Sign Up
Log In
Log In
or
Sign Up
Places
All Projects
Status Monitor
Collapse sidebar
SUSE:SLE-15-SP2:GA
quagga
quagga-13-CVE-2017-15865_rewind-fix.patch
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File quagga-13-CVE-2017-15865_rewind-fix.patch of Package quagga
From bd2bdfd2c3eb225588613e835fa2dc074fd33081 Mon Sep 17 00:00:00 2001 From: Marius Tomaschewski <mt@suse.com> Date: Wed, 18 Sep 2024 12:16:48 +0200 Subject: [PATCH 1/3] bgpd: fix mishandled attribute length References: CVE-2017-15865,bsc#1230866 Backported fix from frr: - commit dacffad46143fb57e5fa973fcbfbd0eb51ea37b2 from https://github.com/FRRouting/frr/pull/1417 ``` Author: Quentin Young <qlyoung@cumulusnetworks.com> Subject: bgpd: fix mishandled attribute length A crafted BGP UPDATE with a malformed path attribute length field causes bgpd to dump up to 65535 bytes of application memory and send it as the data field in a BGP NOTIFY message, which is truncated to 4075 bytes after accounting for protocol headers. After reading a malformed length field, a NOTIFY is generated that is supposed to contain the problematic data, but the malformed length field is inadvertently used to compute how much data we send. CVE-2017-15865 ``` diff --git a/bgpd/bgp_attr.c b/bgpd/bgp_attr.c index fce4b542..fceb10cc 100644 --- a/bgpd/bgp_attr.c +++ b/bgpd/bgp_attr.c @@ -2167,10 +2167,44 @@ bgp_attr_parse (struct peer *peer, struct attr *attr, bgp_size_t size, zlog (peer->log, LOG_WARNING, "%s: BGP type %d length %d is too large, attribute total length is %d. attr_endp is %p. endp is %p", peer->host, type, length, size, attr_endp, endp); zlog_warn ("%s: BGP type %d length %d is too large, attribute total length is %d. attr_endp is %p. endp is %p", peer->host, type, length, size, attr_endp, endp); + /* + * RFC 4271 6.3 + * If any recognized attribute has an Attribute + * Length that conflicts with the expected length + * (based on the attribute type code), then the + * Error Subcode MUST be set to Attribute Length + * Error. The Data field MUST contain the erroneous + * attribute (type, length, and value). + * ---------- + * We do not currently have a good way to determine the + * length of the attribute independent of the length + * received in the message. Instead we send the + * minimum between the amount of data we have and the + * amount specified by the attribute length field. + * + * Instead of directly passing in the packet buffer and + * offset we use the stream_get* functions to read into + * a stack buffer, since they perform bounds checking + * and we are working with untrusted data. + */ + unsigned char ndata[BGP_MAX_PACKET_SIZE]; + memset(ndata, 0x00, sizeof(ndata)); + size_t lfl = CHECK_FLAG(flag, BGP_ATTR_FLAG_EXTLEN) ? 2 : 1; + /* Rewind to end of flag field */ + stream_forward_getp(BGP_INPUT(peer), -(1 + lfl)); + /* Type */ + stream_get(&ndata[0], BGP_INPUT(peer), 1); + /* Length */ + stream_get(&ndata[1], BGP_INPUT(peer), lfl); + /* Value */ + size_t atl = attr_endp - startp; + size_t ndl = MIN(atl, STREAM_READABLE(BGP_INPUT(peer))); + stream_get(&ndata[lfl + 1], BGP_INPUT(peer), ndl); + bgp_notify_send_with_data (peer, BGP_NOTIFY_UPDATE_ERR, BGP_NOTIFY_UPDATE_ATTR_LENG_ERR, - startp, endp - startp); + ndata, ndl + lfl + 1); return BGP_ATTR_PARSE_ERROR; } -- 2.43.0 From 0f97e676f577d5364d19b136e9ee4fbca6b39fb9 Mon Sep 17 00:00:00 2001 From: Marius Tomaschewski <mt@suse.com> Date: Wed, 18 Sep 2024 12:17:06 +0200 Subject: [PATCH 2/3] lib: add stream_rewind_getp() References: CVE-2017-15865,bsc#1230866 Backport from frr: - commit 06cf2c0c36e044dcdc4cdd5f7d6e971bc07a294c from https://github.com/FRRouting/frr/pull/7046 ``` Author: Quentin Young <qlyoung@nvidia.com> Subject: lib: add stream_rewind_getp() stream_forward_getp() cannot be used with negative numbers due to the size_t argument, we'll end up doing overflow arithmetic. ``` diff --git a/lib/stream.c b/lib/stream.c index b50992d6..01434c18 100644 --- a/lib/stream.c +++ b/lib/stream.c @@ -272,6 +272,19 @@ stream_forward_getp (struct stream *s, size_t size) s->getp += size; } +void stream_rewind_getp(struct stream *s, size_t size) +{ + STREAM_VERIFY_SANE(s); + + if (size > s->getp || !GETP_VALID(s, s->getp - size)) + { + STREAM_BOUND_WARN (s, "rewind getp"); + return; + } + + s->getp -= size; +} + void stream_forward_endp (struct stream *s, size_t size) { diff --git a/lib/stream.h b/lib/stream.h index 06b0ee12..c52f294c 100644 --- a/lib/stream.h +++ b/lib/stream.h @@ -159,6 +159,7 @@ extern struct stream *stream_dupcat(struct stream *s1, struct stream *s2, extern void stream_set_getp (struct stream *, size_t); extern void stream_set_endp (struct stream *, size_t); extern void stream_forward_getp (struct stream *, size_t); +extern void stream_rewind_getp(struct stream *s, size_t size); extern void stream_forward_endp (struct stream *, size_t); /* steam_put: NULL source zeroes out size_t bytes of stream */ -- 2.43.0 From 7b1f948357c92cfaf6fd7f9813ee2bcad2dfd242 Mon Sep 17 00:00:00 2001 From: Marius Tomaschewski <mt@suse.com> Date: Wed, 18 Sep 2024 12:17:23 +0200 Subject: [PATCH 3/3] bgpd: use stream_rewind_getp() to remove overflow References: CVE-2017-15865,bsc#1230866 Backported fix from frr: - commit 763a5d3c2dc7e9061006d56a9a983c2a8be64765 from https://github.com/FRRouting/frr/pull/7046 ``` Author: Quentin Young <qlyoung@nvidia.com> Subject: bgpd: use stream_rewind_getp() to remove overflow Passing a negative argument to a size_t parameter creates an overflow condition ``` diff --git a/bgpd/bgp_attr.c b/bgpd/bgp_attr.c index fceb10cc..63a78d42 100644 --- a/bgpd/bgp_attr.c +++ b/bgpd/bgp_attr.c @@ -2191,7 +2191,7 @@ bgp_attr_parse (struct peer *peer, struct attr *attr, bgp_size_t size, memset(ndata, 0x00, sizeof(ndata)); size_t lfl = CHECK_FLAG(flag, BGP_ATTR_FLAG_EXTLEN) ? 2 : 1; /* Rewind to end of flag field */ - stream_forward_getp(BGP_INPUT(peer), -(1 + lfl)); + stream_rewind_getp(BGP_INPUT(peer), (1 + lfl)); /* Type */ stream_get(&ndata[0], BGP_INPUT(peer), 1); /* Length */ -- 2.43.0
Locations
Projects
Search
Status Monitor
Help
OpenBuildService.org
Documentation
API Documentation
Code of Conduct
Contact
Support
@OBShq
Terms
openSUSE Build Service is sponsored by
The Open Build Service is an
openSUSE project
.
Sign Up
Log In
Places
Places
All Projects
Status Monitor