Sign Up
Log In
Log In
or
Sign Up
Places
All Projects
Status Monitor
Collapse sidebar
home:dirkmueller:acdc:as_python3_module
frr
0023-frr-7.4-bgpd-CVE-2017-15865_rewind_fix.patch
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File 0023-frr-7.4-bgpd-CVE-2017-15865_rewind_fix.patch of Package frr
From 25d1f39f5afd53d4ce7d25fa6aa16fc1496af2ed Mon Sep 17 00:00:00 2001 From: Marius Tomaschewski <mt@suse.com> Date: Fri, 20 Sep 2024 11:05:08 +0200 Subject: [PATCH 1/2] lib: add stream_rewind_getp() References: CVE-2017-15865,bsc#1230866 Backport from frr-8.x: - commit 06cf2c0c36e044dcdc4cdd5f7d6e971bc07a294c from https://github.com/FRRouting/frr/pull/7046 ``` Author: Quentin Young <qlyoung@nvidia.com> Subject: lib: add stream_rewind_getp() stream_forward_getp() cannot be used with negative numbers due to the size_t argument, we'll end up doing overflow arithmetic. ``` diff --git a/lib/stream.c b/lib/stream.c index 683a130e44..7edf24ec32 100644 --- a/lib/stream.c +++ b/lib/stream.c @@ -252,6 +252,18 @@ void stream_forward_getp(struct stream *s, size_t size) s->getp += size; } +void stream_rewind_getp(struct stream *s, size_t size) +{ + STREAM_VERIFY_SANE(s); + + if (size > s->getp || !GETP_VALID(s, s->getp - size)) { + STREAM_BOUND_WARN(s, "rewind getp"); + return; + } + + s->getp -= size; +} + void stream_forward_endp(struct stream *s, size_t size) { STREAM_VERIFY_SANE(s); diff --git a/lib/stream.h b/lib/stream.h index 5c7d94fab8..d25a203bdf 100644 --- a/lib/stream.h +++ b/lib/stream.h @@ -171,6 +171,7 @@ extern struct stream *stream_dupcat(struct stream *s1, struct stream *s2, extern void stream_set_getp(struct stream *, size_t); extern void stream_set_endp(struct stream *, size_t); extern void stream_forward_getp(struct stream *, size_t); +extern void stream_rewind_getp(struct stream *s, size_t size); extern void stream_forward_endp(struct stream *, size_t); /* steam_put: NULL source zeroes out size_t bytes of stream */ -- 2.43.0 From 552778202145ef1e7e3d97e9dcd98cab3599ab76 Mon Sep 17 00:00:00 2001 From: Marius Tomaschewski <mt@suse.com> Date: Fri, 20 Sep 2024 11:07:02 +0200 Subject: [PATCH 2/2] bgpd: use stream_rewind_getp() to remove overflow References: CVE-2017-15865 Backport from frr-8.x: - commit 763a5d3c2dc7e9061006d56a9a983c2a8be64765 from https://github.com/FRRouting/frr/pull/7046 ``` Author: Quentin Young <qlyoung@nvidia.com> Subject: bgpd: use stream_rewind_getp() to remove overflow Passing a negative argument to a size_t parameter creates an overflow condition ``` diff --git a/bgpd/bgp_attr.c b/bgpd/bgp_attr.c index 9ef0b38e4d..f7a1ae7875 100644 --- a/bgpd/bgp_attr.c +++ b/bgpd/bgp_attr.c @@ -2990,7 +2990,7 @@ bgp_attr_parse_ret_t bgp_attr_parse(struct peer *peer, struct attr *attr, size_t lfl = CHECK_FLAG(flag, BGP_ATTR_FLAG_EXTLEN) ? 2 : 1; /* Rewind to end of flag field */ - stream_forward_getp(BGP_INPUT(peer), -(1 + lfl)); + stream_rewind_getp(BGP_INPUT(peer), (1 + lfl)); /* Type */ stream_get(&ndata[0], BGP_INPUT(peer), 1); /* Length */ -- 2.43.0
Locations
Projects
Search
Status Monitor
Help
OpenBuildService.org
Documentation
API Documentation
Code of Conduct
Contact
Support
@OBShq
Terms
openSUSE Build Service is sponsored by
The Open Build Service is an
openSUSE project
.
Sign Up
Log In
Places
Places
All Projects
Status Monitor