File 0023-frr-7.4-bgpd-CVE-2017-15865_rewind_fix.patch of Package frr.35834

Overview Repositories Revisions Requests Users Attributes Meta

File 0023-frr-7.4-bgpd-CVE-2017-15865_rewind_fix.patch of Package frr.35834

From 25d1f39f5afd53d4ce7d25fa6aa16fc1496af2ed Mon Sep 17 00:00:00 2001
From: Marius Tomaschewski <mt@suse.com>
Date: Fri, 20 Sep 2024 11:05:08 +0200
Subject: [PATCH 1/2] lib: add stream_rewind_getp()
References: CVE-2017-15865,bsc#1230866

Backport from frr-8.x:
- commit 06cf2c0c36e044dcdc4cdd5f7d6e971bc07a294c
  from https://github.com/FRRouting/frr/pull/7046
  ```
  Author: Quentin Young <qlyoung@nvidia.com>
  Subject: lib: add stream_rewind_getp()

stream_forward_getp() cannot be used with negative numbers due to the
  size_t argument, we'll end up doing overflow arithmetic.
  ```

diff --git a/lib/stream.c b/lib/stream.c
index 683a130e44..7edf24ec32 100644
--- a/lib/stream.c
+++ b/lib/stream.c
@@ -252,6 +252,18 @@ void stream_forward_getp(struct stream *s, size_t size)
 	s->getp += size;
 }
 
+void stream_rewind_getp(struct stream *s, size_t size)
+{
+	STREAM_VERIFY_SANE(s);
+
+	if (size > s->getp || !GETP_VALID(s, s->getp - size)) {
+		STREAM_BOUND_WARN(s, "rewind getp");
+		return;
+	}
+
+	s->getp -= size;
+}
+
 void stream_forward_endp(struct stream *s, size_t size)
 {
 	STREAM_VERIFY_SANE(s);
diff --git a/lib/stream.h b/lib/stream.h
index 5c7d94fab8..d25a203bdf 100644
--- a/lib/stream.h
+++ b/lib/stream.h
@@ -171,6 +171,7 @@ extern struct stream *stream_dupcat(struct stream *s1, struct stream *s2,
 extern void stream_set_getp(struct stream *, size_t);
 extern void stream_set_endp(struct stream *, size_t);
 extern void stream_forward_getp(struct stream *, size_t);
+extern void stream_rewind_getp(struct stream *s, size_t size);
 extern void stream_forward_endp(struct stream *, size_t);
 
 /* steam_put: NULL source zeroes out size_t bytes of stream */
-- 
2.43.0

From 552778202145ef1e7e3d97e9dcd98cab3599ab76 Mon Sep 17 00:00:00 2001
From: Marius Tomaschewski <mt@suse.com>
Date: Fri, 20 Sep 2024 11:07:02 +0200
Subject: [PATCH 2/2] bgpd: use stream_rewind_getp() to remove overflow
References: CVE-2017-15865

Backport from frr-8.x:
- commit 763a5d3c2dc7e9061006d56a9a983c2a8be64765
  from https://github.com/FRRouting/frr/pull/7046
  ```
  Author: Quentin Young <qlyoung@nvidia.com>
  Subject: bgpd: use stream_rewind_getp() to remove overflow

Passing a negative argument to a size_t parameter creates an overflow
  condition
  ```

diff --git a/bgpd/bgp_attr.c b/bgpd/bgp_attr.c
index 9ef0b38e4d..f7a1ae7875 100644
--- a/bgpd/bgp_attr.c
+++ b/bgpd/bgp_attr.c
@@ -2990,7 +2990,7 @@ bgp_attr_parse_ret_t bgp_attr_parse(struct peer *peer, struct attr *attr,
 			size_t lfl =
 				CHECK_FLAG(flag, BGP_ATTR_FLAG_EXTLEN) ? 2 : 1;
 			/* Rewind to end of flag field */
-			stream_forward_getp(BGP_INPUT(peer), -(1 + lfl));
+			stream_rewind_getp(BGP_INPUT(peer), (1 + lfl));
 			/* Type */
 			stream_get(&ndata[0], BGP_INPUT(peer), 1);
 			/* Length */
-- 
2.43.0

Places

File 0023-frr-7.4-bgpd-CVE-2017-15865_rewind_fix.patch of Package frr.35834

Places