Sign Up
Log In
Log In
or
Sign Up
Places
All Projects
Status Monitor
Collapse sidebar
home:dirkmueller:acdc:as_python3_module
frr
0020-bgpd-Fix-use-beyond-end-of-stream-of-label...
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File 0020-bgpd-Fix-use-beyond-end-of-stream-of-labeled-unicast.patch of Package frr
From 995d2dc58dec7196d2cae7cf0fa767f9e0c46c91 Mon Sep 17 00:00:00 2001 From: Donald Sharp <sharpd@nvidia.com> Date: Fri, 3 Mar 2023 21:58:33 -0500 Subject: [PATCH] bgpd: Fix use beyond end of stream of labeled unicast parsing Upstream: yes References: CVE-2023-38407,bsc#1216899,https://github.com/FRRouting/frr/pull/12956/commits/ab362eae68edec12c175d9bc488bcc3f8b73d36f Fixes a couple crashes associated with attempting to read beyond the end of the stream. Reported-by: Iggy Frankovic <iggyfran@amazon.com> Signed-off-by: Donald Sharp <sharpd@nvidia.com> (cherry picked from commit 7404a914b0cafe046703c8381903a80d3def8f8b) diff --git a/bgpd/bgp_label.c b/bgpd/bgp_label.c index ec44037bf7..488b0954c7 100644 --- a/bgpd/bgp_label.c +++ b/bgpd/bgp_label.c @@ -304,6 +304,9 @@ static int bgp_nlri_get_labels(struct peer *peer, uint8_t *pnt, uint8_t plen, uint8_t llen = 0; uint8_t label_depth = 0; + if (plen < BGP_LABEL_BYTES) + return 0; + for (; data < lim; data += BGP_LABEL_BYTES) { memcpy(label, data, BGP_LABEL_BYTES); llen += BGP_LABEL_BYTES; @@ -369,6 +372,9 @@ int bgp_nlri_parse_label(struct peer *peer, struct attr *attr, memcpy(&addpath_id, pnt, BGP_ADDPATH_ID_LEN); addpath_id = ntohl(addpath_id); pnt += BGP_ADDPATH_ID_LEN; + + if (pnt >= lim) + return BGP_NLRI_PARSE_ERROR_PACKET_OVERFLOW; } /* Fetch prefix length. */ @@ -387,6 +393,15 @@ int bgp_nlri_parse_label(struct peer *peer, struct attr *attr, /* Fill in the labels */ llen = bgp_nlri_get_labels(peer, pnt, psize, &label); + if (llen == 0) { + flog_err( + EC_BGP_UPDATE_RCV, + "%s [Error] Update packet error (wrong label length 0)", + peer->host); + bgp_notify_send(peer, BGP_NOTIFY_UPDATE_ERR, + BGP_NOTIFY_UPDATE_INVAL_NETWORK); + return BGP_NLRI_PARSE_ERROR_LABEL_LENGTH; + } p.prefixlen = prefixlen - BSIZE(llen); /* There needs to be at least one label */ -- 2.35.3
Locations
Projects
Search
Status Monitor
Help
OpenBuildService.org
Documentation
API Documentation
Code of Conduct
Contact
Support
@OBShq
Terms
openSUSE Build Service is sponsored by
The Open Build Service is an
openSUSE project
.
Sign Up
Log In
Places
Places
All Projects
Status Monitor