commit ec7e79108b73c5d1cce09a001f818768fb4beba5 Author: MSVSphere Packaging Team Date: Fri Mar 29 15:36:30 2024 +0300 import frr-7.5.1-22.el8 diff --git a/.frr.metadata b/.frr.metadata new file mode 100644 index 0000000..fe0c737 --- /dev/null +++ b/.frr.metadata @@ -0,0 +1 @@ +dfc756dfd123360d1e1a760d66821e47f9a6afed SOURCES/frr-7.5.1.tar.gz diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..c0a706d --- /dev/null +++ b/.gitignore @@ -0,0 +1 @@ +SOURCES/frr-7.5.1.tar.gz diff --git a/SOURCES/0000-remove-babeld-and-ldpd.patch b/SOURCES/0000-remove-babeld-and-ldpd.patch new file mode 100644 index 0000000..37c416a --- /dev/null +++ b/SOURCES/0000-remove-babeld-and-ldpd.patch @@ -0,0 +1,55 @@ +diff --git a/Makefile.am b/Makefile.am +index 5be3264..33abc1d 100644 +--- a/Makefile.am ++++ b/Makefile.am +@@ -130,8 +130,6 @@ include ospf6d/subdir.am + include ospfclient/subdir.am + include isisd/subdir.am + include nhrpd/subdir.am +-include ldpd/subdir.am +-include babeld/subdir.am + include eigrpd/subdir.am + include sharpd/subdir.am + include pimd/subdir.am +@@ -182,7 +180,6 @@ EXTRA_DIST += \ + snapcraft/defaults \ + snapcraft/helpers \ + snapcraft/snap \ +- babeld/Makefile \ + bgpd/Makefile \ + bgpd/rfp-example/librfp/Makefile \ + bgpd/rfp-example/rfptest/Makefile \ +@@ -193,7 +190,6 @@ EXTRA_DIST += \ + fpm/Makefile \ + grpc/Makefile \ + isisd/Makefile \ +- ldpd/Makefile \ + lib/Makefile \ + nhrpd/Makefile \ + ospf6d/Makefile \ +diff --git a/tools/etc/frr/daemons b/tools/etc/frr/daemons +index f6d512b..6d4831d 100644 +--- a/tools/etc/frr/daemons ++++ b/tools/etc/frr/daemons +@@ -21,10 +21,8 @@ ripd=no + ripngd=no + isisd=no + pimd=no +-ldpd=no + nhrpd=no + eigrpd=no +-babeld=no + sharpd=no + pbrd=no + bfdd=no +@@ -45,10 +43,8 @@ ripd_options=" -A 127.0.0.1" + ripngd_options=" -A ::1" + isisd_options=" -A 127.0.0.1" + pimd_options=" -A 127.0.0.1" +-ldpd_options=" -A 127.0.0.1" + nhrpd_options=" -A 127.0.0.1" + eigrpd_options=" -A 127.0.0.1" +-babeld_options=" -A 127.0.0.1" + sharpd_options=" -A 127.0.0.1" + pbrd_options=" -A 127.0.0.1" + staticd_options="-A 127.0.0.1" diff --git a/SOURCES/0001-use-python3.patch b/SOURCES/0001-use-python3.patch new file mode 100644 index 0000000..ce0359e --- /dev/null +++ b/SOURCES/0001-use-python3.patch @@ -0,0 +1,20 @@ +diff --git a/tools/frr-reload.py b/tools/frr-reload.py +index 208fb11..0692adc 100755 +--- a/tools/frr-reload.py ++++ b/tools/frr-reload.py +@@ -1,4 +1,4 @@ +-#!/usr/bin/python ++#!/usr/bin/python3 + # Frr Reloader + # Copyright (C) 2014 Cumulus Networks, Inc. + # +diff --git a/tools/generate_support_bundle.py b/tools/generate_support_bundle.py +index 540b7a1..0876ebb 100755 +--- a/tools/generate_support_bundle.py ++++ b/tools/generate_support_bundle.py +@@ -1,4 +1,4 @@ +-#!/usr/bin/python ++#!/usr/bin/python3 + + ######################################################## + ### Python Script to generate the FRR support bundle ### diff --git a/SOURCES/0002-enable-openssl.patch b/SOURCES/0002-enable-openssl.patch new file mode 100644 index 0000000..6f1c389 --- /dev/null +++ b/SOURCES/0002-enable-openssl.patch @@ -0,0 +1,86 @@ +diff --git a/lib/subdir.am b/lib/subdir.am +index 0b7af18..0533e24 100644 +--- a/lib/subdir.am ++++ b/lib/subdir.am +@@ -41,7 +41,6 @@ lib_libfrr_la_SOURCES = \ + lib/log.c \ + lib/log_filter.c \ + lib/log_vty.c \ +- lib/md5.c \ + lib/memory.c \ + lib/mlag.c \ + lib/module.c \ +diff --git a/lib/subdir.am b/lib/subdir.am +index 0533e24..b3d3700 100644 +--- a/lib/subdir.am ++++ b/lib/subdir.am +@@ -170,7 +170,6 @@ pkginclude_HEADERS += \ + lib/linklist.h \ + lib/log.h \ + lib/log_vty.h \ +- lib/md5.h \ + lib/memory.h \ + lib/module.h \ + lib/monotime.h \ +diff --git a/lib/subdir.am b/lib/subdir.am +index 53f7115..cea866f 100644 +--- a/lib/subdir.am ++++ b/lib/subdir.am +@@ -64,7 +64,6 @@ lib_libfrr_la_SOURCES = \ + lib/routemap_northbound.c \ + lib/sbuf.c \ + lib/seqlock.c \ +- lib/sha256.c \ + lib/sigevent.c \ + lib/skiplist.c \ + lib/sockopt.c \ +@@ -191,7 +190,6 @@ pkginclude_HEADERS += \ + lib/routemap.h \ + lib/sbuf.h \ + lib/seqlock.h \ +- lib/sha256.h \ + lib/sigevent.h \ + lib/skiplist.h \ + lib/smux.h \ +diff --git a/isisd/isis_lsp.c b/isisd/isis_lsp.c +index 1991666..2e4fe55 100644 +--- a/isisd/isis_lsp.c ++++ b/isisd/isis_lsp.c +@@ -35,7 +35,9 @@ + #include "hash.h" + #include "if.h" + #include "checksum.h" ++#ifdef CRYPTO_INTERNAL + #include "md5.h" ++#endif + #include "table.h" + #include "srcdest_table.h" + #include "lib_errors.h" +diff --git a/isisd/isis_pdu.c b/isisd/isis_pdu.c +index 9c63311..7cf594c 100644 +--- a/isisd/isis_pdu.c ++++ b/isisd/isis_pdu.c +@@ -33,7 +33,9 @@ + #include "prefix.h" + #include "if.h" + #include "checksum.h" ++#ifdef CRYPTO_INTERNAL + #include "md5.h" ++#endif + #include "lib_errors.h" + + #include "isisd/isis_constants.h" +diff --git a/isisd/isis_te.c b/isisd/isis_te.c +index 4ea6c2c..72ff0d2 100644 +--- a/isisd/isis_te.c ++++ b/isisd/isis_te.c +@@ -38,7 +38,9 @@ + #include "if.h" + #include "vrf.h" + #include "checksum.h" ++#ifdef CRYPTO_INTERNAL + #include "md5.h" ++#endif + #include "sockunion.h" + #include "network.h" + #include "sbuf.h" diff --git a/SOURCES/0003-disable-eigrp-crypto.patch b/SOURCES/0003-disable-eigrp-crypto.patch new file mode 100644 index 0000000..cd43569 --- /dev/null +++ b/SOURCES/0003-disable-eigrp-crypto.patch @@ -0,0 +1,252 @@ +diff --git a/eigrpd/eigrp_packet.c b/eigrpd/eigrp_packet.c +index bedaf15..8dc09bf 100644 +--- a/eigrpd/eigrp_packet.c ++++ b/eigrpd/eigrp_packet.c +@@ -40,8 +40,10 @@ + #include "log.h" + #include "sockopt.h" + #include "checksum.h" ++#ifdef CRYPTO_INTERNAL + #include "md5.h" + #include "sha256.h" ++#endif + #include "lib_errors.h" + + #include "eigrpd/eigrp_structs.h" +@@ -95,8 +97,12 @@ int eigrp_make_md5_digest(struct eigrp_interface *ei, struct stream *s, + struct key *key = NULL; + struct keychain *keychain; + ++ + unsigned char digest[EIGRP_AUTH_TYPE_MD5_LEN]; ++#ifdef CRYPTO_OPENSSL ++#elif CRYPTO_INTERNAL + MD5_CTX ctx; ++#endif + uint8_t *ibuf; + size_t backup_get, backup_end; + struct TLV_MD5_Authentication_Type *auth_TLV; +@@ -119,6 +125,9 @@ int eigrp_make_md5_digest(struct eigrp_interface *ei, struct stream *s, + return EIGRP_AUTH_TYPE_NONE; + } + ++#ifdef CRYPTO_OPENSSL ++//TBD when this is fixed in upstream ++#elif CRYPTO_INTERNAL + memset(&ctx, 0, sizeof(ctx)); + MD5Init(&ctx); + +@@ -146,7 +155,7 @@ int eigrp_make_md5_digest(struct eigrp_interface *ei, struct stream *s, + } + + MD5Final(digest, &ctx); +- ++#endif + /* Append md5 digest to the end of the stream. */ + memcpy(auth_TLV->digest, digest, EIGRP_AUTH_TYPE_MD5_LEN); + +@@ -162,7 +171,10 @@ int eigrp_check_md5_digest(struct stream *s, + struct TLV_MD5_Authentication_Type *authTLV, + struct eigrp_neighbor *nbr, uint8_t flags) + { ++#ifdef CRYPTO_OPENSSL ++#elif CRYPTO_INTERNAL + MD5_CTX ctx; ++#endif + unsigned char digest[EIGRP_AUTH_TYPE_MD5_LEN]; + unsigned char orig[EIGRP_AUTH_TYPE_MD5_LEN]; + struct key *key = NULL; +@@ -203,6 +215,9 @@ int eigrp_check_md5_digest(struct stream *s, + return 0; + } + ++#ifdef CRYPTO_OPENSSL ++ //TBD when eigrpd crypto is fixed in upstream ++#elif CRYPTO_INTERNAL + memset(&ctx, 0, sizeof(ctx)); + MD5Init(&ctx); + +@@ -230,6 +245,7 @@ int eigrp_check_md5_digest(struct stream *s, + } + + MD5Final(digest, &ctx); ++#endif + + /* compare the two */ + if (memcmp(orig, digest, EIGRP_AUTH_TYPE_MD5_LEN) != 0) { +@@ -254,7 +270,11 @@ int eigrp_make_sha256_digest(struct eigrp_interface *ei, struct stream *s, + unsigned char digest[EIGRP_AUTH_TYPE_SHA256_LEN]; + unsigned char buffer[1 + PLAINTEXT_LENGTH + 45 + 1] = {0}; + ++#ifdef CRYPTO_OPENSSL ++ //TBD when eigrpd crypto is fixed in upstream ++#elif CRYPTO_INTERNAL + HMAC_SHA256_CTX ctx; ++#endif + void *ibuf; + size_t backup_get, backup_end; + struct TLV_SHA256_Authentication_Type *auth_TLV; +@@ -283,6 +303,9 @@ int eigrp_make_sha256_digest(struct eigrp_interface *ei, struct stream *s, + + inet_ntop(AF_INET, &ei->address.u.prefix4, source_ip, PREFIX_STRLEN); + ++#ifdef CRYPTO_OPENSSL ++ //TBD when eigrpd crypto is fixed in upstream ++#elif CRYPTO_INTERNAL + memset(&ctx, 0, sizeof(ctx)); + buffer[0] = '\n'; + memcpy(buffer + 1, key, strlen(key->string)); +@@ -291,7 +314,7 @@ int eigrp_make_sha256_digest(struct eigrp_interface *ei, struct stream *s, + 1 + strlen(key->string) + strlen(source_ip)); + HMAC__SHA256_Update(&ctx, ibuf, strlen(ibuf)); + HMAC__SHA256_Final(digest, &ctx); +- ++#endif + + /* Put hmac-sha256 digest to it's place */ + memcpy(auth_TLV->digest, digest, EIGRP_AUTH_TYPE_SHA256_LEN); +diff --git a/eigrpd/eigrp_filter.c b/eigrpd/eigrp_filter.c +index 93eed94..f1c7347 100644 +--- a/eigrpd/eigrp_filter.c ++++ b/eigrpd/eigrp_filter.c +@@ -47,7 +47,9 @@ + #include "if_rmap.h" + #include "plist.h" + #include "distribute.h" ++#ifdef CRYPTO_INTERNAL + #include "md5.h" ++#endif + #include "keychain.h" + #include "privs.h" + #include "vrf.h" +diff --git a/eigrpd/eigrp_hello.c b/eigrpd/eigrp_hello.c +index dacd5ca..b232cc5 100644 +--- a/eigrpd/eigrp_hello.c ++++ b/eigrpd/eigrp_hello.c +@@ -43,7 +43,9 @@ + #include "sockopt.h" + #include "checksum.h" + #include "vty.h" ++#ifdef CRYPTO_INTERNAL + #include "md5.h" ++#endif + + #include "eigrpd/eigrp_structs.h" + #include "eigrpd/eigrpd.h" +diff --git a/eigrpd/eigrp_query.c b/eigrpd/eigrp_query.c +index 84dcf5e..a2575e3 100644 +--- a/eigrpd/eigrp_query.c ++++ b/eigrpd/eigrp_query.c +@@ -38,7 +38,9 @@ + #include "log.h" + #include "sockopt.h" + #include "checksum.h" ++#ifdef CRYPTO_INTERNAL + #include "md5.h" ++#endif + #include "vty.h" + + #include "eigrpd/eigrp_structs.h" +diff --git a/eigrpd/eigrp_reply.c b/eigrpd/eigrp_reply.c +index ccf0496..2902365 100644 +--- a/eigrpd/eigrp_reply.c ++++ b/eigrpd/eigrp_reply.c +@@ -42,7 +42,9 @@ + #include "log.h" + #include "sockopt.h" + #include "checksum.h" ++#ifdef CRYPTO_INTERNAL + #include "md5.h" ++#endif + #include "vty.h" + #include "keychain.h" + #include "plist.h" +diff --git a/eigrpd/eigrp_siaquery.c b/eigrpd/eigrp_siaquery.c +index ff38325..09b9369 100644 +--- a/eigrpd/eigrp_siaquery.c ++++ b/eigrpd/eigrp_siaquery.c +@@ -38,7 +38,9 @@ + #include "log.h" + #include "sockopt.h" + #include "checksum.h" ++#ifdef CRYPTO_INTERNAL + #include "md5.h" ++#endif + #include "vty.h" + + #include "eigrpd/eigrp_structs.h" +diff --git a/eigrpd/eigrp_siareply.c b/eigrpd/eigrp_siareply.c +index d3dd123..f6a2bd6 100644 +--- a/eigrpd/eigrp_siareply.c ++++ b/eigrpd/eigrp_siareply.c +@@ -37,7 +37,9 @@ + #include "log.h" + #include "sockopt.h" + #include "checksum.h" ++#ifdef CRYPTO_INTERNAL + #include "md5.h" ++#endif + #include "vty.h" + + #include "eigrpd/eigrp_structs.h" +diff --git a/eigrpd/eigrp_snmp.c b/eigrpd/eigrp_snmp.c +index 21c9238..cfb8890 100644 +--- a/eigrpd/eigrp_snmp.c ++++ b/eigrpd/eigrp_snmp.c +@@ -42,7 +42,9 @@ + #include "log.h" + #include "sockopt.h" + #include "checksum.h" ++#ifdef CRYPTO_INTERNAL + #include "md5.h" ++#endif + #include "keychain.h" + #include "smux.h" + +diff --git a/eigrpd/eigrp_update.c b/eigrpd/eigrp_update.c +index 8db4903..2a4f0bb 100644 +--- a/eigrpd/eigrp_update.c ++++ b/eigrpd/eigrp_update.c +@@ -42,7 +42,9 @@ + #include "log.h" + #include "sockopt.h" + #include "checksum.h" ++#ifdef CRYPTO_INTERNAL + #include "md5.h" ++#endif + #include "vty.h" + #include "plist.h" + #include "plist_int.h" +diff --git a/eigrpd/eigrp_cli.c b/eigrpd/eigrp_cli.c +index a93d4c8..b01e121 100644 +--- a/eigrpd/eigrp_cli.c ++++ b/eigrpd/eigrp_cli.c +@@ -25,6 +25,7 @@ + #include "lib/command.h" + #include "lib/log.h" + #include "lib/northbound_cli.h" ++#include "lib/libfrr.h" + + #include "eigrp_structs.h" + #include "eigrpd.h" +@@ -726,6 +726,20 @@ DEFPY( + "Keyed message digest\n" + "HMAC SHA256 algorithm \n") + { ++ //EIGRP authentication is currently broken in FRR ++ switch (frr_get_cli_mode()) { ++ case FRR_CLI_CLASSIC: ++ vty_out(vty, "%% Eigrp Authentication is disabled\n\n"); ++ break; ++ case FRR_CLI_TRANSACTIONAL: ++ vty_out(vty, ++ "%% Failed to edit candidate configuration - " ++ "Eigrp Authentication is disabled.\n\n"); ++ break; ++ } ++ ++ return CMD_WARNING_CONFIG_FAILED; ++ + char xpath[XPATH_MAXLEN], xpath_auth[XPATH_MAXLEN + 64]; + + snprintf(xpath, sizeof(xpath), "./frr-eigrpd:eigrp/instance[asn='%s']", diff --git a/SOURCES/0004-fips-mode.patch b/SOURCES/0004-fips-mode.patch new file mode 100644 index 0000000..e8efeb7 --- /dev/null +++ b/SOURCES/0004-fips-mode.patch @@ -0,0 +1,103 @@ +diff --git a/ospfd/ospf_vty.c b/ospfd/ospf_vty.c +index 631465f..e084ff3 100644 +--- a/ospfd/ospf_vty.c ++++ b/ospfd/ospf_vty.c +@@ -1136,6 +1136,11 @@ DEFUN (ospf_area_vlink, + + if (argv_find(argv, argc, "message-digest", &idx)) { + /* authentication message-digest */ ++ if(FIPS_mode()) ++ { ++ vty_out(vty, "FIPS mode is enabled, md5 authentication is disabled\n"); ++ return CMD_WARNING_CONFIG_FAILED; ++ } + vl_config.auth_type = OSPF_AUTH_CRYPTOGRAPHIC; + } else if (argv_find(argv, argc, "null", &idx)) { + /* "authentication null" */ +@@ -1993,6 +1998,15 @@ DEFUN (ospf_area_authentication_message_digest, + ? OSPF_AUTH_NULL + : OSPF_AUTH_CRYPTOGRAPHIC; + ++ if(area->auth_type == OSPF_AUTH_CRYPTOGRAPHIC) ++ { ++ if(FIPS_mode()) ++ { ++ vty_out(vty, "FIPS mode is enabled, md5 authentication is disabled\n"); ++ return CMD_WARNING_CONFIG_FAILED; ++ } ++ } ++ + return CMD_SUCCESS; + } + +@@ -6665,6 +6679,11 @@ DEFUN (ip_ospf_authentication_args, + + /* Handle message-digest authentication */ + if (argv[idx_encryption]->arg[0] == 'm') { ++ if(FIPS_mode()) ++ { ++ vty_out(vty, "FIPS mode is enabled, md5 authentication is disabled\n"); ++ return CMD_WARNING_CONFIG_FAILED; ++ } + SET_IF_PARAM(params, auth_type); + params->auth_type = OSPF_AUTH_CRYPTOGRAPHIC; + return CMD_SUCCESS; +@@ -6971,6 +6990,11 @@ DEFUN (ip_ospf_message_digest_key, + "The OSPF password (key)\n" + "Address of interface\n") + { ++ if(FIPS_mode()) ++ { ++ vty_out(vty, "FIPS mode is enabled, md5 authentication is disabled\n"); ++ return CMD_WARNING_CONFIG_FAILED; ++ } + VTY_DECLVAR_CONTEXT(interface, ifp); + struct crypt_key *ck; + uint8_t key_id; +diff --git a/isisd/isis_circuit.c b/isisd/isis_circuit.c +index 81b4b39..cce33d9 100644 +--- a/isisd/isis_circuit.c ++++ b/isisd/isis_circuit.c +@@ -1318,6 +1318,10 @@ static int isis_circuit_passwd_set(struct isis_circuit *circuit, + return ferr_code_bug( + "circuit password too long (max 254 chars)"); + ++ //When in FIPS mode, the password never gets set in MD5 ++ if((passwd_type == ISIS_PASSWD_TYPE_HMAC_MD5) && FIPS_mode()) ++ return ferr_cfg_invalid("FIPS mode is enabled, md5 authentication is disabled"); ++ + circuit->passwd.len = len; + strlcpy((char *)circuit->passwd.passwd, passwd, + sizeof(circuit->passwd.passwd)); +diff --git a/isisd/isisd.c b/isisd/isisd.c +index 419127c..a6c36af 100644 +--- a/isisd/isisd.c ++++ b/isisd/isisd.c +@@ -1638,6 +1638,10 @@ static int isis_area_passwd_set(struct isis_area *area, int level, + if (len > 254) + return -1; + ++ //When in FIPS mode, the password never get set in MD5 ++ if ((passwd_type == ISIS_PASSWD_TYPE_HMAC_MD5) && (FIPS_mode())) ++ return ferr_cfg_invalid("FIPS mode is enabled, md5 authentication is disabled"); ++ + modified.len = len; + strlcpy((char *)modified.passwd, passwd, + sizeof(modified.passwd)); +diff --git a/ripd/rip_cli.c b/ripd/rip_cli.c +index 5bb81ef..02a09ef 100644 +--- a/ripd/rip_cli.c ++++ b/ripd/rip_cli.c +@@ -796,6 +796,12 @@ DEFPY (ip_rip_authentication_mode, + value = "20"; + } + ++ if(strmatch(mode, "md5") && FIPS_mode()) ++ { ++ vty_out(vty, "FIPS mode is enabled, md5 authentication id disabled\n"); ++ return CMD_WARNING_CONFIG_FAILED; ++ } ++ + nb_cli_enqueue_change(vty, "./authentication-scheme/mode", NB_OP_MODIFY, + strmatch(mode, "md5") ? "md5" : "plain-text"); + if (strmatch(mode, "md5")) diff --git a/SOURCES/0006-CVE-2020-12831.patch b/SOURCES/0006-CVE-2020-12831.patch new file mode 100644 index 0000000..df352d2 --- /dev/null +++ b/SOURCES/0006-CVE-2020-12831.patch @@ -0,0 +1,17 @@ +diff --git a/tools/frr.in b/tools/frr.in +index b860797..eb64a93 100755 +--- a/tools/frr.in ++++ b/tools/frr.in +@@ -105,10 +105,12 @@ check_daemon() + if [ ! -r "$C_PATH/$1-$2.conf" ]; then + touch "$C_PATH/$1-$2.conf" + chownfrr "$C_PATH/$1-$2.conf" ++ chmod 0600 "$C_PATH/$1-$2.conf" + fi + elif [ ! -r "$C_PATH/$1.conf" ]; then + touch "$C_PATH/$1.conf" + chownfrr "$C_PATH/$1.conf" ++ chmod 0600 "$C_PATH/$1.conf" + fi + fi + return 0 diff --git a/SOURCES/0007-frrinit.patch b/SOURCES/0007-frrinit.patch new file mode 100644 index 0000000..f5fd13c --- /dev/null +++ b/SOURCES/0007-frrinit.patch @@ -0,0 +1,31 @@ +diff --git a/tools/frrinit.sh.in b/tools/frrinit.sh.in +index 539ab7d..d27d1be 100644 +--- a/tools/frrinit.sh.in ++++ b/tools/frrinit.sh.in +@@ -43,7 +43,7 @@ fi + case "$1" in + start) + daemon_list daemons +- watchfrr_options="$watchfrr_options $daemons" ++ watchfrr_options="$daemons" + daemon_start watchfrr + ;; + stop) +@@ -57,7 +57,7 @@ restart|force-reload) + all_stop --reallyall + + daemon_list daemons +- watchfrr_options="$watchfrr_options $daemons" ++ watchfrr_options="$daemons" + daemon_start watchfrr + ;; + +@@ -87,7 +87,7 @@ reload) + # restart watchfrr to pick up added daemons. + # NB: This will NOT cause the other daemons to be restarted. + daemon_list daemons +- watchfrr_options="$watchfrr_options $daemons" ++ watchfrr_options="$daemons" + daemon_stop watchfrr && \ + daemon_start watchfrr + diff --git a/SOURCES/0008-designated-router.patch b/SOURCES/0008-designated-router.patch new file mode 100644 index 0000000..323a10e --- /dev/null +++ b/SOURCES/0008-designated-router.patch @@ -0,0 +1,33 @@ +diff --git a/ospfd/ospf_vty.c b/ospfd/ospf_vty.c +index 69a3e4587..57ef6029a 100644 +--- a/ospfd/ospf_vty.c ++++ b/ospfd/ospf_vty.c +@@ -3737,6 +3737,28 @@ static void show_ip_ospf_interface_sub(struct vty *vty, struct ospf *ospf, + vty_out(vty, + " No backup designated router on this network\n"); + } else { ++ nbr = ospf_nbr_lookup_by_addr(oi->nbrs, &DR(oi)); ++ if (nbr) { ++ if (use_json) { ++ json_object_string_add( ++ json_interface_sub, "drId", ++ inet_ntoa(nbr->router_id)); ++ json_object_string_add( ++ json_interface_sub, "drAddress", ++ inet_ntoa(nbr->address.u ++ .prefix4)); ++ } else { ++ vty_out(vty, ++ " Designated Router (ID) %s", ++ inet_ntoa(nbr->router_id)); ++ vty_out(vty, ++ " Interface Address %s\n", ++ inet_ntoa(nbr->address.u ++ .prefix4)); ++ } ++ } ++ nbr = NULL; ++ + nbr = ospf_nbr_lookup_by_addr(oi->nbrs, &BDR(oi)); + if (nbr == NULL) { + if (!use_json) diff --git a/SOURCES/0009-routemap.patch b/SOURCES/0009-routemap.patch new file mode 100644 index 0000000..f389e57 --- /dev/null +++ b/SOURCES/0009-routemap.patch @@ -0,0 +1,25 @@ +diff --git a/lib/routemap.c b/lib/routemap.c +index a90443a..0b594b2 100644 +--- a/lib/routemap.c ++++ b/lib/routemap.c +@@ -1649,9 +1649,9 @@ static struct list *route_map_get_index_list(struct route_node **rn, + */ + static struct route_map_index * + route_map_get_index(struct route_map *map, const struct prefix *prefix, +- route_map_object_t type, void *object, uint8_t *match_ret) ++ route_map_object_t type, void *object, enum route_map_cmd_result_t *match_ret) + { +- int ret = 0; ++ enum route_map_cmd_result_t ret = RMAP_NOMATCH; + struct list *candidate_rmap_list = NULL; + struct route_node *rn = NULL; + struct listnode *ln = NULL, *nn = NULL; +@@ -2399,7 +2399,7 @@ route_map_result_t route_map_apply(struct route_map *map, + if ((!map->optimization_disabled) + && (map->ipv4_prefix_table || map->ipv6_prefix_table)) { + index = route_map_get_index(map, prefix, type, object, +- (uint8_t *)&match_ret); ++ &match_ret); + if (index) { + if (rmap_debug) + zlog_debug( diff --git a/SOURCES/0010-moving-executables.patch b/SOURCES/0010-moving-executables.patch new file mode 100644 index 0000000..46f1439 --- /dev/null +++ b/SOURCES/0010-moving-executables.patch @@ -0,0 +1,40 @@ +diff --git a/tools/frr.service b/tools/frr.service +index aa45f42..a3f0103 100644 +--- a/tools/frr.service ++++ b/tools/frr.service +@@ -17,9 +17,9 @@ WatchdogSec=60s + RestartSec=5 + Restart=on-abnormal + LimitNOFILE=1024 +-ExecStart=/usr/lib/frr/frrinit.sh start +-ExecStop=/usr/lib/frr/frrinit.sh stop +-ExecReload=/usr/lib/frr/frrinit.sh reload ++ExecStart=/usr/libexec/frr/frrinit.sh start ++ExecStop=/usr/libexec/frr/frrinit.sh stop ++ExecReload=/usr/libexec/frr/frrinit.sh reload + + [Install] + WantedBy=multi-user.target +diff --git a/tools/frrcommon.sh.in b/tools/frrcommon.sh.in +index 9a144b2..a334d95 100644 +--- a/tools/frrcommon.sh.in ++++ b/tools/frrcommon.sh.in +@@ -59,6 +59,9 @@ chownfrr() { + [ -n "$FRR_USER" ] && chown "$FRR_USER" "$1" + [ -n "$FRR_GROUP" ] && chgrp "$FRR_GROUP" "$1" + [ -n "$FRR_CONFIG_MODE" ] && chmod "$FRR_CONFIG_MODE" "$1" ++ if [ -d "$1" ]; then ++ chmod gu+x "$1" ++ fi + } + + vtysh_b () { +@@ -152,7 +155,7 @@ daemon_start() { + daemon_prep "$daemon" "$inst" || return 1 + if test ! -d "$V_PATH"; then + mkdir -p "$V_PATH" +- chown frr "$V_PATH" ++ chownfrr "$V_PATH" + fi + + eval wrap="\$${daemon}_wrap" diff --git a/SOURCES/0011-reload-bfd-profile.patch b/SOURCES/0011-reload-bfd-profile.patch new file mode 100644 index 0000000..dcd6981 --- /dev/null +++ b/SOURCES/0011-reload-bfd-profile.patch @@ -0,0 +1,77 @@ +diff --git a/tools/frr-reload.py b/tools/frr-reload.py +index 9979c8b..1c24f90 100755 +--- a/tools/frr-reload.py ++++ b/tools/frr-reload.py +@@ -785,6 +785,48 @@ def line_exist(lines, target_ctx_keys, target_line, exact_match=True): + return True + return False + ++def delete_bgp_bfd(lines_to_add, lines_to_del): ++ """ ++ When 'neighbor bfd profile ' is present without a ++ 'neighbor bfd' line, FRR explicitily adds it to the running ++ configuration. When the new configuration drops the bfd profile ++ line, the user's intent is to delete any bfd configuration on the ++ peer. On reload, deleting the bfd profile line after the bfd line ++ will re-enable BFD with the default BFD profile. Move the bfd line ++ to the end, if it exists in the new configuration. ++ ++ Example: ++ ++ neighbor 10.0.0.1 bfd ++ neighbor 10.0.0.1 bfd profile bfd-profile-1 ++ ++ Move to end: ++ neighbor 10.0.0.1 bfd profile bfd-profile-1 ++ ... ++ ++ neighbor 10.0.0.1 bfd ++ ++ """ ++ lines_to_del_to_app = [] ++ for (ctx_keys, line) in lines_to_del: ++ if ( ++ ctx_keys[0].startswith("router bgp") ++ and line ++ and line.startswith("neighbor ") ++ ): ++ # 'no neighbor [peer] bfd>' ++ nb_bfd = "neighbor (\S+) .*bfd$" ++ re_nb_bfd = re.search(nb_bfd, line) ++ if re_nb_bfd: ++ lines_to_del_to_app.append((ctx_keys, line)) ++ ++ for (ctx_keys, line) in lines_to_del_to_app: ++ lines_to_del.remove((ctx_keys, line)) ++ lines_to_del.append((ctx_keys, line)) ++ ++ return (lines_to_add, lines_to_del) ++ ++ + def check_for_exit_vrf(lines_to_add, lines_to_del): + + # exit-vrf is a bit tricky. If the new config is missing it but we +@@ -1248,6 +1290,7 @@ def compare_context_objects(newconf, running): + for line in newconf_ctx.lines: + lines_to_add.append((newconf_ctx_keys, line)) + ++ (lines_to_add, lines_to_del) = delete_bgp_bfd(lines_to_add, lines_to_del) + (lines_to_add, lines_to_del) = check_for_exit_vrf(lines_to_add, lines_to_del) + (lines_to_add, lines_to_del) = ignore_delete_re_add_lines(lines_to_add, lines_to_del) + (lines_to_add, lines_to_del) = ignore_unconfigurable_lines(lines_to_add, lines_to_del) +diff --git a/bgpd/bgp_bfd.c b/bgpd/bgp_bfd.c +index b566b0e..1bd6249 100644 +--- a/bgpd/bgp_bfd.c ++++ b/bgpd/bgp_bfd.c +@@ -686,9 +686,9 @@ void bgp_bfd_peer_config_write(struct vty *vty, struct peer *peer, char *addr) + + if (!CHECK_FLAG(bfd_info->flags, BFD_FLAG_PARAM_CFG) + && (bfd_info->type == BFD_TYPE_NOT_CONFIGURED)) { +- vty_out(vty, " neighbor %s bfd", addr); ++ vty_out(vty, " neighbor %s bfd\n", addr); + if (bfd_info->profile[0]) +- vty_out(vty, " profile %s", bfd_info->profile); ++ vty_out(vty, " neighbor %s bfd profile %s", addr, bfd_info->profile); + vty_out(vty, "\n"); + } + diff --git a/SOURCES/0012-graceful-restart.patch b/SOURCES/0012-graceful-restart.patch new file mode 100644 index 0000000..7e874cc --- /dev/null +++ b/SOURCES/0012-graceful-restart.patch @@ -0,0 +1,79 @@ +From 12f9f8472d0f8cfc026352906b8e5342df2846cc Mon Sep 17 00:00:00 2001 +From: Donatas Abraitis +Date: Tue, 27 Sep 2022 17:30:16 +0300 +Subject: [PATCH] bgpd: Do not send Deconfig/Shutdown message when restarting + +We might disable sending unconfig/shutdown notifications when +Graceful-Restart is enabled and negotiated. + +Signed-off-by: Donatas Abraitis +--- + bgpd/bgpd.c | 35 ++++++++++++++++++++++++++--------- + 1 file changed, 26 insertions(+), 9 deletions(-) + +diff --git a/bgpd/bgpd.c b/bgpd/bgpd.c +index 3d4ef7c..f8089c6 100644 +--- a/bgpd/bgpd.c ++++ b/bgpd/bgpd.c +@@ -2564,11 +2564,34 @@ int peer_group_remote_as(struct bgp *bgp, const char *group_name, as_t *as, + + void peer_notify_unconfig(struct peer *peer) + { ++ if (BGP_PEER_GRACEFUL_RESTART_CAPABLE(peer)) { ++ if (bgp_debug_neighbor_events(peer)) ++ zlog_debug( ++ "%pBP configured Graceful-Restart, skipping unconfig notification", ++ peer); ++ return; ++ } ++ + if (BGP_IS_VALID_STATE_FOR_NOTIF(peer->status)) + bgp_notify_send(peer, BGP_NOTIFY_CEASE, + BGP_NOTIFY_CEASE_PEER_UNCONFIG); + } + ++static void peer_notify_shutdown(struct peer *peer) ++{ ++ if (BGP_PEER_GRACEFUL_RESTART_CAPABLE(peer)) { ++ if (bgp_debug_neighbor_events(peer)) ++ zlog_debug( ++ "%pBP configured Graceful-Restart, skipping shutdown notification", ++ peer); ++ return; ++ } ++ ++ if (BGP_IS_VALID_STATE_FOR_NOTIF(peer->status)) ++ bgp_notify_send(peer, BGP_NOTIFY_CEASE, ++ BGP_NOTIFY_CEASE_ADMIN_SHUTDOWN); ++} ++ + void peer_group_notify_unconfig(struct peer_group *group) + { + struct peer *peer, *other; +@@ -3380,11 +3403,8 @@ int bgp_delete(struct bgp *bgp) + } + + /* Inform peers we're going down. */ +- for (ALL_LIST_ELEMENTS(bgp->peer, node, next, peer)) { +- if (BGP_IS_VALID_STATE_FOR_NOTIF(peer->status)) +- bgp_notify_send(peer, BGP_NOTIFY_CEASE, +- BGP_NOTIFY_CEASE_ADMIN_SHUTDOWN); +- } ++ for (ALL_LIST_ELEMENTS(bgp->peer, node, next, peer)) ++ peer_notify_shutdown(peer); + + /* Delete static routes (networks). */ + bgp_static_delete(bgp); +@@ -7238,11 +7258,7 @@ void bgp_terminate(void) + + for (ALL_LIST_ELEMENTS(bm->bgp, mnode, mnnode, bgp)) + for (ALL_LIST_ELEMENTS(bgp->peer, node, nnode, peer)) +- if (peer->status == Established +- || peer->status == OpenSent +- || peer->status == OpenConfirm) +- bgp_notify_send(peer, BGP_NOTIFY_CEASE, +- BGP_NOTIFY_CEASE_PEER_UNCONFIG); ++ peer_notify_unconfig(peer); + + if (bm->process_main_queue) + work_queue_free_and_null(&bm->process_main_queue); diff --git a/SOURCES/0013-CVE-2022-37032.patch b/SOURCES/0013-CVE-2022-37032.patch new file mode 100644 index 0000000..4899c72 --- /dev/null +++ b/SOURCES/0013-CVE-2022-37032.patch @@ -0,0 +1,32 @@ +From ff6db1027f8f36df657ff2e5ea167773752537ed Mon Sep 17 00:00:00 2001 +From: Donald Sharp +Date: Thu, 21 Jul 2022 08:11:58 -0400 +Subject: [PATCH] bgpd: Make sure hdr length is at a minimum of what is + expected + +Ensure that if the capability length specified is enough data. + +Signed-off-by: Donald Sharp +--- + bgpd/bgp_packet.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/bgpd/bgp_packet.c b/bgpd/bgp_packet.c +index dbf6c0b2e99..45752a8ab6d 100644 +--- a/bgpd/bgp_packet.c ++++ b/bgpd/bgp_packet.c +@@ -2620,6 +2620,14 @@ static int bgp_capability_msg_parse(struct peer *peer, uint8_t *pnt, + "%s CAPABILITY has action: %d, code: %u, length %u", + peer->host, action, hdr->code, hdr->length); + ++ if (hdr->length < sizeof(struct capability_mp_data)) { ++ zlog_info( ++ "%pBP Capability structure is not properly filled out, expected at least %zu bytes but header length specified is %d", ++ peer, sizeof(struct capability_mp_data), ++ hdr->length); ++ return BGP_Stop; ++ } ++ + /* Capability length check. */ + if ((pnt + hdr->length + 3) > end) { + zlog_info("%s Capability length error", peer->host); diff --git a/SOURCES/0014-bfd-profile-crash.patch b/SOURCES/0014-bfd-profile-crash.patch new file mode 100644 index 0000000..cc263ff --- /dev/null +++ b/SOURCES/0014-bfd-profile-crash.patch @@ -0,0 +1,117 @@ +From 4b793d1eb35ab5794db12725a28fcdb4fef23af7 Mon Sep 17 00:00:00 2001 +From: Igor Ryzhov +Date: Thu, 1 Apr 2021 15:29:18 +0300 +Subject: [PATCH] bfdd: remove profiles when removing bfd node + +Fixes #8379. + +Signed-off-by: Igor Ryzhov +--- + bfdd/bfd.c | 8 ++++++++ + bfdd/bfd.h | 1 + + bfdd/bfdd_nb_config.c | 1 + + 3 files changed, 10 insertions(+) + +diff --git a/bfdd/bfd.c b/bfdd/bfd.c +index c966efd8ea71..cf292a836354 100644 +--- a/bfdd/bfd.c ++++ b/bfdd/bfd.c +@@ -1889,6 +1889,14 @@ void bfd_sessions_remove_manual(void) + hash_iterate(bfd_key_hash, _bfd_session_remove_manual, NULL); + } + ++void bfd_profiles_remove(void) ++{ ++ struct bfd_profile *bp; ++ ++ while ((bp = TAILQ_FIRST(&bplist)) != NULL) ++ bfd_profile_free(bp); ++} ++ + /* + * Profile related hash functions. + */ +diff --git a/bfdd/bfd.h b/bfdd/bfd.h +index af3f92d6a8f8..9ee1da728717 100644 +--- a/bfdd/bfd.h ++++ b/bfdd/bfd.h +@@ -596,6 +596,7 @@ void bfd_session_free(struct bfd_session *bs); + const struct bfd_session *bfd_session_next(const struct bfd_session *bs, + bool mhop); + void bfd_sessions_remove_manual(void); ++void bfd_profiles_remove(void); + + /** + * Set the BFD session echo state. +diff --git a/bfdd/bfdd_nb_config.c b/bfdd/bfdd_nb_config.c +index 0046bc625b45..77f8cbd09c07 100644 +--- a/bfdd/bfdd_nb_config.c ++++ b/bfdd/bfdd_nb_config.c +@@ -203,6 +203,7 @@ int bfdd_bfd_destroy(struct nb_cb_destroy_args *args) + + case NB_EV_APPLY: + bfd_sessions_remove_manual(); ++ bfd_profiles_remove(); + break; + + case NB_EV_ABORT: +diff --git a/bfdd/bfdd_nb_config.c b/bfdd/bfdd_nb_config.c +index 77f8cbd09c07..4030e2eefa50 100644 +--- a/bfdd/bfdd_nb_config.c ++++ b/bfdd/bfdd_nb_config.c +@@ -186,7 +186,15 @@ static int bfd_session_destroy(enum nb_event event, + */ + int bfdd_bfd_create(struct nb_cb_create_args *args) + { +- /* NOTHING */ ++ if (args->event != NB_EV_APPLY) ++ return NB_OK; ++ ++ /* ++ * Set any non-NULL value to be able to call ++ * nb_running_unset_entry in bfdd_bfd_destroy. ++ */ ++ nb_running_set_entry(args->dnode, (void *)0x1); ++ + return NB_OK; + } + +@@ -202,6 +210,12 @@ int bfdd_bfd_destroy(struct nb_cb_destroy_args *args) + return NB_OK; + + case NB_EV_APPLY: ++ /* ++ * We need to call this to unset pointers from ++ * the child nodes - sessions and profiles. ++ */ ++ nb_running_unset_entry(args->dnode); ++ + bfd_sessions_remove_manual(); + bfd_profiles_remove(); + break; +diff --git a/bfdd/bfdd_cli.c b/bfdd/bfdd_cli.c +index b64e36b36a44..5a844e56e121 100644 +--- a/bfdd/bfdd_cli.c ++++ b/bfdd/bfdd_cli.c +@@ -486,7 +486,7 @@ void bfd_cli_show_echo_interval(struct vty *vty, struct lyd_node *dnode, + * Profile commands. + */ + DEFPY_YANG_NOSH(bfd_profile, bfd_profile_cmd, +- "profile WORD$name", ++ "profile BFDPROF$name", + BFD_PROFILE_STR + BFD_PROFILE_NAME_STR) + { +diff --git a/vtysh/vtysh.c b/vtysh/vtysh.c +index 74f13e1a44e8..cf1811bb1f2f 100644 +--- a/vtysh/vtysh.c ++++ b/vtysh/vtysh.c +@@ -1959,7 +1959,7 @@ DEFUNSH(VTYSH_BFDD, bfd_peer_enter, bfd_peer_enter_cmd, + } + + DEFUNSH(VTYSH_BFDD, bfd_profile_enter, bfd_profile_enter_cmd, +- "profile WORD", ++ "profile BFDPROF", + BFD_PROFILE_STR + BFD_PROFILE_NAME_STR) + { diff --git a/SOURCES/0015-max-ttl-reload.patch b/SOURCES/0015-max-ttl-reload.patch new file mode 100644 index 0000000..e68a221 --- /dev/null +++ b/SOURCES/0015-max-ttl-reload.patch @@ -0,0 +1,93 @@ +From 767aaa3a80489bfc4ff097f932fc347e3db25b89 Mon Sep 17 00:00:00 2001 +From: Donatas Abraitis +Date: Mon, 21 Aug 2023 00:01:42 +0300 +Subject: [PATCH] bgpd: Do not explicitly print MAXTTL value for ebgp-multihop + vty output + +1. Create /etc/frr/frr.conf +``` +frr version 7.5 +frr defaults traditional +hostname centos8.localdomain +no ip forwarding +no ipv6 forwarding +service integrated-vtysh-config +line vty +router bgp 4250001000 + neighbor 192.168.122.207 remote-as 65512 + neighbor 192.168.122.207 ebgp-multihop +``` + +2. Start FRR +`# systemctl start frr +` +3. Show running configuration. Note that FRR explicitly set and shows the default TTL (225) + +``` +Building configuration... + +Current configuration: +! +frr version 7.5 +frr defaults traditional +hostname centos8.localdomain +no ip forwarding +no ipv6 forwarding +service integrated-vtysh-config +! +router bgp 4250001000 + neighbor 192.168.122.207 remote-as 65512 + neighbor 192.168.122.207 ebgp-multihop 255 +! +line vty +! +end +``` +4. Copy initial frr.conf to frr.conf.new (no changes) +`# cp /etc/frr/frr.conf /root/frr.conf.new +` +5. Run frr-reload.sh: + +``` +$ /usr/lib/frr/frr-reload.py --test /root/frr.conf.new +2023-08-20 20:15:48,050 INFO: Called via "Namespace(bindir='/usr/bin', confdir='/etc/frr', daemon='', debug=False, filename='/root/frr.conf.new', input=None, log_level='info', overwrite=False, pathspace=None, reload=False, rundir='/var/run/frr', stdout=False, test=True, vty_socket=None)" +2023-08-20 20:15:48,050 INFO: Loading Config object from file /root/frr.conf.new +2023-08-20 20:15:48,124 INFO: Loading Config object from vtysh show running + +Lines To Delete +=============== +router bgp 4250001000 + no neighbor 192.168.122.207 ebgp-multihop 255 + +Lines To Add +============ +router bgp 4250001000 + neighbor 192.168.122.207 ebgp-multihop +``` + +Closes https://github.com/FRRouting/frr/issues/14242 + +Signed-off-by: Donatas Abraitis +--- + bgpd/bgp_vty.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +diff --git a/bgpd/bgp_vty.c b/bgpd/bgp_vty.c +index be0fe4283747..c9a9255f3392 100644 +--- a/bgpd/bgp_vty.c ++++ b/bgpd/bgp_vty.c +@@ -17735,8 +17735,12 @@ static void bgp_config_write_peer_global(struct vty *vty, struct bgp *bgp, + && !(peer->gtsm_hops != BGP_GTSM_HOPS_DISABLED + && peer->ttl == MAXTTL)) { + if (!peer_group_active(peer) || g_peer->ttl != peer->ttl) { +- vty_out(vty, " neighbor %s ebgp-multihop %d\n", addr, +- peer->ttl); ++ if (peer->ttl != MAXTTL) ++ vty_out(vty, " neighbor %s ebgp-multihop %d\n", ++ addr, peer->ttl); ++ else ++ vty_out(vty, " neighbor %s ebgp-multihop\n", ++ addr); + } + } + diff --git a/SOURCES/0016-CVE-2023-38802.patch b/SOURCES/0016-CVE-2023-38802.patch new file mode 100644 index 0000000..728db32 --- /dev/null +++ b/SOURCES/0016-CVE-2023-38802.patch @@ -0,0 +1,129 @@ +From 46817adab03802355c3cce7b753c7a735bdcc5ae Mon Sep 17 00:00:00 2001 +From: Donatas Abraitis +Date: Thu, 13 Jul 2023 22:32:03 +0300 +Subject: [PATCH] bgpd: Use treat-as-withdraw for tunnel encapsulation + attribute + +Before this path we used session reset method, which is discouraged by rfc7606. + +Handle this as rfc requires. + +Signed-off-by: Donatas Abraitis +(cherry picked from commit bcb6b58d9530173df41d3a3cbc4c600ee0b4b186) +--- + bgpd/bgp_attr.c | 61 ++++++++++++++++++++----------------------------- + 1 file changed, 25 insertions(+), 36 deletions(-) + +diff --git a/bgpd/bgp_attr.c b/bgpd/bgp_attr.c +index 058fae23cbd..1c0803cfd8e 100644 +--- a/bgpd/bgp_attr.c ++++ b/bgpd/bgp_attr.c +@@ -1301,6 +1301,7 @@ bgp_attr_malformed(struct bgp_attr_parser_args *args, uint8_t subcode, + case BGP_ATTR_LARGE_COMMUNITIES: + case BGP_ATTR_ORIGINATOR_ID: + case BGP_ATTR_CLUSTER_LIST: ++ case BGP_ATTR_ENCAP: + return BGP_ATTR_PARSE_WITHDRAW; + case BGP_ATTR_MP_REACH_NLRI: + case BGP_ATTR_MP_UNREACH_NLRI: +@@ -2434,26 +2435,21 @@ bgp_attr_ipv6_ext_communities(struct bgp_attr_parser_args *args) + } + + /* Parse Tunnel Encap attribute in an UPDATE */ +-static int bgp_attr_encap(uint8_t type, struct peer *peer, /* IN */ +- bgp_size_t length, /* IN: attr's length field */ +- struct attr *attr, /* IN: caller already allocated */ +- uint8_t flag, /* IN: attr's flags field */ +- uint8_t *startp) ++static int bgp_attr_encap(struct bgp_attr_parser_args *args) + { +- bgp_size_t total; + uint16_t tunneltype = 0; +- +- total = length + (CHECK_FLAG(flag, BGP_ATTR_FLAG_EXTLEN) ? 4 : 3); ++ struct peer *const peer = args->peer; ++ struct attr *const attr = args->attr; ++ bgp_size_t length = args->length; ++ uint8_t type = args->type; ++ uint8_t flag = args->flags; + + if (!CHECK_FLAG(flag, BGP_ATTR_FLAG_TRANS) + || !CHECK_FLAG(flag, BGP_ATTR_FLAG_OPTIONAL)) { +- zlog_info( +- "Tunnel Encap attribute flag isn't optional and transitive %d", +- flag); +- bgp_notify_send_with_data(peer, BGP_NOTIFY_UPDATE_ERR, +- BGP_NOTIFY_UPDATE_ATTR_FLAG_ERR, +- startp, total); +- return -1; ++ zlog_err("Tunnel Encap attribute flag isn't optional and transitive %d", ++ flag); ++ return bgp_attr_malformed(args, BGP_NOTIFY_UPDATE_OPT_ATTR_ERR, ++ args->total); + } + + if (BGP_ATTR_ENCAP == type) { +@@ -2461,12 +2457,11 @@ static int bgp_attr_encap(uint8_t type, struct peer *peer, /* IN */ + uint16_t tlv_length; + + if (length < 4) { +- zlog_info( ++ zlog_err( + "Tunnel Encap attribute not long enough to contain outer T,L"); +- bgp_notify_send_with_data( +- peer, BGP_NOTIFY_UPDATE_ERR, +- BGP_NOTIFY_UPDATE_OPT_ATTR_ERR, startp, total); +- return -1; ++ return bgp_attr_malformed(args, ++ BGP_NOTIFY_UPDATE_OPT_ATTR_ERR, ++ args->total); + } + tunneltype = stream_getw(BGP_INPUT(peer)); + tlv_length = stream_getw(BGP_INPUT(peer)); +@@ -2496,13 +2491,11 @@ static int bgp_attr_encap(uint8_t type, struct peer *peer, /* IN */ + } + + if (sublength > length) { +- zlog_info( +- "Tunnel Encap attribute sub-tlv length %d exceeds remaining length %d", +- sublength, length); +- bgp_notify_send_with_data( +- peer, BGP_NOTIFY_UPDATE_ERR, +- BGP_NOTIFY_UPDATE_OPT_ATTR_ERR, startp, total); +- return -1; ++ zlog_err("Tunnel Encap attribute sub-tlv length %d exceeds remaining length %d", ++ sublength, length); ++ return bgp_attr_malformed(args, ++ BGP_NOTIFY_UPDATE_OPT_ATTR_ERR, ++ args->total); + } + + /* alloc and copy sub-tlv */ +@@ -2550,13 +2543,10 @@ static int bgp_attr_encap(uint8_t type, struct peer *peer, /* IN */ + + if (length) { + /* spurious leftover data */ +- zlog_info( +- "Tunnel Encap attribute length is bad: %d leftover octets", +- length); +- bgp_notify_send_with_data(peer, BGP_NOTIFY_UPDATE_ERR, +- BGP_NOTIFY_UPDATE_OPT_ATTR_ERR, +- startp, total); +- return -1; ++ zlog_err("Tunnel Encap attribute length is bad: %d leftover octets", ++ length); ++ return bgp_attr_malformed(args, BGP_NOTIFY_UPDATE_OPT_ATTR_ERR, ++ args->total); + } + + return 0; +@@ -3396,8 +3386,7 @@ enum bgp_attr_parse_ret bgp_attr_parse(struct peer *peer, struct attr *attr, + case BGP_ATTR_VNC: + #endif + case BGP_ATTR_ENCAP: +- ret = bgp_attr_encap(type, peer, length, attr, flag, +- startp); ++ ret = bgp_attr_encap(&attr_args); + break; + case BGP_ATTR_PREFIX_SID: + ret = bgp_attr_prefix_sid(&attr_args); diff --git a/SOURCES/0017-fix-crash-in-plist-update.patch b/SOURCES/0017-fix-crash-in-plist-update.patch new file mode 100644 index 0000000..69bfc64 --- /dev/null +++ b/SOURCES/0017-fix-crash-in-plist-update.patch @@ -0,0 +1,48 @@ +From 0f9e4c4a36cf2b0dd585a7ef97acccb8eebdf7bd Mon Sep 17 00:00:00 2001 +From: Chirag Shah +Date: Mon, 25 Jan 2021 11:44:56 -0800 +Subject: [PATCH] lib: fix a crash in plist update + +Problem: +Prefix-list with mulitiple rules, an update to +a rule/sequence with different prefix/prefixlen +reset prefix-list next-base pointer to avoid +having stale value. + +In some case the old next-bast's reference leads +to an assert in tri (trie_install_fn ) add. + +bt: +(object=0x55576a4c8a00, updptr=0x55576a4b97e0) at lib/plist.c:560 +(plist=0x55576a4a1770, pentry=0x55576a4c8a00) at lib/plist.c:585 +(ple=0x55576a4c8a00) at lib/plist.c:745 +(args=0x7fffe04beb50) at lib/filter_nb.c:1181 + +Solution: +Reset prefix-list next-base pointer whenver a +sequence/rule is updated. + +Ticket:CM-33109 +Testing Done: + +Signed-off-by: Chirag Shah +Signed-off-by: Rafael Zalamena +(cherry picked from commit f7f101156eb0e225f375f12cf4f863ebbe3fed03) +--- + lib/plist.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/lib/plist.c b/lib/plist.c +index 981e86e2a..c746d1946 100644 +--- a/lib/plist.c ++++ b/lib/plist.c +@@ -684,6 +684,7 @@ void prefix_list_entry_update_start(struct prefix_list_entry *ple) + if (pl->head || pl->tail || pl->desc) + pl->master->recent = pl; + ++ ple->next_best = NULL; + ple->installed = false; + } + +-- +2.41.0 diff --git a/SOURCES/0018-CVE-2023-38406.patch b/SOURCES/0018-CVE-2023-38406.patch new file mode 100644 index 0000000..56c9296 --- /dev/null +++ b/SOURCES/0018-CVE-2023-38406.patch @@ -0,0 +1,34 @@ +From 0b999c886e241c52bd1f7ef0066700e4b618ebb3 Mon Sep 17 00:00:00 2001 +From: Donald Sharp +Date: Thu, 23 Feb 2023 13:29:32 -0500 +Subject: [PATCH] bgpd: Flowspec overflow issue + +According to the flowspec RFC 8955 a flowspec nlri is > +Specifying 0 as a length makes BGP get all warm on the inside. Which +in this case is not a good thing at all. Prevent warmth, stay cold +on the inside. + +Reported-by: Iggy Frankovic +Signed-off-by: Donald Sharp +--- + bgpd/bgp_flowspec.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/bgpd/bgp_flowspec.c b/bgpd/bgp_flowspec.c +index 8d5ca5e77779..f9debe43cd45 100644 +--- a/bgpd/bgp_flowspec.c ++++ b/bgpd/bgp_flowspec.c +@@ -127,6 +127,13 @@ int bgp_nlri_parse_flowspec(struct peer *peer, struct attr *attr, + psize); + return BGP_NLRI_PARSE_ERROR_PACKET_OVERFLOW; + } ++ ++ if (psize == 0) { ++ flog_err(EC_BGP_FLOWSPEC_PACKET, ++ "Flowspec NLRI length 0 which makes no sense"); ++ return BGP_NLRI_PARSE_ERROR_PACKET_OVERFLOW; ++ } ++ + if (bgp_fs_nlri_validate(pnt, psize, afi) < 0) { + flog_err( + EC_BGP_FLOWSPEC_PACKET, diff --git a/SOURCES/0019-CVE-2023-38407.patch b/SOURCES/0019-CVE-2023-38407.patch new file mode 100644 index 0000000..dbd4e9e --- /dev/null +++ b/SOURCES/0019-CVE-2023-38407.patch @@ -0,0 +1,54 @@ +From 7404a914b0cafe046703c8381903a80d3def8f8b Mon Sep 17 00:00:00 2001 +From: Donald Sharp +Date: Fri, 3 Mar 2023 21:58:33 -0500 +Subject: [PATCH] bgpd: Fix use beyond end of stream of labeled unicast parsing + +Fixes a couple crashes associated with attempting to read +beyond the end of the stream. + +Reported-by: Iggy Frankovic +Signed-off-by: Donald Sharp +--- + bgpd/bgp_label.c | 15 +++++++++++++++ + 1 file changed, 15 insertions(+) + +diff --git a/bgpd/bgp_label.c b/bgpd/bgp_label.c +index 0cad119af101..c4a5277553ba 100644 +--- a/bgpd/bgp_label.c ++++ b/bgpd/bgp_label.c +@@ -297,6 +297,9 @@ static int bgp_nlri_get_labels(struct peer *peer, uint8_t *pnt, uint8_t plen, + uint8_t llen = 0; + uint8_t label_depth = 0; + ++ if (plen < BGP_LABEL_BYTES) ++ return 0; ++ + for (; data < lim; data += BGP_LABEL_BYTES) { + memcpy(label, data, BGP_LABEL_BYTES); + llen += BGP_LABEL_BYTES; +@@ -359,6 +362,9 @@ int bgp_nlri_parse_label(struct peer *peer, struct attr *attr, + memcpy(&addpath_id, pnt, BGP_ADDPATH_ID_LEN); + addpath_id = ntohl(addpath_id); + pnt += BGP_ADDPATH_ID_LEN; ++ ++ if (pnt >= lim) ++ return BGP_NLRI_PARSE_ERROR_PACKET_OVERFLOW; + } + + /* Fetch prefix length. */ +@@ -377,6 +383,15 @@ int bgp_nlri_parse_label(struct peer *peer, struct attr *attr, + + /* Fill in the labels */ + llen = bgp_nlri_get_labels(peer, pnt, psize, &label); ++ if (llen == 0) { ++ flog_err( ++ EC_BGP_UPDATE_RCV, ++ "%s [Error] Update packet error (wrong label length 0)", ++ peer->host); ++ bgp_notify_send(peer, BGP_NOTIFY_UPDATE_ERR, ++ BGP_NOTIFY_UPDATE_INVAL_NETWORK); ++ return BGP_NLRI_PARSE_ERROR_LABEL_LENGTH; ++ } + p.prefixlen = prefixlen - BSIZE(llen); + + /* There needs to be at least one label */ diff --git a/SOURCES/0020-CVE-2023-47234.patch b/SOURCES/0020-CVE-2023-47234.patch new file mode 100644 index 0000000..ac509c6 --- /dev/null +++ b/SOURCES/0020-CVE-2023-47234.patch @@ -0,0 +1,89 @@ +From c37119df45bbf4ef713bc10475af2ee06e12f3bf Mon Sep 17 00:00:00 2001 +From: Donatas Abraitis +Date: Sun, 29 Oct 2023 22:44:45 +0200 +Subject: [PATCH] bgpd: Ignore handling NLRIs if we received MP_UNREACH_NLRI + +If we receive MP_UNREACH_NLRI, we should stop handling remaining NLRIs if +no mandatory path attributes received. + +In other words, if MP_UNREACH_NLRI received, the remaining NLRIs should be handled +as a new data, but without mandatory attributes, it's a malformed packet. + +In normal case, this MUST not happen at all, but to avoid crashing bgpd, we MUST +handle that. + +Reported-by: Iggy Frankovic +Signed-off-by: Donatas Abraitis +--- + bgpd/bgp_attr.c | 19 ++++++++++--------- + bgpd/bgp_attr.h | 1 + + bgpd/bgp_packet.c | 7 ++++++- + 3 files changed, 17 insertions(+), 10 deletions(-) + +diff --git a/bgpd/bgp_attr.c b/bgpd/bgp_attr.c +index 1473dc772502..75aa2ac7cce6 100644 +--- a/bgpd/bgp_attr.c ++++ b/bgpd/bgp_attr.c +@@ -3399,15 +3399,6 @@ static int bgp_attr_check(struct peer *peer, struct attr *attr, + if (CHECK_FLAG(peer->cap, PEER_CAP_RESTART_RCV) && !attr->flag) + return BGP_ATTR_PARSE_PROCEED; + +- /* "An UPDATE message that contains the MP_UNREACH_NLRI is not required +- to carry any other path attributes.", though if MP_REACH_NLRI or NLRI +- are present, it should. Check for any other attribute being present +- instead. +- */ +- if ((!CHECK_FLAG(attr->flag, ATTR_FLAG_BIT(BGP_ATTR_MP_REACH_NLRI)) && +- CHECK_FLAG(attr->flag, ATTR_FLAG_BIT(BGP_ATTR_MP_UNREACH_NLRI)))) +- return BGP_ATTR_PARSE_PROCEED; +- + if (!CHECK_FLAG(attr->flag, ATTR_FLAG_BIT(BGP_ATTR_ORIGIN))) + type = BGP_ATTR_ORIGIN; + +@@ -3426,6 +3417,16 @@ static int bgp_attr_check(struct peer *peer, struct attr *attr, + && !CHECK_FLAG(attr->flag, ATTR_FLAG_BIT(BGP_ATTR_LOCAL_PREF))) + type = BGP_ATTR_LOCAL_PREF; + ++ /* An UPDATE message that contains the MP_UNREACH_NLRI is not required ++ * to carry any other path attributes. Though if MP_REACH_NLRI or NLRI ++ * are present, it should. Check for any other attribute being present ++ * instead. ++ */ ++ if (!CHECK_FLAG(attr->flag, ATTR_FLAG_BIT(BGP_ATTR_MP_REACH_NLRI)) && ++ CHECK_FLAG(attr->flag, ATTR_FLAG_BIT(BGP_ATTR_MP_UNREACH_NLRI))) ++ return type ? BGP_ATTR_PARSE_MISSING_MANDATORY ++ : BGP_ATTR_PARSE_PROCEED; ++ + /* If any of the well-known mandatory attributes are not present + * in an UPDATE message, then "treat-as-withdraw" MUST be used. + */ +diff --git a/bgpd/bgp_attr.h b/bgpd/bgp_attr.h +index fc347e7a1b4b..d30155e6dba0 100644 +--- a/bgpd/bgp_attr.h ++++ b/bgpd/bgp_attr.h +@@ -364,6 +364,7 @@ enum bgp_attr_parse_ret { + */ + BGP_ATTR_PARSE_ERROR_NOTIFYPLS = -3, + BGP_ATTR_PARSE_EOR = -4, ++ BGP_ATTR_PARSE_MISSING_MANDATORY = -4, + } bgp_attr_parse_ret_t; + + struct bpacket_attr_vec_arr; +diff --git a/bgpd/bgp_packet.c b/bgpd/bgp_packet.c +index a7514a26aa64..5dc35157ebf6 100644 +--- a/bgpd/bgp_packet.c ++++ b/bgpd/bgp_packet.c +@@ -2359,7 +2359,12 @@ static int bgp_update_receive(struct peer_connection *connection, + /* Network Layer Reachability Information. */ + update_len = end - stream_pnt(s); + +- if (update_len) { ++ /* If we received MP_UNREACH_NLRI attribute, but also NLRIs, then ++ * NLRIs should be handled as a new data. Though, if we received ++ * NLRIs without mandatory attributes, they should be ignored. ++ */ ++ if (update_len && attribute_len && ++ attr_parse_ret != BGP_ATTR_PARSE_MISSING_MANDATORY) { + /* Set NLRI portion to structure. */ + nlris[NLRI_UPDATE].afi = AFI_IP; + nlris[NLRI_UPDATE].safi = SAFI_UNICAST; diff --git a/SOURCES/0021-CVE-2023-47235.patch b/SOURCES/0021-CVE-2023-47235.patch new file mode 100644 index 0000000..b9786ef --- /dev/null +++ b/SOURCES/0021-CVE-2023-47235.patch @@ -0,0 +1,105 @@ +From 6814f2e0138a6ea5e1f83bdd9085d9a77999900b Mon Sep 17 00:00:00 2001 +From: Donatas Abraitis +Date: Fri, 27 Oct 2023 11:56:45 +0300 +Subject: [PATCH] bgpd: Treat EOR as withdrawn to avoid unwanted handling of + malformed attrs + +Treat-as-withdraw, otherwise if we just ignore it, we will pass it to be +processed as a normal UPDATE without mandatory attributes, that could lead +to harmful behavior. In this case, a crash for route-maps with the configuration +such as: + +``` +router bgp 65001 + no bgp ebgp-requires-policy + neighbor 127.0.0.1 remote-as external + neighbor 127.0.0.1 passive + neighbor 127.0.0.1 ebgp-multihop + neighbor 127.0.0.1 disable-connected-check + neighbor 127.0.0.1 update-source 127.0.0.2 + neighbor 127.0.0.1 timers 3 90 + neighbor 127.0.0.1 timers connect 1 + ! + address-family ipv4 unicast + neighbor 127.0.0.1 addpath-tx-all-paths + neighbor 127.0.0.1 default-originate + neighbor 127.0.0.1 route-map RM_IN in + exit-address-family +exit +! +route-map RM_IN permit 10 + set as-path prepend 200 +exit +``` + +Send a malformed optional transitive attribute: + +``` +import socket +import time + +OPEN = (b"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +b"\xff\xff\x00\x62\x01\x04\xfd\xea\x00\x5a\x0a\x00\x00\x01\x45\x02" +b"\x06\x01\x04\x00\x01\x00\x01\x02\x02\x02\x00\x02\x02\x46\x00\x02" +b"\x06\x41\x04\x00\x00\xfd\xea\x02\x02\x06\x00\x02\x06\x45\x04\x00" +b"\x01\x01\x03\x02\x0e\x49\x0c\x0a\x64\x6f\x6e\x61\x74\x61\x73\x2d" +b"\x70\x63\x00\x02\x04\x40\x02\x00\x78\x02\x09\x47\x07\x00\x01\x01" +b"\x80\x00\x00\x00") + +KEEPALIVE = (b"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +b"\xff\xff\xff\xff\xff\xff\x00\x13\x04") + +UPDATE = bytearray.fromhex("ffffffffffffffffffffffffffffffff002b0200000003c0ff00010100eb00ac100b0b001ad908ac100b0b") + +s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) +s.connect(('127.0.0.2', 179)) +s.send(OPEN) +data = s.recv(1024) +s.send(KEEPALIVE) +data = s.recv(1024) +s.send(UPDATE) +data = s.recv(1024) +time.sleep(100) +s.close() +``` + +Reported-by: Iggy Frankovic +Signed-off-by: Donatas Abraitis +--- + bgpd/bgp_attr.c | 15 ++++++++++++--- + 1 file changed, 12 insertions(+), 3 deletions(-) + +diff --git a/bgpd/bgp_attr.c b/bgpd/bgp_attr.c +index cf2dbe65b805..1473dc772502 100644 +--- a/bgpd/bgp_attr.c ++++ b/bgpd/bgp_attr.c +@@ -3391,9 +3391,12 @@ static int bgp_attr_check(struct peer *peer, struct attr *attr, + uint8_t type = 0; + + /* BGP Graceful-Restart End-of-RIB for IPv4 unicast is signaled as an +- * empty UPDATE. */ ++ * empty UPDATE. Treat-as-withdraw, otherwise if we just ignore it, ++ * we will pass it to be processed as a normal UPDATE without mandatory ++ * attributes, that could lead to harmful behavior. ++ */ + if (CHECK_FLAG(peer->cap, PEER_CAP_RESTART_RCV) && !attr->flag) +- return BGP_ATTR_PARSE_PROCEED; ++ return BGP_ATTR_PARSE_WITHDRAW; + + if (!CHECK_FLAG(attr->flag, ATTR_FLAG_BIT(BGP_ATTR_ORIGIN))) + type = BGP_ATTR_ORIGIN; +@@ -3273,7 +3276,13 @@ done: + aspath_unintern(&as4_path); + } + +- if (ret != BGP_ATTR_PARSE_ERROR) { ++ /* If we received an UPDATE with mandatory attributes, then ++ * the unrecognized transitive optional attribute of that ++ * path MUST be passed. Otherwise, it's an error, and from ++ * security perspective it might be very harmful if we continue ++ * here with the unrecognized attributes. ++ */ ++ if (ret == BGP_ATTR_PARSE_PROCEED) { + /* Finally intern unknown attribute. */ + if (attr->transit) + attr->transit = transit_intern(attr->transit); diff --git a/SOURCES/0022-route-map-event.patch b/SOURCES/0022-route-map-event.patch new file mode 100644 index 0000000..74e9242 --- /dev/null +++ b/SOURCES/0022-route-map-event.patch @@ -0,0 +1,47 @@ +From 4fc5dafd1c8167a98e3a5f51efc1ea5092513364 Mon Sep 17 00:00:00 2001 +From: rgirada +Date: Thu, 18 Feb 2021 20:15:40 -0800 +Subject: [PATCH] lib: Routemap is not getting applied upon changing the + routemap action + +Description: + This looks broken after NB changes in routemap. When routemap + action modified from permit to deny, it is expected to apply + the new action on the filtered routes before the action in the + routemap data structure has been changed. But currently this is + not handled by the corresponding northbound API. + +Signed-off-by: Rajesh Girada +--- + lib/routemap_northbound.c | 11 ++++++++++- + 1 file changed, 10 insertions(+), 1 deletion(-) + +diff --git a/lib/routemap_northbound.c b/lib/routemap_northbound.c +index db06e9caac75..3473ca2aea8c 100644 +--- a/lib/routemap_northbound.c ++++ b/lib/routemap_northbound.c +@@ -271,6 +271,7 @@ lib_route_map_entry_description_destroy(struct nb_cb_destroy_args *args) + static int lib_route_map_entry_action_modify(struct nb_cb_modify_args *args) + { + struct route_map_index *rmi; ++ struct route_map *map; + + switch (args->event) { + case NB_EV_VALIDATE: +@@ -281,7 +282,15 @@ static int lib_route_map_entry_action_modify(struct nb_cb_modify_args *args) + case NB_EV_APPLY: + rmi = nb_running_get_entry(args->dnode, NULL, true); + rmi->type = yang_dnode_get_enum(args->dnode, NULL); +- /* TODO: notify? */ ++ map = rmi->map; ++ ++ /* Execute event hook. */ ++ if (route_map_master.event_hook) { ++ (*route_map_master.event_hook)(map->name); ++ route_map_notify_dependencies(map->name, ++ RMAP_EVENT_CALL_ADDED); ++ } ++ + break; + } + diff --git a/SOURCES/0023-CVE-2023-46752.patch b/SOURCES/0023-CVE-2023-46752.patch new file mode 100644 index 0000000..a59b74c --- /dev/null +++ b/SOURCES/0023-CVE-2023-46752.patch @@ -0,0 +1,76 @@ +From b08afc81c60607a4f736f418f2e3eb06087f1a35 Mon Sep 17 00:00:00 2001 +From: Donatas Abraitis +Date: Fri, 20 Oct 2023 17:49:18 +0300 +Subject: [PATCH] bgpd: Handle MP_REACH_NLRI malformed packets with session + reset + +Avoid crashing bgpd. + +Reported-by: Iggy Frankovic +Signed-off-by: Donatas Abraitis +--- + bgpd/bgp_attr.c | 6 +----- + bgpd/bgp_attr.h | 1 - + bgpd/bgp_packet.c | 6 +----- + 3 files changed, 2 insertions(+), 11 deletions(-) + +diff --git a/bgpd/bgp_attr.c b/bgpd/bgp_attr.c +index 6925aff727e2..e7bb42a5d989 100644 +--- a/bgpd/bgp_attr.c ++++ b/bgpd/bgp_attr.c +@@ -2421,7 +2421,7 @@ int bgp_mp_reach_parse(struct bgp_attr_parser_args *args, + + mp_update->afi = afi; + mp_update->safi = safi; +- return BGP_ATTR_PARSE_EOR; ++ return bgp_attr_malformed(args, BGP_NOTIFY_UPDATE_MAL_ATTR, 0); + } + + mp_update->afi = afi; +@@ -3759,10 +3759,6 @@ enum bgp_attr_parse_ret bgp_attr_parse(struct peer *peer, struct attr *attr, + goto done; + } + +- if (ret == BGP_ATTR_PARSE_EOR) { +- goto done; +- } +- + if (ret == BGP_ATTR_PARSE_ERROR) { + flog_warn(EC_BGP_ATTRIBUTE_PARSE_ERROR, + "%s: Attribute %s, parse error", peer->host, +diff --git a/bgpd/bgp_attr.h b/bgpd/bgp_attr.h +index 961e5f122470..fc347e7a1b4b 100644 +--- a/bgpd/bgp_attr.h ++++ b/bgpd/bgp_attr.h +@@ -364,7 +364,6 @@ enum bgp_attr_parse_ret { + /* only used internally, send notify + convert to BGP_ATTR_PARSE_ERROR + */ + BGP_ATTR_PARSE_ERROR_NOTIFYPLS = -3, +- BGP_ATTR_PARSE_EOR = -4, + BGP_ATTR_PARSE_MISSING_MANDATORY = -4, + } bgp_attr_parse_ret_t; + +diff --git a/bgpd/bgp_packet.c b/bgpd/bgp_packet.c +index b585591e2f69..5ecf343b6657 100644 +--- a/bgpd/bgp_packet.c ++++ b/bgpd/bgp_packet.c +@@ -2397,8 +2397,7 @@ static int bgp_update_receive(struct peer_connection *connection, + * Non-MP IPv4/Unicast EoR is a completely empty UPDATE + * and MP EoR should have only an empty MP_UNREACH + */ +- if ((!update_len && !withdraw_len && nlris[NLRI_MP_UPDATE].length == 0) +- || (attr_parse_ret == BGP_ATTR_PARSE_EOR)) { ++ if (!update_len && !withdraw_len && nlris[NLRI_MP_UPDATE].length == 0) { + afi_t afi = 0; + safi_t safi; + struct graceful_restart_info *gr_info; +@@ -2419,9 +2418,6 @@ static int bgp_update_receive(struct peer_connection *connection, + && nlris[NLRI_MP_WITHDRAW].length == 0) { + afi = nlris[NLRI_MP_WITHDRAW].afi; + safi = nlris[NLRI_MP_WITHDRAW].safi; +- } else if (attr_parse_ret == BGP_ATTR_PARSE_EOR) { +- afi = nlris[NLRI_MP_UPDATE].afi; +- safi = nlris[NLRI_MP_UPDATE].safi; + } + + if (afi && peer->afc[afi][safi]) { diff --git a/SOURCES/0024-CVE-2023-46753.patch b/SOURCES/0024-CVE-2023-46753.patch new file mode 100644 index 0000000..7b8381b --- /dev/null +++ b/SOURCES/0024-CVE-2023-46753.patch @@ -0,0 +1,60 @@ +From d8482bf011cb2b173e85b65b4bf3d5061250cdb9 Mon Sep 17 00:00:00 2001 +From: Donatas Abraitis +Date: Mon, 23 Oct 2023 23:34:10 +0300 +Subject: [PATCH] bgpd: Check mandatory attributes more carefully for UPDATE + message + +If we send a crafted BGP UPDATE message without mandatory attributes, we do +not check if the length of the path attributes is zero or not. We only check +if attr->flag is at least set or not. Imagine we send only unknown transit +attribute, then attr->flag is always 0. Also, this is true only if graceful-restart +capability is received. + +Reported-by: Iggy Frankovic +Signed-off-by: Donatas Abraitis +--- + bgpd/bgp_attr.c | 10 ++++++---- + 1 file changed, 6 insertions(+), 4 deletions(-) + +diff --git a/bgpd/bgp_attr.c b/bgpd/bgp_attr.c +index 26fd3de..bcc4424 100644 +--- a/bgpd/bgp_attr.c ++++ b/bgpd/bgp_attr.c +@@ -3400,7 +3400,8 @@ bgp_attr_unknown(struct bgp_attr_parser_args *args) + } + + /* Well-known attribute check. */ +-static int bgp_attr_check(struct peer *peer, struct attr *attr) ++static int bgp_attr_check(struct peer *peer, struct attr *attr, ++ bgp_size_t length) + { + uint8_t type = 0; + +@@ -3409,7 +3410,8 @@ static int bgp_attr_check(struct peer *peer, struct attr *attr) + * we will pass it to be processed as a normal UPDATE without mandatory + * attributes, that could lead to harmful behavior. + */ +- if (CHECK_FLAG(peer->cap, PEER_CAP_RESTART_RCV) && !attr->flag) ++ if (CHECK_FLAG(peer->cap, PEER_CAP_RESTART_RCV) && !attr->flag && ++ !length) + return BGP_ATTR_PARSE_WITHDRAW; + + if (!CHECK_FLAG(attr->flag, ATTR_FLAG_BIT(BGP_ATTR_ORIGIN))) +@@ -3462,7 +3464,7 @@ enum bgp_attr_parse_ret bgp_attr_parse(struct peer *peer, struct attr *attr, + bgp_attr_parse_ret_t ret; + uint8_t flag = 0; + uint8_t type = 0; +- bgp_size_t length; ++ bgp_size_t length = 0; + uint8_t *startp, *endp; + uint8_t *attr_endp; + uint8_t seen[BGP_ATTR_BITMAP_SIZE]; +@@ -3216,7 +3218,7 @@ bgp_attr_parse_ret_t bgp_attr_parse(struct peer *peer, struct attr *attr, + } + + /* Check all mandatory well-known attributes are present */ +- if ((ret = bgp_attr_check(peer, attr)) < 0) ++ if ((ret = bgp_attr_check(peer, attr, length)) < 0) + goto done; + + /* diff --git a/SOURCES/0025-CVE-2023-31490.patch b/SOURCES/0025-CVE-2023-31490.patch new file mode 100644 index 0000000..5bbde8a --- /dev/null +++ b/SOURCES/0025-CVE-2023-31490.patch @@ -0,0 +1,150 @@ +From 06431bfa7570f169637ebb5898f0b0cc3b010802 Mon Sep 17 00:00:00 2001 +From: Donald Sharp +Date: Tue, 6 Dec 2022 10:23:11 -0500 +Subject: [PATCH] bgpd: Ensure stream received has enough data + +BGP_PREFIX_SID_SRV6_L3_SERVICE attributes must not +fully trust the length value specified in the nlri. +Always ensure that the amount of data we need to read +can be fullfilled. + +Reported-by: Iggy Frankovic +Signed-off-by: Donald Sharp +--- + bgpd/bgp_attr.c | 79 ++++++++++++++++--------------------------------- + 1 file changed, 25 insertions(+), 54 deletions(-) + +diff --git a/bgpd/bgp_attr.c b/bgpd/bgp_attr.c +index c35e45275c9b..5b06bc391375 100644 +--- a/bgpd/bgp_attr.c ++++ b/bgpd/bgp_attr.c +@@ -2927,9 +2927,21 @@ bgp_attr_psid_sub(uint8_t type, uint16_t length, + uint16_t endpoint_behavior; + char buf[BUFSIZ]; + ++ /* ++ * Check that we actually have at least as much data as ++ * specified by the length field ++ */ ++ if (STREAM_READABLE(peer->curr) < length) { ++ flog_err( ++ EC_BGP_ATTR_LEN, ++ "Prefix SID specifies length %hu, but only %zu bytes remain", ++ length, STREAM_READABLE(peer->curr)); ++ return bgp_attr_malformed(args, BGP_NOTIFY_UPDATE_ATTR_LENG_ERR, ++ args->total); ++ } ++ + if (type == BGP_PREFIX_SID_LABEL_INDEX) { +- if (STREAM_READABLE(peer->curr) < length +- || length != BGP_PREFIX_SID_LABEL_INDEX_LENGTH) { ++ if (length != BGP_PREFIX_SID_LABEL_INDEX_LENGTH) { + flog_err(EC_BGP_ATTR_LEN, + "Prefix SID label index length is %hu instead of %u", + length, BGP_PREFIX_SID_LABEL_INDEX_LENGTH); +@@ -2951,12 +2963,8 @@ bgp_attr_psid_sub(uint8_t type, uint16_t length, + /* Store label index; subsequently, we'll check on + * address-family */ + attr->label_index = label_index; +- } +- +- /* Placeholder code for the IPv6 SID type */ +- else if (type == BGP_PREFIX_SID_IPV6) { +- if (STREAM_READABLE(peer->curr) < length +- || length != BGP_PREFIX_SID_IPV6_LENGTH) { ++ } else if (type == BGP_PREFIX_SID_IPV6) { ++ if (length != BGP_PREFIX_SID_IPV6_LENGTH) { + flog_err(EC_BGP_ATTR_LEN, + "Prefix SID IPv6 length is %hu instead of %u", + length, BGP_PREFIX_SID_IPV6_LENGTH); +@@ -2970,10 +2978,7 @@ bgp_attr_psid_sub(uint8_t type, uint16_t length, + stream_getw(peer->curr); + + stream_get(&ipv6_sid, peer->curr, 16); +- } +- +- /* Placeholder code for the Originator SRGB type */ +- else if (type == BGP_PREFIX_SID_ORIGINATOR_SRGB) { ++ } else if (type == BGP_PREFIX_SID_ORIGINATOR_SRGB) { + /* + * ietf-idr-bgp-prefix-sid-05: + * Length is the total length of the value portion of the +@@ -2998,19 +3003,6 @@ bgp_attr_psid_sub(uint8_t type, uint16_t length, + args->total); + } + +- /* +- * Check that we actually have at least as much data as +- * specified by the length field +- */ +- if (STREAM_READABLE(peer->curr) < length) { +- flog_err(EC_BGP_ATTR_LEN, +- "Prefix SID Originator SRGB specifies length %hu, but only %zu bytes remain", +- length, STREAM_READABLE(peer->curr)); +- return bgp_attr_malformed( +- args, BGP_NOTIFY_UPDATE_ATTR_LENG_ERR, +- args->total); +- } +- + /* + * Check that the portion of the TLV containing the sequence of + * SRGBs corresponds to a multiple of the SRGB size; to get +@@ -3034,12 +3026,8 @@ bgp_attr_psid_sub(uint8_t type, uint16_t length, + stream_get(&srgb_base, peer->curr, 3); + stream_get(&srgb_range, peer->curr, 3); + } +- } +- +- /* Placeholder code for the VPN-SID Service type */ +- else if (type == BGP_PREFIX_SID_VPN_SID) { +- if (STREAM_READABLE(peer->curr) < length +- || length != BGP_PREFIX_SID_VPN_SID_LENGTH) { ++ } else if (type == BGP_PREFIX_SID_VPN_SID) { ++ if (length != BGP_PREFIX_SID_VPN_SID_LENGTH) { + flog_err(EC_BGP_ATTR_LEN, + "Prefix SID VPN SID length is %hu instead of %u", + length, BGP_PREFIX_SID_VPN_SID_LENGTH); +@@ -2601,18 +2589,13 @@ static bgp_attr_parse_ret_t bgp_attr_psid_sub(uint8_t type, uint16_t length, + sizeof(struct bgp_attr_srv6_vpn)); + attr->srv6_vpn->sid_flags = sid_flags; + sid_copy(&attr->srv6_vpn->sid, &ipv6_sid); +- } +- +- /* Placeholder code for the SRv6 L3 Service type */ +- else if (type == BGP_PREFIX_SID_SRV6_L3_SERVICE) { +- if (STREAM_READABLE(peer->curr) < length +- || length != BGP_PREFIX_SID_SRV6_L3_SERVICE_LENGTH) { +- flog_err(EC_BGP_ATTR_LEN, +- "Prefix SID SRv6 L3-Service length is %hu instead of %u", +- length, BGP_PREFIX_SID_SRV6_L3_SERVICE_LENGTH); +- return bgp_attr_malformed(args, +- BGP_NOTIFY_UPDATE_ATTR_LENG_ERR, +- args->total); ++ } else if (type == BGP_PREFIX_SID_SRV6_L3_SERVICE) { ++ if (STREAM_READABLE(peer->curr) < 1) { ++ flog_err(EC_BGP_ATTR_LEN, ++ "Prefix SID SRV6 L3 Service not enough data left, it must be at least 1 byte"); ++ return bgp_attr_malformed( ++ args, BGP_NOTIFY_UPDATE_ATTR_LENG_ERR, ++ args->total); + } + + /* Parse L3-SERVICE Sub-TLV */ +@@ -2647,17 +2630,6 @@ static bgp_attr_parse_ret_t bgp_attr_psid_sub(uint8_t type, uint16_t length, + + /* Placeholder code for Unsupported TLV */ + else { +- +- if (STREAM_READABLE(peer->curr) < length) { +- flog_err( +- EC_BGP_ATTR_LEN, +- "Prefix SID SRv6 length is %hu - too long, only %zu remaining in this UPDATE", +- length, STREAM_READABLE(peer->curr)); +- return bgp_attr_malformed( +- args, BGP_NOTIFY_UPDATE_ATTR_LENG_ERR, +- args->total); +- } +- + if (bgp_debug_update(peer, NULL, NULL, 1)) + zlog_debug( + "%s attr Prefix-SID sub-type=%u is not supported, skipped", diff --git a/SOURCES/0026-CVE-2023-41909.patch b/SOURCES/0026-CVE-2023-41909.patch new file mode 100644 index 0000000..a61dafe --- /dev/null +++ b/SOURCES/0026-CVE-2023-41909.patch @@ -0,0 +1,34 @@ +From cfd04dcb3e689754a72507d086ba3b9709fc5ed8 Mon Sep 17 00:00:00 2001 +From: Donald Sharp +Date: Wed, 5 Apr 2023 14:57:05 -0400 +Subject: [PATCH] bgpd: Limit flowspec to no attribute means a implicit + withdrawal + +All other parsing functions done from bgp_nlri_parse() assume +no attributes == an implicit withdrawal. Let's move +bgp_nlri_parse_flowspec() into the same alignment. + +Reported-by: Matteo Memelli +Signed-off-by: Donald Sharp +--- + bgpd/bgp_flowspec.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/bgpd/bgp_flowspec.c b/bgpd/bgp_flowspec.c +index f9debe43cd45..5e1be21402dc 100644 +--- a/bgpd/bgp_flowspec.c ++++ b/bgpd/bgp_flowspec.c +@@ -98,6 +98,13 @@ int bgp_nlri_parse_flowspec(struct peer *peer, struct attr *attr, + afi = packet->afi; + safi = packet->safi; + ++ /* ++ * All other AFI/SAFI's treat no attribute as a implicit ++ * withdraw. Flowspec should as well. ++ */ ++ if (!attr) ++ withdraw = 1; ++ + if (packet->length >= FLOWSPEC_NLRI_SIZELIMIT_EXTENDED) { + flog_err(EC_BGP_FLOWSPEC_PACKET, + "BGP flowspec nlri length maximum reached (%u)", diff --git a/SOURCES/0027-dynamic-netlink-buffer.patch b/SOURCES/0027-dynamic-netlink-buffer.patch new file mode 100644 index 0000000..ec31367 --- /dev/null +++ b/SOURCES/0027-dynamic-netlink-buffer.patch @@ -0,0 +1,267 @@ +From 2cf7651f0b1b0123dc5568ebad00ac84a9b3c348 Mon Sep 17 00:00:00 2001 +From: Donald Sharp +Date: Wed, 2 Feb 2022 13:28:42 -0500 +Subject: [PATCH] zebra: Make netlink buffer reads resizeable when needed + +Currently when the kernel sends netlink messages to FRR +the buffers to receive this data is of fixed length. +The kernel, with certain configurations, will send +netlink messages that are larger than this fixed length. +This leads to situations where, on startup, zebra gets +really confused about the state of the kernel. Effectively +the current algorithm is this: + +read up to buffer in size +while (data to parse) + get netlink message header, look at size + parse if you can + +The problem is that there is a 32k buffer we read. +We get the first message that is say 1k in size, +subtract that 1k to 31k left to parse. We then +get the next header and notice that the length +of the message is 33k. Which is obviously larger +than what we read in. FRR has no recover mechanism +nor is there a way to know, a priori, what the maximum +size the kernel will send us. + +Modify FRR to look at the kernel message and see if the +buffer is large enough, if not, make it large enough to +read in the message. + +This code has to be per netlink socket because of the usage +of pthreads. So add to `struct nlsock` the buffer and current +buffer length. Growing it as necessary. + +Fixes: #10404 +Signed-off-by: Donald Sharp +--- + zebra/kernel_netlink.c | 68 +++++++++++++++++++++++++----------------- + zebra/kernel_netlink.h | 2 +- + zebra/zebra_dplane.c | 4 +++ + zebra/zebra_ns.h | 3 ++ + 4 files changed, 49 insertions(+), 28 deletions(-) + +diff --git a/zebra/kernel_netlink.h b/zebra/kernel_netlink.h +index ae88f3372b1c..9421ea1c611a 100644 +--- a/zebra/kernel_netlink.h ++++ b/zebra/kernel_netlink.h +@@ -96,7 +96,7 @@ extern const char *nl_family_to_str(uint8_t family); + extern const char *nl_rttype_to_str(uint8_t rttype); + + extern int netlink_parse_info(int (*filter)(struct nlmsghdr *, ns_id_t, int), +- const struct nlsock *nl, ++ struct nlsock *nl, + const struct zebra_dplane_info *dp_info, + int count, int startup); + extern int netlink_talk_filter(struct nlmsghdr *h, ns_id_t ns, int startup); +diff --git a/zebra/zebra_ns.h b/zebra/zebra_ns.h +index 0519e1d5b33d..7a0ffbc1ee6f 100644 +--- a/zebra/zebra_ns.h ++++ b/zebra/zebra_ns.h +@@ -39,6 +39,9 @@ struct nlsock { + int seq; + struct sockaddr_nl snl; + char name[64]; ++ ++ uint8_t *buf; ++ size_t buflen; + }; + #endif + +diff --git a/zebra/kernel_netlink.c b/zebra/kernel_netlink.c +index b8eaeb1..14a40a9 100644 +--- a/zebra/kernel_netlink.c ++++ b/zebra/kernel_netlink.c +@@ -90,8 +90,6 @@ + */ + #define NL_DEFAULT_BATCH_SEND_THRESHOLD (15 * NL_PKT_BUF_SIZE) + +-#define NL_BATCH_RX_BUFSIZE NL_RCV_PKT_BUF_SIZE +- + static const struct message nlmsg_str[] = {{RTM_NEWROUTE, "RTM_NEWROUTE"}, + {RTM_DELROUTE, "RTM_DELROUTE"}, + {RTM_GETROUTE, "RTM_GETROUTE"}, +@@ -164,8 +162,6 @@ DEFINE_MTYPE_STATIC(ZEBRA, NL_BUF, "Zebra Netlink buffers") + size_t nl_batch_tx_bufsize; + char *nl_batch_tx_buf; + +-char nl_batch_rx_buf[NL_BATCH_RX_BUFSIZE]; +- + _Atomic uint32_t nl_batch_bufsize = NL_DEFAULT_BATCH_BUFSIZE; + _Atomic uint32_t nl_batch_send_threshold = NL_DEFAULT_BATCH_SEND_THRESHOLD; + +@@ -322,6 +318,9 @@ static int netlink_socket(struct nlsock *nl, unsigned long groups, + + nl->snl = snl; + nl->sock = sock; ++ nl->buflen = NL_RCV_PKT_BUF_SIZE; ++ nl->buf = XMALLOC(MTYPE_NL_BUF, nl->buflen); ++ + return ret; + } + +@@ -729,19 +728,29 @@ static ssize_t netlink_send_msg(const struct nlsock *nl, void *buf, + * + * Returns -1 on error, 0 if read would block or the number of bytes received. + */ +-static int netlink_recv_msg(const struct nlsock *nl, struct msghdr msg, +- void *buf, size_t buflen) ++static int netlink_recv_msg(struct nlsock *nl, struct msghdr *msg) + { + struct iovec iov; + int status; + +- iov.iov_base = buf; +- iov.iov_len = buflen; +- msg.msg_iov = &iov; +- msg.msg_iovlen = 1; ++ iov.iov_base = nl->buf; ++ iov.iov_len = nl->buflen; ++ msg->msg_iov = &iov; ++ msg->msg_iovlen = 1; + + do { +- status = recvmsg(nl->sock, &msg, 0); ++ int bytes; ++ ++ bytes = recv(nl->sock, NULL, 0, MSG_PEEK | MSG_TRUNC); ++ ++ if (bytes >= 0 && (size_t)bytes > nl->buflen) { ++ nl->buf = XREALLOC(MTYPE_NL_BUF, nl->buf, bytes); ++ nl->buflen = bytes; ++ iov.iov_base = nl->buf; ++ iov.iov_len = nl->buflen; ++ } ++ ++ status = recvmsg(nl->sock, msg, 0); + } while (status == -1 && errno == EINTR); + + if (status == -1) { +@@ -761,10 +770,10 @@ static int netlink_recv_msg(const struct nlsock *nl, struct msghdr msg, + return -1; + } + +- if (msg.msg_namelen != sizeof(struct sockaddr_nl)) { ++ if (msg->msg_namelen != sizeof(struct sockaddr_nl)) { + flog_err(EC_ZEBRA_NETLINK_LENGTH_ERROR, + "%s sender address length error: length %d", nl->name, +- msg.msg_namelen); ++ msg->msg_namelen); + return -1; + } + +@@ -873,8 +882,7 @@ static int netlink_parse_error(const struct nlsock *nl, struct nlmsghdr *h, + * the filter. + */ + int netlink_parse_info(int (*filter)(struct nlmsghdr *, ns_id_t, int), +- const struct nlsock *nl, +- const struct zebra_dplane_info *zns, ++ struct nlsock *nl, const struct zebra_dplane_info *zns, + int count, int startup) + { + int status; +@@ -883,7 +891,6 @@ int netlink_parse_info(int (*filter)(struct nlmsghdr *, ns_id_t, int), + int read_in = 0; + + while (1) { +- char buf[NL_RCV_PKT_BUF_SIZE]; + struct sockaddr_nl snl; + struct msghdr msg = {.msg_name = (void *)&snl, + .msg_namelen = sizeof(snl)}; +@@ -892,14 +899,14 @@ int netlink_parse_info(int (*filter)(struct nlmsghdr *, ns_id_t, int), + if (count && read_in >= count) + return 0; + +- status = netlink_recv_msg(nl, msg, buf, sizeof(buf)); ++ status = netlink_recv_msg(nl, &msg); + if (status == -1) + return -1; + else if (status == 0) + break; + + read_in++; +- for (h = (struct nlmsghdr *)buf; ++ for (h = (struct nlmsghdr *)nl->buf; + (status >= 0 && NLMSG_OK(h, (unsigned int)status)); + h = NLMSG_NEXT(h, status)) { + /* Finish of reading. */ +@@ -976,10 +983,10 @@ int netlink_parse_info(int (*filter)(struct nlmsghdr *, ns_id_t, int), + */ + static int + netlink_talk_info(int (*filter)(struct nlmsghdr *, ns_id_t, int startup), +- struct nlmsghdr *n, const struct zebra_dplane_info *dp_info, ++ struct nlmsghdr *n, struct zebra_dplane_info *dp_info, + int startup) + { +- const struct nlsock *nl; ++ struct nlsock *nl; + + nl = &(dp_info->nls); + n->nlmsg_seq = nl->seq; +@@ -1067,12 +1074,11 @@ static int nl_batch_read_resp(struct nl_batch *bth) + * message at a time. + */ + while (true) { +- status = netlink_recv_msg(nl, msg, nl_batch_rx_buf, +- sizeof(nl_batch_rx_buf)); ++ status = netlink_recv_msg(nl, &msg); + if (status == -1 || status == 0) + return status; + +- h = (struct nlmsghdr *)nl_batch_rx_buf; ++ h = (struct nlmsghdr *)nl->buf; + ignore_msg = false; + seq = h->nlmsg_seq; + /* +@@ -1506,11 +1512,15 @@ void kernel_terminate(struct zebra_ns *zns, bool complete) + if (zns->netlink.sock >= 0) { + close(zns->netlink.sock); + zns->netlink.sock = -1; ++ XFREE(MTYPE_NL_BUF, zns->netlink.buf); ++ zns->netlink.buflen = 0; + } + + if (zns->netlink_cmd.sock >= 0) { + close(zns->netlink_cmd.sock); + zns->netlink_cmd.sock = -1; ++ XFREE(MTYPE_NL_BUF, zns->netlink_cmd.buf); ++ zns->netlink_cmd.buflen = 0; + } + + /* During zebra shutdown, we need to leave the dataplane socket +@@ -1520,6 +1530,8 @@ void kernel_terminate(struct zebra_ns *zns, bool complete) + if (zns->netlink_dplane.sock >= 0) { + close(zns->netlink_dplane.sock); + zns->netlink_dplane.sock = -1; ++ XFREE(MTYPE_NL_BUF, zns->netlink_dplane.buf); ++ zns->netlink_dplane.buflen = 0; + } + } + } +diff --git a/zebra/kernel_netlink.c b/zebra/kernel_netlink.c +index 14a40a9..2b566d4 100644 +--- a/zebra/kernel_netlink.c ++++ b/zebra/kernel_netlink.c +@@ -779,7 +779,7 @@ static int netlink_recv_msg(struct nlsock *nl, struct msghdr *msg) + + if (IS_ZEBRA_DEBUG_KERNEL_MSGDUMP_RECV) { + zlog_debug("%s: << netlink message dump [recv]", __func__); +- zlog_hexdump(buf, status); ++ zlog_hexdump(nl->buf, status); + } + + return status; +diff --git a/zebra/kernel_netlink.c b/zebra/kernel_netlink.c +index 2b566d4..0564a6b 100644 +--- a/zebra/kernel_netlink.c ++++ b/zebra/kernel_netlink.c +@@ -1060,7 +1060,7 @@ static int nl_batch_read_resp(struct nl_batch *bth) + struct sockaddr_nl snl; + struct msghdr msg = {}; + int status, seq; +- const struct nlsock *nl; ++ struct nlsock *nl; + struct zebra_dplane_ctx *ctx; + bool ignore_msg; + diff --git a/SOURCES/frr-tmpfiles.conf b/SOURCES/frr-tmpfiles.conf new file mode 100644 index 0000000..c1613b2 --- /dev/null +++ b/SOURCES/frr-tmpfiles.conf @@ -0,0 +1 @@ +d /run/frr 0755 frr frr - diff --git a/SOURCES/frr.fc b/SOURCES/frr.fc new file mode 100644 index 0000000..8cd3b3d --- /dev/null +++ b/SOURCES/frr.fc @@ -0,0 +1,28 @@ +/usr/libexec/frr/(.*)? gen_context(system_u:object_r:frr_exec_t,s0) + +/usr/lib/systemd/system/frr.* gen_context(system_u:object_r:frr_unit_file_t,s0) + +/etc/frr(/.*)? gen_context(system_u:object_r:frr_conf_t,s0) + +/var/log/frr(/.*)? gen_context(system_u:object_r:frr_log_t,s0) +/var/tmp/frr(/.*)? gen_context(system_u:object_r:frr_tmp_t,s0) + +/var/lock/subsys/bfdd -- gen_context(system_u:object_r:frr_lock_t,s0) +/var/lock/subsys/bgpd -- gen_context(system_u:object_r:frr_lock_t,s0) +/var/lock/subsys/eigrpd -- gen_context(system_u:object_r:frr_lock_t,s0) +/var/lock/subsys/fabricd -- gen_context(system_u:object_r:frr_lock_t,s0) +/var/lock/subsys/isisd -- gen_context(system_u:object_r:frr_lock_t,s0) +/var/lock/subsys/nhrpd -- gen_context(system_u:object_r:frr_lock_t,s0) +/var/lock/subsys/ospf6d -- gen_context(system_u:object_r:frr_lock_t,s0) +/var/lock/subsys/ospfd -- gen_context(system_u:object_r:frr_lock_t,s0) +/var/lock/subsys/pbrd -- gen_context(system_u:object_r:frr_lock_t,s0) +/var/lock/subsys/pimd -- gen_context(system_u:object_r:frr_lock_t,s0) +/var/lock/subsys/ripd -- gen_context(system_u:object_r:frr_lock_t,s0) +/var/lock/subsys/ripngd -- gen_context(system_u:object_r:frr_lock_t,s0) +/var/lock/subsys/staticd -- gen_context(system_u:object_r:frr_lock_t,s0) +/var/lock/subsys/zebra -- gen_context(system_u:object_r:frr_lock_t,s0) +/var/lock/subsys/vrrpd -- gen_context(system_u:object_r:frr_lock_t,s0) + +/var/run/frr(/.*)? gen_context(system_u:object_r:frr_var_run_t,s0) + +/usr/bin/vtysh -- gen_context(system_u:object_r:frr_exec_t,s0) diff --git a/SOURCES/frr.if b/SOURCES/frr.if new file mode 100644 index 0000000..b580159 --- /dev/null +++ b/SOURCES/frr.if @@ -0,0 +1,206 @@ +## policy for frr + +######################################## +## +## Execute frr_exec_t in the frr domain. +## +## +## +## Domain allowed to transition. +## +## +# +interface(`frr_domtrans',` + gen_require(` + type frr_t, frr_exec_t; + ') + + corecmd_search_bin($1) + domtrans_pattern($1, frr_exec_t, frr_t) +') + +###################################### +## +## Execute frr in the caller domain. +## +## +## +## Domain allowed access. +## +## +# +interface(`frr_exec',` + gen_require(` + type frr_exec_t; + ') + + corecmd_search_bin($1) + can_exec($1, frr_exec_t) +') + +######################################## +## +## Read frr's log files. +## +## +## +## Domain allowed access. +## +## +## +# +interface(`frr_read_log',` + gen_require(` + type frr_log_t; + ') + + read_files_pattern($1, frr_log_t, frr_log_t) + optional_policy(` + logging_search_logs($1) + ') +') + +######################################## +## +## Append to frr log files. +## +## +## +## Domain allowed access. +## +## +# +interface(`frr_append_log',` + gen_require(` + type frr_log_t; + ') + + append_files_pattern($1, frr_log_t, frr_log_t) + optional_policy(` + logging_search_logs($1) + ') +') + +######################################## +## +## Manage frr log files +## +## +## +## Domain allowed access. +## +## +# +interface(`frr_manage_log',` + gen_require(` + type frr_log_t; + ') + + manage_dirs_pattern($1, frr_log_t, frr_log_t) + manage_files_pattern($1, frr_log_t, frr_log_t) + manage_lnk_files_pattern($1, frr_log_t, frr_log_t) + optional_policy(` + logging_search_logs($1) + ') +') + +######################################## +## +## Read frr PID files. +## +## +## +## Domain allowed access. +## +## +# +interface(`frr_read_pid_files',` + gen_require(` + type frr_var_run_t; + ') + + files_search_pids($1) + read_files_pattern($1, frr_var_run_t, frr_var_run_t) +') + +######################################## +## +## All of the rules required to administrate +## an frr environment +## +## +## +## Domain allowed access. +## +## +# +interface(`frr_admin',` + gen_require(` + type frr_t; + type frr_log_t; + type frr_var_run_t; + ') + + allow $1 frr_t:process { signal_perms }; + ps_process_pattern($1, frr_t) + + tunable_policy(`deny_ptrace',`',` + allow $1 frr_t:process ptrace; + ') + + admin_pattern($1, frr_log_t) + + files_search_pids($1) + admin_pattern($1, frr_var_run_t) + optional_policy(` + logging_search_logs($1) + ') + optional_policy(` + systemd_passwd_agent_exec($1) + systemd_read_fifo_file_passwd_run($1) + ') +') + +######################################## +## +## Read ifconfig_var_run_t files and link files +## +## +## +## Domain allowed access. +## +## +# +ifndef(`sysnet_read_ifconfig_run',` + interface(`sysnet_read_ifconfig_run',` + gen_require(` + type ifconfig_var_run_t; + ') + + manage_files_pattern($1, ifconfig_var_run_t, ifconfig_var_run_t) + list_dirs_pattern($1, ifconfig_var_run_t, ifconfig_var_run_t) + read_files_pattern($1, ifconfig_var_run_t, ifconfig_var_run_t) + read_lnk_files_pattern($1, ifconfig_var_run_t, ifconfig_var_run_t) + ') +') + +######################################## +## +## Read unconfined_t files and dirs +## +## +## +## Domain allowed access. +## +## +# +ifndef(`unconfined_read_files',` + interface(`unconfined_read_files',` + gen_require(` + type unconfined_t; + ') + + allow $1 unconfined_t:file read_file_perms; + allow $1 unconfined_t:dir list_dir_perms; + ') +') diff --git a/SOURCES/frr.te b/SOURCES/frr.te new file mode 100644 index 0000000..a1c8bee --- /dev/null +++ b/SOURCES/frr.te @@ -0,0 +1,129 @@ +policy_module(frr, 1.0.0) + +######################################## +# +# Declarations +# + +type frr_t; +type frr_exec_t; +init_daemon_domain(frr_t, frr_exec_t) + +type frr_log_t; +logging_log_file(frr_log_t) + +type frr_tmp_t; +files_tmp_file(frr_tmp_t) + +type frr_lock_t; +files_lock_file(frr_lock_t) + +type frr_conf_t; +files_config_file(frr_conf_t) + +type frr_unit_file_t; +systemd_unit_file(frr_unit_file_t) + +type frr_var_run_t; +files_pid_file(frr_var_run_t) + +######################################## +# +# frr local policy +# +allow frr_t self:capability { fowner fsetid chown dac_override dac_read_search kill net_bind_service net_raw setgid setuid net_admin sys_admin }; +allow frr_t self:netlink_route_socket rw_netlink_socket_perms; +allow frr_t self:packet_socket create; +allow frr_t self:process { setcap setpgid }; +allow frr_t self:rawip_socket create_socket_perms; +allow frr_t self:tcp_socket { connect connected_stream_socket_perms }; +allow frr_t self:udp_socket create_socket_perms; +allow frr_t self:unix_stream_socket connectto; + +allow frr_t frr_conf_t:dir list_dir_perms; +manage_files_pattern(frr_t, frr_conf_t, frr_conf_t) +read_lnk_files_pattern(frr_t, frr_conf_t, frr_conf_t) + +manage_dirs_pattern(frr_t, frr_log_t, frr_log_t) +manage_files_pattern(frr_t, frr_log_t, frr_log_t) +manage_lnk_files_pattern(frr_t, frr_log_t, frr_log_t) +logging_log_filetrans(frr_t, frr_log_t, { dir file lnk_file }) + +allow frr_t frr_tmp_t:file map; +manage_dirs_pattern(frr_t, frr_tmp_t, frr_tmp_t) +manage_files_pattern(frr_t, frr_tmp_t, frr_tmp_t) +files_tmp_filetrans(frr_t, frr_tmp_t, { file dir }) + +manage_files_pattern(frr_t, frr_lock_t, frr_lock_t) +manage_lnk_files_pattern(frr_t, frr_lock_t, frr_lock_t) +files_lock_filetrans(frr_t, frr_lock_t, { file lnk_file }) + +manage_dirs_pattern(frr_t, frr_var_run_t, frr_var_run_t) +manage_files_pattern(frr_t, frr_var_run_t, frr_var_run_t) +manage_lnk_files_pattern(frr_t, frr_var_run_t, frr_var_run_t) +manage_sock_files_pattern(frr_t, frr_var_run_t, frr_var_run_t) +files_pid_filetrans(frr_t, frr_var_run_t, { dir file lnk_file }) + +allow frr_t frr_exec_t:dir search_dir_perms; +can_exec(frr_t, frr_exec_t) + +kernel_read_network_state(frr_t) +kernel_rw_net_sysctls(frr_t) +kernel_read_system_state(frr_t) + +auth_use_nsswitch(frr_t) + +corecmd_exec_bin(frr_t) + +corenet_tcp_bind_appswitch_emp_port(frr_t) +corenet_udp_bind_bfd_control_port(frr_t) +corenet_udp_bind_bfd_echo_port(frr_t) +corenet_tcp_bind_bgp_port(frr_t) +corenet_tcp_connect_bgp_port(frr_t) +corenet_udp_bind_all_unreserved_ports(frr_t); +corenet_tcp_bind_generic_port(frr_t) +corenet_tcp_bind_firepower_port(frr_t) +corenet_tcp_bind_priority_e_com_port(frr_t) +corenet_udp_bind_router_port(frr_t) +corenet_tcp_bind_qpasa_agent_port(frr_t) +corenet_tcp_bind_smntubootstrap_port(frr_t) +corenet_tcp_bind_versa_tek_port(frr_t) +corenet_tcp_bind_zebra_port(frr_t) + +domain_use_interactive_fds(frr_t) + +fs_read_nsfs_files(frr_t) +fs_search_cgroup_dirs(frr_t) + +sysnet_exec_ifconfig(frr_t) +sysnet_read_ifconfig_run(frr_t) + +userdom_read_admin_home_files(frr_t) + +init_signal(frr_t) +init_signal_script(frr_t) +init_signull_script(frr_t) + +optional_policy(` + logging_send_syslog_msg(frr_t) +') + +optional_policy(` + unconfined_read_files(frr_t) +') + +optional_policy(` + modutils_exec_kmod(frr_t) + modutils_getattr_module_deps(frr_t) + modutils_read_module_config(frr_t) + modutils_read_module_deps_files(frr_t) +') + +optional_policy(` + networkmanager_read_state(frr_t) +') + +optional_policy(` + userdom_admin_home_dir_filetrans(frr_t, frr_conf_t, file, ".history_frr") + userdom_inherit_append_admin_home_files(frr_t, frr_conf_t, file, ".history_frr") +') diff --git a/SPECS/frr.spec b/SPECS/frr.spec new file mode 100644 index 0000000..24f64b4 --- /dev/null +++ b/SPECS/frr.spec @@ -0,0 +1,423 @@ +%global frrversion 7.5.1 +%global frr_libdir /usr/libexec/frr + +%global _hardened_build 1 +%global selinuxtype targeted +%bcond_without selinux + +Name: frr +Version: 7.5.1 +Release: 22%{?checkout}%{?dist} +Summary: Routing daemon +License: GPLv2+ +URL: http://www.frrouting.org +Source0: https://github.com/FRRouting/frr/releases/download/%{name}-%{frrversion}/%{name}-%{frrversion}.tar.gz +Source1: %{name}-tmpfiles.conf +Source2: frr.fc +Source3: frr.te +Source4: frr.if +BuildRequires: perl-generators +BuildRequires: gcc +BuildRequires: net-snmp-devel +BuildRequires: texinfo libcap-devel autoconf automake libtool patch groff +BuildRequires: readline readline-devel ncurses ncurses-devel +BuildRequires: git pam-devel c-ares-devel +BuildRequires: json-c-devel bison >= 2.7 flex perl-XML-LibXML +BuildRequires: python3-devel python3-sphinx python3-pytest +BuildRequires: systemd systemd-devel +BuildRequires: libyang-devel >= 1.0.184 +Requires: net-snmp ncurses +Requires(post): systemd /sbin/install-info +Requires(preun): systemd /sbin/install-info +Requires(postun): systemd +Requires: iproute +Requires: initscripts + +%if 0%{?with_selinux} +Requires: (%{name}-selinux = %{version}-%{release} if selinux-policy-%{selinuxtype}) +%endif + +Provides: routingdaemon = %{version}-%{release} +Obsoletes: frr-sysvinit quagga frr-contrib + +Patch0000: 0000-remove-babeld-and-ldpd.patch +Patch0001: 0001-use-python3.patch +Patch0002: 0002-enable-openssl.patch +Patch0003: 0003-disable-eigrp-crypto.patch +Patch0004: 0004-fips-mode.patch +Patch0006: 0006-CVE-2020-12831.patch +Patch0007: 0007-frrinit.patch +Patch0008: 0008-designated-router.patch +Patch0009: 0009-routemap.patch +Patch0010: 0010-moving-executables.patch +Patch0011: 0011-reload-bfd-profile.patch +Patch0012: 0012-graceful-restart.patch +Patch0013: 0013-CVE-2022-37032.patch +Patch0014: 0014-bfd-profile-crash.patch +Patch0015: 0015-max-ttl-reload.patch +Patch0016: 0016-CVE-2023-38802.patch +Patch0017: 0017-fix-crash-in-plist-update.patch +Patch0018: 0018-CVE-2023-38406.patch +Patch0019: 0019-CVE-2023-38407.patch +Patch0020: 0020-CVE-2023-47234.patch +Patch0021: 0021-CVE-2023-47235.patch +Patch0022: 0022-route-map-event.patch +Patch0023: 0023-CVE-2023-46752.patch +Patch0024: 0024-CVE-2023-46753.patch +Patch0025: 0025-CVE-2023-31490.patch +Patch0026: 0026-CVE-2023-41909.patch +Patch0027: 0027-dynamic-netlink-buffer.patch + +%description +FRRouting is free software that manages TCP/IP based routing protocols. It takes +a multi-server and multi-threaded approach to resolve the current complexity +of the Internet. + +FRRouting supports BGP4, OSPFv2, OSPFv3, ISIS, RIP, RIPng, PIM, NHRP, PBR, EIGRP and BFD. + +FRRouting is a fork of Quagga. + +%if 0%{?with_selinux} +%package selinux +Summary: Selinux policy for FRR +BuildArch: noarch +Requires: selinux-policy-%{selinuxtype} +Requires(post): selinux-policy-%{selinuxtype} +BuildRequires: selinux-policy-devel +%{?selinux_requires} + +%description selinux +SELinux policy modules for FRR package + +%endif + +%prep +%autosetup -S git +#SELinux +mkdir selinux +cp -p %{SOURCE2} %{SOURCE3} %{SOURCE4} selinux + +%build +autoreconf -ivf + +%configure \ + --sbindir=%{frr_libdir} \ + --sysconfdir=%{_sysconfdir}/frr \ + --libdir=%{_libdir}/frr \ + --libexecdir=%{_libexecdir}/frr \ + --localstatedir=%{_localstatedir}/run/frr \ + --enable-snmp=agentx \ + --enable-multipath=64 \ + --enable-vtysh=yes \ + --enable-ospfclient=no \ + --enable-ospfapi=no \ + --enable-user=frr \ + --enable-group=frr \ + --enable-vty-group=frrvty \ + --enable-rtadv \ + --disable-exampledir \ + --enable-systemd=yes \ + --enable-static=no \ + --disable-ldpd \ + --disable-babeld \ + --with-moduledir=%{_libdir}/frr/modules \ + --with-crypto=openssl \ + --enable-fpm + +%make_build MAKEINFO="makeinfo --no-split" PYTHON=%{__python3} + +pushd doc +make info +popd + +#SELinux policy +%if 0%{?with_selinux} +make -C selinux -f %{_datadir}/selinux/devel/Makefile %{name}.pp +bzip2 -9 selinux/%{name}.pp +%endif + +%install +mkdir -p %{buildroot}/etc/{frr,rc.d/init.d,sysconfig,logrotate.d,pam.d,default} \ + %{buildroot}/var/log/frr %{buildroot}%{_infodir} \ + %{buildroot}%{_unitdir} + +mkdir -p -m 0755 %{buildroot}%{_libdir}/frr +mkdir -p %{buildroot}%{_tmpfilesdir} + +%make_install + +# Remove this file, as it is uninstalled and causes errors when building on RH9 +rm -rf %{buildroot}/usr/share/info/dir + +install -p -m 644 %{SOURCE1} %{buildroot}%{_tmpfilesdir}/%{name}.conf +install -p -m 644 %{_builddir}/%{name}-%{frrversion}/tools/etc/frr/daemons %{buildroot}/etc/frr/daemons +install -p -m 644 %{_builddir}/%{name}-%{frrversion}/tools/frr.service %{buildroot}%{_unitdir}/frr.service +install -p -m 755 %{_builddir}/%{name}-%{frrversion}/tools/frrinit.sh %{buildroot}%{frr_libdir}/frr +install -p -m 755 %{_builddir}/%{name}-%{frrversion}/tools/frrcommon.sh %{buildroot}%{frr_libdir}/frrcommon.sh +install -p -m 755 %{_builddir}/%{name}-%{frrversion}/tools/watchfrr.sh %{buildroot}%{frr_libdir}/watchfrr.sh + +install -p -m 644 %{_builddir}/%{name}-%{frrversion}/redhat/frr.logrotate %{buildroot}/etc/logrotate.d/frr +install -p -m 644 %{_builddir}/%{name}-%{frrversion}/redhat/frr.pam %{buildroot}/etc/pam.d/frr +install -d -m 775 %{buildroot}/run/frr + +%if 0%{?with_selinux} +install -D -m 644 selinux/%{name}.pp.bz2 \ + %{buildroot}%{_datadir}/selinux/packages/%{selinuxtype}/%{name}.pp.bz2 +install -D -m 644 selinux/%{name}.if %{buildroot}%{_datadir}/selinux/devel/include/distributed/%{name}.if +%endif + +rm %{buildroot}%{_libdir}/frr/*.la +rm %{buildroot}%{_libdir}/frr/modules/*.la + +#Upstream does not maintain a stable API, these headers from -devel subpackage are no longer needed +rm %{buildroot}%{_libdir}/frr/*.so +rm -r %{buildroot}%{_includedir}/frr/ + +%pre +getent group fttvty >/dev/null 2>&1 || groupadd -r frrvty >/dev/null 2>&1 || : +getent group frr >/dev/null 2>&1 || groupadd -r frr >/dev/null 2>&1 || : +getent passwd frr >/dev/null 2>&1 || useradd -M -r -g frr -s /sbin/nologin \ + -c "FRRouting suite" -d %{_localstatedir}/run/frr frr || : +usermod -aG frrvty frr + +%post +#Because we move files to /usr/libexec, we need to reload .service files as well +/usr/bin/systemctl daemon-reload +%systemd_post frr.service + +if [ -f %{_infodir}/%{name}.inf* ]; then + install-info %{_infodir}/frr.info %{_infodir}/dir || : +fi + +# Create dummy files if they don't exist so basic functions can be used. +if [ ! -e %{_sysconfdir}/frr/zebra.conf ]; then + echo "hostname `hostname`" > %{_sysconfdir}/frr/zebra.conf + chown frr:frr %{_sysconfdir}/frr/zebra.conf + chmod 640 %{_sysconfdir}/frr/zebra.conf +fi + +if [ ! -e %{_sysconfdir}/frr/vtysh.conf ]; then + echo 'no service integrated-vtysh-config' > %{_sysconfdir}/frr/vtysh.conf + chmod 640 %{_sysconfdir}/frr/vtysh.conf + chown frr:frrvty %{_sysconfdir}/frr/vtysh.conf +fi + +#Making sure that the old format of config file still works +#Checking whether .rpmnew conf file is present - in that case I want to change the old config +if [ -e %{_sysconfdir}/frr/daemons.rpmnew ]; then + sed -i s'/watchfrr_/#watchfrr_/g' %{_sysconfdir}/frr/daemons + sed -i s'/zebra=/#zebra=/g' %{_sysconfdir}/frr/daemons +fi + +%postun +%systemd_postun_with_restart frr.service + +#only when removing the package +if [ $1 -ge 0 ]; then + if [ -f %{_infodir}/%{name}.inf* ]; then + install-info --delete %{_infodir}/frr.info %{_infodir}/dir || : + fi +fi + +%preun +%systemd_preun frr.service + +#SELinux +%if 0%{?with_selinux} +%pre selinux +%selinux_relabel_pre -s %{selinuxtype} + +%post selinux +%selinux_modules_install -s %{selinuxtype} %{_datadir}/selinux/packages/%{selinuxtype}/%{name}.pp.bz2 +%selinux_relabel_post -s %{selinuxtype} +#/var/tmp and /var/run need to be relabeled as well if FRR is running before upgrade +if [ $1 == 2 ]; then + %{_sbindir}/restorecon -R /var/tmp/frr &> /dev/null + %{_sbindir}/restorecon -R /var/run/frr &> /dev/null +fi + +%postun selinux +if [ $1 -eq 0 ]; then + %selinux_modules_uninstall -s %{selinuxtype} %{name} + %selinux_relabel_post -s %{selinuxtype} +fi + +%endif + +%check +make check PYTHON=%{__python3} + +%files +%defattr(-,root,root) +%license COPYING +%doc zebra/zebra.conf.sample +%doc isisd/isisd.conf.sample +%doc ripd/ripd.conf.sample +%doc bgpd/bgpd.conf.sample* +%doc ospfd/ospfd.conf.sample +%doc ospf6d/ospf6d.conf.sample +%doc ripngd/ripngd.conf.sample +%doc pimd/pimd.conf.sample +%doc doc/mpls +%dir %attr(740,frr,frr) %{_sysconfdir}/frr +%dir %attr(755,frr,frr) /var/log/frr +%dir %attr(755,frr,frr) /run/frr +%{_infodir}/*info* +%{_mandir}/man*/* +%dir %{frr_libdir}/ +%{frr_libdir}/* +%{_bindir}/* +%dir %{_libdir}/frr +%{_libdir}/frr/*.so.* +%dir %{_libdir}/frr/modules/ +%{_libdir}/frr/modules/* +%config(noreplace) %attr(644,root,root) /etc/logrotate.d/frr +%config(noreplace) %attr(644,frr,frr) /etc/frr/daemons +%config(noreplace) /etc/pam.d/frr +%{_unitdir}/*.service +%dir /usr/share/yang +/usr/share/yang/*.yang +%{_tmpfilesdir}/%{name}.conf + +%if 0%{?with_selinux} +%files selinux +%{_datadir}/selinux/packages/%{selinuxtype}/%{name}.pp.* +%{_datadir}/selinux/devel/include/distributed/%{name}.if +%ghost %verify(not md5 size mode mtime) %{_sharedstatedir}/selinux/%{selinuxtype}/active/modules/200/%{name} +%endif + +%changelog +* Wed Feb 07 2024 Michal Ruprich - 7.5.1-22 +- Resolves: RHEL-22303 - Zebra not fetching host routes + +* Wed Feb 07 2024 Michal Ruprich - 7.5.1-21 +- Resolves: RHEL-2216 - NULL pointer dereference + +* Wed Feb 07 2024 Michal Ruprich - 7.5.1-20 +- Resolves: RHEL-4797 - missing length check in bgp_attr_psid_sub() can lead do DoS + +* Mon Feb 05 2024 Michal Ruprich - 7.5.1-19 +- Resolves: RHEL-14824 - crafted BGP UPDATE message leading to a crash + +* Mon Feb 05 2024 Michal Ruprich - 7.5.1-18 +- Resolves: RHEL-14821 - mishandled malformed data leading to a crash + +* Tue Dec 19 2023 Michal Ruprich - 7.5.1-17 +- Resolves: RHEL-6583 - Routes are not refreshed after changing the inbound route rules from deny to permit + +* Tue Dec 19 2023 Michal Ruprich - 7.5.1-16 +- Resolves: RHEL-15916 - Flowspec overflow in bgpd/bgp_flowspec.c +- Resolves: RHEL-15919 - Out of bounds read in bgpd/bgp_label.c +- Resolves: RHEL-15869 - crash from specially crafted MP_UNREACH_NLRI-containing BGP UPDATE message +- Resolves: RHEL-15868 - crash from malformed EOR-containing BGP UPDATE message + +* Thu Oct 19 2023 Andreas Karis - 7.5.1-15 +- Resolves: RHEL-12039 - crash in plist update + +* Fri Oct 13 2023 Michal Ruprich - 7.5.1-14 +- Resolves: RHEL-6617 - Incorrect handling of a error in parsing of an invalid section of a BGP update can de-peer a router + +* Tue Oct 10 2023 Michal Ruprich - 7.5.1-13 +- Resolves: RHEL-2263 - eBGP multihop peer flapping due to delta miscalculation of new configuration + +* Wed Aug 23 2023 Michal Ruprich - 7.5.1-12 +- Resolves: #2216911 - Adding missing sys_admin SELinux call + +* Mon Aug 21 2023 Michal Ruprich - 7.5.1-11 +- Related: #2216911 - Adding unconfined_t type to access namespaces + +* Thu Aug 17 2023 Michal Ruprich - 7.5.1-10 +- Related: #2226803 - Adding patch + +* Wed Aug 16 2023 Michal Ruprich - 7.5.1-9 +- Resolves: #2226803 - BFD crash in FRR running in MetalLB + +* Fri Aug 11 2023 Michal Ruprich - 7.5.1-8 +- Resolves: #2216911 - SELinux is preventing FRR-Zebra to access to network namespaces + +* Wed Nov 30 2022 Michal Ruprich - 7.5.1-7 +- Resolves: #2128737 - out-of-bounds read in the BGP daemon may lead to information disclosure or denial of service + +* Tue Nov 29 2022 Michal Ruprich - 7.5.1-6 +- Resolves: #1939516 - frr service cannot reload itself, due to executing in the wrong SELinux context + +* Mon Nov 14 2022 Michal Ruprich - 7.5.1-5 +- Resolves: #2127140 - Frr is unable to push routes to the system routing table + +* Mon Nov 14 2022 Michal Ruprich - 7.5.1-4 +- Resolves: #1948422 - BGP incorrectly withdraws routes on graceful restart capable routers + +* Thu Aug 25 2022 Michal Ruprich - 7.5.1-3 +- Resolves: #2054160 - FRR reloader does not disable BFD when unsetting BFD profile + +* Wed Aug 24 2022 Michal Ruprich - 7.5.1-2 +- Resolves: #1941765 - AVCs while running frr tests on RHEL 8.4.0 Beta-1.2 +- Resolves: #1714984 - SELinux policy (daemons) changes required for package + +* Wed May 11 2022 Michal Ruprich - 7.5.1-1 +- Resolves: #2018451 - Rebase of frr to version 7.5.1 +- Resolves: #1975361 - the dynamic routing setup does not work any more + +* Wed Jan 05 2022 Michal Ruprich - 7.5-11 +- Resolves: #2034328 - Bfdd crash in metallb CI + +* Tue Jan 04 2022 Michal Ruprich - 7.5-10 +- Resolves: #2020878 - frr ospfd show ip ospf interface does not show designated router info + +* Fri Dec 10 2021 Michal Ruprich - 7.5-9 +- Resolves: #2029958 - FRR reloader generating invalid BFD configurations, exits with error + +* Tue Nov 16 2021 Michal Ruprich - 7.5-8 +- Resolves: #2021819 - Rebuilding for the new json-c + +* Thu Sep 30 2021 Michal Ruprich - 7.5-7 +- Related: #1917269 - Wrong value in gating file + +* Fri Sep 17 2021 Michal Ruprich - 7.5-6 +- Related: #1917269 - Incomplete patch, adding gating rules + +* Thu Sep 16 2021 Michal Ruprich - 7.5-5 +- Resolves: #1979426 - Unable to configure OSPF in multi-instance mode +- Resolves: #1917269 - vtysh running-config output not showing bgp ttl-security hops option + +* Tue Jan 12 2021 root - 7.5-4 +- Related: #1889323 - Fixing start-up with old config file + +* Mon Jan 11 2021 root - 7.5-3 +- Related: #1889323 - Reverting to non-integrated cofiguration + +* Thu Jan 07 2021 Michal Ruprich - 7.5-2 +- Related: #1889323 - Obsoleting frr-contrib + +* Thu Jan 07 2021 Michal Ruprich - 7.5-1 +- Resolves: #1889323 - [RFE] Rebase FRR to 7.5 + +* Thu Aug 20 2020 Michal Ruprich - 7.0-10 +- Resolves: #1867793 - FRR does not conform to the source port range specified in RFC5881 + +* Thu Aug 20 2020 Michal Ruprich - 7.0-9 +- Resolves: #1852476 - default permission issue eases information leaks + +* Tue May 05 2020 Michal Ruprich - 7.0-8 +- Resolves: #1819319 - frr fails to start start if the initscripts package is missing + +* Mon May 04 2020 Michal Ruprich - 7.0-7 +- Resolves: #1758544 - IGMPv3 queries may lead to DoS + +* Tue Mar 10 2020 Michal Ruprich - 7.0-6 +- Resolves: #1776342 - frr has missing dependency on iproute + +* Tue Sep 03 2019 Michal Ruprich - 7.0-5 +- Resolves: #1719465 - Removal of component Frr or its crypto + +* Wed Jun 19 2019 Michal Ruprich - 7.0-4 +- Related: #1657029 - frr-contrib is back, it is breaking the rpmdeplint test + +* Wed Jun 19 2019 Michal Ruprich - 7.0-3 +- Related: #1657029 - more cleanup, removed frr-contrib, frrvt changed to frrvty + +* Wed Jun 19 2019 Michal Ruprich - 7.0-2 +- Related: #1657029 - cleaning specfile, adding Requires on libyang-devel + +* Wed May 29 2019 Michal Ruprich - 7.0-1 +- Resolves: #1657029 - Add FRR as a replacement of Quagga in RHEL 8