From 38fb8673f3bf752d260524e0acf8c526e478390b Mon Sep 17 00:00:00 2001 From: MSVSphere Packaging Team Date: Thu, 28 Mar 2024 17:13:35 +0300 Subject: [PATCH] import frr-8.5.3-4.el9 --- .frr.metadata | 2 +- .gitignore | 2 +- SOURCES/0000-remove-babeld-and-ldpd.patch | 10 +- SOURCES/0004-fips-mode.patch | 2 +- SOURCES/0005-CVE-2023-47235.patch | 110 ++++++++++ SOURCES/0005-ospf-api.patch | 25 --- SOURCES/0006-CVE-2023-47234.patch | 95 ++++++++ SOURCES/0006-graceful-restart.patch | 78 ------- SOURCES/0007-CVE-2023-46752.patch | 76 +++++++ SOURCES/0007-cve-2022-37032.patch | 32 --- SOURCES/0008-CVE-2023-46753.patch | 60 +++++ SOURCES/0008-frr-non-root-user.patch | 67 ------ SOURCES/0009-CVE-2022-36440-40302.patch | 59 ----- SOURCES/0010-CVE-2022-43681.patch | 47 ---- SOURCES/0011-CVE-2022-40318.patch | 70 ------ SOURCES/0012-bfd-not-working-in-vrf.patch | 255 ---------------------- SPECS/frr.spec | 35 ++- 17 files changed, 374 insertions(+), 651 deletions(-) create mode 100644 SOURCES/0005-CVE-2023-47235.patch delete mode 100644 SOURCES/0005-ospf-api.patch create mode 100644 SOURCES/0006-CVE-2023-47234.patch delete mode 100644 SOURCES/0006-graceful-restart.patch create mode 100644 SOURCES/0007-CVE-2023-46752.patch delete mode 100644 SOURCES/0007-cve-2022-37032.patch create mode 100644 SOURCES/0008-CVE-2023-46753.patch delete mode 100644 SOURCES/0008-frr-non-root-user.patch delete mode 100644 SOURCES/0009-CVE-2022-36440-40302.patch delete mode 100644 SOURCES/0010-CVE-2022-43681.patch delete mode 100644 SOURCES/0011-CVE-2022-40318.patch delete mode 100644 SOURCES/0012-bfd-not-working-in-vrf.patch diff --git a/.frr.metadata b/.frr.metadata index 48fa4ae..ebc1e4a 100644 --- a/.frr.metadata +++ b/.frr.metadata @@ -1 +1 @@ -467835eb73a6018948fd667663ce68282cf6d16b SOURCES/frr-8.3.1.tar.gz +5f46099a744058de374dbbf5240d1c4292a143f2 SOURCES/frr-8.5.3.tar.gz diff --git a/.gitignore b/.gitignore index 00c04c8..08f047d 100644 --- a/.gitignore +++ b/.gitignore 
@@ -1 +1 @@ -SOURCES/frr-8.3.1.tar.gz +SOURCES/frr-8.5.3.tar.gz diff --git a/SOURCES/0000-remove-babeld-and-ldpd.patch b/SOURCES/0000-remove-babeld-and-ldpd.patch index 37c416a..4fac02b 100644 --- a/SOURCES/0000-remove-babeld-and-ldpd.patch +++ b/SOURCES/0000-remove-babeld-and-ldpd.patch @@ -28,13 +28,13 @@ index 5be3264..33abc1d 100644 nhrpd/Makefile \ ospf6d/Makefile \ diff --git a/tools/etc/frr/daemons b/tools/etc/frr/daemons -index f6d512b..6d4831d 100644 +index 8aa0887..c92dcca 100644 --- a/tools/etc/frr/daemons +++ b/tools/etc/frr/daemons -@@ -21,10 +21,8 @@ ripd=no - ripngd=no +@@ -22,10 +22,8 @@ ripngd=no isisd=no pimd=no + pim6d=no -ldpd=no nhrpd=no eigrpd=no @@ -42,10 +42,10 @@ index f6d512b..6d4831d 100644 sharpd=no pbrd=no bfdd=no -@@ -45,10 +43,8 @@ ripd_options=" -A 127.0.0.1" - ripngd_options=" -A ::1" +@@ -48,10 +46,8 @@ ripngd_options=" -A ::1" isisd_options=" -A 127.0.0.1" pimd_options=" -A 127.0.0.1" + pim6d_options=" -A ::1" -ldpd_options=" -A 127.0.0.1" nhrpd_options=" -A 127.0.0.1" eigrpd_options=" -A 127.0.0.1" diff --git a/SOURCES/0004-fips-mode.patch b/SOURCES/0004-fips-mode.patch index 51f9ed3..deedf14 100644 --- a/SOURCES/0004-fips-mode.patch +++ b/SOURCES/0004-fips-mode.patch @@ -111,5 +111,5 @@ index 53ae5b4..930307f 100644 #include +#include #endif - + #include "openbsd-tree.h" diff --git a/SOURCES/0005-CVE-2023-47235.patch b/SOURCES/0005-CVE-2023-47235.patch new file mode 100644 index 0000000..6d0504b --- /dev/null +++ b/SOURCES/0005-CVE-2023-47235.patch 
@@ -0,0 +1,110 @@ +From 71422bfe269e34b69d78f9fb02f30426f2fdef48 Mon Sep 17 00:00:00 2001 +From: rpm-build +Date: Wed, 13 Dec 2023 16:59:46 +0100 +Subject: [PATCH] bgpd: Treat EOR as withdrawn to avoid unwanted handling of + malformed attrs + +Treat-as-withdraw, otherwise if we just ignore it, we will pass it to be +processed as a normal UPDATE without mandatory attributes, that could lead +to harmful behavior. In this case, a crash for route-maps with the configuration +such as: + +``` +router bgp 65001 + no bgp ebgp-requires-policy + neighbor 127.0.0.1 remote-as external + neighbor 127.0.0.1 passive + neighbor 127.0.0.1 ebgp-multihop + neighbor 127.0.0.1 disable-connected-check + neighbor 127.0.0.1 update-source 127.0.0.2 + neighbor 127.0.0.1 timers 3 90 + neighbor 127.0.0.1 timers connect 1 + ! + address-family ipv4 unicast + neighbor 127.0.0.1 addpath-tx-all-paths + neighbor 127.0.0.1 default-originate + neighbor 127.0.0.1 route-map RM_IN in + exit-address-family +exit +! +route-map RM_IN permit 10 + set as-path prepend 200 +exit +``` + +Send a malformed optional transitive attribute: + +``` +import socket +import time + +OPEN = (b"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +b"\xff\xff\x00\x62\x01\x04\xfd\xea\x00\x5a\x0a\x00\x00\x01\x45\x02" +b"\x06\x01\x04\x00\x01\x00\x01\x02\x02\x02\x00\x02\x02\x46\x00\x02" +b"\x06\x41\x04\x00\x00\xfd\xea\x02\x02\x06\x00\x02\x06\x45\x04\x00" +b"\x01\x01\x03\x02\x0e\x49\x0c\x0a\x64\x6f\x6e\x61\x74\x61\x73\x2d" +b"\x70\x63\x00\x02\x04\x40\x02\x00\x78\x02\x09\x47\x07\x00\x01\x01" +b"\x80\x00\x00\x00") + +KEEPALIVE = (b"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +b"\xff\xff\xff\xff\xff\xff\x00\x13\x04") + +UPDATE = bytearray.fromhex("ffffffffffffffffffffffffffffffff002b0200000003c0ff00010100eb00ac100b0b001ad908ac100b0b") + +s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) +s.connect(('127.0.0.2', 179)) +s.send(OPEN) +data = s.recv(1024) +s.send(KEEPALIVE) +data = s.recv(1024) +s.send(UPDATE) +data = 
s.recv(1024) +time.sleep(100) +s.close() +``` + +Reported-by: Iggy Frankovic +Signed-off-by: Donatas Abraitis + +(cherry picked from commit 6814f2e0138a6ea5e1f83bdd9085d9a77999900b) +--- + bgpd/bgp_attr.c | 15 ++++++++++++--- + 1 file changed, 12 insertions(+), 3 deletions(-) + +diff --git a/bgpd/bgp_attr.c b/bgpd/bgp_attr.c +index a121911..12a6953 100644 +--- a/bgpd/bgp_attr.c ++++ b/bgpd/bgp_attr.c +@@ -3079,9 +3079,12 @@ static int bgp_attr_check(struct peer *peer, struct attr *attr) + uint8_t type = 0; + + /* BGP Graceful-Restart End-of-RIB for IPv4 unicast is signaled as an +- * empty UPDATE. */ ++ * empty UPDATE. Treat-as-withdraw, otherwise if we just ignore it, ++ * we will pass it to be processed as a normal UPDATE without mandatory ++ * attributes, that could lead to harmful behavior. ++ */ + if (CHECK_FLAG(peer->cap, PEER_CAP_RESTART_RCV) && !attr->flag) +- return BGP_ATTR_PARSE_PROCEED; ++ return BGP_ATTR_PARSE_WITHDRAW; + + /* "An UPDATE message that contains the MP_UNREACH_NLRI is not required + to carry any other path attributes.", though if MP_REACH_NLRI or NLRI +@@ -3507,7 +3510,13 @@ done: + aspath_unintern(&as4_path); + + transit = bgp_attr_get_transit(attr); +- if (ret != BGP_ATTR_PARSE_ERROR) { ++ /* If we received an UPDATE with mandatory attributes, then ++ * the unrecognized transitive optional attribute of that ++ * path MUST be passed. Otherwise, it's an error, and from ++ * security perspective it might be very harmful if we continue ++ * here with the unrecognized attributes. ++ */ ++ if (ret == BGP_ATTR_PARSE_PROCEED) { + /* Finally intern unknown attribute. */ + if (transit) + bgp_attr_set_transit(attr, transit_intern(transit)); +-- +2.43.0 + diff --git a/SOURCES/0005-ospf-api.patch b/SOURCES/0005-ospf-api.patch deleted file mode 100644 index bd5bbcb..0000000 --- a/SOURCES/0005-ospf-api.patch +++ /dev/null 
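Review bot: In the `done:` hunk of the embedded bgp_attr.c patch, narrowing the intern step from `ret != BGP_ATTR_PARSE_ERROR` to `ret == BGP_ATTR_PARSE_PROCEED` sends every other result down the branch that follows. That now includes the `BGP_ATTR_PARSE_WITHDRAW` returned by the first hunk, and the branch itself lies outside the hunk. It should be confirmed that this branch releases the un-interned `transit` data, since the treat-as-withdraw path can be taken on every such UPDATE a peer sends. The comment added in bgp_attr_check also still opens with the End-of-RIB sentence although the branch now rejects; wording such as `/* GR-capable peer and no attribute flag set: treat-as-withdraw instead of processing without mandatory attributes. */` would describe the `!attr->flag` condition more directly.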
@@ -1,25 +0,0 @@ -diff --git a/ospfd/ospf_spf.c b/ospfd/ospf_spf.c -index 74a5674..aec9037 100644 ---- a/ospfd/ospf_spf.c -+++ b/ospfd/ospf_spf.c -@@ -48,7 +48,10 @@ - #include "ospfd/ospf_sr.h" - #include "ospfd/ospf_ti_lfa.h" - #include "ospfd/ospf_errors.h" -+ -+#ifdef SUPPORT_OSPF_API - #include "ospfd/ospf_apiserver.h" -+#endif - - /* Variables to ensure a SPF scheduled log message is printed only once */ - -@@ -1897,7 +1900,9 @@ static void ospf_spf_calculate_schedule_worker(struct thread *thread) - /* Update all routers routing table */ - ospf->oall_rtrs = ospf->all_rtrs; - ospf->all_rtrs = all_rtrs; -+#ifdef SUPPORT_OSPF_API - ospf_apiserver_notify_reachable(ospf->oall_rtrs, ospf->all_rtrs); -+#endif - - /* Free old ABR/ASBR routing table */ - if (ospf->old_rtrs) diff --git a/SOURCES/0006-CVE-2023-47234.patch b/SOURCES/0006-CVE-2023-47234.patch new file mode 100644 index 0000000..39f1886 --- /dev/null +++ b/SOURCES/0006-CVE-2023-47234.patch 
@@ -0,0 +1,95 @@
+From 7fe95b24333cceb6cd04595694cd502fcd3666f6 Mon Sep 17 00:00:00 2001
+From: rpm-build
+Date: Wed, 13 Dec 2023 18:25:48 +0100
+Subject: [PATCH] bgpd: Ignore handling NLRIs if we received MP_UNREACH_NLRI
+
+If we receive MP_UNREACH_NLRI, we should stop handling remaining NLRIs if
+no mandatory path attributes received.
+
+In other words, if MP_UNREACH_NLRI received, the remaining NLRIs should be handled
+as a new data, but without mandatory attributes, it's a malformed packet.
+
+In normal case, this MUST not happen at all, but to avoid crashing bgpd, we MUST
+handle that.
+
+Reported-by: Iggy Frankovic
+Signed-off-by: Donatas Abraitis
+Signed-off-by: Christian Breunig
+
+(cherry picked from commit c37119df45bbf4ef713bc10475af2ee06e12f3bf)
+---
+ bgpd/bgp_attr.c | 19 ++++++++++---------
+ bgpd/bgp_attr.h | 1 +
+ bgpd/bgp_packet.c | 7 ++++++-
+ 3 files changed, 17 insertions(+), 10 deletions(-)
+
+diff --git a/bgpd/bgp_attr.c b/bgpd/bgp_attr.c
+index 12a6953..8b02f2c 100644
+--- a/bgpd/bgp_attr.c
++++ b/bgpd/bgp_attr.c
+@@ -3086,15 +3086,6 @@ static int bgp_attr_check(struct peer *peer, struct attr *attr)
+ if (CHECK_FLAG(peer->cap, PEER_CAP_RESTART_RCV) && !attr->flag)
+ return BGP_ATTR_PARSE_WITHDRAW;
+
+- /* "An UPDATE message that contains the MP_UNREACH_NLRI is not required
+- to carry any other path attributes.", though if MP_REACH_NLRI or NLRI
+- are present, it should. Check for any other attribute being present
+- instead.
+- */
+- if ((!CHECK_FLAG(attr->flag, ATTR_FLAG_BIT(BGP_ATTR_MP_REACH_NLRI)) &&
+- CHECK_FLAG(attr->flag, ATTR_FLAG_BIT(BGP_ATTR_MP_UNREACH_NLRI))))
+- return BGP_ATTR_PARSE_PROCEED;
+-
+ if (!CHECK_FLAG(attr->flag, ATTR_FLAG_BIT(BGP_ATTR_ORIGIN)))
+ type = BGP_ATTR_ORIGIN;
+
+@@ -3113,6 +3104,16 @@ static int bgp_attr_check(struct peer *peer, struct attr *attr)
+ && !CHECK_FLAG(attr->flag, ATTR_FLAG_BIT(BGP_ATTR_LOCAL_PREF)))
+ type = BGP_ATTR_LOCAL_PREF;
+
++ /* An UPDATE message that contains the MP_UNREACH_NLRI is not required
++ * to carry any other path attributes. Though if MP_REACH_NLRI or NLRI
++ * are present, it should. Check for any other attribute being present
++ * instead.
++ */
++ if (!CHECK_FLAG(attr->flag, ATTR_FLAG_BIT(BGP_ATTR_MP_REACH_NLRI)) &&
++ CHECK_FLAG(attr->flag, ATTR_FLAG_BIT(BGP_ATTR_MP_UNREACH_NLRI)))
++ return type ? BGP_ATTR_PARSE_MISSING_MANDATORY
++ : BGP_ATTR_PARSE_PROCEED;
++
+ /* If any of the well-known mandatory attributes are not present
+ * in an UPDATE message, then "treat-as-withdraw" MUST be used.
+ */
+diff --git a/bgpd/bgp_attr.h b/bgpd/bgp_attr.h
+index 06f350b..b9dfec9 100644
+--- a/bgpd/bgp_attr.h
++++ b/bgpd/bgp_attr.h
+@@ -379,6 +379,7 @@ enum bgp_attr_parse_ret {
+ */
+ BGP_ATTR_PARSE_ERROR_NOTIFYPLS = -3,
+ BGP_ATTR_PARSE_EOR = -4,
++ BGP_ATTR_PARSE_MISSING_MANDATORY = -5,
+ };
+
+ struct bpacket_attr_vec_arr;
+diff --git a/bgpd/bgp_packet.c b/bgpd/bgp_packet.c
+index a5f065a..cdf0734 100644
+--- a/bgpd/bgp_packet.c
++++ b/bgpd/bgp_packet.c
+@@ -1873,7 +1873,12 @@ static int bgp_update_receive(struct peer *peer, bgp_size_t size)
+ /* Network Layer Reachability Information. */
+ update_len = end - stream_pnt(s);
+
+- if (update_len && attribute_len) {
++ /* If we received MP_UNREACH_NLRI attribute, but also NLRIs, then
++ * NLRIs should be handled as a new data. Though, if we received
++ * NLRIs without mandatory attributes, they should be ignored.
++ */
++ if (update_len && attribute_len &&
++ attr_parse_ret != BGP_ATTR_PARSE_MISSING_MANDATORY) {
+ /* Set NLRI portion to structure. */
+ nlris[NLRI_UPDATE].afi = AFI_IP;
+ nlris[NLRI_UPDATE].safi = SAFI_UNICAST;
+--
+2.43.0
+
diff --git a/SOURCES/0006-graceful-restart.patch b/SOURCES/0006-graceful-restart.patch
deleted file mode 100644
index 3c1cb44..0000000
--- a/SOURCES/0006-graceful-restart.patch
+++ /dev/null
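Review bot: `BGP_ATTR_PARSE_MISSING_MANDATORY = -5` is added to `enum bgp_attr_parse_ret` without a comment, and the only consumer visible in this patch is the NLRI guard in bgp_update_receive. Because the value is negative, any site that tests `ret < 0` or compares against specific enumerators will see it too. Those sites are outside the hunks, so each should be checked for the handling the commit message describes (the remaining NLRIs are not processed). I would document the contract at the enumerator, for example `/* MP_UNREACH_NLRI present but a mandatory attribute is missing: ignore remaining NLRIs */`.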
@@ -1,78 +0,0 @@ -From 12f9f8472d0f8cfc026352906b8e5342df2846cc Mon Sep 17 00:00:00 2001 -From: Donatas Abraitis -Date: Tue, 27 Sep 2022 17:30:16 +0300 -Subject: [PATCH] bgpd: Do not send Deconfig/Shutdown message when restarting - -We might disable sending unconfig/shutdown notifications when -Graceful-Restart is enabled and negotiated. - -Signed-off-by: Donatas Abraitis ---- - bgpd/bgpd.c | 35 ++++++++++++++++++++++++++--------- - 1 file changed, 26 insertions(+), 9 deletions(-) - -diff --git a/bgpd/bgpd.c b/bgpd/bgpd.c -index 749e46ebe9d..ae1308db423 100644 ---- a/bgpd/bgpd.c -+++ b/bgpd/bgpd.c -@@ -2755,11 +2755,34 @@ int peer_group_remote_as(struct bgp *bgp, const char *group_name, as_t *as, - - void peer_notify_unconfig(struct peer *peer) - { -+ if (BGP_PEER_GRACEFUL_RESTART_CAPABLE(peer)) { -+ if (bgp_debug_neighbor_events(peer)) -+ zlog_debug( -+ "%pBP configured Graceful-Restart, skipping unconfig notification", -+ peer); -+ return; -+ } -+ - if (BGP_IS_VALID_STATE_FOR_NOTIF(peer->status)) - bgp_notify_send(peer, BGP_NOTIFY_CEASE, - BGP_NOTIFY_CEASE_PEER_UNCONFIG); - } - -+static void peer_notify_shutdown(struct peer *peer) -+{ -+ if (BGP_PEER_GRACEFUL_RESTART_CAPABLE(peer)) { -+ if (bgp_debug_neighbor_events(peer)) -+ zlog_debug( -+ "%pBP configured Graceful-Restart, skipping shutdown notification", -+ peer); -+ return; -+ } -+ -+ if (BGP_IS_VALID_STATE_FOR_NOTIF(peer->status)) -+ bgp_notify_send(peer, BGP_NOTIFY_CEASE, -+ BGP_NOTIFY_CEASE_ADMIN_SHUTDOWN); -+} -+ - void peer_group_notify_unconfig(struct peer_group *group) - { - struct peer *peer, *other; -@@ -3676,11 +3699,8 @@ int bgp_delete(struct bgp *bgp) - } - - /* Inform peers we're going down. 
*/ -- for (ALL_LIST_ELEMENTS(bgp->peer, node, next, peer)) { -- if (BGP_IS_VALID_STATE_FOR_NOTIF(peer->status)) -- bgp_notify_send(peer, BGP_NOTIFY_CEASE, -- BGP_NOTIFY_CEASE_ADMIN_SHUTDOWN); -- } -+ for (ALL_LIST_ELEMENTS(bgp->peer, node, next, peer)) -+ peer_notify_shutdown(peer); - - /* Delete static routes (networks). */ - bgp_static_delete(bgp); -@@ -8252,10 +8272,7 @@ void bgp_terminate(void) - - for (ALL_LIST_ELEMENTS(bm->bgp, mnode, mnnode, bgp)) - for (ALL_LIST_ELEMENTS(bgp->peer, node, nnode, peer)) -- if (peer_established(peer) || peer->status == OpenSent -- || peer->status == OpenConfirm) -- bgp_notify_send(peer, BGP_NOTIFY_CEASE, -- BGP_NOTIFY_CEASE_PEER_UNCONFIG); -+ peer_notify_unconfig(peer); - - BGP_TIMER_OFF(bm->t_rmap_update); - diff --git a/SOURCES/0007-CVE-2023-46752.patch b/SOURCES/0007-CVE-2023-46752.patch new file mode 100644 index 0000000..054853e --- /dev/null +++ b/SOURCES/0007-CVE-2023-46752.patch 
@@ -0,0 +1,76 @@
+From b08afc81c60607a4f736f418f2e3eb06087f1a35 Mon Sep 17 00:00:00 2001
+From: Donatas Abraitis
+Date: Fri, 20 Oct 2023 17:49:18 +0300
+Subject: [PATCH] bgpd: Handle MP_REACH_NLRI malformed packets with session
+ reset
+
+Avoid crashing bgpd.
+
+Reported-by: Iggy Frankovic
+Signed-off-by: Donatas Abraitis
+---
+ bgpd/bgp_attr.c | 6 +-----
+ bgpd/bgp_attr.h | 1 -
+ bgpd/bgp_packet.c | 6 +-----
+ 3 files changed, 2 insertions(+), 11 deletions(-)
+
+diff --git a/bgpd/bgp_attr.c b/bgpd/bgp_attr.c
+index 6925aff727e2..e7bb42a5d989 100644
+--- a/bgpd/bgp_attr.c
++++ b/bgpd/bgp_attr.c
+@@ -2421,7 +2421,7 @@ int bgp_mp_reach_parse(struct bgp_attr_parser_args *args,
+
+ mp_update->afi = afi;
+ mp_update->safi = safi;
+- return BGP_ATTR_PARSE_EOR;
++ return bgp_attr_malformed(args, BGP_NOTIFY_UPDATE_MAL_ATTR, 0);
+ }
+
+ mp_update->afi = afi;
+@@ -3759,10 +3759,6 @@ enum bgp_attr_parse_ret bgp_attr_parse(struct peer *peer, struct attr *attr,
+ goto done;
+ }
+
+- if (ret == BGP_ATTR_PARSE_EOR) {
+- goto done;
+- }
+-
+ if (ret == BGP_ATTR_PARSE_ERROR) {
+ flog_warn(EC_BGP_ATTRIBUTE_PARSE_ERROR,
+ "%s: Attribute %s, parse error", peer->host,
+diff --git a/bgpd/bgp_attr.h b/bgpd/bgp_attr.h
+index 961e5f122470..fc347e7a1b4b 100644
+--- a/bgpd/bgp_attr.h
++++ b/bgpd/bgp_attr.h
+@@ -364,7 +364,6 @@ enum bgp_attr_parse_ret {
+ /* only used internally, send notify + convert to BGP_ATTR_PARSE_ERROR
+ */
+ BGP_ATTR_PARSE_ERROR_NOTIFYPLS = -3,
+- BGP_ATTR_PARSE_EOR = -4,
+ BGP_ATTR_PARSE_MISSING_MANDATORY = -5,
+ };
+
+diff --git a/bgpd/bgp_packet.c b/bgpd/bgp_packet.c
+index b585591e2f69..5ecf343b6657 100644
+--- a/bgpd/bgp_packet.c
++++ b/bgpd/bgp_packet.c
+@@ -2397,8 +2397,7 @@ static int bgp_update_receive(struct peer_connection *connection,
+ * Non-MP IPv4/Unicast EoR is a completely empty UPDATE
+ * and MP EoR should have only an empty MP_UNREACH
+ */
+- if ((!update_len && !withdraw_len && nlris[NLRI_MP_UPDATE].length == 0)
+- || (attr_parse_ret == BGP_ATTR_PARSE_EOR)) {
++ if (!update_len && !withdraw_len && nlris[NLRI_MP_UPDATE].length == 0) {
+ afi_t afi = 0;
+ safi_t safi;
+ struct graceful_restart_info *gr_info;
+@@ -2419,9 +2418,6 @@ static int bgp_update_receive(struct peer_connection *connection,
+ && nlris[NLRI_MP_WITHDRAW].length == 0) {
+ afi = nlris[NLRI_MP_WITHDRAW].afi;
+ safi = nlris[NLRI_MP_WITHDRAW].safi;
+- } else if (attr_parse_ret == BGP_ATTR_PARSE_EOR) {
+- afi = nlris[NLRI_MP_UPDATE].afi;
+- safi = nlris[NLRI_MP_UPDATE].safi;
+ }
+
+ if (afi && peer->afc[afi][safi]) {
diff --git a/SOURCES/0007-cve-2022-37032.patch b/SOURCES/0007-cve-2022-37032.patch
deleted file mode 100644
index 4899c72..0000000
--- a/SOURCES/0007-cve-2022-37032.patch
+++ /dev/null
@@ -1,32 +0,0 @@
-From ff6db1027f8f36df657ff2e5ea167773752537ed Mon Sep 17 00:00:00 2001
-From: Donald Sharp
-Date: Thu, 21 Jul 2022 08:11:58 -0400
-Subject: [PATCH] bgpd: Make sure hdr length is at a minimum of what is
- expected
-
-Ensure that if the capability length specified is enough data.
-
-Signed-off-by: Donald Sharp
----
- bgpd/bgp_packet.c | 8 ++++++++
- 1 file changed, 8 insertions(+)
-
-diff --git a/bgpd/bgp_packet.c b/bgpd/bgp_packet.c
-index dbf6c0b2e99..45752a8ab6d 100644
---- a/bgpd/bgp_packet.c
-+++ b/bgpd/bgp_packet.c
-@@ -2620,6 +2620,14 @@ static int bgp_capability_msg_parse(struct peer *peer, uint8_t *pnt,
- "%s CAPABILITY has action: %d, code: %u, length %u",
- peer->host, action, hdr->code, hdr->length);
-
-+ if (hdr->length < sizeof(struct capability_mp_data)) {
-+ zlog_info(
-+ "%pBP Capability structure is not properly filled out, expected at least %zu bytes but header length specified is %d",
-+ peer, sizeof(struct capability_mp_data),
-+ hdr->length);
-+ return BGP_Stop;
-+ }
-+
- /* Capability length check. */
- if ((pnt + hdr->length + 3) > end) {
- zlog_info("%s Capability length error", peer->host);
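Review bot: This embedded patch does not appear to have been refreshed against the tree the other patches target. Its bgp_packet.c hunk headers name `bgp_update_receive(struct peer_connection *connection,` at line 2397, while 0006-CVE-2023-47234.patch shows `bgp_update_receive(struct peer *peer, bgp_size_t size)` at line 1873, and its bgp_attr.h hunk sits at 364 against 379 there. It would therefore have to apply by offset, so the resulting source should be inspected to confirm that `return bgp_attr_malformed(args, BGP_NOTIFY_UPDATE_MAL_ATTR, 0);` landed in the intended branch of bgp_mp_reach_parse. Regenerating the patch from the patched tree and recording the upstream commit id, as 0005 and 0006 do with `(cherry picked from commit …)`, would make the backport verifiable; 0008-CVE-2023-46753.patch has the same offset mismatch (bgp_attr_check near 3409 against 3079) and also lacks the reference. The patch also depends on 0006 being applied first, because its bgp_attr.h context contains `BGP_ATTR_PARSE_MISSING_MANDATORY = -5`.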
diff --git a/SOURCES/0008-CVE-2023-46753.patch b/SOURCES/0008-CVE-2023-46753.patch
new file mode 100644
index 0000000..f1f0611
--- /dev/null
+++ b/SOURCES/0008-CVE-2023-46753.patch
@@ -0,0 +1,60 @@
+From d8482bf011cb2b173e85b65b4bf3d5061250cdb9 Mon Sep 17 00:00:00 2001
+From: Donatas Abraitis
+Date: Mon, 23 Oct 2023 23:34:10 +0300
+Subject: [PATCH] bgpd: Check mandatory attributes more carefully for UPDATE
+ message
+
+If we send a crafted BGP UPDATE message without mandatory attributes, we do
+not check if the length of the path attributes is zero or not. We only check
+if attr->flag is at least set or not. Imagine we send only unknown transit
+attribute, then attr->flag is always 0. Also, this is true only if graceful-restart
+capability is received.
+
+Reported-by: Iggy Frankovic
+Signed-off-by: Donatas Abraitis
+---
+ bgpd/bgp_attr.c | 10 ++++++----
+ 1 file changed, 6 insertions(+), 4 deletions(-)
+
+diff --git a/bgpd/bgp_attr.c b/bgpd/bgp_attr.c
+index 26fd3de..bcc4424 100644
+--- a/bgpd/bgp_attr.c
++++ b/bgpd/bgp_attr.c
+@@ -3400,7 +3400,8 @@ bgp_attr_unknown(struct bgp_attr_parser_args *args)
+ }
+
+ /* Well-known attribute check. */
+-static int bgp_attr_check(struct peer *peer, struct attr *attr)
++static int bgp_attr_check(struct peer *peer, struct attr *attr,
++ bgp_size_t length)
+ {
+ uint8_t type = 0;
+
+@@ -3409,7 +3410,8 @@ static int bgp_attr_check(struct peer *peer, struct attr *attr)
+ * we will pass it to be processed as a normal UPDATE without mandatory
+ * attributes, that could lead to harmful behavior.
+ */
+- if (CHECK_FLAG(peer->cap, PEER_CAP_RESTART_RCV) && !attr->flag)
++ if (CHECK_FLAG(peer->cap, PEER_CAP_RESTART_RCV) && !attr->flag &&
++ !length)
+ return BGP_ATTR_PARSE_WITHDRAW;
+
+ if (!CHECK_FLAG(attr->flag, ATTR_FLAG_BIT(BGP_ATTR_ORIGIN)))
+@@ -3462,7 +3464,7 @@ enum bgp_attr_parse_ret bgp_attr_parse(struct peer *peer, struct attr *attr,
+ enum bgp_attr_parse_ret ret;
+ uint8_t flag = 0;
+ uint8_t type = 0;
+- bgp_size_t length;
++ bgp_size_t length = 0;
+ uint8_t *startp, *endp;
+ uint8_t *attr_endp;
+ uint8_t seen[BGP_ATTR_BITMAP_SIZE];
+@@ -3785,7 +3787,7 @@ enum bgp_attr_parse_ret bgp_attr_parse(struct peer *peer, struct attr *attr,
+ }
+
+ /* Check all mandatory well-known attributes are present */
+- ret = bgp_attr_check(peer, attr);
++ ret = bgp_attr_check(peer, attr, length);
+ if (ret < 0)
+ goto done;
+
diff --git a/SOURCES/0008-frr-non-root-user.patch b/SOURCES/0008-frr-non-root-user.patch
deleted file mode 100644
index 6a0803c..0000000
--- a/SOURCES/0008-frr-non-root-user.patch
+++ /dev/null
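Review bot: The new `length` argument of bgp_attr_check is undocumented, and the hunks do not make clear what the call site passes. `bgp_size_t length` is a local of bgp_attr_parse declared next to the per-attribute `flag` and `type`, so it looks like the length of the last attribute parsed rather than the total path-attribute length the commit message refers to; the loop that sets it is outside the hunks and should be checked. If that reading is right, `!length` does not mean "no path attributes were present". The guarded branch returns `BGP_ATTR_PARSE_WITHDRAW`, so it still rejects, but the parameter deserves a comment such as `/* length: length of the last path attribute parsed, 0 if none */` or a name that says which length is meant.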
@@ -1,67 +0,0 @@ -From 1d42fb941af17a29346b2af03338f8e18470f009 Mon Sep 17 00:00:00 2001 -From: Michal Ruprich -Date: Tue, 22 Nov 2022 12:38:05 +0100 -Subject: [PATCH] tools: Enable start of FRR for non-root user - -There might be use cases when this would make sense, for example -running FRR in a container as a designated user. - -Signed-off-by: Michal Ruprich ---- - tools/etc/frr/daemons | 5 +++++ - tools/frrcommon.sh.in | 4 ++++ - 2 files changed, 9 insertions(+) - -diff --git a/tools/etc/frr/daemons b/tools/etc/frr/daemons -index 8aa08871e35..2427bfff777 100644 ---- a/tools/etc/frr/daemons -+++ b/tools/etc/frr/daemons -@@ -91,6 +91,12 @@ pathd_options=" -A 127.0.0.1" - # say BGP. - #MAX_FDS=1024 - -+# Uncomment this option if you want to run FRR as a non-root user. Note that -+# you should know what you are doing since most of the daemons need root -+# to work. This could be useful if you want to run FRR in a container -+# for instance. -+# FRR_NO_ROOT="yes" -+ - # The list of daemons to watch is automatically generated by the init script. - #watchfrr_options="" - -diff --git a/tools/frrcommon.sh.in b/tools/frrcommon.sh.in -index 3c16c27c6df..4f095a176e4 100755 ---- a/tools/frrcommon.sh.in -+++ b/tools/frrcommon.sh.in -@@ -43,6 +43,10 @@ RELOAD_SCRIPT="$D_PATH/frr-reload.py" - # - - is_user_root () { -+ if [[ ! -z $FRR_NO_ROOT && "${FRR_NO_ROOT}" == "yes" ]]; then -+ return 0 -+ fi -+ - [ "${EUID:-$(id -u)}" -eq 0 ] || { - log_failure_msg "Only users having EUID=0 can start/stop daemons" - return 1 -diff --git a/doc/user/setup.rst b/doc/user/setup.rst -index 25934df..51ffd32 100644 ---- a/doc/user/setup.rst -+++ b/doc/user/setup.rst -@@ -114,6 +114,16 @@ most operating systems is 1024. If the operator plans to run bgp with - several thousands of peers than this is where we would modify FRR to - allow this to happen. - -+:: -+ -+ FRR_NO_ROOT="yes" -+ -+This option allows you to run FRR as a non-root user. 
Use this option -+only when you know what you are doing since most of the daemons -+in FRR will not be able to run under a regular user. This option -+is useful for example when you run FRR in a container with a designated -+user instead of root. -+ - :: - - zebra_options=" -s 90000000 --daemon -A 127.0.0.1" diff --git a/SOURCES/0009-CVE-2022-36440-40302.patch b/SOURCES/0009-CVE-2022-36440-40302.patch deleted file mode 100644 index 08de573..0000000 --- a/SOURCES/0009-CVE-2022-36440-40302.patch +++ /dev/null 
@@ -1,59 +0,0 @@ -From 3e46b43e3788f0f87bae56a86b54d412b4710286 Mon Sep 17 00:00:00 2001 -From: Donald Sharp -Date: Fri, 30 Sep 2022 08:51:45 -0400 -Subject: [PATCH] bgpd: Ensure FRR has enough data to read 2 bytes in - peek_for_as4_capability - -In peek_for_as4_capability the code is checking that the -stream has at least 2 bytes to read ( the opt_type and the -opt_length ). However if BGP_OPEN_EXT_OPT_PARAMS_CAPABLE(peer) -is configured then FRR is reading 3 bytes. Which is not good -since the packet could be badly formated. Ensure that -FRR has the appropriate data length to read the data. - -Signed-off-by: Donald Sharp ---- - bgpd/bgp_open.c | 27 +++++++++++++++++++++------ - 1 file changed, 21 insertions(+), 6 deletions(-) - -diff --git a/bgpd/bgp_open.c b/bgpd/bgp_open.c -index 7248f034a5a..a760a7ca013 100644 ---- a/bgpd/bgp_open.c -+++ b/bgpd/bgp_open.c -@@ -1185,15 +1185,30 @@ as_t peek_for_as4_capability(struct peer *peer, uint16_t length) - uint8_t opt_type; - uint16_t opt_length; - -- /* Check the length. */ -- if (stream_get_getp(s) + 2 > end) -+ /* Ensure we can read the option type */ -+ if (stream_get_getp(s) + 1 > end) - goto end; - -- /* Fetch option type and length. */ -+ /* Fetch the option type */ - opt_type = stream_getc(s); -- opt_length = BGP_OPEN_EXT_OPT_PARAMS_CAPABLE(peer) -- ? stream_getw(s) -- : stream_getc(s); -+ -+ /* -+ * Check the length and fetch the opt_length -+ * If the peer is BGP_OPEN_EXT_OPT_PARAMS_CAPABLE(peer) -+ * then we do a getw which is 2 bytes. So we need to -+ * ensure that we can read that as well -+ */ -+ if (BGP_OPEN_EXT_OPT_PARAMS_CAPABLE(peer)) { -+ if (stream_get_getp(s) + 2 > end) -+ goto end; -+ -+ opt_length = stream_getw(s); -+ } else { -+ if (stream_get_getp(s) + 1 > end) -+ goto end; -+ -+ opt_length = stream_getc(s); -+ } - - /* Option length check. */ - if (stream_get_getp(s) + opt_length > end) 
diff --git a/SOURCES/0010-CVE-2022-43681.patch b/SOURCES/0010-CVE-2022-43681.patch deleted file mode 100644 index 73fcfc3..0000000 --- a/SOURCES/0010-CVE-2022-43681.patch +++ /dev/null @@ -1,47 +0,0 @@ -From 766eec1b7accffe2c04a5c9ebb14e9f487bb9f78 Mon Sep 17 00:00:00 2001 -From: Donald Sharp -Date: Wed, 2 Nov 2022 13:24:48 -0400 -Subject: [PATCH] bgpd: Ensure that bgp open message stream has enough data to - read - -If a operator receives an invalid packet that is of insufficient size -then it is possible for BGP to assert during reading of the packet -instead of gracefully resetting the connection with the peer. - -Signed-off-by: Donald Sharp ---- - bgpd/bgp_packet.c | 19 +++++++++++++++++++ - 1 file changed, 19 insertions(+) - -diff --git a/bgpd/bgp_packet.c b/bgpd/bgp_packet.c -index 769f9613da8..72d6a923175 100644 ---- a/bgpd/bgp_packet.c -+++ b/bgpd/bgp_packet.c -@@ -1386,8 +1386,27 @@ static int bgp_open_receive(struct peer *peer, bgp_size_t size) - || CHECK_FLAG(peer->flags, PEER_FLAG_EXTENDED_OPT_PARAMS)) { - uint8_t opttype; - -+ if (STREAM_READABLE(peer->curr) < 1) { -+ flog_err( -+ EC_BGP_PKT_OPEN, -+ "%s: stream does not have enough bytes for extended optional parameters", -+ peer->host); -+ bgp_notify_send(peer, BGP_NOTIFY_OPEN_ERR, -+ BGP_NOTIFY_OPEN_MALFORMED_ATTR); -+ return BGP_Stop; -+ } -+ - opttype = stream_getc(peer->curr); - if (opttype == BGP_OPEN_NON_EXT_OPT_TYPE_EXTENDED_LENGTH) { -+ if (STREAM_READABLE(peer->curr) < 2) { -+ flog_err( -+ EC_BGP_PKT_OPEN, -+ "%s: stream does not have enough bytes to read the extended optional parameters optlen", -+ peer->host); -+ bgp_notify_send(peer, BGP_NOTIFY_OPEN_ERR, -+ BGP_NOTIFY_OPEN_MALFORMED_ATTR); -+ return BGP_Stop; -+ } - optlen = stream_getw(peer->curr); - SET_FLAG(peer->sflags, - PEER_STATUS_EXT_OPT_PARAMS_LENGTH); diff --git a/SOURCES/0011-CVE-2022-40318.patch b/SOURCES/0011-CVE-2022-40318.patch deleted file mode 100644 index e4dadfb..0000000 
--- a/SOURCES/0011-CVE-2022-40318.patch
+++ /dev/null
@@ -1,70 +0,0 @@ -From 1117baca3c592877a4d8a13ed6a1d9bd83977487 Mon Sep 17 00:00:00 2001 -From: Donald Sharp -Date: Fri, 30 Sep 2022 08:57:43 -0400 -Subject: [PATCH] bgpd: Ensure FRR has enough data to read 2 bytes in - bgp_open_option_parse - -In bgp_open_option_parse the code is checking that the -stream has at least 2 bytes to read ( the opt_type and -the opt_length). However if BGP_OPEN_EXT_OPT_PARAMS_CAPABLE(peer) -is configured then FRR is reading 3 bytes. Which is not good -since the packet could be badly formateed. Ensure that -FRR has the appropriate data length to read the data. - -Signed-off-by: Donald Sharp ---- - bgpd/bgp_open.c | 35 ++++++++++++++++++++++++++++------- - 1 file changed, 28 insertions(+), 7 deletions(-) - -diff --git a/bgpd/bgp_open.c b/bgpd/bgp_open.c -index a760a7ca013..d1667fac261 100644 ---- a/bgpd/bgp_open.c -+++ b/bgpd/bgp_open.c -@@ -1278,19 +1278,40 @@ int bgp_open_option_parse(struct peer *peer, uint16_t length, - uint8_t opt_type; - uint16_t opt_length; - -- /* Must have at least an OPEN option header */ -- if (STREAM_READABLE(s) < 2) { -+ /* -+ * Check that we can read the opt_type and fetch it -+ */ -+ if (STREAM_READABLE(s) < 1) { - zlog_info("%s Option length error", peer->host); - bgp_notify_send(peer, BGP_NOTIFY_OPEN_ERR, - BGP_NOTIFY_OPEN_MALFORMED_ATTR); - return -1; - } -- -- /* Fetch option type and length. */ - opt_type = stream_getc(s); -- opt_length = BGP_OPEN_EXT_OPT_PARAMS_CAPABLE(peer) -- ? stream_getw(s) -- : stream_getc(s); -+ -+ /* -+ * Check the length of the stream to ensure that -+ * FRR can properly read the opt_length. 
Then read it -+ */ -+ if (BGP_OPEN_EXT_OPT_PARAMS_CAPABLE(peer)) { -+ if (STREAM_READABLE(s) < 2) { -+ zlog_info("%s Option length error", peer->host); -+ bgp_notify_send(peer, BGP_NOTIFY_OPEN_ERR, -+ BGP_NOTIFY_OPEN_MALFORMED_ATTR); -+ return -1; -+ } -+ -+ opt_length = stream_getw(s); -+ } else { -+ if (STREAM_READABLE(s) < 1) { -+ zlog_info("%s Option length error", peer->host); -+ bgp_notify_send(peer, BGP_NOTIFY_OPEN_ERR, -+ BGP_NOTIFY_OPEN_MALFORMED_ATTR); -+ return -1; -+ } -+ -+ opt_length = stream_getc(s); -+ } - - /* Option length check. */ - if (STREAM_READABLE(s) < opt_length) { diff --git a/SOURCES/0012-bfd-not-working-in-vrf.patch b/SOURCES/0012-bfd-not-working-in-vrf.patch deleted file mode 100644 index 6ee8490..0000000 --- a/SOURCES/0012-bfd-not-working-in-vrf.patch +++ /dev/null 
@@ -1,255 +0,0 @@
-From edc3f63167fd95e4e70287743c9b252415c9336e Mon Sep 17 00:00:00 2001
-From: Philippe Guibert
-Date: Thu, 7 Jul 2022 14:33:48 +0200
-Subject: [PATCH] bfdd: allow l3vrf bfd sessions without udp leaking
-
-Until now, when in vrf-lite mode, the BFD implementation
-creates a single UDP socket and relies on the following
-sysctl value to 1:
-
-echo 1 > /proc/sys/net/ipv4/udp_l3mdev_accept
-
-With this setting, the incoming BFD packets from a given
-vrf, would leak to the default vrf, and would match the
-UDP socket.
-
-The drawback of this solution is that udp packets received
-on a given vrf may leak to an other vrf. This may be a
-security concern.
-
-The commit addresses this issue by avoiding this leak
-mechanism. An UDP socket is created for each vrf, and each
-socket uses new setsockopt option: SO_REUSEADDR + SO_REUSEPORT.
-
-With this option, the incoming UDP packets are distributed on
-the available sockets. The impact of those options with l3mdev
-devices is unknown. It has been observed that this option is not
-needed, until the default vrf sockets are created.
-
-To ensure the BFD packets are correctly routed to the appropriate
-socket, a BPF filter has been put in place and attached to the
-sockets : SO_ATTACH_REUSEPORT_CBPF. This option adds a criterium
-to force the packet to choose a given socket. If initial criteria
-from the default distribution algorithm were not good, at least
-two sockets would be available, and the CBPF would force the
-selection to the same socket. This would come to the situation
-where an incoming packet would be processed on a different vrf.
-
-The bpf code is the following one:
-
-struct sock_filter code[] = {
- { BPF_RET | BPF_K, 0, 0, 0 },
-};
-
-struct sock_fprog p = {
- .len = sizeof(code)/sizeof(struct sock_filter),
- .filter = code,
-};
-
-if (setsockopt(sd, SOL_SOCKET, SO_ATTACH_REUSEPORT_CBPF, &p, sizeof(p))) {
- zlog_warn("unable to set SO_ATTACH_REUSEPORT_CBPF on socket: %s",
- strerror(errno));
- return -1;
-}
-
-Some tests have been done with by creating vrf contexts, and by using
-the below vtysh configuration:
-
-ip route 2.2.2.2/32 10.126.0.2
-vrf vrf2
- ip route 2.2.2.2/32 10.126.0.2
-!
-interface ntfp2
- ip address 10.126.0.1/24
-!
-interface ntfp3 vrf vrf4
- ip address 10.126.0.1/24
-!
-interface ntfp2 vrf vrf1
- ip address 10.126.0.1/24
-!
-interface ntfp2.100 vrf vrf2
- ip address 10.126.0.1/24
-!
-interface ntfp2.200 vrf vrf3
- ip address 10.126.0.1/24
-!
-line vty
-!
-bfd
- peer 10.126.0.2 vrf vrf2
- !
- peer 10.126.0.2 vrf vrf3
- !
- peer 10.126.0.2
- !
- peer 10.126.0.2 vrf vrf4
- !
- peer 2.2.2.2 multihop local-address 1.1.1.1
- !
- peer 2.2.2.2 multihop local-address 1.1.1.1 vrf vrf2
- transmit-interval 1500
- receive-interval 1500
- !
-
-The results showed no issue related to packets received by
-the wrong vrf. Even changing the udp_l3mdev_accept flag to
-1 did not change the test results.
-
-Signed-off-by: Philippe Guibert
----
- bfdd/bfd.c | 66 +++++++++++++++++++++++------------------------
- bfdd/bfd_packet.c | 45 ++++++++++++++++++++++++++++++++
- 2 files changed, 77 insertions(+), 34 deletions(-)
-
-diff --git a/bfdd/bfd.c b/bfdd/bfd.c
-index 483beb1b17c..a1619263588 100644
---- a/bfdd/bfd.c
-+++ b/bfdd/bfd.c
-@@ -1950,40 +1950,38 @@ static int bfd_vrf_enable(struct vrf *vrf)
- if (bglobal.debug_zebra)
- zlog_debug("VRF enable add %s id %u", vrf->name, vrf->vrf_id);
-
-- if (vrf->vrf_id == VRF_DEFAULT ||
-- vrf_get_backend() == VRF_BACKEND_NETNS) {
-- if (!bvrf->bg_shop)
-- bvrf->bg_shop = bp_udp_shop(vrf);
-- if (!bvrf->bg_mhop)
-- bvrf->bg_mhop = bp_udp_mhop(vrf);
-- if (!bvrf->bg_shop6)
-- bvrf->bg_shop6 = bp_udp6_shop(vrf);
-- if (!bvrf->bg_mhop6)
-- bvrf->bg_mhop6 = bp_udp6_mhop(vrf);
-- if (!bvrf->bg_echo)
-- bvrf->bg_echo = bp_echo_socket(vrf);
-- if (!bvrf->bg_echov6)
-- bvrf->bg_echov6 = bp_echov6_socket(vrf);
--
-- if (!bvrf->bg_ev[0] && bvrf->bg_shop != -1)
-- thread_add_read(master, bfd_recv_cb, bvrf,
-- bvrf->bg_shop, &bvrf->bg_ev[0]);
-- if (!bvrf->bg_ev[1] && bvrf->bg_mhop != -1)
-- thread_add_read(master, bfd_recv_cb, bvrf,
-- bvrf->bg_mhop, &bvrf->bg_ev[1]);
-- if (!bvrf->bg_ev[2] && bvrf->bg_shop6 != -1)
-- thread_add_read(master, bfd_recv_cb, bvrf,
-- bvrf->bg_shop6, &bvrf->bg_ev[2]);
-- if (!bvrf->bg_ev[3] && bvrf->bg_mhop6 != -1)
-- thread_add_read(master, bfd_recv_cb, bvrf,
-- bvrf->bg_mhop6, &bvrf->bg_ev[3]);
-- if (!bvrf->bg_ev[4] && bvrf->bg_echo != -1)
-- thread_add_read(master, bfd_recv_cb, bvrf,
-- bvrf->bg_echo, &bvrf->bg_ev[4]);
-- if (!bvrf->bg_ev[5] && bvrf->bg_echov6 != -1)
-- thread_add_read(master, bfd_recv_cb, bvrf,
-- bvrf->bg_echov6, &bvrf->bg_ev[5]);
-- }
-+ if (!bvrf->bg_shop)
-+ bvrf->bg_shop = bp_udp_shop(vrf);
-+ if (!bvrf->bg_mhop)
-+ bvrf->bg_mhop = bp_udp_mhop(vrf);
-+ if (!bvrf->bg_shop6)
-+ bvrf->bg_shop6 = bp_udp6_shop(vrf);
-+ if (!bvrf->bg_mhop6)
-+ bvrf->bg_mhop6 = bp_udp6_mhop(vrf);
-+ if (!bvrf->bg_echo)
-+ bvrf->bg_echo = bp_echo_socket(vrf);
-+ if (!bvrf->bg_echov6)
-+ bvrf->bg_echov6 = bp_echov6_socket(vrf);
-+
-+ if (!bvrf->bg_ev[0] && bvrf->bg_shop != -1)
-+ thread_add_read(master, bfd_recv_cb, bvrf, bvrf->bg_shop,
-+ &bvrf->bg_ev[0]);
-+ if (!bvrf->bg_ev[1] && bvrf->bg_mhop != -1)
-+ thread_add_read(master, bfd_recv_cb, bvrf, bvrf->bg_mhop,
-+ &bvrf->bg_ev[1]);
-+ if (!bvrf->bg_ev[2] && bvrf->bg_shop6 != -1)
-+ thread_add_read(master, bfd_recv_cb, bvrf, bvrf->bg_shop6,
-+ &bvrf->bg_ev[2]);
-+ if (!bvrf->bg_ev[3] && bvrf->bg_mhop6 != -1)
-+ thread_add_read(master, bfd_recv_cb, bvrf, bvrf->bg_mhop6,
-+ &bvrf->bg_ev[3]);
-+ if (!bvrf->bg_ev[4] && bvrf->bg_echo != -1)
-+ thread_add_read(master, bfd_recv_cb, bvrf, bvrf->bg_echo,
-+ &bvrf->bg_ev[4]);
-+ if (!bvrf->bg_ev[5] && bvrf->bg_echov6 != -1)
-+ thread_add_read(master, bfd_recv_cb, bvrf, bvrf->bg_echov6,
-+ &bvrf->bg_ev[5]);
-+
- if (vrf->vrf_id != VRF_DEFAULT) {
- bfdd_zclient_register(vrf->vrf_id);
- bfdd_sessions_enable_vrf(vrf);
-diff --git a/bfdd/bfd_packet.c b/bfdd/bfd_packet.c
-index d34d6427628..054a9bfbf21 100644
---- a/bfdd/bfd_packet.c
-+++ b/bfdd/bfd_packet.c
-@@ -876,6 +876,14 @@ void bfd_recv_cb(struct thread *t)
- "no session found");
- return;
- }
-+ /*
-+ * We may have a situation where received packet is on wrong vrf
-+ */
-+ if (bfd && bfd->vrf && bfd->vrf != bvrf->vrf) {
-+ cp_debug(is_mhop, &peer, &local, ifindex, vrfid,
-+ "wrong vrfid.");
-+ return;
-+ }
-
- /* Ensure that existing good sessions are not overridden. */
- if (!cp->discrs.remote_discr && bfd->ses_state != PTM_BFD_DOWN &&
-@@ -1208,10 +1216,41 @@ int bp_set_tos(int sd, uint8_t value)
- return 0;
- }
-
-+static bool bp_set_reuse_addr(int sd)
-+{
-+ int one = 1;
-+
-+ if (setsockopt(sd, SOL_SOCKET, SO_REUSEADDR, &one, sizeof(one)) == -1) {
-+ zlog_warn("set-reuse-addr: setsockopt(SO_REUSEADDR, %d): %s",
-+ one, strerror(errno));
-+ return false;
-+ }
-+ return true;
-+}
-+
-+static bool bp_set_reuse_port(int sd)
-+{
-+ int one = 1;
-+
-+ if (setsockopt(sd, SOL_SOCKET, SO_REUSEPORT, &one, sizeof(one)) == -1) {
-+ zlog_warn("set-reuse-port: setsockopt(SO_REUSEPORT, %d): %s",
-+ one, strerror(errno));
-+ return false;
-+ }
-+ return true;
-+}
-+
-+
- static void bp_set_ipopts(int sd)
- {
- int rcvttl = BFD_RCV_TTL_VAL;
-
-+ if (!bp_set_reuse_addr(sd))
-+ zlog_fatal("set-reuse-addr: failed");
-+
-+ if (!bp_set_reuse_port(sd))
-+ zlog_fatal("set-reuse-port: failed");
-+
- if (bp_set_ttl(sd, BFD_TTL_VAL) != 0)
- zlog_fatal("set-ipopts: TTL configuration failed");
-
-@@ -1453,6 +1492,12 @@ static void bp_set_ipv6opts(int sd)
- int ipv6_pktinfo = BFD_IPV6_PKT_INFO_VAL;
- int ipv6_only = BFD_IPV6_ONLY_VAL;
-
-+ if (!bp_set_reuse_addr(sd))
-+ zlog_fatal("set-reuse-addr: failed");
-+
-+ if (!bp_set_reuse_port(sd))
-+ zlog_fatal("set-reuse-port: failed");
-+
- if (bp_set_ttlv6(sd, BFD_TTL_VAL) == -1)
- zlog_fatal(
- "set-ipv6opts: setsockopt(IPV6_UNICAST_HOPS, %d): %s",
diff --git a/SPECS/frr.spec b/SPECS/frr.spec
index 2d22b8e..d039694 100644
--- a/SPECS/frr.spec
+++ b/SPECS/frr.spec
@@ -6,8 +6,8 @@ %bcond_without selinux Name: frr -Version: 8.3.1 -Release: 10%{?checkout}%{?dist} +Version: 8.5.3 +Release: 4%{?checkout}%{?dist} Summary: Routing daemon License: GPLv2+ URL: http://www.frrouting.org
@@ -67,14 +67,10 @@ Patch0000: 0000-remove-babeld-and-ldpd.patch Patch0002: 0002-enable-openssl.patch Patch0003: 0003-disable-eigrp-crypto.patch Patch0004: 0004-fips-mode.patch -Patch0005: 0005-ospf-api.patch -Patch0006: 0006-graceful-restart.patch -Patch0007: 0007-cve-2022-37032.patch -Patch0008: 0008-frr-non-root-user.patch -Patch0009: 0009-CVE-2022-36440-40302.patch -Patch0010: 0010-CVE-2022-43681.patch -Patch0011: 0011-CVE-2022-40318.patch -Patch0012: 0012-bfd-not-working-in-vrf.patch +Patch0005: 0005-CVE-2023-47235.patch +Patch0006: 0006-CVE-2023-47234.patch +Patch0007: 0007-CVE-2023-46752.patch +Patch0008: 0008-CVE-2023-46753.patch %description FRRouting is free software that manages TCP/IP based routing protocols. It takes @@ -280,6 +276,25 @@ make check PYTHON=%{__python3} %endif %changelog +* Mon Feb 05 2024 Michal Ruprich - 8.5.3-4 +- Resolves: RHEL-14825 - crafted BGP UPDATE message leading to a crash + +* Mon Feb 05 2024 Michal Ruprich - 8.5.3-3 +- Resolves: RHEL-14822 - mishandled malformed data leading to a crash + +* Mon Dec 18 2023 Michal Ruprich - 8.5.3-2 +- Resolves: RHEL-15915 - crash from specially crafted MP_UNREACH_NLRI-containing BGP UPDATE message +- Resolves: RHEL-15918 - crash from malformed EOR-containing BGP UPDATE message + +* Thu Nov 23 2023 Michal Ruprich - 8.5.3-1 +- Resolves: RHEL-15291 - Rebase FRR to version 8.5.3 in RHEL9 + +* Fri Oct 13 2023 Michal Ruprich - 8.3.1-12 +- Resolves: RHEL-3541 - Incorrect handling of a error in parsing of an invalid section of a BGP update can de-peer a router + +* Thu Sep 21 2023 Carlos Goncalves - 8.3.1-11 +- Resolves: RHEL-2263 - bgpd: Do not explicitly print MAXTTL value for ebgp-multihop vty output + * Thu Aug 10 2023 Michal Ruprich - 8.3.1-10 - Related: #2216912 - adding sys_admin to capabilities
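Review bot: The patch list in the `@@ -67,14 +67,10 @@` hunk drops eight downstream patches (old Patch0005 through Patch0012) without recording why, and the only changelog line covering it is "Rebase FRR to version 8.5.3 in RHEL9". For the CVE-named ones (0007-cve-2022-37032, 0009-CVE-2022-36440-40302, 0010-CVE-2022-43681, 0011-CVE-2022-40318) the fixes are presumably part of the 8.5.3 tarball, but nothing visible here establishes that. Judging by their names, 0008-frr-non-root-user.patch and 0012-bfd-not-working-in-vrf.patch are privilege and VRF-isolation changes rather than CVE fixes, so they deserve the same confirmation before being dropped. Once checked, I would add a comment above Patch0005 such as `# 8.3.1 patches 0005-0012 dropped on rebase: all present in upstream 8.5.3`, so a later reader does not have to re-derive which fixes the rebase carries.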