SUSE:SLE-15-SP1:GA
File Quagga-CVE-2023-41358-bgpd-NLRIs.bsc1214735.patch of Package quagga.35810
From 980ee75e303310fbdfdccc33f46392a927ca9463 Mon Sep 17 00:00:00 2001 From: Donatas Abraitis <donatas@opensourcerouting.org> Date: Tue, 22 Aug 2023 22:52:04 +0300 Subject: [PATCH] bgpd: Do not process NLRIs if the attribute length is zero Upstream: yes References: CVE-2023-41358,bsc#1214735,https://github.com/FRRouting/frr/pull/14260 Adopted CVE-2023-41358 fix implemented by Donatas Abraitis for frr, see: - https://github.com/FRRouting/frr/issues/14289 - https://github.com/FRRouting/frr/pull/14260 ``` The issue is that we try to process NLRIs even if the attribute length is 0. Later bgp_update() will handle route-maps and a crash occurs because all the attributes are NULL, including aspath, where we dereference. According to the RFC 4271: A value of 0 indicates that neither the Network Layer Reachability Information field nor the Path Attribute field is present in this UPDATE message. But with a fuzzed UPDATE message this can be faked. I think it's reasonable to skip processing NLRIs if both update_len and attribute_len are 0. Reported-by: Iggy Frankovic <iggyfran@amazon.com> Signed-off-by: Donatas Abraitis <donatas@opensourcerouting.org> ``` Signed-off-by: Marius Tomaschewski <mt@suse.com> diff --git a/bgpd/bgp_packet.c b/bgpd/bgp_packet.c index 56e27dc6..9b064003 100644 --- a/bgpd/bgp_packet.c +++ b/bgpd/bgp_packet.c @@ -1798,7 +1798,7 @@ bgp_update_receive (struct peer *peer, bgp_size_t size) /* Network Layer Reachability Information. */ update_len = end - stream_pnt (s); - if (update_len) + if (update_len && attribute_len) { /* Set NLRI portion to structure. */ nlris[NLRI_UPDATE].afi = AFI_IP; -- 2.35.3
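Review bot: In the bgp_update_receive hunk, the new condition `if (update_len && attribute_len)` drops the NLRI bytes silently when update_len is non-zero but attribute_len is 0, and nothing in the visible lines logs or rejects that UPDATE. The RFC 4271 text quoted in the commit message describes the zero-length case as one where no NLRI field is present, so an UPDATE that still carries NLRI bytes is inconsistent and worth surfacing: consider logging the peer and both lengths on that path so operators can see malformed or fuzzed input instead of having it ignored without trace. The existing comment `/* Network Layer Reachability Information. */` also says nothing about the new precondition; a short comment above the `if` stating that NLRIs are only processed when path attributes are present, because the later bgp_update() route-map handling dereferences aspath, would keep the check from being removed as redundant. Finally, the commit message says skipping is reasonable when "both update_len and attribute_len are 0", while the condition skips when either is 0; the wording should match what the code does.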