File 0021-bgpd-Flowspec-overflow-issue.patch of Package frr.35834

Overview Repositories Revisions Requests Users Attributes Meta

File 0021-bgpd-Flowspec-overflow-issue.patch of Package frr.35834

From e4c130c3a4523141aa2a7e82beffb787f3f4cac5 Mon Sep 17 00:00:00 2001
From: Donald Sharp <sharpd@nvidia.com>
Date: Thu, 23 Feb 2023 13:29:32 -0500
Subject: [PATCH] bgpd: Flowspec overflow issue
Upstream: yes
References: CVE-2023-38406,bsc#1216900,https://github.com/FRRouting/frr/pull/12884/commits/0b999c886e241c52bd1f7ef0066700e4b618ebb3

According to the flowspec RFC 8955 a flowspec nlri is <length, <nlri data>>
Specifying 0 as a length makes BGP get all warm on the inside.  Which
in this case is not a good thing at all.  Prevent warmth, stay cold
on the inside.

Reported-by: Iggy Frankovic <iggyfran@amazon.com>
Signed-off-by: Donald Sharp <sharpd@nvidia.com>

diff --git a/bgpd/bgp_flowspec.c b/bgpd/bgp_flowspec.c
index e14907033a..ddf92c5132 100644
--- a/bgpd/bgp_flowspec.c
+++ b/bgpd/bgp_flowspec.c
@@ -144,6 +144,13 @@ int bgp_nlri_parse_flowspec(struct peer *peer, struct attr *attr,
 				psize);
 			return BGP_NLRI_PARSE_ERROR_PACKET_OVERFLOW;
 		}
+
+		if (psize == 0) {
+			flog_err(EC_BGP_FLOWSPEC_PACKET,
+				 "Flowspec NLRI length 0 which makes no sense");
+			return BGP_NLRI_PARSE_ERROR_PACKET_OVERFLOW;
+		}
+
 		if (bgp_fs_nlri_validate(pnt, psize) < 0) {
 			flog_err(
 				EC_BGP_FLOWSPEC_PACKET,
-- 
2.35.3

Places

File 0021-bgpd-Flowspec-overflow-issue.patch of Package frr.35834

Places