. */
- if (stream_get_getp(s) + 2 > end)
+ /* Ensure we can read the option type */
+ if (stream_get_getp(s) + 1 > end)
goto end;
- /* Fetch option type and length. */
+ /* Fetch the option type */
opt_type = stream_getc(s);
- opt_length = BGP_OPEN_EXT_OPT_PARAMS_CAPABLE(peer)
- ? stream_getw(s)
- : stream_getc(s);
+
+ /*
+ * Check the length and fetch the opt_length
+ * If the peer is BGP_OPEN_EXT_OPT_PARAMS_CAPABLE(peer)
+ * then we do a getw which is 2 bytes. So we need to
+ * ensure that we can read that as well
+ */
+ if (BGP_OPEN_EXT_OPT_PARAMS_CAPABLE(peer)) {
+ if (stream_get_getp(s) + 2 > end)
+ goto end;
+
+ opt_length = stream_getw(s);
+ } else {
+ if (stream_get_getp(s) + 1 > end)
+ goto end;
+
+ opt_length = stream_getc(s);
+ }
/* Option length check. */
if (stream_get_getp(s) + opt_length > end)

@ -0,0 +1,47 @@
From 766eec1b7accffe2c04a5c9ebb14e9f487bb9f78 Mon Sep 17 00:00:00 2001
From: Donald Sharp <sharpd@nvidia.com>
Date: Wed, 2 Nov 2022 13:24:48 -0400
Subject: [PATCH] bgpd: Ensure that bgp open message stream has enough data to
read
If a operator receives an invalid packet that is of insufficient size
then it is possible for BGP to assert during reading of the packet
instead of gracefully resetting the connection with the peer.
Signed-off-by: Donald Sharp <sharpd@nvidia.com>
---
bgpd/bgp_packet.c | 19 +++++++++++++++++++
1 file changed, 19 insertions(+)
diff --git a/bgpd/bgp_packet.c b/bgpd/bgp_packet.c
index 769f9613da8..72d6a923175 100644
--- a/bgpd/bgp_packet.c
+++ b/bgpd/bgp_packet.c
@@ -1386,8 +1386,27 @@ static int bgp_open_receive(struct peer *peer, bgp_size_t size)
|| CHECK_FLAG(peer->flags, PEER_FLAG_EXTENDED_OPT_PARAMS)) {
uint8_t opttype;
+ if (STREAM_READABLE(peer->curr) < 1) {
+ flog_err(
+ EC_BGP_PKT_OPEN,
+ "%s: stream does not have enough bytes for extended optional parameters",
+ peer->host);
+ bgp_notify_send(peer, BGP_NOTIFY_OPEN_ERR,
+ BGP_NOTIFY_OPEN_MALFORMED_ATTR);
+ return BGP_Stop;
+ }
+
opttype = stream_getc(peer->curr);
if (opttype == BGP_OPEN_NON_EXT_OPT_TYPE_EXTENDED_LENGTH) {
+ if (STREAM_READABLE(peer->curr) < 2) {
+ flog_err(
+ EC_BGP_PKT_OPEN,
+ "%s: stream does not have enough bytes to read the extended optional parameters optlen",
+ peer->host);
+ bgp_notify_send(peer, BGP_NOTIFY_OPEN_ERR,
+ BGP_NOTIFY_OPEN_MALFORMED_ATTR);
+ return BGP_Stop;
+ }
optlen = stream_getw(peer->curr);
SET_FLAG(peer->sflags,
PEER_STATUS_EXT_OPT_PARAMS_LENGTH);

@ -0,0 +1,70 @@
From 1117baca3c592877a4d8a13ed6a1d9bd83977487 Mon Sep 17 00:00:00 2001
From: Donald Sharp <sharpd@nvidia.com>
Date: Fri, 30 Sep 2022 08:57:43 -0400
Subject: [PATCH] bgpd: Ensure FRR has enough data to read 2 bytes in
bgp_open_option_parse
In bgp_open_option_parse the code is checking that the
stream has at least 2 bytes to read ( the opt_type and
the opt_length). However if BGP_OPEN_EXT_OPT_PARAMS_CAPABLE(peer)
is configured then FRR is reading 3 bytes. Which is not good
since the packet could be badly formateed. Ensure that
FRR has the appropriate data length to read the data.
Signed-off-by: Donald Sharp <sharpd@nvidia.com>
---
bgpd/bgp_open.c | 35 ++++++++++++++++++++++++++++-------
1 file changed, 28 insertions(+), 7 deletions(-)
diff --git a/bgpd/bgp_open.c b/bgpd/bgp_open.c
index a760a7ca013..d1667fac261 100644
--- a/bgpd/bgp_open.c
+++ b/bgpd/bgp_open.c
@@ -1278,19 +1278,40 @@ int bgp_open_option_parse(struct peer *peer, uint16_t length,
uint8_t opt_type;
uint16_t opt_length;
- /* Must have at least an OPEN option header */
- if (STREAM_READABLE(s) < 2) {
+ /*
+ * Check that we can read the opt_type and fetch it
+ */
+ if (STREAM_READABLE(s) < 1) {
zlog_info("%s Option length error", peer->host);
bgp_notify_send(peer, BGP_NOTIFY_OPEN_ERR,
BGP_NOTIFY_OPEN_MALFORMED_ATTR);
return -1;
}
-
- /* Fetch option type and length. */
opt_type = stream_getc(s);
- opt_length = BGP_OPEN_EXT_OPT_PARAMS_CAPABLE(peer)
- ? stream_getw(s)
- : stream_getc(s);
+
+ /*
+ * Check the length of the stream to ensure that
+ * FRR can properly read the opt_length. Then read it
+ */
+ if (BGP_OPEN_EXT_OPT_PARAMS_CAPABLE(peer)) {
+ if (STREAM_READABLE(s) < 2) {
+ zlog_info("%s Option length error", peer->host);
+ bgp_notify_send(peer, BGP_NOTIFY_OPEN_ERR,
+ BGP_NOTIFY_OPEN_MALFORMED_ATTR);
+ return -1;
+ }
+
+ opt_length = stream_getw(s);
+ } else {
+ if (STREAM_READABLE(s) < 1) {
+ zlog_info("%s Option length error", peer->host);
+ bgp_notify_send(peer, BGP_NOTIFY_OPEN_ERR,
+ BGP_NOTIFY_OPEN_MALFORMED_ATTR);
+ return -1;
+ }
+
+ opt_length = stream_getc(s);
+ }
/* Option length check. */
if (STREAM_READABLE(s) < opt_length) {

@ -160,3 +160,55 @@ interface(`frr_admin',`
systemd_read_fifo_file_passwd_run($1)
')
')
########################################
#
# Interface compatibility blocks
#
# The following definitions ensure compatibility with distribution policy
# versions that do not contain given interfaces (epel, or older Fedora
# releases).
# Each block tests for existence of given interface and defines it if needed.
#
######################################
## <summary>
## Watch ifconfig_var_run_t directories
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
ifndef(`sysnet_watch_ifconfig_run',`
interface(`sysnet_watch_ifconfig_run',`
gen_require(`
type ifconfig_var_run_t;
')
watch_dirs_pattern($1, ifconfig_var_run_t, ifconfig_var_run_t)
')
')
########################################
## <summary>
## Read ifconfig_var_run_t files and link files
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
ifndef(`sysnet_read_ifconfig_run',`
interface(`sysnet_read_ifconfig_run',`
gen_require(`
type ifconfig_var_run_t;
')
list_dirs_pattern($1, ifconfig_var_run_t, ifconfig_var_run_t)
read_files_pattern($1, ifconfig_var_run_t, ifconfig_var_run_t)
read_lnk_files_pattern($1, ifconfig_var_run_t, ifconfig_var_run_t)
')
')

@ -31,9 +31,9 @@ files_pid_file(frr_var_run_t)
#
# frr local policy
#
allow frr_t self:capability { chown dac_override dac_read_search kill net_bind_service net_raw setgid setuid net_admin };
allow frr_t self:capability { chown dac_override dac_read_search kill net_bind_service net_raw setgid setuid net_admin sys_admin };
allow frr_t self:netlink_route_socket rw_netlink_socket_perms;
allow frr_t self:packet_socket create;
allow frr_t self:packet_socket create_socket_perms;
allow frr_t self:process { setcap setpgid };
allow frr_t self:rawip_socket create_socket_perms;
allow frr_t self:tcp_socket { connect connected_stream_socket_perms };
@ -95,6 +95,10 @@ domain_use_interactive_fds(frr_t)
fs_read_nsfs_files(frr_t)
sysnet_exec_ifconfig(frr_t)
sysnet_read_ifconfig_run(frr_t)
sysnet_watch_ifconfig_run(frr_t)
ipsec_domtrans_mgmt(frr_t)
userdom_read_admin_home_files(frr_t)

@ -7,7 +7,7 @@
Name: frr
Version: 8.3.1
Release: 5%{?checkout}%{?dist}.2
Release: 11%{?checkout}%{?dist}
Summary: Routing daemon
License: GPLv2+
URL: http://www.frrouting.org
@ -71,8 +71,11 @@ Patch0005: 0005-ospf-api.patch
Patch0006: 0006-graceful-restart.patch
Patch0007: 0007-cve-2022-37032.patch
Patch0008: 0008-frr-non-root-user.patch
Patch0009: 0009-bfd-not-working-in-vrf.patch
Patch0010: 0010-CVE-2023-38802.patch
Patch0009: 0009-CVE-2022-36440-40302.patch
Patch0010: 0010-CVE-2022-43681.patch
Patch0011: 0011-CVE-2022-40318.patch
Patch0012: 0012-bfd-not-working-in-vrf.patch
Patch0013: 0013-CVE-2023-38802.patch
%description
FRRouting is free software that manages TCP/IP based routing protocols. It takes
@ -278,13 +281,28 @@ make check PYTHON=%{__python3}
%endif
%changelog
* Wed Sep 06 2023 Michal Ruprich <mruprich@redhat.com> - 8.3.1-5.2
- Resolves: #2236711 - Incorrect handling of a error in parsing of an invalid section of a BGP update can de-peer a router
* Wed Sep 13 2023 Michal Ruprich <mruprich@redhat.com> - 8.3.1-11
- Resolves: #2231001 - Incorrect handling of a error in parsing of an invalid section of a BGP update can de-peer a router
* Wed Jun 07 2023 Michal Ruprich <mruprich@redhat.com> - 8.3.1-5.1
- Resolves: #2212921 - BFD not working through VRF
* Thu Aug 10 2023 Michal Ruprich <mruprich@redhat.com> - 8.3.1-10
- Related: #2216912 - adding sys_admin to capabilities
* Wed Mar 15 2023 MSVSphere Packaging Team <packager@msvsphere.ru> - 8.2.2-4
* Tue Aug 08 2023 Michal Ruprich <mruprich@redhat.com> - 8.3.1-9
- Resolves: #2215346 - frr policy does not allow the execution of /usr/sbin/ipsec
* Mon Aug 07 2023 Michal Ruprich <mruprich@redhat.com> - 8.3.1-8
- Resolves: #2216912 - SELinux is preventing FRR-Zebra to access to network namespaces
* Wed Jun 07 2023 Michal Ruprich <mruprich@redhat.com> - 8.3.1-7
- Resolves: #2168855 - BFD not working through VRF
* Tue May 23 2023 Michal Ruprich <mruprich@redhat.com> - 8.3.1-6
- Resolves: #2184870 - Reachable assertion in peek_for_as4_capability function
- Resolves: #2196795 - denial of service by crafting a BGP OPEN message with an option of type 0xff
- Resolves: #2196796 - denial of service by crafting a BGP OPEN message with an option of type 0xff
- Resolves: #2196794 - out-of-bounds read exists in the BGP daemon of FRRouting
* Wed Mar 15 2023 MSVSphere Packaging Team <packager@msvsphere.ru> - 8.3.1-5
- Rebuilt for MSVSphere 9.1.
* Mon Nov 28 2022 Michal Ruprich <mruprich@redhat.com> - 8.3.1-5

Loading…
Cancel
Save